Title

Okta must be configured with Network Zones defined to block anonymized proxies according to organizationally defined policy. (Cat II impact)

Discussion

A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all application information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data. Application-specific examples of enforcement occurs in systems that employ rule sets or establish configuration settings that restrict information system services, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy. Working with the organizational CSSP, the ISSM should obtain a list of known anonymizer proxies that exist on the commercial internet. If this is not available from the CSSP, then the Okta-provided "Enhanced dynamic zone blocklist" should be activated.

Check Content

From the Admin Console: 1. Select the "Security" menu, and then click the "Networks' item. 2. If the CSSP has provided a list of anonymizers to block, verify the "IP Block list" is configured with them. a. Click the pencil icon next to IP Block list. b. Verify the "Gateway IPs" section contains all of the IP ranges in the provided list. 3. If the CSSP is not able to provide a list, then implement the Okta managed list. a. Verify the "Enhanced dynamic zone blocklist" is set to "Active". If Network Zones are not configured to block anonymous proxies, this is a finding.

Fix Text

From the Admin Console: 1. Select the "Security" menu, and then click the "Networks" item. 2. If the CSSP has provided a list of anonymizers to block, add the IP ranges to the "IP Block list". a. Click the pencil icon next to IP Block list. b. Add the IP ranges to the "Gateway IPs" section and click "Save". 3. If the CSSP is not able to provide a list, then implement the Okta managed list. a. Set the "Enhanced dynamic zone blocklist" to "Active".

Additional Identifiers

Rule ID: SV-279692r1155075_rule

Vulnerability ID: V-279692

Group Title: SRG-APP-000039

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.