Perimeter Risk in Zero Trust Model

The Zero Trust model means that no matter who you are or where you are coming from, you undergo the same scrutiny from a security perspective. In an identity-centric world that means authenticating (and authorising) every call and every flow, regardless of whether it is made in the context of a user or outside of it.

Hold on, you'll say, what about risk-based authentication (RBA) and some of its signals, such as IP reputation and velocity?

Reputation of the source

IP reputation seems self-explanatory; it is a bit like a DBS check (Disclosure and Barring Service in the UK) before employing a candidate for a role that requires a clean slate as far as criminal behaviour is concerned. Are you a baddie? Did you carry out DoS attacks as an after-school project? Are you a spammer? Perhaps you are part of a botnet command-and-control network.

Another edge case for reputation is anonymising. If you are trying to hide behind a VPN, a web proxy or the TOR network, perhaps you are doing it for a reason. It may be a legitimate reason (here's me acknowledging all privacy aficionados and extremists, and I mean it in the best possible way) or it may be because you have something to hide and are trying to disguise your true identity. While a proxy server's IP may not have a bad reputation score per se, in RBA the risk rises (by a variable amount) when you are trying to hide.

Velocity

IP velocity counts the transactions carried out from the same address. For example, in a credential stuffing attack (you can read about identity-based attacks here) you try to log in to many accounts using leaked, default or commonly used passwords. Many attempts from the same address should raise a red flag, and if the velocity exceeds a certain level (beyond your risk appetite) it should be flagged. Consequently, sustained high velocity may affect the reputation (it doesn't work the other way round). There is a possibility of a false positive if you NAT the source address of your enterprise connections, which happens mostly in workforce use cases, hence a good exception mechanism (a white-list) is required.
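To make the velocity idea concrete, here is an added example (mine, not code from the original post or from any product) of a sliding-window detector run over a handful of constructed authentication events. It counts distinct accounts per source IP rather than raw attempts, because stuffing spreads one or two guesses over many accounts and per-account lockouts never fire. The NAT egress range, window and threshold are assumptions for the example.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events: (UTC timestamp, source IP, account attempted).
# These are made up for the example; in practice they would come from the IdP audit log.
SAMPLE_EVENTS = [
    # one address walking through many accounts in half a minute: stuffing pattern
    ("2024-03-01T09:00:00Z", "203.0.113.7", "alice"),
    ("2024-03-01T09:00:05Z", "203.0.113.7", "bob"),
    ("2024-03-01T09:00:11Z", "203.0.113.7", "carol"),
    ("2024-03-01T09:00:17Z", "203.0.113.7", "dave"),
    ("2024-03-01T09:00:24Z", "203.0.113.7", "erin"),
    ("2024-03-01T09:00:30Z", "203.0.113.7", "frank"),
    # the same address much later, outside the window: must not add to the old burst
    ("2024-03-01T09:20:00Z", "203.0.113.7", "alice"),
    # one user mistyping their own password twice: not velocity
    ("2024-03-01T09:01:00Z", "192.0.2.5", "alice"),
    ("2024-03-01T09:01:20Z", "192.0.2.5", "alice"),
    # office NAT egress: five employees logging in within the window
    ("2024-03-01T09:02:00Z", "198.51.100.10", "grace"),
    ("2024-03-01T09:02:30Z", "198.51.100.10", "heidi"),
    ("2024-03-01T09:03:00Z", "198.51.100.10", "ivan"),
    ("2024-03-01T09:03:30Z", "198.51.100.10", "judy"),
    ("2024-03-01T09:04:00Z", "198.51.100.10", "mallory"),
]

# Hypothetical allow-list of enterprise NAT egress ranges (an assumption for the example).
NAT_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 5                   # assumed risk appetite: distinct accounts per IP per window


def is_allow_listed(ip, allow_list=NAT_EGRESS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allow_list)


def parse_ts(ts):
    # ISO-8601 with a trailing Z; fromisoformat() in Python < 3.11 needs the explicit offset
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def velocity_alerts(events, window=WINDOW, threshold=THRESHOLD, allow_list=NAT_EGRESS):
    """Sliding-window credential-stuffing detector.

    For each source IP, count the distinct accounts attempted inside the window.
    Returns (flagged, suppressed): both map IP -> peak distinct-account count; suppressed
    holds IPs that crossed the threshold but sit in the NAT allow-list, so an analyst can
    still review them without the engine blocking a whole office.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, account) entries still inside the window
    peak = defaultdict(int)       # ip -> highest distinct-account count observed
    for ts_str, ip, account in sorted(events, key=lambda e: parse_ts(e[0])):
        ts = parse_ts(ts_str)
        q = recent[ip]
        q.append((ts, account))
        while ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        distinct = len({acct for _, acct in q})
        peak[ip] = max(peak[ip], distinct)

    flagged, suppressed = {}, {}
    for ip, count in peak.items():
        if count < threshold:
            continue
        (suppressed if is_allow_listed(ip, allow_list) else flagged)[ip] = count
    return flagged, suppressed


if __name__ == "__main__":
    flagged, suppressed = velocity_alerts(SAMPLE_EVENTS)
    print("flagged:", flagged)        # {'203.0.113.7': 6}
    print("suppressed:", suppressed)  # {'198.51.100.10': 5}
```

Note that the NAT range is reported separately rather than dropped: the point of the exception mechanism is to stop the automatic action, not to blind you to what happens behind the NAT.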

Bogons

No, they're not Harry Potter's fantastic beasts. Bogon address space consists of IP prefixes that should never appear as a source on the public Internet: reserved ranges (private, loopback, link-local, documentation and similar) and blocks that IANA or a Regional Internet Registry has not yet allocated. Although it is a niche use case, there are platforms (usually firewalls and edge routers) that blackhole all traffic coming from such addresses. How those addresses appear on the Internet if they're not allocated is a topic for another night. The biggest problem is maintaining an up-to-date list, which is not easy, since address space is continuously allocated (and occasionally de-allocated, though that is far less common). There are services (like Team Cymru) that provide the lists, but you are still likely to encounter a false positive, so whoever acts on the bogon signal needs to be prepared to deal with it. The same challenge applies to the TOR exit node list: it is dynamic.
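As an added example (not code from the original post or from Team Cymru), here is a bogon check that takes the staleness problem seriously. It splits the list into a static part (the well-known special-purpose ranges, which never become routable) and a dynamic part (unallocated blocks that a feed adds and removes), and when the feed is older than an assumed maximum age it downgrades a dynamic hit to "unknown" instead of asserting "bogon". The static entries are the RFC 6890 and RFC 4291 special-purpose ranges; the single dynamic entry, 3ffe::/16 (the retired 6bone prefix), is a representative value and should be confirmed against a live feed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed bogon list. STATIC entries are the well-known special-purpose ranges
# that never become routable, so they stay valid even when the feed is old. DYNAMIC
# entries are the unallocated blocks a feed such as Team Cymru's adds and removes as
# registries hand out space; 3ffe::/16 is used here as a representative entry only.
STATIC_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "2001:db8::/32",
]
DYNAMIC_BOGONS = ["3ffe::/16"]

MAX_FEED_AGE = timedelta(hours=24)  # assumed: older than this and the dynamic part is untrusted


class BogonList:
    def __init__(self, static, dynamic, fetched_at):
        self.static = [ipaddress.ip_network(p) for p in static]
        self.dynamic = [ipaddress.ip_network(p) for p in dynamic]
        self.fetched_at = fetched_at

    def is_stale(self, now):
        return now - self.fetched_at > MAX_FEED_AGE

    def classify(self, ip, now):
        """Return 'bogon', 'unknown' or 'clean'.

        'unknown' is the degraded answer: the address is in the dynamic part of a feed
        that is too old to trust, so the block may have been allocated since. Callers
        should treat it as "do not block on this signal alone", not as a bogon hit.
        Raises ValueError for strings that are not IP addresses.
        """
        addr = ipaddress.ip_address(ip)   # handles both IPv4 and IPv6
        if any(addr in net for net in self.static):
            return "bogon"
        if any(addr in net for net in self.dynamic):
            return "unknown" if self.is_stale(now) else "bogon"
        return "clean"


def demo():
    """Run the same lookups against a fresh and a three-day-old copy of the list."""
    now = datetime.now(timezone.utc)
    fresh = BogonList(STATIC_BOGONS, DYNAMIC_BOGONS, fetched_at=now)
    stale = BogonList(STATIC_BOGONS, DYNAMIC_BOGONS, fetched_at=now - timedelta(days=3))
    return {
        "private_fresh": fresh.classify("10.1.2.3", now),    # bogon
        "private_stale": stale.classify("10.1.2.3", now),    # bogon: static ranges never age
        "dynamic_fresh": fresh.classify("3ffe::1", now),     # bogon
        "dynamic_stale": stale.classify("3ffe::1", now),     # unknown: feed too old to trust
        "public": fresh.classify("8.8.8.8", now),            # clean
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The same fresh/stale split applies to a TOR exit node list: treat a hit from an old copy as a weaker signal, and have the fetch job alert when the feed has not refreshed.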

Anonymising

There are many ways to achieve various levels of anonymity. In the old days, you'd break into someone's server (or a few of them), then connect through many (sometimes meshing or doubling back on yourself) to make it really difficult to trace back. These days there are commercial and non-commercial services that let you stay completely (well, almost) anonymous on the web: proxies, VPNs and the most popular, TOR (The Onion Router). While they may serve genuine use cases, they can also indicate bad intentions. A VPN service will protect you on an unsecured or untrusted Wi-Fi network (like in hotels or at airports), but it can also be used to switch location in order to stream a video that is only available in a certain country. A lot of video streaming services block VPN exit nodes, even when they are geographically located in the country of data residence. You can even open an anonymous, log-less email account via ProtonMail.

Many email providers will not let you open an account from an IP address with a low reputation or one coming through an anonymiser service.

Defense in depth

Even though Zero Trust tells us to authenticate and authorise without discriminating, it doesn't mean we cannot build layers of security, and this perimeter signal (the source) is important in modern authentication systems. It's a bit like a kid who, despite flashing an ID proving he is over 18, cannot get past the bouncer at the night club because he looks like a 10-year-old. Sometimes the risk is too high to grant access to resources even though the source has seemingly authenticated. On the flip side, I may not even want to allow the authentication process to take place if the alarm bells are ringing and they're too loud to ignore.

RBA and a good reputation signal architecture

So you want to include RBA in your flows. You can buy, rent or build, as all options are currently available on the market. It seems to me that building a reputation service would be re-inventing the wheel; there are many providers of the data on the market. So let's focus on the downstream, the business end. Let's have a look at an example check of the IP 62.21.63.30, which I selected at random for this evaluation. I checked it against four providers: Brightcloud, Cyren, APIVoid and IPQualityScore.

As you can see, the results, while fairly consistent, vary from provider to provider. How the score is derived beyond membership of a spam list is usually a secret sauce: it may draw on age, history, URL associations, file-sharing associations, the owner and so on. Because of that secret sauce, the lack of transparency and the dynamic character of detection, it is wise to use more than one provider. How you aggregate the scores is your own secret sauce. You can take the worst score if you want to stay on the conservative side, or combine and average the signals if you feel more liberal.
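Here is an added example (mine, not the original post's code and not any vendor's API) of that downstream aggregation. It normalises each provider's native scale onto one 0..100 risk scale, supports both the conservative "worst" and the liberal "average" policy, adds a flat uplift when any provider sees an anonymiser, and handles the case the text warns about implicitly: a provider that did not answer must not count as "clean", and too few answers should degrade to a step-up rather than an allow. Provider names, field layouts, scores, uplift and thresholds are all assumptions for the example.

```python
from statistics import mean

# Constructed responses for one hypothetical address. Provider names, field layouts and
# values are made up for the example and do not describe any real vendor's API.
# Each provider reports on its own scale; some also report an anonymiser type.
PROVIDER_RESPONSES = {
    "provider_a": {"score": 75, "scale": (0, 100), "higher_is_riskier": True,  "anonymiser": None},
    "provider_b": {"score": 60, "scale": (0, 100), "higher_is_riskier": False, "anonymiser": None},  # reputation: 100 = clean
    "provider_c": {"score": 4,  "scale": (1, 10),  "higher_is_riskier": True,  "anonymiser": None},
    "provider_d": None,   # lookup timed out; must not silently count as "clean"
}

ANONYMISER_UPLIFT = 25             # assumed: flat risk added when any provider sees VPN/proxy/TOR
MIN_PROVIDERS = 2                  # assumed: fewer answers than this and the aggregate is untrusted
ALLOW_BELOW, BLOCK_FROM = 30, 70   # assumed thresholds on the 0..100 risk scale


def normalise(score, lo, hi, higher_is_riskier=True):
    """Map a provider's native scale onto 0..100 where 100 is the worst."""
    frac = (score - lo) / (hi - lo)
    if not higher_is_riskier:
        frac = 1 - frac
    return round(100 * frac, 1)


def aggregate(responses, policy="worst"):
    """Combine per-provider results into one risk score and an access decision.

    policy="worst" takes the highest normalised score (conservative);
    policy="average" takes the mean (liberal). Anonymiser flags add a fixed uplift.
    Returns a dict with score, decision (allow/step_up/block), providers_used,
    anonymisers and the reason for the decision.
    """
    answered = {name: r for name, r in responses.items() if r is not None}
    if len(answered) < MIN_PROVIDERS:
        # degraded mode: too little signal to either trust or block, so ask for step-up
        return {"score": None, "decision": "step_up", "providers_used": sorted(answered),
                "anonymisers": [], "reason": "insufficient_signal"}

    scores = [normalise(r["score"], *r["scale"], r["higher_is_riskier"]) for r in answered.values()]
    anonymisers = sorted({r["anonymiser"] for r in answered.values() if r["anonymiser"]})

    if policy == "worst":
        score = max(scores)
    elif policy == "average":
        score = round(mean(scores), 1)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    if anonymisers:
        score = min(100.0, score + ANONYMISER_UPLIFT)

    if score < ALLOW_BELOW:
        decision = "allow"
    elif score < BLOCK_FROM:
        decision = "step_up"
    else:
        decision = "block"
    return {"score": score, "decision": decision, "providers_used": sorted(answered),
            "anonymisers": anonymisers, "reason": policy}


def demo():
    """The same three answers under both policies, then with a TOR flag, then with one answer."""
    tor_seen = {k: (dict(v, anonymiser="tor") if k == "provider_c" else v)
                for k, v in PROVIDER_RESPONSES.items()}
    one_answer = {"provider_a": PROVIDER_RESPONSES["provider_a"], "provider_d": None}
    return {
        "worst": aggregate(PROVIDER_RESPONSES, "worst"),        # 75.0 -> block
        "average": aggregate(PROVIDER_RESPONSES, "average"),    # 49.4 -> step_up
        "average_tor": aggregate(tor_seen, "average"),          # 49.4 + 25 -> block
        "degraded": aggregate(one_answer, "worst"),             # insufficient_signal -> step_up
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result['decision']:8s} {result['score']}  ({result['reason']})")
```

The same three provider answers land on "block" under the worst-score policy and on "step-up" under the average, which is exactly the conservative-versus-liberal choice described above; the decision that a timed-out provider never counts as a clean verdict is the one most often got wrong in production.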

Summary

Hopefully you can now see how the 'perimeter' is still a valid signal in authentication, even in a Zero Trust model. Notice I did not call it a 'factor', the term we used in the past in relation to IAM. A good RBA and reputation score may protect your business, prevent fraud and reduce the number of incidents. It will improve your overall security posture and most likely reduce the cost of operation.