The longer answer...
Anything can be faked - it just takes time, skill and effort. However, for some things the amount of time and effort far outweighs the possible gains - IP addresses generally fall into the second category, as the amount of effort to establish a *full connection* using a fake IP is extremely high.
Let's assume I'm an attacker and that it's obvious IP-based security is in effect on your application. At this point I'd start to look around at weak points elsewhere in the chain.
A trivial example would be that a client/customer/user has access to a machine which has been assigned an IP your application "trusts". Somehow a proxy server ends up installed on their machine (maybe they did it, maybe it was like that when they got it, maybe they have a weird virus, etc.) - assuming this proxy server was accessible to an attacker, they could use this to appear to be coming from a "trusted" address - neatly bypassing your IP security.
- Tony