Page 2 of 2 FirstFirst 12
Results 11 to 13 of 13
  1. #11
    Master Untangler
    Join Date
    Mar 2017
    Location
    France, Paris
    Posts
    113

    Default

    i understand why it's not blocking anything by default. I hear your point.
    But, what i don't understand....if you log Something, it means it already happens, so it's too late when it's logged. no ?

    maybe a set of basic rules should be blocked by default (like office exploit, excel, word, and some Windows exploit). It's a start. and i think it's even a better way to understand how ips works and take a look at the logs.

    i'm a home user so please forgive me for my complete ignorance....:-) (also i'm not English, so i hope i don't misunderstood some points)

    So you Sky-knight, you don't use the ips ? even for your clients ?

  2. #12
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    472

    Default

    Quote Originally Posted by doudoufr View Post
    But, what i don't understand....if you log Something, it means it already happens, so it's too late when it's logged. no ?
    Too late for prevention by the IPS system, yes, if you're relying solely on the IPS app. The point is, the IPS logs give you early warning that something may be going on. The logs are invaluable.

    The catch is that for us home users, the logs are full of detections that are not a sign of intrusion, successful or attempted. Things that are actually worrisome are a small minority of the log contents. It's often not the rule only that matters, but also the nature of the traffic. And the IPS app does not care about the nature of the traffic, where it's coming from and going to. It just looks for rule violations regardless of the nature of the traffic.

    And in the case of an attack actually directed at your home system, the IPS app isn't going to save you from anything much. I feel like the IPS app helps detect or prevent drive-by stuff. That's its value, I think, helping you keep your system under the radar.

    Anyway, the problem with basic default blocks comes in, in my opinion as a home user, because the vast majority of detections do not represent anything malicious. Default blocks are far more likely to break something than to actually prevent something. Far more likely. That's not a good learning environment, in my opinion, because the cause of the breakage isn't obvious. It's back to understanding the logs, not just clicking this or that.

    You and I are home users only in a general sense. We are Untangle users first and foremost. Untangle isn't a trivial suite of tools. Just because we choose to use it in our homes doesn't mean anything, really. Untangle is what it is. The professional and the home user are faced with the same product. The only difference between me and a professional is that I'm going to look stupid in public far more often, and I'm going to have to work a lot harder at using my security tool of choice.

    I even bought a thin but expensive book on Snort just to try to grasp the basics of how the IPS app works. Figuring out how to use such a complex tool from the ground up is really my responsibility. I'd be suspicious of an IPS App for Dummies, to be honest.
    Last edited by Sam Graf; 02-15-2018 at 08:15 AM. Reason: I can't type
    Spiral likes this.

  3. #13
    Untangler
    Join Date
    Feb 2017
    Posts
    56

    Default

    Quote Originally Posted by johnsonx42 View Post
    The general wisdom is that IPS does nothing in a home environment unless you're hosting publicly accessible services
    Who made this rule up?

    I could tell you stories over the last few months where my Fortigate 60E with full IPS stopped egress of sensitive data on my network. One time a program was masking data traversal over port 53 that would have totally bypassed Untangle. Or how a subjugated AV product was sending out telemetry/spying over a lesser used (and IPS flagged) SMB port. How is a UTM like Untangle supposed to prevent XSS attacks if IPS is turned off?

    I agree, for a 'home' it might not be a stellar addition, but unless Untangle is totally focused on the Home/SOHO market it should still have an evolving/improving IPS or it won't be taken seriously in the UTM marketplace. Many of us run non-Untangle devices too, and know the value of a good, updated, effective IPS. For example Fortinet protects against Meltdown/Spectre exploitation which is already in the wild. How would that be accomplished on Untangle?

    https://fortiguard.com/encyclopedia/ips/45413

    I'm not here to promote Fortigate, I am here to caution about ignoring or neglecting the value of an IPS because I want to see Untangle grow.
    ccollinscj likes this.

Page 2 of 2 FirstFirst 12

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

SEO by vBSEO 3.6.0 PL2