One of our Marketo landing pages calls an external API to pass some information. For this, the external API client ID and secret are placed on the landing page.
In order to secure this setup, we are planning to use IP restrictions to only allow calls from the landing page to the external server. I just wanted to confirm if we should be concerned regarding IP Spoofing? Also, any other security risks involved with this approach?
Also, will there be extra concerns to do with shared Marketo IP?
You can't call webhooks from the LP. Webhooks are only called from flows (Call Webhook).
I think https://developers.marketo.com/webhooks/ would be useful.
Is there any other way for the API server to authenticate?
No, because you're creating a public page, accessible to anyone, that contains credentials that can be used from anywhere.
There is no way other than filtering based on source IP address for you to make those credentials safe to expose.
Since you don't have a known set of IP addresses, filtering on source IP is impossible.
Regarding 'The IP address of your Marketo instance will not be the source IP address of connections made by end users, so the question doesn't really make sense':
Since the landing page sits on Marketo, will the source IP of the API calls made via the landing page not be from the Marketo IP?
Of course not; the source IP is the person's external IP.
(Just like the source IP of your visits to this page, on Marketo Nation, isn't the IP address of the Jive Community server. It's your home/work IP.)
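The answer above makes the point that credentials placed on a public landing page are delivered to every visitor, and that a source-IP filter cannot help because the calls originate from each visitor's own IP. As an added example (not code from the thread or from Marketo), the following Python script scans a published page's HTML for credential-like literals inside inline scripts, the kind of check a defender can run against their own landing pages before publishing. The key names, the sample page, and the API host are constructed for the example and are not Marketo-specific.

```python
import re
from html.parser import HTMLParser

# Key names that commonly carry credentials in inline scripts.
# This list is an assumption for the example; extend it for your own naming conventions.
CREDENTIAL_KEYS = ("client_id", "clientid", "client_secret", "clientsecret",
                   "api_key", "apikey", "secret", "token", "password")

# key = "value" / key: "value" / "key": "value" with a value of at least 8 chars.
ASSIGN_RE = re.compile(
    r"""["']?(?P<key>[A-Za-z_][A-Za-z0-9_\-]*)["']?\s*[:=]\s*["'](?P<val>[^"']{8,})["']"""
)
# Bearer tokens pasted directly into an Authorization header.
BEARER_RE = re.compile(r"""Bearer\s+(?P<val>[A-Za-z0-9\-_\.=]{16,})""")


class _ScriptExtractor(HTMLParser):
    """Collects the raw text of every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands script bodies to handle_data, possibly in chunks.
        if self._in_script:
            self.scripts[-1] += data


def redact(value):
    """Show only the edges of a value so findings can be reported without re-leaking it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def find_exposed_credentials(html):
    """Return (key, redacted_value) pairs for credential-like literals in inline scripts.

    This is a heuristic: it will flag things like CSRF tokens too, which is acceptable
    for a pre-publish review where a human looks at each hit.
    """
    parser = _ScriptExtractor()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        for m in ASSIGN_RE.finditer(script):
            key = m.group("key")
            if key.lower().replace("-", "_") in CREDENTIAL_KEYS:
                findings.append((key, redact(m.group("val"))))
        for m in BEARER_RE.finditer(script):
            findings.append(("Authorization", redact(m.group("val"))))
    return findings


# Constructed sample of the insecure pattern described in the thread:
# API credentials embedded in the page and therefore sent to every visitor.
SAMPLE_LANDING_PAGE = """
<html><head><title>Demo landing page (constructed sample)</title></head>
<body>
<form id="lead"></form>
<script>
  // Constructed example: every visitor's browser receives these values.
  var API_BASE = "https://api.example.invalid/v1";
  var config = { "client_id": "lp-client-0001", "client_secret": "s3cr3t-value-do-not-ship" };
  fetch(API_BASE + "/leads", { headers: { Authorization: "Bearer abcdefghijklmnopqrstuvwxyz0123" } });
</script>
</body></html>
"""

if __name__ == "__main__":
    for key, value in find_exposed_credentials(SAMPLE_LANDING_PAGE):
        print(f"exposed credential in inline script: {key} = {value}")
```

Run it against the saved HTML of a landing page (for example, the output of fetching the published URL) before the page goes live; any hit means the value is visible to anyone who loads the page, regardless of what IP filter sits in front of the API. Because the calls are made by the visitor's browser, the API server sees the visitor's IP, not Marketo's, exactly as the answer above states.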