Page 1 of 8
Results 1 to 10 of 71
  1. #1
    Untangler
    Join Date
    Feb 2021
    Posts
    36

Home User with Bypass Rules

    Hello all,

I am considering purchasing the 50 device limited Untangle home version, but I have right around the 50 device mark. I emailed support, and they advised me to set up bypass rules for my IoT devices, but I'm not certain of the security risks this might present. Would bypassing IoT devices such as Alexa, Ring, Nest, Hue, etc. cause any security concerns? I'm trying to wrap my head around this whole bypass thing and how it might affect my setup. I will also have some computers, iOS devices, and gaming consoles on my network. I'm planning on putting my IoT devices on a separate VLAN too. I have some kids on my network, so I plan on using the Webfilter along with any other suggested apps to keep the kids off unsafe or adult sites.

    Thanks in advance.
    Sean

  2. #2
Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,517


I personally put IoT devices on a separate VLAN from my main internal traffic to avoid any issue with those devices. A firewall is not going to stop an actor who has control of the phone-home server of the IoT device.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,865


    Do they? That's a question you need to ask yourself.

    If you don't trust them, and you want Untangle's paid apps to cover them then you'll need to upgrade your license to cover them.
    If you do trust them, then you bypass them and use the smaller package.

    I do NOT trust them. So I isolate them, and bring every Untangle tool I can on them to contain them.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Untangler
    Join Date
    Feb 2021
    Posts
    36


Quote Originally Posted by jcoffin:
I personally put IoT devices on a separate VLAN from my main internal traffic to avoid any issue with those devices. A firewall is not going to stop an actor who has control of the phone-home server of the IoT device.
    Thanks jcoffin. Do you bypass these IoT devices on your separate VLAN?

Quote Originally Posted by sky-knight:
    Do they? That's a question you need to ask yourself.

    If you don't trust them, and you want Untangle's paid apps to cover them then you'll need to upgrade your license to cover them.
    If you do trust them, then you bypass them and use the smaller package.

    I do NOT trust them. So I isolate them, and bring every Untangle tool I can on them to contain them.
    Thanks sky-knight. I really don't know that I do trust them, but I know that I want to limit the amount of damage IoT devices can do on my network. If I don't use any IDS/IPS, would they need to go through the Untangle firewall?

  5. #5
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,865


And the answer is once again... it depends...

    Bypassed devices will never see any Untangle app. So you're limited to features configurable in config -> networking.

So, you could put all your IoT devices into their own VLAN, and use the filter to block all access to the Internet... or all access to any LAN network... or whatever you can come up with in there. But you're limited to very basic firewalling, handled by the Linux kernel itself, and no logging.

    Is that good enough? That depends on your goals.

I prefer to have everything in the apps as much as possible because reports make troubleshooting a breeze, and I can see stuff that happened after the fact that I wouldn't otherwise. But since apps only see TCP and UDP traffic, even that picture is incomplete.

    So as you can see, this is very much a tangled situation, even with Untangle.

  6. #6
Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,517


Quote Originally Posted by sclawrenc:
    Thanks jcoffin. Do you bypass these IoT devices on your separate VLAN?
I don't have a license limit, but I only use Firewall and Bandwidth Control on the policy for that interface.
    Last edited by jcoffin; 02-09-2021 at 04:06 PM.

  7. #7
    Untangler
    Join Date
    Feb 2021
    Posts
    36


Quote Originally Posted by sky-knight:
And the answer is once again... it depends...

    Bypassed devices will never see any Untangle app. So you're limited to features configurable in config -> networking.

So, you could put all your IoT devices into their own VLAN, and use the filter to block all access to the Internet... or all access to any LAN network... or whatever you can come up with in there. But you're limited to very basic firewalling, handled by the Linux kernel itself, and no logging.

    Is that good enough? That depends on your goals.

I prefer to have everything in the apps as much as possible because reports make troubleshooting a breeze, and I can see stuff that happened after the fact that I wouldn't otherwise. But since apps only see TCP and UDP traffic, even that picture is incomplete.

    So as you can see, this is very much a tangled situation, even with Untangle.
Thanks again, sky-knight. I don't want to block outbound traffic from the IoT devices, since they will need that to function, but I am planning on blocking them from reaching out to my LAN (private devices) on their own. I will allow my LAN (private devices) to reach out to the IoT VLAN so that certain things will still work.

    Am I able to still view the traffic and reports from devices that are being bypassed? I would like to utilize the reports, if possible, for all devices on my network.
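The inter-VLAN policy described in the post above (IoT may go out to the Internet, IoT may not start sessions toward the private LAN, the private LAN may start sessions toward IoT and still get replies) only works as described if the filter is stateful: reply packets from the IoT VLAN back to the LAN look exactly like "IoT reaching out to the LAN" to a per-packet filter. The following is an added example, not code from the thread or from Untangle; it models the ESTABLISHED/RELATED-then-zone-policy order of a Linux forward chain and contrasts it with the naive stateless version. The subnets 192.168.10.0/24 (LAN), 192.168.20.0/24 (IoT) and the traffic in `run_scenario()` are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing (not from the thread): adjust to your own VLANs.
ZONES = {
    "lan": ipaddress.ip_network("192.168.10.0/24"),  # private devices
    "iot": ipaddress.ip_network("192.168.20.0/24"),  # IoT VLAN
}


def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside the two local nets is 'wan'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


# Zone-pair policy for NEW connections only. Pairs not listed are dropped.
NEW_CONNECTION_POLICY = {
    ("lan", "iot"): "ACCEPT",  # phones/computers may reach the IoT VLAN
    ("lan", "wan"): "ACCEPT",
    ("iot", "wan"): "ACCEPT",  # IoT devices still need their cloud services
    ("iot", "lan"): "DROP",    # IoT may not start sessions toward private devices
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Stateful forward chain: accept packets of tracked flows first, then apply
    the zone policy to whatever is left (i.e. NEW connections)."""

    def __init__(self):
        self.conntrack = set()  # 5-tuples of flows that were accepted as NEW

    @staticmethod
    def _flow(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_flow(p: Packet):
        # The same flow seen from the other direction.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def forward(self, p: Packet) -> str:
        # Rule 1: packet belongs to an already-accepted flow, either direction.
        if self._flow(p) in self.conntrack or self._reply_flow(p) in self.conntrack:
            return "ACCEPT"
        # Rule 2: otherwise this is a NEW connection; consult the zone-pair policy.
        verdict = NEW_CONNECTION_POLICY.get((zone_of(p.src), zone_of(p.dst)), "DROP")
        if verdict == "ACCEPT":
            self.conntrack.add(self._flow(p))
        return verdict


def stateless_forward(p: Packet) -> str:
    """The same zone table applied per packet with no connection state."""
    return NEW_CONNECTION_POLICY.get((zone_of(p.src), zone_of(p.dst)), "DROP")


def run_scenario() -> dict:
    """Constructed traffic: a phone on the LAN opens a session to a hub on the IoT
    VLAN, the hub replies, the hub then tries to open its own session into the LAN,
    and finally the hub talks to its cloud service."""
    fw = StatefulFirewall()
    request = Packet("tcp", "192.168.10.5", 51000, "192.168.20.40", 443)
    reply = Packet("tcp", "192.168.20.40", 443, "192.168.10.5", 51000)
    probe = Packet("tcp", "192.168.20.40", 40000, "192.168.10.5", 445)
    cloud = Packet("tcp", "192.168.20.40", 40001, "203.0.113.10", 443)
    packets = (request, reply, probe, cloud)
    return {
        "stateful": [fw.forward(p) for p in packets],
        "stateless": [stateless_forward(p) for p in packets],
    }


if __name__ == "__main__":
    for mode, verdicts in run_scenario().items():
        print(f"{mode:9s} {verdicts}")
```

With the stateful chain the hub's reply to the phone is accepted while its unsolicited probe toward the LAN is dropped; the stateless version drops the reply too, which is the symptom to look for when "LAN can reach IoT" rules appear to work for the first packet only. In a real ruleset this corresponds to an `ct state established,related accept` rule placed before the zone-to-zone rules, and to the caveat in the thread that kernel-level filtering of bypassed traffic gives you these verdicts without any logging of what was dropped.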

  8. #8
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,865


    Bypassed sessions do appear in reports, but not for long. They aren't recorded, they're BYPASSED, and the reports app is yet another app. Ergo, bypassed stuff is visible to reports while it happens, but not stored long term.

  9. #9
    Untangler
    Join Date
    Feb 2021
    Posts
    36


    Thanks for your help. It sounds like I need to stay with my current firewall (pfSense) since it doesn't have the device limit. I'm open to suggestions as I was looking forward to using Untangle for some of the ease of use and reporting features.

  10. #10
    Untangle Ninja
    Join Date
    May 2008
    Posts
    1,528


I am guessing the IoT devices are on Wi-Fi? Try setting the Wi-Fi as a router instead of as an access point. Wouldn't that make them all look like one device?
