6 April 2014

Whitelisting online services for external parties using their IP

This article is targeted at a minor- to non-technical audience, therefor I prefered the use of simplified examples and extensive explanations.
Also I would like to point out from the start that the method mentioned here is not considered best practice due to strong security issues associated with accessing sensitive services through unencrypted connections (like a VPN) over the internet.

When whitelisting services hosted on the internet for external partners (i.e. partner platforms, management services, …) sooner or later the responsible IT-department demands "the public IP of this party".
Considering that for non-technical staff, any IP looks like the other, this sometimes leads to misunderstandings which may result in the IT-department getting i.e. an internal IP from someone in the 3rd party, being unusable for routing over the internet.
For this, it is important to know, how to reliably determine the public IP of the own internet connection or - in this case - the internet connection of the own company.
Now, leaving out the special circumstances of "dynamic IPs" for a moment, the easiest way to determine this, is using one of the myriad of websites, that offer exactly this service, for instance:

Information on the used internet connection, provider and location.

As you can see above, it correctly determined my external IP (tempered) as well as the city, state/region, country and even my ISP (blacked out).

Now, in case of our example above, considering the external partners have a static and only one external IP (e.g. internet connection) the only thing necessary is, for someone of the external party, to visit this website, write down the IP and send it to the IT-Department of your company.
Once they have whitelisted this IP for the respective services, the external party should be able to access it.

Static and Dynamic IPs
As mentioned in the example above, IPs can be either static or dynamic. This is something important when it comes to whitelisting a services on basis of IP addresses, because doing so for a dynamic (meaning "varying") IP could lead to the loss of access after the external party dis- and reconnects to the internet or their ISP simply assigns them a new IP address. Logically this will lead to the IT-department having to adjust this whitelisting as regular as the IP changes - which can even be daily.
Usually dynamic IPs are primarily used for  domestic and private internet connections, but also for businesses that don't use a business tariff or simply an ISP that doesn't offer this service.

So as a conclusion, it is important to make sure, the IP which has to be whitelisted is static or the external party should see if they can acquire such by contacting their ISP.

Internal and External IPs
One more trap when requesting an IP from non-tech staff, is the confusion between an internal and an external IP. This is usually avoided with the approach suggested above but still good to keep in mind whenever one sees an IP address and is uncertain whether it's valid for the particular case or not.
For IPs there are certain standards that help you determine if an IP belongs to an internal (company, home, …) network or the internet.
Following you can see 3 ranges which are reserved for internal networks only and therefor not usable on the internet:––– -

As a general disclaimer contrary to the explanation, I would like to point out that granting access to external parties over the internet using the IP instead of using a secured and encrypted VPN is considered risky from a security point of view.
When possible, such a VPN should always be preferred.

I hope this set of information was helpful for you and would be happy for any comments, suggestions or feedback.