IP Filtering using CIDR

When creating a new token, or editing an existing one, it is possible to set up IP filtering using CIDR blocks. This enables the licence administrator to allow access only from IP addresses within a certain range.

It is possible to add multiple IP filters on the same token.

Why use IP filtering?

From a security perspective, setting up an IP filter gives you much more control over who can access what data. Using IP filtering and multiple tokens in parallel allows you to have one IP range for flow setup, another range for feeding flows with data, another one for export of data, and so on. This leaves less room for errors, gives you greater control of your data and makes it easier to maintain the flow of data between systems.

CIDR Blocks

IP filtering using a CIDR block (a CIDR block being an IP address followed by a forward slash and a number) requires some basic knowledge of binary and of IP addresses in general, which this article will not cover. An IP address consists of four 8-bit sections (32 bits in total). The number that follows the slash can be any number between 0 and 32. It represents the number of leading bits that are fixed when defining the range.

Defining a CIDR block of /0 allows access from any IP address between 0.0.0.0 and 255.255.255.255. Similarly, a CIDR block of /32 would only allow access from the exact IP address given.

Adding /8 after an IP address will block all IP addresses not matching the first 8 bits. This means that the IP address 52.212.206.254/8 would define a range that includes all IP addresses between 52.0.0.0 and 52.255.255.255.

In the same way, a CIDR block of /16 will block all IP addresses not matching the first 16 bits, a CIDR block of /24 will block all IP addresses not matching the first 24 bits, and a CIDR block of /32 will block all IP addresses not matching all 32 bits.

Example

The WISEflow production environment uses multiple IP addresses for communication, one of them being:

52.212.206.254

To add an IP filter that only allows a single IP address, use /32 as a suffix:

52.212.206.254/32

This indicates that all the 32 bits in the IP address are fixed.

Similarly, to add a range of seven IP addresses to a filter, use the /29 suffix indicating an IP range:

52.212.206.248
52.212.206.249
52.212.206.250
52.212.206.251
52.212.206.252
52.212.206.253
52.212.206.254

This indicates that only 29 bits in the IP address are fixed, providing a range of seven IP addresses that can be used.

The same principle applies to subnets.
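The prefix arithmetic described above can be checked before a filter is saved on a token. The following is an added example, not WISEflow code: it uses Python's standard ipaddress module to compute the range a CIDR block covers and to test a client address against a list of filters. The function names, the sample client addresses and the deny-on-empty-list behaviour are assumptions made for illustration.

```python
import ipaddress


def cidr_range(block):
    """Return (first address, last address, size) for a CIDR block."""
    # strict=False accepts blocks written with host bits set, such as
    # 52.212.206.254/8, and keeps only the fixed leading bits.
    net = ipaddress.ip_network(block, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


def is_allowed(client_ip, filters):
    """True if client_ip falls inside at least one CIDR filter.

    Assumption for this sketch: an empty filter list denies everything.
    The article does not say how the platform treats a token with no filter.
    A malformed filter entry raises ValueError so the mistake is noticed.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable client address: deny
    for block in filters:
        net = ipaddress.ip_network(block, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


if __name__ == "__main__":
    # CIDR blocks taken from the article's examples.
    for block in ("52.212.206.254/32", "52.212.206.254/29",
                  "52.212.206.254/8", "0.0.0.0/0"):
        first, last, size = cidr_range(block)
        print(f"{block:20} {first} - {last} ({size} addresses)")

    # Constructed client addresses checked against a single /29 filter.
    filters = ["52.212.206.254/29"]
    for ip in ("52.212.206.250", "52.212.206.255",
               "52.212.206.247", "not-an-ip"):
        print(f"{ip:16} allowed={is_allowed(ip, filters)}")
```

For the /29 block, the computed range runs from 52.212.206.248 to 52.212.206.255, so a filter with that suffix also admits the .255 address.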

External resources:

Calculating CIDR blocks: https://www.ipaddressguide.com/cidr

Wikipedia article on CIDR: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
