
Intrusion Prevention Enabled for External.

Hello, hope you are well.

Are there any best practices to follow when enabling the Intrusion Prevention feature on a UTM? During a very quick one-day training course provided by Sophos they said that you can literally get away with just switching it on and not have to do much detailed tuning, as out of the box it is a very balanced policy and suits most environments.

I did this and just added the "External (Address)" and the "Internal Networks" to the global settings for Local Networks.

So far this has only logged an ICMP Flood detection from a monitoring PC that has a continuous PING running on it.

Does anybody have any experience with regard to a good basic setup, and whether IPS is really needed for the internal side?

Regards,

Dave

  • Best practice says to turn it on only for internal-facing interfaces, like LAN and DMZ, but not WAN interfaces. You can set up an exception for that particular PC to get that notification to go away.

  • Hi Darrellr, hope you are well and thanks for the reply.

    Do you know the reason for not including the External interface? If you have a link to where you got the info from, I would appreciate that. I am assuming it is because it would trigger far too often with false positives.

    I have created an exception for our Sophos Reporter monitoring PC and that has done the trick.

    Regards,

    Dave
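The exception Dave describes is the usual fix for a known-noisy internal host, but you want to confirm from the IPS log which source and which signature are actually firing before you scope it. The script below is an added example, not from the original thread or from Sophos: it parses the key="value" style of UTM's ips.log (the sample lines and the exact field set are constructed assumptions), counts alerts per source and signature, and proposes exception candidates only for repeat offenders inside the assumed Local Networks range, never for external sources.

```python
"""Summarise Sophos UTM IPS alerts and propose scoped exception candidates.

Added example, not code from the original post or from Sophos. The log
format below approximates UTM's key="value" ips.log lines; the field names,
addresses and local network range are all constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log: a monitoring PC pinging continuously (local),
# and an internet host probing a forwarded web port (external).
SAMPLE_IPS_LOG = """\
2015:03:02-09:14:01 utm snort[3712]: severity="warn" sys="SecureNet" sub="ips" name="ICMP flood detected" action="drop" srcip="10.10.5.20" dstip="10.10.1.1" proto="1"
2015:03:02-09:14:31 utm snort[3712]: severity="warn" sys="SecureNet" sub="ips" name="ICMP flood detected" action="drop" srcip="10.10.5.20" dstip="10.10.1.1" proto="1"
2015:03:02-09:15:02 utm snort[3712]: severity="warn" sys="SecureNet" sub="ips" name="ICMP flood detected" action="drop" srcip="10.10.5.20" dstip="10.10.1.1" proto="1"
2015:03:02-11:02:44 utm snort[3712]: severity="warn" sys="SecureNet" sub="ips" name="SQL injection attempt" action="drop" srcip="203.0.113.7" dstip="10.10.2.10" proto="6" dstport="80"
2015:03:02-11:02:45 utm snort[3712]: severity="warn" sys="SecureNet" sub="ips" name="SQL injection attempt" action="drop" srcip="203.0.113.7" dstip="10.10.2.10" proto="6" dstport="80"
2015:03:02-11:02:46 utm snort[3712]: severity="warn" sys="SecureNet" sub="ips" name="SQL injection attempt" action="drop" srcip="203.0.113.7" dstip="10.10.2.10" proto="6" dstport="80"
2015:03:02-11:30:00 utm httpproxy[2201]: severity="info" sys="SecureWeb" sub="http" name="http access" srcip="10.10.5.21" dstip="198.51.100.9"
"""

# Assumed equivalent of the UTM "Local Networks" setting (constructed).
LOCAL_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ips_line(line):
    """Return the key="value" fields of one log line as a dict (empty if none)."""
    return dict(KV_RE.findall(line))


def is_local(ip):
    """True if the address falls inside one of the assumed local networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def summarize_alerts(log_text):
    """Count IPS alerts per (srcip, signature name); non-IPS lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_ips_line(line)
        if fields.get("sub") != "ips" or "srcip" not in fields:
            continue
        counts[(fields["srcip"], fields.get("name", "unknown"))] += 1
    return counts


def exception_candidates(counts, min_hits=3):
    """Local sources that repeatedly trip the same signature.

    Only internal hosts are proposed: a known monitoring PC that pings all
    day is a candidate for a narrow exception (that host, that signature),
    whereas an exception for an external source would simply blind the IPS
    to whoever is probing you.
    """
    return sorted(
        (src, name, n)
        for (src, name), n in counts.items()
        if n >= min_hits and is_local(src)
    )


if __name__ == "__main__":
    for src, name, n in exception_candidates(summarize_alerts(SAMPLE_IPS_LOG)):
        print(f"{src}: {n} x '{name}' -> consider a scoped IPS exception")
```

Run it against a real ips.log instead of SAMPLE_IPS_LOG once you have confirmed the field names your UTM version writes; the point of the local-only filter is that the external SQL injection hits above are just as repetitive as the ping flood, yet they are exactly the traffic the IPS is there to catch.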

  • Well, the box is called Local Networks. It is generally best practice (and enforced in some cases) to only scan internal interfaces for IDS/IPS. Many vendors only apply the IDS/IPS engines per policy rather than per network. So, if you allow port 80 from WAN to forward to internal, that policy will have IDS/IPS performed, but not traffic that is blocked (no reason to commit resources to scan traffic that is not allowed). This is why you would typically not scan the WAN interface. It uses resources to scan traffic that likely will not pass through the firewall anyway. If you are scanning all of the traffic that is allowed (monitoring interfaces with a source or destination of WAN) you are only committing resources to traffic that may be able to traverse the firewall.


    If you really want to scan all traffic destined from outside your WAN interface, I would use something like Security Onion to monitor that before it hits your UTM. Let your UTM do what it is made for, nothing more.

  • Because then your machine will try to scan the entire internet as well. You really do not need to do that; you only need to scan the traffic that is destined for you or that exits. Stick with internal networks for IPS.

  • Hello, thanks for the advice.

    The way you both explained it makes more sense.

    Regards,

    Dave