Understand Network Perimeters

For security purposes, identity domain administrators, security administrators, and application administrators can define network perimeters in Oracle Identity Cloud Service. A network perimeter contains a list of IP addresses.

After creating a network perimeter, you can prevent users from signing in to Oracle Identity Cloud Service if they use one of the IP addresses in the network perimeter. This is known as blacklisting. A blacklist contains IP addresses or domains that are suspicious. As an example, a user may be trying to sign in to Oracle Identity Cloud Service with an IP address that comes from a country where hacking is rampant.

An IP address is a string of numbers that identifies the network of any device connected to the internet. It's like a return address on an envelope, and is associated with a human-readable domain. Since the IP address tells other devices where data is coming from, it can be a good way to track bad content.

Blacklists can list a single IP address or a (set) range of IPs. Oracle Identity Cloud Service can use this information to block users who attempt to sign in from suspicious IP addresses.

You can also configure Oracle Identity Cloud Service so that users can log in, using only IP addresses contained in the network perimeter. This is known as whitelisting, where users who attempt to sign in to Oracle Identity Cloud Service with these IP addresses will be accepted. Whitelisting is the reverse of blacklisting, the practice of identifying IP addresses that are suspicious, and as a result, will be denied access to Oracle Identity Cloud Service.

You can configure Oracle Identity Cloud Service so that only users who use a particular IP address or IP address in a specific range will be allowed to sign in to Oracle Identity Cloud Service. Or, you can configure Oracle Identity Cloud Service to monitor for suspicious IP addresses or IP address ranges, and prevent users who use these IP addresses from signing in to Oracle Identity Cloud Service.

With a network perimeter, you can define, in a standard format, an exact IP address, a range of IP addresses, or a set of masked IP addresses. Both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) protocols are supported.

Detailed information about these three formats appears below.

  • Exact IP address. You can enter a single IP address or multiple IP addresses. If you enter multiple exact IP addresses, then put a comma between each one.

  • Two IP addresses, separated by a hyphen, which is an IP range. For example, if you specify the IP range of 10.10.10.1-10.10.10.10, any user who attempts to sign in to Oracle Identity Cloud Service with an IP address from 10.10.10.1 through 10.10.10.10 will be using an IP address that falls within the IP range.

  • Masked IP address range. Each number of an IP address is 8 bits. For example, if you have a masked range of 10.11.12.18/24, then the first three numbers (24 bits) is the mask that must be applied to see if an IP address falls in this range. For this example, valid IP addresses will be those that begin with 10.11.12.

Note:

The examples listed above are using IP addresses with the IPv4 protocol. However, you can apply the same formats to IP addresses that use the IPv6 protocol (for example, B138:C14:52:8000:0:0:4D8).

After defining your network perimeters, you can assign them to a sign-on policy, and configure the policy so that if you're trying to sign in to Oracle Identity Cloud Service using an IP address that's defined in the network perimeter, you can log in to Oracle Identity Cloud Service or you'll be prevented from accessing Oracle Identity Cloud Service.

See Add a Sign-On Policy for more information about assigning network perimeters to a sign-on policy.