  1. #1
    Newbie
    Join Date
    Dec 2009
    Posts
    1

    How is untangle not a massive security hole?

    Am I missing something?

    The product can be installed, but not really used, without establishing an account with the company. That company then has complete access to the security system, and openly admits that they modify the software when they feel is appropriate. There are many environments where once software is installed, it cannot be changed without a long recertification process.

    How can a security system be a security system when 3rd party sources have access to the system? This is against multiple security standard principles. It seems like the product is only suitable for low security situations.

    Tell me I'm somehow missing something, and the product is somehow secure? If not, how can you have a security product with a potential known back door waiting to be compromised?

    This really isn't a troll. It's a legit question. I'd love to evaluate this for my environment, but I'd never be able to get it certified (as I understand it).

  2. #2
    Untangle Ninja
    Join Date
    Jan 2009
    Posts
    1,186

    What specifically are you talking about?
    What massive security hole?

    Module Updates?

    There isn't a security appliance I've run across that offers this many functions without updating, because with updates for the ever-changing environment, the unit's effectiveness would quickly taper off as exploits progressed.

  3. #3
    Master Untangler
    Join Date
    Oct 2008
    Posts
    141

    Are you talking about the support features?

    [ ] Allow secure access to your server for support purposes.

    [ ] Send data about your server for support purposes. This will send status updates and an email if any unexpected problems occur, but will not allow support secure access to your server. No personal information about the network will be transmitted.

    They are opt-in features.

  4. #4
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,050

    The only way to give Untangle access to your system is to "allow secure access to support"

    And forcing you to register is one way to keep the upgrade system working.
    As they push out the updates to a couple of "keys" every time.

    And to my knowledge all UTM devices have one or more update services for signatures.

    And if you don't want your system to change you always have the option to turn off the updates.

    Heck, it is even open source, so you can even go through the whole system and search for hidden stuff.

    Give Cisco a call and see if you can do the same on their OS.

  5. #5
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    you guys are full of it. we read your email all the time!
    muhahahahaha



    sorry I couldn't resist.

    They are correct - the settings for Untangle's control over your box are totally under your control and the defaults are fairly conservative (only updates).
    IMO, this is what most users want. But you are free to turn off auto-upgrades. The only thing you can't turn off is signature updates (which don't come from us usually anyway)

    You don't have to register to download apps just buy them - maybe you're talking about the step in the setup wizard?
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,542

    Untangle's automatic update feature is a documented security problem. However, it is a security problem that exists with any product that automatically applies software updates. This applies to Windows server and desktop OSs, Mac server and desktop OSs, and more and more systems of every type, shape and size.

    Somewhere along the line, most of us that deal with these issues figured out that the dynamic nature of security requires a dynamic solution. The most reasonable dynamic solution is to have a trusted vendor take care of one threat vector while building relationships with others to cover the rest. This is where automatic updates come into play.

    Untangle by default has the SSH service disabled, it also doesn't allow for remote administration via http or https. It doesn't allow for anonymous usage statistics collection, nor does it allow untangle corporate employees to access the installation.

    What it does allow by default is access to the Untangle web farm. The farm is running a web server that hosts the APT repositories responsible for maintaining the Untangle software. Untangle installations are configured to go against this SSL enabled web back end to get AV/Spam/Spyware updates, and software updates as they become available.

    All of this behavior is customizable, and because the administrator of the unit is allowed at the Linux under the hood, it is trivial to use default Linux software to monitor the box outside of the Untangle scope and ensure the unit fits within established security guidelines.

    All other behaviors are simply configurable. If you have a specific question about how the appliance works within a given context, ask these forums. There are many here that are willing to give you the information you seek.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
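
    The kind of outside-the-product check post #6 describes, as an added example that is not part of the original thread and is not Untangle code: two shell functions that compare listening TCP services and APT repository lines against a site baseline. The approved port list and the `example.com`/`example.net` host names are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: baseline checks run from the appliance's underlying Linux.
# Live use: ss -ltn | check_listeners "443"
#           cat /etc/apt/sources.list | check_sources "updates.example.com"

# Read `ss -ltn` output on stdin; report non-loopback listeners whose port
# is not in the comma-separated approved list ($1).
check_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4; port = addr; sub(/.*:/, "", port)
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            if (!(port in ok)) print "UNAPPROVED_LISTENER " addr
        }'
}

# Read APT source lines on stdin; report repositories not fetched over
# https or whose host is not in the comma-separated approved list ($1).
check_sources() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "deb" || $1 == "deb-src" {
            uri = ""
            for (i = 2; i <= NF; i++) if ($i ~ /:\/\//) { uri = $i; break }
            if (uri == "") next
            scheme = uri; sub(/:\/\/.*/, "", scheme)
            host = uri; sub(/^[^:]*:\/\//, "", host)
            sub(/\/.*/, "", host); sub(/:.*/, "", host)
            if (scheme != "https") print "PLAINTEXT_REPO " uri
            if (!(host in ok)) print "UNKNOWN_REPO_HOST " uri
        }'
}

# Constructed sample input (not captured from a real appliance).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_SOURCES='# constructed repository list
deb https://updates.example.com/stable stable main
deb http://updates.example.com/stable stable main
deb [arch=amd64] https://mirror.example.net/debian stable main'

printf '%s\n' "$SAMPLE_SS" | check_listeners "80,443"
printf '%s\n' "$SAMPLE_SOURCES" | check_sources "updates.example.com"
```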

  7. #7
    Untangler mikepb's Avatar
    Join Date
    Oct 2009
    Posts
    49

    I was wondering what the OP was talking about..... My system does not allow UT folk in. My system does not allow modifications to the code without my explicit approval. I do work somewhere, now, that would never allow UT on their network. But it is because they cannot review the source code or they don't think the Vendor has deep enough pockets if something goes wrong.
    Michael P. Brininstool, CISSP
    OLD Unix Geek
    OLD Network Engineer
    Untangle noob!

  8. #8
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,375

    Quote: Originally posted by CuriousNoob
    Am I missing something?

    The product can be installed, but not really used, without establishing an account with the company. That company then has complete access to the security system, and openly admits that they modify the software when they feel is appropriate. There are many environments where once software is installed, it cannot be changed without a long recertification process.

    How can a security system be a security system when 3rd party sources have access to the system? This is against multiple security standard principles. It seems like the product is only suitable for low security situations.

    Tell me I'm somehow missing something, and the product is somehow secure? If not, how can you have a security product with a potential known back door waiting to be compromised?

    This really isn't a troll. It's a legit question. I'd love to evaluate this for my environment, but I'd never be able to get it certified (as I understand it).

    Untangle is open source. If you like, download the source, edit and modify it, compile, and install. Do Cisco, Microsoft, Fortinet, Barracuda, and many others offer this?
    For example, do you know for sure what tasks svhost runs on your Windows systems? I don't know, or WGA or many other processes and tasks.
    Who is your certifying authority? The market? Yourself?
    From my point of view the only secure computer is a Commodore 64, in a bunker 30 feet underground, and without any connection to the world, but not too useful.
    OK, OK, I need my anti-paranoia pills, I know.

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,542

    *Off Topic*
    If you have svhost.exe processes and you can't figure out what they are, it's time for you to do a google for process explorer.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #10
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,375

    Quote: Originally posted by sky-knight
    *Off Topic*
    If you have svhost.exe processes and you can't figure out what they are, it's time for you to do a google for process explorer.

    Which of all the svhost processes? PID 333, 1030, 2355?
