IP range based authentication
Summarize
Summary of IP range based authentication
IP range based authentication allows you to secure your web-based application by restricting access based on IP addresses. This feature enables you to block specific addresses or ranges that may belong to malicious users, enhancing overall security. For more advanced capabilities, consider using the Adaptive Authentication (AA) pre-authentication context policy.
Show less
Key Features
- The system prevents you from locking yourself out by warning you if your current IP address would be blocked.
- Be cautious when configuring IP rules within a corporate intranet, as internal IP addresses may not reflect your public-facing IP.
- Restricted users receive a 403 error and do not affect server resource counts.
- IP range authentication does not override existing access control rules, serving as an additional security measure.
- Allow rules take precedence over deny rules, meaning that if an address is both allowed and denied, it will be permitted.
- Current support does not extend to asterisks or CIDR blocks for IP specification.
- Forwarded proxy address handling applies allow rules first, followed by deny rules if no allow rules match.
Key Outcomes
When implementing IP range based authentication, ensure to add the IP addresses of all application nodes as exceptions if IP access control is enabled on the source instance, especially for update set transfers. For instance IP information, log in to ServiceNow and search for the My IP Information service catalog item. Additionally, review the properties com.snc.ipauthenticator and glide.ip.authenticate.strict in the Instance Security Hardening Settings for further access restrictions.
One way to secure a web-based application is to restrict access based on the IP address.
You can block access to a specific address or range of addresses that you suspect belong to malicious individuals. The instance allows you to control access by IP address.
Notes and Limitations:
- The system won't let you lock yourself out, so if you try to add a rule such that your current address would be locked out, the system warns you and refuses your insert.
- If you're inside of a corporate intranet, be very careful about setting up your IP rules. The IP address you see on your own computer (like 10.10.10.25) generally bears no relationship to the IP address you will actually appear as out on the internet. Your company likely proxies and/or NATs your address into a predictable set of outbound addresses which you will likely need to ask your network team about.
- A user whose access is restricted based on an access rule gets a 403 error on their browser.
- Restricted users do not use transactions, semaphores, or count towards any server resource counts.
- This feature does not supersede or override your existing access control rules if, for example, you're running a VPN to our data center. It's an additional check that must be met in addition to any access controls we may have set up on your PIX.
- Allow rules always supersede deny rules. So if an address is both allowed (by one rule) and denied (by a second rule) it is, in fact, allowed.
- Asterisks and CIDR blocks are not currently supported.
- Regarding forwarded proxy addresses, the allow rules are applied to each address in the chain and then the deny rules are applied to each address in the chain if none of the allow rules matched.
- IP range based authentication can effect the transfer of update sets. If IP address access control is enabled on the source instance, add the IP addresses of all application nodes supporting your instance as
exceptions.Note:To find your instance IP information, Log in to ServiceNow - NOW Support, and Search for the My IP Information service catalog item.