
Problems using option for "Block clients with bad reputation" in WAF configuration

I enabled the option to block bad reputation clients when I configured my WAF sites.   

Then I was startled to discover that I had blocked my ability to connect from home because my IP address had a bad reputation on SORBS and Barracuda RBLs. Of course, I panicked that my home network was infected. After deciding that my network was really still clean, I contacted SORBS by email. Their reply said it was not just me, that I was part of a blocked network range, so I could not be de-listed. Next, I called my ISP. They forwarded the issue to a mysterious group that never responded despite multiple attempts. The silence did not endear me to my ISP.

Eventually, I determined that the bad reputation was because my home is on a dynamic IP address, just like most other home users. Since that type of address should not be used for email servers, the address range is blocked by some RBLs as a spam-prevention measure, not because of a known problem.

Sophos Support confirms that the email protection and the WAF bad client protection use the same RBLs. So if I choose different RBLs to permit WAF client filtering, I weaken my defenses for email filtering, and vice versa. However, change is not really an option because I would not know how to identify RBLs that never perform dynamic IP blocking.

So unless your WAF sites are only used by businesses with static IPs, you probably should not use this feature.

Disappointed.
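Added example, not from this thread or from Sophos: a small Python check against the two RBLs the post names, so an address can be tested before the option is enabled and a dynamic-range listing can be told apart from a spam or compromised-host listing. The zone names and SORBS return codes are public; the sample addresses and the offline resolver are constructed.

```python
"""Added example (not from the thread): check an address against the RBLs the
poster named and tell a dynamic-range listing apart from a spam/zombie one."""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Zones named in the thread. SORBS return-code meanings are from its public
# list; 127.0.0.10 is the DUHL (dynamic/generic IP) listing that catches
# ordinary home connections. Barracuda uses a single code for all listings.
ZONES: Dict[str, Dict[str, str]] = {
    "dnsbl.sorbs.net": {
        "127.0.0.10": "dynamic IP range (SORBS DUHL) - not evidence of infection",
        "127.0.0.6": "spam source",
        "127.0.0.9": "zombie / compromised host",
    },
    "b.barracudacentral.org": {"127.0.0.2": "listed (Barracuda BRBL)"},
}

def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: octets reversed, zone appended (RFC 5782 style)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def lookup(ip: str, zone: str, resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return the A-record text if the IP is listed, None on NXDOMAIN (not listed)."""
    try:
        return resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return None

def classify(ip: str, resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Map each zone to a readable reason so a DUHL hit is not mistaken for malware."""
    out = {}
    for zone, codes in ZONES.items():
        code = lookup(ip, zone, resolve)
        out[zone] = "not listed" if code is None else codes.get(code, f"listed, code {code}")
    return out

def constructed_resolver(name: str) -> str:
    """Constructed stand-in for DNS (sample data, not real listings): only 203.0.113.7 is listed."""
    table = {dnsbl_name("203.0.113.7", "dnsbl.sorbs.net"): "127.0.0.10",
             dnsbl_name("203.0.113.7", "b.barracudacentral.org"): "127.0.0.2"}
    if name in table:
        return table[name]
    raise socket.gaierror("NXDOMAIN")  # an unlisted address resolves to nothing

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.25"):
        print(ip, classify(ip, constructed_resolver))
```

Calling `classify()` without the second argument performs live DNS lookups against the real zones; a SORBS answer of 127.0.0.10 alone is the situation the post describes.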



  • Doug, why not just make an Exception for bad reputation for your home IP or a DNAT?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Should this thread be in the Web Server Security forum, Doug?

    Cheers - Bob

  • DouglasFoster said:
    Sophos Support confirms that the email protection and the WAF bad client protection use the same RBLs. So if I choose different RBLs to permit WAF client filtering, I weaken my defenses for email filtering, and vice versa.

    I think this is a misunderstanding. WAF and Email Protection might use the same RBLs (I take Support's word for it). But both components are configured independently from each other. If you disable "Block clients with bad reputation" for WAF it won't affect Email Protection. And if you disable RBLs in Email Protection it won't affect WAF.

    Just out of curiosity: How would you configure a different RBL for WAF? It's just a checkbox in the Firewall Profile. The RBLs used by WAF are not configurable through the UI.

  • We are in agreement.

    I was suggesting that one could theoretically fine-tune the email RBL list to only include RBLs that only block proven-malicious devices. If such RBLs can be identified, they would work for both Email and WAF. My point was that this may be difficult to do at all, and is probably undesirable, because it weakens defenses against home computers that get infected in the future.

  • Hi Douglas,

    Just to make sure my understanding is correct, because I’m in the same situation at the moment, with some smartphones.

    You could activate the option ‘Skip remote lookups for clients with bad reputation’, so the RBL sources aren’t used. Only GeoIP is then used.

    I know it’s not the same level of protection, but more than disabling ‘Block clients with bad reputation’.

    Best regards

    Alex
