Blocking client devices with poor reputation

While using IP-based access controls (blacklisting) to block network traffic from malicious client devices is core to a WAF solution, issues with using only IP-based access controls remain. Because IP-based access controls rely on identifying attackers by comparing their IP addresses with blacklist databases, network security concerns and vulnerabilities remain when attackers can:

Compared to changing IP address or hiding behind shared IP addresses, it is difficult and impractical to change the computer attackers use to probe defenses and launch attacks. Rather than relying only on IP-based access controls, FortiWeb's Device Tracking feature identifies suspected attackers based on the computers they are using. To identify a visiting device, FortiWeb generates a unique device ID according to a set of its characteristics, including the time zone, source IP, operating system, browser, language, CPU, color depth, and screen size. When Device Tracking is enabled and a device reputation security policy is selected, FortiWeb evaluates the reputation of client devices that trigger security violations. If a device triggers a security violation in a device reputation security policy, it will acquire a lower device reputation. Access to networks and servers can be managed according to a device's reputation.

How device reputation works

The device reputation mechanism takes into account the following factors:

Threat weight of security violations

Each protection feature involved in the device reputation mechanism must be scored with a threat weight that indicates how serious a security violation is; the right weight generally depends on how the networks and servers are used. For example, SQL injection might be a higher-risk security violation if database applications are provided on the servers, but a lower-risk event if no database applications are provided. When a security violation is detected, the threat weight of that violation is used to calculate the reputation of the device that launched it.

Reputation of a device

FortiWeb reacts to security violations launched by a device according to the reputation of the device. A device initially joins the network with a good reputation. A good reputation indicates a low-risk device; a bad reputation indicates a high-risk device. In a device profile, the historical threat weight field is the sum of the threat weights of all the security violations launched by the device. As a device triggers security violations, its reputation is negatively affected: each time a device violates a device reputation security policy, the corresponding threat weight is added to the total value in the device profile. The higher the accumulated threat weight of the device, the poorer the reputation of the device.

Risk level of a device

A device can be classified as low-risk, medium-risk, or high-risk according to its device reputation. To identify the risk level of a device, the scale of the risk levels must be defined. For example, devices that have a historical threat weight between 0-100 may be considered low-risk, between 101-500 medium-risk, and between 501-1000 high-risk.

Violation action based on risk level

When Device Tracking is enabled and a device reputation security policy is selected, FortiWeb can react to a security violation according to a device's reputation rather than just the individual security policy. Once the scale of device risk levels is determined, a violation action of each risk level may be defined so that FortiWeb can properly react to the risk level of a device when it detects a security violation launched from the device.

When Device Tracking is enabled and a device reputation security policy is selected, FortiWeb behaves as follows:

1.  When a security violation launched by a visiting device is detected, identify the device through the fingerprint technique and check whether a profile of the device already exists. If a device profile does not already exist, create a profile of the device with a unique device ID.

2.  Add the threat weight of the security violation launched by this device to the historical threat weight in the device's profile.

3.  Evaluate the reputation of the device (the risk level of the device) by comparing the historical threat weight of the device with the predefined device risk level ranges.

4.  Trigger the violation action corresponding with the risk level.

How to configure device reputation security policies

Four major steps are required to configure device reputation security policies:

To define the threat weight of each security violation

1.  Go to Policy > Threat Weight.

2.  Configure Risk Level Values

There are four different risk levels used to indicate how serious a security violation is: Low, Medium, High, and Critical. The specified values of the risk levels are the weights used to calculate the reputation of a device when it violates the security policy.

Assign a threat weight of 1-100 to the risk levels. It is possible to initially use the default values and later adjust them according to specific security concerns.

3.  Define the risk level of each security violation.

Here are the security violations that FortiWeb can detect:

Adjust the slider bar to assign a risk level to each security violation.

For Signatures and HTTP Protocol Constraints, first enable them here and go to Web Protection > Known Attacks > Signatures and Web Protection > Protocol > HTTP Protocol Constraints to set the risk level of individual signatures and HTTP protocol constraints. For details, see Blocking known attacks & data leaks and HTTP/HTTPS protocol constraints.

Moving the cursor of a slider bar to the leftmost side sets the threat weight of a security violation to OFF, meaning that a threat weight will not be calculated for the security violation in the device reputation security policy. Once a security violation without a defined threat weight is detected, FortiWeb will not react to the security violation according to the device reputation security policy, and instead the violation action specified in the local security policy will be triggered.

4.  Click Apply to save the configuration.

To define device risk levels and corresponding violation actions

1.  Go to Tracking > Device Reputation, select the Device Reputation Security Policy tab, and select an existing policy or create a new one.

2.  Configure the following settings:

Settings and their descriptions:
Name

Policy name

Weight Range for Low/Medium/High Risk Level

Risk levels are used to evaluate how dangerous a device is. Each time a device violates a device reputation security policy, the historical threat weight of the device increases according to the threat weight of the security violation. FortiWeb compares the historical threat weight of the device with the weight range specified here to identify the risk level of the device so that FortiWeb can trigger a corresponding violation action.

Adjust the slider bar to specify weight ranges between 0-1000 for the risk levels.

Action for High/Medium/Low/Unidentified Risk Level Device

Specify the violation action FortiWeb carries out in response to security violations launched by a high/medium/low/unidentified risk device.

The options are:

  • Alert — Accept the request and generate an alert email and/or log message.
  • Alert & Deny — Block the request (or reset the connection) and generate an alert email and/or log message.

You can customize the web page that returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

  • Period Block — Block subsequent requests from the client for a number of seconds. Also configure Block Period.

You can customize the web page that returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

  • Using Local Action — Takes the local action specified in a protection profile.
Device Reputation Exceptions

Select an exceptions policy. For details, see To create device reputation exceptions.

3.  Click OK to save the configuration.

To enable a device reputation security policy in a protection profile

1.  Go to Policy > Web Protection Profile, select the Inline Protection Profile tab, and select an existing profile or create a new one.

2.  Enable Device Tracking and select a policy in Device Reputation Security Policy. For details, see Device Tracking in Configuring a protection profile for inline topologies.

When Device Tracking is enabled, FortiWeb responds to the detected security violations according to actions defined in the selected device reputation security policy rather than the individual security policy and rule in the protection profile. Even so, the security policies are still necessary in a protection profile to identify security violations.

FortiWeb bypasses a device reputation security policy and reacts to security violations according to individual policies and rules when:

  • Device Tracking is disabled
  • The threat weight of security violations is disabled (set to OFF)
  • Device reputation exceptions have been selected

To create device reputation exceptions

1.  Go to Tracking > Device Reputation, select the Device Reputation Exceptions tab, and select an existing policy or create a new one.

2.  Security features placed in Selected Security Feature Name will bypass device reputation security policies. From Security Feature Name, select the security feature and click the right arrow button to move it to Selected Security Feature Name.

To cancel the exception for a security feature, select the feature in Selected Security Feature Name and click the left arrow to move it back to Security Feature Name.

3.  Click OK to save the configuration.

Example: configuration and resulting behavior of a device reputation security policy

In Threat Weight, the following settings have been selected:

Risk Level Value
  Low: 5
  Medium: 10
  High: 30
  Critical: 100

Threat weights of security violations
  Signatures: Disabled
  DoS Protection: OFF
  Illegal Json Format: Low (5)
  File Upload Restriction: Medium (10)
  Illegal Xml Format: High (30)
  Brute Force Login: Critical (100)

In the device reputation security policy, the following settings have been selected:

Weight Range of Device Risk Levels
  Low: 0-30
  Medium: 31-100
  High: 101-1000

Action for Device Risk Levels
  Low: Alert
  Medium: Period Block
  High: Alert & Deny

FortiWeb takes the following actions after identifying these security violations from a device:

Security violation 1: File Upload Restriction
  Behavior: Generate a device profile after identifying a violation coming from the device for the first time, then add the threat weight of File Upload Restriction (10) to the device.
  Device threat weight: 10 | Device risk: Low | Violation action: Alert

Security violation 2: Illegal Xml Format
  Behavior: Add the threat weight of Illegal Xml Format (30) to the device.
  Device threat weight: 40 | Device risk: Medium | Violation action: Period Block

Security violation 3: Brute Force Login
  Behavior: Add the threat weight of Brute Force Login (100) to the device.
  Device threat weight: 140 | Device risk: High | Violation action: Alert & Deny

Security violation 4: File Upload Restriction
  Behavior: Add the threat weight of File Upload Restriction (10) to the device.
  Device threat weight: 150 | Device risk: High | Violation action: Alert & Deny

Security violation 5: DoS Protection
  Behavior: The threat weight of DoS Protection is OFF in Device Reputation, so FortiWeb reacts to the violation according to the DoS protection policy specified in the protection profile.
  Device threat weight: 150 | Device risk: High | Violation action: According to the DoS protection policy

Security violation 6: Illegal Json Format
  Behavior: Add the threat weight of Illegal Json Format (5) to the device.
  Device threat weight: 155 | Device risk: High | Violation action: Alert & Deny

Security violation 7: Signatures
  Behavior: The Signatures feature is disabled in Device Reputation, so FortiWeb reacts to the violation according to the signatures policy specified in the protection profile.
  Device threat weight: 155 | Device risk: High | Violation action: According to the signatures policy

In this example, FortiWeb carried out two different actions for the two File Upload Restriction violations, and applied a high-risk action to a low-risk Illegal Json Format violation (threat weight of 5). This is because FortiWeb reacts to each security violation according to the reputation (risk) of the device, regardless of the type of security policy the device violated.
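As an added illustration (not FortiWeb's own code), the following Python simulates the four-step evaluation described under "How device reputation works" and replays this example's violation sequence with its Threat Weight and policy settings. The device characteristics, the hashing used to derive the device ID, the handling of weights above 1000 and the "Using Local Action" result for OFF/Disabled features are assumptions made for the example.

```python
import hashlib

# Sample Threat Weight settings from the page: risk level values, and the
# risk level assigned to each violation (None = OFF/Disabled, no weight).
RISK_LEVEL_VALUE = {"Low": 5, "Medium": 10, "High": 30, "Critical": 100}
VIOLATION_RISK = {
    "Signatures": None, "DoS Protection": None,
    "Illegal Json Format": "Low", "File Upload Restriction": "Medium",
    "Illegal Xml Format": "High", "Brute Force Login": "Critical",
}
# Sample device reputation security policy: weight ranges and actions.
RISK_RANGES = [("Low", 0, 30), ("Medium", 31, 100), ("High", 101, 1000)]
RISK_ACTION = {"Low": "Alert", "Medium": "Period Block", "High": "Alert & Deny"}

# Constructed device characteristics and the page's violation sequence.
SAMPLE_DEVICE = {"tz": "UTC+8", "src_ip": "203.0.113.7", "os": "Windows", "browser": "Chrome",
                 "lang": "en-US", "cpu": "x86_64", "color_depth": 24, "screen": "1920x1080"}
SEQUENCE = ["File Upload Restriction", "Illegal Xml Format", "Brute Force Login",
            "File Upload Restriction", "DoS Protection", "Illegal Json Format", "Signatures"]


def device_id(characteristics: dict) -> str:
    """Stable device ID from the tracked characteristics (hashing scheme is assumed)."""
    canonical = "|".join(f"{k}={characteristics[k]}" for k in sorted(characteristics))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def risk_level(weight: int) -> str:
    """Step 3: map a historical threat weight onto the policy's weight ranges."""
    for name, low, high in RISK_RANGES:
        if low <= weight <= high:
            return name
    return RISK_RANGES[-1][0]  # assumption: beyond the top of the scale stays high-risk


def evaluate(profiles: dict, characteristics: dict, violation: str) -> tuple:
    """Steps 1-4 for one violation. profiles maps device ID -> historical threat weight."""
    did = device_id(characteristics)
    weight = profiles.setdefault(did, 0)            # step 1: find or create the profile
    level = VIOLATION_RISK.get(violation)
    if level is None:                                # weight OFF/Disabled: policy bypassed,
        return weight, risk_level(weight), "Using Local Action"  # weight unchanged
    weight += RISK_LEVEL_VALUE[level]                # step 2: accumulate the threat weight
    profiles[did] = weight
    risk = risk_level(weight)                        # step 3: classify the device
    return weight, risk, RISK_ACTION[risk]           # step 4: action for that risk level


def run_example() -> list:
    profiles = {}  # fresh profile store: the device has no history yet
    return [evaluate(profiles, SAMPLE_DEVICE, v) for v in SEQUENCE]
```

Running `run_example()` reproduces the seven rows of the table above, including the two different actions for the same File Upload Restriction violation.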