Salesforce Developer Security Trusted Ip Ranges
// Trusted Login IP Ranges: The salesforce platform allows administrators to define IP ranges that are trusted. Users who login from defined IP ranges are trusted and the login operation proceeds normally. It is important to understand that this only covers login operations. If a user already has a valid session id, they could make requests from IPs not in the trusted range. There is an additional security feature which covers this scenario : "Lock sessions to originating login IP". There are two ways Trusted IP ranges can be defined, and each has unique security features: 1. Organization level Trusted Login IP ranges: Administrators define a list of IP addresses from which users can login without receiving a login challenge for verification of their identity, such as a code sent to their mobile phone. The main security behavior here is that login is not completely blocked. If the user succesfully completes the login challenge, they can proceed. The requirements and behavior is different based on entry point of login (UI/Browser, or API). For UI/browser login, ser must go through a login challenge if coming from an IP outside the Organization Trusted range. After a succesful challenge, the user's client browser is now trusted and can login from any ip address without being challenged. This is accomplished with a unique cookie set on the client's browser. If the client's browser cookie is cleared, a login challenge will be required on login from an IP outside the Trusted range. This in effect turns the Trusted Login IP range into a type of Trusted client feature. For API login, in order to login from an IP outside the Organization Trusted range, the user must provide a security token appended to their password. Users can obtain their security token by changing their password or resetting their security token via the Salesforce user interface. Unlike the UI login, API login always requires the security token. 2. Profile level Trusted Login IP ranges: Administrators define a list of IP addresses from which users can log in. This list is defined per profile. The main security feature is that login is completely blocked if coming from an untrusted IP. Salesforce will require a security token for any unrecognized IP address. You can bypass this restriction by appending a security token to your password. 1. Setup -> Administer -> Security Controls -> Network Access 2. Create a new record with a Start IP Address and End IP Address equal to your Workbench instance from above. To determine our IP address, we can use the following approaches: 1. Use http://www.whatsmyip.org 2. Setup -> Administer -> Manage Users -> Login History To add a new IP range to the System Administrator profile, Setup -> Manage Users -> Profiles -> System Administrator -> Scroll to "Login IP Ranges" -> New As long as an IP range is defined on your user profile, logins can ONLY occur from within this range. While both choices have the ability to keep out a potential attacker, profile based login IP ranges is the stronger choice since there is no possibility to login outside of the entered login range. // Lock Session to Login IP: This setting allows administrators to require all requests to come from the IP the login was established from. This security feature was designed for high security environments to protect against a hijacked user's sessionid being used from another IP address. SECURITY TRADEOFFS: This feature comes with serious usability limitations, and is not a fit for most environments. Devices or applications that switch IP addresses frequently (e.g mobile devices on cell networks, or server side applications behind load balancers) can be affected when a new IP address not match the original IP address. Should the IP address change, a new login must be issued to get a new sessionid. Note that even if Trusted Login IP ranges is used in conjunction with this feature, all subsequent requests will required to originiate from IP address the initial login occured from. The feature will not use the full range of the Trusted Login IP ranges to verify. To Lock sessions to the IP address from which they originated: 1. Setup -> Security Controls -> Session Settings 2. Enable the "Lock sessions to the IP address from which they originated" permission. If we enabled the "Lock sessions to the IP address from which they originated" checkbox, and log into the application, we can no longer log into Workbench. This is because the sessionID is locked to the IP address where the initial login took place (the IP address of our browser is different from the IP address of the Workbench server). This results in the following: 1. If an attacker steals your sessionId, they cannot use it outside of the location where you originally logged in. In this way your security is improved. 2. You can no longer use handy plugins like the Workbench browser extension (due to the passing of the sessionId). This may reduce usability. 3. Mobile devices often roam from IP to IP. They would now be required to login at each new IP. This may significantly reduce usability.
page revision: 0, last edited: 02 Jan 2017 00:16