The Balance of Security is Skewed Towards Web Sites, not Consumers

With its flagship product MAGNAPing, infrastructure monitoring made easy, Zenith Elevate caters to owners of complex, distributed, secure IT infrastructures. Security was what motivated the development of MAGNAPing; therefore, every release is thoroughly tested in environments just as secure as our users’. In doing so, we could not help but notice a bias in the general approach to security on the Internet.

Monitoring for the correct external IP address requires holes to be drilled in firewalls, from MAGNAPing instances to the IP-reporting API endpoints, and here lies a problem. Many such sites reside behind the CloudFlare proxy, which answers from a broad range of IP sub-nets. This is not a problem for full-fledged hardware routers or router OSs that can resolve an FQDN to its current address, but the Windows Filtering Platform on the device that runs the MAGNAPing instance can only base its rules on an IP address, range, or sub-net, and the sub-nets CloudFlare answers from are not immediately available; they can only be discovered by trial and error.

The web site owner is happy: the site is secured against DDoS attacks and bots. But the consumer is left with a lot of unknowns:

  • Have they discovered all of the possible CloudFlare IP addresses by the time they ran nslookup, dig, drill, etc., or tried to access the chosen external IP API a dozen times and saw a few addresses in use?
  • Will the IP addresses thus discovered ever change while retaining the same ownership?
  • Will the ownership of the IP addresses thus discovered ever change?

In such scenarios, Zenith Elevate does not recommend over-provisioning firewall rules by IP sub-net. This may reduce security by allowing address ranges that do not belong to the owner of the desired web service or API. Instead, we have no choice but to recommend finding an external IP API provider that does not hide behind CloudFlare. Failing that, we recommend rolling your own endpoint, and we can provide assistance in launching it.
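As an added example (not MAGNAPing's own code), the following Python helper tallies the addresses a proxied endpoint answers from across repeated lookups and audits a set of WFP-style allow rules against that tally: it reports observed addresses no rule covers (monitoring would be blocked), rules that cover nothing observed (stale or over-provisioned), and how many addresses the rules open relative to how many were actually seen. The function names and the sample addresses (documentation ranges) are constructed for illustration; rules are assumed to be written as single addresses, CIDR sub-nets, or 'lo-hi' ranges.

```python
import ipaddress
import socket
from collections import Counter


def observe_addresses(fqdn, attempts=20):
    """Resolve fqdn repeatedly and tally every address returned.

    Automates the trial-and-error discovery the post describes; needs
    network access, so audit_allow_rules() below takes a saved tally.
    """
    seen = Counter()
    for _ in range(attempts):
        for info in socket.getaddrinfo(fqdn, 443, type=socket.SOCK_STREAM):
            seen[info[4][0]] += 1
    return seen


def expand_rule(rule):
    """Turn a WFP-style rule (address, CIDR sub-net or 'lo-hi' range) into networks."""
    if "-" in rule:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(rule, strict=False)]


def audit_allow_rules(observed, allow_rules):
    """Compare observed endpoint addresses against outbound allow rules.

    uncovered: observed but not allowed, so monitoring would be blocked.
    unused_rules: permit nothing observed, so stale or over-provisioned.
    allowed / ratio: how many addresses the rules open versus how many were seen.
    """
    rule_nets = {r: expand_rule(r) for r in allow_rules}
    addrs = {ipaddress.ip_address(a) for a in observed}

    def covered(addr):  # mixed v4/v6 is safe: 'in' is False across versions
        return any(addr in n for nets in rule_nets.values() for n in nets)

    ordered = sorted(addrs, key=lambda a: (a.version, int(a)))
    uncovered = [str(a) for a in ordered if not covered(a)]
    unused = [r for r, nets in rule_nets.items()
              if not any(a in n for n in nets for a in addrs)]
    allowed = sum(n.num_addresses for nets in rule_nets.values() for n in nets)
    ratio = allowed / len(addrs) if addrs else float("inf")
    return {"uncovered": uncovered, "unused_rules": unused,
            "allowed": allowed, "ratio": ratio}


# Constructed sample (documentation ranges) standing in for a proxied IP API.
SAMPLE_SEEN = ["203.0.113.10", "203.0.113.11", "203.0.113.40", "2001:db8::1"]
SAMPLE_RULES = ["203.0.113.0/27", "198.51.100.0/24", "203.0.113.40-203.0.113.41"]
```

Run `audit_allow_rules(SAMPLE_SEEN, SAMPLE_RULES)` to see the report; a ratio far above 1 together with unused rules is the over-provisioning the post warns against.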
