Key Terms:
- An internet protocol (IP) address is a unique number that is assigned to a device when it connects to the internet. It becomes your address as you browse the web.
- IP whitelisting is when you only allow a certain IP address to access wherever you store your business information, such as on a server.
- A static IP address is one that never changes. You would need your employees to have static IP addresses so that you can whitelist them.
- The opposite of a static IP address is a dynamic IP address, which constantly changes.
- A local area network (LAN) is a computer network that connects devices that are in a limited area, like in an office building.
What Is an IP address?
An IP address is a unique number that gets assigned to your device when you connect to the internet.
This unique code helps devices talk to one another and exchange data on the internet.
There are two main types of IP addresses:
- Static IP addresses.
- Dynamic IP addresses.
You can learn more about static and dynamic IP addresses in this blog post.
What Is a Whitelist?
A whitelist (allowlist) is an administrator-defined register of entities approved for authorized access to digital resources such as networks, apps, or to perform specific actions.
Whitelisting can be used to improve security by ensuring that only approved users or devices have access to sensitive data or systems. It can also be used to ensure that only authorized actions can be performed on critical resources.
Whitelisting is a stringent cybersecurity technique that, if done correctly, can prevent many cybersecurity issues by default. However, it may be time-consuming and inconvenient for administrators and must be implemented and maintained precisely. It isn't, however, an impenetrable barrier to assaults.
How does a whitelist work?
Think about it like a guest list for an exclusive event. If your name is on the list, you get access to the event without any hassle. If your name is not on the list, you will be sent away.
A whitelist will restrict network access to anyone whose IP address does not match one on the list. This improves your security.
Only users with approved devices have access to your data or systems.
Typically, a whitelist would be created to allow an authorized user to do things like access a network.
With a whitelist in place, no one can access your exclusive online event unless they are invited, either.
What Is IP Whitelisting?
The whitelisting of an IP address is a cybersecurity technique that gives IT administrators control over who can access business systems and resources.
IP whitelisting (allowlisting) involves creating a list of trusted IP addresses (dedicated static IP addresses are necessary), assigning them to a user or group of users as a unique identifier, and permitting the IP address on the target server only.
As a result, any system inside the LAN, datacenter or third-party SaaS application can be set up to be accessed only by users with the organization’s IP address, whether they connect from a private corporate network or through a VPN gateway. Unknown entities trying to access the system from an unlisted IP address will be restricted.
A cloud VPN service like GoodAccess can help you set up a whitelist with static IP addresses.
IP whitelisting is typically handled on
- Firewall - configured to grant access to the network only to specific users/devices/LANs
- Edge routers - typically set up to block undesired traffic on router's TCP and UDP port in order to protect internal LAN from the public internet threats
- Business VPN gateway - see types of VPN to learn more
- Web server - typically to manage incoming requests and prevent extensive malicious requests (brute force attacks)
- Application layer - incoming queries can be evaluated and blocked/allowed by design in the code of the application
- SaaS application - SaaS apps usually allow setting up IP whitelists to harden security measures.
Fig 1: IP whitelisting settings in Amazon AWS (so called security groups). This example shows allowing TCP/UDP traffic only from GoodAccess VPN gateway.
Fig 2: Whitelisted IP address of the GoodAccess VPN gateway in Amazon AWS settings.
How can I whitelist an IP address?
If you want to create an IP whitelist, you would need to decide which devices and users are allowed to access your business systems.
Once you have a list of approved IP addresses, web applications, or users, you can add them to your whitelist using the network settings on your computer, router or firewall.
You may need to configure a router to create the whitelist or edit firewall rules on your device. This will depend on your setup and security requirements.
This would be similar to compiling a list of attendees for your exclusive event in real life and then passing the list on to the doorman at your venue to manage entry.
The process of IP whitelisting is not straightforward, though, and you can easily make mistakes. GoodAccess acts as the perfect doorman and makes IP whitelisting and managing access simple.
How can IP whitelisting IP addresses help my business?
IP whitelisting puts you in the driver’s seat.
Other than advanced security, an IP whitelist also allows you to manage your remote team effectively.
It puts you in control when it comes to which employees can access different levels of your company’s information and who can perform specific tasks.
For example, you can give your senior management team permission to change documents stored on your server. Junior staff, however, would not receive the same permissions.
Why IP Whitelisting Is a Good Choice for Your Business
If your business has software, systems, and stored data, you need to protect them. You must ensure nobody can access this information unless they are an employee.
You also need a way to ensure that your remote employees can access your systems safely and securely.
IP whitelisting helps you achieve both of these things.
Let’s unpack some of the circ*mstances where IP whitelists would be useful for your organization.
