Transient IP Check is not a foolproof approach in itself; in addition to the cookie being hijacked, IP addresses could also be spoofed. It is good to have something rather than nothing; that is the extent of Transient IP Check in a nutshell, in layman's terms. But security has evolved, and so has the Session Assurance feature. Not sure which version of CA SSO you are on, but the Session Assurance feature in the (new design) R12.6 / R12.7 is a lightweight and better-performing solution than the one in R12.52. Enhanced SA provides a much higher level of security than a mere IP Check and is deemed a better fit / fuller solution to Session Hijacking.
https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/policy-server-configuration/enhanced-session-assurance-with-…
Configure Enhanced Session Assurance with DeviceDNA™ - CA Single Sign-On - 12.7 - CA Technologies Documentation
Tech Tip : CA Single Sign-On :: Policy Server :: How to Configure Enhanced Session Assurance
Tech Tip : CA Single Sign-On :: CA Access Gateway :: Introduction to the Redesigned Enhanced Session Assurance (12.6/12.7)
Again, as I mentioned, it is really dependent on how deep we need to dive to secure the resource and how the other supporting components (e.g. networks, proxies, LBs) align. From what I understand from the very first conversation, TransientIPCheck is working for all Intranet-based access. The challenge is when the same URL is accessed from the Internet: TransientIPCheck creates havoc, because now the Client IP is masked by the intermediate components.
Like I mentioned, here are the options:
- We could look at Enhanced Session Assurance. This should cater to both Internet and Intranet, but it necessitates having CA AG (with Session Assurance) running in parallel to the WebAgent.
- Segregate Internet and Intranet traffic. Internet traffic goes to a web front end which does not do IP Check. All Intranet traffic is routed to a web front end which enforces IP Check. In doing so, we retain the IP Check currently being done on Intranet and at the same time cater to Internet traffic as well. The Internet traffic would be additionally secured using VPNs or NetScalers or Junipers, so relaxing the rules on the Internet-facing web front end should be mitigated.
- Configure CustomIPHeader in the WebAgent ACO. Configure proxies / firewall / LBs to pass through the ClientIP in a header.
Default HTTP Headers Used by the Product - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
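The CustomIPHeader option in the last bullet only helps if the web front end trusts the header exactly as far as the hop that set it; a client can put anything into X-Forwarded-For itself, which is the spoofing risk the post opens with. The following is an added illustration, not code from the post or from CA's WebAgent: a small check that derives the client IP from a forwarding header the way a front end should, walking the chain from the right and skipping only hops that belong to the organisation's own proxies / LBs. The header name, the trusted proxy ranges and the sample addresses are assumptions made up for the example.

```python
"""Added example (not from the original post or CA Technologies).

Derives the effective client IP from a proxy-supplied header and compares it
against the IP bound to the session, mirroring what a CustomIPHeader-style
IP check has to get right:

  * a client that reaches the front end directly must not be able to assert
    a client IP via the header, so the header is only honoured when the TCP
    peer is a known proxy / LB;
  * when a proxy *appends* the peer it saw (the normal X-Forwarded-For
    behaviour), the chain is walked from the right so an attacker-supplied
    left-hand entry is ignored.

Header name, trusted ranges and addresses below are hypothetical.
"""
import ipaddress

# Hypothetical: networks that the organisation's own proxies / LBs live in.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Hypothetical: the header the edge components are configured to populate.
CLIENT_IP_HEADER = "X-Forwarded-For"


def is_trusted_proxy(ip: str) -> bool:
    """True if ip belongs to one of our own forwarding components."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(remote_addr: str, headers: dict) -> str:
    """Return the client IP the IP check should use.

    remote_addr is the TCP peer of the web front end. If that peer is not one
    of our proxies, the header is ignored entirely: whoever connected directly
    could have written it. Otherwise walk the comma-separated chain from the
    right and return the first hop that is not a trusted proxy; if every hop is
    trusted (or the header is absent), fall back to the peer address, which is
    exactly the 'client IP masked by the LB' situation the post describes.
    """
    if not is_trusted_proxy(remote_addr):
        return remote_addr

    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(CLIENT_IP_HEADER.lower(), "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]

    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: do not guess, treat the peer as the client.
            return remote_addr
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr


def transient_ip_check(session_ip: str, remote_addr: str, headers: dict) -> bool:
    """Does the request's effective client IP match the IP bound at login?"""
    return effective_client_ip(remote_addr, headers) == session_ip


if __name__ == "__main__":
    bound = "203.0.113.7"  # hypothetical IP recorded when the session was created
    # Legitimate request through the LB (10.1.1.5 appended the client it saw).
    print(transient_ip_check(bound, "10.1.1.5", {"X-Forwarded-For": "203.0.113.7"}))
    # Attacker behind the LB supplies the victim's IP; LB appends the real peer.
    print(transient_ip_check(bound, "10.1.1.5",
                             {"X-Forwarded-For": "203.0.113.7, 198.51.100.9"}))
    # Attacker connects straight to the front end and forges the header.
    print(transient_ip_check(bound, "198.51.100.9", {"X-Forwarded-For": "203.0.113.7"}))
```

The design choice worth noting for the segregated-front-end option as well: whichever front end enforces the check, the edge component in front of it must either append the true peer to the header or overwrite the header outright. If it simply passes the client's own header through unchanged, the rightmost entry is attacker-controlled and the IP check degrades to the "nothing" it was meant to improve on.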