Fortinet 523 FortiWeb 5.0 Patch 6 Administration Guide
See also
• Limiting the total HTTP request rate from an IP
• Preventing brute force logins
• Example: Setting a separate rate limit for shared Internet connections
• Blocking known attacks & data leaks
• Rewriting & redirecting
• Compression & decompression
• Supported cipher suites & protocol versions
Example: Setting a separate rate limit for shared Internet connections

The small ice cream shop Tiny Treats might have only one network-connected smart cash register. Any request from that public IP therefore likely comes from that single client (unless they have not secured their WiFi network...). From FortiWeb’s perspective, there is a 1:1 ratio of clients to source IP addresses.

Down the street, Giant Gelato, which distributes ice cream to eight provinces, might have a LAN for its entire staff of 250 people, each with one or more computers. Requests that come from the Giant Gelato office’s public IP may therefore actually originate from many possible clients, and so would normally be much more frequent. However, like many offices, the LAN uses source IP network address translation (SNAT) at the point where it links to the Internet. As a result, from FortiWeb’s perspective the private network address of each client is impossible to know: it only sees the single public IP address of Giant Gelato’s router. So there is a single source IP address for Giant Gelato, but a 250:1 ratio of clients to that source IP address.
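The reasoning above, worked through in code as an added illustration (this is not FortiWeb’s own implementation or configuration): a sliding-window request counter keyed by source IP, where a source known to be a shared SNAT connection gets its limit scaled by the number of clients behind it. The IP addresses, the base limit, the window size and the class and function names are all assumptions made up for the example.

```python
from collections import defaultdict, deque

# Constructed policy values for the example (not FortiWeb defaults).
BASE_LIMIT = 20          # requests per window for a 1:1 client-to-IP source
WINDOW_SECONDS = 10.0
# Hypothetical public IPs: Giant Gelato's router fronts roughly 250 clients.
SHARED_SOURCES = {"203.0.113.50": 250}   # public IP -> approximate client count


class SourceRateLimiter:
    """Sliding-window request counter keyed by source IP address."""

    def __init__(self, base_limit=BASE_LIMIT, window=WINDOW_SECONDS, shared=None):
        self.base_limit = base_limit
        self.window = window
        self.shared = dict(shared or {})
        self.history = defaultdict(deque)   # ip -> timestamps inside the window

    def limit_for(self, ip):
        # A shared (SNAT) source gets its budget multiplied by its client count;
        # an unknown source is treated as a single client (1:1 ratio).
        return self.base_limit * self.shared.get(ip, 1)

    def allow(self, ip, now):
        q = self.history[ip]
        while q and now - q[0] >= self.window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) >= self.limit_for(ip):
            return False
        q.append(now)
        return True


def evaluate(log_lines, limiter):
    """Replay constructed '<timestamp> <source_ip>' lines; return blocked count per IP."""
    blocked = defaultdict(int)
    for line in log_lines:
        ts, ip = line.split()
        if not limiter.allow(ip, float(ts)):
            blocked[ip] += 1
    return dict(blocked)


def demo():
    # Constructed traffic: 30 requests within 3 seconds from a single-client shop
    # (198.51.100.7) and the same burst from the shared office IP (203.0.113.50).
    lines = [f"{i * 0.1:.1f} 198.51.100.7" for i in range(30)]
    lines += [f"{i * 0.1:.1f} 203.0.113.50" for i in range(30)]
    return evaluate(lines, SourceRateLimiter(shared=SHARED_SOURCES))
```

The single-client shop exceeds its budget of 20 and has 10 requests blocked, while the office, with a budget of 20 × 250, is not throttled at all.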
Setting Name: Disable Client-Initiated SSL Renegotiation
Description: Enable to prevent client-initiated SSL/TLS renegotiation.

According to RFC 5246, either the client or the server can renegotiate the connection in order to change cryptographic keys and other parameters. However, SSL/TLS renegotiation attacks exist that take advantage of the fact that the negotiation phase is more processing-intensive for the server than it is for the client. By repeatedly initiating renegotiations, clients can cause a DoS.

Setting Name: Prioritize RC4 Cipher Suite
Description: Enable to prefer the RC4 encryption algorithm, if the client’s hello during the handshake advertises support for it.

In older TLS 1.0 implementations, including the NSS cryptographic package used by the Mozilla Firefox and Google Chrome web browsers, both AES and 3DES are vulnerable to initialization vector (IV)-based cipher block chaining (CBC) attacks due to using the same IV repeatedly. This causes the cipher blocks to become predictable, and therefore vulnerable to a MITM eavesdropper.

Because RC4 is a stream cipher, which does not use CBC, it is not vulnerable to the BEAST attack.

Caution: Known attacks also exist for RC4, depending on the implementation. Weigh the risks and benefits carefully. You should never use a cipher that is weaker than the value of the data that it is protecting, but clients may be unaware that they are configured to offer weaker ciphers, and will use them if the server (or FortiWeb) agrees. For information on cipher suites supported by FortiWeb, see “Supported cipher suites & protocol versions” on page 279.