How do I validate IP address ownership for authentication?
I have a website where digital content is behind a paywall. We verify users have access by IP address. Our customers are all large companies, with static IP addresses. So, if a user is within the network of their company, then they automatically have access to our site. The problem is, we have no way of validating that the companies actually own every address on the list of addresses they give us.
Anyone have any ideas of how we can verify that the companies actually own the IP addresses they are giving us?
2 Comments
The short answer is, if they are just giving you a list of IP numbers, there is no way to verify that they are all owned by the company. However for large corporations, you can do a whois lookup on an IP range and determine the owner: whois.arin.net/ui
For example, if I enter 8.8.8.8, it returns that 8.8.8.0 - 8.8.8.255 are assigned to Google, with various details and contact information.
However, the list of IP addresses given to you by a company might include the CEO's home IP, which would no doubt be controlled by (for example) Verizon or Comcast or some other provider. Company members might travel to a conference and need access from a hotel IP.
A better solution would be to tap into a corporation's authentication scheme via OAuth or another web service, or when a user attempts to connect from an unknown IP, require a valid corporate email, and email the user a link for verification.
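To make the whois check described above mechanical, here is an added example in Go (not code from the answer or from any project): it takes the address list a customer submitted together with the netblocks a whois lookup reports for each owner, and flags every address that is not registered to the customer, which is exactly how a CEO's home address or a hotel address would surface. The `Netblock` fields mirror the start/end addresses a whois or RDAP record carries; the registry entries, organisation names and the submitted list are constructed sample data, not real allocations.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Netblock is one registered IP range as a whois/RDAP lookup reports it:
// the owning organisation plus the first and last address of the block.
type Netblock struct {
	Org   string
	Start netip.Addr
	End   netip.Addr
}

// contains reports whether a lies within the block, inclusive of both ends.
func (b Netblock) contains(a netip.Addr) bool {
	return a.Compare(b.Start) >= 0 && a.Compare(b.End) <= 0
}

// Finding is the review result for one customer-supplied address.
type Finding struct {
	Addr  string
	Valid bool   // true only if the address is registered to the customer
	Org   string // registrant of the matching block, "" if none matched
	Note  string
}

// ReviewCustomerIPs checks each submitted address against the netblocks
// returned by whois. Addresses registered to someone else (an ISP, a hotel)
// or to nobody in the lookup are flagged rather than silently accepted.
func ReviewCustomerIPs(submitted []string, expectedOrg string, registry []Netblock) []Finding {
	out := make([]Finding, 0, len(submitted))
	for _, s := range submitted {
		a, err := netip.ParseAddr(s)
		if err != nil {
			out = append(out, Finding{Addr: s, Note: "not a valid IP address"})
			continue
		}
		f := Finding{Addr: s, Note: "no matching registration"}
		for _, b := range registry {
			if b.contains(a) {
				f.Org = b.Org
				if b.Org == expectedOrg {
					f.Valid = true
					f.Note = "registered to customer"
				} else {
					f.Note = "registered to " + b.Org + ", not the customer"
				}
				break
			}
		}
		out = append(out, f)
	}
	return out
}

// Constructed sample registry in the shape a whois lookup returns.
// The ranges are documentation prefixes and the names are made up.
var sampleRegistry = []Netblock{
	{Org: "Example Corp", Start: netip.MustParseAddr("203.0.113.0"), End: netip.MustParseAddr("203.0.113.255")},
	{Org: "Example ISP", Start: netip.MustParseAddr("198.51.100.0"), End: netip.MustParseAddr("198.51.100.255")},
}

func main() {
	// Constructed customer list: two corporate addresses, one home ISP
	// address, one address nobody in our lookup owns, one malformed entry.
	list := []string{"203.0.113.10", "203.0.113.200", "198.51.100.77", "192.0.2.5", "not-an-ip"}
	for _, f := range ReviewCustomerIPs(list, "Example Corp", sampleRegistry) {
		fmt.Printf("%-15s valid=%-5t %s\n", f.Addr, f.Valid, f.Note)
	}
}
```

In practice `sampleRegistry` would be filled from the whois results for each address the customer submitted; the review then tells you which entries need a different enrolment path (such as the email verification suggested above) instead of a netblock rule.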
You could physically send someone to the company and check with a simple "ifconfig" what the IP is... this is a silly solution and it's pretty bad if you're based in the US and the company is in AUS. You could think about something else, but the point is you should avoid IP-based authentication at all. Suppose someone knows your company and one of your customers; he could do some penetration tests and discover their IP address... then by using IP spoofing they fool your system.
I think you should think about an X.509 certificate-based solution implementing a sort of asymmetric challenge-response system. It's important to use asymmetric technology instead of symmetric to be more protected in terms of non-repudiation. Of course, you need your clients to have valid certificates... your company could act as a Certificate Authority to issue the certificates... then the customers will have to properly protect the private key. A good solution could be RSA with a 2048-bit key and SHA-1 for signature (used by Twitter, for example).
In general, always avoid address-based authentication.
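An added example of the certificate-based challenge-response the answer above describes, written here and not taken from the answer or any project: the site runs its own CA, issues a client certificate to each customer, sends a fresh random nonce on login, and accepts the customer only if the returned signature verifies under a certificate that chains to the site's CA. It uses ECDSA P-256 with SHA-256 from Go's standard library in place of the RSA-2048/SHA-1 combination the answer mentions; the CA name, customer name, serial numbers and validity periods are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert signs tmpl for pub with signer; parent == tmpl yields a self-signed cert.
func issueCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates the site's own CA: a P-256 key and a self-signed root certificate.
func NewCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Paywall Customer CA (example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issueCert(tmpl, tmpl, &key.PublicKey, key)
	return key, cert, err
}

// IssueCustomerCert issues a client-auth leaf certificate naming the customer.
// The key is generated here only to keep the example self-contained; in practice
// the customer generates it, sends a CSR, and is the only party holding the key.
func IssueCustomerCert(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, org string, serial int64) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: org},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := issueCert(tmpl, caCert, &key.PublicKey, caKey)
	return key, cert, err
}

// NewChallenge (server side): a fresh 32-byte nonce per login attempt, so a
// captured response cannot be replayed against a later challenge.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond (client side): sign SHA-256(nonce) with the key behind the certificate.
func Respond(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Verify (server side): the presented certificate must chain to our CA and be
// valid for client auth, and the signature must cover the nonce we issued.
// On success it returns the customer name from the certificate subject.
func Verify(caCert, leaf *x509.Certificate, nonce, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	// CheckSignature hashes the nonce with SHA-256 and verifies it with the leaf's key.
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return "", fmt.Errorf("response does not match the issued challenge: %w", err)
	}
	return leaf.Subject.CommonName, nil
}

func main() {
	caKey, caCert, _ := NewCA()
	custKey, custCert, _ := IssueCustomerCert(caKey, caCert, "Example Corp", 2)
	nonce, _ := NewChallenge()
	sig, _ := Respond(custKey, nonce)
	org, err := Verify(caCert, custCert, nonce, sig)
	fmt.Println("authenticated customer:", org, "error:", err)
}
```

Because the server only ever sees a certificate and a signature over its own nonce, nothing about the client's network address enters the decision, and a response recorded from one login is useless against the next one. Revocation (for a customer whose private key leaked) would be the next piece to add on top of this.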