Untangle Network Security

Chapter 1. Introduction to Untangle

This chapter will introduce you to the Untangle company and its products. Untangle has two product lines: Untangle NGFW and IC Control. In this chapter, we will introduce you to Untangle NGFW and the modules available to be installed on the NGFW.

This chapter will also cover some of the information security basics required to understand the importance of using Untangle NGFW to protect our networks. In addition, the major changes from version 9.4.2 to version 10.2.1 will be covered.

In this chapter, we will cover the following topics:

Introducing Untangle, Inc.
An overview of information security
Introducing Untangle NGFW
Reviewing the change log

An overview on information security

If you have a public IP, you and your company may be the next victim of the cybercrime business. 75 percent of Internet traffic is malicious (https://wiki.cac.washington.edu/download/attachments/7479159/White_Paper_6-Feb26-round2-AS-BE+DRAFT.doc) and the cybercrime business value equals 105 USD billion, which surpasses the value of the illegal drug trade worldwide. In addition, most of the cybercrime attacks are determined, not just opportunistic, and they include the theft of IDs, trade secrets, research and development, and so on. So, you must be ready.

The CIA triad

Your role as a security administrator is to protect the information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. The CIA triad is explained as follows:

Confidentiality: Ensuring that the data or an information system is accessed by only an authorized person
Integrity: This means protecting data from modification or deletion by unauthorized parties
Availability: Ensuring that data and information systems are available when required

Types of attacks

The attacker's target is to compromise one or more attributes of the CIA triad, which will allow him to gain access to confidential data and steal it. He may be interested in manipulating data by deleting or modifying some parts of it. Also, his target may be to reduce or interrupt the availability of your services, which could highly impact your reputation. Common methods and attacks that are used by attackers are as follows:

Malware: This is a short name for malicious software. This is used or created to disrupt computer operations, gather sensitive information, or gain access to private computer systems. Some malware types are as follows:
- Virus: This attaches itself to legitimate applications. Viruses can be used to cause direct damage such as prevent the computer from booting or to open some ports and services, which can be used by the attacker to gain access or steal data. They can replicate themselves and spread from one computer to another.
- Worm: This is a standalone malware program that has the same damage properties of the viruses. However, unlike viruses, it does not need to attach itself to an existing program.
- Rootkit: This is a program or a set of programs that usually have kernel level access and effectively can hide from antivirus programs.
- Spyware: This collects information about what the user is doing and what data is on the user's computer and feeds it to the remote party, which could take advantage of this information. The spyware programs usually change the default search engine and the default home page.
- Keylogger: This records the key stroke entered by the user. This can be used by the attacker to capture the user's login credentials.
- Backdoor: This allows the attacker to bypass normal authentication and get remote control of the victim's computer, while attempting to remain undetected.
- Trojan horses: This type of malware masquerades as a legitimate file or helpful program but the real purpose is to grant unauthorized access to a computer to the hacker. For example, you may download and install a screensaver that will install backdoors to your system.
- Botnet: This is a collection of Internet-connected computers whose security defenses have been breached and controlled by a malicious party. The set of breached computers could be used to initiate huge attacks.
- Adware: This is a software installed on the user's computer that will periodically pop up an advertisement that encourage users to buy some products, which is considered to be an annoying and disturbing action.
Phishing: The act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an e-communication. For example, you may receive a fake e-mail (which looks like it was from your bank) informing you that your password has expired and asking you to change it by logging to the bank using a link that will redirect you to a malicious website (which also looks like as the original bank website). The fake website will capture your login credentials.
Spear-phishing: This is a phishing attempt directed at specific individuals or companies.
Whaling: This is a phishing attempt directed to a company's executives.
Spam: This is an unwanted e-mail that usually includes advertisements, malicious attachments with malware, and phishing links.
Denial of Service (DoS) attack: The attacker tries to make the server unable to respond to customer requests by overloading the server with many requests. The same is also true for applications/services hosted by this server as the attacker may be interested in disabling certain application not the whole server. For example, attacking an Apache HTTP server that's hosting the web service.
Distributed Denial of Service (DDoS) attack: This is the incitation of a DoS attack from multiple computers instead of only one machine. The DDoS attack usually includes the usage of a botnet.
Smurf attack: An example of a smurf attack is when the attacker sends a broadcast ping request to your network. If the attacker did address spoofing, your network devices will send the ping replies to the spoofed address, which will lead to a DDoS attack.
Man-in-the-middle attack: In this attack, traffic between two devices is passed through a rouge device controlled by the attacker. Thus, the attacker can get the original traffic and read the data if the communication is unencrypted, even he may inject malware to the traffic.
Privileges escalation: The attacker will use vulnerability in the operating system or applications to get higher access privileges (for example, root access).
Xmas attack: This is used to get more information from the network scan. So instead of the normal ping and port scans, the xmas attack can analyze the TCP response of the target systems and get more detailed information such as the operating system version and the services running.
Typo squatting / URL hijacking: As a result of typing an error, a user may go to a malicious website. For example, the user may type http://www.goggle.com instead of http://www.google.com.

