Disclaimer: This is not a Windows app specifically, but there is an Untangle build for Windows. In this article, I will be talking about the Linux-based Untangle appliance OS.
You ever get the feeling that the big security companies are conspiring against us? You know what I mean; new viruses and malware are released and you just need to have the shiny new hardware appliance to plug into your rack to keep it all out, right?
If you are a small (or heck, let’s face it, medium too) IT shop, you know it’s hard to budget for those items like a decent spam blocker, new firewall, or a web filter. Rejoice my friends, here’s a free offering that can help you along the path of a secure Internet and keep those nasties at bay.
Untangle is an open-source project based on the Debian Linux Kernel which allows you to easily (and I mean EASILY) plug in new virtual security appliances to your network with hardly a dime spent.
My test setup:
- HP dc7100 Ultra-Slim form factor PC with 768Mb RAM, 3.0Ghz Intel HT and 40Gb Hard Disk
- 1 x 1Gb internal LAN adapter (inside interface)
- 1 x 100Mb PCI LAN adapter (external interface)
- 4-port NetGear switch
Download and install
Downloading the ISO was a cinch (as they all are, right?) from Untangle’s website. I burned the image to a disc using CDBurnerXP. I then booted the disc in the 7100 and ran the installation using the install wizard, usually accepting all defaults - - again, this was not a difficult install at all.
Once the installation was completed, I was presented with a screen to configure my network adapters (you’ll need two for a bridged/internal and external interface). You’ll be prompted at this point to decide whether you want to set the Untangle OS up as a DHCP server or not – most likely, you probably won’t, but in my scenario (for public kiosk stations), I did.
The interface
The entire OS interface is essentially a wallpaper and a series of buttons at the bottom of the screen which allow you to do a few basic things like shutdown, restart, change resolution, etc. – however, the button with real power here is the ‘Start Untangle Client’ button.
Once opened, Untangle presents you with an empty (think 2-post) “rack”. To get started with new applications and functionality, you simply browse and install them from the left-hand pane. Once again – the install is as simple as a single click. When you find and click on your app of choice, you then click ‘download’, the appliance will download in the background and install itself into the rack when it is done. Alright, so I guess that’s two clicks…
Open Source and Paid
A word of warning: Untangle has an Open-Source and paid category of appliances. They are all listed together on the left, but you can download all the freely available apps in a package by downloading the ‘Open Source Package’ at the top of the left-hand pane (the picture above doesn’t show it, since I had already downloaded it). Once this is done, all the free appliances will show up with an ‘install’ link instead of ‘more info’. Kind of an easy way to separate the two.
Of course, the Open-Source apps aren’t quite as nice as the paid versions in some cases, but they aren’t anything to sneeze at either.
Hardware layout:
In my setup, the PCs are connected to the NetGear switch, which is plugged into the internal interface on the Untangle box. The external interface is then plugged into the Comcast cable modem.
Kiosks, those dirty little computers…
Like I mentioned before, we have a few kiosks here at work, and their primary focus is to log on to our patient portal, fill out some surveys, and perhaps log into the patient’s webmail to retrieve some important information from our system.
As far as the kiosk OS configuration goes, another of our technicians had installed the Microsoft Windows SteadyState software on them, which essentially “freezes” the configuration, disallowing anyone from making any changes to the system (akin to Deepfreeze) upon system restart. If you run public computers, you should check it out.
These PCs are connected to a shared Comcast Internet connection, which are not connected to our production network in any way, so as such, they are not part of our system-wide policies or filters (or firewall, for that matter).
Now, these computers are pretty safe, since they are running with a SteadyState configuration – however, there is still the problem of potential misuse by the occasional child-of-a-patient-waiting-in-the-lobby scenario.
Web filter
For the purposes of this post, I’ll chat a little about the ‘Web Filter’ appliance, which was the primary reason for our test at work.
Our Untangle box is replacing the D-Link router that was previously configured (basically acting as a DHCP server and rudimentary firewall). We configured Untangle so that we were running a DHCP server and set the internal interface to bridge to the external interface (set for a dynamic address to be assigned by Comcast’s connection).
After that, we installed the Open-Source Web Filter appliance (and a few others!).
Now, let me say that the Open Source Web Filter is pretty no-frills, but it will do exactly what some people want; global blocking of websites. With that said, you can specify certain categories you wish to block or merely log – you know, the usual suspects: gambling, social networking, pornography, hacking, etc. You can also specify sites in particular you wish to allow or block.
In the regular Open-Source version, you can’t block or allow certain people by groups or username, but you can do it by IP address. To me, this isn’t realistically feasible for most shops, as they are typically DHCP, but perhaps blocking by range may work…
On a side note, there is an AD Connector appliance you can install to aid with user policy mapping, but it isn’t free, so alas, I couldn’t really speak to this. Some people may really need this so there is true auditing capability, but then again, many businesses might be OK with just simple blocking (as long as the stuff is being blocked, right?).
Quick test: Network admin vs. pre-adolescent boy or ‘tweaking the settings right away’
As with any web filtering tool, there is some logging available, which is a necessity to review in your early implementation phase so you can tweak the settings accordingly. In my case, I had to block ‘www.freeonlinegames.com’. So, you’ll see that while the built-in filters are good, they aren’t 100%…as such, you may want to review them occasionally to look for anything that slips through the cracks.
When I saw that the freeonlinegames website was being passed, I took a quick trip by the kiosks, and noticed that yep – there was a slouching 10-year old boy happily tapping away on the keyboard; playing online games in our lobby. A quick trip back downstairs, a click on the the ‘block lists’ tab and I had him locked out within a minute.
Heh.
Ok, stupid network admin power trip aside, it was reassuring that we can indeed block sites as necessary. Not only does this protect our overall image (who wants to see kids playing games in the lobby of an Orthopedic clinic? Let’s not even think about the nasty websites they might click on and leave on the screen), but it also protects our patient’s privacy.
In addition to the Web-Filter, we installed the firewall, intrusion protection, protocol control (block instant messaging and more), attack blocker and reports appliances. I’ve not been able to fully explore these, but one interesting appliance of note was the Open VPN (set up site-to-site VPNs with two Untangle boxes?)…
So, if you are a small IT shop finding it hard to leverage your favor with the boss to approve the budget for a firewall, web/spam filter or other niche appliances, Untangle might be your answer. At the very least, you can use it to show the benefit of having such a device on your network and get those dollars approved for either the paid appliances or something bigger. At the very least, you can breathe new life into an older PC that may work just fine, but is otherwise sitting around!
Do you use Untangle? If so, let us know in the commments!
4 comments:
Great writeup. This has been on my list of things to play with for some time now. Thanks again.
We really appreciate the work that you do here! Untangle was a great addition to our public kiosk area.
Nice job! We really appreciate the work that you do here! That untangle will make a great addition to the public kiosk area. TAKE THAT USERS!
I like the RSS feeds, but it's been awhile since you posted! Thanks for your articles. This was helpful for me.
Post a Comment