1 2 3 4 Previous Next 39 Replies Latest reply on Jan 14, 2010 7:07 AM by rugby

    New UTM Features Discussion

      We want to improve the UTM Firewall product whenever and however we can. Your insight, creativity and experiences are important to us. Would it not be cool to see your suggestion adopted in the roadmap and ship in a product? Well, here is your chance to have your say.

        • 1. Re: New UTM Features Discussion

          - Set the VPN configuration pages to be tabbed, rather than a wizard that has to be moved through. It's much simpler to go directly to the Phase 2 configuration than to have to click through the other settings.

          - Allow time based rules (for example, to block AIM traffic during business hours, but let it be accessible for people in the office after 6pm)

          - Add a larger list of predefined port groups for use in creating rules (iChat, video streaming, alternate SMTP ports).

          - Allow multiple connection types to be chosen for rules (currently I may create a server definition, with all traffic types listed, that can be edited to grant or restrict access to a server. But I'd rather be able to select multiple definitions to make it easier to catch all related ports at once)

          - Give a dedicated page to track aggregate usage by a particular user, and by traffic type, over the last defined period. Maybe this is easier done in the logging software, but it would be great to have a "Top 5 users" listed on the status page.

           

          This isn't a UTM feature request, but I do have a UTM Firewall community request: any way to add an edit button so we can clean up any typos we may have found after posting (say, within 15 minutes after posting)?

          Now I see it - didn't see it before...

           

           

          Message was edited by: Mike on 11/12/09 4:01 PM
          • 2. Re: New UTM Features Discussion

            > - Set the VPN configuration pages to be tabbed, rather than a wizard that has to be moved through.

            It will be a wizard when you create it, so you can't forget to 'do stuff'. After that it'll turn into a tabbed form. We will do this for other subsystems too. Should be in 5.0 if the schedule deities smile on us.

             

            > - Allow time based rules (for example, to block AIM traffic during business hours, but let it be accessible for people in the office after 6pm)

            Will be in 5.0.

             

            > - Add a larger list of predefined port groups for use in creating rules (iChat, video streaming, alternate SMTP ports).

            Hmmm. Wasn't on our radar. Doesn't that get hard to search? I always found /etc/services on Linux with its 500+ entries more of a hindrance than a help.

             

            > - Allow multiple connection types to be chosen for rules (currently I may create a server definition, with all traffic types listed, that can be edited to grant or restrict access to a server. But I'd rather be able to select multiple definitions to make it easier to catch all related ports at once)

            Not sure what you mean. You can already create groups of services in the Definitions section. And you can also group interfaces together. That would seem to cover what you are asking for but perhaps I misunderstand.

             

            > - Give a dedicated page to track aggregate usage by a particular user, and by traffic type, either over the last defined period. Maybe this is easier done in the logging software, but it would be great to have a "Top 5 users" listed on the status page.

            Firewall Reporter gives you most of that - off-device. Doing it 'on-device' is on the to-do list. There are some resource constraints with it, so probably not going to be possible on all devices. Hopefully 5.5 but haven't done the MRD for that yet.

             

            Cheers

            Tom

            • 3. Re: New UTM Features Discussion

              Updating Siproxd to a more recent version would be good.  This version doesn't understand that you don't allocate RTP ports sequentially, among other things. They are in RTP/RTCP pairs.

              Thanks

              Larry
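An added example (not siproxd's code and not from anyone in this thread) of the port-pairing rule Larry is referring to: RFC 3550 section 11 puts RTP on an even port and RTCP on the next higher odd port, so a proxy has to allocate ports two at a time rather than sequentially. The port range used in the test is a constructed value.

```python
from typing import Optional, Set, Tuple


def is_valid_pair(rtp: int, rtcp: int) -> bool:
    """RFC 3550 section 11: RTP on an even port, RTCP on the next higher odd port."""
    return rtp % 2 == 0 and rtcp == rtp + 1


class RtpPortAllocator:
    """Hand out RTP/RTCP port pairs from a configured range.

    Ports are allocated two at a time (even RTP, odd RTCP) rather than one after
    another, so a media relay never ends up with RTCP on an even port or with a
    pair split across two calls.
    """

    def __init__(self, low: int, high: int) -> None:
        if low % 2:
            low += 1              # first RTP port must be even
        if high % 2 == 0:
            high -= 1             # last RTCP port must be odd
        if low >= high:
            raise ValueError("range too small for one RTP/RTCP pair")
        self.low, self.high = low, high
        self._in_use: Set[int] = set()
        self._next = low          # rotate through the range so freed pairs are not reused at once

    def _step(self, port: int) -> int:
        """Next even port after 'port', wrapping to the start of the range."""
        return self.low if port + 2 > self.high else port + 2

    def allocate(self) -> Optional[Tuple[int, int]]:
        """Return a free (rtp, rtcp) pair, or None when the range is exhausted."""
        candidate = self._next
        for _ in range((self.high - self.low + 1) // 2):
            rtp, rtcp = candidate, candidate + 1
            if rtp not in self._in_use and rtcp not in self._in_use:
                self._in_use.update((rtp, rtcp))
                self._next = self._step(rtp)
                return rtp, rtcp
            candidate = self._step(candidate)
        return None

    def release(self, rtp: int) -> None:
        """Free the pair that starts at the given (even) RTP port."""
        if rtp % 2 or rtp not in self._in_use:
            raise ValueError(f"{rtp} is not an allocated RTP port")
        self._in_use.difference_update((rtp, rtp + 1))

    def in_use(self) -> int:
        """Number of pairs currently allocated."""
        return len(self._in_use) // 2


if __name__ == "__main__":
    # Constructed range: four pairs, 10000/10001 through 10006/10007.
    allocator = RtpPortAllocator(10000, 10007)
    for _ in range(4):
        print(allocator.allocate())
    print(allocator.allocate())   # None: range exhausted
```

Rotating the starting point on each allocation means a port pair that was just torn down is not handed to the next call immediately, which keeps late packets from a finished session out of a new one.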

              • 4. Re: New UTM Features Discussion

                Fair enough. So ticketed #14835.

                Should just be a simple update - if so we'll try to fit it in with 5.0 or soon after.

                 

                Cheers

                tom

                • 5. Re: New UTM Features Discussion

                  Tom,

                   

                  Will the IDS/IPS still be Snort based in the next iteration of the 565? Are there any other security features on the roadmap?

                  Will a serial port still be present on the next gen device?

                  Will the next gen device have crypto accelerator like the current version?

                   

                  My feature requests:

                  I'd like to see captive portal included on the 565's wifi.

                  Also it would be nice if OpenDNS Content Filtering is supported

                  Can some form of NAC be integrated in to the device?

                   

                  A problem I've run across on a few wireless installations is that WPA2 Enterprise with 802.1x requires RADIUS auth back to a corporate server across the WAN. In installations where PCI-DSS requires WPA2 with 802.1x, we often see wifi connecting Symbol/Intermec handscanners, remote POS stations, or it's now popular to use a wireless handheld ordering system. If the WAN link goes down the store/restaurant is often out of business until the WAN is back up because the devices can't reach the corporate RADIUS server any longer.

                   

                  Could a small RADIUS system such as TinyPEAP be integrated into the 565 for a dozen or so uname/pwd's so the auth would take place on the 565? Or, is there a way to authenticate to a corporate RADIUS but use a cached copy of the uname/pwd when the corp auth server is not available (like Windows does when the Domain Controller is not present)?

                   

                  Stan Herring

                  Cybera

                  Tennessee

                  • 6. Re: New UTM Features Discussion

                    And while we are at it how about:

                    - SSL VPN?

                    - Documentation for more VPN clients (or even a basic, multi-platform application)

                    - Filtering based on domain name (i.e. block port 80 to facebook.com - would be great when combined with earlier request for time-based rules; we don't need to block all web access all the time, nor are we looking to necessarily block "all social networking", just a few cherry-picked sites would be good. Maybe even make that the limitation - 5 domains built-in, more would need the content filter).

                    • 7. Re: New UTM Features Discussion

                      > - SSL VPN?

                      Will be done in three stages: device-device, roadwarrior-device, portal.

                      Device-device is done and will beta soon.

                       

                      > - Documentation for more VPN clients (or even a basic, multi-platform application)

                      vpnc.org provides that type of info. Is that not enough?

                       

                      > - Filtering based on domain name

                      You can do that now: Definitions -> Addresses -> New 'DNS Hostname'.

                      Then create a 'group of addresses' which includes your DNS hosts,

                      then use that in a firewall rule.

                      The DNS name lookup results are pre-cached (as of 4.0) and observe Time-To-Live, so should refresh as DNS updates happen (e.g. dynamic hostnames).

                      The pre-caching means that DNS lookup failures/delays do not block any critical activity. So in 4.0 using DNS names is much safer than in 3.x firmware.

                       

                      And of course once we have a nice UI for time-based rules you'll be able to combine all this together as well.

                       

                      Cheers

                      tom
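An added example (not firmware code, and not Tom's) of the pre-cached 'DNS Hostname' definition described above: the resolver is only ever called from a refresh job driven by TTL expiry, rule evaluation reads the cache alone, and a resolver failure keeps the last known good answer instead of blocking or emptying the address group. The resolver and clock are constructed stand-ins so it runs offline; example.com and the 192.0.2.x addresses are constructed values.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# A resolver returns (addresses, ttl_seconds) or raises OSError on failure.
Resolver = Callable[[str], Tuple[List[str], int]]


@dataclass
class HostnameEntry:
    addresses: Set[str]
    expires_at: float          # clock value at which the cached answer's TTL runs out


class DnsAddressCache:
    """Pre-cached 'DNS Hostname' address definitions.

    refresh() is the only method that talks to DNS and is meant to run from a
    timer, never from the packet path. lookup() only reads the cache, so a slow
    or unreachable resolver can never stall rule evaluation.
    """

    def __init__(self, resolver: Resolver, clock: Callable[[], float] = time.monotonic) -> None:
        self._resolver = resolver
        self._clock = clock
        self._entries: Dict[str, HostnameEntry] = {}

    def refresh(self, name: str) -> bool:
        """Re-resolve one name; on failure keep the last known good answer."""
        try:
            addresses, ttl = self._resolver(name)
        except OSError:
            return False       # entry stays as it was (and stays due for retry)
        self._entries[name] = HostnameEntry(set(addresses), self._clock() + max(ttl, 1))
        return True

    def refresh_expired(self) -> List[str]:
        """Refresh every entry whose TTL has run out; returns the names refreshed."""
        now = self._clock()
        due = [n for n, e in self._entries.items() if e.expires_at <= now]
        return [n for n in due if self.refresh(n)]

    def lookup(self, name: str) -> Set[str]:
        """Non-blocking: cached addresses (possibly stale), or an empty set if never resolved."""
        entry = self._entries.get(name)
        return set(entry.addresses) if entry else set()


def rule_matches(cache: DnsAddressCache, group: List[str], dst_ip: str) -> bool:
    """True if dst_ip belongs to any hostname in the 'group of addresses'."""
    return any(dst_ip in cache.lookup(name) for name in group)


class FakeResolver:
    """Constructed stand-in for DNS so the example runs offline."""

    def __init__(self, table: Dict[str, Tuple[List[str], int]]) -> None:
        self.table = table
        self.down = False

    def __call__(self, name: str) -> Tuple[List[str], int]:
        if self.down:
            raise OSError("resolver unreachable")
        return self.table[name]


class FakeClock:
    """Constructed clock so TTL expiry can be stepped deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    resolver = FakeResolver({"example.com": (["192.0.2.10"], 60)})
    cache = DnsAddressCache(resolver, clock)
    cache.refresh("example.com")
    print(rule_matches(cache, ["example.com"], "192.0.2.10"))   # True
    resolver.down = True
    clock.advance(61)
    cache.refresh_expired()                                     # fails quietly
    print(cache.lookup("example.com"))                          # still {'192.0.2.10'}
```

The trade-off is visible in the failure branch: while the resolver is down the rule keeps matching the old addresses, so the group's contents can lag a DNS change for as long as the outage lasts, which is why the refresh keeps retrying on every cycle until it succeeds.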

                      • 8. Re: New UTM Features Discussion

                        > - Will the IDS/IPS still be Snort based in the next iteration of the 565?

                        Yes, with MFE rules (dynamic updates soon after 5.0 release).

                         

                        > - Are there any other security features on the roadmap?

                        Yes - we'll be looking to bundle a range of McAfee Security features/products into the product.

                        Priority TBD.

                         

                        > - Will a serial port still be present on the next gen device?

                        Serial and USB will be standard.

                         

                        > - Will the next gen device have crypto accelerator like the current version?

                        Yes.

                         

                        > - I'd like to see captive portal included on the 565's wifi.

                        It is on the to-do list.

                         

                        > - Also it would be nice if OpenDNS Content Filtering is supported

                        Trusted Source has a multi-lingual team dedicated to categorizing URLs. 96+ categories (vs 50 or so for OpenDNS). We respond to recategorizations within 1 business day, etc. etc. - this is a core business activity for McAfee. It forms an integral part of our Security as a Service (SaaS) strategy.

                         

                        So we're working on shifting URL categorization over to Trusted Source and using its new digest mechanism for emails as well as making it fully transparent so that internal mail hosts no longer get annoyed.

                         

                        > - Can some form of NAC be integrated in to the device?

                        We have the Nessus Attack Scripting Language engine on the device with which one can do a form of NAC. And we will be looking at integrating a range of in-house technologies into the product of course. DLP, NAC and others - over time.


                        - WPA2-enterprise.

                        EAP encodes the password, which does not fit well into pluggable authentication. As a result it's not currently tied into our PAM cache (and its tunable parameters, see UI). A custom cache or local RADIUS server are about the only options, yes. The latter though raises issues of synchronization. Hmmm, tricky - but something we should address, yes.

                         

                        Cheers

                        tom

                        • 9. Re: New UTM Features Discussion

                          This may be a bit off topic but I tried to upgrade the firmware from 3.x to 4.x.

                           

                          I was successful in upgrading the firmware on our SG565 appliance and then using the old SG565 3.x config file.

                           

                          I was not successful in upgrading the firmware on our SG560 appliance and then using the old SG560 3.x config file.

                           

                          I went back to using the latest 3.x firmware on both appliances because of this.

                           

                          What is the best way to upgrade from 3.x to 4.x firmware without having to manually enter in all the config stuff?
