Guidelines for using Pre-defined IPS policies

I'm wondering how the modifiable IPS policies relate to the non-modifiable policies and what the recommendations are for using them. The first six seem clear enough (DMZ TO LAN, LAN TO WAN, etc.), assuming you have these standard zones set up, and I assume the policies have been written to perform security according to average traffic patterns between these zones.

However there is not much in the way of description or documentation for the other pre-defined policies: "generalpolicy", "lantowan strict policy", "lantowan general policy", and "dmzpolicy". What is the "general" policy? How do the "lantowan" policies compare to the basic "LAN to WAN" policy? And is the "dmzpolicy" like a "DMZ TO ANY" or something else? I'm assuming the lantowan "strict" simply looks for more signatures than the "general", but I'm wondering which of these is equivalent or closer to "LAN TO WAN" or what the other differences might be.

Also what is the recommendation for troubleshooting and tweaking IPS behavior with respect to false positives? I'm most concerned with LAN-WAN traffic, which is almost exclusively initiated by LAN users, and so I assume the various lan-to-wan policies are the appropriate policies to use. However they seem to overperform by causing legitimate traffic to be prohibited and users to receive HTTP errors. I notice this especially when communicating with servers in Amazon EC2. Is the solution to try using a modifiable lan-to-wan policy, monitor the IPS log for false positives, and then tweak the policy to disable those signature checks? Do the logs report sufficiently verbose information to do this kind of tuning?
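The tuning loop described in the question (run an editable lan-to-wan policy, watch the IPS log, then disable only the signatures that keep dropping traffic to destinations you know are legitimate) as an added Python example; it is not from this thread or from Sophos, and the key=value log layout, field names, SIDs and network ranges are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample IPS log lines in a simplified key=value layout (an assumption for
# this example, not Sophos XG's real log format); each line is one IPS verdict.
SAMPLE_IPS_LOG = """\
ts=2016-03-01T09:12:01 action=drop sid=1003 policy=lantowan_general src=10.0.0.15 dst=203.0.113.30 dport=443 msg="HTTP header anomaly"
ts=2016-03-01T09:12:05 action=drop sid=1003 policy=lantowan_general src=10.0.0.22 dst=203.0.113.31 dport=443 msg="HTTP header anomaly"
ts=2016-03-01T09:13:10 action=drop sid=1003 policy=lantowan_general src=10.0.0.15 dst=203.0.113.30 dport=80 msg="HTTP header anomaly"
ts=2016-03-01T09:14:44 action=drop sid=2077 policy=lantowan_general src=10.0.0.40 dst=192.0.2.9 dport=80 msg="Exploit kit landing page"
ts=2016-03-01T09:15:02 action=allow sid=1003 policy=lantowan_general src=10.0.0.15 dst=203.0.113.30 dport=443 msg="HTTP header anomaly"
ts=2016-03-01T09:16:30 action=drop sid=1003 policy=lantowan_general src=10.0.0.15 dst=198.51.100.7 dport=80 msg="HTTP header anomaly"
"""

# Constructed stand-in for destination networks known to be legitimate (e.g. the EC2
# hosts your LAN users talk to); replace with your own ranges.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict (quotes stripped from values)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_trusted(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def false_positive_candidates(log_text, trusted_nets, min_drops=2, min_share=0.75):
    """Per-signature drop counts for SIDs whose drops land mostly on trusted
    destinations: those are the ones worth reviewing (and possibly disabling in
    an editable policy), as opposed to SIDs that only fire on unknown hosts."""
    stats = defaultdict(lambda: {"drops": 0, "trusted": 0, "policies": set(), "msg": ""})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "drop":      # allowed/logged-only events are not noise
            continue
        s = stats[ev["sid"]]
        s["drops"] += 1
        s["policies"].add(ev["policy"])
        s["msg"] = ev.get("msg", "")
        if is_trusted(ev["dst"], trusted_nets):
            s["trusted"] += 1
    out = [{"sid": sid, "drops": s["drops"], "trusted_drops": s["trusted"],
            "policies": sorted(s["policies"]), "msg": s["msg"]}
           for sid, s in stats.items()
           if s["trusted"] >= min_drops and s["trusted"] / s["drops"] >= min_share]
    return sorted(out, key=lambda c: -c["trusted_drops"])
```

On the constructed sample, only sid 1003 is reported (three of its four drops hit the trusted range), while sid 2077, which fired once on an unknown host, stays enabled.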
  • Hi BrianCarp,

    I believe you have all the reasons for the confusion about how the editable policies (7 to 10) relate to the non-editable first 6 policies.

    I tried going through the signature sets of the last 4 to look for how they relate to or differ from the first 6, but with no luck.

    Please give me some time. I'll get in touch with the concerned people to have a comprehensive answer here. Rest assured - the documentation will definitely be updated accordingly.

    Regards,

    Dhiren  

  • Thanks for posting this, you have pretty much mirrored my own thoughts and questions about all this.

  • It will be beneficial to get an answer. We are new to the Sophos family and I am having a hard time understanding how to enable IPS properly. It is different from SonicWALL.

  • Any updates on this?  I would like to know the correct way to use the IPS on this as well.

  • I looked at my IPS rules last night for the first time. When I created my firewall policies initially, I used the standard IPS profiles, matching the to->from zone names to use the appropriate filter.

    So then I started thinking about all those rules. My first step last night was to create new IPS policies for each type of business policy (read: port forwarding) in place, based on what port was open to the internet. For my SSH business rule, I added any rules related to SSH. For the rule that exposes my internal Apache web server, I only took the Apache rules. Basically, create a new policy for each business rule that exposes ports to the internet; then, when you add rules, use the search (you need to hit "Select Individual Signature" to get the search box open) to find rules that apply to your ports. You can also use the filters on the right to help find what you need. For instance, do you have WebAdmin exposed? Then search for webadmin, and you will find there is a rule that you can add to your policy.

    For the outgoing traffic, I only added IPS policies to rules that originate from users.  I didn't bother with rules that allow my servers to go to the internet since there is a low chance they will have issues.  For the users I simply used the default LAN to WAN policy.

    If you do that basic step, you will streamline your IPS policies. As best I can tell, there are 2900 server rules and 4577 client rules. You don't need to run all those rules on a firewall rule if that rule only exposes one specific service.

  • SonicWALL! I have an old SonicWALL and I am trying to migrate to the XG. Did you run into trouble with layer 3 routing policies?

  • Unknown said:
    Hi BrianCarp,

    I believe you have all the reasons for the confusion about how the editable policies (7 to 10) relate to the non-editable first 6 policies.

    I tried going through the signature sets of the last 4 to look for how they relate to or differ from the first 6, but with no luck.

    Please give me some time. I'll get in touch with the concerned people to have a comprehensive answer here. Rest assured - the documentation will definitely be updated accordingly.

    Regards,

    Dhiren  

    Any updates on this? I am also curious what the difference is between all the pre-defined IPS policies.

  • The GUI isn't easy; it took me a number of attempts to un-select the Microsoft Cabinet file names from the IPS policy "System files", which was affecting Windows updates.

    I found that if you search for the name and the SID and use the column filters, you can un-select the policy without disturbing anything else. I suggest just un-selecting the option and then saving it ASAP. The reason being that scrolling through all 7000+ policies at 50 rows a shot is not easy to work with; I also noticed that if you select the check box to select all, not all are selected.

    My 2 cents worth.

    Feature request: a more intuitive GUI for managing IPS policies.

    Still need to check if all are selected..