Access Control

Access control is used to help prevent unauthorized access to Kentik Detect. The following topics cover management of access control in the Kentik Detect portal:

• About Access Control
• Access Control Page

Access control is used to enhance security by allowing you to specify IPs and subnets that are granted access to Kentik Detect. Access is denied to all other IPs and subnets that attempt to connect. For greater flexibility, access settings may be set individually for each of the following Kentik Detect subsystems:

• Portal: Access via the Kentik Detect portal.
• Agent: Access via Kentik’s NetFlow Proxy Agent.
• API: Access via Kentik Detect APIs (see APIs Overview).
• Database: Access via PostgreSQL client (see Connecting to KDE).
  Note: psql access to KDE is now deprecated. For additional information, contact Kentik support.

The access control settings for all four subsystems are set on the Access Control Page. To open the page, click Admin in the portal navbar, then choose Access Control from the sidebar at left.

The Access Control page is covered in the following topics:

• Access Control UI
• Access Control Defaults

The Access Control page is home to the access control settings for the four Kentik Detect subsystems listed in About Access Control.

Each subsystem is represented by a card that contains the following UI elements:

• Access setting: A set of radio buttons that enable you to choose one of the following access control options for the subsystem:
  - Allow All: No restriction; the subsystem can be accessed from any IP or subnet.
  - Deny All except: The subsystem can be accessed only from the IP addresses and subnets listed in the whitelist field.
• Whitelist field (only shown if access setting is “Deny All except”): A comma-separated list of IP addresses and/or subnets that are granted access rights to this Kentik Detect subsystem. Access from all other IPs and subsystems will be denied.
• Save button: Click to save changes to access control setting for this subsystem.

Note: Access Control is based on the public IP from which you attempt to connect to a given Kentik subsystem, even if your client is on an RFC1918 private LAN or behind NAT. To determine the public IP, curl https://ipinfo.io/ip from the client.

The default access control setting varies depending on the Kentik Detect subsystem:

• Portal: Default is “Allow All.” Switch to “Deny All except” is recommended.
  Note: If you choose to switch to “Deny All except,” be sure to enter in the whitelist field the IP address from which you are connected or else your access will be denied when you click Save. Users who try to log in from an IP/subnet that is not whitelisted will see an “Unable to authenticate” notification on the Kentik Detect login page.
• Agent: Default is “Allow All.” Switch to “Deny All except” is recommended.
• API: Default depends on when the organization subscribed to Kentik Detect:
  - Subscribed before April 19, 2017: Default is “Allow All.”
  - Subscribed on or after April 19, 2017: Default is “Deny All except.” Before the API can be used, access must be enabled by whitelisting the IPs/subnets from which the API will be accessed.
• Database: Same as API.

To determine the IP address to whitelist when you connect to any of the above Kentik Detect subsystems:

• For portal, go to https://ipinfo.io/ip.
• For agent, API, or database, use the value returned from running the following code on the server that hosts the code that will be connecting to Kentik Detect:

curl https://ipinfo.io/ip