Originally published January 20, 2020
At D2L, we take security and privacy very seriously. Our approach puts our clients' security and data confidentiality, availability and integrity first. Our process works, as demonstrated by a track record of delivering reliable security to all of our clients, and it is continuously being improved. Over the next few months, D2L will be proactively blocking potentially malicious traffic from reaching the Brightspace Cloud environment, through a piece of cloud technology called a web application firewall (WAF).
The rules that we are putting in place check whether the traffic is coming from a source (e.g., an Internet Service Provider (ISP) or a Virtual Private Network (VPN)) that has a bad reputation, according to an industry-recognized list (link to the list below), and whether the traffic is coming from a remote country/region other than where the Brightspace site is hosted. All traffic coming into the Brightspace Cloud environment will be checked, and if it matches both conditions of the "rules", the traffic will not be allowed.
When is this happening?
This will be enabled in the Brightspace Cloud Singapore region in February, 2020.
Other regions will be brought on board gradually over the next few months:
- Europe, Asia-Pacific (Australia and New Zealand): March, 2020 - COMPLETE
- Canada, US: April 6, 2020 - COMPLETE
Regional deployment information will also be included in the monthly Release Notes, so you can keep an eye on those for details as well.
What is the impact?
These new rules will be implemented in the Singapore region in February. D2L has been monitoring usage patterns, and has validated that this will have an extremely low impact on current users. Approximately 0.01% of traffic in Singapore will be blocked when these new rules are implemented. Less than 0.002% of traffic to the Brightspace Cloud will be blocked when this is implemented in Europe and Australia in March 2020.
In North America we also expect very low impact. Brightspace sites hosted in the US will see about 0.0012% of total traffic blocked, and sites hosted in Canada will see 0.00056% of traffic blocked.
What does it mean for me?
There is a possibility that users attempting to access Brightspace might be blocked by the new rules if they are accessing Brightspace via a connection (e.g., a proxy server) that has a bad reputation and that connection is coming from a country/region outside of where the Brightspace site is hosted. If this happens, the user will receive a “403 Forbidden” error.
Figure: Brightspace WAF 403 Forbidden Error.
In this case, the user may reach out for assistance, either from your institution’s support channels or D2L’s End-User Support. If the user contacts your institution’s admins or support channel, here are some steps that you can take to help troubleshoot the issue:
- Check whether the user can access another, non-Brightspace site (e.g., www.d2l.com, or www.google.com). If they cannot, then this indicates that they are experiencing a general internet connectivity issue, rather than a problem with the Brightspace environment, specifically.
- Ask if they are accessing the Internet through a VPN or proxy and, if so, which one they are using.
- Using a proxy or VPN does not guarantee that a user will be blocked by the rules, but it can certainly be a contributing factor.
- Ask the user to find their IP address, by visiting https://whatsmyip.org/ or typing “whatsmyip” into Google.
- You can then visit a site that lists addresses with a bad reputation (such as Talos Reputation Center), and see if the IP address is included in any blacklists or has a poor reputation.
If the rules are blocking the user, they will need to choose a different means of accessing Brightspace, such as a home ISP connection or campus network, or request an exception from D2L.
How can I prepare for this change?
Determine whether your institution, or certain users at your institution, use a VPN or proxy to access Brightspace. If so, you can take similar steps to determine whether it will be blocked by the rules:
- First, assess whether a VPN or proxy is required to access the Brightspace environment (as opposed to, say, a home ISP connection or campus network). If not, the users should be directed to use a more typical connection, as this will certainly not be blocked by the WAF rules.
- If a VPN or proxy is required, ask the user to find out the IP address, by visiting https://whatsmyip.org/ or typing “whatsmyip” into Google.
- You can then visit a site that lists addresses with a bad reputation (such as Talos Reputation Center), and see if the IP address is included in any blacklists, or has a poor reputation.
Communicate to users in advance that ISPs and VPNs that a) have a bad reputation and b) send their traffic outside of the client’s region will be blocked by Brightspace. If they are using a custom ISP or VPN to access Brightspace, they should check the reputation of the ISP/VPN (using the steps above), and look into an alternative way of accessing Brightspace, if needed.
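A sketch of that pre-check for a batch of reported source IPs, as an added example that is not D2L's code or WAF configuration. The reputation and geolocation tables are constructed sample data using documentation address ranges, and the handling of invalid, internal or unlocatable addresses is an assumption about what a support desk would want flagged.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not a real feed.
BAD_REPUTATION = [ipaddress.ip_network(n)
                  for n in ("203.0.113.0/24", "198.51.100.64/26")]
GEO = {ipaddress.ip_network(n): cc for n, cc in (
    ("203.0.113.0/24", "NL"), ("198.51.100.0/24", "SG"),
    ("192.0.2.0/24", "CA"))}
# Addresses a user may report by mistake instead of their public IP.
# Listed explicitly: ipaddress.is_private also flags the sample ranges above.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def lookup_country(addr):
    """Country code of the longest matching prefix in GEO, or None."""
    hits = [(net.prefixlen, cc) for net, cc in GEO.items() if addr in net]
    return max(hits)[1] if hits else None


def assess(source_ip, site_region):
    """Apply the two-condition rule to one reported source IP."""
    try:
        addr = ipaddress.ip_address(source_ip.strip())
    except ValueError:
        return "invalid"        # typo or hostname: ask the user again
    if any(addr in net for net in NOT_PUBLIC):
        return "not-public"     # internal address, not what the WAF sees
    if not any(addr in net for net in BAD_REPUTATION):
        return "allowed"        # condition (a) fails, so no block
    country = lookup_country(addr)
    if country is None:
        return "needs-review"   # assumption: unknown location is escalated
    return "would-block" if country != site_region else "allowed"


def triage(reported_ips, site_region):
    """Return only the reports that need follow-up, keyed by input string."""
    results = {ip: assess(ip, site_region) for ip in reported_ips}
    return {ip: r for ip, r in results.items() if r != "allowed"}


if __name__ == "__main__":
    reports = ["203.0.113.10", "198.51.100.70", "192.168.1.20", "n/a"]
    for ip, verdict in triage(reports, "SG").items():
        print(f"{ip}: {verdict}")
```

The second sample address has a bad reputation but is located in the site's own region, so it is not blocked; the same address assessed against a site hosted elsewhere would be.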
Can I request an exception?
If you are concerned that the rules are blocking legitimate traffic for your users, please send the details to D2L for investigation. D2L can update the WAF’s configuration to make an exception for this situation if warranted. To request an exception, please open a case with the Brightspace Helpdesk with the following information about what is being blocked:
- Impact: Campus, individual user
- Source location: Campus, home ISP, café, VPN, etc.
- Source IP: Source IP of requests being blocked (https://whatsmyip.org)
D2L will update the rule and notify you within a timeframe based on the priority of the case.
How can I find out more?
Please contact your TAM (Technical Account Manager) or CSM (Client Success Manager), who can share more detailed information about the new rules.