xMatters understands that security is extremely important to you - and that means it's extremely important to us. We strive to support your security initiatives, and some of you have asked about using a technique called IP white-listing or whitelisting.
What is IP whitelisting?
IP whitelisting is a mechanism where firewall or proxy rules are designed to limit network traffic to only IP addresses associated with your xMatters service. This can help to prevent communication from being hijacked or rerouted to a rogue website.
That's a good thing, right?
In fact, xMatters strongly discourages the use of IP whitelisting. Our experience with providing emergency communications for incidents of all types, including disaster recovery and business continuity situations, has taught us that any mechanism that restricts the immediate and critical flow of communications can be a hindrance - especially in a crisis.
Although IP whitelisting is often seen as part of a "Defense-in-Depth" strategy for traffic shaping, the dynamic services offered by cloud providers - including xMatters - may not perform optimally with these strategies. (This is why whitelisting is generally used only for our EPIC client or Integration Agent, and not for the xMatters service or web user interface.) In particular, the high-availability protocols used by cloud services, such as geographic and high-IP-range load balancing, can produce a denial-of-service (DoS) issue if the load-balancing systems require an IP change.
To help provide the best security possible without impacting the free flow of events and notifications, we provide a full range of application-level access management and control, including native and federated secure login, and data-in-transit protection via HTTPS/TLS.
We also encourage customers to employ domain-based whitelisting (*.xmatters.com) instead.
What if whitelisting is a security requirement?
If you have stringent security policies that require IP whitelisting, we can provide the xMatters On-Demand IP ranges upon request.
This option does come with some caveats, however...
- You must whitelist all of the IP ranges provided. xMatters services can and will "move around" within the specified ranges.
- The list can change at any time, and you will need to implement a mechanism that either allows you to dynamically update the whitelist or notifies you when the list changes.
- We cannot tell when, how, or if you are using IP whitelisting on your system - you must be able to proactively identify whether you need to modify your own network settings.
- You must maintain and update this list in all applicable applications. If you are using IP whitelisting within an application that connects to xMatters (such as ServiceNow or another of our many available integrations), changes to the IP ranges could affect the ability to write information back into your application. You will need to make sure you handle these in-product whitelists over and above any filtering being performed at the firewall level.
To get the list of IP ranges used by xMatters On-Demand, contact xMatters Client Assistance.
A note about our upcoming hosting improvements...
As detailed in this article, we'll be making some substantial improvements and enhancements to our hosting services, beginning in May and continuing into 2019. As part of these changes, the list of IP ranges required by xMatters will change and expand. All of the caveats listed above will still apply!
If you are using IP whitelisting, you can obtain an updated list of IP ranges in JSON format (making it machine-readable) from Client Assistance prior to the upgrades in your region. See the linked articles for the schedule.
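One way to act on the caveats above when a new JSON list arrives, shown as an added example that is not xMatters code: it reports which ranges were added or removed, which required ranges your firewall does not yet cover, and which firewall rules are now stale. The {"ranges": [...]} layout, the sample addresses and the function names are assumptions; the page does not describe the real file's schema.

```python
import ipaddress
import json

# Constructed sample data (RFC 5737 documentation ranges, not real xMatters ranges).
# The {"ranges": [...]} layout is an assumption; adapt load_ranges() to the real file.
OLD_JSON = '{"ranges": ["192.0.2.0/24", "198.51.100.0/24"]}'
NEW_JSON = '{"ranges": ["198.51.100.0/24", "203.0.113.0/24"]}'
# What the firewall currently allows (constructed); note the /24 split into two /25 rules.
FIREWALL = ["192.0.2.0/24", "198.51.100.0/25", "198.51.100.128/25"]


def net_key(net):
    # Sort IPv4 before IPv6; networks of different versions cannot be compared directly.
    return (net.version, net)


def load_ranges(doc):
    """Parse the JSON list into network objects; malformed CIDRs raise ValueError."""
    return {ipaddress.ip_network(cidr) for cidr in json.loads(doc)["ranges"]}


def diff_ranges(old, new):
    """Return (added, removed) between two published lists."""
    return sorted(new - old, key=net_key), sorted(old - new, key=net_key)


def merged(nets, version):
    # Merge adjacent/overlapping rules so split rules still count as coverage.
    return list(ipaddress.collapse_addresses(n for n in nets if n.version == version))


def uncovered(required, allowed):
    """Networks in `required` that no (merged) network in `allowed` fully contains."""
    out = []
    for v in (4, 6):
        cover = merged(allowed, v)
        out += [r for r in required
                if r.version == v and not any(r.subnet_of(c) for c in cover)]
    return sorted(out, key=net_key)


if __name__ == "__main__":
    old, new = load_ranges(OLD_JSON), load_ranges(NEW_JSON)
    rules = {ipaddress.ip_network(r) for r in FIREWALL}
    added, removed = diff_ranges(old, new)
    print("added:", added, "removed:", removed)
    print("missing from firewall:", uncovered(new, rules))   # would block the service
    print("stale firewall rules:", uncovered(rules, new))    # no longer needed
```

Run the same comparison against any in-product whitelists (for example in an integrated application), since those are maintained separately from the firewall rules.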
xMatters internal reference: DOC-7432