Types of controls

The following are three different types of controls we need to implement to keep our network and systems safe:

Technical: This includes the use of technology (that is, software and devices) to reduce vulnerabilities; common technical controls include the usage of security software and devices, access control systems, authentication systems, and encryption.
Management: This is also known as administrative controls. This includes the assessment of risks and vulnerabilities, planning, and writing a security policy.
Operational: This deals with day-to-day procedures and policies that the users should follow. An example of operational controls is change management.
Note
A list of 20 critical security controls can be found at http://www.sans.org/critical-security-controls/.

Defense in depth

We should use the defense in depth concept in which multiple layers of security controls (defenses) are placed through our network. Some of defense in depth techniques are as follows:

Layered defense: This sets your defense at multiple stages (such as network edge and individual PCs) instead of using only one layer of defense. If that one layer of defense fails, you will be an easy victim for attackers. So, use an antivirus at network edge to protect against downloaded threats and a desktop antivirus to mainly protect against threats coming through the internal network.
Multiple tools: These make the attacker's job harder by using firewalls, antivirus programs, intrusion detection systems, intrusion prevention systems, and so on instead of using only one tool.
Update all your systems and programs: It's important to update all your systems to prevent the exploitation of any discovered vulnerability; only updating your operating system will not block the threat as the attacker may have privileged access from unpatched program such as Java or Flash Player.
Don't use the administrator account for daily activities: As the attacker's goal is to gain privileged access over your network, his job will be easier if you run malware using the administrator account.
Read and learn: Attacker techniques always change and evolve; you need to be always aware of the new techniques and how you can fight these techniques.
Think like an attacker: This will help you to discover your network's weak points.
Follow up: Always review the event logs to be aware of the threat's sources and work on preventing these threats.

Introducing Untangle NGFW

Untangle NGFW is the simplest firewall you will ever use. Untangle Inc. really has done a very good job of simplifying the graphic interface and customizing the firewall settings to suit most companies' needs. Untangle NGFW is a network security device that is placed at the network edge to scan traffic and protect the network from threats. Let's identify the meaning of NGFW, but before identifying NGFW, we will need to explore other terms that may lead to term conflicts:

