IP based Restriction
Page Background: In this document we would talk about the IP based restriction in terms of the user authentication mechanism.
What is IP based Restriction
The procedure for identifying users seeking access to databases is IP address authentication. It recognises users coming from a subscribing institution and subsequently authenticates access using the organization's external IP addresses. On a user's profile, you may define a range of permitted IP addresses to restrict login access at the user level. Any attempt to log in from a different IP address is rejected when IP address restrictions are applied for a profile.
Use Cases for IP based restrictions
There can be various use cases for IP based restrictions such as:
Maintain control with effective recovery and for security reasons such as lowering redundancy, dealing with bandwidth concerns, etc.
Preventing your employees from accessing restricted content or data.
Limiting access to your data for users on public WiFi networks outside of the office.
Administrators may use IP restriction/limitations to determine which IP addresses are allowed access to the user's accounts. A specific employee or user won't be prevented from logging in and accessing the information if a user tries to log in outside the necessary range; instead, an error will be raised. Therefore, enabling IP limits assures that access to your sensitive information cannot occur through an unregistered IP address or at an insecure public location.
Types of IP Addresses
Static IP Address: This IP address do not change, every-time a user connects to the system or a network.
Dynamic IP – This IP addresses changes every-time a user connects to a system or network.
We recommend that your users use static IP addresses, the reason is that, static addresses do not change and hence it is easier to maintain the IP restrictions in case of static addresses.
How Does IP Restriction work?
The IP Restriction solution typically checks the login request's IP address against the allow list whenever a user attempts to log in or use their account. The system rejects login requests if the IP address is not in the list.
Some of the actions that you can define for the IP based restrictions are as follows:
Allow - You want to allow access to IDHub for the specified IP addresses
Deny - You want to allow access to IDHub for the specified IP addresses
Challenge - You can prompt the user for 2FA (or other authentication methods that you have setup)
Notes and Limitations:
When setting up your IP rules when using a business intranet, exercise extreme caution. In most cases, the IP address you see on your computer, such as 10.10.10.25, has nothing to do with the IP address you will actually use while browsing the internet. You should probably question your network team about how your organisation proxies and/or NATs your address into a known set of outgoing addresses.
A 403 error is shown in the user's browser when access is prohibited due to an access rule.
Deny rules are never more important than allow rules. Therefore, an address is actually authorised if it is both permitted (by one rule) and prohibited (by another rule).
When it comes to forwarded proxy addresses, the allow rules are applied to each address in the chain, and if any of the allow rules didn't match, the deny rules are then applied to each address in the chain.
This feature is currently not available and will be there in a future release of IDHub.