xMatters understands that security is extremely important to you - and that means it's extremely important to us. We strive to support your security initiatives, and some of you have asked how to explicitly allow only the IP addresses that xMatters uses to communicate so that you can filter out traffic from other addresses.
Why filter IP addresses?
Some organizations and IT security departments use a mechanism where firewall or proxy rules are designed to limit network traffic to only IP addresses associated with your xMatters service. This can help to prevent communication from being hijacked or rerouted to a rogue website.
That's a good thing, right?
In fact, xMatters strongly discourages the use of IP filters. Our experience with providing emergency communications for incidents of all types, including disaster recovery and business continuity situations, has taught us that any mechanism that restricts the immediate and critical flow of communications can be a hindrance - especially in a crisis.
Although IP filtering is often seen as part of a "Defense-in-Depth" strategy for traffic shaping, the dynamic services offered by cloud providers - including xMatters - may not perform optimally with these strategies. (This is why filtering is generally used only for our EPIC client or Integration Agent, and not for the xMatters service or web user interface.) In fact, the high-availability protocols used by cloud services, such as geographic and high-IP-range load balancing, can produce a denial-of-service (DOS) issue if the load balancing systems require an IP change.
To help provide the best security possible without impacting the free flow of events and notifications, we provide a full range of application-level access management and control, including native and federated secure login, and data-in-transit protection via HTTPS/TLS.
We also encourage customers to employ domain-based filtering (*.xmatters.com) instead.
What if this is a security requirement?
If you have stringent security policies that require IP filtering, we provide the xMatters IP ranges in a machine readable format, available upon request from Customer Support.
This option does come with some caveats, however...
- You must explicitly allow ALL of the IP ranges provided. xMatters services can and will "move around" within the specified ranges.
- The list can change at any time, and you will need to implement a mechanism that either allows you to dynamically update your filters or notifies you when the list changes. (You can also "follow" this article using the button beside the title - we'll add a comment to this page whenever the IP ranges need to be updated.)
- We cannot tell when, how, or if you are filtering IPs on your system; you must be able to proactively identify whether you need to modify your own network settings.
- You must maintain and update this list in all applicable applications. If you are using IP filtering within an application that connects to xMatters (such as ServiceNow or another of our many available integrations), changes to the IP ranges could affect the ability to write information back into your application. You will need to make sure you handle these in-product lists over and above any filtering being performed at the firewall level.