Firewall: This blocks traffic based on the predefined port and IP-based policies.
Stateful firewall: The firewall sets a stateful table that remembers the user's traffic. The firewall will block all traffic initiated from outside the network and not by an internal user. If the incoming traffic was requested by the internal user (which is determined based on the stateful table), the firewall will allow this traffic.
Proxy: The user sends traffic to the proxy, which will send the traffic to the external world on behalf of the user. The incoming traffic will be ended on the proxy, which will forward it to the appropriate user. As the traffic passes through the proxy, the proxy could scan the traffic and implement policy control based on the IP address, user ID, and so on.
Security gateway: This is also known as application aware firewall or layer 7 firewall. This has the ability to look at the application layer while the traffic passes through it to identify and stop the threats.
Unified Threat Management (UTM): Instead of buying multiple security devices with different roles and putting them in series (for example, using IPS device and spam filtering device), you can buy an UTM that combines all these roles into one device.
NG firewall: While the UTM is just about collecting services together, NGFW has other specifications, as defined by Gartner:
- The UTM collocates security services under a single appliance, whereas NGFW integrates them. For example, in UTM, the packet is scanned by the firewall role, then passed to the IPS role and finally to the antivirus role. Whereas in NGFW, the firewall is integrated with the IPS, antivirus, and so on, resulting in a single-pass engine (that is, the packet is scanned by the different rules simultaneously).
- Include the first generation firewall capabilities, for example, network address translation (NAT), stateful protocol inspection, virtual private networking (VPN), and so on.
- Integrated signature-based IPS engine.
- Application awareness, full-stack visibility, and granular control.
- The ability to set directory-based policies (for example, policies based on Microsoft Active Directory group membership).
- The ability to decrypt and scan HTTPS traffic.

Based on Gartner's definition, we could say that every NGFW is in necessity a UTM, but not every UTM is a NGFW. So, our Untangle product is a next generation firewall as it perfectly meets the Gartner definition.

Note

Keep in mind that Untangle scans the traffic while it passes through the device, thus it's not a proxy device.

Untangle NGFW is based on the Debian distro. Untangle NGFW includes the basic networking functionalities such as providing DNS, DHCP, NAT, and static routing. It also provides additional modules to provide antivirus, antispam, and antiphishing solutions. The complete set of Untangle modules will be covered in the next section.

Untangle has two operation modes: it could run as the primary firewall, which is the preferred mode for Untangle NGFW, or it could run behind another firewall, which is useful if you have an in-place firewall and you don't want to risk the headache of removing the other firewall, or if the other firewall provides a functionality that Untangle NGFW is not providing, such as Data Loss Prevention (DLP).

Untangle NGFW modules

In this section, we will see the modules provided by Untangle NGFW to achieve network security and control.

Untangle NGFW can be divided into the kernel, Untangle VM (UVM), and Apps. The UVM controls all the routing and networking functions of Untangle. In addition, any traffic directed to the Untangle NGFW itself is processed by the UVM. The additional functionalities (such as antivirus and antispam) are provided by the modules (Apps), which run inside the UVM.

Untangle NGFW uses the concept of virtual racks, which is a set of modules. Different virtual racks could be assigned to different users. Untangle NGFW has two types of modules, applications and services, based on their functionality on the virtual racks concept.

Applications are unique to each rack. Thus, a rack can include antivirus application while the other doesn't, or one rack can include antivirus application that scans the .exe files and the other rack scans other extensions expect for the .exe files.

Services are shared between racks. So if we configured the Untangle NGFW to integrate with Microsoft Active Directory, all virtual racks can benefit from that.

The Untangle applications are as follows:

Web Filter Lite: This is used to block access to certain websites such as social networking, spyware, and malicious websites. It's open source and free under GPL.
Web Filter: This is a paid application based on zVelo technologies, which have a lot of features over the Lite version.
Virus Blocker Lite: This is used to protect against viruses. It's based on the open source CalmAV and it's provided by Untangle for free.
Virus Blocker: This is a paid version based on the Commtouch, which is an effective antivirus engine for network gateways.
Spam Blocker Lite: This is used to protect against spam. It's based on the open source SpamAssassin project and it's provided by Untangle for free.
Spam Blocker: This is a paid version that uses an additional anti-spam database based on the cloud services from Commtouch, besides the SpamAssassin project.
Phish Blocker: This is used to prevent phishing sites and e-mails. It's open source and free under GPL.
Web Cache: This is used to enhance user experience by storing parts of websites. This will make the websites load faster the next time the user requests them. It's a paid application that is based on the Squid project.
Bandwidth Control: This is a paid application that is used to control bandwidth utilization by allowing higher priority traffic to utilize more traffic than the traffic with lowest priority.
HTTPS Inspector: This is used to allow Untangle to scan encrypted HTTPS traffic. It's a paid application.
Application Control Lite: This is used to block certain applications such as IM and BitTorrent applications from accessing the Internet. It's open source and free under GPL.
Application Control: This provides better application detection and a larger database than the lite version. It's a paid version and is based on Procera Networks' technologies.
Captive Portal: This is used to achieve user authentication before they could use the network resources. It's available for free.
Firewall: This provides the ability to block certain ports, IP addresses, and protocols from accessing the network. It's open source and free under GPL.
Intrusion Prevention: This scans the incoming traffic for malicious traffic and stops it. It's based on the Snort project and is available for free.
Ad Blocker: This is used to prevent sites' advertisements and cookies. It's free and based on the Adblock Plus project.

