IP address access control

Apply an IP access control to outbound traffic, inbound traffic, or bidirectional traffic. The system only blocks an IP address if a matching Deny rule exists and no matching Allow rule exists. By default, there are no restrictions on access to your instance.

Product Documentation

Adaptive Authentication

Adaptive authentication is a policy framework to enforce contextual authentication controls to the right users at the right time. Adaptive authentication uses authentication policies to evaluate authentication requests and either deny or allow access to your instance based on the specified policy conditions.

Admins can use adaptive authentication policies and contexts to restrict access to the instance for users and APIs based on criteria like IP address, user role, and user group.

Product Documentation

Why migrate to Adaptive Authentication

1. Supports CIDR-based IP range definition
2. Use user attributes like role/group membership and authentication methods used for logging in to enforce granular restrictions.
3. Change the error code/message shown for blocked sessions.
4. Enforce step-authentication based on the IP range and user attributes

Activating Adaptive Authentication

Enable Adaptive Authentication (com.snc.adaptive_authentication) plugin

Enabling The System Properties

Steps: -

1. Open Adaptive Authentication > Properties
   
   1. Adaptive Authentication -> Authentication Policies -> Properties
2. Enable the following properties.
   
   1. Enable Authentication Policy
      
   2. Enable Device Trust Flow

Migrate IP Filter Criteria

1. If you already use the IP address access control feature, IP filter criteria can be created automatically by importing data from IP access control inbound IP ranges.
2. Go to System Security > IP address access control.

1. Click on the “Migrate to IP filter Criteria” related link. This will only appear if active IP ranges are available in the IP_access table for inbound IP restrictions.

1. Upon clicking on the UI action, a scheduled job (Migrate IP Address Controls to Adaptive Authentication IP Filter) will start in the background to migrate IP ranges to IP criteria. The job will create new IP criteria. Two IP criteria will be created if both allow and deny ranges are defined.
   
   1. Is allow Migrated IP Filter
      
      1. Consist of all active inbound IP ranges that are of “Allow” Type
         
   2. Is deny Migrated IP Filter
      
      1. Consist of all active inbound IP ranges that are of “Deny” Type

Another example

1. You can go ahead and rename the filter as needed.
2. Once you have migrated the IP ranges, the related link will disappear.

Create IP Filter Criteria

1. If IP ranges are not defined as part of IP access control feature, then the admin can manually create IP criteria.
2. Navigate to Adaptive Authentication -> IP Filter Criteria
3. Create an IP filter as desired. Product doc

Steps To Configure Policy

1. Navigate to Adaptive Authentication -> Pre-Authentication Context
2. Change the Default Policy to “Allow Policy” and observe that the “Allow policy” is mapped to Allow Access Policy.

1. Open the Allow Access Policy reference record; click on the Edit button for Policy Input.
2. Select the IP filter created/migrated in the last step
3. Also, select the Trusted Mobile app filter and save the record.
4. Open Policy Conditions, and click on the “New” button
5. Create OR condition as below
   
   1. The trusted IP range is true, OR the Trusted Mobile app is true.

1. Save the Condition
2. Instance access would be allowed from all the devices connecting from a trusted network. Access originating from untrusted networks would be allowed only from trusted mobile apps. All non-trusted mobile app access would be blocked from untrusted networks.
3. Users would be forced to undergo the device registration process upon accessing the instance from Mobile apps.

Deactivate IP address access control

1. Deactivate all inbound IP ranges, as you have already migrated to pre-auth

Mobile App Registration Process

1. Users will see the device registration screen when clicking on the instance name.
2. Users must open another session from a desktop/laptop connected to the trusted network.
3. Click on the "Register a trusted mobile device" related link in the user profile section.

1. Click on Add New Trusted Device Link

1. Scan the QR code from the mobile app
2. Upon successful validation, the device will be registered to the user account, and the user will be redirected to the login page.

After completing these steps users connecting from the trusted mobile device would be able to access the instance from outside the trusted network as well.

Labels:

• Platform and Cloud Security