• EN
Sticky

Okta + Netskope = Zero Trust

  • 26 April 2024
  • 0 replies
  • 161 views
jonbartlett
Rank
Userlevel 1
Badge +4

A common use case using Netskope One SSE and Okta is to extend your zero trust perimeter using Okta Network zones and the Netskope NewEdge network. This will create an additional obstacle for an attacker to use compromised credentials and is recommended by Okta as a defense against credential stuffing attacks. The Netskope One client checks the device posture or compliance in real time via Device Classification to ensure that only Corporate managed devices are allowed to connect to Okta. The following Okta authentication policy rule scenarios are presented below: (these would also apply when using tunnels)

 

Prerequisites for all policy scenarios

 

  1. Prevent users from disabling the Netskope Client in the Netskope Admin console: Settings→ Security Cloud Platform→ Client Configuration → Tamperproof 
    1. For more information: https://docs.netskope.com/en/netskope-help/netskope-client/netskope-client-hardening/ 
  2. Create a Network Zone in Okta: Security → Networks → Add zone → IP Zone
    1. The current list of Netskope IP ranges: https://support.netskope.com/s/article/NewEdge-Consolidated-List-of-IP-Range-for-Allowlisting 
    2. By default, Netskope NewEdge inserts a X-Forwarded-For header into all traffic destined to Okta domains.
  3. Add the Netskope NewEdge networks or Dedicated Egress IP Addresses (DEIP) to both the Gateway IPs and Trusted proxy IPs (this enables support for the X-Forwarded-For header inserted by Netskope and preserves IP velocity and reputation for Okta Behavior Detection and Threatsight) sections. Creating this prerequisite Network Zone is also required for Dynamic Zones.

  

Since both sections are populated, this zone is now X-Forwarded-For aware and will utilize the real client IP address for Okta policy and risk assessment 

Ho4okB-cKhU2GPBwfB-Q3GIsLME00IRfrxepiVJjn2dQMe5oKHc8rY_yC6X0v4Qe7dYQF9D4RjP8fkaXRQIKSJPfTKKl48auFkrAp2P6azoDfjOdNYza4p3bZxbihtgVHMf3bOi3IbvAYWBRSawuo_A

  1. Create a Okta custom error message: Customizations → Other → Access denied error message 
    • Add links for additional help and/or to open a support ticket

 

Y-6ovB9GZu1m5E3wVwMbakQUZJtdUEFe45jxD92BM2udoucE6vfQJ10SBE2_0KcHm4DfNQJ4tQTvulQoksxxO6F9Rs1xoKgVhAMoLrTGEB0DKxvGO-GfPkqjaYaQiJlb8fCyOEgOaITbtatorCCWhhs

 

  1. Create a new Okta authentication policy or update an existing policy rule with the Okta Network Zone created above. See below for an example of Okta policy rules. 

 

An exception group can be used for testing or exception approvals

7I6Z0oaaUf3vKqe9r4SffokfSSaiopYQYPCNxdnh9ZxqrUTHrLU7lzzvTC0sIodVPx3CfDtZ5J26fCt3LyvKvovzwWtpSRHzJv8NKgynhNW0pv__EIrB5mqZ-e188G2bvS_UPtH_W8Nzu904TWTo9Uk

 

Allow mobile device access until the Netskope One mobile client is deployed. Require device registration(Okta Verify is installed) to prevent User-Agent string spoofing or tampering.

Scenario: Restrict access to application(s) for users that originate from Netskope NewEdge

Business Outcomes: Improve user experience for hybrid or remote users. Reduce application identity attack surface and time spent resolving security policy violations by untrusted sources. Reduce breach remediation costs by restricting adversary initial access and persistence techniques.

