I take lots of pictures. Sometimes I’m using WiFi. Other times I’m out by the pond (fishing, if you must know) and using my cell connection. Same house. Same location.
And yet the geolocation information embedded into pictures taken in the same location vary based on whether I’m on Wi-Fi or cell. Sometimes I’m “near Wrightstown.” Other times I’m not. When I’m on a wired machine, it gets even crazier. As I’m writing this, I’m pegged as being in Appleton, WI. Which is about 20 miles south of here. My iPhone, on the same desk, tells me I’m in the Town of Lawrence (correct). A photo I uploaded to Facebook says I’m near Wrightstown, some 5-10 miles away.
Needless to say, we’re all aware that geolocation based on IP address can be as much art as science sometimes. Having worked in the GIS field (way back now, when I was still allowed to code) I’m well aware of the mathematical gymnastics required to map coordinates to place names accurately without introducing the questionable accuracy of an IP address. Consider this extraordinary situation encountered because of the vagaries of geocoding by IP:
MaxMind matches IP addresses, which are used to connect devices to the internet, to physical locations. It has said these are not meant to be precise.
James and Theresa Arnold say it registered their home as the position of more than 600 million addresses.
They say this has led many people to wrongly believe a host of crimes were committed at the property.
"The first week after the Arnolds moved in, two deputies from the Butler County Sheriff's Department came to the residence looking for a stolen truck. This scenario repeated itself countless times over the next five years," documents filed with a Kansas court read.
http://www.bbc.com/news/technology-37048521
I’m glad I’m not the Arnolds*. And while this case is extraordinary, it does illustrate that dependence on IP address is not necessarily a sound idea – especially if you’re using it, in part, to authorize access to applications.
We know many financial institutions, in particular, rely on IP address as much as they do device to ascertain validity of login attempts. That’s a good thing if you’re pretty much always using the same device from the same place because your IP address doesn’t change all that much. But for mobile apps, which are increasingly “the way” folks communicate with customers, it could be problematic. My IP address changes as I roam, not to mention sometimes even when I don’t thanks to limitations on the reach of WiFi outside my home.
IP address as a means of identification has long passed its usefulness, anyway. It used to be that everyone using that broadband connection had their own IP because they got it directly from the provider, via DHCP. But that went the way of the Dodo when devices connected to the Internet in a home outnumbered the people. According to recent surveys, “there are now 734 million in use within U.S. Internet homes, averaging 7.8 connected devices per home.” That’s twice the average 3.14 people per household in the US in 2015.
Which means the notion of one IP address per person (and now thing) is largely untenable an option, given the limited number of IPv4 public IP addresses providers have to dish out. Everyone’s using just one public IP per household, generally speaking, and everyone else is being routed through that little black box.
IP, as a means of authoritative identification, is dead.
Credentials, whether they be tokens or username/password or some other heretofore undiscovered method, are the best means of identifying – and thus authenticating – users. It is also the best way to protect apps today, given the abuse of IP addresses in a variety of attacks. When I can spoof my IP as readily as I can my user-agent, it is not a good idea to consider it an authoritative source of information.
Nor it is appropriate to use for allowlisting or denylisting, because honestly, IP addresses can be changed in a matter of seconds on the Internet. Tens of millions of IP addresses are routinely noted as taking part in DDoS attacks. Some intentionally, others by happenstance of visiting the wrong site or buying the wrong device. Blocking by IP address leads to headaches for consumers. Using IP reputation moving forward isn’t going to be nearly as effective as it once was, back in the day, when the Internet was young and innocent and full of people with good intentions. Now that the Internet is old and jaded and rife with attackers who are as likely to abuse your devices as they are anything else, we’ve got to look to something else.
We need to move to identity as the new firewall, to secure the new perimeter that is the application. Whether it be through federation or traditional corporate identity management, we need to rely more on ID than on IP to secure our borderless businessand provide access to an increasingly mobile set of users, both corporate and consumer.
* Interestingly, my mother’s family are Arnolds. No relation, I’m sure, but then again…
About the Author
Related Blog Posts
F5 accelerates and secures AI inference at scale with NVIDIA Cloud Partner reference architecture
F5’s inclusion within the NVIDIA Cloud Partner (NCP) reference architecture enables secure, high-performance AI infrastructure that scales efficiently to support advanced AI workloads.
F5 Silverline Mitigates Record-Breaking DDoS Attacks
Malicious attacks are increasing in scale and complexity, threatening to overwhelm and breach the internal resources of businesses globally. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools.
F5 Silverline: Our Data Centers are your Data Centers
Customers count on F5 Silverline Managed Security Services to secure their digital assets, and in order for us to deliver a highly dependable service at global scale we host our infrastructure in the most reliable and well-connected locations in the world. And when F5 needs reliable and well-connected locations, we turn to Equinix, a leading provider of digital infrastructure.
Volterra and the Power of the Distributed Cloud (Video)
How can organizations fully harness the power of multi-cloud and edge computing? VPs Mark Weiner and James Feger join the DevCentral team for a video discussion on how F5 and Volterra can help.
Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies
David Warburton, author of the F5 Labs 2020 Phishing and Fraud Report, describes how fraudsters are adapting to the pandemic and maps out the trends ahead in this video, with summary comments.
The Internet of (Increasingly Scary) Things
There is a lot of FUD (Fear, Uncertainty, and Doubt) that gets attached to any emerging technology trend, particularly when it involves vast legions of consumers eager to participate. And while it’s easy enough to shrug off the paranoia that bots...