The Untangle services are as follows:

Reports: This provides summarized details of the Untangle NGFW events. It's open source and free under GPL.
Policy Manager: This allows the creation of different policies for different users, or in other words creating other virtual racks. It's a paid application.
Directory Connector: This is a paid application that provides integration with Microsoft Active Directory and Radius servers, which allow Untangle NGFW to set rules and provide access based on the usernames and group membership.
WAN Failover: This is a paid application that allows an uninterrupted Untangle NGFW WAN service as it moves traffic to/from a failed WAN NIC to other NICs.
WAN Balancer: This allows the use of multiple ISPs to provide a higher bandwidth for your network. It's a paid application.
OpenVPN: This provides free SSL-based VPN services based on OpenVPN.
IPsec VPN: This is a paid application that provides IPsec-based VPN.
Configuration Backup: This is a paid application that automatically backs up Untangle NGFW to the Untangle cloud.
Branding Manager: This allows you to customize how Untangle NGFW looks. It's a paid application.
Live Support: This is a paid application that allows you to profit from the Untangle official support.

In addition to the preceding services, there is the Shield module, which runs on the Untangle platform level, which protects against the DoS attacks.

A concept that is worth being discussed here is the false positive and false negative alarms, as the different applications scan the traffic they would generate alarms. The false positive alarm means that the application has classified the traffic to be a malicious traffic while it's a legitimate traffic. This would result in a lot of overhead for the firewall administrator to review all these incorrect alarms.

The false negative alarms means that the application couldn't detect malicious traffic and classified it as legitimate traffic. This is the most dangerous type of alarm as this implies that the traffic has already entered your network and the attack may have been done.

Untangle packages

You can use and buy individual applications or use packages, which are a complete set of applications. Untangle, Inc. provides two packages: the free and the complete one. The free package includes all the free applications and services, while the complete package includes all the paid applications in addition to the free ones. The following table summarizes the applications that can be found in each package:

Package name	Free package	Complete package	Notes
Web Filter	Untangle open source	zvelo.com
Virus Blocker	clamav.net	commtouch.com
Spam Blocker	spamassassin.apache.org	spamassassin.apache.org and commtouch.com
Application Control	l7-filter.clearfoundation.com	proceranetworks.com
Phish Blocker	√	√	Google's safe browsing API
Captive Portal	√	√
Firewall	√	√
Intrusion Prevention	√	√	snort.org
Ad Blocker	√	√	adblockplus.org
Reports	√	√
OpenVPN	√	√	openvpn.net
Web Cache		√	www.squid-cache.org
Bandwidth Control		√
HTTPS Inspector		√
Policy Manager		√
Directory Connector		√
WAN Failover		√
WAN Balancer		√
IPsec VPN		√
Configuration Backup		√
Branding Manager		√
Live Support		√

Licensing Untangle

For free applications and free package, all you have to do is to create an Untangle account and download and install the applications or the package. For the paid applications and package, you will have to buy them. Untangle, Inc. offers monthly or annual subscription for its applications. The charges differ depending on the number of devices that Untangle NGFW will serve.

