Salesforce Developer Security Trusted Ip Ranges

// Trusted Login IP Ranges:

The Salesforce platform allows administrators to define IP ranges that are 
trusted.  Users who log in from a defined IP range are trusted and the login 
operation proceeds normally.  It is important to understand that this only 
covers login operations.  If a user already has a valid session ID, they can 
make requests from IPs not in the trusted range.  An additional security 
feature covers this scenario: "Lock sessions to originating login IP". 

There are two ways Trusted IP ranges can be defined, and each has unique 
security features:

1. Organization level Trusted Login IP ranges: Administrators define a list of 
   IP addresses from which users can log in without receiving a login challenge 
   for verification of their identity, such as a code sent to their mobile 
   phone.  The main security behavior here is that login is not completely 
   blocked.  If the user successfully completes the login challenge, they can 
   proceed.  The requirements and behavior differ based on the entry point of 
   the login (UI/browser or API).

   For UI/browser login, the user must go through a login challenge if coming 
   from an IP outside the Organization Trusted range.  After a successful 
   challenge, the user's client browser is trusted and can log in from any IP 
   address without being challenged.  This is accomplished with a unique cookie 
   set on the client's browser.  If the client's browser cookie is cleared, a 
   login challenge will be required on login from an IP outside the Trusted 
   range.  This in effect turns the Trusted Login IP range into a type of 
   Trusted client feature. 

   For API login, in order to log in from an IP outside the Organization 
   Trusted range, the user must provide a security token appended to their 
   password.  Users can obtain their security token by changing their password 
   or resetting their security token via the Salesforce user interface.  Unlike 
   the UI login, API login always requires the security token.

2. Profile level Trusted Login IP ranges: Administrators define a list of IP 
   addresses from which users can log in.  This list is defined per profile.  
   The main security feature is that login is completely blocked if coming from 
   an untrusted IP.

Salesforce will require a security token for any unrecognized IP address.  You 
can bypass this restriction by appending a security token to your password.

To add an address to the organization level trusted range instead:

1. Setup -> Administer -> Security Controls -> Network Access
2. Create a new record with a Start IP Address and End IP Address equal to the 
   IP address of your Workbench instance from above. 

To determine our IP address, we can use the following approaches:

1. Use http://www.whatsmyip.org

2. Setup -> Administer -> Manage Users -> Login History

To add a new IP range to the System Administrator profile, Setup -> Manage 
Users -> Profiles -> System Administrator -> Scroll to "Login IP Ranges" -> New

As long as an IP range is defined on your user profile, logins can ONLY occur 
from within this range.

While both choices can keep out a potential attacker, profile based login IP 
ranges are the stronger choice, since there is no possibility of logging in 
from outside the entered login range.

// Lock Session to Login IP:

This setting allows administrators to require all requests to come from the IP 
the login was established from. This security feature was designed for high 
security environments to protect against a hijacked user's sessionid being used 
from another IP address.

SECURITY TRADEOFFS:

This feature comes with serious usability limitations, and is not a fit for most 
environments.  Devices or applications that switch IP addresses frequently 
(e.g., mobile devices on cell networks, or server side applications behind load 
balancers) can be affected when a new IP address does not match the original IP 
address.  Should the IP address change, a new login must be issued to get a new 
sessionid.

Note that even if Trusted Login IP ranges are used in conjunction with this 
feature, all subsequent requests will be required to originate from the IP 
address the initial login occurred from.  The feature will not use the full 
range of the Trusted Login IP ranges to verify.

To Lock sessions to the IP address from which they originated:

1. Setup -> Security Controls -> Session Settings

2. Enable the "Lock sessions to the IP address from which they originated" 
   permission.

If we enable the "Lock sessions to the IP address from which they originated" 
checkbox and log into the application, we can no longer log into Workbench.  
This is because the sessionId is locked to the IP address where the initial 
login took place (the IP address of our browser is different from the IP 
address of the Workbench server).  This results in the following:

1. If an attacker steals your sessionId, they cannot use it outside of the 
   location where you originally logged in. In this way your security is 
   improved.

2. You can no longer use handy plugins like the Workbench browser extension (due 
   to the passing of the sessionId). This may reduce usability.

3. Mobile devices often roam from IP to IP. They would now be required to log 
   in at each new IP. This may significantly reduce usability.
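
The following Python model is an added example, not Salesforce code. It walks a 
login attempt through the organization level and profile level rules described 
above, then applies the session lock check to later requests. The function 
names, outcome labels, sample addresses, and the order in which the two levels 
are evaluated are assumptions of the model.

```python
from ipaddress import ip_address

# Constructed sample ranges (documentation addresses), inclusive start/end
# pairs like the Start IP Address / End IP Address fields in Setup.
ORG_RANGES = [("203.0.113.0", "203.0.113.255")]
PROFILE_RANGES = [("198.51.100.10", "198.51.100.20")]

def in_ranges(ip, ranges):
    """True if ip lies inside any inclusive (start, end) range."""
    addr = ip_address(ip)
    for start, end in ranges:
        lo, hi = ip_address(start), ip_address(end)
        if addr.version == lo.version == hi.version and lo <= addr <= hi:
            return True
    return False

def login_decision(ip, entry_point, org_ranges, profile_ranges=(),
                   browser_cookie=False, token_appended=False):
    """Outcome of a login attempt under the rules described on this page."""
    # Profile level: once a range is defined, logins outside it are blocked.
    # Assumption of this model: the profile check runs before the org check.
    if profile_ranges and not in_ranges(ip, profile_ranges):
        return "BLOCKED"
    # Organization level: inside the range, no challenge and no token.
    if in_ranges(ip, org_ranges):
        return "ALLOWED"
    if entry_point == "UI":
        # A previously challenged browser carries the trust cookie.
        return "ALLOWED" if browser_cookie else "CHALLENGE"
    if entry_point == "API":
        # No cookie equivalent: the token is needed on every such login.
        return "ALLOWED" if token_appended else "TOKEN_REQUIRED"
    raise ValueError(f"unknown entry point: {entry_point!r}")

def request_allowed(login_ip, request_ip, lock_to_login_ip):
    """Post-login check: with the lock on, only the exact login IP passes."""
    if not lock_to_login_ip:
        return True  # a valid session ID works from any address
    return ip_address(request_ip) == ip_address(login_ip)

if __name__ == "__main__":
    print(login_decision("192.0.2.5", "UI", ORG_RANGES))        # outside org range
    print(login_decision("192.0.2.5", "API", ORG_RANGES, PROFILE_RANGES,
                         token_appended=True))                  # outside profile range
    print(request_allowed("203.0.113.7", "203.0.113.8", True))  # same range, other IP
```

The last call shows the point made in the tradeoffs section: two addresses in 
the same trusted range still fail the session lock, because the lock compares 
against the single login IP rather than the range.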