It has been some time since I’ve written so I figured I better get on this one while I had a little time. I recently demoed a TippingPoint IPS as a potential security product for my network. I’ll refrain from going into too much detail, but due to budgetary issues we were unable to gain approval for the actual purchase. I was also given a challenge: we had to do something without any money. I’m sure many of you will point out the risks and liability associated with this. I recently read a post on LinkedIn Answers on this very topic. To summarize, when an organization purchases security equipment they transfer some of their risk and liability to the company selling the product. To put it another way, you have someone else to blame when things go wrong. The problem with ‘free’ software is that there is no one else to blame, no technical support to call; you’re on your own. I’ll leave the bantering at that, just know that these are not ideal circumstances and a more ideal solution can be found with a proper budget.
So on to Google I went, with the requirements that it needed to be an inline IPS that was reasonably simple to set up and maintain. Now in the past I’ve used Snort as an IDS and it worked well enough for the particulars of that setup, but I was looking for an inline IPS. So I started searching for inline Snort in IPS mode and many articles came up, but my requirement of a simple setup was far from met. I had to consider that others unfamiliar with Snort or Linux would need to assist in the maintenance of this system. So after some creative searching the Google Gods shined on me and I stumbled upon Untangle. Now there have been many free applications I’ve been impressed with, but Untangle takes the prize. It incorporates both free and paid components into a very simple-to-install framework that even a novice can use.
There are two options for running Untangle, Untangle Server and Untangle for Windows. Untangle for Windows is advertised to run on your desktop PC and will work in environments of 10 or fewer PCs. For my setup I downloaded the Untangle Server, which is said to be ideal for networks with more than 10 people connecting to the Internet. Simply burn the ISO to CD, boot a computer with 2 or more network interfaces, and follow the bouncing ball. Once installed, the system works just like any other security appliance; there is no real need for KVM unless you have an issue. All management is performed through the web interface (which you can also access with KVM if needed).
The Untangle interface resembles a computer room rack and has places for the different components that are available for installation. Installing the different components is very straightforward. You select one on the left side menu and a popup prompts you to download if it’s free or provides pricing information if not. You can also install several components at once by selecting the Open Source or Professional packages. The paid packages are more cost-effective than the individual paid components.
So what does Untangle do? Well, it all depends on what you want it to do. The components that met my needs were Spyware Blocker, Web Filter, Virus Blocker, Intrusion Prevention, Attack Blocker, and Reports, all of which utilize freely available open source software. For example, the Virus Blocker is based on ClamAV and Intrusion Prevention is based on Snort. The other free components are Spam Blocker, Ad Blocker, Phish Blocker, Firewall, Routing & QoS, Protocol Control, and OpenVPN. All the components I installed were very simple to configure and provided a very intuitive and homogeneous interface. The most difficult component to configure was Intrusion Prevention, but only because of the number of signatures available.
The only complaints I have thus far are limitations in the reporting and event logging. The daily and weekly reports are fine for review, but there is no option to generate ad hoc reports. There are also a few limitations in the event log areas. For one, there is an individual event log for each component. A centralized event viewer that displays an event source would be helpful. There are also no filtering options for events; I think it would be helpful to filter based on source or destination address, ports, or some other relevant condition. This would aid in troubleshooting issues. Lastly, the Web Filter doesn’t show which category blocked a specific site. This would come in handy if you’re unfamiliar with a specific site and are unsure what category it falls under. Your organization may react one way if, for example, someone browses to a game site but another if it’s pornography.
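The centralized, filterable event view described above is something an administrator can build outside the appliance from whatever per-component logs can be exported. The script below is an added example written for this post, not Untangle’s own code; the log lines and their `key=value` layout are constructed for the example and are not Untangle’s real log format (which the post does not show). It merges one log per component into a single timeline, tags each event with its source component, and filters by source address, destination address, port or component.

```python
"""Merge per-component IPS/filter event logs into one view and filter them.

All sample data below is constructed for this example. The line format
(timestamp, then key=value fields, then a free-text detail) is invented here
and is not Untangle's actual export format.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional


@dataclass
class Event:
    ts: datetime
    component: str  # which rack component (Intrusion Prevention, Web Filter, ...) produced it
    src: str
    dst: str
    dport: int
    detail: str


# Constructed logs, one list per component, as if each component's event log
# had been exported separately.
SAMPLE_LOGS: Dict[str, List[str]] = {
    "Intrusion Prevention": [
        "2009-02-10 09:15:02 src=192.168.1.25 dst=203.0.113.10 dport=80 detail=WEB-MISC signature match",
        "2009-02-10 09:16:40 src=198.51.100.9 dst=192.168.1.5 dport=22 detail=SSH brute-force attempt",
    ],
    "Web Filter": [
        "2009-02-10 09:15:05 src=192.168.1.25 dst=203.0.113.10 dport=80 detail=blocked category=Games",
        "2009-02-10 09:20:11 src=192.168.1.40 dst=203.0.113.55 dport=443 detail=blocked category=Pornography",
    ],
    "Virus Blocker": [
        "2009-02-10 09:18:30 src=192.168.1.25 dst=203.0.113.20 dport=80 detail=ClamAV detection in download",
    ],
}


def parse_line(component: str, line: str) -> Event:
    """Parse one constructed log line into an Event tagged with its component."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    rest = line[20:]
    # The detail runs to end of line and may contain spaces, so split it off first.
    head, _, detail = rest.partition(" detail=")
    fields = {}
    for token in head.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return Event(ts, component, fields["src"], fields["dst"], int(fields["dport"]), detail)


def merge_logs(logs: Dict[str, Iterable[str]]) -> List[Event]:
    """Combine every component's lines into one list ordered by timestamp."""
    events = [parse_line(comp, line) for comp, lines in logs.items() for line in lines]
    return sorted(events, key=lambda e: e.ts)


def filter_events(events: Iterable[Event], src: Optional[str] = None,
                  dst: Optional[str] = None, port: Optional[int] = None,
                  component: Optional[str] = None) -> List[Event]:
    """Keep only events matching every criterion that was supplied."""
    return [
        e for e in events
        if (src is None or e.src == src)
        and (dst is None or e.dst == dst)
        and (port is None or e.dport == port)
        and (component is None or e.component == component)
    ]


def format_event(e: Event) -> str:
    """One-line rendering for a centralized viewer, source component first."""
    return f"{e.ts:%Y-%m-%d %H:%M:%S} [{e.component}] {e.src} -> {e.dst}:{e.dport} {e.detail}"


if __name__ == "__main__":
    timeline = merge_logs(SAMPLE_LOGS)
    # Everything one internal host did, across all components, in time order.
    for ev in filter_events(timeline, src="192.168.1.25"):
        print(format_event(ev))
```

Running it with a source-address filter shows the kind of cross-component story the individual logs hide: the same host triggering an IPS signature, a Web Filter block and a ClamAV detection within a few minutes, with the Web Filter line carrying the blocking category the post notes is otherwise missing.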
Overall, the developers at Untangle have integrated a number of tools into a nice, simple-to-build appliance. As always, there is room for improvement, but I think they’ve done an excellent job so far. If you have any questions about my experience with Untangle, or if you have any experience yourself, please let me know.