Blocking client devices with poor reputation
Blocking network traffic from malicious client devices with IP-based access controls (blacklisting) is core to a WAF, but relying on IP addresses alone has limits. Because IP-based access controls identify attackers by comparing their IP addresses with blacklist databases, gaps remain when attackers can:
- Change their IP address by using anonymous proxies
- Hide behind shared public IP addresses through NAT, DHCP or PPPoE technologies
Compared with changing IP address or hiding behind a shared one, it is difficult and impractical for attackers to change the computer they use to probe defenses and launch attacks. Rather than relying only on IP-based access controls, FortiWeb's device tracking feature identifies suspected attackers by the computers they are using. To identify a visiting device, FortiWeb generates a unique device ID from a set of its characteristics, including the time zone, source IP, operating system, browser, language, CPU, color depth, and screen size.
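How a device ID of this kind can be derived, as an added example that is not FortiWeb's own (unpublished) algorithm: a SHA-256 over the eight attributes the page lists. The field names, the two sample clients behind one NAT address and the 16-character truncation are assumptions for illustration.

```python
"""Illustrative device-ID derivation from client characteristics.

Added example, not FortiWeb code. It hashes the attribute set listed on the
page (time zone, source IP, OS, browser, language, CPU, color depth, screen
size) to show why two hosts sharing one NAT address still get distinct IDs,
and why one host keeps the same ID from request to request.
"""
import hashlib
import json

# Attribute names follow the page's list; the ordering is an assumption.
FINGERPRINT_FIELDS = (
    "time_zone", "source_ip", "os", "browser", "language",
    "cpu", "color_depth", "screen_size",
)


def device_id(attrs: dict) -> str:
    """Return a stable 16-hex-char device ID for a set of client attributes.

    Missing fields are recorded as empty strings so the ID is always defined;
    canonical JSON (sorted keys, fixed separators) makes the hash input
    independent of dict ordering or whitespace.
    """
    canonical = {f: str(attrs.get(f, "")) for f in FINGERPRINT_FIELDS}
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()[:16]


# Constructed sample clients: two workstations behind the same NAT address.
ALICE = {"time_zone": "UTC+1", "source_ip": "203.0.113.10", "os": "Windows 10",
         "browser": "Chrome 120", "language": "en-US", "cpu": "x86_64",
         "color_depth": 24, "screen_size": "1920x1080"}
BOB = dict(ALICE, os="macOS 14", browser="Safari 17", screen_size="2560x1600")


def shared_ip_distinct_ids() -> bool:
    """Same public IP, different devices -> different device IDs."""
    return ALICE["source_ip"] == BOB["source_ip"] and device_id(ALICE) != device_id(BOB)


def stable_across_requests() -> bool:
    """The same host fingerprinted twice yields the same ID, whatever the dict order."""
    shuffled = dict(reversed(list(ALICE.items())))
    return device_id(ALICE) == device_id(shuffled)


def ip_change_gives_new_id() -> bool:
    """Source IP is an input, so a client that moves address gets a new ID here."""
    moved = dict(ALICE, source_ip="198.51.100.7")
    return device_id(ALICE) != device_id(moved)


if __name__ == "__main__":
    print("alice", device_id(ALICE))
    print("bob  ", device_id(BOB))
    print("distinct behind NAT:", shared_ip_distinct_ids())
```

Under this construction the seven non-IP attributes are what separate two hosts behind one NAT, which is the case IP blacklisting cannot handle; because source IP is also an input, a client that changes address gets a fresh ID, so the fingerprint does not by itself defeat an attacker who rotates proxies.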
When device tracking is enabled and a device reputation security policy is selected, FortiWeb evaluates the reputation of client devices that trigger security violations. If a device triggers a security violation in a device reputation security policy, it will acquire a lower device reputation. Access to networks and servers can be managed according to a device's reputation.
How device reputation works
The device reputation mechanism takes into account the following factors:
Threat weight of security violations
Each protection feature involved in the device reputation mechanism must be scored with a threat weight to indicate how serious a security violation is; this generally depends on the security concerns according to how networks and servers will be used. For example, SQL injection might be a higher risk security violation if database applications are provided on servers, though it may be a lower risk event if no database applications are provided. When a security violation is detected, the threat weight of the security violation is used to calculate the reputation of the device that launched the event.
Reputation of a device
FortiWeb reacts to security violations launched by a device according to the reputation of that device. A device initially joins the network with a good reputation. A good reputation indicates a low-risk device; a bad reputation indicates a high-risk device. In a device profile, the historical threat weight field is the sum of the threat weights of all the security violations launched by the device. Each time the device violates a device reputation security policy, the corresponding threat weight is added to this total, so its reputation degrades as violations accumulate. The higher the accumulated threat weight, the poorer the device's reputation.
Risk level of a device
A device is classified as low-risk, medium-risk, or high-risk according to its device reputation. To identify the risk level of a device, the scale of the risk levels must be defined. For example, devices with a historical threat weight of 0-100 may be considered low-risk, 101-500 medium-risk, and 501-1000 high-risk.
Violation action based on risk level
When device tracking is enabled and a device reputation security policy is selected, FortiWeb can react to a security violation according to a device's reputation rather than just the individual security policy. Once the scale of device risk levels is determined, a violation action of each risk level may be defined so that FortiWeb can properly react to the risk level of a device when it detects a security violation launched from the device.
When device tracking is enabled and a device reputation security policy is selected, FortiWeb behaves as follows:
- When a security violation launched by a visiting device is detected, identify the device by its fingerprint and check whether a profile of the device already exists. If it does not, create a profile for the device with a unique device ID.
- Add the threat weight of the security violation launched by this device to the historical threat weight in the device's profile.
- Evaluate the reputation of the device (risk level of the device) by comparing the historical threat weight of the device with the predefined device risk level.
- Trigger the violation action corresponding with the risk level.
Configuring device tracking & device reputation security policies
Five major steps are required to configure device tracking and device reputation security policies:
- Enable device tracking feature visibility if it isn't already enabled. For details, see To enable device tracking feature visibility.
- Define the threat weight of each security violation. For details, see To define the threat weight of each security violation.
- Create a device reputation security policy. For details, see To define device risk levels and corresponding violation actions.
- Enable device tracking and select a device reputation security policy in a protection profile. For details, see To enable device tracking and select a device reputation security policy in a protection profile.
- Create device reputation security policy exceptions. For details, see To create device reputation exceptions.
You can also modify device tracking settings globally. For details, see To modify device tracking settings.
To enable device tracking feature visibility
By default, device tracking feature visibility is enabled.
- Go to System > Config > Feature Visibility.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.
- Enable Device Tracking.
- Click Apply.
To define the threat weight of each security violation
- Go to Policy > Threat Weight.
- Configure Risk Level Values.
There are four different risk levels used to indicate how serious a security violation is: Low, Medium, High, and Critical. The value specified for each risk level is the weight used to calculate the reputation of a device when it violates the security policy. Assign a threat weight of 1-100 to each risk level. It is possible to initially use the default values and later adjust them according to specific security concerns.
- Define the risk level of each security violation.
Here are the security violations that FortiWeb can detect:
- Signatures (See Blocking known attacks & data leaks)
- Custom Signatures (See Defining custom data leak & attack signatures)
- DoS Attacks (See DoS prevention)
- Custom Policy Violations (See Combination access control & rate limiting)
- Padding Oracle Attacks (See Defeating cipher padding attacks on individually encrypted inputs)
- CSRF Attacks (See Defeating cross-site request forgery (CSRF) attacks)
- HTTP Protocol Constraint Violations (See HTTP/HTTPS protocol constraints)
- Brute Force Logins (See Preventing brute force logins)
- URL Access Violations (See Restricting access to specific URLs)
- Page Access Violations (See Enforcing page order that follows application logic)
- Start Page Violations (See Specifying URLs allowed to initiate sessions)
- Allow Methods Violations (See Specifying allowed HTTP methods)
- IP List Violations (See Blacklisting & whitelisting clients)
- Geo IP Violations (See Blacklisting & whitelisting countries & regions)
- Parameter Validation (See Validating parameters (“input rules”))
- Hidden Field Tampering (See Preventing tampering with hidden inputs)
- Uploading Viruses, Trojans, and other Malware (See Limiting file uploads)
- Cookie Security Policy Violations (See Protecting against cookie poisoning and other cookie-based attacks)
- Poor IP Reputation (See Blacklisting source IPs with poor reputation)
- User Tracking (See Tracking users)
Adjust the slider bar to assign a risk level to each security violation.
For Signatures and HTTP Protocol Constraints, first enable them here and go to Web Protection > Known Attacks > Signatures and Web Protection > Protocol > HTTP Protocol Constraints to set the risk level of individual signatures and HTTP protocol constraints. For details, see Blocking known attacks & data leaks and HTTP/HTTPS protocol constraints.
Moving the cursor of a slider bar to the leftmost side sets the threat weight of a security violation to OFF, meaning that a threat weight will not be calculated for the security violation in the device reputation security policy. Once a security violation without a defined threat weight is detected, FortiWeb will not react to the security violation according to the device reputation security policy, and instead the violation action specified in the local security policy will be triggered.
To define device risk levels and corresponding violation actions
If Device Tracking isn't enabled in Feature Visibility, you must enable it before you can create a device reputation security policy. To enable Device Tracking, go to System > Config > Feature Visibility and enable Device Tracking.
- Go to Tracking > Device Reputation and select the Device Reputation Security Policy tab.
- Click Create New.
- Configure these settings:

Setting | Description
---|---
Name | Policy name.
Weight Range for Low/Medium/High Risk Level | Risk levels are used to evaluate how dangerous a device is. Each time a device violates a device reputation security policy, the historical threat weight of the device increases by the threat weight of the security violation. FortiWeb compares the historical threat weight of the device with the weight ranges specified here to identify the risk level of the device, and then triggers the corresponding violation action. Adjust the slider bar to specify weight ranges between 0-1000 for the risk levels.
Action for High/Medium/Low/Unidentified Risk Level Device | Specify the violation action FortiWeb carries out in response to security violations launched by a high-, medium-, low- or unidentified-risk device. The options are: Alert (accept the request and generate an alert email and/or log message); Alert & Deny (block the request, or reset the connection, and generate an alert email and/or log message); Deny (no log) (block the request, or reset the connection); Period Block (block subsequent requests from the client for a number of seconds; also configure Block Period); Using Local Action (take the local action specified in the protection profile). You can customize the web page that is returned to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).
Device Reputation Exceptions | Select an exceptions policy. For details, see To create device reputation exceptions.

- Click OK to save the configuration.
To enable device tracking and select a device reputation security policy in a protection profile
- Go to Policy > Web Protection Profile, select the Inline Protection Profile tab, and select an existing profile or create a new one.
- Enable Device Tracking and select a policy in Device Reputation Security Policy. For details, see Device Tracking.
When Device Tracking is enabled, FortiWeb responds to detected security violations according to the actions defined in the selected device reputation security policy rather than the individual security policies and rules in the protection profile. The individual security policies are still required in the protection profile, because they are what identify the security violations. FortiWeb bypasses the device reputation security policy and reacts to a security violation according to the individual policy or rule when:
- The threat weight of the security violation is set to OFF in Policy > Threat Weight (for Signatures and HTTP Protocol Constraints, when the feature is not enabled there).
- The security feature is listed in the Device Reputation Exceptions policy selected for the device reputation security policy.
- The violation action configured for the device's risk level is Using Local Action.
To create device reputation exceptions
If Device Tracking isn't enabled in Feature Visibility, you must enable it before you can create device reputation exceptions. To enable Device Tracking, go to System > Config > Feature Visibility and enable Device Tracking.
- Go to Tracking > Device Reputation, select the Device Reputation Exceptions tab, and select an existing policy or create a new one.
- Security features placed in Selected Security Feature Name will bypass device reputation security policies. From Security Feature Name, select the security feature and click the right arrow button to move it to Selected Security Feature Name.
To cancel the exception for a security feature, select the feature in Selected Security Feature Name and click the left arrow to move it back to Security Feature Name.
- Click OK to save the configuration.
To modify device tracking settings
If Device Tracking isn't enabled in Feature Visibility, you must enable it before you can modify device tracking settings. To enable Device Tracking, go to System > Config > Feature Visibility and enable Device Tracking.
Once you enable device tracking, you can modify its settings according to your environment's needs, including:
- How long a device's reputation is tracked
- How long FortiWeb keeps device reputation data
- How long a device will be blocked
- How often a device fingerprint is updated
- Go to System > Config > Device Tracking.
- Configure these settings:

Setting | Description
---|---
Historical Threat Weight Cleanup Period | Select the amount of time that FortiWeb will store threat weight information for a device. Once threat weight information has been stored for longer than the selected amount of time, FortiWeb removes that information.
Delete Inactive Records After | Enter the amount of time (in days) that FortiWeb will store data for an inactive device before removing it. The default value is 0. The valid range is 0-30.
Block Duration | Enter the amount of time (in hours) that FortiWeb will block a device within a single Historical Threat Weight Cleanup Period.
Update Device Fingerprint After | Enter the interval (in minutes) at which FortiWeb updates the device fingerprint of a currently tracked device. The default value is 60. The valid range is 60-1440.
Database Query Timeout | Enter the maximum amount of time (in seconds) that FortiWeb will wait for a response when it queries the database for a device's threat weight information. The default value is 3. The valid range is 1-30.

- Click Apply.
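The timers above interact (a cleanup window that resets the historical weight, a block that expires in hours, a fingerprint refresh in minutes, and an inactivity purge in days). The following simulation is an added example, not FortiWeb code: the profile store, field names and the exact expiry arithmetic are assumptions, but the units and valid ranges are those of the settings table.

```python
"""Simulation of the device tracking timers from System > Config > Device Tracking.

Added example, not FortiWeb code. It models Historical Threat Weight Cleanup
Period, Delete Inactive Records After (days, 0-30, 0 = keep), Block Duration
(hours) and Update Device Fingerprint After (minutes, 60-1440) so their
combined effect on one device profile can be traced. Timestamps are epoch
seconds; the profile fields are assumptions for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

MINUTE, HOUR = 60, 3600
DAY = 24 * HOUR


@dataclass
class TrackingSettings:
    cleanup_period_s: int = 7 * DAY      # Historical Threat Weight Cleanup Period (7 days assumed)
    delete_inactive_after_days: int = 0  # page default 0 = inactive records are never deleted
    block_duration_h: int = 1            # Block Duration in hours (1 assumed)
    fingerprint_update_min: int = 60     # Update Device Fingerprint After (page default 60)

    def __post_init__(self):
        if not 0 <= self.delete_inactive_after_days <= 30:
            raise ValueError("Delete Inactive Records After must be 0-30 days")
        if not 60 <= self.fingerprint_update_min <= 1440:
            raise ValueError("Update Device Fingerprint After must be 60-1440 minutes")


@dataclass
class DeviceProfile:
    device_id: str
    historical_weight: int = 0
    weight_since: int = 0     # start of the current cleanup window
    last_seen: int = 0
    blocked_until: int = 0
    fingerprint_at: int = 0   # when the fingerprint was last (re)computed


class DeviceTracker:
    def __init__(self, settings: TrackingSettings):
        self.s = settings
        self.profiles: dict[str, DeviceProfile] = {}

    def _get(self, device_id: str, now: int) -> DeviceProfile:
        p = self.profiles.get(device_id)
        if p is None:  # profile is created the first time a device is seen
            p = DeviceProfile(device_id, weight_since=now, last_seen=now, fingerprint_at=now)
            self.profiles[device_id] = p
        return p

    def record_violation(self, device_id: str, weight: int, now: int) -> int:
        """Add a threat weight; the total is discarded first if its cleanup window elapsed."""
        p = self._get(device_id, now)
        if now - p.weight_since >= self.s.cleanup_period_s:
            p.historical_weight, p.weight_since = 0, now
        p.historical_weight += weight
        p.last_seen = now
        return p.historical_weight

    def block(self, device_id: str, now: int) -> int:
        """Period-block a device for Block Duration hours; returns the unblock time."""
        p = self._get(device_id, now)
        p.blocked_until = now + self.s.block_duration_h * HOUR
        return p.blocked_until

    def is_blocked(self, device_id: str, now: int) -> bool:
        p = self.profiles.get(device_id)
        return p is not None and now < p.blocked_until

    def needs_fingerprint_refresh(self, device_id: str, now: int) -> bool:
        p = self._get(device_id, now)
        return now - p.fingerprint_at >= self.s.fingerprint_update_min * MINUTE

    def purge_inactive(self, now: int) -> list[str]:
        """Drop profiles idle longer than Delete Inactive Records After; 0 disables purging."""
        days = self.s.delete_inactive_after_days
        if days == 0:
            return []
        stale = [d for d, p in self.profiles.items() if now - p.last_seen >= days * DAY]
        for d in stale:
            del self.profiles[d]
        return stale


def demo() -> dict:
    """Walk one device through a cleanup window, a block, a refresh check and a purge."""
    t = DeviceTracker(TrackingSettings(cleanup_period_s=DAY, delete_inactive_after_days=3, block_duration_h=2))
    t0 = 1_700_000_000
    out = {"after_first": t.record_violation("dev-a", 100, t0)}
    out["after_second"] = t.record_violation("dev-a", 30, t0 + 6 * HOUR)   # same window: 130
    out["unblock_at"] = t.block("dev-a", t0 + 6 * HOUR)                     # blocked until t0 + 8h
    out["blocked_at_7h"] = t.is_blocked("dev-a", t0 + 7 * HOUR)
    out["blocked_at_9h"] = t.is_blocked("dev-a", t0 + 9 * HOUR)
    out["refresh_30m"] = t.needs_fingerprint_refresh("dev-a", t0 + 30 * MINUTE)
    out["refresh_2h"] = t.needs_fingerprint_refresh("dev-a", t0 + 2 * HOUR)
    out["after_window_reset"] = t.record_violation("dev-a", 5, t0 + 2 * DAY)  # window expired: 5
    out["purged"] = t.purge_inactive(t0 + 6 * DAY)                           # idle 4 days > 3
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```

The point to take from the walk-through is that Historical Threat Weight Cleanup Period bounds how long a device's bad reputation persists: a device that slows its attacks to one per cleanup window never accumulates enough weight to cross a risk band, so the window should be chosen against the slowest attack pace you want to catch.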
Example configuration and resulting behavior of a device reputation security policy
In Threat Weight, these settings are configured:

Risk Level Value | Weight
---|---
Low | 5
Medium | 10
High | 30
Critical | 100

Threat weight of security violation | Setting
---|---
Signatures | Disabled
DoS Protection | OFF
Brute Force Login | Critical (100)

In the device reputation security policy, these settings are configured:

Device risk level | Weight range | Action
---|---|---
Low | 0-30 | Alert
Medium | 31-100 | Period Block
High | 101-1000 | Alert & Deny

Assume the device has already accumulated a historical threat weight of 40 from earlier violations. FortiWeb takes the following actions after identifying these security violations from the device:

Security violation | Behavior | Historical threat weight | Device risk | Violation action
---|---|---|---|---
Brute Force Login | Adds the threat weight of Brute Force Login (100) to the device's historical threat weight. | 140 | High | Alert & Deny
DoS Protection | The threat weight of DoS Protection is OFF in Threat Weight, so no weight is added and FortiWeb reacts to the violation according to the DoS protection policy specified in the protection profile. | 140 (unchanged) | High | According to the DoS protection policy
Signatures | Signatures are disabled in Threat Weight, so no weight is added and FortiWeb reacts to the violation according to the signatures policy specified in the protection profile. | 140 (unchanged) | High | According to the signatures policy
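The decision logic described in "How device reputation works", run against this example configuration, as an added example that is not FortiWeb code: it accumulates threat weight per device, maps the total to a risk band, takes the band's action, and falls back to the protection profile's own action when the feature's threat weight is OFF or disabled or the feature is on the exceptions list (no weight is added in that case). The 40-point starting weight, the placeholder text for local actions and the action for unidentified devices are assumptions for illustration.

```python
"""Device-reputation decision logic fed the example configuration above.

Added example, not FortiWeb code. Encodes: threat weight accumulation per
device profile, risk bands over the historical weight, the per-band violation
action, and the bypass for features whose threat weight is OFF/disabled or
that are listed as exceptions. Starting weight, local-action placeholders and
the unidentified-device action are assumed values.
"""
from dataclasses import dataclass

# Policy > Threat Weight: Risk Level Values from the example.
RISK_LEVEL_VALUES = {"Low": 5, "Medium": 10, "High": 30, "Critical": 100}

# Threat weights of security violations from the example; None = OFF or disabled.
FEATURE_RISK = {"Signatures": None, "DoS Protection": None, "Brute Force Login": "Critical"}

# Device reputation security policy from the example.
RISK_BANDS = (("Low", 0, 30), ("Medium", 31, 100), ("High", 101, 1000))
BAND_ACTIONS = {"Low": "Alert", "Medium": "Period Block", "High": "Alert & Deny"}
UNIDENTIFIED_ACTION = "Alert"  # assumed "Action for Unidentified Risk Level Device"


@dataclass
class Decision:
    feature: str
    weight_added: int
    historical_weight: int
    risk: str
    action: str


class DeviceReputation:
    def __init__(self, exceptions=(), local_actions=None):
        self.exceptions = set(exceptions)          # Device Reputation Exceptions policy
        self.local_actions = local_actions or {}   # feature -> action in the protection profile
        self.profiles = {}                         # device_id -> historical threat weight

    @staticmethod
    def risk_level(weight: int) -> str:
        for name, low, high in RISK_BANDS:
            if low <= weight <= high:
                return name
        return "High"  # above the top of the 0-1000 scale: still the worst band

    def on_violation(self, device_id, feature: str) -> Decision:
        """Score one security violation and return the action FortiWeb would take."""
        if device_id is None:
            # No usable fingerprint: the unidentified-device action applies, nothing is recorded.
            return Decision(feature, 0, 0, "Unidentified", UNIDENTIFIED_ACTION)
        current = self.profiles.setdefault(device_id, 0)  # profile is created on first sight
        level = FEATURE_RISK.get(feature)
        if level is None or feature in self.exceptions:
            # Bypass: no threat weight is calculated; the feature's own (local) action is used.
            action = self.local_actions.get(feature, f"According to the {feature} policy")
            return Decision(feature, 0, current, self.risk_level(current), action)
        added = RISK_LEVEL_VALUES[level]
        self.profiles[device_id] = total = current + added
        risk = self.risk_level(total)
        return Decision(feature, added, total, risk, BAND_ACTIONS[risk])


def run_example(start_weight: int = 40) -> list:
    """Replay the three violations of the example table for one device."""
    rep = DeviceReputation()
    rep.profiles["dev-1"] = start_weight  # assumed weight accumulated from earlier violations
    return [rep.on_violation("dev-1", f) for f in ("Brute Force Login", "DoS Protection", "Signatures")]


if __name__ == "__main__":
    for d in run_example():
        print(f"{d.feature:18} +{d.weight_added:<3} total={d.historical_weight:<4} {d.risk:7} -> {d.action}")
```

A device seen for the first time starts at weight 0, so its first Brute Force Login lands at 100 (Medium, Period Block) and the second at 200 (High, Alert & Deny); the DoS and Signatures rows never move the total because their threat weight is OFF or disabled, which is exactly what the final table above shows.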