Join our live webinar "Secure Remote Access - Full Control and Compliance" on November 21 at 6 pm (GMT).
Join our live webinar "Secure Remote Access - Full Control and Compliance" on November 21 at 6 pm (GMT). Book your spot
Book your spot
Using a dedicated static IP address is considered best practice when enabling remote access for the workforce via VPN (Virtual Private Network). In this article, we will look at how to get a static IP address, what IP whitelisting is, and what the typical use cases are.
There are two main ways how to obtain a static IP address:
Both the ISP and business cloud VPN can provide you with a public static IP address. This IP address can be either dedicated or shared.
A shared static IP address is a single address used by several entities, i.e. tenants or organizations, which is convenient for the purposes of home users as shared IP addresses are often free.
However, a shared IP address is ill suited for security measures like IP whitelisting.
On the other hand, a dedicated IP address is completely private to one user or a group of users and is not shared with anyone outside your organization.
For this reason, it can be used for a variety of purposes ranging from routing to securing remote access.
Fig 1: Getting a gateway with dedicated static IP from a cloud VPN vendor is quite straightforward. Just be sure to select the closest one to preserve the best latency.
Fig 2: Once the gateway is selected, a public static IP is assigned to the user/device so that, i.e., it can be whitelisted on the server.
Besides home and local networks, you will see static IP addresses used by devices and services that want to be found.
A typical example are DNS servers which need to remain accessible to machines requiring DNS resolution services for navigating the internet.
Another example is direct access without a domain name. If you connect to a server using its static IP address, you can always do so even if the DNS service is unavailable or it has no domain name at all.
This is particularly useful in remote access scenarios for ensuring access via an access gateway of one kind or another (router, firewall, or a VPN server).
The latter concept is known as IP whitelisting.
IP whitelisting is a method of preventing unauthorized access by allowing only trusted IP addresses to connect to the system.
You can think of IP whitelisting as only giving one person or one family a key to the front door of your home, rather than giving everyone you know a key.
A prerequisite is a static IP address, as dynamic addresses change regularly, and therefore the whitelist would be outdated with each change, requiring extensive manual work to make continuous adjustments.
Using IP whitelisting (firewall/ACL/webserver/source code) on the server can easily hide online systems from the public. Such systems are only available to the users with the organization’s IP address, whether they connect from a private corporate network or through a VPN gateway.
Users connecting to the system from an unlisted IP address will be restricted.
Fig 3: In case you have an additional gateway, you can whitelist both static public IPs. But naturally, you can use only one based on your geolocation. Using different gateways is best practice for preserving low latency across regions.
There are several reasons why to use static IP when operating a network. The most common ones include network access restriction and remote access to services.
One of the most common use cases is restricting network access to your internet-facing services by using a firewall, where only whitelisted IP addresses are allowed to connect to the service.
Only with static IP can you define a firewall rule valid indefinitely.
When using a dynamic IP address, the firewall rule would become obsolete anytime the IP address changes. As a result, a whitelist update would be necessary (which implies extensive manual work in large networks).
Another common use case is when you host some service inside your local network and need to access it without geographical limitations.
Your ISP has a range of IP addresses. Without a static IP, you use one of their shared IP addresses that don’t uniquely represent your network.
Having a static IP address therefore allows you to connect from any remote location (local firewall rules apply), knowing the IP address is always the same and resting assured the connection remains available. This ensures the privacy of communications and helps to comply with regulations that require strict access control (ie. NIS2).
Data stored in the public cloud is protected by the provider along with the rest of their cloud infrastructure, but the business subscribing to the cloud hosting services is still responsible for the protection of their data during transit.
IP whitelisting is an effective method of establishing a trusted connection between the cloud and another key element of the company infrastructure, such as a VPN server.
Whitelisting makes the cloud resources perform quicker, easier to access, and more secure—since access would only be allowed from the trusted IP address.
Imagine you host services inside your local network, data center, or even in the cloud and need your employees to access them from anywhere.
It is possible to make the system available publicly, but it would make it vulnerable to network attacks (e.g. man-in-the-middle attacks, DoS and DDoS attacks, eavesdropping, data breach).
Therefore, it is reasonable to make your resources available only to known IP addresses (so-called IP whitelisting - see the box above) as part of security controls.
Without a static IP VPN, your users connect with one of your ISP’s shared IP addresses that don’t belong to your trusted IP range and don’t uniquely identify them as one of your internal employees.
With static IPs whitelisted by the server, like your CRM application server, users’ IP addresses always remain the same.
This is why users can connect from everywhere (local firewall rules apply) securely. Static IP is essentially a unique online ID of the user used for secure remote system access.
VPN creates a secure encrypted tunnel connection from a device to a VPN server based in the selected country (see business cloud VPN or Types of VPN blog to learn more).
A VPN service establishes a secure encrypted tunnel connection from a device to a VPN server based in the selected country.
The user device is assigned an actual static IP address, and all their data is routed via an encrypted tunnel.
This is the way to ensure users always have the same static IP wherever they connect from.
The IP address is fixed and dedicated to the user or a group of users, so only they can use it for accessing remote systems. This can be of critical importance in scenarios like port forwarding, where IP whitelisting remedies what would normally be a critical vulnerability.
Business Cloud VPN typically delivers:
A business VPN with a static IP address enables companies to deal with the current reality of work.
Employees often use unprotected devices and connect via non-company-owned infrastructures, which carries the risk of picking up malware and compromising access credentials.
However, even if bad actors do get a hold of your login information, it is not enough to breach your systems, because they connect from a different IP address than the whitelisted one.
A static IP VPN helps you implement a multifaceted security policy that not only places additional obstacles in the path of adversaries, but also makes life easier for you.
In GoodAccess, we invest our passion into developing a cybersecurity platform that is easy to deploy, easy to manage, and easy to use.
