On 29 August 2016 at 19:06, Marc Boorshtein <marc.boorshtein@tremolosecurity.com> wrote:
>> >
>> > VPNs are certainly not the solution in all cases as more and more
>> > applications are exposed directly on the Internet everyday.
>>
>> Very true (as are all your other statements) but my point about VPNs
>> wasn't that more people are using VPNs as a way to protect
>> applications (probably the opposite).  It's that VPNs can be easily
>> used to bypass many of the features of adaptive authentication.  Most
>> adaptive deployments I've seen rely on geolocation mappings of IP
>> ranges to determine where users are logging in from.  Use an OpenVPN
>> into an Amazon/Google/Azure/Pick-Your-Favorite-Provider network and out
>> to the internet and that feature becomes useless.
>
>
> Yep, that's an issue. There's also bot farms as well. Not many people will
> issue an attack from their home address.
>
> Still has some level of protection. For example VPNs are costly, tend to be
> rate limited.

If you're talking about a DDoS or script kiddies just running massive
sets of scripts against a target, sure but I don't think KC (or any
authentication system) will be what stops that.  That'll be a
combination of network infrastructure and web application firewalls
screening out specific exploits.  Where the value of adaptive auth
would I think be more likely is a targeted attack with a known set of
credentials where a set of actors is trying to leverage something they
have to get elevated privileges.  In which case getting a single
OpenVPN running on an AWS account could cost as little as a few
dollars and circumvent many of the risk barometers based on source IP.


>
>
> It does depend on what level of protection you are looking for. If it's for
> a web application and you're trying to block out script kiddies and other
> people looking for easy targets the rules don't have to be that complex.
>

Sure, but I don't think KC (or any authentication system) is going to
stop a script kiddie.  The vulnerabilities they are generally going
after are known exploits that haven't been patched and don't require
authentication.  Just watch the logs for a known WordPress site and
you won't see any requests for authentication from trollers (unless
it's with a specific exploit).  You'll see reams of trying to hit
wp-admin with known exploits to bypass authentication altogether.

It's certainly not going to stop attacks going after known exploits. The only real defense against that is limiting what's exposed and making sure everything that is exposed always has the latest security patches. The latter is one good reason for using a supported product rather than a community project, as you are able to get patches to older versions as well as retrieve patches prior to the vulnerabilities being made public.

Adaptive authentication could for instance stop someone trying to use common passwords with a list of known usernames. We have a rather naive brute force protection in Keycloak that prevents that to some degree, but it's far from sophisticated enough. For example it prevents many guesses to one user, but not few guesses to many users. However, that would more likely be the job of an intrusion detection system and firewalls to stop those types of attacks in either case.

Even looking at the articles mentioned, everything is theoretical.
Adaptive authentication has been around for at least 8-10 years, you'd
think if it were used to great success there would be more success
stories rather than theories.  The new part they point out is the
addition of machine learning to the process to make more intelligent
decisions, which makes sense.  Something like Google's new captcha
system.  KC would make a great integration tool for something like
that.

You're right. Simple rules like an IP range are just not going to cut it. Much more complex and intelligent processing of data is required. If the rules are too defensive you also end up blocking legitimate users. In which case you need a way for the legitimate user to prove they are who they say they are. In which case you can send a mail or even use Google's reCAPTCHA. Even sending an email when you've detected a login from a new machine is useful to at least detect malicious access.

One thing we should at least do is to add a device cookie which includes the user-id that is signed with the realm key. This would allow us to identify a device that has been used before. If we detect a new device we can introduce options such as send an email to verify the device, display a reCAPTCHA or even simply send an email to the user to notify about the login.
ps: great conversation, really enjoy these types of discussions

+1000
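The "many guesses to one user, but not few guesses to many users" gap described in the thread, shown as detection logic over constructed failed-login events. This is an added illustration, not code from Keycloak or from either participant; the log line shape (key=value pairs after a timestamp), the IP addresses, usernames and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. The key=value shape is an assumption for this
# example, not Keycloak's real event format; timestamps and addresses are invented.
SAMPLE_LOG = """\
2016-08-29T19:00:01 type=LOGIN_ERROR, ipAddress=198.51.100.7, username=bob
2016-08-29T19:00:05 type=LOGIN_ERROR, ipAddress=198.51.100.7, username=bob
2016-08-29T19:00:09 type=LOGIN_ERROR, ipAddress=198.51.100.7, username=bob
2016-08-29T19:00:14 type=LOGIN_ERROR, ipAddress=198.51.100.7, username=bob
2016-08-29T19:00:20 type=LOGIN_ERROR, ipAddress=198.51.100.7, username=bob
2016-08-29T19:00:26 type=LOGIN_ERROR, ipAddress=198.51.100.7, username=bob
2016-08-29T19:01:00 type=LOGIN_ERROR, ipAddress=203.0.113.5, username=alice
2016-08-29T19:01:03 type=LOGIN_ERROR, ipAddress=203.0.113.5, username=carol
2016-08-29T19:01:06 type=LOGIN_ERROR, ipAddress=203.0.113.5, username=dave
2016-08-29T19:01:09 type=LOGIN_ERROR, ipAddress=203.0.113.5, username=erin
2016-08-29T19:01:12 type=LOGIN_ERROR, ipAddress=203.0.113.5, username=frank
2016-08-29T19:01:15 type=LOGIN_ERROR, ipAddress=203.0.113.5, username=grace
2016-08-29T19:02:00 type=LOGIN_ERROR, ipAddress=192.0.2.9, username=heidi
2016-08-29T19:02:30 type=LOGIN, ipAddress=192.0.2.9, username=heidi
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_log(text):
    """Turn each line into (timestamp, {field: value}); lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        fields = dict(kv.split("=", 1) for kv in m.group(2).split(", "))
        events.append((ts, fields))
    return events


def failed_login_alerts(events, per_user_max=5, spray_users_max=5,
                        window=timedelta(minutes=10)):
    """Two sliding-window rules over LOGIN_ERROR events.

    'lockout' mimics the naive per-user rule: N failures for one username
    inside the window.  'spray' is the rule the per-user check misses: one
    source address failing against N *distinct* usernames inside the window,
    even though every individual user stays below per_user_max.
    """
    failures = sorted(
        (ts, f["ipAddress"], f["username"])
        for ts, f in events if f.get("type") == "LOGIN_ERROR"
    )
    lockout, spray = set(), set()
    for i, (ts, ip, user) in enumerate(failures):
        # Everything up to and including this event that falls inside the window.
        recent = [e for e in failures[:i + 1] if ts - e[0] < window]
        if sum(1 for e in recent if e[2] == user) >= per_user_max:
            lockout.add(user)
        if len({e[2] for e in recent if e[1] == ip}) >= spray_users_max:
            spray.add(ip)
    return {"lockout": lockout, "spray": spray}


if __name__ == "__main__":
    print(failed_login_alerts(parse_log(SAMPLE_LOG)))
```

With the sample data, only `bob` trips the per-user rule, while `203.0.113.5` is caught solely by the distinct-username rule: each of its six targets saw a single failure, which is exactly the pattern the thread says the current protection does not see. A per-source rule of this kind is easy to bypass from a pool of VPN or cloud addresses, as the thread also notes, so it complements rather than replaces per-user protection.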
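The device cookie proposed above (user id signed with the realm key, so a returning device can be recognised and a new one can trigger an email or a reCAPTCHA), worked through as an added example that is not Keycloak code and was not written by either participant. The HMAC key is a constructed stand-in for a realm key, the payload layout and the `classify_login` outcomes are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for a realm signing key; a real deployment would use the
# realm's own key material, never a literal in source.
REALM_KEY = b"constructed-realm-hmac-key-for-example-only"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_device_cookie(user_id: str, key: bytes = REALM_KEY, now=None) -> str:
    """Build 'payload.signature' binding a fresh random device id to the user."""
    payload = {"uid": user_id, "did": secrets.token_hex(8), "iat": int(now or time.time())}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_device_cookie(cookie: str, key: bytes = REALM_KEY):
    """Return the payload dict when the signature checks out, otherwise None."""
    try:
        body, sig = cookie.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so signature checking does not leak timing.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(body))
    except (ValueError, binascii.Error):
        return None


def classify_login(user_id: str, cookie, key: bytes = REALM_KEY) -> str:
    """Decide what the login flow should do with the presented cookie.

    'known-device': valid signature and issued for this user -> proceed.
    'new-device'  : no cookie, or a valid cookie issued for another user
                    (shared machine) -> verify by email / reCAPTCHA, or notify.
    'tampered'    : present but fails verification -> treat as new device and log it.
    """
    if cookie is None:
        return "new-device"
    payload = verify_device_cookie(cookie, key)
    if payload is None:
        return "tampered"
    if payload.get("uid") != user_id:
        return "new-device"
    return "known-device"


if __name__ == "__main__":
    c = issue_device_cookie("alice")
    print(classify_login("alice", c), classify_login("bob", c), classify_login("alice", None))
```

Signing with the realm key is what makes the cookie useful: a client cannot mint a cookie that claims a device is already known, and a cookie copied to another user's login is recognised as foreign rather than trusted. The cookie only says "this browser has logged in as this user before"; it says nothing about whether the login is legitimate, which is why the thread pairs it with a verification or notification step rather than using it as an authentication factor.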