Untangle Your Network Security

I received about five different emails last week telling me about a free security product from Untangle that had entered the realm of open source on Tuesday.  I have a tendency to trust open source because the code is open to peer review rather than closed and proprietary.  When it comes to security of my network, I want to be able to lift the hood and check the spark plugs.  Untangle offers that.
 
Built on thirty open source projects such as ClamAV, Snort and SpamAssassin, Untangle provides a unique solution to the problem of network security.  The software is ready to run "out of the box" and requires little configuration to get started.  And it does not cause any noticeable performance hits on network speed.

Unlike the proverbial snake oil of the past that claimed to solve every imaginable problem, Untangle effectively blocks spam, spyware, viruses, phishing attacks and intrusions.  It also is easily configurable as a firewall, router and web filter.  And it even downloads updates automatically to ensure that your network is protected against the latest threats.  Everything is done behind the scenes so that the user is not bombarded with messages stating that a problem was found.

An advantage for the home user with children is the reporting feature.  All activity on the network is logged.  Not only can you see what kind of bad stuff has been blocked from coming into your network, you can see which websites your children are visiting and control their access through the built-in web filter.  Pre-configured settings allow you to block content based on categories such as pornography, web-based mail, illegal drugs, gambling, hacking, violence, and a variety of others.  You can of course fine tune the settings to create your own blocklist.  Tired of your teenager filling all available space on the family computer with downloaded MP3s?  Block them.  It will grow with your children and your needs.

Building the Network

The software is really easy to install and just as easy to manage.  I repurposed a Compaq Presario SR1563CL that my parents gave to me after their last upgrade.  It had been sitting in a closet for several months unused.  The computer came with the following specifications.

    AMD Athlon 64 3400+
    1GB RAM (shared with video)
    200GB SATA Hard Drive
    Integrated RTL8201CL 10/100 NIC

I added a second RTL8139 10/100 NIC that I purchased from a local computer parts supplier for a mere $5.35.

Before installing the software, I considered completely redesigning my network.  My previous configuration was a NetGear WRT634G connected directly to the cable modem and acting as an SPI firewall and router.  Port 1 was connected to a Vonage Motorola device.  Port 2 was connected to my media server (mentioned in a previous article for recording TV and sharing 500GB of audio and video across my home network).  Everything else in the house was wireless over encrypted tunnels.

The original setup caused me problems with Vonage phone service whenever I was downloading huge files.  My phone was out of commission for all intents and purposes for over a day while downloading the Knoppix 5.1 DVD.  By following Vonage's recommendation and placing their device outside of the firewall, it could consume the traffic that it needed for voice communications and leave the rest available for internet traffic.

Before I could completely rewire the network, I had to configure the computer.  I downloaded the Untangle software from www.untangle.com and burned it to a CD.  I had some problems initially with the software hanging at 80% on install.   A search on the forums did not provide any answers to my problems, but a simple BIOS modification on the computer fixed the issue.  I disabled the 1394 port and legacy USB support in the BIOS, rebooted the computer, and succeeded in installing the software.

Redesign of the network was simple.  I plugged the Vonage device directly into the cable modem and modified its configuration to point all traffic to a DMZ on port 1.  The Vonage device was a little tricky to get into because Vonage will not readily provide a username and password for configuration.  A quick Google search revealed that the username is 'router' and the password is also 'router' (I have since changed these for security).

From port 1 on the Vonage device, I connected a patch cable to the public interface on the Presario.  From the private interface on the Presario, I connected the NetGear wireless router and plugged the media server to one of the switched ports on the NetGear.   I immediately had outbound service throughout the network.

Networking can get a bit tricky, but here is a breakdown of how my network is configured.

The Vonage device receives traffic at a public IP address and handles DHCP and DNS forwarding for its switched ports.  It assigned the address 192.168.15.4 to port 1, which I then reserved in the Vonage configuration.  The Untangle server was configured with this information for its public interface, along with the IP of the Vonage device, 192.168.15.1, as the default gateway.

By default, Untangle will issue IP addresses on the private NIC with a range of 192.168.1.81 through 192.168.1.94 (this may depend on the number of computers you have on your network).  Using DHCP, it also provides all necessary routing information to the devices connected to the internal interface.

The NetGear wireless device was configured to provide DHCP in the scope of 192.168.1.2 through 192.168.1.51.  It will route traffic from those IPs upstream to the Untangle device.  Voila!  Complete outbound network communication.

[Edit:  A friend gave me the simple solution to my problem that I had overlooked.  All of my clients were showing up in the reports as having the same IP address.  By connecting the private interface of the Untangle device to a switched port rather than the router port on the NetGear I was able to track behavior for each and every client on my network.  This required turning off the DHCP service of the NetGear and relying solely on that of the Untangle box.  It also removes the secondary (and unnecessarily redundant) firewall built into the NetGear.]
 
The next trick was getting inbound traffic to work.  Since this was handled by the NetGear previously, I copied down the port mappings from the NetGear device.  Once all of the settings that I needed were documented, I configured the firewall on the Untangle to point those ports to the new IP addresses of the devices.  In the Untangle router configuration I was also able to set static IP addresses for all internal servers.
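The addressing breakdown above and the port mappings are the kind of plan that is easy to get subtly wrong: a static server address that sits inside a DHCP pool, two DHCP servers on the same segment handing out overlapping ranges (the situation before the Edit), or an inbound forward aimed at a lease that can change. The script below is an added example, not code from the post or from Untangle. It uses the addresses the post gives; the Untangle private-side address (192.168.1.1), the media server address (192.168.1.100) and the port map are constructed assumptions for illustration. It also models why clients all showed up as one address in the reports when the NetGear's router port sat between them and the Untangle box.

```python
"""Sanity-check an addressing plan like the three-segment home network in the post.

Added example: not code from the post or from Untangle.  Addresses are the ones the
post gives; the Untangle private-side address, the media server address and the
port map are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Segment:
    name: str
    network: IPv4Network
    gateway: IPv4Address
    # DHCP pools active on this broadcast domain: server name -> (first, last)
    dhcp_pools: dict = field(default_factory=dict)
    # Reserved/static hosts: host name -> address
    static: dict = field(default_factory=dict)


def in_pool(addr, pool):
    first, last = pool
    return first <= addr <= last


def check_segment(seg):
    """Return a list of human-readable problems with one segment's plan."""
    problems = []
    if seg.gateway not in seg.network:
        problems.append(f"{seg.name}: gateway {seg.gateway} is outside {seg.network}")
    for server, (first, last) in seg.dhcp_pools.items():
        if first > last or first not in seg.network or last not in seg.network:
            problems.append(f"{seg.name}: DHCP pool {server} {first}-{last} is not a valid range inside {seg.network}")
    # Two DHCP servers on one segment with overlapping pools can hand out duplicate leases.
    names = list(seg.dhcp_pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a1, a2 = seg.dhcp_pools[a]
            b1, b2 = seg.dhcp_pools[b]
            if a1 <= b2 and b1 <= a2:
                problems.append(f"{seg.name}: DHCP pools {a} and {b} overlap")
    for host, addr in seg.static.items():
        if addr not in seg.network:
            problems.append(f"{seg.name}: static host {host} ({addr}) is outside {seg.network}")
        for server, pool in seg.dhcp_pools.items():
            if in_pool(addr, pool):
                problems.append(f"{seg.name}: static host {host} ({addr}) sits inside DHCP pool {server}; a lease could collide with it")
    return problems


def check_port_map(port_map, seg):
    """Inbound forwards must target a reserved address, never a DHCP lease that can change."""
    problems = []
    for port, addr in port_map.items():
        if addr not in seg.static.values():
            problems.append(f"port {port} forwards to {addr}, which is not a reserved address on {seg.name}")
    return problems


def addresses_seen_by_untangle(clients, via_router_port, router_wan_addr):
    """Model the post's reporting problem: traffic arriving through the NetGear's router
    (WAN) port is source-NATed to the router's WAN address, so every client appears as one
    IP; through a switched port each client keeps its own address."""
    return {router_wan_addr} if via_router_port else set(clients)


def build_plan(netgear_dhcp_enabled=True):
    """The post's layout.  True is the first configuration (two DHCP servers inside);
    False reflects the Edit, where only the Untangle box serves DHCP."""
    outside = Segment(
        name="vonage-side",
        network=ip_network("192.168.15.0/24"),
        gateway=ip_address("192.168.15.1"),
        static={"untangle-public": ip_address("192.168.15.4")},  # reserved in the Vonage device
    )
    pools = {"untangle": (ip_address("192.168.1.81"), ip_address("192.168.1.94"))}
    if netgear_dhcp_enabled:
        pools["netgear"] = (ip_address("192.168.1.2"), ip_address("192.168.1.51"))
    inside = Segment(
        name="inside",
        network=ip_network("192.168.1.0/24"),
        gateway=ip_address("192.168.1.1"),  # assumed Untangle private-side address
        dhcp_pools=pools,
        static={"media-server": ip_address("192.168.1.100")},  # constructed
    )
    return outside, inside


def audit(netgear_dhcp_enabled=True, port_map=None):
    """Run every check over the plan and return the combined problem list."""
    outside, inside = build_plan(netgear_dhcp_enabled)
    port_map = port_map if port_map is not None else {}
    return check_segment(outside) + check_segment(inside) + check_port_map(port_map, inside)


if __name__ == "__main__":
    # Constructed port map: one forward to the reserved media server, one aimed into the DHCP pool.
    demo_map = {8080: ip_address("192.168.1.100"), 2222: ip_address("192.168.1.90")}
    for problem in audit(port_map=demo_map):
        print("PROBLEM:", problem)
```

With the post's addresses the two DHCP pools do not overlap, so the plan passes; the only finding in the demo run is the forward aimed at 192.168.1.90, which lies inside the Untangle pool and could be reassigned to a different machine after a lease expires.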

Next Steps
Untangle provides several filters for spam and identity theft that I am unable to take advantage of due to my current configuration.  All of my email is web-based or housed off-site.  In order for these services to benefit me, I will need to build an internal email server and configure it in the Untangle box.  I can then redirect all of my mail to the internal server to cause filtering to occur.  Of course I will need to make further adjustments to provide off-site access to emails once this is completed.

The Web Content Control worked out of the box.  I tested several adult sites with the service both turned on and off to see how well it worked.  It worked like a champ.  Even with the Web Content Control turned off, there were some adult sites that I could not reach because they contained spyware or other malicious software that was blocked by other services on the box.  I tested from a Mac to prevent any potential infections.  I recommend against testing from a Windows-based computer.  Untangle will most likely stop the traffic, but why take the chance with something as insecure as Windows (pick a version).

The system is supposed to have the ability to email reports from all of the services to the administrator.  I have been unable to get this component working.  Configuring an internal mail server should solve this problem.

I have not configured the OpenVPN service that ships with Untangle.  I generally have used RDP in the past for remote access.  I currently have all remote access services turned off for security reasons.  Most of my network services that I would need to access remotely provide a secure web interface for doing so.  I will test out OpenVPN to see if it can provide me that extra level of security without making things too complicated.

Another potential for remote access is the Remote Access Portal.  According to the Untangle site, "Remote Access Portal, a clientless SSL VPN, provides secure remote 'anywhere access' to a company's intranet through a regular web browser. Remote Access Portal is a great choice for remote access to desktops, web-based applications including email, and file sharing."  However, this service is part of the subscription Professional Package and would cost approximately $25 per month for my configuration.  Though this is a good deal for small businesses, I find it difficult to justify for home use.  I can use Hamachi or some other product to get similar results without the recurring cost.

What I Would Like To See

There are a few security products that would be nice to have implemented on the same box.  I could maintain them on my low-grade Debian Sarge box, but it is about 6 years old and is only a Pentium III 933MHz.

NoCatAuth provides a nice little welcome page with login any time someone connects with a web browser.  From time to time, I turn off WPA encryption on the wireless network so that I can see who out there is gaining access.  Having the ability to show the disclaimer would warn people that I have the ability to actively monitor and capture all traffic from such unauthorized use.  It also would alert friends who are visiting me to keep their behavior acceptable.  Believe it or not, I have had people try to hack into my network when they visit.  Little do they know that all of my internal communications operate through secure SSH tunnels for every computer on my network.  This prevents just such behavior.  But it is nice to be able to snoop back and provide them a warning that I am doing so.

One other addition that would be nice to see is OSSEC HIDS from Daniel Cid over at www.ossec.net.  OSSEC monitors the inside computers (completely cross platform) to detect internal issues. It provides a nice vehicle for internal log analysis, integrity checking, rootkit detection, time-based alerting and active response.  Since I have the drive capacity and the system already has the capability to see all network traffic, there is great potential to implement it as a monitoring tool and to incorporate it into the reports so that you can see what issues exist on the inside network.

Conclusion

Untangle is a marvelous product.  It does more in a single installation than any other product on the market, commercial or otherwise.  The incorporation of third party open source projects means that there is a diverse body of support and updates for the product and a mass of humanity working on keeping the various components current.

If you are a small to medium sized business looking for better protection of your network, use this product.  Buy the Professional Package.  You will not regret it.