Fortinet 5.0 Patch 6 Example: Setting a separate rate limit for shared Internet connections

Fortinet 523 FortiWeb 5.0 Patch 6 Administration Guide

See also

•Limiting the total HTTP request rate from an IP

•Preventing brute force logins

•Example: Setting a separate rate limit for shared Internet connections

•Blocking known attacks & data leaks

•Rewriting & redirecting

•Compression & decompression

•Supported cipher suites & protocol versions

Example: Setting a separate rate limit for shared Internet connections

The small ice cream shop Tiny Treats might have only one network-connected smart cash

they have not secured their WiFi network...). There is a 1:1 ratio of clients to source IP

addresses from FortiWeb’s perspective.

Down the street, Giant Gelato, which distributes ice cream to eight provinces, might have a LAN

for the entire staff of 250 people, each with one or more computers. Requests that come from

the Giants Gelato office’s public IP therefore may actually originate from many possible clients,

and therefore normally could be much more frequent. However, like many offices, the LAN uses

source IP network address translation (SNAT) at the point that it links to the Internet. As a result,

from FortiWeb’s perspective, the private network address of each client is impossible to know: it

only knows the single public IP address of Giant Gelato’s router. So there is a single source IP

address for Giant Gelato. However, there is a 250:1 ratio of clients to the source IP address.

Disable

Client-Initiated

SSL

Renegotiation

Enable to prevent client-initiated SSL/TLS renegotiation.

According to RFC 5246, either the client or the server can re-negotiate the

connection in order to change cryptographic keys and other parameters.

However, SSL/TLS renegotiation attacks exist to take advantage of the fact

that the negotiation phase is more processing-intensive for the server than

it is for the client. By repeatedly initiating renegotiations, clients can cause a

DoS.

Prioritize RC4

Cipher Suite

Enable to prefer the RC4 encryption algorithm, if the client’s hello during the

handshake advertises support for it.

In older TLS 1.0 implementations, including the NSS cryptographic

package used by Mozilla Firefox and Google Chrome web browsers, both

AES and 3DES are vulnerable to initialization vector (IV)-based cipher block

chaining (CBC) attacks due to using the same IV repeatedly. This causes

the cipher blocks to become predictable, and therefore vulnerable to a

MITM eavesdropper.

Because RC4 is a stream cipher, which does not use CBC, it is not

vulnerable to the BEAST attack.

Caution: Known attacks also exist for RC4, depending on the

implementation. Weigh the risks and benefits carefully. You should never

use a cipher that is weaker than the value of the data that it is protecting,

but clients may be unaware that they are configured to offer weaker

ciphers, and will use them if the server (or FortiWeb) agrees. For information

on cipher suites supported by FortiWeb, see “Supported cipher suites &

protocol versions” on page 279.

Setting Name Description