Setting up Trusted IPs for Prime Comms

Requirements -

• The main objective of the project was to customize the miniOrange Drupal 2FA module to modify the “Mark Trusted IPs” feature, allowing Prime Comms to list trusted networks and bypass the 2FA requirement when users accessed the Drupal site from those networks. The solution needed to be flexible and easy to manage, providing Prime Comms with the ability to add and remove IP addresses from the list of Trusted IPs and configure the module to support additional authentication methods if needed in the future.
   
• miniOrange proposed a customized solution that involved installing and configuring the miniOrange Drupal 2FA module to support the feature allowing them to mark IPs as trustworthy. This would allow Prime Comms to add trusted networks to a list and bypass the 2FA requirement when users accessed the Drupal site from those networks.
   
• The solution also involved addressing the challenge posed by the load balancer in the network. miniOrange proposed applying rules through the WAF to obtain the base IP addresses required for the feature to work. 
   
• miniOrange also proposed providing a user-friendly interface for Prime Comms to manage the list of these trusted IPs and configure the module to support additional authentication methods if needed in the future. The solution would be flexible and easy to manage, providing Prime Comms with a secure and efficient solution that met their requirements and improved the overall security of their Drupal site.

Challenges -

• The primary challenge faced in this project was obtaining the base IP addresses from the client. There was a load balancer in the picture, which meant that the IP addresses were not readily available. Our team recommended applying rules through the Web Application Firewall (WAF) to obtain the base IP addresses directly to the module.

Implementation -

The miniOrange Drupal 2FA module was customized to support the requested feature by adding a Trusted IPs list field to the configuration settings. The module would read the list and allow the listed IPs to bypass the 2FA requirement.

To address the challenge posed by the load balancer, miniOrange proposed applying rules through the WAF to obtain the base IP addresses required for the feature to work. The miniOrange Drupal 2FA module would read the true client IP address and allow it to bypass the 2FA requirement if it was on the list of trusted IP addresses.
 

miniOrange developed a user-friendly interface for Prime Comms to manage the list of trusted IPs and configure the module to support additional authentication methods. The interface included a simple form that allowed Prime Comms to add and remove IP addresses from the list.

The final solution provided by miniOrange met all of Prime Comms' requirements and improved the overall security of their Drupal site. The Mark Trusted IPs feature provided the flexibility to not invoke 2FA for trusted IPs, while the user-friendly interface allowed Prime Comms to easily manage the IP list and configure the module to add and remove trusted IP addresses from the list as and when required.

Results - 

The implementation of the trusted IPs feature for Prime Comms' Drupal site using the miniOrange Drupal 2FA module was successful. The client was able to list specific IP addresses and ensure that 2FA was not required for those particular IP addresses. The solution exceeded the customer's expectations in terms of usability and manageability, and the client reported that their site's functionality was improved by the feature. The project demonstrated the importance of implementing security measures such as IP whitelisting to protect against cyber threats.

In conclusion, the miniOrange Drupal 2FA module provided Prime Comms with a flexible and secure solution for Marking Trusted IPs. Despite the challenges faced, our team was able to deliver a solution that met the client's requirements and improved the overall security of their Drupal site. Drupal's security features and the miniOrange Drupal 2FA module's flexibility made it the ideal solution for this project.