IPS exception on LAN. Good or dangerous?

Hi All,

After months (if not even years) of struggling with a poorly performing wifi and numerous attempts to solve the problem (new AP, new cables, new switches) I finally found out that my problem was IPS being turned on on the LAN side.

Before, I got wifi speeds fluctuating between 9 and 25 Mbps; now with IPS set off I reach the actual 65 Mbps I am getting from my provider. My wired connection is also more stable (before, it also had moments at 35 Mbps and other moments at 55 or 60).

So I created this exception in IPS:

My questions:

1. Is it a dangerous setup and, if yes, how strongly would you recommend not using it (e.g. high or low risk, dangers involved)?

2. Isn't it perhaps enough that the WAN side is covered by IPS? Why should I also do the LAN?

Keep in mind that for the first time in years I am very happy about the speed :) . To answer a possible suggestion upfront: no, making an exception only for the AP is not helping + the wired connection improved too. It is really the whole LAN segment.

Thank you in advance for your opinions / solutions!

Edward



This thread was automatically locked due to age.
  • Salut Edward and welcome to the UTM Community!

    I think you can solve the speed issue in a better, safer way, but we don't know anything about your setup.

    1. If this is a Sophos hardware UTM, which appliance do you have?  If it's your own hardware what CPU and RAM do you have?
    2. How many devices are active behind your UTM?
    3. What blocking were you seeing in the Intrusion Prevention log?
    4. How are you measuring the speed?

    That's enough to start with.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • HI Bob,

    Thank you for you answer.

    1. Own hardware -> Intel Core i3 6006U - 8GB RAM - 120GB SSD - 6x1000Mbps LAN cards (of which only 3 in use. In general it is definitely overpowered for the use I make of it)

    2. Less than 50 but close to that (occasionally the "50 ip's limit mail" comes to bother me ;) )

    3. To tell the truth I didn't check any logs... at that moment I was just trying the 1000th suggestion I found somewhere on a forum and it seemed to do the trick immediately. Unfortunately I don't recall the thread as it was not a main topic but something said between the lines of another issue.

    4. Speedtest.net

    But, correct me if I am wrong, what is filtering within LAN-to-LAN communications good for? I would think, in a relatively simple setup, that as long as we monitor and filter the WAN, all that lies behind it is safe.

    Greets

    Ed

  • Good info, Ed.

    1. That's only a dual-core at 2 GHz, but it should be adequate for your 65 Mbps connection.  I suspect that you have an anti-UDP flooding problem and that the rest of the Exceptions have no effect.
    2. Should have worded my question differently.  How many computers do serious downloads simultaneously?
    3. As I implied in 1, I think you'll find that the Intrusion Prevention log will tell you specifically what Exception you need.
    4. The tool used by Intrusion Prevention is Snort.  Snort is single-threaded, so total throughput would need to be measured with speedtest.net running simultaneously on two different computers.  Still, 2 GHz should do 65 Mbps with a single thread.

    See #2 in Rulz (last updated 2020-11-12).  Your Exception eliminates most of the protection offered by Snort.  What if one of your internal devices gets an infection and becomes part of a botnet?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
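Bob's advice that the Intrusion Prevention log tells you which specific Exception you need can be followed with a small script. The example below is added here and is not Bob's, Sophos's or the UTM's own code: it assumes the log uses UTM's key="value" line style with the fields id, sub, name, action, srcip and dstip (the exact IPS field set is an assumption), and the sample lines are constructed for illustration, not output captured from an appliance. It tallies IPS events by what fired and which internal host caused them, so that an Exception can be scoped to one host and one check (for example anti-UDP flooding for a single streaming box) instead of switching Intrusion Prevention off for the whole LAN segment.

```python
"""Summarize Sophos-UTM-style IPS log lines so an Exception can be scoped to
the host that actually triggers it rather than to the whole LAN.

The field names (id, sub, name, action, srcip, dstip, proto, srcport, dstport)
follow the key="value" convention UTM uses in its logs; the exact IPS log
field set and the sample events below are assumptions constructed for this
example, not output captured from a real appliance.
"""
import re
from collections import Counter

# Constructed sample: four anti-UDP-flooding drops caused by one streaming
# box, one signature drop from another host, and one non-IPS packetfilter
# line that must be ignored.
SAMPLE_LOG = """\
2020:11:12-10:01:05 utm snort[2345]: id="2103" severity="warn" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" srcip="192.168.1.50" dstip="192.168.1.1" proto="17" srcport="51000" dstport="53"
2020:11:12-10:01:06 utm snort[2345]: id="2103" severity="warn" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" srcip="192.168.1.50" dstip="192.168.1.1" proto="17" srcport="51001" dstport="53"
2020:11:12-10:01:07 utm snort[2345]: id="2103" severity="warn" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" srcip="192.168.1.50" dstip="8.8.8.8" proto="17" srcport="51002" dstport="53"
2020:11:12-10:01:09 utm snort[2345]: id="2103" severity="warn" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" srcip="192.168.1.50" dstip="8.8.8.8" proto="17" srcport="51003" dstport="53"
2020:11:12-10:02:00 utm snort[2345]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="ET POLICY example signature" action="drop" srcip="192.168.1.77" dstip="203.0.113.9" proto="6" srcport="40000" dstport="80"
2020:11:12-10:02:01 utm ulogd[1111]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" srcip="192.168.1.77" dstip="192.168.1.1" proto="6"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# "<timestamp> <host> <process>: " prefix, as UTM writes it (assumed layout)
STAMP_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+?):\s')


def parse_utm_line(line):
    """Return the key="value" fields of one log line as a dict, plus the
    leading timestamp, host and logging process; None if the line does not
    have that shape."""
    m = STAMP_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    fields["timestamp"], fields["host"], fields["process"] = m.groups()
    return fields


def tally_ips_events(text):
    """Count IPS events (sub="ips" only) keyed by the action taken, the
    alert name and the internal source host that caused it."""
    tally = Counter()
    for line in text.splitlines():
        ev = parse_utm_line(line)
        if not ev or ev.get("sub") != "ips":
            continue
        key = (ev.get("action", "?"), ev.get("name", "?"), ev.get("srcip", "?"))
        tally[key] += 1
    return tally


def narrow_exceptions(tally, min_hits=3):
    """For every event that repeats at least min_hits times, suggest the
    narrowest Exception: skip only that one check, only for that one source
    host.  Returns a list of dicts, highest hit count first."""
    out = []
    for (action, name, srcip), hits in tally.items():
        if hits >= min_hits:
            out.append({"skip": action, "for_source": srcip,
                        "hits": hits, "name": name})
    return sorted(out, key=lambda d: -d["hits"])


if __name__ == "__main__":
    t = tally_ips_events(SAMPLE_LOG)
    for (action, name, srcip), n in t.most_common():
        print(f"{n:4d}  {action:12s} {srcip:16s} {name}")
    for s in narrow_exceptions(t):
        print(f"exception: skip '{s['skip']}' only for source "
              f"{s['for_source']} ({s['hits']} hits)")
```

Run against a real export of the Intrusion Prevention log, the tally shows whether one host is responsible for nearly all the drops, in which case the Exception belongs on that host (or that host and the flooding check) rather than on the LAN network object.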
  • 1. Hmm... it's actually a quad core if memory serves me right. Current resource usage is 3% and never went above 13% (source: yearly stats).

    2. Ok if you put it that way: couple of non-stop streaming net radios, a plex server, an exchange server & a cctv system. I definitely wouldn't label my network as an intensive usage environment.

    3. While I didn't really have time yet to look at the logs (will try this coming weekend) I managed to filter out by trial and error the exception that gives me the good speed and (contrary to what you suggested) the black sheep turned out to be: intrusion prevention. With only this checked and all the rest left enabled, speeds were back to normal.

    4. Ok, done the test on two cabled workstations simultaneously (+ at the moment of testing there were two internet radios streaming & one HD internet TV streaming). System1: 42 Mbps  System2: 27 Mbps. So I think on that front we are pretty good (better than I thought, to be honest :) )

    You are right about the protection, but would this setup be more acceptable now with only intrusion prevention being disabled in the LAN segment? I also count on the good work of Advanced Threat Protection to keep those C&C servers out ;)

  • 2. speedtest.net only measures available bandwidth - whatever is left over when those devices are active.

    If the issue is Intrusion Prevention, then the solution would be a faster CPU if you can't tune Snort well enough on the 'Advanced' tab.  Also, you can get some great help from Sascha Paris' excellent UTM Tweaking Guide 2.0 - especially the section on Intrusion Prevention near the bottom.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA