V-279692

Discussion

A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all application information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data. Application-specific examples of enforcement occurs in systems that employ rule sets or establish configuration settings that restrict information system services, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy. Working with the organizational CSSP, the ISSM should obtain a list of known anonymizer proxies that exist on the commercial internet. If this is not available from the CSSP, then the Okta-provided "Enhanced dynamic zone blocklist" should be activated.

Check Content

From the Admin Console:

1. Select the "Security" menu, and then click the "Networks' item.
2. If the CSSP has provided a list of anonymizers to block, verify the "IP Block list" is configured with them.
	a. Click the pencil icon next to IP Block list.
	b. Verify the "Gateway IPs" section contains all of the IP ranges in the provided list.
3. If the CSSP is not able to provide a list, then implement the Okta managed list.
	a. Verify the "Enhanced dynamic zone blocklist" is set to "Active".

If Network Zones are not configured to block anonymous proxies, this is a finding.