  1. #11 | Newbie | Join Date: May 2020 | Posts: 4

    Quote Originally Posted by sky-knight:
    Yeah, and Untangle is a UTM, not a firewall. There are many things that claim to be a UTM, but aren't. If you're from that old school, then you'll know your OSI model? Watchguard is a layer 2/3 device that has some layer 7 features. Untangle is a layer 7 device that has some layer 2/3 features.

    The way it works is utterly different. And today, on Untangle, the total lockdown module is Web Filter. With SSL Inspector installed and active... And backed up with Application Control, and Bandwidth Control.

    The free Untangle isn't bad; you can see the visibility it provides in Web Monitor's logs. And in there, you'll find your primary shield, the Malware Sites category. Now Monitor can't block these, but Web Filter will. And that engine updates dynamically on the fly. So your systems, once protected by Web Filter, simply can't get to places where viruses propagate. Because again, most of this traffic goes over TCP 443, and since you have blanket TCP 443 and TCP 80 egress rules defined...

    Well, you've already opened the flood gates, so all you're doing with this general block methodology is making more work for yourself. It's not providing you additional security. This is no gain, all loss. If you want to keep beating yourself up over it, you can keep at it... but know that you've just run face first into a massive fault. You have to use IP addresses in the rules, you cannot use DNS names, and the service you're trying to pass is delivered via CDN. Which means you'll never get a complete IP list, and in frustration you'll wind up using an IP range so wide you again may as well disable the block rule at the bottom.

    *Note* This post written by an IT Engineer that used to do exactly what you're doing... I get it, trust me I do. But, I've got years of beating my head against the wall... with the bald spots to prove it! Change course, before you meet the same fate!

    Thanks for the reply. I have many bald spots so I understand, lol. If I'm reading the replies right, all my work should be focused on the Web Filter, SSL Inspector, and App Control apps, and I can probably disable the Firewall app altogether. Sounds reasonable?

  2. #12 | sky-knight (Untangle Ninja) | Join Date: Apr 2008 | Location: Phoenix, AZ | Posts: 24,660

    Quote Originally Posted by SirStiggie:
    Thanks for the reply. I have many bald spots so I understand, lol. If I'm reading the replies right, all my work should be focused on the Web Filter, SSL Inspector, and App Control apps, and I can probably disable the Firewall app altogether. Sounds reasonable?

    I wouldn't turn it off, because it provides a wonderful set of logs. Even if it doesn't block anything, it's still a huge list of TCP and UDP sessions to investigate issues with. But these days I only use it to control access between internal IP ranges, and when I can't find that one problem device in a building somewhere... I just block it entirely, and wait for my phone to ring. It's a handy tool, just not for what firewalls used to be used for.

    It's a new world, and we have to use smarter tools now. And the tools we have are broken half the time... to be point blank, the bad guys are winning right now. But in terms of viruses specifically, Web Filter + Windows Defender = infection-free for 5 years for me.... And that's over my entire client base.

    Web Filter + Threat Prevention... now that's some magic. But not available for homes, and the latter is wound up a little too tight right now! Needs some time to cook!
    Last edited by sky-knight; 05-09-2020 at 07:45 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #13 | Jim.Alles (Untangle Ninja) | Join Date: Jul 2008 | Location: Central PA | Posts: 2,175

    Quote Originally Posted by SirStiggie:
    Thanks for the reply. I have many bald spots so I understand, lol. If I'm reading the replies right, all my work should be focused on the Web Filter, SSL Inspector, and App Control apps, and I can probably disable the Firewall app altogether. Sounds reasonable?

    Reasonable, yes. But you can just remove the "block all" at the bottom instead.

    I use it for troubleshooting and investigating, like Rob.
    I also get unreasonable and use it to block some specific threats.
    For example, I don't want any cloud functions for my security camera's DVR: blocked by internal IP address.
    A tablet that wants to phone home? Blocked by server IP in China.

    I'll get my list cleaned up for public consumption to give an example of what I do with geo blocks (Inbound) - maybe - someday.

    Enjoy!
    Last edited by Jim.Alles; 05-09-2020 at 05:07 PM.

  4. #14 | sky-knight (Untangle Ninja) | Join Date: Apr 2008 | Location: Phoenix, AZ | Posts: 24,660

    Oh yeah, there's that too: if you've got a VLAN full of special devices you want to control, Firewall is great at that.

  5. #15 | Untanglit | Join Date: May 2018 | Posts: 20

    Quote Originally Posted by sky-knight:
    Untangle's firewall doesn't support this, and no firewall that does can call itself "secure".

    That, quite frankly, is complete bull$%^(. If you have an IoT device and you want to make sure it calls home, and only home, that is one scenario where a FQDN rule would be helpful. Are you telling me that Palo Alto firewalls and Sophos firewalls are not secure? Because they support FQDN rules, and there are a hell of a lot more of those firewalls than Untangle.

    Quote Originally Posted by sky-knight:
    Untangle's firewall doesn't block squat by default.

    And you call that secure? Maybe SirStiggie is not the problem; maybe you trying to defend and promote an inferior product is the problem.

  6. #16 | sky-knight (Untangle Ninja) | Join Date: Apr 2008 | Location: Phoenix, AZ | Posts: 24,660

    I'm sorry my professional opinion upsets you.

    But, we have the ever-present threat of DNS cache poisoning, which when allowed to penetrate a firewall rule grants access to far more than what you'd intend; indeed it becomes an open door that swings infinitely, invalidating all control. Not to mention the performance problems injected by doing a DNS lookup and waiting for that to happen while trying to set up a network session. Which means such firewalls have to treat a DNS name as a variable, and pull DNS on a schedule to translate it into a huge list of IP addresses. All software imposes limits on how large that list is, when up against the technical reality of a CDN-enabled world... Not to mention the breaks that happen between when the IP address list associated with a given DNS record might change and we wait for the firewall to update itself.

    Nope... sorry, this doesn't work. And yes, in the products that have made it work they've by necessity utilized methods that are inherently insecure. At the very least, it's a risk point for a DoS. But, you seem to be having a bad day so I'll leave the rest where it sits.

    This isn't a new request, and I've been using firewall technology and watching people ask for this specific magic for over 20 years. It will never happen and be secure. If it could, we'd not need all the other tools every UTM brings to the table. There's a reason why I suggest relying on Web Filter for egress control, not to mention network segmentation for the rest.

    This isn't just my opinion either, it's experience borne of decades of effort and study. Informed by people vastly more experienced than I am specifically on this topic.

    P.S. Sophos just got nuked for not validating inputs on their web UI a few months ago, anyone that says they are "secure" is just asking for it. This is 2020, not 1990. Palo Alto... well I'll keep my opinion on that to myself, they're a mixed bag and great at some things and not others, not unlike Untangle honestly. Market share doesn't determine capability, all it determines is investment in sales. Consider that a fault in our flavor of capitalism. If merit actually won the market, things would be very different.
    Last edited by sky-knight; 06-28-2020 at 11:06 AM.
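A worked illustration of the mechanism sky-knight describes in post #16 (treating a DNS name as a variable, re-resolving it on a schedule, and capping the resulting address list), and of the CDN point in the sky-knight text quoted in post #11 (no single lookup returns the full address set). This is an added example, not code from Untangle, from NexgenAppliances, or from any poster in the thread. Everything in it is constructed: the FqdnRule/FqdnFirewall classes are a hypothetical model of such a rule, the DNS answers use 203.0.113.0/24 documentation addresses, and the refresh interval, the per-rule cap of four addresses, and the client connections are assumed values chosen to expose the two failure modes.

```python
from dataclasses import dataclass, field

# Constructed DNS answers for a CDN-hosted name. Each successive resolution
# returns a different pair of edge addresses, which is how many CDNs spread
# load; no single lookup ever sees the whole pool. All addresses are from the
# 203.0.113.0/24 documentation range.
CONSTRUCTED_ANSWERS = {
    "updates.example.com": [
        ["203.0.113.10", "203.0.113.11"],  # what the firewall sees on refresh 1
        ["203.0.113.12", "203.0.113.13"],  # refresh 2
        ["203.0.113.14", "203.0.113.15"],  # refresh 3
    ],
}


@dataclass
class FqdnRule:
    """A hypothetical 'allow to this name' rule that the firewall expands to IPs."""
    name: str
    refresh_interval: int          # seconds between scheduled re-resolutions
    max_addresses: int = 4         # assumed per-rule cap on cached addresses
    cached: set = field(default_factory=set)
    last_refresh: int = 0


class FqdnFirewall:
    """Models the 'DNS name as a variable, resolved on a schedule' approach.

    The rule trusts whatever the resolver hands back: every returned address
    goes straight into the allow set with no further validation.
    """

    def __init__(self, answers, rule):
        self.answers = answers
        self.rule = rule
        self.resolutions = 0
        self._refresh(now=0)       # initial expansion when the rule is loaded

    def _resolve(self, name):
        """Replay the next constructed answer (the last one repeats forever)."""
        seq = self.answers[name]
        ips = seq[min(self.resolutions, len(seq) - 1)]
        self.resolutions += 1
        return ips

    def _refresh(self, now):
        r = self.rule
        merged = r.cached | set(self._resolve(r.name))
        # Enforce the cap deterministically: keep the lowest addresses. Any
        # address beyond the cap can never be matched by the rule.
        r.cached = set(sorted(merged)[: r.max_addresses])
        r.last_refresh = now

    def tick(self, now):
        """Run the scheduled refresh if the interval has elapsed."""
        if now - self.rule.last_refresh >= self.rule.refresh_interval:
            self._refresh(now)

    def allows(self, dst_ip):
        return dst_ip in self.rule.cached


def run_scenario():
    """Replay constructed client connections against the rule.

    The client does its own DNS lookups and is steered to edges the firewall
    has not yet cached, so legitimate traffic is blocked during the window
    between refreshes, and once the cap is hit some edges stay blocked for good.
    """
    rule = FqdnRule("updates.example.com", refresh_interval=300)
    fw = FqdnFirewall(CONSTRUCTED_ANSWERS, rule)
    connections = [                     # (seconds since rule load, destination)
        (60, "203.0.113.12"),           # client resolved a different edge
        (310, "203.0.113.12"),          # after refresh 2 this edge is cached
        (620, "203.0.113.14"),          # refresh 3 overflows the cap
        (620, "203.0.113.10"),          # an early edge still works
    ]
    results = []
    for now, ip in connections:
        fw.tick(now)
        results.append((now, ip, fw.allows(ip)))
    return results, sorted(rule.cached)


if __name__ == "__main__":
    decisions, final_cache = run_scenario()
    for now, ip, ok in decisions:
        print(f"t={now:>4}s  {ip:<14} {'ALLOW' if ok else 'BLOCK'}")
    print("cached after 3 refreshes:", final_cache)
```

Running it shows the two effects the thread argues about: the connection at t=60 to a legitimate edge is blocked because the firewall's cached expansion is already stale, and after the third refresh the cap of four addresses silently drops two edges, so the t=620 connection to 203.0.113.14 stays blocked no matter how often the rule refreshes. Widening the cap or the interval only trades one problem for the other, which is why the posts above steer toward Web Filter for egress control and Firewall rules on internal IP ranges and VLANs instead.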
