
Thread: U25 vs U25x

  1. #21 Untangler (Join Date Jan 2017, Posts 59)

    Can really comment on the direct CPU comparison other than this link n2930 vs 3215u

    I have a similar network config (Devices count etc) and the U25X doesn't even break a sweat. I am seeing 940mb/s avg downloads to each of my test machines. Memory doesn't seem to be an issue as well.

  2. #22 Untangler (Join Date Feb 2017, Posts 56)

    Quote Originally Posted by jcoffin:
    Yes, as with any hardware, with a moderate amount of sessions. Frankly any IPS is just a resource hog with little value unless you offer network services to the Internet.
    I beg to differ with a caveat. Running a Fortigate 60E with full IPS, it's saved me from multiple internal compromises. IPS snagged traffic masking itself on Port 53. IPS snagged a subjugated antivirus software used to push services out a lesser used SMB port. Both would have been serious issues without a quality IPS on the network and we're talking a pretty small home network where this happened.

    Now for the majority of things, I agree with you. MOST people won't see any value with IPS and they could go months without any hits for little benefit. But in those cases where it is a benefit, it's a huge benefit.

    I like Untangle, but I hate how it implements IPS and the difficulty dealing with the rules in comparison to other SOHO/Corporate gear. Has this been improved or is it still a mess?

  3. #23 Master Untangler (Join Date Mar 2017, Posts 185)

    Quote Originally Posted by JamesHenderson:
    I beg to differ with a caveat. Running a Fortigate 60E with full IPS, it's saved me from multiple internal compromises. IPS snagged traffic masking itself on Port 53. IPS snagged a subjugated antivirus software used to push services out a lesser used SMB port. Both would have been serious issues without a quality IPS on the network and we're talking a pretty small home network where this happened.
    I'd beg to agree with a caveat.
    Talking about Untangle, in most environments I would use the Application Control app for the first scenario and the Firewall app for the second. In fact, these are not the scenarios I would choose an IDS/IPS for. The first is network behavior: let networking protocols flow only if they are what they say they are. The second is common sense: block all outgoing traffic to SMB/CIFS if not tunneled (most ISPs started to do this almost 15 years ago).

    The truth is that an IDS/IPS is a simple signature based control system, just like AV, mostly. Since the beginning they began getting more and more signatures, to the point that the letter I (for Intrusion) points today to more false positives headaches than most other networking software. And tons of logs. And if nobody is doing aggregation and normalization on them, then the IDS/IPS is simply useless. I won't even start with the evasion topic.

    Quote Originally Posted by JamesHenderson:
    But in those cases where it is a benefit, it's a huge benefit.
    But in those cases where you don't see it, 'cause there's no log nor action, you don't really know if you're safe or in the land of false negatives. Just like AV. And in all environments where there's nobody who could dive into discerning false negatives, it's better to simply have NAT and not click on e-mail attachments. For instance: when the FG60E detected fake DNS egress traffic, how come a rogue process like that could be installed on and running on an internal system?
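    docfuz's point above, letting a protocol through only when it is what it says it is, as an added example that is not code from this thread or from Untangle: a minimal structural check for UDP/53 payloads that flags non-DNS data (the "traffic masking itself on Port 53" case). The sample payloads are constructed.

```python
import struct

# Constructed sample UDP/53 payloads (not captures from this thread): a genuine
# A query, an HTTP request smuggled over port 53, and a runt packet.
SAMPLES = {
    "real_query": (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"),
    "http_on_53": b"GET /beacon HTTP/1.1\r\nHost: tunnel.invalid\r\n\r\n",
    "runt": b"\x00\x01\x02",
}
VALID_OPCODES = {0, 1, 2, 4, 5}        # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_QCLASSES = {1, 3, 4, 254, 255}   # IN, CH, HS, NONE, ANY

def looks_like_dns(payload: bytes) -> tuple[bool, str]:
    """Return (ok, reason). A pass means 'plausibly DNS', not 'benign'."""
    if len(payload) < 12:
        return False, "shorter than the 12-byte DNS header"
    _id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in VALID_OPCODES:
        return False, f"unknown opcode {opcode}"
    if qd == 0 or qd > 8:
        return False, f"implausible QDCOUNT {qd}"
    pos = 12
    for _ in range(qd):
        name_len = 0
        while True:                    # walk the labels up to the root label
            if pos >= len(payload):
                return False, "qname runs past end of packet"
            length = payload[pos]
            if length == 0:
                pos += 1
                break
            if length & 0xC0 or length > 63:   # no compression pointers in a query
                return False, f"bad label length byte 0x{length:02x}"
            pos += 1 + length
            name_len += 1 + length
            if name_len > 255:
                return False, "qname longer than 255 octets"
        if pos + 4 > len(payload):
            return False, "question truncated before QTYPE/QCLASS"
        _qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
        if qclass not in VALID_QCLASSES:
            return False, f"unknown QCLASS {qclass}"
        pos += 4
    return True, "header and question section well-formed"

def audit(samples=SAMPLES) -> dict:
    """Map each sample name to its verdict; the False entries are what you alert on."""
    return {name: looks_like_dns(data)[0] for name, data in samples.items()}
```

    A packet that fails this check is a candidate for a log entry or a block rule; a packet that passes has only the right shape and still deserves the usual rate and destination checks.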

  4. #24 Untangler (Join Date Feb 2017, Posts 56)

    Quote Originally Posted by docfuz:
    But in those cases where you don't see it, cause there's no log nor action, you don't really know if you're safe or in the land of false negatives. Just like AV. And in all environments where there's nobody that could dive into discerning false negatives, it's better to simply have NAT and not to click on e-mail attachments. For instance: when the FG60E detected fake DNS egress traffic, how comes a rogue process like that could be installed onto and running on an internal system?
    Because in the world we currently live in, and with the very advanced threats we're facing, it's a possibility that should be addressed. With the continued leak of state-sponsored malware/tools, the escalating sophistication of attacks and the compromised update channels, relying on NAT to protect you is reckless, and SPI is pretty much obsolete.

    Even today, not having WIPS/WIDS or Rogue AP Detection/Suppression is getting reckless and won't get you some compliance if you need it. PCI DSS is one example where you won't pass compliance without WIDS+RAP. Wireless intrusion is becoming a pretty severe problem and a growing attack surface. Untangle doesn't support this, but really needs to.

    When a local client browsing gets hit with an XSS vuln, without IPS how are you going to stop the vuln? Are you going to assume the endpoint protection has anti-exploit technology specifically for that application? (Most don't.) I'd be living a life of fear without IPS. I've seen it stop too much to think it's a placebo or an unnecessary feature. This is another area where I don't agree with the philosophy of Untangle, and I sort of check back a few times a year to see if they've evolved.

    Even Fortinet protected systems from Meltdown/Spectre via IPS a couple days after disclosure. That's pretty important, don't you think? Also I shiver to think of the amount of payload that would have come off of our managed networks without IPS, let alone the IPS notifying us of the issue. It's easy to say 'Don't click emails, only browse X websites, don't click advertisements, etc', but that's not the reality in which we live.

  5. #25 Untangle Junkie dmorris (Join Date Nov 2006, Location San Carlos, CA, Posts 17,747)

    Quote Originally Posted by JamesHenderson:
    Even Fortinet protected systems from Meltdown/Spectre via IPS a couple days after disclosure.
    This made me chuckle. It's also why it's not possible to have any data-driven honest discussion about IPS on the forums.

    Did they also add a signature for "FGTAbc11*xy+Qqz27"?
    Last edited by dmorris; 02-20-2018 at 02:22 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #26 Master Untangler (Join Date May 2010, Location Texas, USA, Posts 708)

    Quote Originally Posted by dmorris:
    Did they also add a signature for "FGTAbc11*xy+Qqz27"?

    That's just wrong. lol

  7. #27 Untangler (Join Date Feb 2017, Posts 56)

    Quote Originally Posted by dmorris:
    This made me chuckle. It's also why it's not possible to have any data-driven honest discussion about IPS on the forums.

    Did they also add a signature for "FGTAbc11*xy+Qqz27"?
    Speculative execution isn't a mystery, it has known parameters for IPS.
    https://fortiguard.com/encyclopedia/ips/45413

    I guess those Snort SIDs 45357-45368 are a joke too?

    Anyway, that DUHK was in very old, limited firmware revisions. It was added as a method to gain access for support tickets that couldn't be resolved with traditional methods. It's been replaced by maintainer, which requires physical access to the device and challenges. There wasn't any way to remotely exploit that DUHK unless the Fortinet was purposely configured incorrectly and security settings were degraded. SSH on WAN isn't ever an enabled-by-default option and would be ridiculously ignorant.

    execEvil() with Untangle was far more frightening, to be honest, and just as easily, if not more, exploitable. Glass houses, etc.

    So with that past us, I find Untangle's disregard for traditional, established, effective solutions like IPS to be a bit worrisome. But the responses I find a good bit childish and pretty odd. Honestly.
    Last edited by JamesHenderson; 02-20-2018 at 07:54 PM.

  8. #28 Untangle Junkie dmorris (Join Date Nov 2006, Location San Carlos, CA, Posts 17,747)

    Quote Originally Posted by JamesHenderson:
    Oh please, that DUHK was in very old, limited firmware revisions. It was added as a method to gain access for support tickets that couldn't be resolved with traditional methods. It's been replaced by maintainer, which requires physical access to the device and challenges. There wasn't any way to remotely exploit that DUHK unless the Fortinet was purposely configured incorrectly and security settings were degraded. SSH on WAN isn't ever an enabled-by-default option and would be ridiculously ignorant.

    execEvil() with Untangle was far more frightening, to be honest, and just as easily, if not more, exploitable. Glass houses, etc.

    So with that past us, I find Untangle's disregard for traditional, established, effective solutions like IPS to be a bit worrisome. I can't even imagine how a secured facility or one requiring compliance could even deploy an Untangle unit missing the key features of a UTM. I find the responses by Untangle to be childish at best. Do you guys even care to be taken seriously in the industry?
    We are data driven, not marketing/opinion driven. Hence the huge disagreements by many people who believe (and often resell and thrive on) the marketing nonsense from the industry. An industry that's still pretending that web traffic isn't SSL encrypted. Just wait until you see this year's magic quadrant and they discuss sandboxing extensively as if this is a relevant or important feature.
    Part of being open source is being accountable and transparent, and, to be frank, truthful.

    btw, execEvil() is still used extensively. There have been no security issues related to it.
    It's just a method to call exec(). "man 3 exec" for more info.
    If you know something we don't, like you can call this function without authenticating as an administrator first, please let us know. If you're talking about being able to launch commands as administrator when signed in as an administrator... we know. This is as designed.

    Different strokes for different folks. If you don't like Untangle and want to be fear marketed to, there are literally tons of options. We're the option for the other people, and one of the very few at that. We focus on things that actually matter, not FUD.

    Locking thread as this has devolved into another IPS discussion. I should not have commented.
    I just couldn't believe someone would claim something as silly as an IPS sig to stop meltdown/spectre. That doesn't even make any sense at all.
    Last edited by dmorris; 02-20-2018 at 08:42 PM.