  1. #1 Newbie (Join Date: Nov 2010; Posts: 13)

    Very New to UT, Need Some Confirmation

    Hello all:

    I am currently considering UT to replace my current Zyxel Zywall USG 100 UTM Firewall due to several extreme performance issues being experienced with the device. Before I purchase hardware and such, I would like to make sure that UT can do what I am wanting to do. My current logical setup is as follows:


    Modem --> Zywall (Unit has 6 Interfaces)

    Zywall P1 --> Modem (64 Public IP Addresses)
    Zywall P2 --> Not Used (unit supports WAN Load Balancing)
    Zywall P3 --> Internal LAN (10.0.1.1/24)
    Zywall P4 --> DMZ LAN (10.0.2.1/24)
    Zywall P5 --> Guest LAN (10.0.3.1/24)
    Zywall P6 --> Dev LAN (10.0.4.1/24)

    Each port is connected to a smart switch and is on a separate VLAN (no tagging is done at the Zywall or on the Zywall ports).

    Essentially, traffic from the Internal LAN can go, mostly unrestricted, to any of the other LANs or to the Internet (a few ports are blocked to prevent spamming and such). Traffic on the DMZ LAN can go to the internet (mostly unrestricted). However, firewall rules are in place to only allow for certain communication from the DMZ LAN to other LANs (for example, DNS is allowed to internal DNS servers via specific IPs and ports, etc). Guest traffic is mostly unrestricted to the internet with the Zywall Captive Portal turned off (it doesn't work very well). The guest LAN cannot communicate with any other LAN on the network. Lastly, the Dev LAN can communicate with the internet mostly unrestricted and can also communicate with certain devices on the DMZ LAN. No other communication is permitted from that network (it's basically treated as a second untrusted DMZ that holds dev labs and dev machines).

    There are a few SNATs (1:1 NATs) with port forwarding from IP addresses (I believe in UT, they would be aliases) that point to machines in the DMZ. There is one alias that SNATs to a machine that lives in the Internal LAN (single port forward).

    So, my questions are these:

    1. Can I do this with UT (community/lite edition)?
    2. If not in the lite/community edition, what about the paid versions?


    Thanks for your time.

  2. #2 sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,498)

    Yes Untangle can do all that and more. But it won't be able to do all that without purchasing at least the policy manager.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3 Newbie (Join Date: Nov 2010; Posts: 13)

    Thanks for the reply. Can you explain to me why I would need the policy manager to do that? That can't be done with just the firewall rules? Most of the features of policy manager, from what I am reading, I would never use.

    [EDIT]

    Nevermind my question, I just read through some documentation and saw where it says that. Thanks.
    Last edited by tezgno; 11-13-2010 at 02:43 PM. Reason: Re-read the documentation

  4. #4 sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,498)

    The Policy Manager allows you to create multiple virtual racks. These racks then have rules you can use to change what is subject to them. They allow you to define very granular security contexts and control your network with very high level of granularity.

    If you attempt to do this without it, you will be severely limiting your options.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5 Newbie (Join Date: Nov 2010; Posts: 13)

    Yes but, today, I do all of that with firewall rules on my Zywall. For example:

    Rule 1: Permit 10.0.2.0/24 to 10.0.1.20/32 UDP 53
    Rule 2: Deny 10.0.2.0/24 to 10.0.1.0/24 ANY ANY

    Are you saying that I cannot do something as simple as that without policy manager? I don't need multiple racks or policies based on time, etc. Just the ability to make firewall rules that say I can permit or deny from A to B.
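As an added example (not from the thread, and not Untangle's or Zyxel's code), here is a first-match evaluator in Python for the inter-LAN policy described in posts #1 and #5, plus a shadowing check that shows why rule 1 must sit above rule 2; the dev-LAN-to-DMZ host 10.0.2.10 on TCP 22 is an assumption, since the thread names no specific device.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    src: str                # source CIDR
    dst: str                # destination CIDR
    proto: Optional[str]    # "tcp", "udp", or None for ANY
    dport: Optional[int]    # destination port, or None for ANY

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in (None, proto)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True when every packet matching `other` would already match self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in (None, other.proto)
                and self.dport in (None, other.dport))

# Inter-LAN policy as described in the thread (constructed; the dev-to-DMZ host
# 10.0.2.10 on TCP 22 is an assumption, the thread names no specific device).
RULES = [
    Rule("permit", "10.0.2.0/24", "10.0.1.20/32", "udp", 53),   # post #5, rule 1: DMZ -> internal DNS
    Rule("deny",   "10.0.2.0/24", "10.0.1.0/24",  None,  None), # post #5, rule 2: DMZ -> internal, all else
    Rule("deny",   "10.0.3.0/24", "10.0.0.0/16",  None,  None), # guest LAN reaches no other LAN
    Rule("permit", "10.0.4.0/24", "10.0.2.10/32", "tcp", 22),   # dev LAN -> one DMZ device (assumed)
    Rule("deny",   "10.0.4.0/24", "10.0.0.0/16",  None,  None), # dev LAN -> nothing else internal
]

def evaluate(rules, src_ip, dst_ip, proto, dport, default="permit"):
    """First matching rule wins; the default applies when nothing matches
    (the thread's LANs are 'mostly unrestricted' toward the Internet)."""
    for idx, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, idx
    return default, None

def shadowed(rules) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules))
            if any(rules[i].covers(rules[j]) for i in range(j))]
```

Swapping rule 1 and rule 2 makes `shadowed()` report the DNS permit as dead, and DMZ-to-DNS traffic is then denied by the broader rule.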

  6. #6 sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,498)

    The firewall module only controls TCP/UDP, as does the rest of the UVM itself, which is all of the rack modules you're seeing in the GUI.

    The way Untangle thinks is very different from the device you're replacing. Yes, you can use the firewall if you wish, but Untangle is a UTM. The purpose of a UTM is to destroy the static firewall you're speaking of.

    You need the policy manager to define different filtration rules in specific modules. Those separate racks you say you don't need will simplify your management. Yes you can do all of this with the "free" toys. But those "toys" are exactly that, they aren't the tools you need. You can get away with the toys, but you will spend far more in time than you would have spent on the subscription.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7 Newbie (Join Date: Nov 2010; Posts: 13)

    What you are describing is not the purpose of a UTM. The purpose of a UTM is to "destroy", as you say, the need for you to have a slew of devices to accomplish your goal of network security. And just in case you missed it above in my first post, the Zywall is a UTM as well.

    This isn't about a free "toy" as you describe it. In fact, if you are calling what is included in the lite package "toys," then that makes me reconsider whether or not I want to deploy Untangle (because those "toys" are the core of the subscription versions).

    I guess I should be more specific as to why I am considering UT. The issue that I have with the Zywall isn't about its features or how it does things. The issue is strictly with the fact that the unit does not provide enough throughput with its functions turned on. With just the firewall on, the maximum throughput that can be achieved through the unit is around 20Mbps. With the UTM functions turned on, it drops to 5-10Mbps. This means that if any communication goes through the firewall (let's say that it's going from the DMZ to a device on the Internal LAN), even though the ports are all gigabit, the maximum transfer speed that we could ever get is around 20Mbps, which is not fast enough. So, we are looking for something that would be better in terms of performance. I like the soft-appliance idea because one of the things that it eliminates is hardware vendor lock-in. Essentially, if we are not happy with the options from one vendor, we can simply look at another and see about acquiring their software as opposed to having to repurchase hardware all of the time. From a cost perspective, this is very cost effective.

    Now, based upon what I have read up to this point, it looked as though UT provided, in the lite version, more than what my Zywall provides (the Zywall, like other hardware UTMs, has a yearly subscription). This would be really good for us because this would allow for us to eliminate some of the costs associated with maintaining a firewall appliance. But, if what you are saying is correct in that, really, to be able to do in UT what I do with just firewall rules, really requires the policy manager, then this actually would make UT more expensive to maintain than my Zywall or some of the other options that I have been looking at (both soft-appliance and hardware-based) since the licensing model that UT uses is per device. I'm not so much looking for free as much as I'm looking for better. But, if that "better" costs more than something else that is also "better," it becomes hard to justify.

  8. #8 Newbie (Join Date: Nov 2010; Posts: 1)

    Email on Untangle

    Can I use Untangle 7.4 to fetchmail and forward it to an Exchange server? I need Untangle to be the gateway for the internal network firewall and VPN; also the email is extremely important. I used Ebox/Zentyal before but would like to try Untangle. I also noticed that the free apps on Zentyal/Ebox are paid apps in Untangle. Why is this?

  9. #9 dwasserman (Untangle Ninja; Join Date: Jun 2008; Location: Argentina; Posts: 4,371)

    Quote Originally Posted by tezgno (post #7 above, quoted in full)

    You can create your inter-LAN ACL with the packet filter, but I suspect it can't reach the Gb speed you need. It's very hardware dependent.
    Why not use one device at the edge (Zywall, Untangle) and another device designed for your needs, called a Layer 3 switch?
    The world is divided into 10 kinds of people, who know binary and those not

  10. #10 Newbie (Join Date: Nov 2010; Posts: 13)

    The reason why we do not use a L3 switch is because we still want the UTM functionality between the DMZ and the internal LAN. We are not so much after gbps speeds although that is easily achievable if you purchase the right hardware. Further, with our bandwidth getting ready to increase significantly in the next couple of months, we need something that can handle that as well. Today, the Zywall can't do that.
