IDPS Rules list

Quote:

---

Originally Posted by YeOldeStonecat

What would be helpful is some "profiles" which could be applied to IPS.

IMO, IDS/IPS isn't really necessary until you get to a business type network where you host servers behind Untangle and you have ports open and forwarded for services such as SMTP, Remote Web Workplace portal, TSGateway or RDS, etc etc.

It would be nice to have some canned, pre-defined categories to load some auto block rules for say...exploits against Remote Web Workplace/Essentials portals, or a profile that includes attacks against TSGateway/RDS (and vanilla terminal server) exploits. (yes I know just slam the door shut on port 3389..yes all of my clients are, just giving examples).

A good portion of Untangles clients are "SMB" sized clients. Networks of 25 to 200 maybe 300 users. I'd wager to say >50% of Untangles clients are in that category. We have....oh I dunno, 50-60 clients on Untangle, and >75% of those are networks under 50 users.

These are clients that cannot afford to hire full time IT staff. And they can't pay one of us SMB IT consultant guys the money required to sit in front of their Untangle admin and sift through the reports in that much details. Not everyone has enough time, or budget, to sit there and sift through IDS reports and determine what is valid and what should be blocked from that point forward (well after the attack happened BTW...so...too late!)

Yes, ideally, someone is paid to sit in a chair and read IDS logs and determine course of action. BUT...in the mean time, many other firewall brands out there have IPS systems with pre-loaded block rules by default...they've been out there for years. Heck even years before I discovered and started reselling Untangle back in the version 5 days, years before that I played with PFSense a lot..and it had a canned Snort plugin that was ready to rock 'n roll out of the block and block. Many other UTM brands also. And they work, I've seen their reports.

Speaking of PFSense, Ubiquiti's latest Unifi controller release added IDS ...AND...IPS..to their security gateways. (bonus points to anyone who knows why I said "speaking of pfsense" and then went onto the Ubiq Unifi product). :)

---

Thank you very much. Finally someone with knowledge of what's out there on the marketplace. Also, to say that security people don't use IDPS is flat out wrong and absurd.

Quote:

---

Originally Posted by YeOldeStonecat

Yes, ideally, someone is paid to sit in a chair and read IDS logs and determine course of action. BUT...in the mean time, many other firewall brands out there have IPS systems with pre-loaded block rules by default...they've been out there for years. Heck even years before I discovered and started reselling Untangle back in the version 5 days, years before that I played with PFSense a lot..and it had a canned Snort plugin that was ready to rock 'n roll out of the block and block. Many other UTM brands also. And they work, I've seen their reports.

---

Just to be sure I understand you right, you're saying that an unmanaged IPS with an initial default set of rules is good long term--or rather, that the vendor is responsible to manage the user's IPS block rules long term? That from the end user point of view, it ought to be install and forget?

I'm not saying that's a bad idea, but I spent decades of my life volunteering for organizations like you've described because of the risks that accompany the notion of set-it-and-forget-it security. So I follow your point well, but we'll have to disagree on the solution in the case of IPS at least. And that's independent of the product, just to be clear.

Quote:

---

Originally Posted by JasonJoel

In terms of blocking external access to known bad actors/block list hosts, systems like pfSense can do that fairly easily but that isn't something I've ever done on Untangle. That isn't really IPS, though, it is really more a firewall rule equivalent that they use the snort engine to do more easily.

---

So you would say that Snort rules designed for that purpose are more of a concession to how people like me use IPS? I'm genuinely interested in what you think here.

Quote:

---

Originally Posted by doudoufr

Jcoffin, at your home, you should have a server, or a nas, or a device connected to the internet right ? Aren't you using IPS at home ?

---

I have several servers yet there is no publicly open ports. Incoming is IPsec or OpenVPN only. I do not use IPS. The most valuable tool is reports by far. There is so much insight into your traffic in there.

My favorite line about Snort (IPS); "Snort rules must be developed carefully. This is necessary to reduce the number of false alarms of information generated and to reduce the amount of information logged."

As in every other thread on IPS I saw since registering on this forum, things are getting muddy again and apples and oranges are again starting to whirl into a witchy dance :D

There are different points of view to consider:

1) UT should do this as all others do. Well, it could be, but I bet the core team knows what they want to do marketing wise. And I pretty suspect that they know who their clients are :rolleyes: without us reminding them.

