Untangle Network Security

By: Abd El Monem A Mohamed El Bawab
Introducing Untangle NGFW


Untangle NGFW is the simplest firewall you will ever use. Untangle Inc. really has done a very good job of simplifying the graphic interface and customizing the firewall settings to suit most companies' needs. Untangle NGFW is a network security device that is placed at the network edge to scan traffic and protect the network from threats. Let's define NGFW, but before doing so, we need to clarify some related terms that are often confused with it:

  • Firewall: This blocks traffic based on the predefined port and IP-based policies.

  • Stateful firewall: The firewall sets a stateful table that remembers the user's traffic. The firewall will block all traffic initiated from outside the network and not by an internal user. If the incoming traffic was requested by the internal user (which is determined based on the stateful table), the firewall will allow this traffic.

  • Proxy: The user sends traffic to the proxy, which will send the traffic to the external world on behalf of the user. The incoming traffic will be ended on the proxy, which will forward it to the appropriate user. As the traffic passes through the proxy, the proxy could scan the traffic and implement policy control based on the IP address, user ID, and so on.

  • Security gateway: This is also known as application aware firewall or layer 7 firewall. This has the ability to look at the application layer while the traffic passes through it to identify and stop the threats.

  • Unified Threat Management (UTM): Instead of buying multiple security devices with different roles and putting them in series (for example, an IPS device and a spam-filtering device), you can buy a UTM that combines all these roles into one device.

  • NG firewall: While a UTM simply collects services together, an NGFW has additional characteristics, as defined by Gartner:

    • The UTM collocates security services under a single appliance, whereas NGFW integrates them. For example, in a UTM, the packet is scanned by the firewall role, then passed to the IPS role and finally to the antivirus role, whereas in an NGFW the firewall is integrated with the IPS, antivirus, and so on, resulting in a single-pass engine (that is, the packet is scanned against the different rules simultaneously).

    • It includes the first-generation firewall capabilities, for example, network address translation (NAT), stateful protocol inspection, virtual private networking (VPN), and so on.

    • It has an integrated signature-based IPS engine.

    • Application awareness, full-stack visibility, and granular control.

    • The ability to set directory-based policies (for example, policies based on Microsoft Active Directory group membership).

    • The ability to decrypt and scan HTTPS traffic.

Based on Gartner's definition, we could say that every NGFW is necessarily a UTM, but not every UTM is an NGFW. So, our Untangle product is a next generation firewall as it perfectly meets the Gartner definition.
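To make the difference between the first two terms concrete, here is an added example (not code from the book or from Untangle) that simulates the state table described above. An internal host opening a connection creates an entry; the reply from outside is allowed only because the reversed 5-tuple matches that entry; unsolicited inbound traffic is dropped. A plain port-based filter is shown alongside for contrast: to let replies back in it must open a whole source port, so a packet that merely looks like a reply also gets through. The internal network, the packet class and the four sample packets are constructed for this illustration.

```python
"""Stateful versus stateless packet filtering, modelled on the definitions above.

Constructed example: INTERNAL_NET, the Packet class and the SCENARIO packets are
assumptions for illustration, not values from any real deployment.
"""
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed internal LAN


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulFirewall:
    """Allows traffic initiated from inside and the replies to it; drops the rest."""

    def __init__(self, internal_net=INTERNAL_NET):
        self.internal_net = internal_net
        self.state = set()  # state table: 5-tuples of flows opened by internal hosts

    def _is_internal(self, ip):
        return ipaddress.ip_address(ip) in self.internal_net

    def process(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if self._is_internal(pkt.src_ip) and not self._is_internal(pkt.dst_ip):
            # outbound: an internal user opens a connection, remember it
            self.state.add(key)
            return "allow"
        if reverse in self.state:
            # inbound packet is the reply to a flow an internal host started
            return "allow"
        # unsolicited inbound traffic (or anything unmatched) is blocked
        return "drop"


def stateless_filter(pkt, rules):
    """First-match rule list of (src_port or None, dst_port or None, action)."""
    for src_port, dst_port, action in rules:
        src_ok = src_port is None or pkt.src_port == src_port
        dst_ok = dst_port is None or pkt.dst_port == dst_port
        if src_ok and dst_ok:
            return action
    return "drop"


# Constructed traffic: outbound HTTPS request, its reply, an unsolicited SSH
# attempt from outside, and an inbound packet from port 443 that matches no
# open flow (wrong destination port).
SCENARIO = [
    Packet("10.0.0.5", 51234, "203.0.113.10", 443),
    Packet("203.0.113.10", 443, "10.0.0.5", 51234),
    Packet("198.51.100.7", 40000, "10.0.0.5", 22),
    Packet("203.0.113.10", 443, "10.0.0.5", 51235),
]


def run_stateful():
    fw = StatefulFirewall()
    return [fw.process(p) for p in SCENARIO]


def run_stateless():
    # To admit replies, a stateless filter has to allow every packet whose
    # source port is 443, which also admits the unmatched fourth packet.
    rules = [(None, 443, "allow"), (443, None, "allow")]
    return [stateless_filter(p, rules) for p in SCENARIO]


if __name__ == "__main__":
    print("stateful :", run_stateful())
    print("stateless:", run_stateless())
```

The fourth packet is where the two approaches diverge: the stateful filter drops it because no internal host opened a flow to port 51235, while the port-based rule set has no way to tell it apart from a legitimate reply.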

Note

Keep in mind that Untangle scans the traffic while it passes through the device, thus it's not a proxy device.

Untangle NGFW is based on the Debian distro. Untangle NGFW includes the basic networking functionalities such as providing DNS, DHCP, NAT, and static routing. It also provides additional modules to provide antivirus, antispam, and antiphishing solutions. The complete set of Untangle modules will be covered in the next section.

Untangle has two operation modes. It can run as the primary firewall, which is the preferred mode for Untangle NGFW, or it can run behind another firewall. The second mode is useful if you already have a firewall in place and don't want to risk the headache of removing it, or if the other firewall provides a functionality that Untangle NGFW does not, such as Data Loss Prevention (DLP).

Untangle NGFW modules

In this section, we will see the modules provided by Untangle NGFW to achieve network security and control.

Untangle NGFW can be divided into the kernel, Untangle VM (UVM), and Apps. The UVM controls all the routing and networking functions of Untangle. In addition, any traffic directed to the Untangle NGFW itself is processed by the UVM. The additional functionalities (such as antivirus and antispam) are provided by the modules (Apps), which run inside the UVM.

Untangle NGFW uses the concept of virtual racks; a virtual rack is a set of modules, and different virtual racks can be assigned to different users. Untangle NGFW has two types of modules, applications and services, distinguished by how they relate to virtual racks.

Applications are unique to each rack. Thus, one rack can include the antivirus application while another doesn't, or one rack can include an antivirus application that scans .exe files while another rack scans all other extensions except .exe files.

Services are shared between racks. So if we configure Untangle NGFW to integrate with Microsoft Active Directory, all virtual racks can benefit from that.

The Untangle applications are as follows:

  • Web Filter Lite: This is used to block access to certain websites such as social networking, spyware, and malicious websites. It's open source and free under GPL.

  • Web Filter: This is a paid application based on zVelo technologies, which has many more features than the Lite version.

  • Virus Blocker Lite: This is used to protect against viruses. It's based on the open source ClamAV project and it's provided by Untangle for free.

  • Virus Blocker: This is a paid version based on Commtouch, which is an effective antivirus engine for network gateways.

  • Spam Blocker Lite: This is used to protect against spam. It's based on the open source SpamAssassin project and it's provided by Untangle for free.

  • Spam Blocker: This is a paid version that uses an additional anti-spam database based on the cloud services from Commtouch, besides the SpamAssassin project.

  • Phish Blocker: This is used to prevent phishing sites and e-mails. It's open source and free under GPL.

  • Web Cache: This is used to enhance the user experience by caching parts of websites, so the websites load faster the next time a user requests them. It's a paid application that is based on the Squid project.

  • Bandwidth Control: This is a paid application that is used to control bandwidth utilization by allowing higher-priority traffic to use more bandwidth than lower-priority traffic.

  • HTTPS Inspector: This is used to allow Untangle to scan encrypted HTTPS traffic. It's a paid application.

  • Application Control Lite: This is used to block certain applications such as IM and BitTorrent applications from accessing the Internet. It's open source and free under GPL.

  • Application Control: This provides better application detection and a larger database than the lite version. It's a paid version and is based on Procera Networks' technologies.

  • Captive Portal: This is used to achieve user authentication before they could use the network resources. It's available for free.

  • Firewall: This provides the ability to block certain ports, IP addresses, and protocols from accessing the network. It's open source and free under GPL.

  • Intrusion Prevention: This scans the incoming traffic for malicious traffic and stops it. It's based on the Snort project and is available for free.

  • Ad Blocker: This is used to block website advertisements and cookies. It's free and based on the Adblock Plus project.

The Untangle services are as follows:

  • Reports: This provides summarized details of the Untangle NGFW events. It's open source and free under GPL.

  • Policy Manager: This allows the creation of different policies for different users, or in other words, creating additional virtual racks. It's a paid application.

  • Directory Connector: This is a paid application that provides integration with Microsoft Active Directory and RADIUS servers, which allows Untangle NGFW to set rules and provide access based on usernames and group membership.

  • WAN Failover: This is a paid application that allows uninterrupted Untangle NGFW WAN service, as it moves traffic to/from a failed WAN NIC to the other NICs.

  • WAN Balancer: This allows the use of multiple ISPs to provide a higher bandwidth for your network. It's a paid application.

  • OpenVPN: This provides free SSL-based VPN services based on the OpenVPN project.

  • IPsec VPN: This is a paid application that provides IPsec-based VPN.

  • Configuration Backup: This is a paid application that automatically backs up Untangle NGFW to the Untangle cloud.

  • Branding Manager: This allows you to customize how Untangle NGFW looks. It's a paid application.

  • Live Support: This is a paid application that allows you to benefit from Untangle's official support.

In addition to the preceding services, there is the Shield module, which runs at the Untangle platform level and protects against DoS attacks.

A concept worth discussing here is false positive and false negative alarms, since the different applications generate alarms as they scan the traffic. A false positive alarm means that the application has classified legitimate traffic as malicious. This results in a lot of overhead for the firewall administrator, who has to review all of these incorrect alarms.

A false negative alarm means that the application failed to detect malicious traffic and classified it as legitimate. This is the most dangerous type of alarm, as it implies that the traffic has already entered your network and the attack may already have been carried out.
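The following added example (not from the book or from Untangle) shows how an administrator would actually count the two alarm types. A constructed set of request lines, each labelled as malicious or benign, is run through a toy substring-signature detector with two signature sets, one strict and one broad, and the outcomes are tallied as true/false positives and negatives. The request lines, labels and signature lists are all constructed for the illustration.

```python
"""Counting false positive and false negative alarms for a toy detector.

Constructed example: SAMPLES and SIGNATURES are illustrative assumptions, not
real Untangle rules or captured traffic.
"""

# (request line, is_malicious) pairs, labelled by hand for the exercise
SAMPLES = [
    ("GET /index.html", False),
    ("GET /login?user=admin' OR 1=1--", True),
    ("POST /upload file=invoice.exe", True),
    ("GET /downloads/setup.exe", False),      # legitimate installer download
    ("GET /search?q=select+a+plan", False),   # contains 'select' but is benign
    ("GET /cmd.exe?/c+dir", True),
]

# Two signature sets: the broad one catches more but also fires on benign text.
SIGNATURES = {
    "strict": ["' OR 1=1", "cmd.exe"],
    "broad": ["' OR 1=1", ".exe", "select"],
}


def detect(payload, signatures):
    """Raise an alarm if any signature appears in the payload (case-insensitive)."""
    text = payload.lower()
    return any(sig.lower() in text for sig in signatures)


def score(samples, signatures):
    """Tally each sample into tp / fp / tn / fn against its hand label."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for payload, malicious in samples:
        alarm = detect(payload, signatures)
        if alarm and malicious:
            counts["tp"] += 1
        elif alarm and not malicious:
            counts["fp"] += 1   # false positive: benign traffic flagged, admin overhead
        elif not alarm and malicious:
            counts["fn"] += 1   # false negative: attack passed through undetected
        else:
            counts["tn"] += 1
    return counts


def rates(counts):
    """Return (false positive rate, false negative rate); 0.0 when undefined."""
    benign = counts["fp"] + counts["tn"]
    malicious = counts["fn"] + counts["tp"]
    fp_rate = counts["fp"] / benign if benign else 0.0
    fn_rate = counts["fn"] / malicious if malicious else 0.0
    return fp_rate, fn_rate


if __name__ == "__main__":
    for name, sigs in SIGNATURES.items():
        c = score(SAMPLES, sigs)
        print(name, c, "fp_rate=%.2f fn_rate=%.2f" % rates(c))
```

On this sample set the strict signatures produce no false positives but miss the uploaded executable (one false negative), while the broad signatures catch everything malicious at the cost of two false positives. That is the trade-off the text describes: tuning for fewer false negatives generally raises the review burden from false positives.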

Untangle packages

You can buy and use individual applications, or use packages, which are complete sets of applications. Untangle, Inc. provides two packages: the free one and the complete one. The free package includes all the free applications and services, while the complete package includes all the paid applications in addition to the free ones. The following table summarizes the applications that can be found in each package, and the project or vendor each one is based on:

Application          | Free package                  | Complete package
---------------------|-------------------------------|------------------------------------------
Web Filter           | Untangle open source          | zvelo.com
Virus Blocker        | clamav.net                    | commtouch.com
Spam Blocker         | spamassassin.apache.org       | spamassassin.apache.org and commtouch.com
Application Control  | l7-filter.clearfoundation.com | proceranetworks.com
Phish Blocker        | Google's safe browsing API    | Google's safe browsing API
Captive Portal       | included                      | included
Firewall             | included                      | included
Intrusion Prevention | snort.org                     | snort.org
Ad Blocker           | adblockplus.org               | adblockplus.org
Reports              | included                      | included
OpenVPN              | openvpn.net                   | openvpn.net
Web Cache            | not included                  | www.squid-cache.org
Bandwidth Control    | not included                  | included
HTTPS Inspector      | not included                  | included
Policy Manager       | not included                  | included
Directory Connector  | not included                  | included
WAN Failover         | not included                  | included
WAN Balancer         | not included                  | included
IPsec VPN            | not included                  | included
Configuration Backup | not included                  | included
Branding Manager     | not included                  | included
Live Support         | not included                  | included

Licensing Untangle

For the free applications and the free package, all you have to do is create an Untangle account and download and install the applications or the package. For the paid applications and package, you will have to buy them. Untangle, Inc. offers monthly or annual subscriptions for its applications. The charges differ depending on the number of devices that Untangle NGFW will serve.

Note

Appliances are not licensed by the number of devices behind them; instead, they are licensed based on the appliance's capabilities. You can use an appliance for any number of users, but you may notice performance degradation if the number of users exceeds the recommended number, as the appliance's hardware specifications are sized for that number of users.

Untangle, Inc. will charge you based on the total number of unique IPs in your internal network. Untangle charges in classes of user counts. The available classes are: 1-10, 11-50, 51-150, 151-500, 500-1500, and 1501+.

Untangle, Inc. says that their customers prefer this method as they get a wide range of user licenses, which allows them to dynamically increase and decrease the number of computers inside the network. The disadvantage of this method is that, for example, if you have 51 users, you'll need to purchase the 51-150 class and not the 11-50 class.

Note

Bypassed devices (traffic from these devices won't pass through the UVM) will not count. An example of bypassed traffic would be a printer that needs Internet access, where scanning its traffic isn't necessary.

If you are using Spam Blocker and the number of scanned e-mail addresses is bigger than the number of device IPs, Untangle will charge you based on the number of e-mail addresses.

The subscriptions are per Untangle NGFW server, so if you have three servers on your network and each server will run the complete package, you'll need to purchase three complete package subscriptions.

Note

If you deployed two Untangle servers in the high availability mode, which is active/passive, you will need to purchase licenses for both servers.