[keycloak-dev] Adaptive risk login

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Mon Aug 29 10:41:48 EDT 2016


>
> VPNs are certainly not the solution in all cases as more and more
> applications are exposed directly on the Internet everyday.

Very true (as are all your other statements), but my point about VPNs
wasn't that more people are using VPNs as a way to protect
applications (probably the opposite).  It's that VPNs can be easily
used to bypass many of the features of adaptive authentication.  Most
adaptive deployments I've seen rely on geo location mappings of IP
ranges to determine where users are logging in from.  Use an OpenVPN
into an Amazon/Google/Azure/Pick-Your-Favorite-Provider network and out
to the internet and that feature becomes useless.

Looking at the list Thomas provided, 6 of them can easily be spoofed
or circumvented:

VPNs from a private server in the cloud would circumvent these
- IP Address Range - if IP not in IP range raise risk
- IP Address History - if IP not in IP address history raise risk
- GeoLocation - if IP geolocation based on
http://www.maxmind.com/app/country is not from a certain area raise
risk

And these can be bypassed by a browser plugin:
- Known cookie - if a certain cookie + value not present raise risk
- Device cookie - if not a known or trusted device raise risk
- RequestHeader - if certain request header is not present raise risk

(additionally, many enterprises deploy GPOs that clear persistent
cookies, which is how a device cookie is implemented)

While these are certainly only examples of rules that can be used,
most of the really interesting rules require a considerable amount of
data and analysis to be useful. That data needs to be kept up-to-date
as does the analysis.

I'd amend your statement on layered security to be "effective" layered
security.  If someone is trusting a security mechanism that either
isn't kept updated as needed or is not providing the expected security,
it becomes a liability.  I've seen plenty of examples of folks relying on
a security mechanism that didn't supply nearly the security they
thought it did and it didn't work out too well.
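The six rules discussed in this message, scored the way a simple adaptive-risk engine would combine them, as an added example (this is not code from the post, from Thomas's list, or from Keycloak). It assumes a constructed policy: two allowlisted ranges taken from the RFC 5737 documentation blocks (one standing in for corporate egress, one for a cloud VPC the organisation allowlisted), a small prefix-to-country table standing in for the MaxMind lookup, and a hypothetical marker cookie, device cookie and request header. Three constructed login attempts are scored: the real user, an attacker with a stolen password coming from an unknown address with no cookies, and the same attacker tunnelling through a VPN on the allowlisted cloud range with a browser plugin replaying the victim's cookies and header. Only the IP-history rule survives the VPN-plus-plugin case, and because one rule is below the step-up threshold the engine "learns" the attacker's address on first login and scores the second attempt identically to the real user.

```python
import ipaddress
from dataclasses import dataclass, field

# --- Constructed policy (hypothetical values, not from any real deployment) ---
TRUSTED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # corporate egress (TEST-NET-3)
    ipaddress.ip_network("198.51.100.0/24"),  # allowlisted cloud VPC (TEST-NET-2)
]
ALLOWED_COUNTRIES = {"US"}
# Stand-in for a MaxMind country lookup: prefix -> ISO country code (constructed).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "XX",   # "somewhere else"
}
KNOWN_COOKIE = ("corp_session_marker", "v1")       # hypothetical cookie name/value
DEVICE_COOKIE_NAME = "kc_device"                   # hypothetical device cookie
REQUIRED_HEADER = ("X-Corp-Client", "desktop-agent")  # hypothetical header
RISK_THRESHOLD = 2   # step-up MFA when at least this many rules fire


@dataclass
class LoginRequest:
    ip: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class UserContext:
    ip_history: set = field(default_factory=set)     # IPs of past successful logins
    trusted_devices: set = field(default_factory=set)  # device cookie values issued


def geolocate(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return "??"


def risk_rules(req: LoginRequest, ctx: UserContext):
    """Evaluate the six rules from the thread; True means 'raise risk'."""
    addr = ipaddress.ip_address(req.ip)
    return [
        ("ip_range", not any(addr in net for net in TRUSTED_RANGES)),
        ("ip_history", req.ip not in ctx.ip_history),
        ("geolocation", geolocate(req.ip) not in ALLOWED_COUNTRIES),
        ("known_cookie", req.cookies.get(KNOWN_COOKIE[0]) != KNOWN_COOKIE[1]),
        ("device_cookie", req.cookies.get(DEVICE_COOKIE_NAME) not in ctx.trusted_devices),
        ("request_header", req.headers.get(REQUIRED_HEADER[0]) != REQUIRED_HEADER[1]),
    ]


def decide(req: LoginRequest, ctx: UserContext):
    """Return ('allow' | 'step_up', [names of rules that fired])."""
    fired = [name for name, hit in risk_rules(req, ctx) if hit]
    return ("step_up" if len(fired) >= RISK_THRESHOLD else "allow"), fired


def record_success(req: LoginRequest, ctx: UserContext):
    """What most engines do after a password-only login succeeds: remember the IP."""
    ctx.ip_history.add(req.ip)


# --- Constructed scenarios ---
def alice_context() -> UserContext:
    return UserContext(ip_history={"203.0.113.10"}, trusted_devices={"dev-abc123"})


VICTIM_COOKIES = {"corp_session_marker": "v1", "kc_device": "dev-abc123"}
VICTIM_HEADERS = {"X-Corp-Client": "desktop-agent"}


def legit_login():
    return decide(LoginRequest("203.0.113.10", dict(VICTIM_COOKIES), dict(VICTIM_HEADERS)),
                  alice_context())


def naive_attacker_login():
    # Stolen password, foreign address, nothing else replayed.
    return decide(LoginRequest("192.0.2.77"), alice_context())


def vpn_plugin_attacker_logins():
    # VPN egress inside the allowlisted cloud range + browser plugin replaying
    # the victim's cookies and header. Returns (first attempt, second attempt).
    ctx = alice_context()
    req = LoginRequest("198.51.100.5", dict(VICTIM_COOKIES), dict(VICTIM_HEADERS))
    first = decide(req, ctx)
    if first[0] == "allow":
        record_success(req, ctx)   # engine now "knows" the attacker's VPN address
    second = decide(req, ctx)
    return first, second


if __name__ == "__main__":
    print("legit:        ", legit_login())
    print("naive attacker:", naive_attacker_login())
    print("vpn+plugin:    ", vpn_plugin_attacker_logins())
```

The threshold and the learn-on-success behaviour are the parts worth staring at: each rule on its own is cheap to satisfy, so the only signal the VPN-and-plugin attacker cannot forge up front is the per-user IP history, and a threshold of two lets that single miss through and then erases it.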

