Full default logging for all appliances
I think it would be wise to enable logging for ALL rules for ALL appliances as default.
New users/companies that set up Untangle have no idea what their network is being exposed to. By enabling logging for all rules in all appliances they would be able to immediately see what is happening. Plus they may have a sense of false security because they do not see all logged entries and thus assume that everything's cool.
I have also noticed that in the IPS rules there is a section of backdoor rules that only allows you to select one at a time to log. Not the whole range. Is this intended?
JayTee
02-05-2007, 09:08 AM
Hi aits,
I completely agree with you that most organizations are unaware of the vulnerabilities of their network. I will pass on your recommendation to enable all the rules. However, logging all the rules brings the problem of too much data. The user would have tons of information and not know what or how to filter the data.
As far as logging the backdoor rules, you should be able to select each rule to log. Are you receiving an error message when you try this? Can you please provide more information?
Thanks,
JT
Untangle
Technical Support
dmorris
02-07-2007, 12:23 AM
You make some good points.
We turn on everything by default we feel:
1) Won't have negative side effects
2) Won't create false positives
3) Applies to most cases
In the case of IPS we only turn on the better rules.
Some rules (like blocking/logging instant messaging, games, p2p, etc.) depend more on your policy about whether or not they are considered 'bad'.
Ok, I understand where you're coming from. Too much data could definitely be overwhelming, but if presented properly it could be a sale maker. Here are my feelings.
1. Once a client is interested in the product and has agreed to try it out they are anticipating seeing something. They usually suspect their network has some types of vulnerabilities. My thinking is that we should somehow provide them a view of these anomalies as quickly as possible. One way is by making sure all rules have logging turned on. If not, there very well could be some type of rogue hiding within their network that is active but they still would not know about it because the rule for it is not logging/enabled. False sense of security. And potentially dangerous for them.
2. I love the rack concept. The running scales/graphs are visually impressive and show the client that the system is being monitored. It would be even better if there was some way to display how many 'items' of that particular appliance were blocked, right there on the main rack screen. The number scanned and marked and passed I feel are not critical. They can get those in the daily reports. But to quickly see how many have been stopped in their tracks would be very nice for the customer. Something they could show their management people right away without having to dig out reports.
BTW, I was able to mark/select all of the IPS backdoor rules. There must have been a problem with the client interface at the time.
Thanks-George/aits
JayTee
02-07-2007, 03:16 PM
George,
I really like the idea of creating a special report during the eval period. Your suggestion has been forwarded to right people and hopefully we'll come up with a nice way to do this.
I'll also forward your comments to our GUI designer. I think he did a great job and really like the look and feel of it too. The system monitors are to scale and you can see the vertical values increase as the traffic increases.
If you have any other suggestions or problems, please let us know. Our product will only improve with the suggestions of our users.
Thanks,
JT