
Thread: IDPS Rules list

  1. #41
    Master Untangler
    Join Date
    Mar 2017
    Location
    France, Paris
    Posts
    141


    In fact, what would be good is:

    As a home user, with a NAS and a server, I would like to know what I need to block or watch.
    Because right now I'm seeing some logs about the IPS in the reports, but I do not understand them.

    jcoffin says that the reports are a great tool, but... as it is (for the IPS, I mean), it is... not very useful. I don't understand what it is.
    As I said in my previous post, regexes are not very "user friendly".
    So for now I have services open to the internet (because I need to), but I'm not very well protected, I think. And that's the whole point of having a firewall...!
    This part (IPS) could be simplified and made easier to use (for those who want it!).

    Also, don't get me wrong. I'm a home user, and sometimes I may be rude or something, but it is because English is not my mother tongue (French heeere!). So I'm trying to understand and answer the best I can. So please forgive me.
    Also, I don't have all the IT skills that you have, you IT professionals.

  2. #42
    Master Untangler
    Join Date
    Mar 2017
    Posts
    189


    Sam Graf, I see you. I have made the same statement I don't know how many times. As it is right now, an IPS is much more prone to a false sense of security than other UTM applications/configurations. And that's because in users' minds it should actively Prevent Intrusions as a System by itself, almost without configuration and supervision. The only other piece of security that does things like that is the antivirus.

    Evading that is explained in tons of documents. Evading IDS/IPS had its time in the nineties, but engines haven't changed that much. What I presume YeOldeStonecat is saying is that it simply might be just another layer on the plate. Of course it should be backed up by a very large disclaimer. And of course, like AV, its rules are usually present after outbursts.
    Happily untangling the average household: 20-25 active devices, 13 racks, each with 3 - 8 apps, OpenVPN 1 in, TunnelVPN 3 out, IPS on. Spice it up with VLANs and mix with tons of rules.

  3. #43
    Untangler
    Join Date
    Feb 2018
    Posts
    79


    Quote Originally Posted by docfuz View Post
    And of course, like AV, its rules are usually present after outbursts.
    So why walk away from providing security to those who weren't hit yet? All I see here is concerns about a false sense of security. I don't see how that concern overrides providing a service that actually does prevent some attacks.

  4. #44
    Master Untangler
    Join Date
    Mar 2017
    Posts
    189


    Quote Originally Posted by yelped View Post
    So why walk away from providing security to those who weren't hit yet? All I see here is concerns about a false sense of security. I don't see how that concern overrides providing a service that actually does prevent some attacks.
    Foreword: I didn't say anything like that. If you think I did, I may have mis-worded it. Moreover, as I said, I use IPS on my UT at home! But I did say that I like tcpdump output as a screensaver as well.

    I'm only saying IPSs are honestly overrated, and I'm saying it from an attacker's point of view. For instance, IF people didn't click on attachments, real-time AV monitoring would probably be useless today. Most (from a theoretical point of view, every) IPS rules are based on signatures, which are useless if a system is patched, hardened and built with sound coding practices.

    And even for dynamic vulnerabilities, let's take, for example, web-based ones like XSS and SQLi, it's just a chess match between signatures and evasion through mutations. I'm not saying that you don't need it. I'm saying its usefulness compared with, in UT for instance, Web Filter, Application Control and SSL Inspector is very low IMHO, but your mileage may vary.

    So ironically, it is most useful where systems are not patched, applications are not securely coded and there is no security guy/team. But then, eventual false positives and negatives will be far worse because systems are not patched, applications are not securely coded and there is no security guy/team.

    But then again, and you can check my other posts around here, I already said it could be useful and interesting to have sets of rules as suggested by YeOldeStonecat, with disclaimers and updates and interface/user specifications and the like.

    But if the discussion is about the UT core team, its marketing stand on IPS and its roadmap about it, I don't really say a thing.

  5. #45
    Master Untangler
    Join Date
    Mar 2017
    Posts
    189


    Moreover, I am interested in some attack scenarios you think an IPS would protect from, because every example I have heard in this forum (in past threads) can be satisfied with other apps/approaches.

  6. #46
    Untangle Ninja YeOldeStonecat's Avatar
    Join Date
    Aug 2007
    Posts
    1,565


    Quote Originally Posted by docfuz View Post
    YeOldeStonecat, we agree on the relative usefulness of a basic service set (not the basic something-for-anything set that's mostly discussed here), but then again, when we speak about well-established rules, the signatures have reached that degree of maturity with time, and almost always there are patches for the same problems we ought to solve with an IPS. I choose patches.

    But, in some cases patches are not available, I agree. Let's say.... vertical web applications. So, some IPS rules for SQL injection might be appropriate. But then again, it depends on the client. Untangle client, I mean. And for the organizations with wits and money (not the home clients) is this kind of IPS really interesting compared to endpoint IPS (e.g. modsecurity) or WAFs that interact with the web platform they're protecting knowing pages and modules and connectors and .....?

    I agree with you on this example and client identikit; I'm just not sure it's UT clients we're speaking of. But they - the UT team - know if it fits, and maybe they'll fine-tune the IPS app as well.
    Patches are of course strongly recommended and of course part of a layered approach in one's "best practices" bag of tricks. But as you likely know... Microsoft can be slow with their patches. Or perhaps a vulnerability will not be addressed until the next operating system release.

    Many other vendors have very nice IPS systems. Again... we (our little company) are all "Untangle" first. However, we happen to manage many clients with other firewalls in place (until we can convince them to replace them with Untangle), and I get to see those IPS systems first hand.

    Sonicwall and Meraki both have very good IPS systems: flip it on and choose from three levels of protection. Constantly updated also... so it always has the latest rulesets/definitions. So when new attacks come out, similar to antivirus software, shortly after discovery the security software gets the definition update to recognize it. And to be honest... many of the hacking tools remain in use for a very long time. Those black market "kits" that are available for purchase on the market. So while you said above that, as with AV software, "rules are present AFTER outbursts"... the actual virus, or attack, will remain quite popular and active out there for many, many months.

    Granted... you pay extra for that IPS feature, but... it's important.

    Many other firewalls have various ways of auto-implementing IPS... some do it poorly (I'm not a fan of how Fortinet does it), some handle it very well (overall I strongly dislike Sonicwalls... but one of the few things I think SWs do well is IPS).

    IMO some IPS is better than no IPS.
    Resident "Geek on a Harley" in Southeast Connecticut, USA.

  7. #47
    Untangle Ninja YeOldeStonecat's Avatar
    Join Date
    Aug 2007
    Posts
    1,565


    Quote Originally Posted by docfuz View Post
    Moreover I am interested in some attacks scenarios you think IPS would protect from, because any example I heard in this forum (in past threads) can be satisfied with other apps/approaches.
    I have Untangle's "IDS" notify me when it senses something happening. As an example... back when I used to have regular Terminal Servers out there at clients (not TS Gateway, but old-fashioned terminal servers)... I'd frequently get emails from Untangle's IDS about some attack happening. When I'd see a few of those attacks stack up coming from the same IP address, I'd check out that IP... and put a block in the firewall rules for incoming traffic from that IP. Sometimes that would take a few hours or a day or three to get to. That was back then. I know some of today's hacking tools to bust into terminal servers... if it took me 3 minutes to log into my client's Untangle and set a block rule... it would be too late; that terminal server would be ransomed and the hacker would have injected a new user in ADUC and have access to the network.

  8. #48
    Untanglit
    Join Date
    Mar 2017
    Posts
    24


    I've been tuning IDS/IPS signatures for a very long time and find this 'feature' on Untangle is hardly usable and serves no purpose, as it only logs. Signature content by other vendors will sometimes be defined as High, Medium, Low, Information, etc., but Untangle marks them by the threat name/type, which is fine, with the EXCEPTION that you can't tune them because the interface is clunky. You should be able to select 'all' in a category and block some obvious ones, but having to click through thousands of them and manually mark them is an administrative nightmare. I certainly hope that, sooner rather than later, the IPS/IDS interface, logging and tuning get to be easier.
    Last edited by RobG303; 05-17-2018 at 10:10 AM.

  9. #49
    Newbie
    Join Date
    May 2018
    Posts
    9


    I'm relatively new to Untangle, but not to security. I would like to see a number of improvements in this IPS space, as this appears to be the weakest link in the software suite. The first improvement, which would likely solve the immediate requirements of most people on this forum, would be a more robust filtering mechanism on the IPS list, similar to what's available in the reporting views; coupling this feature with a "select all" box on the search results would allow people to elegantly and quickly perform bulk changes. Seems like a no-brainer and not a significant code-change investment. I for one am getting carpal tunnel syndrome from this IPS user interface alone!

    Down the line, other improvements like being able to define multiple IPS policies and subsequently being able to apply them to other application rules, or to groups of network devices, would be a powerful feature. Imagine an IPS policy for workstations which would include most IPS rules in block mode, but a more selective policy for server/infrastructure assets (or vice versa). Lastly, the ability to tie an IPS policy to another application rule could permit different policies per asset class and traffic direction! Of course this would likely be a significant re-architecture/refactoring of the Untangle firewall solution, but it would be awesome.

  10. #50
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,714


    Enabling all the IPS rules (Snort) will cause issues on any network. This is why there is no "select all" box. IPS is notorious for false positives. The recommended method is to review the logged events and block those which are true positives.

    Unless you have several port forwards or a DMZ interface, the value of IPS is minimal by definition.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
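
jcoffin's recommended method above (review the logged events, then block the true positives) and the workflow YeOldeStonecat describes in #47 (alerts from one external IP stacking up, then a block rule for that IP) both come down to aggregating IDS alerts per source address and per signature before deciding anything. The following Python script is an added example, not code from this thread or from Untangle: it parses constructed Snort-style "fast" alert lines, lists external sources whose alert count crosses a threshold as block candidates, and summarises each signature by hit count and number of distinct sources so that a rule firing from many unrelated sources at low priority stands out as a tuning candidate rather than an attack. The LAN range, the local-rule sids, the messages and the threshold are all assumptions; Untangle's own log format is not reproduced here.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample alerts in Snort "fast" alert style. The sids are in the
# local-rule range (1000000+) and the messages are invented for this example;
# nothing here is Untangle's own log output.
SAMPLE_ALERTS = """\
05/17-10:01:02.000000  [**] [1:1000001:1] LOCAL SCAN repeated SSH connection attempts [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44123 -> 192.0.2.10:22
05/17-10:01:09.000000  [**] [1:1000001:1] LOCAL SCAN repeated SSH connection attempts [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44124 -> 192.0.2.10:22
05/17-10:02:15.000000  [**] [1:1000002:1] LOCAL POLICY inbound RDP from untrusted network [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:50001 -> 192.0.2.10:3389
05/17-10:03:44.000000  [**] [1:1000003:1] LOCAL INFO outbound HTTP user-agent check [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.0.2.10:51234 -> 198.51.100.4:80
05/17-10:05:01.000000  [**] [1:1000001:1] LOCAL SCAN repeated SSH connection attempts [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:40000 -> 192.0.2.10:22
05/17-10:06:30.000000  [**] [1:1000001:1] LOCAL SCAN repeated SSH connection attempts [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44125 -> 192.0.2.10:22
not an alert line; the parser must skip it rather than crash
"""

# Assumed LAN range (constructed); alerts whose source is inside it are
# outbound and are not block candidates on the WAN side.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; malformed lines are dropped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sid"] = int(rec["sid"])
        rec["prio"] = int(rec["prio"])
        alerts.append(rec)
    return alerts


def is_local(ip):
    """True when the address falls inside one of the assumed LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def block_candidates(alerts, threshold=3):
    """External sources with at least `threshold` alerts, most active first."""
    hits = Counter(a["src"] for a in alerts if not is_local(a["src"]))
    return sorted(((ip, n) for ip, n in hits.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


def signature_summary(alerts):
    """Per-sid hit count and distinct-source count, to decide block vs. tune."""
    acc = defaultdict(lambda: {"msg": "", "count": 0, "sources": set(), "prio": None})
    for a in alerts:
        s = acc[a["sid"]]
        s["msg"] = a["msg"]
        s["count"] += 1
        s["sources"].add(a["src"])
        s["prio"] = a["prio"]
    return {sid: {"msg": s["msg"], "count": s["count"],
                  "sources": len(s["sources"]), "prio": s["prio"]}
            for sid, s in acc.items()}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for ip, n in block_candidates(alerts):
        print(f"block candidate {ip}: {n} alerts")
    for sid, s in sorted(signature_summary(alerts).items()):
        print(f"sid {sid} prio {s['prio']} x{s['count']} "
              f"from {s['sources']} source(s): {s['msg']}")
```

With the constructed input, 203.0.113.7 crosses the threshold and is the only block candidate; the single-hit scanner at 198.51.100.9 does not. The per-signature view is what the "review the logged events" step needs: a sid that fires constantly from many distinct sources at priority 3 is more likely a noisy rule to disable than an attack to block, while a sid that fires repeatedly from one external source is the case where a block rule makes sense.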
