Page 1 of 2
Results 1 to 10 of 13
  1. #1
    Master Untangler
    Join Date
    Jun 2015
    Posts
    106

    Default IPS Best Practices for NGFW Home User?

    Hi - I'm running NGFW 13.2 in a home environment. Installed IPS with the default settings from the setup wizard. Also, after some period of time, I've pulled the report of IPS traffic LOGGED and exported it to CSV.

    From there, I've BLOCKED all the specific SIDs listed in the log. Most were PORTSCAN type "attacks." Haven't noticed any network functionality that has been negatively impacted by these measures.

    Are there any other rules or perhaps entire categories that others suggest enabling from the start? It's quite a tedious process to select individual rules. Moved from Sophos UTM, where I was able to go into a "tree" of system types and enable entire rule sets in an organized manner (Web Server, SQL server, SMTP server, NNTP server, etc.).

    Thank you.

  2. #2
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,015

    Default

    The general wisdom is that IPS does nothing in a home environment unless you're hosting publicly accessible services

  3. #3
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    642

    Default

    I completely agree with that conventional wisdom. IPS doesn't do much of anything if the traffic coming through it was initiated on the internal network to begin with, which is typical in home environments.

  4. #4
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,015

    Default

    Actually, I'd shorten that to just "IPS doesn't do much of anything."

  5. #5
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    22,631

    Default

    Best IPS practice for home users is to not use IPS. You don't need it at home, it just doesn't do anything worthwhile there.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Untangle Ninja
    Join Date
    Jan 2009
    Posts
    1,089

    Default

    Quote Originally Posted by johnsonx42
    Actually, I'd shorten that to just "IPS doesn't do much of anything."
    It completes a checkbox.

  7. #7
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,015

    Default

    Quote Originally Posted by fasttech
    It completes a checkbox.
    Yes, but it's rather disappointing when you decide to use it for something it's actually supposed to do, and then find out it doesn't work.

  8. #8
    Master Untangler
    Join Date
    Mar 2017
    Location
    France, Paris
    Posts
    114

    Default

    More and more of us have a server, a NAS, a personal cloud, etc. at home.

    It would be great to have a detailed explanation about IPS for home users (advanced users maybe) and what we should block or not.

    I mean, we have a firewall, but what's the point if all the protections are off by default? It's the opposite of the goal / aim of a firewall...!!

  9. #9
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    557

    Default

    Quote Originally Posted by doudoufr
    I mean, we have a firewall, but what's the point if all the protections are off by default? It's the opposite of the goal / aim of a firewall...!!
    It's not exactly true that all the IPS protections are off by default. The default logging is invaluable in deciding what to block and what to leave alone. Blocking is a very hands-on, intentional process, and without the log it would be virtually an impossible task.

  10. #10
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    22,631

    Default

    Quote Originally Posted by doudoufr
    More and more of us have a server, a NAS, a personal cloud, etc. at home.

    It would be great to have a detailed explanation about IPS for home users (advanced users maybe) and what we should block or not.

    I mean, we have a firewall, but what's the point if all the protections are off by default? It's the opposite of the goal / aim of a firewall...!!
    A firewall is a layer 3 control.

    Untangle is a layer 7 system; firewalls are a joke. If you locked it down to everything except the ports required for general internet use, everything would just work, because most malicious traffic is on TCP 443 these days.

    But even if you deploy the IPS, it only really works when it's looking at traffic bridging through Untangle and hitting a public address on a server behind it.

    AND even in ideal conditions IPS/IDS is a huge time sink to keep tuned. That's why there are no guidelines; the guidance is not to have it block anything, and to use it to monitor and flag activity you find suspicious. It's an investigative tool, not a barrier. Toss in NAT, and things get even harder, as half the rules no longer work.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
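The triage step described in post #1 (export the IPS log to CSV, look at which SIDs fired, decide what to block) and post #9's point that the log is what turns blocking into an intentional process, as an added example that is not part of this thread and not Untangle's own tooling. It also classifies every hit by direction, which is the distinction posts #3 and #10 draw between LAN-initiated traffic and traffic from the Internet reaching a server behind the NGFW. The CSV column names, the HOME_NET range, the SIDs, the addresses and the messages are all assumptions constructed for the example; match the column names to the header row of your own export.

```python
"""Triage an IPS log export into a ranked block list.

Added example, not part of the forum thread and not Untangle's own tooling.
Assumptions: the export is a CSV with the column names used in the header
below (match them to your own export's header row), and HOME_NET is the
LAN behind the NGFW.
"""
import csv
import io
import ipaddress

# Assumption: the home LAN sitting behind the NGFW. Adjust to your network.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample export: the SIDs (local-rule range), addresses (RFC 5737
# documentation ranges) and messages are made up for this example.
SAMPLE_CSV = """\
timestamp,sid,classification,msg,source_addr,source_port,dest_addr,dest_port,blocked
2019-05-01 10:00:01,1000001,Attempted Information Leak,PORTSCAN TCP Portsweep,198.51.100.7,54321,192.168.1.10,22,false
2019-05-01 10:00:05,1000001,Attempted Information Leak,PORTSCAN TCP Portsweep,198.51.100.7,54322,192.168.1.10,23,false
2019-05-01 10:02:11,1000001,Attempted Information Leak,PORTSCAN TCP Portsweep,203.0.113.44,40000,192.168.1.10,3389,false
2019-05-01 11:15:00,1000002,Misc activity,POLICY Cloud sync client check-in,192.168.1.20,50123,203.0.113.9,443,false
2019-05-01 11:15:30,1000002,Misc activity,POLICY Cloud sync client check-in,192.168.1.20,50124,203.0.113.9,443,false
2019-05-01 12:40:12,1000003,Web Application Attack,WEB_SERVER suspicious request to NAS,198.51.100.80,61000,192.168.1.10,443,true
"""


def in_home_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def direction(event):
    """inbound = from the Internet to a LAN host; outbound = LAN-initiated."""
    src_home = in_home_net(event["source_addr"])
    dst_home = in_home_net(event["dest_addr"])
    if dst_home and not src_home:
        return "inbound"
    if src_home and not dst_home:
        return "outbound"
    return "internal" if src_home else "transit"


def parse_events(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def summarize(events):
    """Aggregate events per SID: hit counts by direction, distinct sources,
    and how many hits the IPS had already blocked."""
    summary = {}
    for ev in events:
        sid = int(ev["sid"])
        entry = summary.setdefault(sid, {
            "msg": ev["msg"], "classification": ev["classification"],
            "total": 0, "inbound": 0, "outbound": 0,
            "sources": set(), "already_blocked": 0,
        })
        entry["total"] += 1
        d = direction(ev)
        if d in ("inbound", "outbound"):
            entry[d] += 1
        entry["sources"].add(ev["source_addr"])
        if ev["blocked"].strip().lower() == "true":
            entry["already_blocked"] += 1
    return summary


def block_candidates(summary):
    """Split SIDs into two lists: those whose hits were all inbound from the
    Internet (where a block is least likely to break something the household
    relies on), ranked by inbound hits, and those with LAN-initiated hits,
    which deserve a look before blocking."""
    block = [s for s, e in summary.items() if e["inbound"] == e["total"]]
    review = [s for s in summary if s not in block]
    block.sort(key=lambda s: -summary[s]["inbound"])
    return block, sorted(review)


def report(csv_text):
    summary = summarize(parse_events(csv_text))
    block, review = block_candidates(summary)
    lines = ["SID      hits inbound outbound sources blocked  msg"]
    for sid in block + review:
        e = summary[sid]
        lines.append(f"{sid:<8} {e['total']:>4} {e['inbound']:>7} {e['outbound']:>8} "
                     f"{len(e['sources']):>7} {e['already_blocked']:>7}  {e['msg']}")
    lines.append(f"candidates to block: {block}")
    lines.append(f"review before blocking (LAN-initiated hits): {review}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CSV))
```

Run it against your own export by reading the file into `report()`; the point of the direction column is that a SID which only ever fires on LAN-initiated connections (the cloud-sync rule in the sample) is usually something a household device does on purpose, so it goes on the review list rather than straight onto the block list.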

