Restrict Access and Conceal Web Server IP Addresses
Avoid revealing server IPs and limit access exclusively to WAFs and authorised networks.
Plain language
This control is about keeping the actual location of your web servers a secret and making sure only the necessary security tools and trusted parties can access them. If you don't, malicious individuals could find and target your servers directly, leading to data breaches or downtime.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for gateways
Section
Web application firewalls
Official control statement
If using a WAF, disclosing the IP addresses of web servers under an organisation's control (referred to as origin servers) is avoided and access to the origin servers is restricted to the WAF and authorised management networks.
Why it matters
Exposed origin IPs let attackers bypass the WAF and hit web servers directly, increasing risk of compromise, data theft and outages.
Operational notes
Audit firewall/ACLs so only WAF egress IPs and authorised management networks can reach origin servers; block direct Internet access and remove leaked DNS records.
Implementation tips
- The IT team should ensure that the web servers are only accessible through a Web Application Firewall (WAF). They can do this by configuring the firewall settings to allow traffic only from the WAF to the servers, blocking all other direct access.
- System administrators should regularly update the access control list to include only authorised management networks. This means reviewing who currently needs access to the web servers and making changes as people join or leave the organisation.
- The IT security team should conduct routine tests to verify that the server IPs are not exposed. This can involve using online tools to scan what information about your server is publicly accessible and ensuring nothing private is revealed.
- Business managers should work with IT to ensure authorised networks are well-documented. They should maintain a clear list of who has access and why, updating this documentation regularly to reflect any changes in staff or roles.
- The IT manager should set up alerts on the firewall to notify them immediately of any unauthorised attempts to access the web servers. This involves configuring the firewall to monitor all access attempts and sending alerts based on predefined rules.
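As an added illustration of the audit described in the operational notes and tips above (not code from the original page), this script checks a constructed origin-server rule set against hypothetical WAF egress and management ranges, and flags public DNS records that would reveal the origin address. All addresses, rules and records are constructed sample data.

```python
import ipaddress

# Constructed sample data (not from the original page). Hypothetical allow-list the
# origin firewall/ACL should be reduced to: WAF egress ranges plus management networks.
WAF_EGRESS = ["203.0.113.0/24", "198.51.100.10/32"]
MGMT_NETWORKS = ["10.20.0.0/16"]
ORIGIN_IPS = {"198.51.100.77"}

# Constructed firewall rules as (action, source_cidr, dest_port), top to bottom.
RULES = [
    ("allow", "203.0.113.0/24", 443),   # WAF egress range: fine
    ("allow", "10.20.0.0/16", 22),      # authorised management network: fine
    ("allow", "0.0.0.0/0", 443),        # direct Internet access to the origin: finding
    ("allow", "192.0.2.0/24", 443),     # unlisted third party: finding
    ("deny", "0.0.0.0/0", 443),
]

# Constructed public DNS records as (name, type, value).
DNS_RECORDS = [
    ("www.example.com", "A", "203.0.113.5"),        # resolves to the WAF: fine
    ("origin.example.com", "A", "198.51.100.77"),   # publishes the origin address: finding
    ("example.com", "MX", "mail.example.com"),
]


def _covered(source, authorised):
    """True if every address in `source` lies inside one authorised network."""
    src = ipaddress.ip_network(source, strict=False)
    return any(src.version == a.version and src.subnet_of(a) for a in authorised)


def audit_rules(rules, waf_egress=WAF_EGRESS, mgmt=MGMT_NETWORKS):
    """Return allow rules whose source is not wholly inside a WAF or management range."""
    authorised = [ipaddress.ip_network(n) for n in waf_egress + mgmt]
    return [(src, port) for action, src, port in rules
            if action == "allow" and not _covered(src, authorised)]


def leaked_dns_records(records, origin_ips=ORIGIN_IPS):
    """Return A/AAAA records that publish an origin server address."""
    return [(name, value) for name, rtype, value in records
            if rtype in ("A", "AAAA") and value in origin_ips]


if __name__ == "__main__":
    for src, port in audit_rules(RULES):
        print(f"FINDING: allow from {src} to port {port} is outside WAF/management ranges")
    for name, value in leaked_dns_records(DNS_RECORDS):
        print(f"FINDING: DNS record {name} exposes origin address {value}")
```

Feed it the exported rule base and a zone export in the same tuple shape to use it as the recurring check the audit / evidence tips call for.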
Audit / evidence tips
- Ask: a network configuration diagram. Request a diagram showing how the web servers are connected to the WAF and authorised networks.
  Good: includes only the authorised pathways, with no direct public access to the servers.
- Ask: a list of access rules on the firewall. Request a document listing all firewall rules that allow or deny traffic.
  Good: contains rules that explicitly block all other traffic sources.
- Ask: records of access audits. Request the logs from recent audits monitoring who accessed the web servers.
  Good: includes regular, thorough audits with no unauthorised access detected.
- Ask: evidence of server IP address scans. Request reports from scans conducted to check whether server IP addresses are exposed.
  Good: shows regular scanning activity with no findings of exposed IPs.
- Ask: a list of authorised management networks. Request an updated and complete list of networks authorised to access the web servers.
  Good: has a recent date and correlates with the access rules on the firewall.
Cross-framework mappings
How ISM-1862 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.20 | ISM-1862 requires securing web hosting behind a WAF by avoiding disclosure of origin server IP addresses and restricting inbound connecti... | |
| Partially overlaps (1) | | |
| Annex A 8.22 | Annex A 8.22 requires segregating network groups to control access between services and systems | |
| Related (1) | | |
| Annex A 8.3 | Annex A 8.3 requires restricting access to information and associated assets in line with an access control policy | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.