Note

Appliances are not licensed by the number of devices behind it; instead they are licensed based on the appliance's capabilities. You could use the appliance for any number of users, but you may notice performance degradation if the number of users exceeded the recommended number as the appliance hardware specifications are related to the number of users.

Untangle, Inc. will charge you based on the total number of unique IPs in your internal network. Untangle uses the classes method for their charging method. The available classes are: 1-10, 11-50, 51-150, 151-500, 500-1500, and 1501+.

Untangle, Inc. says that their customers prefer this method as they get a wide range of user licenses, which allows them to dynamically increase and decrease the number of computers inside the network. The disadvantage of this method is, for example, if you have 51 users, you'll need to purchase the 51-150 class and not the 11-50 class.

Note

Bypassed devices (traffic from these device won't pass through the UVM) will not count. An example of bypassed traffic would be a printer that needs Internet access, and scanning traffic to it won't be necessary.

If you are using Spam Blocker and the number of scanned e-mail addresses is bigger than the number of devices IPs, Untangle will charge you based on the number of e-mail addresses.

The subscriptions are per Untangle NGFW server, so if you have three servers on your network and each server will run the complete package, you'll need to purchase three complete package subscriptions.

Note

If you deployed two Untangle servers in the high availability mode, which is active/passive, you will need to purchase licenses for both servers.

Reviewing the change log

This section will cover the changes Untangle had from version 9.4.2 till version 10.2.1, which will be a good reference for readers with previous experience with Untangle. Untangle Version 10 had many major architectural changes. Thus, there is no upgrade path from version 9.x to version 10.x. A list of important changes is as follows:

Untangle is now based on Debian 6.0 (squeeze) and 2.6.32 kernel. This should result in slightly better hardware support.
The networking interface (where the users can configure network related settings) has been improved. If Untangle has more than 2 NICs, any additional interface will be disabled (which was not the default behavior earlier). In older versions, an Untangle user was not able to change any interface name.
Untangle Interfaces could now be configured with IPv6; however, the applications could not process the IPv6 till now. More information is available at http://wiki.untangle.com/index.php/IPv6.
HTTPS Inspector is a new application that allows Untangle NGFW to decrypt and scan the HTTPS traffic as HTTP-traffic.
Attack Blocker has been moved into the Untangle platform and can now be configured under the Shield tab located at Config | System.
Spyware Blocker has been merged with Ad Blocker and the remaining obsolete functionality has been removed.
Add the ability to set routes rules based on the port number and OS type in the WAN Balancer module.
OpenVPN now has a new simplified implementation (earlier the steps to configure it were too complex).
POP and IMAP scanning functionality has been removed from the platform due to rare of unencrypted POP and IMAP across WAN links and the delay caused by scanning.
For versions before 10.1, the application was downloaded from the Internet after installing Untangle. Now, Untangle NGFW comes with the applications preinstalled.
Beginning from version 10.1, Untangle NGFW could run in high availability mode, where the high availability mode is failover and not load balancing.
Some enhancements in the memory utilization used by applications (such as Virus and Spam Blocker) while they're not scanning any traffic.
Beginning from version 10.2, IPsec VPN now supports L2TP for remote access.
A new application for the Directory Connector that can be installed on domain controllers to monitor the login event logs and report them to Untangle is now available.
The DHCP Server and DNS Server tabs moved from Network | Advanced to Network.
Version 10.2.1 includes minor hotfixes such as fixing problems caused by HTTPS Inspector to Dropbox clients.

At the time of writing this book, Untangle announced the approach to release version 11.0, which is based on Debian wheezy (7.6) and the 3.2.0 kernel. It also comes with new commercial technologies for the Virus Blocker and Spam Blocker for better performance and efficacy.

Tip

This book should be enough for you to deal with the new version. As the book provides the theory behind each module, you'll be able to configure the modules regardless of any changes to the modules' GUI or their underlying technologies.