Working with Untangle Firewall

Untangle Firewall is a hardware security solution that provides a robust platform to control and observe network operations. The suite of software includes a firewall, web content blocker, routing capabilities, and many more traffic shaping features. I was interested in trying this out because I was looking for peace of mind regarding home network security. I’m pleased with how my Untangle box has been working so far. In this write-up I briefly explain my experience with different apps included in the software.

The hardware specifications for Untangled version 13 are pretty light for a small home network. The avoid any hassle I tried out a Protectli Vault, fitted with a J1900 processor, 8 GB ram, 120 GB SSD, 4 port Intel NIC for $350 at the time of this writing. It’s a workhorse and perfect for my network of about 8 – 12 devices running. It’s working with a 300/20 connection with constantly redline upload traffic. The CPU has clocked in a 50% under the heaviest load. There is definitely room to scale with this route. If I wanted to get brave I could switch out the 8GB memory stick for 16GB if the board allows it. The SSD swapfile should carry me plenty if things get rough.

Installation can be done using just a USB keyboard. In this case Untangle was loaded from a USB stick into one of the two USB connections on the Vault. Untangle charges different rates for commercial and home users. Off the gate, Untangle comes with a 14-day free trial. After the grace period it’s $50/year for the home version which includes all the “apps”. Once thing I wish it had, though, was a screenshot feature.

 

collage-2017-08-08.png

 

Out of the box; simple and productive. The homepage can be customized to include a plethora of different visualized reports.

Network management took a second to get used to. At first I wanted to get my bearings by googling every session I saw pop up then slowly expanding the network to more devices as I felt more comfortable This led me to some interesting whois websites which provide useful domain data to compare with the built in Untangle resolution. I noted the IPs I didn’t know, using the session viewer in real time, until I had become familiar with the addresses and ranges that services on the network typically use. This type of experience with network behavior lets an administrator quickly view the status of the network by looking at the geographic or other visual representations of data. I feel the at-a-glance data visualization is a key advantage of using Untangle and software like it. I chose to investigate the different apps individually so understanding their functions became easier. At first the amount of information available was overwhelming. The software had a reasonable learning curve so that feeling was short lived.

I apologize for the screenpictures. For this particular instance I wanted to know what the oscp connection was. Google suggested it checks the validity of the certificates installed on the machine. I like the at-a-glance functionality a home screen with contextually selected apps offers. The map tickles my geographic fancy. Sometimes it’s easier to work with spatial data. Glancing at a map and noting the locations of the connections can assist with interpretation on the fly. It would be even better if you could export the state of the dashboard to a static image. Exporting the configuration of the dashboard would be beneficial, too, allowing an administrator the quickly restore the last configuration. I might be missing something, but it doesn’t seem to allow the moving of visualization tiles once they’ve been place on the dashboard. This could be a major inconvenience when reorganizing or grouping visualizations after-the-fact. The geographer in ma

At first it’s easier to misestimate the amount of connections a computer can make in a browsing session. The web page loads, the 10 or so ads and marketing services connect, the DNS is queried. With 3 internet devices browsing the internet and interfacing with media, the amount of sessions can easily reach the hundreds. I worked with each app individually until I felt like I had a solid understanding of the underlying systems. Approaching the software in this manner made it easier to understand at a functional level.

 

800px-1600x1080_apps.png

 

First up was the firewall. Through trial and error, I figured out which connected sessions were important to my computing. This was most critical component I needed security-wise. Being able to see all of the open sessions, in real-time and retroactively, gave me enough data to play with initially to get a hang for the system and understand the routine sessions on my network. The firewall lets you set rules that block traffic, let’s say I own a business and I want to block all traffic that appears to be from Facebook, this would be possible by setting custom firewall rules the block the Facebook domain. In my case I wanted to identify what exactly was going on with the background connections, windows telemetry data, time synchronization efforts, and websessions being kept alive by a browser. I identified the major, constant connections, like the one a cloud migration operation to amazon cloud drive I’m currently running. This allows the administrator to get comfortable with the network and she how it is normally shaped. Along with these connections was a constant odrive connection that was brokering the Amazon Cloud Drive upload. Connections like these that I have accounted for personally were set to bypass the firewall entirely so I could reconfigure the rules without worrying about them being taken offline. The peace of mind this device provides when auditing or preforming network forensics feels priceless.

Untangle includes two web traffic shaping apps; Web Filter and Web Monitor. A few of the apps have “lite” versions (free) and full versions (paid). The application library has a Virus Block Lite and a Virus Blocker. One is the free version and the other is included in the subscription. Untangle developers the lite version and the paid version provide additional protection when run in tandem. They might be using different databases or heuristics to identify threats between the two apps.

