About Spotlight Secure Attacker Fingerprints

Spotlight Secure provides a database of known attackers to WebApp Secure for use throughout the appliance. If enabled, a two-way communication process shares information about attackers and attacks to and from a Spotlight server run by Juniper Networks. This allows WebApp Secure to positively identify attackers that have attacked other Juniper customers. This service also provides additional details about sessions, which allows Juniper to make more informed decisions on how to respond to threats. By default, the service is turned off.

The two-way link enables WebApp Secure to block attackers based only on a unique and specialized fingerprint gathered by a completely different WebApp Secure installation. It also provides a mechanism for reporting attacker information gathered on the local installation to the Global Attacker Database. Because your local WebApp Secure appliance is relaying information to a central data store, the ability to recognize attackers quickly and effectively increases as the database grows.

Here is an overview of how Spotlight Secure Attacker Fingerprints works:

  1. A user gets profiled by WebApp Secure.
  2. WebApp Secure sends the Spotlight service a client fingerprint that is unique to that user.
  3. The Spotlight service searches its Global Attacker Database for an attacker with the same fingerprint.
  4. If a match is found, Spotlight feeds all identifying information on that user to the WebApp Secure appliance automatically.
  5. If the user is not doing anything malicious and is not currently found in Spotlight Secure’s database, the fingerprint for the user is still stored within the local session.
  6. If at any point the user becomes malicious and is flagged by WebApp Secure, the appliance will submit the fingerprint and other data to the Spotlight service for inclusion in the Global Attacker Database.
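
The six steps above can be traced with a small in-memory model. This is an added illustration, not Juniper code or the product's API: the class names, method names and fingerprint strings are hypothetical, and the model assumes that a disabled service neither queries nor reports.

```python
# Conceptual model only: every class, method and fingerprint value is hypothetical.
from dataclasses import dataclass, field

@dataclass
class GlobalAttackerDatabase:
    """Stand-in for the central Spotlight store (in-memory, constructed)."""
    records: dict = field(default_factory=dict)

    def lookup(self, fingerprint):
        return self.records.get(fingerprint)

    def submit(self, fingerprint, details):
        self.records[fingerprint] = details

@dataclass
class Appliance:
    """Stand-in for one WebApp Secure installation."""
    name: str
    spotlight: GlobalAttackerDatabase
    enabled: bool = False          # the service is turned off by default
    sessions: dict = field(default_factory=dict)

    def profile(self, fingerprint):
        """Steps 1-5: profile a user, query Spotlight, keep the fingerprint locally."""
        match = self.spotlight.lookup(fingerprint) if self.enabled else None
        self.sessions[fingerprint] = {"known_attacker": match is not None,
                                      "details": match}
        return self.sessions[fingerprint]["known_attacker"]

    def flag_malicious(self, fingerprint, details):
        """Step 6: only a locally flagged user is reported to the global store."""
        self.sessions.setdefault(fingerprint, {})["known_attacker"] = True
        if self.enabled:
            self.spotlight.submit(fingerprint, {"reported_by": self.name, **details})

def demo():
    db = GlobalAttackerDatabase()
    site_a = Appliance("site-a", db, enabled=True)
    site_b = Appliance("site-b", db, enabled=True)
    site_c = Appliance("site-c", db)                    # default: service off
    first_seen = site_a.profile("fp-constructed-01")    # unknown everywhere
    site_a.profile("fp-constructed-02")                 # benign, stays local
    site_a.flag_malicious("fp-constructed-01", {"reason": "constructed sample"})
    return {
        "first_seen": first_seen,
        "site_b_recognises": site_b.profile("fp-constructed-01"),
        "site_c_recognises": site_c.profile("fp-constructed-01"),
        "benign_in_global": db.lookup("fp-constructed-02") is not None,
    }
```

In this model the benign fingerprint never leaves the local session store, and an installation that leaves the service at its default gets no benefit from what other installations have reported.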
