Page 3 of 3 (results 21 to 30 of 30)
  1. #21
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,393


    No, what you're talking to is a support quagmire that's known to compromise firewalls. If what you wanted was so stupidly easy, people wouldn't be making millions on content control engines. Addresses change, things happen. This sort of thing requires regular attention and maintenance. Heck, you said it yourself the whole reason you want to use a DNS name is because the address changes. As the net moves into IPv6 the problem only gets worse.

    The reality is the concept of a firewall itself is becoming outmoded. That's why we have UTMs now.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  2. #22
    Untangler
    Join Date
    Feb 2008
    Posts
    80


Quote Originally Posted by sky-knight:
    No, what you're talking to is a support quagmire that's known to compromise firewalls. If what you wanted was so stupidly easy, people wouldn't be making millions on content control engines. Addresses change, things happen. This sort of thing requires regular attention and maintenance. Heck, you said it yourself the whole reason you want to use a DNS name is because the address changes. As the net moves into IPv6 the problem only gets worse.

    The reality is the concept of a firewall itself is becoming outmoded. That's why we have UTMs now.
You're obviously not reading what I'm writing. I'm beginning to think you don't even understand the problem. You keep conflating "content control" with what I'm looking for, which isn't the same thing. What I'm asking for is what I'm already doing manually. So it's not a "support quagmire"; rather, the alternative is -- having to manually update firewall rules every time a service provider changes the IP address associated with the name. Automating this process in no way lowers the security threshold or otherwise. Getting the IP address and updating the rule. Wow! That's groundbreaking stuff, I tell you.

But even UTMs are somewhat outmoded, because from what I'm seeing, the market is shifting to security as a service, especially when you're working on an environment with more than one firewall that spans multiple locations. And even internally, many organizations have devices isolating LAN segments to prevent lateral threats and provide isolation between these segments. A product like Untangle gives you the ability to pick and choose what you need for a given context, but the real work of monitoring and maintenance is automated. Logging into every single device is rather arduous, so anything you can do to mitigate this and use heuristics-based approaches that correlate events on a network to determine threats is welcomed. This has given rise to the SIEM solutions (LogRhythm, FireEye) and products like OpenDNS Umbrella, which is supplanting content filter and intrusion detection systems. Additionally, firewalls and other security appliances like endpoint management systems and MDM solutions report to SIEM solutions, which correlate the events. UTMs have their place, but the real growth is in Security as a Service. UTMs still employ signature-based detection algorithms, which isn't a bad thing; it's just old technology that is being outsmarted. Security as a Service is how to protect from behaviors and 0-day threats. Security hardening and threat mitigation is necessary, but modern threat detection and mediation is based on behaviors. Policies and signatures can stop a lot of junk, but it's static.
    Last edited by blaize; 04-08-2016 at 06:12 AM.

  3. #23
Untangle Ninja WebFooL
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,275


    Just jumping in to say that my lock thread finger is itching.

Blaize, Untangle does not have the feature you are after, and writing a module for it is not what I can see on the map.
If you really want the feature, register a feature request in bugzilla.untangle.com and make people vote for it.

  4. #24
    Untangler
    Join Date
    Feb 2008
    Posts
    80


Quote Originally Posted by WebFooL:
    Just jumping in to say that my lock thread finger is itching.

Blaize, Untangle does not have the feature you are after, and writing a module for it is not what I can see on the map.
If you really want the feature, register a feature request in bugzilla.untangle.com and make people vote for it.
    I'm not asking for it, I was asking if it was possible. That's all. Otherwise, I'll do a workaround of some kind. There's no demand for it, so there's no need to include it. I'm cool with that.

  5. #25
Master Untangler johndball
    Join Date
    Apr 2008
    Location
    Virginia
    Posts
    174


Quote Originally Posted by WebFooL:
If you really want the feature, register a feature request in bugzilla.untangle.com and make people vote for it.

^^^ That. And Blaize, if you write a modification, please post it here. I am interested. Cisco is doing this exact thing in their Next Gen ASAs with FirePOWER. Ever since they bought OpenDNS, I am sure there will be more integration with Cisco and OpenDNS providing these features.

In regards to firewalls going the way of the dodo bird, Gartner would disagree. On the contrary, Gartner's 2015 IT Security findings forecast that UTMs are going out around 2020, the same way mullets and big eyeglasses did back in the 90's... although I disagree with Gartner on that one.

I see a big opportunity for Untangle here. It is unfortunate that tit-for-tats get in the way of valuable customer feedback and creativity. I would love to see something like this in UTM.
    --
    "I have often regretted my speech, never my silence." - Xenocrates
    https://www.johndball.com

  6. #26
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,393


    Every DNS lookup being subject to a content filter is quite different than every firewall rule evaluation. And I haven't seen Cisco "do this" with the ASA line.

    I mean, they've been doing this: https://supportforums.cisco.com/docu...roubleshooting

And there's a nice best practices list there that shows why such a feature is boneheaded.

That being said, the idea that an admin has the option of shunting the IP address picked up by the firewall module into the web filter, and having the category blocks of that module be able to trigger a block in the firewall, is some integration that I haven't yet seen, and could offer value. And the OP is correct that Untangle doesn't currently do this, and a DNS filter does. That being said, this is one of those things that has caused me endless headaches with OpenDNS, and one of the reasons why I'm very careful about using it anymore. I've had that situation intermittently shut down an Exchange server.

Of course, if Untangle was doing it I'd have a nice block event in the firewall / webfilter module and I'd know exactly what was going on. OpenDNS's visibility is terrible in comparison. And if Untangle could, say, prevent all access to any IP address in the WebFilter's malware category... that would be nice.

  7. #27
    Untangler
    Join Date
    Feb 2008
    Posts
    80


Quote Originally Posted by sky-knight:
    Using Trust DNS (OpenDNS): Check
    Low TTL: Check
    Single Hostname to IP: Check
    Websites with multiple IP not an issue, so Check. Truth is, I'm not concerned about HTTP.

According to this, what I'm trying to do isn't outside the scope of what Cisco is saying their hostname ACLs are for. In any case though, I wouldn't call it "boneheaded"; rather, it's something that if you realize the caveats and act accordingly, you're not going to have issues with.
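The workflow blaize describes (resolve the name, update the rule) together with the caveats from the Cisco best-practices list that both sides cite above (a trusted resolver, a low TTL, a name that maps to a small fixed set of addresses), written out as an added example. This is not code from this thread, from Untangle or from Cisco: the resolver is a constructed stub, and `HostRule`, `refresh_rule`, `MAX_ADDRESSES`, `RETRY_AFTER_FAILURE` and the iptables-style rendering are assumptions made here for illustration.

```python
"""Reconcile a hostname-based firewall rule with current DNS answers.

Added example, not code from Untangle, Cisco or this thread. It models the
workflow the thread describes (resolve the name, update the rule) and the
caveats the thread lists: honour the record TTL, keep every address the name
resolves to, refuse names that fan out to too many addresses, and never wipe
a rule because one lookup failed. The resolver is a constructed stub so the
script runs offline; a real lookup can sit behind the same interface.
"""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class DnsAnswer:
    addresses: frozenset  # A records returned for the name
    ttl: int              # seconds the answer may be cached


@dataclass(frozen=True)
class HostRule:
    hostname: str
    action: str                         # e.g. "ACCEPT" or "DROP"
    addresses: frozenset = frozenset()  # last addresses the rule was built for
    refresh_after: float = 0.0          # monotonic time of the next permitted lookup


# Constructed lookup table standing in for a trusted resolver (RFC 5737 test addresses).
FAKE_DNS = {
    "api.example.test": DnsAnswer(frozenset({"192.0.2.10", "192.0.2.11"}), ttl=60),
}


def stub_resolve(name):
    """Constructed resolver: returns a DnsAnswer, or None when the lookup fails."""
    return FAKE_DNS.get(name)


RETRY_AFTER_FAILURE = 30  # seconds; assumed value, not from the thread
MAX_ADDRESSES = 8         # assumed fan-out limit; larger answers are treated as unsuitable


def refresh_rule(rule, resolve=stub_resolve, now=None):
    """Re-resolve the rule's hostname once its cached answer has expired.

    Returns (rule, added, removed): the rule to install and the address sets
    the caller must add to / remove from the packet filter.
    """
    now = time.monotonic() if now is None else now
    nothing = frozenset()
    if now < rule.refresh_after:
        return rule, nothing, nothing  # answer still fresh: nothing to do

    answer = resolve(rule.hostname)
    if answer is None or len(answer.addresses) > MAX_ADDRESSES:
        # Lookup failed or the name fans out too widely: keep the last-known
        # addresses rather than tearing the rule down, and retry shortly.
        kept = HostRule(rule.hostname, rule.action, rule.addresses, now + RETRY_AFTER_FAILURE)
        return kept, nothing, nothing

    added = answer.addresses - rule.addresses
    removed = rule.addresses - answer.addresses
    updated = HostRule(rule.hostname, rule.action, answer.addresses, now + answer.ttl)
    return updated, added, removed


def render(rule):
    """Render the rule as iptables-style lines for review (illustrative format only)."""
    return [f"-A FORWARD -d {ip} -j {rule.action}" for ip in sorted(rule.addresses)]


if __name__ == "__main__":
    rule = HostRule("api.example.test", "ACCEPT")
    rule, added, removed = refresh_rule(rule, now=0.0)
    print("added:", sorted(added), "removed:", sorted(removed))
    print("\n".join(render(rule)))
```

`refresh_rule` returns the address diff rather than the whole rule set so that every change can be logged as its own event, which gives the administrator the kind of visibility the thread says a DNS-side block does not provide. Keeping the last-known addresses on a failed or oversized answer is the failure mode to handle deliberately: a transient resolver outage should not silently drop a rule that an Exchange server or similar depends on.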

  8. #28
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,393


    That last bit is the problem.

    Cisco's product is designed to be implemented and maintained by trained professionals. Untangle is designed to be implemented and maintained by anyone. When you make that turn into that design goal, features like this get thrown out! Sure you and I could use it effectively, but your average forum denizen around here would use it improperly and turn it into another support ticket.

For example, the source port flag in the firewall... note it's simply not there anymore. Rare good use case, but commonly misused and causing problems.

    P.S. OpenDNS isn't always low latency...
    Last edited by sky-knight; 04-08-2016 at 10:08 AM.

  9. #29
Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,605


Quote Originally Posted by sky-knight:
    Sure you and I could use it effectively, but your average forum denizen around here would use it improperly
    HAY! I resemble that remark!


  10. #30
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,393


    Naw Jim you can RTFM. But you know how many people just don't... I used to post all sorts of hacks and things around here and I had to stop because people would just leeroy it and break things. Now I'm all paranoid because I don't want to make more work for the UT support team. They offer that support for free, and I'd like that to stay. But the time constraints... ugh... not fun.
