Can URL redirect be used to restrict access to ServiceNow based upon IP Address and/or domain?

curtisrowell
Mega Expert

I have a client who is worried about someone hacking the ServiceNow network and gaining access to the server instances.

I was going to suggest they turn on IP Address Access Control; however, they are installing the HR module and will need to have this available to dependents who are on the public cloud.

Is it possible to script a URL redirect such that if a browser request is coming from the public cloud, it is automatically forwarded to the HR Portal or blocked, and if it is coming from a customer IP address, access to the requested portal is allowed?

6 REPLIES

Jeff Currier
ServiceNow Employee

I am struggling to understand how using this redirect will help the initial problem statement of securing the network.  Redirecting from one portal page to another would only change the page they get to see.  The IP address of the server and the authentication method would still be the same.  What was to be accomplished by the redirect other than sending them to a different page?

I think you could create the redirect you are suggesting, but the maintenance would be difficult as you are keeping track of many IPs, especially if employees want to work outside the office.

The IP Address Access Control you mention could keep things secure for the employees, but dependents would be a problem.  Your client may just need to learn to trust the platform.

Employees who work outside the office would be required to use VPN, and thus will have a known public IP Address.  While there will be quite a few IP Addresses, they could all be maintained in a table.


"Client may just need to learn to trust the platform"

It isn't that they don't trust the platform.  This is a major corporation with military contracts.  Their InfoSec is paid to be uber paranoid.


Their concern is that someone might be able to gain access to the instance (e.g. a disgruntled SN employee who is going to quit or likely be fired, or a hacker who gains access to the SN environment).  If they were able to do so, they might, for example, write a discovery probe to gather some sensitive data and then run discovery.

Between you and me, this is an eye roller; however, I have to answer the query.

User186043
Tera Guru

This doesn't directly answer your question around a UI page/URL redirect, though there are other issues I can see with that. ServiceNow will let you restrict access by IP range: IP Range Based Authentication Access Control

Agree with Jeff above though: hacking the platform and platform-level security should not be your client's issue; leave that to the 24/7 ServiceNow teams to ascertain.

One issue with a UI/URL redirect will be that 1. it will be significantly slower than IP range restriction due to having to process on page load, and 2. it will not prevent or hinder any sort of DOS attacks, as processing will have already happened; though DOS is really the domain of ServiceNow engineering and what you pay your licensing fees for.

Well, for good or ill, this client is big enough that their attitude is "No, we do not have to accept SN's platform security.  Fix the gap."

The main concern is to prevent people who gain access to the platform from dropping a custom probe on an instance and running it through discovery.

If IP Access Control isn't possible and URL redirection isn't scalable or tight enough, are there other avenues which could prevent someone from doing this?
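
The routing decision asked about in the original question (customer addresses get the requested portal, everyone else is sent to the HR Portal or blocked), as an added, platform-neutral example that is not ServiceNow code and not from any poster in this thread. `CUSTOMER_RANGES`, `HR_PORTAL_PATH` and the function names are constructed for illustration; as the replies point out, a decision made at this layer only changes which page is served.

```javascript
// Constructed sample values (documentation address ranges, hypothetical path).
const CUSTOMER_RANGES = ['203.0.113.0/24', '198.51.100.16/28'];
const HR_PORTAL_PATH = '/hr';

// Convert a dotted-quad IPv4 string to an unsigned integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const octet = Number(p);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip falls inside the CIDR block; malformed input never matches.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const size = Math.pow(2, 32 - bits); // number of addresses in the block
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// Decide what to do with a request: allow, redirect to the HR portal, or block.
function routeRequest(sourceIp, requestedPath) {
  // Fail closed: an address that cannot be parsed is never treated as trusted.
  if (ipv4ToInt(sourceIp) === null) return { action: 'block' };
  if (CUSTOMER_RANGES.some((range) => inCidr(sourceIp, range))) {
    return { action: 'allow', path: requestedPath };
  }
  // Public addresses may only reach the HR portal and its sub-pages.
  if (requestedPath === HR_PORTAL_PATH ||
      requestedPath.startsWith(HR_PORTAL_PATH + '/')) {
    return { action: 'allow', path: requestedPath };
  }
  return { action: 'redirect', path: HR_PORTAL_PATH };
}
```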