  • Create a rule that requires access from Netskope NewEdge and a password every 12 hours.

pjyySLUJe26iSqsdOpL2hqGF2-ARgX8fKLjEJRn9Im_ZjA_MQqtYdNB1ioIdJOogeFHjpyidUedo6f5iUyt9RfpJOinVXUN_jicWnyadGCeNE2SJYeWzfBfi3sdXoh6dhchyrLmjv6tzd397zAt2-UE

End User Experience results

  • Okta Dashboard from Netskope NewEdge (Netskope client enabled)

 

WC-bf333IS1oWKxxEuXtTNn_pWJH_SBWAQISAbsE_I5ddfFIydiY3Cmdckf8ioug_Aj2qiMEJv48GkSZgAs0rBrRvhMXGYxcLQr7SqnoQ04W_cFMc462My4Wo7xGxQ0faKEOmvpwT2v6DapPTea3__E

 

Okta Dashboard not coming from Netskope NewEdge (Netskope client disabled)

  • Authentication policy denies access and places a lock symbol on the application chiclet

VbwWNzVJJcL2E_rore-K8ZN5rX5la8pYqH9wwHY3brecYaRQpF6J37NzGvpMwoXUHxtZSac-YUcHJMT4HvXwGEYmzCgYV8YyOWpvjevgERX_RKNitX0uObAShIWOokKCn_dcNptRTVKuG87e9Y1Pbxw

boi_5tYaJ48eVlyPnl2OrvYJY2GomsWVi1X5Cl6dAdQvQgM_lDVNPNvjssMmfUQyhbuwy4-nBkn-nJjFB-IUoK8NQQ6YqnbQjpHLpaoz2VGG6neYhtrTXIugf7xVTLeXXFGequmEcIiQ9FSa7REP4Tw

SP initiated Okta custom error message not coming from Netskope NewEdge (Netskope client disabled) {The Corporate Logo will be your own}

vAbqU3A7DfCj0EsdLbleFMU4Vrll9WXHeFg7_BFOJ1NShideAMMMH1mr-CTp6ZmPWTTOwrmsdXH5ZFyP2wkkp_nEBrSwlPmqABM1bJLI7hoSkUX2NmqjLlaCP5A9vsXFSlhjs2iMD33a4yVWQ6FcX5Y

 

Scenario: Restrict access from Netskope NewEdge in the United States 

Business Outcomes: Reduce sovereignty compliance requirements and time spent resolving security policy violations by untrusted sources. Reduce breach remediation costs by restricting adversary initial access and persistence techniques.

This scenario requires using Netskope Dedicated Egress IP addresses. 

To obtain a list of the Dedicated Egress IP addresses for the Data Planes in the United States in the Netskope Admin console: Settings → REVERSE PROXY→SAML→ NETSKOPE SOURCE IP


 

_OJ32mTkt04nihGuH9_Zkdt5t-ra853zFxRH0ylIcCWoptuFwBGRitK5nzNVTlHptv0JTwntkSMh3WWjT54WvRtkkm92_gBkjuf7fvLrGkJq1A-zxplvLoSsRv_hlc832AkzDxG_dhvtJFh6lWQFtCo

Please follow the steps in the scenario above to create an Okta Network Zone using these IP addresses for the Data Planes in the United States.

 

Using a Dynamic Zone for ASN is not recommended since it only uses the ISP ASN instead of Netskope’s ASN. Proxy type also does not apply, per Okta this type is an anonymizer. Even though the Geolocation data in the logs are correct, testing has shown that neither apply to the Netskope NewEdge IP addresses. 

 

Scenario: Restrict access to originate from Netskope NewEdge and the user’s client IP originates in the United States

Accuracy of the Geo Location for IPs

Business Outcomes: Reduce sovereignty compliance requirements for user location and time spent resolving security policy violations by untrusted sources. Reduce breach remediation costs by restricting adversary initial access and persistence techniques.


Warning: If you check this box, the Dynamic Zone becomes active immediately without applying to an Authentication Policy {It is recommended to test using your Okta Sandbox or Preview Tenant}FfayqlL2sMb2xqt051UAtv2UyYw9kHNdX-dDbiscuYiAjQHzDGbLhF6ErQ29k6BycTOb1xmy02gbsjg7Iigz3RJ4b5KRlhjHoqmGGNW7RwLtOAcdUp5sNdEMyHKeN3Nk82HC9-RbSX1v0y5hvRqFWzo

 

  1. Using the Netskope NewEdge zone created above, create a rule to block if Not in this zone:(Netskope client is disabled)

B2nrsd8WS8Qalrx34A-yGXHt6e-x1cdwg8w5ebJTdYdpoUY5l4OGK-a8XMRN9OcFfe9bPG9N-vcLdWW4drxXDWXwTXUmRvxJ7GJ-aqb61g_bJPS4zAPypC9598G2xMOR7n-fac8ntHZULKNSYUtGqoE

