Page 2 of 6 (results 11 to 20 of 56)

Thread: IDPS Rules list

  1. #11
    Untangler
    Join Date
    Feb 2018
    Posts
    79

    Default

    One time of it blocking an attack is not worth the time invested?

  2. #12
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,135

    Default

    Sure. But NAT is a reasonably reliable defense for networks with no publicly exposed services. So that's a relevant factor in the conversation. I have no idea what percentage of Untangle deployments protects public services, so I'd only be guessing at how big a factor.

    And just because IPS might be worth the time invested doesn't mean the time is actually invested. I get the impression that some Untangle users think of the IPS app as a silver bullet that just works. Untangle should come with a default set of blocks that won't break anything but will offer robust protection. In other words, it should be a reliable shield with a minimum of user effort even in the short term.

  3. #13
    Untangler
    Join Date
    Feb 2018
    Posts
    79

    Default

    Quote Originally Posted by Sam Graf
    Sure. But NAT is a reasonably reliable defense for networks with no publicly exposed services. So that's a relevant factor in the conversation. I have no idea what percentage of Untangle deployments protects public services, so I'd only be guessing at how big a factor.
    NAT is NOT a network defense. Period.

    Quote Originally Posted by Sam Graf
    And just because IPS might be worth the time invested doesn't mean the time is actually invested. I get the impression that some Untangle users think of the IPS app as a silver bullet that just works. Untangle should come with a default set of blocks that won't break anything but will offer robust protection. In other words, it should be a reliable shield with a minimum of user effort even in the short term.
    Not every rule should be enabled, but there should be a set of no-brainer rules enabled. If it breaks some traffic, let the end user tweak it.

  4. #14
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,135

    Default

    Well, I wasn't looking for an argument. I was trying to explain the rationale that I've seen here. You're welcome to argue for default blocks and all that, but that's not something I'm interested in.

    Good luck.

  5. #15
    Untangler
    Join Date
    Feb 2018
    Posts
    79

    Default

    True. This comment wasn't really directed to you....

  6. #16
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    712

    Default

    Quote Originally Posted by yelped
    NAT is NOT a network defense. Period.
    Disagree, and by the definition of what 'defense' means, I know I'm right. You could maybe say it isn't a very effective defense (I would argue about that too, though).

    Quote Originally Posted by yelped
    Not every rule should be enabled, but there should be a set of no-brainer rules enabled. If it breaks some traffic, let the end user tweak it.
    Disagree. If they are 'no brainer' (which they are NOT if they break traffic) then enable them yourself. It should be easy since they are 'no brainers', right? Share the list with others if you want to encourage helping those less smart/less time.

  7. #17
    Master Untangler
    Join Date
    Oct 2017
    Posts
    161

    Default

    Quote Originally Posted by JasonJoel
    Share the list with others if you want to encourage helping those less smart/less time.
    Wow Jason! Less smart is a little harsh for people like me trying to learn something new. If you came into my field of expertise I wouldn’t say you were not smart for not knowing products needed to build a road or highway.

  8. #18
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    712

    Default

    My point wasn't that you were more/less smart, necessarily, so that was probably poor word choice (sorry about that). Rather, if there is a magic list of 'no brainers' that aren't obvious to others, then it should be shared.

    There is no doubt that the community could put together a list of low risk items that could be turned on in the vast majority of scenarios. There are some threads like that in various Snort forums, in fact. While I don't personally think that's super useful, I certainly wouldn't discourage others doing it.

    In the end, a community supported list may get enough traction for Untangle to use the list by default, or make it an easily loadable option for end users.

    The hard part is that each additional rule adds some amount of overhead, too. So even if a list of 500 items that are safe and prudent exists, it still doesn't apply to all environments nor can all systems handle the overhead.

    In a perfect world I think there would be lists by function - if you host a web server, use this list. If you host remote access servers, use this list.

    But it takes time and expertise to do that.
    Last edited by JasonJoel; 03-23-2018 at 05:35 AM.

  9. #19
    Master Untangler
    Join Date
    Oct 2017
    Posts
    161

    Default

    No worries Jason. I agree that maybe a small list of essential type rules could help people like me know which rules should be engaged. I get flags all the time. But if you take the time to look, you can see that it is a device trying to communicate most of the time. I get flags all the time from my Yamaha MusicCast enabled devices communicating.

  10. #20
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,135

    Default

    I think too it's perfectly legitimate to look at this predefined block list matter from the Untangle support point of view. If canned IPS block lists cost Untangle something in support time, then the business incentive to make even a community-provided offering is reduced. I think we see that even in the recommendations over the app itself: "No, you don't need this (in part because if you have to ask if you need this, using it can't reliably end well for anybody)."

    I am, of course, putting words into people's mouths there. I've never heard anybody say that.
