  1. #1
    Untanglit
    Join Date
    May 2017
    Posts
    25

    Default Serious concerns about the way Untangle tracks "active" devices

    Hi all.

    I've been working towards a transition from pfSense to Untangle. However, after reading this (https://forums.untangle.com/installa...-question.html) I'm concerned that the Untangle license mechanism creates serious risk on a network. I'm a SOHO user who paid the $50 and I'm happy to do so. However, I really, really think you guys should strongly consider using a different mechanism.

    As I understand it, any IP which goes through Untangle is considered an "active" device. If that is true, then as an attacker, I know that I only have to generate whatever number of requests (spoofing IP addresses on each one, which as you know is trivial) causes Untangle to think it's over its limit to effectively disable Untangle and open the outbound door, so to speak. This might not be a big concern for many SOHO environments where they let LAN -> ANY, but in a serious environment (or one run by someone who is security conscious ;-) this is a very big concern. Extrusion detection and prevention is equally important to Intrusion detection.

    IMHO, this is a very big risk in moving to Untangle, and one that might prevent me from doing so. I may be paranoid, but I don't consider it overly so.

    Thoughts?

  2. #2
    Master Untangler
    Join Date
    Mar 2009
    Posts
    120

    Default

    Ouch! That'd be a great way for a school kid to get kudos from peers by allowing BYODs to go unfiltered!


  3. #3
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    16,607

    Default

    spoofing some packets is not enough to be considered "active"
    the device has to actually "own" the IP and respond to requests.

    if this is a major concern for you, you can:
    1) just block all traffic from devices that are over your limit by just configuring policy manager and blocking all traffic in the default policy with a firewall rule.
    2) just buy a right-sized appliance with an unlimited-for-that-appliance license, just like most other vendors sell stuff
    Last edited by dmorris; 05-18-2017 at 09:43 AM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Untangler
    Join Date
    Mar 2017
    Posts
    64

    Default

    Hi d1rewolf,
    I'm answering just for the pleasure of discussion, since the topic is interesting per se. I certainly am not an Untangle advocate, I'm just a household user like you, but I daily delve in IT security.

    Now let's talk about serious / security conscious environments, the one you rightly mention. I've never assessed one without redundancy and segregation, just for starters. Consider the typical attack tree of an IP/MAC outbound spoofing scenario:

    - one local admin account has been compromised from the outside (or a privilege escalation of some kind got administrative access on a local compromised box)
    - one local attacker with BYOD machine on a guest subnet/VLAN or
    - one stealth box plugged in a network port

    Let's forget the bottom line for a while: if a malicious administrative process that can forge (as well as monitor and corrupt) network traffic is present in your network, you've got a worse problem anyway. Even if the outbound channel were blocked, I'd simply peruse the legit ones since I can do almost anything else on the local traffic and can propagate laterally in the local network, maybe using authenticated users' proxy access. As I say, let's put this consideration away for a while.

    The aforementioned vectors fall under these considerations:

    - monitoring of traffic before entering the border gw/fwall
    - guest segregations
    - BYOD segmentation and policy

    In a serious environment there wouldn't be a single box monitoring/filtering everything. There would be more than a point of control/segregation/filtering/etc. But in case Untangle was the only one, yes, this could be a problem.

    Please note, though, that I think they're using MAC addresses, too, not just IPs. In fact, if you look at the device tab, you won't see IP addresses. But you can spoof MAC too! Of course, you can. But in any serious/security conscious environment, as soon as the switches I'm attested to see multiple ethernet frames with multiple MACs, the port will be shut down or dynamically segregated. If you permit more than a few (or just one!) MACs on a single port, network security is not that high on the priority list, imho.

    In the hosts tab, they discriminate between active and inactive hosts. The license limits the number of active hosts, as you note (they must traverse Untangle). Now, most network SOCs will be aware in a very short while of MAC/IP spoof storms/bursts in their network, I can assure you.

    But yes, I believe most Untangle customers don't fall in these kinds of security conscious environments. Perhaps Untangle uses (or should use) authenticated user information as well? Core appliances and strictly controlled IoT/network devices could be manually set up, while the human traffic could be categorized (and quantified) with AD/Radius/Captive Portal authentication processes.

    Last, I think the license limits refer to the Apps (and their rules) in the racks you define. Probably the usual iptables rules in Config->Network->Advanced->Filter Rules->Forward Filter Rules would still apply.

    All of this apart, I'm curious as well. Let's see some other replies.
    doc
    Last edited by docfuz; 05-18-2017 at 10:34 AM.

  5. #5
    Untangler
    Join Date
    Mar 2017
    Posts
    64

    Default

    Quote Originally Posted by dmorris:
    spoofing some packets is not enough to be considered "active"
    the device has to actually "own" the IP and respond to requests.
    Well, if the switches let the spoofed traffic arrive at Untangle, they will let the attacker see the requests and reply to them. But as I said in the other message, this requires another process/mechanism to be controlled and enforced. It shouldn't be in the TODO list of the border gateway anyway.

    Quote Originally Posted by dmorris:
    if this is a major concern for you can:
    1) just block all traffic from devices that are over your limit by just configuring policy manager and blocking all traffic in the default policy with a firewall rule.
    This is interesting. In my current configuration, every device that hasn't got a username is pushed to a blackhole rack that simply drops everything. I'm doing this for another purpose, but you're saying that it implicitly resolves the OP's concern, did I understand? So if a host is not routed to the external interface (e.g. blocked by the Firewall app) it is not considered active? Good.

    doc

  6. #6
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    16,607

    Default

    Yes, the device must complete a tcp connection to a WAN address. The connection must be scanned and not blocked. Also the client must complete the connection, that means responding to ARP and the SYN/ACK response from that IP.

    Yes, another approach is to control which devices or hosts or users are allowed on the network.
    You can do this manually, or with tags, or with captive portal or any number of ways.
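As an added illustration (my own code, not Untangle's): a small Python model of the counting rule dmorris describes, where a host is "active" only if it completed a TCP connection to a WAN address that was scanned and not blocked. It assumes a 192.168.1.0/24 LAN and a limit of 5 hosts, and the flow records are constructed.

```python
# Added example, not Untangle's code: models the "active host" rule from this
# thread. A host counts only if it completed a TCP connection to a WAN address
# (answered ARP and the SYN/ACK) and the connection was scanned, not blocked.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("192.168.1.0/24")]  # assumed LAN; anything else is WAN
HOST_LIMIT = 5                              # assumed license limit


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    completed: bool   # client finished the 3-way handshake (so it answered ARP)
    blocked: bool     # dropped by a firewall/policy rule, so never scanned


def is_active_flow(f: Flow) -> bool:
    src, dst = ip_address(f.src_ip), ip_address(f.dst_ip)
    src_internal = any(src in n for n in INTERNAL)
    dst_internal = any(dst in n for n in INTERNAL)
    if not src_internal or dst_internal:   # must be LAN -> WAN
        return False
    return f.proto == "tcp" and f.completed and not f.blocked


def naive_hosts(flows):
    """What the OP feared: every source IP seen through the box counts."""
    return {f.src_ip for f in flows}


def active_hosts(flows):
    """The rule dmorris describes."""
    return {f.src_ip for f in flows if is_active_flow(f)}


def over_limit(flows, limit=HOST_LIMIT):
    return len(active_hosts(flows)) > limit


# Constructed sample: two real hosts, one host blocked by a rule, a UDP-only
# host, and a burst of 50 spoofed SYNs that no real device ever completes.
FLOWS = [
    Flow("192.168.1.10", "203.0.113.10", "tcp", True, False),
    Flow("192.168.1.11", "203.0.113.20", "tcp", True, False),
    Flow("192.168.1.12", "203.0.113.30", "tcp", True, True),   # blocked
    Flow("192.168.1.13", "203.0.113.40", "udp", True, False),  # no TCP session
] + [Flow(f"192.168.1.{i}", "203.0.113.50", "tcp", False, False)
     for i in range(100, 150)]

if __name__ == "__main__":
    print(len(naive_hosts(FLOWS)), sorted(active_hosts(FLOWS)), over_limit(FLOWS))
```

Naive counting sees 54 hosts and would trip the limit; the handshake rule sees only the two hosts that genuinely completed a scanned WAN connection.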

  7. #7
    Untangler
    Join Date
    Mar 2017
    Posts
    64

    Default

    Quote Originally Posted by dmorris:
    The connection must be scanned and not blocked.
    Great. In a typical allow some / block everything scenario, this resolves the concern.

    Guests and BYOD should be allowed after authentication only, and different spoofed MAC/IP address processes that can reply to ARP and complete outbound TCP segments would not be authenticated (since they have to look as genuine different hosts when their frames reach Untangle internal interface).

    Quote Originally Posted by d1rewolf:
    I really, really think you guys should strongly consider using a different mechanism.
    Such as?
    I'm being curious, mind you, not polemic. Untangle just sees ethernet frames (MAC), IP datagrams, TCP/UDP/XXX headers and data that cannot be semantically trusted anyway, only formally (sometimes). It can associate usernames and higher-level information, but that's it.

    What does pfSense use? Or does it simply not mind, since there is no device limit license-wise?

    doc

  8. #8
    Untanglit
    Join Date
    May 2017
    Posts
    25

    Default

    Thanks for the discussion guys. I'm relieved that this can be handled through a combination of configuration settings.

    docfuz, regarding pfSense, there is no license at all (completely open source) so you don't face the same concern.

    Anyway, this gives me the comfort I need to transition with peace of mind.

    Thanks guys.

    John
