Intrusion Prevention and 9.0

dmorris · 06-27-2011, 11:59 AM

We made several performance improvements and overall cleanups to the product in 9.0, especially to "matchers" which match rules/strings to port, address, usernames, etc. This isn't a change to Intrusion Prevention specifically, but it does effect Intrusion Prevention heavily along with other rule-based apps like Firewall, Policy Manager, etc.

This has really improved the performance of Intrusion Prevention so as a result you might notice that it is matching a lot more traffic and signatures than it did in previous versions.
This is an unfortunate side effect for these improvements. Why "unfortunate?"
Because many users have never run an intrusion prevention system before and may not be prepared for the level of effort required to run an intrusion prevention system.

Here is my personal thoughts about running Intrusion Prevention in Untangle:
* There will be false positives, often thousands of them. You can ignore them or disable the rules you don't want to hear about. This is the nature of IPS.
* Intrusion Prevention plays just a small role within Untangle and within most organizations overall security landscape.
* Keeping a Intrusion Prevention system running can be a lot of work.
* The amount of security gained from Intrusion Prevention is debatable.
* Given, the above points in most networks it may make sense to NOT enable Intrusion Prevention as the gain is minimal but the effort is real. If you aren't prepared to deal with Intrusion Prevention I would suggest you NOT run Intrusion Prevention.

Hopefully this will help explain some of the things people are seeing in 9.0

bigdessert · 06-27-2011, 12:00 PM

to me this is great news!

f1assistance · 06-27-2011, 05:59 PM

I second that!
Whining about what I should have deployed in this environment seems way more costly...plus, we've all been there, done that!
Besides, HOPE is not a security strategy.

adrianp918 · 06-27-2011, 06:11 PM

is there a list of what the corresponding codes mean...for novice people?

adrianp918 · 06-27-2011, 06:16 PM

never mind i found it i believe in the logs and description its self

sky-knight · 06-27-2011, 06:32 PM

So the official position is that this thing is now as annoying as a block by default firewall?

I need to upgrade.

fasttech · 06-27-2011, 06:36 PM

Quote:

Originally Posted by sky-knight

So the official position is that this thing is now as annoying as a block by default firewall?

Or, perhaps it's something along the lines of, 'Now, it actually works.'.

sky-knight · 06-27-2011, 08:22 PM

True, that module has always been really quiet. I'm going to have to disable it in my field units until I can get a feel for the updated functionality.

dmorris · 06-27-2011, 09:19 PM

Maybe I'm the only one not looking forward to the flood of calls and posts saying "OMG I've been ATTACKED!!!11"

fasttech · 06-27-2011, 10:11 PM

Let's just say, out of many, varied installations over the years, this is the only ips system that I didn't have to tune. Look forward to the change.

06-27-2011, 11:59 AM	#1 (permalink)
dmorris Untangle Junkie Join Date: Nov 2006 Location: San Mateo, CA URLs submitted: 10 Posts: 10,612	Intrusion Prevention and 9.0 We made several performance improvements and overall cleanups to the product in 9.0, especially to "matchers" which match rules/strings to port, address, usernames, etc. This isn't a change to Intrusion Prevention specifically, but it does effect Intrusion Prevention heavily along with other rule-based apps like Firewall, Policy Manager, etc. This has really improved the performance of Intrusion Prevention so as a result you might notice that it is matching a lot more traffic and signatures than it did in previous versions. This is an unfortunate side effect for these improvements. Why "unfortunate?" Because many users have never run an intrusion prevention system before and may not be prepared for the level of effort required to run an intrusion prevention system. Here is my personal thoughts about running Intrusion Prevention in Untangle: * There will be false positives, often thousands of them. You can ignore them or disable the rules you don't want to hear about. This is the nature of IPS. * Intrusion Prevention plays just a small role within Untangle and within most organizations overall security landscape. * Keeping a Intrusion Prevention system running can be a lot of work. * The amount of security gained from Intrusion Prevention is debatable. * Given, the above points in most networks it may make sense to NOT enable Intrusion Prevention as the gain is minimal but the effort is real. If you aren't prepared to deal with Intrusion Prevention I would suggest you NOT run Intrusion Prevention. Hopefully this will help explain some of the things people are seeing in 9.0 __________________ Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com Last edited by dmorris; 06-27-2011 at 07:15 PM..

06-27-2011, 06:32 PM	#6 (permalink)
sky-knight Join Date: Apr 2008 Location: Phoenix, AZ URLs submitted: 8 Posts: 15,457	So the official position is that this thing is now as annoying as a block by default firewall? I need to upgrade. __________________ Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879

06-27-2011, 08:22 PM	#8 (permalink)
sky-knight Join Date: Apr 2008 Location: Phoenix, AZ URLs submitted: 8 Posts: 15,457	True, that module has always been really quiet. I'm going to have to disable it in my field units until I can get a feel for the updated functionality. __________________ Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879

06-27-2011, 09:19 PM	#9 (permalink)
dmorris Untangle Junkie Join Date: Nov 2006 Location: San Mateo, CA URLs submitted: 10 Posts: 10,612	Maybe I'm the only one not looking forward to the flood of calls and posts saying "OMG I've been ATTACKED!!!11" __________________ Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com

Protect

Filter

Perform

Connect

Manage

Add-Ons

06-27-2011, 12:00 PM	#2 (permalink)
bigdessert Master Untangler Join Date: Apr 2007 URLs submitted: 1 Posts: 608	to me this is great news!

06-27-2011, 05:59 PM	#3 (permalink)
f1assistance Master Untangler Join Date: Apr 2009 Location: Holly Springs, NC URLs submitted: 154 Posts: 218	I second that! Whining about what I should have deployed in this environment seems way more costly...plus, we've all been there, done that! Besides, HOPE is not a security strategy.

06-27-2011, 06:11 PM	#4 (permalink)
adrianp918 Master Untangler Join Date: May 2009 Posts: 397	is there a list of what the corresponding codes mean...for novice people?

06-27-2011, 06:16 PM	#5 (permalink)
adrianp918 Master Untangler Join Date: May 2009 Posts: 397	never mind i found it i believe in the logs and description its self

06-27-2011, 10:11 PM	#10 (permalink)
fasttech Master Untangler Join Date: Jan 2009 Posts: 721	Let's just say, out of many, varied installations over the years, this is the only ips system that I didn't have to tune. Look forward to the change.