|
|
Random request I know but looking for the stat so I can use it to support something I'm working on at work regarding user authentication.
Anyone know?
Thanks in advance
Virgin (ADSL) => Namesco => Newnet => O2 => Plusnet => Zen => Newnet => Zen => Freeola => Vivaciti (using O2 Wholesale DSL) => Xilo (C&W Wholesale) => Xilo (O2 Wholesale) => Xilo (TT Wholesale due to O2 Wholesale closure) => Zen LLU =>> ZeN FTTP (Openreach 300 Mbps down, 47 Mbps up)
Router: Fritzbox 7530
Note: I don't lay turf for anyone. astro or otherwise, all views and opinions expressed are my own based on experience.
Edited by techguy (Sun 13-Aug-23 14:55:33)
|
|
|
Not enough to attempt any sort of whitelisting, I would have thought. What if the staff change their ISPs or tether to their phone?
if you are looking to increase security by restricting access to your VPN/Apps/Azure by IP addresses then probably the furthest you can go is narrowing down to UK IP address range/location.
If you go beyond that, you'll probably get diminishing returns on security vs overhead.
Andrews & Arnold Home ::1 on Draytek 2862ac - Why settle for inferior?
|
|
|
|
What do you mean by "implemented static IPs"? And do you mean consumer or business? Do you mean IPv4 or IPv6?
There are some ISPs that don't offer static IP at all (like BT retail). There are some that offer it as an optional paid extra. There are some that offer it for free but you have to request it. I am not sure there are many that provide it as the default (I think for Aquiss a static IPv4 is setup as default and you have to request IPv6 but not sure how many others there are).
|
|
Register (or login) on our website and you will not see this ad.
|
|
|
the furthest you can go is narrowing down to UK IP address range/location. Its getting tough on IPv4 with the amount of block trading going on. The best approach is a robust two factor authentication, (username/password & some external item) OR certificates that are installed when you're face-to-face with the machine that will be used remotely.
23 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
|
It may not be appropriate for your requirements, but there are always L2TP tunnels that can provide static IPs. They works with any ISP (including 4G), but will add a monthly cost.
I use A&A's L2TP which costs £10pm (for an individual - i.e. no VAT receipt) and provides a static IPv4 and a a block of IPv6.
|
|
|
Absolutely do not implement any authentication based on the user creating an allow-list of IP addresses. There are lots of services that will help you identify suspicious logins and you should use these instead.
Any sort of region lockout will be defeated easily with a VPN.
Edited by jpm (Mon 14-Aug-23 10:07:43)
|
|
|
|
Can you please tell Seb and the guys here as I regularly get locked out of TBB forums when I travel. Apparently I’ve been banned several times already this month. Luckily I can drop off the local hotel etc WiFi and connect via Telstra 4/5G which seems OK. Australia must be filled to the brim with evil, malevolent spammers and hackers like me!! Can’t trust us convicts 😂
|
|
|
The ISP list on TB has a filter for static IP (It's in the advanced filter section)
https://www.thinkbroadband.com/packages
Aquiss FTTP BQM | AAISP VOIP | Ubiquiti UDM Pro | 2x Unifi AC-Lite & 1x AC-LR Wifi AP
|
|
|
Percentage of UK ISPs that have implemented static IPs?
Well, smaller ISP's might be more likely to use static IPs than the larger ones, so the percentage of ISP's implementing static IPs might not be that low.
But when we consider the number of residential users with a static IP, it will be very low. The "big four" residential ISPs (BT, Sky, TalkTalk, Virgin) all use dynamic IP addresses.
Oliver.
|
|
|
I doubt there are any stats, I don't expect many ISPs will have them, well not for home use. Zzoomm will supply them for a cost, but it is not widely advertised.
Adrian
Desktop machines Mac mini pro with macOS Ventura, also pc Ryzen powered with windows something or other.
Zooming with Zzoomm FTTP,
|
|
|
Absolutely do not implement any authentication based on the user creating an allow-list of IP addresses. There are lots of services that will help you identify suspicious logins and you should use these instead.
Any sort of region lockout will be defeated easily with a VPN.
[/quote
Funny for me I consider whitelist ACL based on IP the most secure mechanism I ever seen. Of course I mean a individual IP ACL that doesnt use shared IP addresses, not a generic per country or ISP thing. Although thats still better than just globally allowing the entire internet.
Meanwhile services that try to detect suspicious activity, I often trigger them. But that doesnt mean they bad either WAF's are a solid tool, its just I dont think ACL's based on IP's should be played down.
|
|
|
|
I made an assumption that the OP was looking at this in terms of locking down a SaaS application, not something like a firewall management interface. Services where you get sent an email when you log in and then have to activate the IP you've connected from are really annoying, just use TOTP if you want to do multi-factor auth.
|
|
|
Random request I know but looking for the stat so I can use it to support something I'm working on at work regarding user authentication.
Anyone know?
Thanks in advance
% of ISPs isn't relevant as if you assume the smaller players all did, but the larger ones did not, you'd have a high % of ISPs that did, but a low % of users that have Static IPs...
Given the majority of users are concentrated on a small number of ISPs who either absolutely don't do Static IP and it changes on every connection or they offer 'sticky' (long lease) IPs that will hang around for short interruptions but isn't static as such.
|
|
|
I made an assumption that the OP was looking at this in terms of locking down a SaaS application, not something like a firewall management interface. Services where you get sent an email when you log in and then have to activate the IP you've connected from are really annoying, just use TOTP if you want to do multi-factor auth.
Those seem to be fading away on where I have come across them.
Steam used to only trigger 2FA if your IP had changed from last 2FA auth, now they removed the IP access part and seem to use other mechanisms to identify if it needs triggering which in my case seems to be whenever my login expires (so quite often, annoying).
Some datacentres still use them which I do like but they are optional and off by default whenever I have come across them.
Thanks for clarifying it was about SaaS access.
Edited by Chrysalis (Wed 23-Aug-23 23:20:07)
|
Pages in this thread: 
Print Thread
techguy