Network Access Control
One of the most common use cases is restricting network access to your internet-facing services by using a firewall, where only whitelisted IP addresses are allowed to connect to the service. Only with a static IP can you define a firewall rule that remains valid indefinitely.
SaaS Access Control
Blind trust in SaaS provider security measures might be tricky. To further harden cloud resource security, SaaS applications such as Salesforce, Amazon AWS, Office365, etc., usually allow the whitelisting of an IP address within provider security settings.
Remote Access Enablement
Remote users connect via networks where company policies cannot be enforced, such as a home office or public wi-fi at airports, hotels, and cafés.
So it makes sense to protect the connection to target systems via, e.g., a VPN gateway with whitelisted static IP. First, the user connects to the gateway via a client app installed on a particular device, and after authentication and verification, access is allowed to specific systems.
In such a scenario, the user’s connection is protected from any device where they successfully log into the app.
IoT Security
You may want to secure Internet of Things (IoT) devices such as cameras, sensors, or building controllers that use a public network to communicate with other devices.
IP whitelisting is a simple way to ensure that only trusted users can access your IoT devices.
Fig 3: When you combine IP whitelisting with system access control, you have a comprehensive way to ensure that only authorized users access your services. (source: GoodAccess feature named Access Cards)
Unifying access control on the network layer
Software and systems often require users to perform something called two-factor authentication. This is an additional security measure to ensure that users are permitted to access the software.
It can, however, become problematic if you have many software applications requiring two-factor authentication.
By having an IP whitelist and VPN gateway in place, you are already authenticating the user, so you will not need two-factor authentication, too.
The Cons of IP Whitelisting
The downside to IP whitelisting is that it is a repetitive and time-consuming process, especially if you have network administrators who manage large networks with many users and devices.
Especially those IT admins who manage large networks with tons of users and devices, may suffer from the following:
- Setting-up a whitelist is (can be) labor-intensive
Every user and every IP address needs to have their access rights properly evaluated and manually implemented on the firewall, router etc. On one hand, overly restrictive whitelists may limit the smooth running of business operations. On the other, an overly permissive allowlist loses its purpose of hardening network security. - Managing up-to-date whitelists requires additional resources
When the user roles or access rights change frequently, it requires additional work to keep whitelists responsive.
However, there are ways to make the whitelisting process smoother and more efficient.
Instead of whitelisting the IP address of each device (which is virtually undoable due to the need for many static IPs), IT administrators can only whitelist the dedicated static IP address of the VPN gateway.
With modern cloud VPNs, which also provide zero-trust access control, such as GoodAccess, this is a very convenient approach to reduce the complexity of IP whitelisting and preserve a high-level of security:
- The IT admin whitelists the VPN's static IP address on the target system (LAN, app, cloud etc.) so that only users connecting to the business resources via the VPN are allowed access.
- The VPN serves as an access control point. The IT admin can easily assign every user with the necessary access rights to the business resources. This is done via the VPN's web UI.
- To access the target system, users must first sign in to VPN and be authorized by 2FA, MFA, or SSO. Once this is done, the VPN “knows” what systems the authorized user is permitted to use and allows access.
This approach minimizes manual configuration and centralizes whitelist management on the VPN level so that businesses can enjoy benefits of whitelisting IP without the sacrificing valuable time of its administrators.
Fig 4: IP whitelisting combined with system access control on VPN level reduces complexity (source: GoodAccess feature named Access Cards)
IP Whitelisting in 2023: A Fresh Perspective
IP whitelisting is a powerful security technique for businesses to use, but it is not the ultimate answer to all your remote working security concerns.
However, when IP whitelisting is done correctly, it can significantly enhance the protection of business resources and also help your business to comply with regulations that require data protection and strict access control (such as NIS2).
As it follows the principle “deny all, permit some,” it restricts external traffic to a preselected number of IP addresses and, by design, reduces the attack surface and risks associated with unauthorized access.
There are also drawbacks which make working with whitelists a tough job. Especially the labor/time-intensity of setting up and maintaining IP whitelists as well as the additional complexity of managing whitelists in different places (firewall, VPN, SaaS app, etc.).
But there are ways to make whitelisting simpler, such as using a cloud VPN like GoodAccess which lets you:
- Manage IP whitelists from one web GUI,
- Extend whitelists to services and applications that do not natively support IP whitelisting,
- Apply the zero-trust network access principle by assigning every user a private account and network identity so they are allowed to access only the applications they need to do their job,
- Unify multifactor authentication security on the network level instead of laborious manual configuration for each application. This works even if your systems don't support 2FA/MFA on the application level.
If you want to try out IP whitelisting via GoodAccess business VPN, and other remote access and security features, check out the full-featured 14-day free trial here.
