
IP Reputation Checking?

Does Sophos XG do IP source address reputation scanning for all inbound traffic irrespective of port/proto?


I ask because my net is like this: inet NAT router <> Sophos XG in bridge mode <> Cujo in bridge mode <> rest of network

And the Cujo is blocking MANY inbound attempts that are probing my NAT'd ports based on IP reputation; I would expect the Cujo to see nothing and the XG to block these (given the price differential).

I see in the docs that XG does IP reputation scanning for SMTP/S - not sure if it does for anything else.

This is my inbound rule, in case someone can advise whether I forgot to turn something on.


Rule

Accept any service going to "LAN" zone, when in "WAN" zone, and coming from any network, scan for malware then check with Sandstorm and log connections, then apply IPS policies

Source & Schedule
WAN

Source Networks and Devices : Any
During Scheduled Time : All the Time

Destination & Services
LAN

Destination Networks : Any
Services : Any



  • Hi Alex,

    You are confusing UTM configuration and XG configuration. To design XG firewall rules you need to think differently: the "any" in the source zone is not the "any" in the destination zone.

    More than likely your attacks are getting through your incoming rule, try disabling it.

  • Alex,

    is right. Make sure you understand zones. Even in bridge mode, zones are still considered. You are using a general IPS policy which is not restricted. To protect web services, make sure to configure WAF where there are more than 250 protection features.

    Give us some logs and which attacks are not blocked (logs).

    Thanks

  • Thanks Luk

    I think I understand zones; I am relying on the fact they apply in a transparent bridge. I can see in the logs that the IPS is blocking some forms of traffic on multiple ports and traffic; HTTP is included in the standard scan whether or not a WAF is included.

    Given the Sophos WAF doesn't support websockets I have moved to nginx for the reverse proxy function; I still expect the XG to protect the HTTP and HTTPS streams using IPS, Sandstorm etc. irrespective of WAF.

    Things that are not blocked include things like this:

    These pass through the XG.

    Maybe my expectations are too high / wrong? Maybe the issue is I should have downloaded the UTM home edition instead?

    At this point the XG is offline. I discovered it was generating 2Mbps of downloads (and no, it wasn't a host on my network generating this traffic, it was the XG); I have yet to identify what it was doing. If I put it back online I will come back; if not, it means I gave up with XG Home and went with something else. And don't get me started on some of the weird ARP behaviour and IP assignment issues where the UI clearly shows what IP is bound to the bridge or the management interface but all evidence shows that the IPs are swapped (or rather ARP packets seem to be doing bad things). I am sure you think I have a basic config / user error issue - I assure you this box is doing VERY weird and inconsistent stuff, maybe it doesn't like my hardware config.... I do understand in quite some detail the low level mechanism of IP and ethernet and how packets get constructed and put on the wire, so please trust me when I ask you to stop assuming I am making high level mistakes (I accept I may be making mistakes but not simple ones :-) )

    Regards

    Alex

  • Don't see this as a personal attack, more a clarification of your post. What you are telling us (XG users) is that our networks are not secured by the XG, yet many XG sites pass PCI testing.

    I would suggest you let someone like Luk have access to your XG, he is a certified XG architect.

  • Hi Alex, 

    You are comparing an enterprise-grade solution with personal home protection.

    Bad IP reputation would cause numerous false positives, and this would not mean that your system will be infected. The XG would protect you from real-time threats; this would include malware attacks from a website if infected, and also mail communication.

    Our AV will scan the page for any malicious code and, if detected, it would be blocked. Now if there is a threat detected it will be blocked by our IPS policy, as your traffic would traverse from LAN to WAN. You may need only a LAN to WAN rule, as WAN to LAN is only needed if you wish to communicate from the outside zone to the internal network, which is not recommended unless you have an MPLS line configured as a WAN port.

    IP reputation is restricted to SMTP, and websites are not affected by bad reputation on XG. E.g. if a web server is infected that IP may be blacklisted, but that public address may have a web server which will be blocked by IP reputation even though it's not infected. This is considered a false positive. Another example would arise if the actual threat is detected but the IP address is not blacklisted; this would result in a false negative.

    The RBL would decide if the host address is blacklisted or not; if you check the mxtoolbox website you would also need to check the reason the host address is blacklisted.

    In XG, you would change the IPS policy and even create your own based on the signatures you wish to allow/deny, and even have a customized web filter and application control.

    If you wish to enable such an option as IP reputation then you may vote for a feature request. We would be happy if you would participate to improve our product as per your requirement.

    http://ideas.sophos.com/forums/17359-sophos-utm/suggestions/7114816-make-rbl-list-update-possible-via-pattern-update-o 
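The reply above describes the RBL mechanism (the list decides whether a source address is blacklisted, and the reason code matters because of false positives). The following is an added example, not Sophos code and not from this thread: it builds the reverse-octet (IPv4) and reverse-nibble (IPv6) DNSBL query name in the RFC 5782 style, interprets the 127.0.0.x answer codes, and treats anything outside 127/8 as a non-listing so a parked or wildcard zone cannot produce a bogus block. The zone name `dnsbl.example`, the return-code legend and the offline resolver table are all constructed placeholders; a real deployment would query an actual list with a DNS library and use that list's published code meanings.

```python
"""Constructed demo of how an RBL/DNSBL reputation lookup works (not Sophos code)."""
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed return-code legend; every real list publishes its own meanings,
# and the reason is what separates a policy listing from an infected host.
RETURN_CODE_REASONS: Dict[str, str] = {
    "127.0.0.2": "listed: spam source",
    "127.0.0.4": "listed: compromised host / open proxy",
    "127.0.0.10": "listed: dynamic/residential address space (policy, not infection)",
}

LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")  # RFC 5782 answer space


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNS name to query: reversed octets (IPv4) or reversed nibbles (IPv6) under the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        # Expand to all 32 hex digits, then reverse one nibble per label.
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".") + "."


def interpret_dnsbl_answer(answers: Optional[List[str]]) -> Dict[str, object]:
    """Turn A-record answers into a verdict; only answers inside 127/8 count as listings."""
    reasons: List[str] = []
    invalid: List[str] = []
    for answer in answers or []:
        if ipaddress.ip_address(answer) in LISTING_RANGE:
            reasons.append(RETURN_CODE_REASONS.get(answer, f"listed: unknown code {answer}"))
        else:
            # Not a listing: a parked zone, a wildcarded domain or a broken resolver.
            invalid.append(answer)
    return {"listed": bool(reasons), "reasons": reasons, "invalid": invalid}


Resolver = Callable[[str], Optional[List[str]]]  # name -> A records, or None for NXDOMAIN


def check_ip(ip: str, zone: str, resolve: Resolver) -> Dict[str, object]:
    """Full lookup: build the name, resolve it with the supplied resolver, interpret the answer."""
    name = dnsbl_query_name(ip, zone)
    verdict = interpret_dnsbl_answer(resolve(name))
    verdict["query"] = name
    return verdict


# Constructed offline "zone" standing in for a real DNS resolver (RFC 5737 test addresses).
FAKE_ZONE: Dict[str, List[str]] = {
    "10.2.0.192.dnsbl.example.": ["127.0.0.2"],      # real listing
    "20.2.0.192.dnsbl.example.": ["127.0.0.10"],     # policy listing: likely a false positive for a server
    "30.2.0.192.dnsbl.example.": ["203.0.113.9"],    # bogus answer, e.g. parked domain
}


def fake_resolver(name: str) -> Optional[List[str]]:
    """Offline stand-in for a DNS A lookup against the constructed zone."""
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for source in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "2001:db8::1"):
        print(source, check_ip(source, "dnsbl.example", fake_resolver))
```

Swapping `fake_resolver` for a function that performs a real A-record query against a list you are entitled to use is the only change needed to run this against live data; keeping the reason code alongside the verdict is what lets an operator tell a policy listing from an infected host before acting on it.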

  • Thanks Aditya, that's great context and confirms what I was seeing - i.e. nothing wrong with the rules. Also I guess you guys calling it 'XG Home' gave me some over-expectations. Remember I had never used Sophos or any UTM product before that.

    I was only using the Sophos as a tertiary form of protection, mainly for fun and to learn and to do reverse publishing (are you guys gonna support websockets?), and moved it to be secondary as a test; I will just move it back to being tertiary if I keep it.

    Now I need to figure out a) why the XG would have been downloading 2Mbps a second, b) why I don't see the 6GB of RAM and c) how to stop the DNS false positives. If I can figure that out I will keep it, if not I will nix it.

    Thanks for your help


    alex

  • I never said it wasn't secure; I was asking why it appeared to allow threats through that another device blocked, that's all. I got the runaround on 'my rules being wrong so my IPS wasn't working' when the answer was that my expectations were wrong, as Aditya nicely clarified that the feature I was expecting isn't there and in Sophos's view doesn't need to be there. There was nothing wrong with my rules or settings.

    So until Aditya's post no one was making sense to me. 

  • The only difference between a home licence (same software) and commercial licence is how much you can personalise it and IP licence count.

    The only difference between a home licence for XG is the amount of memory and CPU cores you can assign to it and no Sandstorm, which also applies to the UTM.