not sure untangle is the best option for me

amrogers3 (Gawd; joined Nov 7, 2010; 641 messages)
This was posted on 6/19/10 on the Untangle forums:

The UVM only processes TCP and UDP packets. This is done for performance. All packets transferring from one interface to another on the Untangle server are subject to the UVM.

This is why by default the DMZ is bridged to external. You can assign servers Internet IP addresses, and defend them with the UVM's abilities transparently. More and more people are wanting to configure Untangle for the more traditional routed and NAT'd DMZ approach... but such a thing is more difficult.

You should also be aware that the bridging or routing is performed by the Linux kernel. In cases when the UVM is offline, packets will pass uninspected. This leaves every Untangle server with an opening for a few seconds to a few minutes on each reboot. There is a gap between when the Java runtime spins up and loads the UVM, and when the kernel starts passing packets.

Is this how all software firewall installs work? That is a HUGE security vulnerability at startup.

Also found out untangle does not drop ICMP packets since it works at the UDP/TCP level. Additionally, I do not utilize SMTP email so the spam and phish blocker won't help me.

Not sure untangle is the way to go for me. Is this true regarding the kernel and when the UVM is loaded?
 
Untangle is a pretty mediocre firewall, which is why I use pfSense in front of it for my firewall duties. I put Untangle in transparent mode and use its other UTM features - minus the firewall module.
 
I don't think Untangle can ever be considered the "best" option but it depends on what you're defending and what your budget is.

This place is turning into the Untangle fanboi forum though...

My production environment at work is defended by multiple IOS firewalls, hardware IPS, Checkpoint firewalls and FWSMs in a HA configuration.

At home I use a Cisco IOS zone-based firewall and some other goodies depending on what I'm testing or studying at the moment.

Deploy what suits your needs/business requirements.
 
Untangle is a pretty mediocre firewall, which is why I use pfSense in front of it for my firewall duties. I put Untangle in transparent mode and use its other UTM features - minus the firewall module.

I've been researching pfSense. Looks to be solid but it operates at a lower level than untangle. I believe it operates at level 3 where untangle operates at 7. Guess there isn't a 100% solution to anything :(

By the way, what internet service are you using? Do you know if it works well with Uverse?
 
Whether or not there is any grace period of non-protection depends on the OS design. That's a pretty poor design decision (what it should do is wait until all modules are loaded before traffic starts to pass). I would imagine that products like Cisco IOS/ASA, where they have an operating system that they developed themselves would not have this issue, because the routing and filtering would be completely integrated, as opposed to having untangle using the Linux kernel to route, another package (maybe iptables) to handle ip-based firewalling, more packages to handle spam/virus blocking.

It might be different in transparent mode.

Regarding TCP/UDP blocking: TCP/UDP/ICMP are all running at layer 4. ICMP access control is a lot simpler, since there is no concept of ports or state. I know that iptables can block by specific ICMP messages, I am not sure whether untangle has a frontend for this feature.
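The boot-time gap described in the quoted Untangle post, the "wait until all modules are loaded before traffic starts to pass" fix suggested in this reply, and the per-message-type ICMP filtering iptables offers can be put together in one small init-style script. This is an added example written for this thread, not Untangle's own startup code: the interface names eth0/eth1, the readiness probe `pgrep -f uvm`, the 120 second timeout and the SSH admin rule are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Fail-closed boot gate for a Linux box that routes or bridges traffic and
# hands it to a userspace inspection engine (the UVM discussed above).
# Added example for this thread, not Untangle's own init script. The
# interface names, the readiness probe in READY_CMD and the ICMP policy are
# assumptions chosen for illustration.
#
# Order of operations: install DROP policies before any link comes up, poll
# until the engine reports ready, and only then append the ACCEPT rules.
# If the engine never comes up, forwarding stays closed instead of open.

WAN_IF="${WAN_IF:-eth0}"                # assumed external interface
LAN_IF="${LAN_IF:-eth1}"                # assumed internal interface
READY_CMD="${READY_CMD:-pgrep -f uvm}"  # assumed readiness probe; any command
POLL="${POLL:-1}"                       # seconds between probes
IPT_DRY_RUN="${IPT_DRY_RUN:-}"          # non-empty: print rules, do not apply

# Wrapper so the same functions can be exercised without root: in dry-run
# mode the rule is printed exactly as it would be passed to iptables.
ipt() {
    if [ -n "$IPT_DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Phase 1: default-deny for forwarded and locally delivered traffic.
lockdown() {
    ipt -P FORWARD DROP
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
    ipt -F FORWARD
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Admin access from the inside only, so the box stays reachable while closed.
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
}

# ICMP is filtered per message type: keep the types the IP stack needs
# (path MTU discovery, traceroute replies), rate-limit echo-request aimed at
# the box itself, drop every other ICMP type arriving from the WAN, and never
# forward WAN pings inward.
icmp_policy() {
    ipt -A INPUT -i "$WAN_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p icmp -j DROP
    ipt -A FORWARD -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
}

# Phase 2: block until READY_CMD succeeds or the timeout (seconds) expires.
wait_for_engine() {
    timeout="${1:-120}"
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if sh -c "$READY_CMD" >/dev/null 2>&1; then
            return 0
        fi
        sleep "$POLL"
        waited=$((waited + 1))
    done
    return 1
}

# Phase 3: open forwarding. Only connections initiated from the LAN and
# their replies are accepted; unsolicited WAN traffic still hits the DROP
# policy. Drop the MASQUERADE line when the box runs as a bridge.
open_forwarding() {
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Full sequence; returns non-zero (and leaves forwarding closed) on timeout.
boot_sequence() {
    lockdown
    icmp_policy
    if wait_for_engine "${TIMEOUT:-120}"; then
        open_forwarding
    else
        printf 'inspection engine not ready, forwarding stays closed\n' >&2
        return 1
    fi
}

# Run as: ./boot-gate.sh run      (or IPT_DRY_RUN=1 ./boot-gate.sh run)
case "${1:-}" in
    run) boot_sequence ;;
esac
```

Run it once with IPT_DRY_RUN=1 to read the rule set before touching the live tables. The readiness probe is the weak point of any such gate: a process existing is not the same as the engine actually handling packets, so on a real deployment replace the pgrep with whatever health check the engine exposes. In transparent (bridge) mode, bridged IP frames only traverse the FORWARD chain when the `net.bridge.bridge-nf-call-iptables` sysctl is enabled, which is why behaviour can differ there, as the reply above notes.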
 
pfSense is an offshoot of m0n0wall, correct? I've been comparing pfSense to Smoothwall and it seems like pfSense supports NATing and RADIUS, and is on the BSD OS. Smoothwall, not too sure about NATing and RADIUS, and it runs on the Linux OS. Looks like pfSense is the solution I am looking for.

Does pfSense or any firewall/UTM exist that can monitor Hotmail, Yahoo, Gmail traffic?

Can't find any supporting evidence there is such a device from my google research.
 
By the way, what internet service are you using? Do you know if it works well with Uverse?

I'm running Untangle with Uverse. You can either put Untangle into a transparent mode, letting the Uverse box manage the DHCP, or you can set DMZ+ on the Uverse box to pass your public IP on to Untangle.
 
I'm running Untangle with Uverse. You can either put Untangle into a transparent mode, letting the Uverse box manage the DHCP, or you can set DMZ+ on the Uverse box to pass your public IP on to Untangle.

Yeah, that is what I am doing now, but I was trying to figure out if I put Uverse in DMZ mode and pass everything to pfSense. Going to put Untangle behind pfSense.
 
I know you are trying to learn all these things, but what exactly are you trying to accomplish from all this work you are doing with all this software / equipment ?
 
securing my network best way possible :D

Is this just a home network?
If you use quality hardware, you should be rebooting Untangle perhaps once a year, when you do program upgrades. Why are a few seconds during a reboot causing you to lose sleep?
 
Yeah, that is what I am doing now, but I was trying to figure out if I put Uverse in DMZ mode and pass everything to pfSense. Going to put Untangle behind pfSense.

I'm running the DMZ+ so Untangle manages everything. This way, I only need to go to one place for most of the configurations. ;)
 
Is this just a home network?
If you use quality hardware, you should be rebooting Untangle perhaps once a year, when you do program upgrades. Why are a few seconds during a reboot causing you to lose sleep?

It is for home network. I will probably use untangle inline with another firewall. There is a lot of the functionality I don't use in untangle.
 
Does pfSense or any firewall/UTM exist that can monitor Hotmail, Yahoo, Gmail traffic?

Can't find any supporting evidence there is such a device from my google research.

Astaro Home perhaps? You can monitor and/or block any webmail app, by user or IP address if you have everything setup right. Could also look at Endian.
 
pfSense is an offshoot of m0n0wall, correct? I've been comparing pfSense to Smoothwall and it seems like pfSense supports NATing and RADIUS, and is on the BSD OS. Smoothwall, not too sure about NATing and RADIUS, and it runs on the Linux OS. Looks like pfSense is the solution I am looking for.

Does pfSense or any firewall/UTM exist that can monitor Hotmail, Yahoo, Gmail traffic?

Can't find any supporting evidence there is such a device from my google research.

What do you mean by monitor? You can see who accesses these sites and that is about it. Because the traffic is HTTPS (secure) you are not going to capture the emails.

BTW, Windows XP is vulnerable for a while at startup too.

I use dos 6.22.
 
What do you mean by monitor? You can see who accesses these sites and that is about it. Because the traffic is HTTPS (secure) you are not going to capture the emails.



I use dos 6.22.

I use DOS 3.1, it's more secure, fewer holes! And it fits on 2 floppies.
 
My USR Sportster 28.8 bps modem (pre-"plug and play" with dip switches to set the interrupt) was the best modem I ever used. ISA bus lol. Cost me $256 in 1995. Spent many an hour on AOL and BBSs with it.
 
My USR Sportster 28.8 bps modem (pre-"plug and play" with dip switches to set the interrupt) was the best modem I ever used. ISA bus lol. Cost me $256 in 1995. Spent many an hour on AOL and BBSs with it.

$256 was a decent price too; now people look at that card and wonder what it is! LOL!

USR had some great modems, but some of them were a BITCH to get installed and or find drivers for :(
 
Which is why I love external modems :)
pop the modem in a serial port and so long as the settings on the modem are good it should just work :D
 
If you want to be cheap about it, BSD can be easily installed on a USB stick. I'm running FreeNAS OS from a 4 gig flash drive.

I ran pfsense at home for a while. 500 mhz p3 with 512 of ram and a 10 gig hard drive. 2x dual port 10/100 intel nics. Ran great until I moved to a Cisco Router
 
Is this just a home network?
If you use quality hardware, you should be rebooting Untangle perhaps once a year, when you do program upgrades. Why are a few seconds during a reboot causing you to lose sleep?

You never really answered this. I mean, I can be upset that my house isn't secure (read: locked) for the five seconds I'm walking through the door, but that doesn't mean it's logical. Especially when I'm walking through the door once a year.
 
You never really answered this. I mean, I can be upset that my house isn't secure (read: locked) for the five seconds I'm walking through the door, but that doesn't mean it's logical. Especially when I'm walking through the door once a year.

5 seconds on a network is an eternity in my opinion and defeats the whole purpose of a firewall. Second I would like to implement RADIUS. Untangle doesn't allow that.
 
Untangle is a pretty mediocre firewall, which is why I use pfSense in front of it for my firewall duties. I put Untangle in transparent mode and use its other UTM features - minus the firewall module.

Please explain further, how is it mediocre as a firewall? It does as good a job as anything else out there; it comes down to whether the user knows how to configure it properly...

As YeOld said, use good hardware and it is safe, also think, if someone wants to exploit your UT box,

1. they have to know when it will be rebooted and where it is and how to access it
2. they have to find an exploit that will even let them do anything to get access to it

So if they have 1 and 2, you probably have bigger problems.

Also, you could use the Packet Filter to block / drop ICMP packets. I would say the forums are turning into a UT fanboi forum because UT is a great product for what you get; toss in some paid apps and you have everything you need.
 
Also, you could use the Packet Filter to block / drop ICMP packets. I would say the forums are turning into a UT fanboi forum because UT is a great product for what you get; toss in some paid apps and you have everything you need.

Unfortunately, another problem I have with Untangle is that it does not allow any way to drop ICMP packets. I'm sure it is a good product, just not for my purposes.
 
Can an ASA forward all traffic out one port so Snort will be able to see it? I was trying to do Snort inline but that doesn't sound like an option atm.
 
Please explain further, how is it mediocore as a firewall? it does as good a job as anything else out there, it comes down to does the user know how to configure it properly...

Umm, no. Its firewall module is rudimentary at best. Nowhere near pfSense, Cisco ASA or even a SonicWall in flexibility. If I need to explain, then you must be used to consumer firewalls like Linksys. :confused:
 
I would explain because I haven't heard any of these before till today.

How is the firewall on it bad?
 
will do.



I was looking at setting up freeNAS at a later date down the road. How is it to set up and configure?

Easy,

Just remember to plug in the flash drive before starting up the machine and don't unplug it after you have it setup.
 
5 seconds on a network is an eternity in my opinion and defeats the whole purpose of a firewall. Second I would like to implement RADIUS. Untangle doesn't allow that.

No it's not, and no it doesn't. 5 seconds is 5 seconds. If you set it up correctly, you won't even have any traffic flowing during those 5 seconds (or however long a reboot takes, probably longer, but it's still not anything of consequence) anyway.

I also don't quite get the RADIUS. If it's for educational purposes, see the paragraph following this one. But for practicality, any network that would require a RADIUS setup has no business running Untangle, imo. It's a fantastic piece of software with a multitude of uses, but at that level, you move into a different league.

If you were to argue you are taking all these steps in order to learn something, fine, have at it. One could argue that if you're trying to learn enterprise-level security on home-grade solutions, you're missing the point entirely, but that's neither here nor there. You're arguing that you're legitimately concerned about the security of your network and these measures you're taking are practical and even necessary, which is utterly ridiculous unless you have some kind of ties to classified documents and a team of blackhats after you. If someone wants access to something on your network, they're not going to wait an entire year for a window of opportunity. They're going to find some different type of exploit that can be executed in a (relatively) timely fashion.
 
Can an ASA forward all traffic out one port so Snort will be able to see it? I was trying to do Snort inline but that doesn't sound like an option atm.

The 5505's can - 5510 and higher cannot.

Just configure the port Snort will be on w/
switchport monitor <interfaceToMonitor>
 
5 seconds on a network is an eternity in my opinion and defeats the whole purpose of a firewall. Second I would like to implement RADIUS. Untangle doesn't allow that.

Not if you think about it logically. Let's see... while the Untangle firewall is booting up, are you actively surfing the web and downloading e-mail? Probably not... since it's, uhm, not running yet. The most important firewall function is up: NAT, no unrequested traffic is coming in from the internet.

No radius? It has captive portal, and the Directory Connector.....and ability to authenticate against a Radius server is coming soon.

I never cared about the ability to drop ping or not. I don't care if someone can get replies if they ping me... I have a firewall doing my job. Analogy: when you drive by a bank and/or walk into a bank, you can see the vault... is that a security risk for the bank, that you can see the vault?
 