2) When Fortigate 60 was shipped internationally, I was asked to configure and deploy two hundreds of them across my country for a government agency. They wanted IPS, they used one of those "pre-canned basic sets" everybody keeps talking about. Well, in under a month they asked other consultants to completely disable them because if these pre-canned sets are not backed up (and daily updated) by the vendor, the false positives that kill sessions will overwhelm even the most dedicated fanboy. Let's say the basic set does something like Untangle shield does. As soon a legit nmap to scan for SSH daemons in a class B starts, it will be throttled or killed. But hey, it's part of the pre-canned set that discovers compromised systems going egress :cool:

3) In most homes, SOHO and small SMBs, what is really necessary it's an egress IPS with up-to-date signatures that can block malware from spreading and compromised systems to call home, just for giving two examples. But without interface and tagging and usernames (and all other UT goodies) it's not simply a matter of pre-canned basic sets. Moreover: UT is an edge system, it wouldn't stop a ransomware you installed by clicking on an attachment, it won't stop it from moving from one PC to the file server, and if a compromised system goes HTTPS to Japan, it won't do a thing. You don't want an IPS. You want tens of them around your network, you want NAC with port security and dynamic VLANs, you really want something else. At that point, the necessary effort usually makes those solutions a bad choice for SMBs comparing to risk management, backup and disaster recovery procedures and solutions.

4) I don't want to see exotic names, I simply want "Protect Linux" and "Protect Windows". What? If you take a look at the categories, you'll see there is no such thing and you know what? It's like that because IPS are not packet filters, we're looking at the wrong angle if we're basing our assumptions on that scenario. I'd choose pre-canned firewall rule sets on IPS rule sets that might kill my session without me understanding what it's really doing. If on the contrary I really begin to breath security, I will understand what categories are and where to put IPS nodes in my network. Having said that, the names and descriptions could be translated. Does it make business sense for UT to do that? I don't know, I don't work with them.

Am I a security guy? Alas.
Do I use IPS on my UT at home? Yes.
Do I agree with all the apples and oranges around here? Hmmm, let me think about that for a second :cool:

Quote:

---

Originally Posted by YeOldeStonecat

These are clients that cannot afford to hire full time IT staff. And they can't pay one of us SMB IT consultant guys the money required to sit in front of their Untangle admin and sift through the reports in that much details. Not everyone has enough time, or budget, to sit there and sift through IDS reports and determine what is valid and what should be blocked from that point forward (well after the attack happened BTW...so...too late!)

---

Those are exactly the clients I would not recommend an IPS to. I know at the same time they are exactly the clients who would love to have a click-and-install one :D and marketing wise it has got some sense, too.

But as you stated they've got no resources to build up their set of rules, they cannot fine tune. You're right. That also means they've got no resources at all to comply with and adapt to false positives and undiscriminated killing of sessions.

Hell, I love looking at IPS logs, but I love sometimes to have real time tcpdump flow as a screensaver. Right now my UT untangle which I tried to limit to only the categories I'm interested in, has given me almost 2900 useless logs out of 2953 log entries. Why useless? TCP scans from the Internet against closed ports on my UT WAN. The other 53 are false positives in the sense that the rule is completely out of context on the real session going on. If those 53 had blocked instead of logged I would have had problems. If I hadn't the resources to adapt and correct, I would have had worse problems.

I like UT and pfSense because the core teams seem to really grasp many security concepts the majority of the security vendors do not. Well, I believe they do, too, they just want to sell products anyway. Probably if there was no money in the world, SOHO and SMBs would not have IPS installed :D

Quote:

---

Originally Posted by Sam Graf

Just to be sure I understand you right, you're saying that an unmanaged IPS with an initial default set of rules is good long term--or rather, that the vendor is responsible to manage the user's IPS block rules long term? That from the end user point of view, it ought to be install and forget?

Well, without resulting to f'ing annoying and condescending bold letter types...

I'm not saying that's a bad idea, but I spent decades of my life volunteering for organizations like you've described because of the risks that accompany the notion of set-it-and-forget-it security. So I follow your point well, but we'll have to disagree on the solution in the case of IPS at least. And that's independent of the product, just to be clear.

---

Nothing wrong with a basic set of default block rules by category. For example...say you have a web server, or a terminal server, and have done the port forwards for those. Putting up a set of basic rules that will auto block well known attacks...there's nothing wrong with that, many other brand appliances do that and do it well. With well known, well documented rules loaded...there really isn't false positives to cause problems. Seen it done nicely by other brands, seen the weekly reports, their IPS steps in and does the job.

