Implementing an IP Blocklist

This has been asked for for years. I just wanted to see if maybe now it might be on someone's to-do list. I'm getting portscanned almost daily now. When I search for the offender's IP, they almost always appear on some blacklist. It would be FANTASTIC if UTM could support one or more of these blacklists, and simply keep these attackers from getting even a peek at my network. Portscanning is simply a symptom that someone is trying to break in, and this is a great time to stop them, but I feel defenseless. The UTM tells me someone's knocking, but there's little I can do.

Will UTM support blocklists? Does XG?



This thread was automatically locked due to age.
  • In "Intrusion Prevention" do you have "Anti-Portscan" on?

    If so, what is the problem? If any other firewall implements that, it slows the work of the firewall. I'm curious to hear which firewall this is.

  • I do have anti-portscan on. My problems:

    1) While emails are sometimes limited to the first 5 ports (Meaning I get 5 emails when someone portscans me), I often get 100 emails. I reported this bug years ago.

    2) Anti-portscan is not a complete solution, only a piece of a larger picture. Common ports can still be guessed and scanned without triggering anything, as can distributed attacks. By its nature, it would only trigger when a number of consecutive ports are scanned quickly. Scanning slowly, from different IP addresses, would still allow an attacker to run a portscan, if it's even needed.

    3) A known attacker can release attack after attack on known or discovered ports until they find a way in. Blocking their IP makes it that much harder for them. Anti-portscan is ineffective.

    Most attacks don't rely on port scanning. Anti-portscanning does nothing for most attacks. Even something as simple as blocking for a period of time a port scanner's IP would be better than what we currently have. Portscans are a great early warning, as there's usually no legitimate reason to do one without permission. It's frustrating to do NOTHING with that early warning, other than raising the anxiety level of the admin. Should I be on call 24 hours a day so I can manually enter firewall rules?

    Blocklists are implemented in other routers without issue. Even Sophos can block entire countries. Even if it required better hardware to implement a Blocklist, I'd gladly upgrade.

    If I wanted to stick my head in the sand as far as security goes, I'd go back to a consumer Linksys router. If a UTM is advertised as secure, why not add a simple feature that would work towards that goal? Conversely, why would a security company go out of their way to leave paths open for attackers? Fighting against a secure solution in one area leads customers to believe Sophos doesn't take any security seriously.

    In short, a Blocklist is entirely different from Portscanning.

  • Remember that UTM is a bunch of different technologies bolted together under a single user interface.

    • Web Protection implements the concept with the Reputation Limit setting within the Filter Action
    • WAF implements the concept with "Block clients with bad reputation" setting within the firewall profiles
    • SMTP implements the concept with default and configurable RBLs
    • Firewall implements the concept, at least in part, with Anti-Portscan

    I don't quibble that improvements are possible, but I think the coverage is better than it appears at first glance.
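The two replies above contrast threshold-based Anti-Portscan with reputation-style blocking. The following is an added example (not Sophos UTM code, not from either poster) that makes the difference concrete: a sliding-window portscan detector is run over constructed firewall log lines in a made-up `<epoch> <src_ip> <dst_port>` format, alongside a lookup against a constructed CIDR blocklist built from RFC 5737 documentation ranges. A fast scanner trips the threshold; a scanner spacing probes ten minutes apart stays under it, yet a blocklist entry still catches it. The `threshold`, `window` and log format are assumptions for illustration only.

```python
"""Threshold-based portscan detection versus a CIDR blocklist lookup,
run over constructed log lines (added example; not Sophos UTM code)."""
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed log lines (hypothetical format "<epoch> <src_ip> <dst_port>").
# 203.0.113.7 hits five ports in four seconds; 198.51.100.9 hits five ports
# spaced 600 seconds apart; 192.0.2.44 is ordinary traffic.
SAMPLE_LOG = """\
1000 203.0.113.7 22
1001 203.0.113.7 23
1002 203.0.113.7 25
1003 203.0.113.7 80
1004 203.0.113.7 443
1200 198.51.100.9 22
1800 198.51.100.9 80
2400 198.51.100.9 443
3000 198.51.100.9 3389
3600 198.51.100.9 8080
1500 192.0.2.44 443
"""

# Constructed blocklist using documentation ranges (not real threat intel).
BLOCKLIST = [ip_network("198.51.100.0/24"), ip_network("203.0.113.7/32")]

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Return a time-sorted list of (timestamp, src_ip, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), int(m.group(3))))
    events.sort()
    return events


def detect_portscans(events, threshold=5, window=60):
    """Flag a source once it has touched `threshold` distinct destination
    ports within `window` seconds. Returns {src_ip: first_trigger_time}."""
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, port)
    flagged = {}
    for ts, src, port in events:
        q = recent[src]
        q.append((ts, port))
        # Drop probes that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if src not in flagged and len({p for _, p in q}) >= threshold:
            flagged[src] = ts
    return flagged


def blocklisted(src):
    """True if the address falls inside any blocklisted network."""
    addr = ip_address(src)
    return any(addr in net for net in BLOCKLIST)


def evaluate(text, **detector_kwargs):
    """Per-source verdict from both mechanisms, for side-by-side comparison."""
    events = parse_log(text)
    scans = detect_portscans(events, **detector_kwargs)
    sources = sorted({src for _, src, _ in events})
    return {src: {"portscan": src in scans, "blocklist": blocklisted(src)}
            for src in sources}


if __name__ == "__main__":
    for src, verdict in evaluate(SAMPLE_LOG).items():
        print(src, verdict)
```

Widening `window` to an hour makes the detector catch the slow scanner too, at the cost of keeping more state per source; the blocklist lookup needs no per-source state at all, which is the trade-off the thread is really about.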
