http://fusionsecurity.blogspot.com/2011/01/risky-business.html
More recently, I've had a chance to play with Symantec's VIP (Identity Protection) user services. VIP is best known for its two-factor one-time-PIN (OTP) service. It also includes a risk component that can collect footprint information about the client and return a risk score to the policy enforcement point (PEP) or policy decision point (PDP) for enforcement. VIP user services are divided into a couple of different areas:
- Query Services: Provides information on the end user, including when a credential was last bound to the user and when it was last authenticated.
- Management Services: CRUD operations on users, and adding credentials to those users
- Authentication Services: Validate OTPs and evaluate risk
These are SOAP-based services, and the WSDLs are available for download from the VIP Management Console. I used Axis2 to convert the WSDL to Java stubs and connect to the service. Here is a snippet:
```java
RiskScoreType riskScore = null;
EvaluateRiskRequest riskRequest = new EvaluateRiskRequest();
IpAddressType remoteIpAddress = new IpAddressType();

// riskType, myRequestId, requestId, myUserIdType, myUserAgentType, myIAAuthDataType
// and authServiceStub are set up in parts of the program not shown in this snippet.
myRequestId.setRequestIdType(requestId);
riskType.setIp(remoteIpAddress);
riskType.setRequestId(myRequestId);
riskType.setUserId(myUserIdType);
riskType.setUserAgent(myUserAgentType);
riskType.setIAAuthData(myIAAuthDataType);

// Default to risky so that a failed call is never read as "not risky".
Boolean isRisky = true;
try {
    EvaluateRiskResponse response = authServiceStub.evaluateRisk(riskRequest);
    System.out.println("Status: " + response.getEvaluateRiskResponse().getStatus());
    isRisky = response.getEvaluateRiskResponse().getRisky();
    System.out.println("Risky? " + isRisky);
    System.out.println("Policy Version: " + response.getEvaluateRiskResponse().getPolicyVersion());
    System.out.println("Risk Reason: " + response.getEvaluateRiskResponse().getRiskReason());
    riskScore = response.getEvaluateRiskResponse().getRiskScore();
    // The rest of the original snippet is not shown.
} catch (Exception e) {
    // isRisky keeps its default of true, so the caller fails closed.
    System.err.println("evaluateRisk failed: " + e.getMessage());
}
```

Output:

```
Risky? false
Policy Version: 1.0
Risk Reason: Device recognition, Device Reputation
Risk Score: 51
```
The risk score is based on configurable settings on the VIP management side. I'll discuss the VIP policy side in the next part of this series.
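The snippet above defaults `isRisky` to `true` before calling the service. The following added example (not part of the original post and not Symantec's code) carries that fail-closed default through to an enforcement decision at the PEP. `RiskGate`, `RiskResult`, `RiskCall`, `Decision` and the user names are hypothetical, the stub call is replaced by a plain interface, and it needs Java 16 or later for records.

```java
public class RiskGate {
    // Hypothetical plain-Java view of the fields the snippet prints (not the generated stub types).
    record RiskResult(boolean risky, int score, String reason, String policyVersion) {}

    enum Decision { ALLOW, STEP_UP_OTP }

    // Hypothetical wrapper around the remote evaluateRisk call; it may throw on SOAP or network faults.
    interface RiskCall { RiskResult evaluate() throws Exception; }

    static Decision decide(String userId, RiskCall call) {
        RiskResult r = null;
        String error = null;
        try {
            r = call.evaluate();
        } catch (Exception e) {
            error = e.getClass().getSimpleName() + ": " + e.getMessage();
        }
        // Fail closed: no usable answer is treated the same as "risky".
        Decision d = (r != null && !r.risky()) ? Decision.ALLOW : Decision.STEP_UP_OTP;
        // Audit line keeps the score, reason and policy version behind the decision.
        System.out.printf("user=%s decision=%s score=%s reason=\"%s\" policy=%s error=%s%n",
                userId, d,
                r == null ? "n/a" : r.score(),
                r == null ? "n/a" : r.reason(),
                r == null ? "n/a" : r.policyVersion(),
                error);
        return d;
    }

    public static void main(String[] args) {
        // Values taken from the sample output on this page.
        decide("alice", () -> new RiskResult(false, 51, "Device recognition, Device Reputation", "1.0"));
        // Constructed risky response.
        decide("bob", () -> new RiskResult(true, 90, "Device Reputation", "1.0"));
        // Constructed failure: the risk service cannot be reached.
        decide("carol", () -> { throw new java.io.IOException("connection timed out"); });
    }
}
```

The decision relies only on the service's risky flag, since the scoring thresholds are configured on the VIP side; the score is logged for audit rather than re-thresholded in the client.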