In a dream world every client would have staff that VPNs in thus no port forwarding required. BUT..we (well..SOME of us) live in reality, and have to deal with clients that have networks which involve making some services available to the wild side via port forwards, so the more layers I can stack on, geo blocking and other ACLs...and ideally..even sprinkle on some basic IPS rules..it would be nice. I like doing that with other brand UTMs...Untangle is my favorite UTM for all the other things it does and we're big resellers since going back to version 5...we have a LOT of Untangle units out there in use at clients. So...this isn't my first day on the job, nor first decade on the job, nor first double decade on the job. I'm about 25 years in the IT world, serving SMB networks since the dial up days.
This is the one module I wish was implemented a bit better, after getting a taste for how nicely other brand UTMs have done it. Sorry if it makes some fanbois all butt hurt, but to be honest I've probably still a bigger Untangle fanboi than 99% of the others here and I've brought at lot of other Untangle resellers to the table.

Just loading a basic set of rules that block well known attacks isn't a bad thing. It's another layer of defense. Some of you should see how other firewalls do it, stick a terminal server out there and a week later see how many attempted grinding attacks are automatically stopped. And that itself isn't a bad thing. And again...I've done that and NOT had people screaming to disable that brands IPS due to problems. Well established rules work fine. I'm not saying to blindly and nilly willy go and load every single rule...obviously being that careless WOULD lead to tons of F/Ps.

Quote:

---

Originally Posted by docfuz

But as you stated they've got no resources to build up their set of rules, they cannot fine tune. You're right. That also means they've got no resources at all to comply with and adapt to false positives and undiscriminated killing of sessions.

---

Soo...on all the other UTM products I've installed with a decent IPS system, where I loaded a basic set of rules to protect an exposed service, I've NOT had problems with tons of F/Ps. Perhaps there may be a brand or more UTM that poorly does IPS...and loading ALL the rules might lead to problems. But I'm not talking about that.

My use of IPS would be loading rules of attacks/recons specific to a service I had port forwarded to. I think that point is always being missed here..I'm not talking about loading up all the rules on any Untangle install. I'm talking about specific categories of well known "safe" rules (not aggressive rules) to protect certain types of services (such as SMTP, HTTP, HTTPS, RDP, TSGateway, etc.). I'm not talking about for home users, I don't give a rats behind about home setups, or even small office setups with no hosted services behind them. Only talking about when you have servers on a biz network, setup with port forwarding, IMO that's the only time I employ IPS (or wish to employ it).

YeOldeStonecat, we agree on the relative usefulness of a basic service set (not the basic something-for-anything set it's mostly discussed here) but then again, when we speak about well established rules, the signatures have come to that degree of matureness with time and almost always there are patches for the same problems we ought to solve with an IPS. I choose patches.

But, in some cases patches are not available, I agree. Let's say.... vertical web applications. So, some IPS rules for SQL injection might be appropriate. But then again, it depends on the client. Untangle client, I mean. And for the organizations with wits and money (not the home clients) is this kind of IPS really interesting compared to endpoint IPS (e.g. modsecurity) or WAFs that interact with the web platform they're protecting knowing pages and modules and connectors and .....?

I agree with you on this example and client identikit, I'm just not sure it's UT clients we're speaking. But they - UT team - know if it fits and maybe they'll fine tune the IPS app as well :cool:

Quote:

---

Originally Posted by YeOldeStonecat

Nothing wrong with a basic set of default block rules by category. For example...say you have a web server, or a terminal server, and have done the port forwards for those. Putting up a set of basic rules that will auto block well known attacks...there's nothing wrong with that, many other brand appliances do that and do it well. With well known, well documented rules loaded...there really isn't false positives to cause problems. Seen it done nicely by other brands, seen the weekly reports, their IPS steps in and does the job.

In a dream world every client would have staff…

---

This is where I bow out of this conversation, then. In a nightmare world, organizations with no money and no qualified staff are actually running unsupervised web servers and heaven knows what else behind unsupervised (or vendor supervised) security systems using canned configurations. In my opinion, that puts themselves and others at measurable risk. And who is responsible when something bad happens? Unless the argument actually is that security is that easily implemented.

If Untangle decide to provide default IPS rules or rule sets, I have no problem with that. I was never opposed to the idea if it can be done well and as a starting point only. But this discussion has devolved, in my opinion, to applauding long term reliance on default rules or rule sets because that's being done successfully by other vendors, etc. Except that false positives are not being entirely eliminated so have to be dealt with by somebody, and a false sense of security is possible and even potentially enabled in organizations unwilling to invest in security beyond buying the hardware and/or paying their subscription as an operational priority. I'm not interested in encouraging that, even as a home user.

Perhaps that's just my ignorance showing. Those that are smart enough to see the wisdom in this approach can carry on the discussion just fine without me. :cool: