IPS needed for all internal networks

Hello,

I am not sure if we should activate IPS because we don’t have internal services which are reachable from external networks (such as webserver via DNAT). What is the advantage of activating this feature and which attacks do I prevent? Perhaps someone has a good example for a potential risk when IPS is not activated.

Thanks a lot!



  • Hi, and welcome to the UTM Community!

    For most organizations, the vast majority of the traffic that enters their network from the outside is responses, not activity initiated from the outside. Look at the 'Attack Patterns' tab, and just eliminate the checkmarks for things you don't have and for things that don't proactively access the Internet.

    Cheers - Bob

  • Hi Bob,

    thanks!

    BAlfson said:
    For most organizations, the vast majority of the traffic that enters their network from the outside is responses, not activity initiated from the outside. Look at the 'Attack Patterns' tab, and just eliminate the checkmarks for things you don't have and for things that don't proactively access the Internet.

    Okay, so I should enable IPS for all local subnets which have access to the Internet and disable all Groups in the "Attack Patterns" tab which are not running in our environment, no matter if it is outgoing or incoming traffic?

    Example:

    All Windows-PCs have access to the Internet, so I leave this checkbox enabled (Operating system specific attacks -> Windows). Our DNS-Servers just ask the Firewall for DNS lookup, so there is no connection to the Internet and I can disable the checkbox. Can you confirm this?

    Thanks & greetings

  • You won't catch me recommending that you disable anything specific.  I do agree that you want to enable the 'Operating system specific attacks -> Windows' patterns.  If you're good at keeping things patched, you can also consider setting the 'Rule age' for each group.

    Cheers - Bob