  1. Create a Dynamic Zone to Allow IP addresses from the United States

bnjKm031AOEMgx3S1PWpvnODnV93Bu_OBYehU_eHiGA0i7trZugvjw0R9TiPZQenT239ako3fdh3bb6vx3wunkcKzL0bBKw-2EdrQCV5jbJ8NS-kXWjTLvYeMHmChMMeq3l31gfO2QMh34vdN7XoWEc

Because you created a Network Zone above called Netskope NewEdge, Okta will now evaluate the Dynamic Zone based on the X-Forwarded-For Header.(User’s real client IP address)

 

  1. Create a rule to allow from the United States 

7vHgXBbdpyOFmeyLRqdjI2zZGEUTRIUsHTi7Pp0OAE5o8SAdlkIKWQxK8HOKM4u45Y5HdndQjnpDLMixa3DlQnTAqyFvNtWanNJxLyFIUvHdWxaD5UkojQSNFLsg2l_4n4BnUbVe0dNnOSMjbas90a0

 

 

Scenario: Restrict access for Administrators to originate from Netskope NewEdge or secure on-premise

(If the secure on-premise IP addresses are not behind a Proxy{No X-Forwarded-For}, use only the Gateway IPs section in the Network Zone) 

Business Outcomes: Reduce privileged account access exposure and time spent resolving security policy violations by untrusted sources. Reduce breach remediation costs by restricting adversary initial access and persistence techniques.

  1. Create a rule for an exception group (duplicated from prerequisites to emphasize importance)

cCHudQ11A-2YdvZhupWlMjj9Yt-4111Zan7IuY7c7Af9yznAkYnHTWzO2RlUJp4HfjdEI5GhbOlV2_v0ZvpvrB4RWNQeeQF0myoUbxDraADd5rmchzKla30AGidQXb4wRwC1uqRpinZwy27AZ4Qi9Kw

  1. Create a rule to allow from Netskope NewEdge or On-premise zones

 

Lgkq2DnJ6S3J2P4HHdevURbJtokrZXFTX-UeOHrXhEnLvfqbmKWgsU5KkQUWAufWPfIyHSEXkKOU7JlWkKO7vSYwRPnSkNvSLGEYy9WtjtnfoH_ES40fOLjmCmfdWeSaMKgTRmBA4RU_o7B228lDg8w



 

Scenario: Restrict access to Okta API Tokens to originate from Netskope NewEdge

Business Outcomes: Reduce privileged account access exposure and time spent resolving security policy violations by untrusted sources. Reduce breach remediation costs by restricting adversary initial access and persistence techniques.

 

  1. Enable the Network Restrictions for SSWS Tokens: Settings→Features {licensed feature, not available in free Okta Developer tenants}

1ZOfHR1smdwBC2qsCXsM5xSmmChgR6aQMjaJ7qa1n6GfplqECjRZMIj9ronqlRO3-4a4e4_5nwH5v2GX8nmSY1wKcKtaF4U5BedhOQU9010RC9Jdp-RtdReDPXRPWJtttGG0IO2v5Tu3Ht-3vSicilw

  1. You can apply the Network restriction when creating a new API Token as below

ndhiOSiXx7CIdrhNcSYJS34Ua3CXG0hzqBT6G8Y8pNqVHSLrnxegocx2eDmc4RrRWO8zEwbBHOG3-5XDmhwvGtgwEAL3T8dJ09KdonCX3GpTBZA62J5yYGAI_2wNWvlVs8paUJmG1wfJDF8NGjykBkI

Or by editing an existing API Token and selecting the Netskope NewEdge Zone

 

Troubleshooting

For troubleshooting, you can view the IP Chain in the Okta system log, refer to this Okta support article. If you only see a single IP address in the Okta system log, please verify the X-Forwarded-For header using these websites: https://notskope.com or https://ifconfig.me If you see the X-Forwarded-For header, please check for overlapping Network Zones. You may need to delete your Network Zones and recreate them. 

Jon Bartlett

0 replies

Be the first to reply!

Reply


Terms & ConditionsCookie settings