EFW Support

Support => Installation Support => Topic started by: bendeliduka on Saturday 21 May 2011, 06:00:11 am



Title: IS the commercial ENDIAN product dead?
Post by: bendeliduka on Saturday 21 May 2011, 06:00:11 am
The commercial product available for virtual demonstration is version 2.4.0, the community edition available for download is 2.4.1

Both exhibit some flaws that call into question the quality of the underlying code.

Freshly boot either system and under System | Dashboard the "Intrusion Detection" is listed as OFF, yet when I move to the Services menu (on the top) and select Intrusion Prevention (same thing, just could not settle on a naming convention?) it is shown as running (green box).

Clicking on the box turns the IPS off, and alerts to the effect that it is being turned off.  Clicking again on the gray box turns it back on.

Additionally, the documentation is somewhat unclear on how the IPS works, but...
(docs.endian.com/services.html#intrusion-prevention) does indicate under the RULES heading that
Code:
...By default the policy of all rulesets is to alert.  This behavior can be changed by clicking on 
the alert icon and it will turn into a red shield.  This means that after clicking on the Apply button the
chosen ruleset will not cause alerts anymore but will block traffic that matches its rules...

The above is only partially correct.  Experience indicates that while the icon changes to a red shield, the matching traffic is NOT BLOCKED but is ALERTED.

Rebooting the system and verifying the rules are still set "correctly" confirms the results are inconsistent with the documentation and the expectations from the GUI interface.

Most of the documentation on the Endian Knowledgebase (kb.endian.com) is years old and out of date (version 1.x releases)

Don't get me wrong.  I am a huge fan of Linux and the GUI interface looks like something I could train less skilled network administrative staff to manage.  But the serious defects in functionality degrade the product's usefulness below community/commercial standards.

The only way I was able to block the traffic was to create Outbound firewall rules to block the IP Ranges.
I'm saddened to see a product with such promise having such poor support and out of date documentation, a total lack of informational howto's (the list goes on)

There is additional functionality that would make the logging and tracking behavior more interesting as well...
like the ability of the logs to show WHY traffic was DROPPED and the ability to negative filter and drop 'chatter' from the logs while looking for specific traffic (like suppressing all the Windows broadcast crap)
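One check that settles the "red shield but still only alerting" question is to look at what the ruleset actually says on disk rather than trusting the GUI. The following is an added example, not code from the original post and not Endian's own code. It assumes the IPS is Snort-based with plain-text rule files in the usual `action proto src sport -> dst dport (options)` form (an assumption here; the post does not name the engine or file locations), and the sample ruleset is constructed. It counts how many enabled rules merely `alert` versus `drop`, and shows the rewrite a block mode must perform so the claim in the docs holds.

```python
"""Check whether a Snort-style ruleset actually blocks or only alerts.

Added example: assumes a Snort-like IPS with plain-text rule files.
Run it against a real rules file with: python this.py /path/to/file.rules
"""
import re
import sys
from collections import Counter

# In inline mode these actions stop the packet; 'alert' and 'log' only record it.
BLOCKING_ACTIONS = {"drop", "reject", "sdrop"}
PASSIVE_ACTIONS = {"alert", "log"}
ALL_ACTIONS = BLOCKING_ACTIONS | PASSIVE_ACTIONS | {"pass"}

# Optional leading '#' marks a disabled rule; the rest is the classic rule header
# followed by the option block in parentheses.
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>[a-z]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(line):
    """Return a dict for a rule line, or None for blank lines and ordinary comments."""
    m = RULE_RE.match(line)
    if not m or m.group("action") not in ALL_ACTIONS:
        return None
    rule = m.groupdict()
    rule["disabled"] = bool(rule["disabled"])
    sid = re.search(r"\bsid\s*:\s*(\d+)", rule["opts"])
    rule["sid"] = int(sid.group(1)) if sid else None
    return rule


def summarize(rules_text):
    """Count enabled rules per action; this is what a 'block' toggle has to change."""
    counts = Counter()
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule and not rule["disabled"]:
            counts[rule["action"]] += 1
    return counts


def is_blocking(rules_text):
    """True only if every enabled rule uses a blocking action (and there is at least one)."""
    counts = summarize(rules_text)
    blocking = sum(counts[a] for a in BLOCKING_ACTIONS)
    passive = sum(counts[a] for a in PASSIVE_ACTIONS)
    return blocking > 0 and passive == 0


def to_blocking(rules_text):
    """Rewrite enabled 'alert' rules to 'drop'; disabled rules and other actions are untouched."""
    out = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule and not rule["disabled"] and rule["action"] == "alert":
            line = re.sub(r"^(\s*)alert\b", r"\1drop", line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample ruleset (not a real Endian or Snort distribution file).
SAMPLE_RULES = """# constructed test rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"TEST irc outbound"; sid:1000001; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"TEST dns query"; sid:1000002; rev:1;)
# alert tcp any any -> $HOME_NET 23 (msg:"TEST telnet, disabled"; sid:1000003; rev:1;)
drop tcp any any -> $HOME_NET 445 (msg:"TEST smb inbound"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    print("enabled rules by action:", dict(summarize(text)))
    print("ruleset actually blocks:", is_blocking(text))
```

Run without arguments it reports two `alert` rules and one `drop` rule, so the ruleset is not blocking despite containing a drop rule; after `to_blocking` every enabled rule is `drop`. Pointing it at the files the appliance really loads is the quickest way to tell a GUI that only changed its icon from one that changed the rules.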