
Review Network Zones Configuration for Improved Security Posture

Administration
Okta Classic Engine
Okta Identity Engine

Background

In pursuit of enabling simple and secure access to any technology, Okta Security periodically reviews customer implementations of Okta Sign-On Policies. The primary goal is to maintain a policy engine that steers Okta admins toward strong security outcomes.

During one of these reviews, Okta observed a Network Zone configuration that can weaken an organization's security posture in a way the admin who created it is unlikely to have intended.


The Vulnerability

The identified configuration is an IP Network Zone that designates the entire IPv4 internet (0.0.0.0-255.255.255.255) as a trusted proxy.

When a zone is configured this way, requests whose source address matches its trusted-proxy entries are not evaluated by ThreatInsight (Okta's baseline protection against high-volume, credential-based attacks). Because the listed range matches every possible source address, no sign-in request to the org is evaluated at all.


Security Impacts

Irrespective of the Multifactor Authentication (MFA) policies that protect access to resources, consider the potential impact of effectively switching ThreatInsight off:

  • Exposure to Credential-Based Attacks: Exempting every internet address from ThreatInsight leaves users exposed to credential-based attacks such as password spraying and credential stuffing, because the volume-based detection that would otherwise block or flag those attempts never runs.

  • Skewed Risk Scoring: ThreatInsight evaluations are a critical input to Okta's Risk Engine. Many Okta customers build different Sign-On Policies on top of these risk assessments, most often relaxing requirements for requests assessed as low risk and imposing higher-assurance controls on those deemed high risk. If ThreatInsight is bypassed, a high-risk sign-in can be assigned a lower risk score and sail through the relaxed policy path.

  • Fewer Detection Opportunities: Whether ThreatInsight runs in block/enforce mode or in audit/log mode, the signals it generates are surfaced in the System Log and in several dashboards within the Okta Admin Console. Choosing not to evaluate requests removes those signals entirely and reduces the opportunity to recognize and respond to security-relevant events.


Recommended Actions

  1. Review Network Zones: Audit the organization's current Okta Network Zone configurations, paying particular attention to the trusted-proxy entries of each IP zone.

  2. Remove the Trusted Proxy Rule: Okta recommends removing any rule that designates 0.0.0.0-255.255.255.255 as a trusted proxy. If a proxy genuinely sits in front of your users, list only that proxy's own addresses.

NOTE: If you are a Tecnics customer, please contact Tecnics for support to understand what impact this change will have on your use of the Tecnics service.
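The audit and clean-up steps above, together with the catch-all configuration described under The Vulnerability, as an added Python example that is not part of the Okta article or of any Okta tooling. It models zones the way the Okta Zones API (GET /api/v1/zones) returns them, flags any IP zone whose trusted-proxy entries cover the whole IPv4 address space (or an over-broad share of it), and builds the trimmed zone object that would be sent back with PUT /api/v1/zones/{id}. The sample zones with their names and ids, the org URL and API-token placeholders, the 65,536-address warning threshold, and the helper names are all constructed assumptions; the only real-world elements are the API paths, the SSWS authorization header, and the CIDR/RANGE entry shape.

```python
import ipaddress
import json
import urllib.request

# Constructed sample zones, shaped like objects returned by GET /api/v1/zones.
# Names and ids are invented for the example; they are not from any real tenant.
SAMPLE_ZONES = [
    {
        "id": "nzoExample0001", "name": "Corporate Egress", "type": "IP",
        "status": "ACTIVE",
        "gateways": [{"type": "CIDR", "value": "203.0.113.0/24"}],
        "proxies": [{"type": "RANGE", "value": "198.51.100.10-198.51.100.12"}],
    },
    {   # The configuration the article warns about: the whole internet as a trusted proxy.
        "id": "nzoExample0002", "name": "Everything Is A Proxy", "type": "IP",
        "status": "ACTIVE",
        "gateways": [],
        "proxies": [{"type": "RANGE", "value": "0.0.0.0-255.255.255.255"}],
    },
    {   # Same effect written as a CIDR instead of a range; must be caught too.
        "id": "nzoExample0003", "name": "Legacy Catch-all", "type": "IP",
        "status": "ACTIVE",
        "gateways": [],
        "proxies": [{"type": "CIDR", "value": "0.0.0.0/0"}],
    },
    {   # Dynamic zones carry no gateway/proxy lists and are skipped by the audit.
        "id": "nzoExample0004", "name": "Risky Locations", "type": "DYNAMIC",
        "status": "ACTIVE", "locations": [{"country": "XX"}],
    },
]

WHOLE_INTERNET_V4 = 2 ** 32


def entry_to_networks(entry):
    """Expand one zone entry ({"type": "CIDR"|"RANGE", "value": ...}) into networks."""
    if entry["type"] == "CIDR":
        return [ipaddress.ip_network(entry["value"], strict=False)]
    if entry["type"] == "RANGE":
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry["value"].split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    raise ValueError(f"unknown zone entry type {entry['type']!r}")


def proxy_coverage_v4(zone):
    """Count the distinct IPv4 addresses the zone's trusted-proxy entries cover."""
    nets = []
    for entry in zone.get("proxies") or []:
        nets.extend(n for n in entry_to_networks(entry) if n.version == 4)
    # collapse_addresses merges overlaps so a range listed twice is not double-counted.
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def audit_trusted_proxies(zones, warn_above=65536):
    """Return findings for IP zones whose trusted proxies cover too much address space.

    warn_above (a /16; an assumed threshold, tune it to your estate) separates
    'warning' from 'critical', the latter meaning the entire IPv4 internet is a
    trusted proxy and every sign-in request is exempt from ThreatInsight.
    """
    findings = []
    for zone in zones:
        if zone.get("type") != "IP":
            continue
        covered = proxy_coverage_v4(zone)
        if covered >= WHOLE_INTERNET_V4:
            severity = "critical"
        elif covered > warn_above:
            severity = "warning"
        else:
            continue
        findings.append({"id": zone["id"], "name": zone["name"],
                         "proxy_addresses": covered, "severity": severity})
    return findings


def strip_catch_all_proxies(zone):
    """Copy of the zone with every proxy entry that spans all of IPv4 (prefix /0) removed.

    The result is the body for PUT /api/v1/zones/{id}; Okta expects the full zone
    object on update, so every other field is preserved unchanged.
    """
    kept = [e for e in zone.get("proxies") or []
            if not any(n.version == 4 and n.prefixlen == 0 for n in entry_to_networks(e))]
    return {**zone, "proxies": kept}


def fetch_zones(org_url, api_token):
    """Fetch zones from a tenant; org_url and api_token are placeholders you supply.

    Larger tenants paginate: follow the Link rel="next" response header for the rest.
    """
    req = urllib.request.Request(
        f"{org_url}/api/v1/zones?limit=200",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_zones(...) for a real tenant.
    for f in audit_trusted_proxies(SAMPLE_ZONES):
        print(f"{f['severity'].upper():8} {f['id']} {f['name']!r} "
              f"proxies cover {f['proxy_addresses']} IPv4 addresses")
        zone = next(z for z in SAMPLE_ZONES if z["id"] == f["id"])
        print("  proposed proxies after clean-up:",
              json.dumps(strip_catch_all_proxies(zone)["proxies"]))
```

Run against the sample, the two catch-all zones are reported as critical and the corporate zone (three proxy addresses) is left alone; the dynamic zone is ignored because trusted-proxy entries only exist on IP zones. Before sending the trimmed object back, confirm with the application owner that nothing depends on the catch-all entry, which is exactly the coordination the Tecnics note above asks for.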

 

Further Reading on Trusted Proxies

When an admin creates an IP Network Zone in Okta, each address entry can be designated as either a Gateway IP or a Trusted Proxy IP. The distinction matters: a gateway is treated as the client itself, whereas a trusted proxy is treated as an intermediary that Okta looks past to find the real client address. Designating the entire internet as a trusted proxy therefore tells Okta to treat every address on the internet as a trustworthy intermediary.

To understand how ThreatInsight responds in either scenario, please review Okta's official whitepaper on ThreatInsight.
