IDPS Rules list

I hear everyone's input here, but I think that you're looking at it from the wrong perspective. IDPS is part of the paid licensing package from Untangle. As such, the end users should be demanding from Untangle to step up their game and provide a (somewhat) functioning out-of-the box/moderate configuration-needed IDPS. We shouldn't be making excuses for Untangle why they can't provide a basic rule set because it would add to their support costs, the same way we shouldn't make excuses for SonicWall, FireEye, and Palo Alto Networks. If their customers demand it, then the company should provide it or lose those customers to other companies who do provide it.

I don't think that this is such an outlandish idea.

I don't entirely disagree with your point, but I think there is a meaningful difference between making excuses for Untangle versus trying to understand and respect any validity to their point of view. To make the argument that any defense of their point of view in this case necessarily amounts to making excuses begs the question. It necessarily assumes only one interpretation of or solution to the very things we're discussing.

That's all I have to say about that. :)

IPS inspectors are just doing regex matching on packets. As packet patterns are not 100% identical for the same type of traffic, therefore need human review. Unless you have public Internet services on your internal network, it's highly unlikely IPS will ever detect a real threat.

True, but I still think that this is something that should be provided with the product. It can be disabled by default as it is now, but there should be a choice of low risk, minimum baseline set of rules, and a medium risk set of rules, with the caveat clearly spelled out on that page that care should be taken to ensure that the rules are effective and tweaks may be necessary to ensure legitimate traffic gets through.

Quote:

---

Originally Posted by jcoffin

IPS inspectors are just doing regex matching on packets. As packet patterns are not 100% identical for the same type of traffic, therefore need human review. Unless you have public Internet services on your internal network, it's highly unlikely IPS will ever detect a real threat.

---

I'm sorry, I may be stupid but I don;t understand what you are saying. Why shouldn't an IDPS be effective if its rules blocks someone from NK from accessing my internal devices?

Quote:

---

Originally Posted by yelped

True, but I still think that this is something that should be provided with the product. It can be disabled by default as it is now, but there should be a choice of low risk, minimum baseline set of rules, and a medium risk set of rules, with the caveat clearly spelled out on that page that care should be taken to ensure that the rules are effective and tweaks may be necessary to ensure legitimate traffic gets through.

---

Note: following isn't technical. It's business.
Most people won't follow disclaimer notes since they don't read disclaimers. When was the last time you fully read a pharmaceutical product's pamphlet before using it? You get the point. So, when packets will be blocked and sessions interrupted, people will start yelling at support. It's better to ship it in logging mode only.

I agree, though, that simply stating in the forums that people won't probably need IPS altogether is probably stretching the concept a little bit :cool:

Moreover, it would really be cool to have the same level of rule manipulation and building we get with the other UT apps: set interfaces, timings, things like these. As it is right now, it's a bit underpowered.

I'm one of those in the forums telling people that IPS is over-rated. The main problem is that most UT users would probably need an Egress Snort only. And it's not very clear how to set it up with the current app interface.

Quote:

---

Originally Posted by yelped

I'm sorry, I may be stupid but I don;t understand what you are saying. Why shouldn't an IDPS be effective if its rules blocks someone from NK from accessing my internal devices?

---

The default configuration is the best general case. If you are using NAT, packets are not coming in unless requested. Firewall app can block countries in a simple rule.

Again the usefulness of IPS in most home / SMB environments is limited. But it's up to you to configure Untangle as you see fit.

But in home environments nowadays we all have devices connected to the internet, such as a nas, a server, a IOT devices etc....

i understand that we should configure IPS as we want but...."ET DROP Dshield Block Listed" or "PSNG_TCP_FILTERED_DECOY_PORTSCAN" or "ET CNC Shadowserver Reported CnC Server Port 54321 Group 1" or any Other rules are not very....well....understandable.

It will be much more easy if we have rules like "protect Windows server "protect linux server" "protect against malware" etc....and the specific regex will be checked accordingly.

Now, even if i see in my reports some matching events....i don't even know what it is.
For home user, it will be so much easier.

Jcoffin, at your home, you should have a server, or a nas, or a device connected to the internet right ? Aren't you using IPS at home ?

What would be helpful is some "profiles" which could be applied to IPS.

IMO, IDS/IPS isn't really necessary until you get to a business type network where you host servers behind Untangle and you have ports open and forwarded for services such as SMTP, Remote Web Workplace portal, TSGateway or RDS, etc etc.

It would be nice to have some canned, pre-defined categories to load some auto block rules for say...exploits against Remote Web Workplace/Essentials portals, or a profile that includes attacks against TSGateway/RDS (and vanilla terminal server) exploits. (yes I know just slam the door shut on port 3389..yes all of my clients are, just giving examples).

A good portion of Untangles clients are "SMB" sized clients. Networks of 25 to 200 maybe 300 users. I'd wager to say >50% of Untangles clients are in that category. We have....oh I dunno, 50-60 clients on Untangle, and >75% of those are networks under 50 users.

These are clients that cannot afford to hire full time IT staff. And they can't pay one of us SMB IT consultant guys the money required to sit in front of their Untangle admin and sift through the reports in that much details. Not everyone has enough time, or budget, to sit there and sift through IDS reports and determine what is valid and what should be blocked from that point forward (well after the attack happened BTW...so...too late!)

Yes, ideally, someone is paid to sit in a chair and read IDS logs and determine course of action. BUT...in the mean time, many other firewall brands out there have IPS systems with pre-loaded block rules by default...they've been out there for years. Heck even years before I discovered and started reselling Untangle back in the version 5 days, years before that I played with PFSense a lot..and it had a canned Snort plugin that was ready to rock 'n roll out of the block and block. Many other UTM brands also. And they work, I've seen their reports.

Speaking of PFSense, Ubiquiti's latest Unifi controller release added IDS ...AND...IPS..to their security gateways. (bonus points to anyone who knows why I said "speaking of pfsense" and then went onto the Ubiq Unifi product). :)

Quote:

---

Originally Posted by doudoufr

Jcoffin, at your home, you should have a server, or a nas, or a device connected to the internet right ? Aren't you using IPS at home ?

---

I am not him, but the typical answer to that question is NO.

IPS, in general, are configured for INBOUND traffic, not OUTBOUND. For the INbound case, it is only useful if you have port forwards coming in / are hosting services on your network that you need to access remotely. Most home users do not have that type of remote access configured.

Now, if you want to do OUTbound IPS, that does exist on some systems - but there is no defined set of rules as internal devices talk a plethora of protocols. On top of that, many of them use encrypted traffic outbound with no capability to inspect (no way to load a cert to allow inspection on most IoT devices).

In terms of blocking external access to known bad actors/block list hosts, systems like pfSense can do that fairly easily but that isn't something I've ever done on Untangle. That isn't really IPS, though, it is really more a firewall rule equivalent that they use the snort engine to do more easily.