Web Monitor is the free app, it allows you to monitor web traffic, its origination, destination, size, associated application, etc. Web Filter is required to shape the traffic. Web filter out of the box comes with several categories of web traffic it blocks. Pornography, malware distributors, known botnets, anonymizing software are all blocked with web filter by default. Several hundred additional categories for web traffic exist to make this selection as precise as an administrator would like. There was one instance where the filter warned me before I was redirected to a malware site while sifting through freeware. This is a necessity for me. The ad blocker, which functions similar to a pi hole, catches the ads before they even make it to the client computer. Normally a user would expect the browser to block ads but that’s not the case with this in-line device. The ability to catch ads over the wire adds an additional line of defense for a traditional browser adblocker.

Intrusion prevention is another app I couldn’t live without. Intrusion prevention systems (IPS) use behavioral and signature analysis to inspect packets as they move across the network. If the signature of a communication or a behavior registers as malicious, the IPS logs and, according to the user-set rules, blocks these attempted misbehaviors. The intrusion detection was quiet while I was messing with it, which is a good sign. There were several UDP portscans and distributed portscans, originating from the Untangle box. These might be functions of the Untangle install or the intrusion detection app scanning the public IP for vulnerabilities but I’m not 100% sure. It could always be a malicious actor over the wire. Whatever the cause, these portscans were the only behaviors the intrusion prevention system picked up.

The question becomes, how thorough do you want to be when setting up rules for the apps. Let’s say a Chromecast is portscanning itself for benevolent reasons, like troubleshooting a connection. Should you allow this? Should you follow the rule of least privilege? Should Chromecast have the ability to recon your network? Security and convenience tend to be mutually exclusive to a certain degree. Knowing what your sweet spot of productivity is will allow better administration of the box.

 

collage-2017-08-09.png

Bandwidth control is something I’m still getting the hang of. One question I have is why the speed I’m getting from the bandwidth monitor app readings and the interface readings seem to be off by a factor of 10. They both seem to be presenting results in the MB/s format. No unit conversion errors detected.

I can’t speak for the banwidth app itself. There are additional apps for bandwidth shaping. WAN balancer makes sure a serving load is balanced across a number of assets. If you were running a server that needs high availability and maximized performance, you would get some use out of the feature. WAN fallover is a feature that activates a backup connection, in the case the primary WAN is unreachable. Again, these features are geared towards users with the need for traffic shaping and high-availability solutions.

There is an app for both IPsec VPN and OpenVPN. I didn’t have a chance to mess around with these. The is a webinar on the IPsec VPN hosted by Untangle on YouTube. I’m curious about the particularities because I’m eager to get this feature operational as soon as possible.

I had an interesting time with the SSL inspector. This app allows you to decrypt HTTPS sessions and intercept traffic before encrypting it again and sending it on its way. Turning this on threw SSL errors on almost all devices in the house. Things like Roku couldn’t connect to YouTube because the certificate chain was incomplete considering the Untangle box was middle-manning the connection. Luckily, it comes with a certificate creator that can serve certificates to client computers so browsers won’t think it’s a malacious redirect.

Transferring the Root certificate around was comically difficult. It couldn’t be transferred on Gmail because of security issues. Those issues might have been because Google thought the attachment was malicious, or that it’s not good OpSec to email root CA installers around, although it was for a client computer. The SSL app is able to generate an installer for Windows machines in additional to the plain cert.

I was able to move it around by putting it on Google Drive. Downloading with Edge threw all sorts of bells and whistles. At first SmartScreen said it didn’t recognize the file and threw the “are you sure you want to download” prompt? Then the warning that “this file could harm you computer” from the browser. Then Kaspersky prompted about the file. Finally, UAC was triggered. This is all in good measure, installing bogus certs on computers this way can be compromising.

SSL inspector needed to be turned off while this configuration was being done. The internet was unusable with browsers like Edge with SmartScreen because of the certificate errors. MAC addresses for devices with hardcoded certs bypassed the SSL inspector all together so they wouldn’t throw errors.

 

stuntsec_ca.png

 

SSL inspector needed to be turned off while this configuration was being done. The internet was practically unusable if the correct certs aren’t installed on the network devices.

Captive Portal and the Brand Manager apps were nice touches to include. These were probably the most fun I had playing around with. The branding manager allows you to provide stock logos that replace the default Untangle logo in the software. I designed a mockup logo for fun and really enjoyed how thorough this functionality was.

