vs. untangle (arista)
-
I've been an Untangle user (home paid) for several years but have lost confidence because of a breach. I was infected with a bot that executed a DDOS attack. The webfilter app blocked the attack but did not detect the bot when I was infected. Kaspersky also failed to detect the infection.
So, I'm wondering if pfsense would have prevented the DDOS attack?
I'm on a home network so I'm not terribly excited about going through the complex setup that Sophos requires. Pfsense looks more applicable to my needs. ;) Any input would be greatly appreciated.
chasinreno -
@chasinreno Not sure what factor, if any, the webfilter would've had in preventing any ddos attack.
Did you have threat prevention enabled?
Did you have any endpoint protection on the infected machine? If you did, then right away I would focus on why your solution didn't work. Untangle is a good firewall. It's possible the threat prevention profile you have doesn't recognize the attack. It happens.
-
The webfilter app automatically recognized the attack and blocked the outgoing traffic to the targeted ip. I didn't have to configure it other than various personal preferences. My first clue was getting fifteen batches of 100 notifications each on my phone email. It was so draining on my phone it almost ruined the battery before I could turn it off. It took two days to get the battery back to 100%. For several days the notifications kept coming so I eventually had to uninstall the email client. What was really odd was the daily notifications all had the original date of the attack so they had to be duplicates.
I use Kaspersky for endpoint protection which used to be the best available but it completely missed the original infection. I still don't know where it came from.
What totally scared me was witnessing some Untangle log data being erased, right in front of my eyes. That was version 16.2 and I have since installed version 17.
I had threat prevention installed and running [idsec and ipsec]. I have the paid home license so all apps were available and used.
My renewal is coming up 9/13 so I'm still deciding what I should do.
chasinreno
-
@chasinreno TBH, I would stick with Untangle.
- It clearly worked. It spotted a problem and alerted you.
- The endpoint a/v tool failed you. Not the firewall.
- You are familiar with the firewall. The worst thing you can do for yourself is to move to a product you're not familiar with. That's how misconfigs happen, which leads to security problems.
pfSense is a good firewall but it does require a bit of homework when it comes to setting up your IPS. It's not as seamless as a click-here button and it's done. It can be, but it requires a heck of a lot of tuning.
If Untangle meets all the requirements that you have for yourself, then stick with it. Why change? What would pfsense have done differently given the same situation? I suspect you wanted to continue to get notified on your cell, so it would've done the same thing. It also probably would've recognized a threat and blocked it. -
I'll add a fourth point : a phone that needs 2 days to fill its battery ?
The phone is part of your security chain .... The conclusion is obvious ;)
@chasinreno said in vs. untangle (arista):
so I eventually had to uninstall the email client.
What about : Stopping the mail client ?
Then stop the mailbox from filling up. The mailbox is not on your phone, but somewhere else. The mails are coming from you, a source that you control : your firewall - or the device that generates the traffic. Rip out the right cable (WAN by default), as this will stop the 'attacks' to an innocent victim (the one being ddosed) and the filling up of the mailbox.
And beware : someone was ddosed. This can have severe repercussions if you are identified as the source. Whatever you use as a firewall, or security software on an end user device, it's the user that has the final control. The (your) firewall and software you use on the end device can shave off several % of the chance something bad happens. The other 9x % : the user.
Yes, I know, these payware antiviruses promise a lot. If you want to lower this 9x % chance, you have to do 'things' with your firewall and local firewall antivirus software that will totally 'break' the internet experience.
Normally, we all know that nothing should be downloaded from the Internet, and then opened (and executed). But do we really know what our browser, email client does ? What happens when we click the mouse ?
The thing is : if a ddos is running on a device, someone has started it. And someone downloaded it first. And to do so, he was visiting a place (site) where content is ... well... let's say there are people out there that just like fake/bad/stupid/... info and are actually looking for it.
So, the biggest IT task of all : go see that human, spend some time with him. Explain the risks. As soon as he understands that 'being careful' protects him, as you will kick him off the network if he f*cks up again, you'll be having a common interest/goal. Everybody will be safe. And @michmoor is right : use the tools that you can manage, that you know. Nevertheless, knowledge needs to be fed.
Every router firewall on planet earth has the following default settings :
Everything coming from the WAN (Internet) is blocked.
Everything that is requested from the LAN, is granted.
Very few actually change these rules, as it needs you to become a network expert (yes : expert). That's a nearly full time day job.
To be safe doesn't demand much effort, though. It's like driving the car : use two hands, use the steering wheel and stay on the right side of the road : no one dies.
Don't try to buy that insurance that tells you that 'no skills are needed' ;) Sorry for the rant.
-
@chasinreno said in vs. untangle (arista):
I've been an Untangle user (home paid) for several years but have lost confidence because of a breach. I was infected with a bot that executed a DDOS attack. The webfilter app blocked the attack but did not detect the bot when I was infected. Kaspersky also failed to detect the infection.
So, I'm wondering if pfsense would have prevented the DDOS attack?
I'm on a home network so I'm not terribly excited about going through the complex setup that Sophos requires. Pfsense looks more applicable to my needs. ;) Any input would be greatly appreciated.
chasinreno
You need to understand that security starts with YOU. There is no software that can protect you from yourself.
-
@chasinreno It doesn't sound like the firewall itself failed you. What kind of bot was it? How did it come in? How and where did you find it?
The firewall CAN do AV scanning but if it was sent over an HTTPS connection then it would need to perform a MITM attack in order to be able to scan the download. AV scanning is best left to being able to view it in an unencrypted format, like directly on the PC. Paid AV has extra features like better scanning for fileless attacks, advanced script protection, or firewalls but I've found the real strength of the paid versions is the management, reporting, and support during an infection.
In this case it sounds like the firewall did its job. It found malicious traffic going across the network and stopped it. IDS/IPS protects network traffic by, essentially, profiles. It protects based on the reputation of the remote network and the type of traffic being sent. It doesn't determine whether that traffic is good or bad. For example, if I want to port forward for SQL queries but I've blocked that in my IDS, it will be blocked. It doesn't care if it is me (good) or an attacker (bad). In this case, you downloaded a file (a legitimate type of traffic) from a site not blocked via IDS/IPS (a site with a neutral or better reputation), but then that file began sending traffic the IDS/IPS didn't like (NOT legitimate traffic), maybe to a site that was blocked (perhaps a poor reputation). That's what's supposed to happen.
What appears to have failed you is your AV. It's best to figure out what got in and how, upload the infected files to virustotal (for crowdsourcing) and report it to the AV company. What was the infection and what was the AV you were using? When you upload it to virustotal it should give you a link. Post it here, I'd be curious to see what it was.
-