With its flagship infrastructure monitoring made easy product, MAGNAPing, Zenith Elevate caters to owners of complex, distributed, and secure IT infrastructures. It was security that motivated the development of MAGNAPing; therefore, its every release is thoroughly tested in environments just as secure as our users’. We could not help but notice a bias in the general approach to security on the Internet.
The Problem
Some types of monitoring, for example of correct external IP address, require holes to be drilled in firewalls, from MAGNAPing instances to the IP reporting API endpoints, and here lies a problem. Many such sites reside behind the CloudFlare proxy, which answers from a broad range of disparate IP sub-nets. The web site owner is happy: it is secured against DDOS, bots, or undesirable visitors. But the consumer is left with some unknowns:
- Have they discovered all of the possible CloudFlare IP addresses, by the time they ran nslookup, dig, or drill, etc. or tried to access the chosen external IP API a dozen times and saw a few being used, in WFP audit events?
- Will the thus discovered IP addresses ever change, retaining ownership?
- Will the ownership of thus discovered IP addresses ever change?
This is not a problem for full-fledged hardware routers or router OSs that can resolve an FQDN to its current address, but Windows Filtering Platform on the device that runs a MAGNAPing instance can only allow its rules to be based on an IP address, range, or sub-net, which is not immediately available from CloudFlare and can only be discovered by way of trial and error.
Yes, reality is that in many IT infrastructures it is one of the architectural requirements that tiers or servers are protected by their own Windows firewalls in addition to hardware firewalls.
If the infrastructure owner chooses to keep discovering IP addresses of such services, then another of our products, MAGNAWall, can help speed up and simplify this process, but it is powerless to remove the above unknowns.
Solutions
In such scenarios, Zenith Elevate does not recommend firewall rule over-provisioning by IP sub-nets. This may lead to compromised security by allowing address ranges that do not belong to the owner of the desired web service or API now or in the future. Instead, we have no choice but to recommend to find an external IP API provider that does not hide behind CloudFlare. Failing that, we recommend to roll out your own endpoint, and we can provide assistance in launching it.
Alternatively, you may take advantage of Zenith Elevate’s own IP reporting service at https://www.zenithelevate.com/myip/ (rate-limited to one request per second).