Originally Posted by
YeOldeStonecat
What would be helpful is some "profiles" which could be applied to IPS.
IMO, IDS/IPS isn't really necessary until you get to a business type network where you host servers behind Untangle and you have ports open and forwarded for services such as SMTP, Remote Web Workplace portal, TSGateway or RDS, etc etc.
It would be nice to have some canned, pre-defined categories to load some auto block rules for say...exploits against Remote Web Workplace/Essentials portals, or a profile that includes attacks against TSGateway/RDS (and vanilla terminal server) exploits. (yes I know just slam the door shut on port 3389..yes all of my clients are, just giving examples).
A good portion of Untangle's clients are "SMB" sized clients. Networks of 25 to 200 maybe 300 users. I'd wager to say >50% of Untangle's clients are in that category. We have....oh I dunno, 50-60 clients on Untangle, and >75% of those are networks under 50 users.
These are clients that cannot afford to hire full-time IT staff. And they can't pay one of us SMB IT consultant guys the money required to sit in front of their Untangle admin and sift through the reports in that much detail. Not everyone has enough time, or budget, to sit there and sift through IDS reports and determine what is valid and what should be blocked from that point forward (well after the attack happened BTW...so...too late!)
Yes, ideally, someone is paid to sit in a chair and read IDS logs and determine course of action. BUT...in the meantime, many other firewall brands out there have IPS systems with pre-loaded block rules by default...they've been out there for years. Heck even years before I discovered and started reselling Untangle back in the version 5 days, years before that I played with PFSense a lot..and it had a canned Snort plugin that was ready to rock 'n roll out of the block and block. Many other UTM brands also. And they work, I've seen their reports.
Speaking of PFSense, Ubiquiti's latest Unifi controller release added IDS ...AND...IPS..to their security gateways. (bonus points to anyone who knows why I said "speaking of pfsense" and then went on to the Ubiq Unifi product). :)