Page 6 of 6 FirstFirst ... 456
Results 51 to 56 of 56

Thread: IDPS Rules list

  1. #51
    Untangle Ninja YeOldeStonecat's Avatar
    Join Date
    Aug 2007
    Posts
    1,565

    Default

    Quote Originally Posted by jcoffin View Post
    Enabling all the IPS rules (Snort) will cause issues on any network. This is why there is no "select all" box. IPS is notorious for false positives. The recommended method is to review the logged events and block those which are positive results.

    Unless you have several port forwards or a DMZ interface, the value of IPS is minimal by definition.
    I don't believe many people want a "select all" box. However, many other professional firewalls have some profiles you can apply. Say.."Common Remote Desktop Services Attacks", or "Common IIS attacks". And various levels you can apply those with..aggressive (higher chance of FPs), medium, lower (less chance of FPs).

    Inbound for only hosted services (such as servers you're doing port forwarding to) is obvious. Not many people want to "enable all" for "ALL" in and out traffic.

    Seeing the alerts from logging of the IDS is...quite after the deed is done. By the time the IT gets the alert in the inbox, someone using a grinding tool against RDS already broke down that door. Sorta like having a fire alarm that notifies you after a napalm bomb took out your house, you drive home to see a smoldering pile of ashes. Alerting after someone broke in...how helpful is that? Having some pre-defined blocks of common attacks via a fairly updated list of those attacks (like many other firewall brands successfully do)...it's a nice thing to have. Actually have the ability to stop the attack.
    Last edited by YeOldeStonecat; 06-19-2018 at 06:12 PM.
    Resident "Geek on a Harley" in Southeast Connecticut, USA.
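    The profile idea YeOldeStonecat describes above (pre-defined groups of rules for "Common Remote Desktop Services Attacks" or "Common IIS attacks", with aggressive/medium/low sensitivity, applied only to inbound traffic for hosted services) can be expressed as a small rule-selection pass over a Snort-style rule file. The following is an added example written for this thread; it is not Untangle code or a Snort/Untangle API. It assumes Snort rule syntax with `classtype:` and `sid:` options, uses Snort's inline `drop` action to block and the default `alert` action to log only, and runs on a handful of constructed sample rules (the sids and messages are made up for illustration, not real signatures). The profile-to-classtype mapping is an assumption of this example, not a published standard.

```python
import re
from dataclasses import dataclass, replace as dc_replace

# Constructed sample rules (illustrative only; not real VRT/ET signatures).
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"RDP login attempt flood"; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS request with suspicious encoding"; classtype:web-application-attack; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound policy violation"; classtype:policy-violation; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Generic web scanner user-agent"; classtype:web-application-activity; sid:9000004; rev:1;)
"""

# Snort rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# Assumed profile -> classtype mapping. "low" blocks only high-confidence
# classes; "aggressive" also blocks noisy recon/activity classes (more FPs).
PROFILES = {
    "low": {"attempted-admin", "successful-admin", "shellcode-detect"},
    "medium": {"attempted-admin", "successful-admin", "shellcode-detect",
               "web-application-attack", "trojan-activity"},
    "aggressive": {"attempted-admin", "successful-admin", "shellcode-detect",
                   "web-application-attack", "trojan-activity",
                   "web-application-activity", "attempted-recon", "policy-violation"},
}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    opts: str
    sid: int
    classtype: str


def parse_rules(text):
    """Parse Snort-style rule lines; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        opts = m["opts"]
        sid = re.search(r"\bsid:\s*(\d+)", opts)
        ctype = re.search(r"\bclasstype:\s*([\w-]+)", opts)
        rules.append(Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                          m["dst"], m["dport"], opts,
                          int(sid.group(1)) if sid else 0,
                          ctype.group(1) if ctype else "unknown"))
    return rules


def is_inbound_to_published(rule, published_ports):
    """True only for rules aimed at $HOME_NET on a port you actually forward.
    Port lists and 'any' are left in log-only mode on purpose."""
    if rule.dst != "$HOME_NET":
        return False
    try:
        return int(rule.dport) in published_ports
    except ValueError:
        return False


def apply_profile(rules, profile, published_ports):
    """Promote matching rules from alert (log) to drop (block); leave the rest
    as alert so they still show up in the event log for review."""
    block_classes = PROFILES[profile]
    out = []
    for r in rules:
        if r.classtype in block_classes and is_inbound_to_published(r, published_ports):
            out.append(dc_replace(r, action="drop"))
        else:
            out.append(r)
    return out


def render(rule):
    """Emit the rule back in Snort syntax."""
    return (f"{rule.action} {rule.proto} {rule.src} {rule.sport} "
            f"{rule.direction} {rule.dst} {rule.dport} ({rule.opts})")


def summarize(rules):
    """sid -> action, convenient for a quick review before deploying."""
    return {r.sid: r.action for r in rules}


if __name__ == "__main__":
    # Only RDP and HTTP are forwarded in this constructed scenario.
    for r in apply_profile(parse_rules(SAMPLE_RULES), "medium", {3389, 80}):
        print(render(r))
```

With the "medium" profile and only ports 3389 and 80 published, the RDP and IIS rules become `drop` while the outbound policy rule and the noisy web-activity rule stay at `alert`; switching to "aggressive" also drops the web-activity rule, and removing 80 from the published set leaves the IIS rule log-only even under "aggressive". Reviewing the `summarize()` output before loading a generated file is the cheap safeguard against the "enable everything" mistake the thread warns about.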

  2. #52
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Default

    Quote Originally Posted by YeOldeStonecat View Post
    I don't believe many people want a "select all" box. However, many other professional firewalls have some profiles you can apply. Say.."Common Remote Desktop Services Attacks", or "Common IIS attacks". And various levels you can apply those with..aggressive (higher chance of FPs), medium, lower (less chance of FPs).

    Inbound for only hosted services (such as servers you're doing port forwarding to) is obvious. Not many people want to "enable all" for "ALL" in and out traffic.

    Seeing the alerts from logging of the IDS is...quite after the deed is done. By the time the IT gets the alert in the inbox, someone using a grinding tool against RDS already broke down that door. Sorta like having a fire alarm that notifies you after a napalm bomb took out your house, you drive home to see a smoldering pile of ashes. Alerting after someone broke in...how helpful is that? Having some pre-defined blocks of common attacks via a fairly updated list of those attacks (like many other firewall brands successfully do)...it's a nice thing to have. Actually have the ability to stop the attack.
    Yes, we are working on something like that; the problem is that if we give people who know what they are doing the ability to check rules in mass, then other people will use this ability to wildly misconfigure their settings. We've learned this lesson before, which is why we had to hide that ability in expert mode. Ultimately this is bad for everyone because they misconfigure their settings thinking they are doing good and then have a bad experience and end up having to uninstall.

    We're trying a new approach that will hopefully be a bit better and less likely to lead to a bad outcome.
    miles267, Kkorkky, yelped and 1 others like this.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #53
    Master Untangler
    Join Date
    Mar 2017
    Posts
    189

    Default

    Quote Originally Posted by dmorris View Post
    Yes, we are working on something like that; the problem is that if we give people who know what they are doing the ability to check rules in mass, then other people will use this ability to wildly misconfigure their settings. We've learned this lesson before, which is why we had to hide that ability in expert mode. Ultimately this is bad for everyone because they misconfigure their settings thinking they are doing good and then have a bad experience and end up having to uninstall.

    We're trying a new approach that will hopefully be a bit better and less likely to lead to a bad outcome.
    Great. To me it gets down to choices. So I like your statement.

    While I agree that they might do bad things with IPS configuration, point is people will do bad things even with the Firewall, Web Filter or Application Control. Not in the way of causing network misbehaviors maybe, but in the way of not achieving what they thought UT could do and at such, they might uninstall anyway.
    Happily untangling the average household: 20-25 active devices, 13 racks, each with 3 - 8 apps, OpenVPN 1 in, TunnelVPN 3 out, IPS on. Spice it up with VLANs and mix with tons of rules.

  4. #54
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,135

    Default

    Quote Originally Posted by docfuz View Post
    While I agree that they might do bad things with IPS configuration, point is people will do bad things even with the Firewall, Web Filter or Application Control. Not in the way of causing network misbehaviors maybe, but in the way of not achieving what they thought UT could do and at such, they might uninstall anyway.
    I agree. But in my experience (both personally and from reading here), anyone primarily in Untangle's IPS capability but that doesn't understand it is more likely to get in an inscrutable jam with that app than with any of the other apps (save possibly the ad blocker, because that can cause weird website behavior). And the easiest way to get out of an inscrutable jam is to bail.

    So the choice you speak of is really just two in number. The end user is solely responsible for correctly using the IPS app, or Untangle as a company assumes some (or all) responsibility for the correct use of the IPS app. And I don't think that set of choices offers anything simple or magic. Ultimately the end user is responsible for the function of the app from a local security standpoint, something also true of all the other Untangle apps and configuration options. An admin who suffers an exploit can't blame Untangle under either choice, but under the second option she could blame Untangle for network funnies. It's a difficult road. All IMHO, of course.

  5. #55
    Untangler
    Join Date
    Feb 2018
    Posts
    79

    Default

    Quote Originally Posted by dmorris View Post
    Yes, we are working on something like that; the problem is that if we give people who know what they are doing the ability to check rules in mass, then other people will use this ability to wildly misconfigure their settings. We've learned this lesson before, which is why we had to hide that ability in expert mode. Ultimately this is bad for everyone because they misconfigure their settings thinking they are doing good and then have a bad experience and end up having to uninstall.

    We're trying a new approach that will hopefully be a bit better and less likely to lead to a bad outcome.
    That sounds great. This is one area where I find Untangle to be at a disadvantage compared to the competition. When is the targeted release date for this? 3 months? Six months?

  6. #56
    Master Untangler
    Join Date
    Mar 2017
    Posts
    189

    Default

    Quote Originally Posted by Sam Graf View Post
    It's a difficult road. All IMHO, of course.
    Agreed. In fact most other vendors, who are evidently much bigger, probably simply ignore post-fact whining, hiding behind tons of disclaimers, and they probably don't care about uninstalls. Let's see what the UT team can come up with. Fill the configuration pages with tons of disclaimers anyway.
    Sam Graf likes this.
    Happily untangling the average household: 20-25 active devices, 13 racks, each with 3 - 8 apps, OpenVPN 1 in, TunnelVPN 3 out, IPS on. Spice it up with VLANs and mix with tons of rules.
