Oracle® Adaptive Access Manager Reference Guide Release 10g (10.1.4.5) Part Number E12054-03
This chapter describes the base security models contained in the Oracle Adaptive Access Manager package. These models contain both the business and the security rules necessary for basic operation. Additional models are available as needed for advanced security.
With additional effort and time, the base models can be extended to support deployment-specific requirements, such as additional data types, transaction runtimes and rules.
Security models contain the security rules, which can be enforced universally across all users or restricted to a specific list of user groups. The security rules make decisions based on a risk evaluation of the time, user, device, and location information of the attempt.
The security rules are based on known risk conditions and potentially risky behavior and are categorized into the following models:
Fraud - Cant Challenge
Fraud - Challenge
Risky IP nested model
System - Post Blocking
System - Pre Blocking
System - Questions Check
System Challenge Question
System Forgot Password
Assumptions
A registered user is a user who has an image, a phrase, and challenge questions on file. Users answer challenge questions using the QuestionPad.
The base models and rules described below assume that groups are pre-populated with data (for example, IP Intelligence data or a list of device IDs) in the Oracle Adaptive Access Manager Engine. Some of this data is not provided with Oracle Adaptive Access Manager and must be acquired from third-party providers.
Not all deployments need all of these base rules. Rules can be deleted if they are not wanted.
Fraud - Cant Challenge
This post-authentication model is applied to users with no challenge questions active. Because these users cannot be challenged, most rules only generate alerts; only the anonymizer and risky connection type rules block.

Rule | Description | Conditions | Action Group | Alert Group
---|---|---|---|---
Device 1st time for user | Triggers if this device has not been successfully used by this user before. | Device: Device first time for user. If this device is used for the first time by this user | None | User 1st time on device
Device multiple users | Triggers if multiple users use the same device within a short time frame. | Device: Login count. Check unique user count using this device in past x seconds | None | Device Multiple Users
From anonymizer | Triggers if the login comes from an anonymizer. | Location: IP routing type. Routing type for the IP; can be fixed/static, anonymizer, AOL, POP, Super POP, Satellite, Cache Proxy, International Proxy, Regional Proxy, Mobile Gateway or Unknown | Block | Anonymizer IP
IP with max users | Triggers if more than the maximum number of users log in from one IP. Does not trigger for users coming from AOL. | Location: IP in group. If the IP is in the IP group; Location: IP is AOL. Check whether the IP is an AOL proxy; Location: IP Max Users. Maximum number of users using the current IP address within the given time duration | None | IP Multiple Users
Max devices for user | Triggers if a user uses more than the allowed number of devices within the specified time. | User: Devices. Number of devices tried in given time | None | max devices for users
Monitor countries | Triggers if the login is from one of the monitored countries. | Location: In Country group. If the IP is in the given country group | None | Monitored Country
Risky connection type | Triggers if the connection type was previously deemed high risk. | Location: IP Routing Type in group. Check whether the IP routing type is in the group | Block | Risky Connections
Unsuccessful from device | Triggers if there are more than the maximum number of unsuccessful attempts from a device within the set time. | Device: Timed not status. Maximum login attempts for all but the given status within the given time period | None | Device: Many Failures
User not from city | Triggers if the user has not logged in from this city within the time specified. | User: Location Used Timed. If user used this location within the given time period | None | User not from city
User not from state | Triggers if the user has not logged in from this state within the time specified. | User: Location Used Timed. If user used this location within the given time period | None | User not from state
Fraud - Challenge
These rules run for users who have opted in to challenge questions (answered using the TextPad). Where a rule triggers, the user is challenged rather than blocked; the Risky IP? rule has no action or alert of its own and only routes the user to the Risky IP nested model.

Rule | Description | Conditions | Action Group | Alert Group
---|---|---|---|---
Device 1st time for user | Triggers if this device has not been successfully used by this user before. | Device: Device first time for user. If this device is used for the first time by this user | ChallengeQuestionPad | User 1st time on device
Device IP surge | Triggers if a device has not used an IP recently and a sudden surge of traffic occurs. | Device: Device in group. Check whether this device is in the group; Device: Excessive use. Device is excessively used but not used before | ChallengeQuestionPad | Device_IP surge
Device max velocity | Triggers if the device's current login is farther from its last login than could be travelled at jet speed in the elapsed time. | Device: Velocity from last login. Triggers when miles per hour is more than the specified value | ChallengeQuestionPad | Device max velocity
Device multiple users | Triggers if multiple users use the same device within a short time frame. | Device: Login count. Check unique user count using this device in past x seconds | ChallengeQuestionPad | Device Multiple Users
From anonymizer | Triggers if the login comes from an anonymizer. | Location: IP routing type. Routing type for the IP; can be fixed/static, anonymizer, AOL, POP, Super POP, Satellite, Cache Proxy, International Proxy, Regional Proxy, Mobile Gateway or Unknown | ChallengeQuestionPad | Anonymizer IP
IP surge | Triggers if an IP has not been used lately but experiences a sudden surge in users. | Location: IP in group. If the IP is in the IP group; Location: IP Excessive use. IP is excessively used but not used before | ChallengeQuestionPad | IP surge
IP with max users | Triggers if more than the maximum number of users log in from one IP. Does not trigger for users coming from AOL. | Location: IP in group. If the IP is in the IP group; Location: IP is AOL. Check whether the IP is an AOL proxy; Location: IP Max Users. Maximum number of users using the current IP address within the given time duration | ChallengeQuestionPad | IP Multiple Users
Max devices for user | Triggers if a user uses more than the allowed number of devices within the specified time. | User: Devices. Number of devices tried in given time | ChallengeQuestionPad | max devices for users
Monitor countries | Triggers if the login is from one of the monitored countries. | Location: In Country group. If the IP is in the given country group | ChallengeQuestionPad | Monitored Country
No challenge in 30 days | Triggers if the user has not been successfully challenged in the last 30 days. | User: Challenge timed. Check whether the user answered a challenge question successfully in the last n days | ChallengeQuestionPad | 30 day challenge
Risky IP? | Checks whether an IP has enough users to warrant higher security; 5 or more users in the last week trigger this rule. | Location: IP in group. If the IP is in the IP group; Location: IP is AOL. Check whether the IP is an AOL proxy; Location: IP Max Users. Maximum number of users using the current IP address within the given time duration | None | None
Risky connection type | Triggers if the connection type was previously deemed high risk. | Location: IP Conn Type in group. Check whether the IP connection type is in the group | ChallengeQuestionPad | Risky Connections
Unsuccessful from device | Triggers if there are more than the maximum number of unsuccessful attempts from a device within the set time. | Device: Timed not status. Maximum login attempts for all but the given status within the given time period | ChallengeQuestionPad | Device: Many Failures
User blocked recently | Triggers if a user has been blocked more than the maximum allowed number of times in a row within the time specified. | User: Action Timed. Maximum number of actions in the past x seconds | ChallengeQuestionPad | User blocked recently
User not from city | Triggers if the user has not logged in from this city within the time specified. | User: Location Used Timed. If user used this location within the given time period | ChallengeQuestionPad | User not from city
User not from state | Triggers if the user has not logged in from this state within the time specified. | User: Location Used Timed. If user used this location within the given time period | ChallengeQuestionPad | User not from state
Risky IP nested model
These rules run for a user who has questions active and is coming from an IP with high traffic.

Rule | Description | Conditions | Action Group | Alert Group
---|---|---|---|---
Device w/ max users | Triggers if a device on a risky IP has been used by more than the maximum number of users. | Device: Login count. Check unique user count using this device in past x seconds | ChallengeQuestionPad | Device Multiple Users
Device w/ max failures | Triggers if there are more than the maximum number of unsuccessful attempts within the set time from a device on a risky IP. | Device: Timed not status. Maximum login attempts for all but the given status within the given time period | ChallengeQuestionPad | Device: Many Failures
System - Post Blocking
System fraud rules, executed for all users after authentication.

Rule | Description | Conditions | Action Group | Alert Group
---|---|---|---|---
Max Failed Challenges | Triggers if a user fails more than the maximum number of allowed consecutive challenges. The failure counter looks across all of the user's sessions, so the consecutive failures need not have occurred in the same session. | | Challenge Block | Max Failed Challenges
Max Questions Presented | Triggers if a user has been presented with two or more questions without a successful answer. | User: Challenge Questions Failure. Checks how many questions have failures | Challenge Block | Max Questions Presented
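The tables above name the conditions but not how they are evaluated. The following is an added example, not code from Oracle Adaptive Access Manager, that models a handful of the shared conditions on constructed login events: the device and IP unique-user counts (Device: Login count, Location: IP Max Users with the AOL-proxy exemption), Device: Timed not status, the velocity-from-last-login check, and the cross-session consecutive challenge-failure counter from the Max Failed Challenges rule. The event fields, thresholds, sample coordinates and the action split between the alert-only and challenge models are assumptions for illustration.

```python
# Added example (not OAAM code): models several rule conditions from the
# Fraud and System - Post Blocking tables over constructed login events.
# Field names, thresholds and sample data are assumptions for illustration.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class LoginEvent:
    ts: int        # seconds since epoch
    user: str
    device: str    # device fingerprint id
    ip: str
    lat: float
    lon: float
    status: str    # "success", "wrong_password" or "challenge_failed"


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles (Earth radius 3958.8 mi)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(a))


def in_window(e, now, window_s):
    return now - window_s <= e.ts <= now


def velocity_from_last_success(history, cur, max_mph=600.0):
    """User: Velocity from last successful login. Distance from the user's last
    successful login divided by elapsed time; flags speeds no aircraft reaches."""
    prev = [e for e in history if e.user == cur.user and e.status == "success" and e.ts < cur.ts]
    if not prev:
        return 0.0, False
    last = max(prev, key=lambda e: e.ts)
    hours = max(cur.ts - last.ts, 1) / 3600.0      # never divide by zero
    mph = haversine_miles(last.lat, last.lon, cur.lat, cur.lon) / hours
    return mph, mph > max_mph


def unique_users_on_device(history, cur, window_s=3600, max_users=2):
    """Device: Login count. Unique users seen on this device in the past x seconds."""
    users = {e.user for e in history if e.device == cur.device and in_window(e, cur.ts, window_s)}
    users.add(cur.user)
    return len(users), len(users) > max_users


def ip_max_users(history, cur, window_s=3600, max_users=5, aol_proxies=frozenset()):
    """Location: IP Max Users, with the AOL-proxy exemption the 'IP with max users'
    rule describes (a shared proxy would otherwise trip the rule constantly)."""
    if cur.ip in aol_proxies:
        return 0, False
    users = {e.user for e in history if e.ip == cur.ip and in_window(e, cur.ts, window_s)}
    users.add(cur.user)
    return len(users), len(users) > max_users


def timed_not_status(history, cur, window_s=3600, status="success", max_attempts=2):
    """Device: Timed not status. Attempts from this device whose status is anything
    but the given one, inside the window ('Unsuccessful from device')."""
    n = sum(1 for e in history
            if e.device == cur.device and e.status != status and in_window(e, cur.ts, window_s))
    return n, n > max_attempts


def consecutive_failed_challenges(history, user, max_failures=3):
    """Max Failed Challenges: the counter runs across sessions, so it is the run of
    challenge failures since the user's last success, whatever session they were in."""
    run = 0
    for e in sorted((e for e in history if e.user == user), key=lambda e: e.ts):
        if e.status == "challenge_failed":
            run += 1
        elif e.status == "success":
            run = 0
    return run, run >= max_failures


def evaluate(history, cur, questions_active):
    """Run the shared conditions. The action mirrors the Cant Challenge / Challenge
    split: alert only when the user cannot be challenged, ChallengeQuestionPad otherwise."""
    action = "ChallengeQuestionPad" if questions_active else "None"
    checks = {
        "Device multiple users": unique_users_on_device(history, cur)[1],
        "IP with max users": ip_max_users(history, cur)[1],
        "Unsuccessful from device": timed_not_status(history, cur)[1],
        "User max velocity": velocity_from_last_success(history, cur)[1],
    }
    return {rule: action for rule, hit in checks.items() if hit}


# Constructed sample: a shared device in San Francisco, then "alice" appears in
# New York one hour after her San Francisco login (about 2570 miles away).
SF, NYC = (37.77, -122.42), (40.71, -74.01)
HISTORY = [
    LoginEvent(0,    "alice", "dev-A", "203.0.113.10", *SF, "success"),
    LoginEvent(1800, "bob",   "dev-A", "203.0.113.10", *SF, "success"),
    LoginEvent(3000, "carol", "dev-A", "203.0.113.10", *SF, "wrong_password"),
    LoginEvent(3100, "carol", "dev-A", "203.0.113.10", *SF, "wrong_password"),
    LoginEvent(3200, "carol", "dev-A", "203.0.113.10", *SF, "challenge_failed"),
]
CURRENT = LoginEvent(3600, "alice", "dev-B", "198.51.100.7", *NYC, "success")

if __name__ == "__main__":
    print(evaluate(HISTORY, CURRENT, questions_active=True))
```

Running the block prints only the velocity rule for alice's New York login; a fourth user logging in on dev-A at the same moment would instead trip Device multiple users and Unsuccessful from device, and the same rule set yields action None rather than ChallengeQuestionPad when the user has no questions active.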
System - Pre Blocking
This model stops fraudulent login attempts before the password is entered, so every rule in it blocks.

Rule | Description | Conditions | Action Group | Alert Group
---|---|---|---|---
Black listed IPs | Triggers if the IP address has previously been blacklisted. | Location: IP in group. If the IP is in the IP group | Block | Restricted IP
Black listed ISPs | Triggers if the login is attempted from an ISP that was previously blacklisted. | Location: ISP in group. Check whether the ISP for the current IP address is (or is not) in the ISP group | Block | Restricted ISP
Black listed countries | Triggers if the login comes from a country that has been blacklisted. | Location: In Country group. If the IP is in the given country group | Block | Restricted Country
Black listed devices | Triggers if the device used has previously been blacklisted. | Device: Device in group. Check whether this device is in the group | Block | Restricted device
Black listed users | Triggers if the user has previously been blacklisted. | User: In Group. If the user is in the given group | Block | Restricted user
WEBZIP used | Triggers on a login attempt from the WEBZIP browser. Fraudsters often use WEBZIP to record a website in preparation for a phishing exercise, so allowing it is too risky. | Device: Browser header substring. Checks whether the supplied string exists as a substring in the browser header information | Block | Restricted software
System - Questions Check
This model routes users according to whether they have challenge questions active. Users with active questions go to the Fraud - Challenge model; users without active questions go to the alert-only Fraud - Cant Challenge model (also referred to as Fraud - Alert Only).

Rule | Description | Conditions | Action Group | Alert Group
---|---|---|---|---
Questions active? | Triggers if the user has active challenge questions. | User: Question Status. Question status of the user | None | None
System Challenge Question
System block rules for the challenge runtime.

Rule | Description | Conditions | Action Group | Alert Group
---|---|---|---|---
Max failed challenges | Triggers when the maximum number of consecutive challenges have been failed. | | Challenge Block |
System Forgot Password
This model is applied in the forgot-password flow and contains rules which can block or challenge the attempt.

Rule | Description | Conditions | Action Group | Alert Group
---|---|---|---|---
Anonymizer used | Triggers if an anonymizing proxy is used. | Location: IP routing type. Routing type for the IP; can be fixed/static, anonymizer, AOL, POP, Super POP, Satellite, Cache Proxy, International Proxy, Regional Proxy, Mobile Gateway or Unknown | ChallengeQuestionPad | Anonymizer IP
City first time for user | Triggers the first time a user logs in from a new city. | User: City first time for user. Is the user using this city for the first time | ChallengeQuestionPad | User not from city
Device 1st time for user | Triggers if this device has not been successfully used by this user before. | Device: Used count for User. Device used count | ChallengeQuestionPad | New Device
Device IP surge | Triggers if a device has not used an IP recently and a sudden surge of traffic occurs. | Device: Device in group. Check whether this device is in the group; Device: Excessive use. Device is excessively used but not used before | ChallengeQuestionPad | Device_IP surge
Device multiple users | Triggers if multiple users use the same device within a short time frame. | Device: Login count. Check unique user count using this device in past x seconds | ChallengeQuestionPad | Device Multiple Users
Failed Max Challenges | | | |
IP Max users | Triggers when logins to different accounts have been attempted from the same IP address within a given time frame. | Location: IP in group. If the IP is in the IP group; Location: IP is AOL. Check whether the IP is an AOL proxy; Location: IP Max Users. Maximum number of users using the current IP address within the given time duration | ChallengeQuestionPad | IP Multiple Users
IP surge | Triggers if an IP has not been used lately but experiences a sudden surge in users. | Location: IP in group. If the IP is in the IP group; Location: IP Excessive use. IP is excessively used but not used before | ChallengeQuestionPad | IP surge
Max password failures | Triggers if more invalid passwords than allowed have been entered on a device. | Device: Used count for User. Device used count | ChallengeQuestionPad | Device max failed PWs
No questions active | A user without any active challenge questions is not allowed to enter the forgot-password flow. | User: Question Status. Question status of the user | Block | None
Restricted Countries | User logins from these countries are restricted. | Location: In Country group. If the IP is in the given country group | Block | Restricted country
Restricted Devices | Logins from these devices are restricted. | Device: Device in group. Check whether this device is in the group | Block | Restricted devices
Restricted IPs | Logins from these IPs are blocked. | Location: IP in group. If the IP is in the IP group | Block | IP multiple users
Risky connection type | Triggers if the connection type was previously deemed high risk. | Location: IP Conn Type in group. Check whether the IP connection type is in the group | ChallengeQuestionPad | Risky Connections
State first time for user | Triggers the first time a user logs in from a new state. | User: State first time for user. Is the user using this state for the first time | ChallengeQuestionPad | User not from state
User blocked recently | Triggers if a user has been blocked more than the maximum allowed number of times in a row within the time specified. | User: Action Timed. Maximum number of actions in the past x seconds | ChallengeQuestionPad | User blocked recently
User max velocity | Triggers if the physical distance between this login attempt and the location of the last successful login is not plausible given the time elapsed. | User: Velocity from last successful login. Velocity from last successful login | Block | user max velocity
Unsuccessful from device | Triggers if there are more than the maximum number of unsuccessful attempts from a device within the set time. | Device: Timed not status. Maximum login attempts for all but the given status within the given time period | ChallengeQuestionPad | Device: many failures