
New Baseline Service Features: Enhanced IP Reputation Filtering, SNI/Host Header Match Check, and Default OCS Unavailable Page Deployment

As part of our ongoing commitment to your organization’s security, we are adding a further layer of security to your baseline RedShield service: Enhanced IP reputation filtering and SNI/Host header match check. We are also adding default OCS unavailable pages to enhance the end-user experience.

These new features will be rolled out to customers hosted in our Melbourne datacenters at 19:00 on Monday 22 November (UTC), ahead of being rolled out to all customers. This does not require any action from you or your team. If you have any questions or concerns about this change, please raise this by emailing support@redshield.co to log a support ticket.

 

Enhanced IP Reputation Filtering

For a long time, we have offered the ability to block specific IPs or to reject connections from designated countries. However, this requires customers to manage their own IP blocklist, or risk blocking genuine customers.

With enhanced IP reputation filtering, a new RedShield-managed IP blocklist will be rolled out as a new shield to all of our customers as part of our baseline service.

How does the new shield work? 

The RedShield-managed IP blocklist will be deployed as a shield front-ending your application to block known malicious IPs. 

The blocklist will be updated daily using Cisco Talos and SANS DShield attack data. These lists are based on a significant amount of global data and are regularly updated as attackers change IP addresses.

As a further enhancement to this new feature, we are exploring using our own data from IPs that we are seeing attack our customers across the globe. This means all customers will collectively benefit from our learned global experience.

What does the end user experience look like?
For most customers, your ordinary blocking page will be displayed to the blocked user, with a support ID and instructions on how to raise a support ticket to have their IP removed from the blocklist.

For customers with non-HTTP servers (i.e. those on FastL4) or with their policy in transparent mode, we are unable to display a blocking page, so the connection will simply be reset. Please contact support@redshield.co to discuss alternative options.

Will this new shield impact existing IP or geofencing shields in place?

This shield will not impact existing IP or geofencing shields; these existing shields will continue to be used where they suit your needs. 

What are the risks?
There is a small risk of genuine users being blocked. We expect this risk to be very low, and as we already manage false positives for you, any additional work will be ours to manage.

 

Server Name Indication (SNI)/Host header match check

To further enhance customer domain fronting protection, we are adding an SNI/Host header match check. 

This change will ensure that we only allow requests that are intended for the websites we are protecting.

The illustration below shows an example in which www.example.com is shielded by RedShield, alongside another website (internal.example.com) that is not meant to be publicly accessible.

In the current state, a misconfigured reverse proxy might allow users to access sites that are not supposed to be publicly accessible.

Adding an SNI/Host header match check will mean RedShield will reject these requests.

[Image: Screen_Shot_2021-10-13_at_2.49.41_PM.png]
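One way to express the SNI/Host header match check in Python, added here as an example and not RedShield's own code. The `PROTECTED` allowlist, the function names and the rejection reasons are assumptions; the hostnames are the ones used in the illustration.

```python
import re
from typing import Optional, Tuple

# Assumed allowlist of shielded sites (hostname taken from the article's example).
PROTECTED = {"www.example.com"}

_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def normalize(value: Optional[str], allow_port: bool) -> Optional[str]:
    """Return a lower-case hostname, or None if the value is missing or unusable.

    A Host header may carry ":port"; an SNI name never does, so the caller
    decides whether a port suffix is tolerated.
    """
    if not value:
        return None
    name = value.lower()
    if allow_port:
        name, sep, port = name.partition(":")
        if sep and not port.isdigit():
            return None
    name = name[:-1] if name.endswith(".") else name  # tolerate one trailing dot
    return name if _HOSTNAME.fullmatch(name) else None


def check_request(sni: Optional[str], host_header: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a TLS request may be forwarded to the origin."""
    sni_name = normalize(sni, allow_port=False)
    host_name = normalize(host_header, allow_port=True)
    if sni_name is None:
        return False, "no usable SNI in TLS handshake"
    if host_name is None:
        return False, "missing or unusable Host header"
    if sni_name != host_name:
        return False, "SNI and Host header differ"
    if host_name not in PROTECTED:
        return False, "hostname is not a protected site"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: (SNI from ClientHello, HTTP Host header).
    samples = [
        ("www.example.com", "www.example.com"),
        ("www.example.com", "internal.example.com"),
        ("internal.example.com", "internal.example.com"),
    ]
    for sni, host in samples:
        print(f"{sni!r:26} {host!r:26} -> {check_request(sni, host)}")
```

The second sample is the case described above: the TLS handshake names the shielded site while the Host header asks for the internal one, so the request is rejected before it reaches the origin.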

 

Default Origin Content Server Unavailable Page Deployment

All websites protected by RedShield get a default “server unavailable” page. This is a page that is shown in case your web server goes down or stops responding to requests.

To enquire about customizing your OCS unavailable page, contact support@redshield.co.

[Image: Screen_Shot_2021-10-13_at_2.42.40_PM.png]