The captive portal seems to function in a similar way as the SSL inspector, though I think it uses a different certificate because it throws certificate errors on machines with the SSL inspector cert installed. The captive portal page can include your brand manager content and display and solicit agreement to a terms of service, offer the option to download the certificate and or the installer, log a user in, and brokers a number of other useful functions. Very cool if you’re trying to administer web usage.

 

Stuntman Security 2.png

 

Web Cache is something you want to consider if you’ve got the resources for it. A web cache monitors traffic and puts frequently visited elements in a cache that it can serve locally. If I’m logging on facebook every day, it’s easier, and arguably safer to store the “Facebook” logo locally and serving the local copy instead of asking the website for it. The Web Cache presents a lucrative target for attackers but luckily keeping tabs on its operation with the Untangle reporting system is easy.

There are the features that you would expect to see in home security software. Untangle’s advantage is catching threats over the wire, theoretically before they hit the client box. The complete package includes the two virus scanning apps, the Phish Blocker which I assume is some kind of DNS functionality to check URLs for malpractice. There are the two spam blocker apps which I believe work with some cloud threat database. These tools provide the same functionality as a security suite for your desktop. If you start seeing unusual malware activity you can leverage the firewall against it to really turn up the heat.

In addition to the virus and malware protection, an ad blocker is included. Like the advantage above, Untangle sees the advertising domains and blocks them before they hit the boxes behind it. I know for certain the ad blocker has been busy on my box.

Active Directory is available to further expand your capability on the local network. I didn’t have a chance to mess around with it. Most home networks don’t have active directory services running but some power users out they should get a kick out of it. I played around with policy manager for a bit. It’s useful if you want to run SSL on one group of devices and ignore others, like streaming devices. Essentially each policy runs its own set of apps and generates its own reports. Very useful for compartmentalizing your network.

A lot of the Untangle apps demand more resources as you connect more devices to the network. You need to be conscious of the box running Untangle and how scalable it is. If you’re running a Web Cache for 100 users, the resources required to manage it scales exponentially from 10 useers depending on their workflow. SSL inspector can be a problem if resources are limited while the workload increases. Intrusion detection is another relative resource hog.

I learned about DHCP and routing the hard way, which is always to most effective way. I realized I wasn’t resolving hostnames from devices that were connected to the router. A router, typically by default, sends all information upstream from one IP address. This function is twofold, first it’s because there aren’t enough IPv4 addresses to be issued to every device, and secondly, it’s safer to have the router acting as a firewall so each home device doesn’t directly face the internet.

By changing the wireless router that was behind the Untangle box to “access point” mode, it quickly differed this DHCP serving to the Untangle box. Untangle was then able to resolve the hostname for each device connected to the wifi. This allows for fine tuning of access rules and traffic shaping.

The remote functionality is robust and well-supported. Access can be tailored to the user. Users that only need access to reports are safety granted this access without enabling access to system settings. Multiple boxes can be administered from a single interface. Phone administration is possible through the browser. HTTP administration most be allowed from the client box to allow configuration on a client.

The reports app, though more of a service, is probably the most important app in the box. Reports act as the liaison between the administrator and the Untangle utilities. Graph are easily generated and data is visualized so it can be easily digested on the fly. Reports can be stored on the box for up to 365 days. You will have to account for the resource usage of maintaining this database. Reports can automatically be sent to your email inbox at an interval of your choosing. This report contains much of the top level information about the box’s performance, allow remote administration to be conducted confidently and quickly.

The configuration for each untangle install can be backed up with the Configuration Backup app. It has built in Google Drive functionality and can send and restore from the cloud, eliminating the need for panic if a box becomes physically compromised. Another scenario for this functionality would be sending a configuration template to new boxes. After installation of a new box, you would just need to select the loadout from Google Drive and hours of possible configuration could be avoided. The same backup functionality is available for reports. So essentially, if a box burns up, you just have to replace the hardware and it’s back off to the races thanks to the automated backups.

I had a great time messing around with this software. I’m very pleased with the hardware purchase. The all-in-one computer plus a year’s subscription to Untangle at home was $400. I’m enjoying it so much I’m considering a second box that I can administrate remotely. The opportunity definitely provided me a peace of mind that application solutions couldn’t. Hopefully in the future I can use some of the data for geographic projects. I’ve already started messing around with projecting some geographic data in ArcMap. Here’s to hoping for more positive experiences working with the Untangle box.

Josh Dean Concord Charlotte

 

 

2 thoughts on “Working with Untangle Firewall

  1. Great write up!! I’m trying to do the same thing but can’t get the vault to boot from the usb image. Did you download the 32 bit or 64 bit version of Untangle? Maybe it just doesn’t recognize my USB?

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s