At a Glance | |
---|---|
Product | Untangle at Home [Website] |
Summary | Home version of powerful open source solution for blocking spam, spyware, viruses, adware and unwanted content. |
Pros | Very full-featured UTM feature set Runs on ASUS RT-AC88U $5 / month for all Untangle features / apps |
Cons | Might be too challenging for networking novices to set up No other consumer routers supported yet |
Introduction
Untangle is a security software company that creates a firewall product currently called Next Generation Firewall (NG Firewall). They have been around since 2003, founded as Metavize and renaming to Untangle in 2007.
Untangle has created an open source firewall platform aimed at helping small to medium businesses secure and protect their networks. More than just a firewall, Untangle raises the job of the simple firewall to a much more advanced category, a Unified Threat Management firewall (UTM). Untangle NG Firewall can be installed on a PC hardware platform, there are 32 and 64 bit ISO downloads available, as well as be virtualized via an OVA download, or even an image for a USB stick, giving end users tremendous flexibility to the size of the network it will protect, as well as flexibility in budget.
I reviewed Untangle Gateway, an earlier version of NG Firewall, over eight (!) years ago. So when Untangle asked me to look at NG Firewall, I figured it was time. Specifically, they wanted me to review a version aimed at home and SOHO users, appropriately named Untangle at Home.
A little background first. While NG Firewall is based on open source, it pulls together hundreds of technologies, from open source, commercial, or in-house home grown, into a powerful platform that provides many different functions. These functions include such features such as web filtering, bandwidth management/QoS, application control, antivirus, antispam, phish blocking, ssl inspection, advanced firewall, ad blocking, VPN, intrusion inspection and detection, active directory connector to tie in with users, and policy management to define access and control by users or devices.
NG Firewall also has a very flexible routing component that supports multiple WAN and LAN interfaces, and virtual interfaces added to a physical interface including virtual VLANs. The applications, most of which run at layer 7 on the OSI model, can be individually installed from an “App Store”. This allows customizing your instance of NG Firewall to your needs and not waste compute resources on unused modules.
As a network professional, I often tinkered at home, and years ago I became interested in the many open source firewall distros available. I had downloaded, installed, and played with just about all the various Linux router distros out at that time. Since I am an IT consultant for SMBs for a living, I saw the need for firewall protection above what a traditional NAT router provided. I was a firm believer in “layered protection” before it became a trendy name in the IT consulting world. In the mid 2000’s I spent a lot of time playing with various *nix firewall distros, and then I discovered Untangle…back when it was around version 5.
Our SMB consulting group then had quite a few “MSP clients”, meaning clients on fixed monthly fees for unlimited support. I immediately saw the value of layered protection, since adding protection to a client should result in fewer malware calls, thus less time spent having to support the client, thus, the client is more profitable. So I started installing the base/free version of a few of the UTM *nix distro products, and I definitely saw a reduction in malware related calls to our clients.
Over time, Untangle developed nicely, had a great, active support forum, and I began using it as our “go-to firewall product” and became a reseller around the time of the previous review.
Untangle at Home
Today’s homes have a lot more connected to the internet than computers. Home automation, security systems, appliances, media streamers and game consoles share your internet connection with computers, smart phones and tablets. These new devices increase the possible vectors of attack and raise your network’s threat profile significantly.
Untangle has to date been aimed at small to medium businesses, so needed some “good horsepower” to run on. It likes at least a multi-core processor, a Gigabyte or more of RAM, and good hardware-based network cards to run on. Fortunately, some consumer routers now have quad-core processors, over a Gigabyte of RAM and USB 3.0 ports that enable storage expansion via SSD or hard drives.
So with increased need plus reasonably priced hardware, “Untangle at Home” was born!
Untangle at Home is a special package designed to be affordable for the home user at $50.00 per year or $5.00 per month! Compare this special “Home” price, to the normal NG Firewall Complete bundle for businesses that starts at $540.00 annually for up to 25 devices! So, for $50.00 per year, you can run Untangle at Home that provides the same features as the full Complete Package on a home-built or repurposed computer, any Untangle hardware appliance, or ASUS RT-AC88U.
Since Untangle has developed features for business networks, the services that a growing number of home users desire are already included in Untangle for Home. Features include:
- Parental control. Log or block websites based on category or specific addresses.
- Robust bandwidth control
- VPN
- Guest device management
- Multiple layers of security, including dual antivirus engines (Clam and BitDefender), webfiltering, anti phishing, deep SPI and intrusion prevention.
- Reporting and a dashboard of their network
- It even has a darned good SPAM filter.
- Built in Ad Blocker….block ads at the edge, save on network traffic, and cut down on your exposure to malware since poisoned advertisements are widely used for drive by malware exploits/installs.
After building your Untangle firewall and booting it up for the first time, you run through a quick configuration wizard. You get to select your login credentials and how you want to use Untangle. You can use it either as your main router/firewall/gateway, or in bridged model (transparent proxy) behind your existing firewall. Usually you’re going to have it be your router/firewall/gateway, so you’ll configure the WAN connection type, internal IP and DHCP server. From there, you’ll select the default apps to install. More on apps later.
Let’s start by taking a look at the Untangle management page. Untangle currently maintains an online demo you can log into and poke around in. Username and password are already filled in. Just click Login and go ahead and look around. Clicking through this will allow you to better see what we’re talking about.
The new Dashboard page is greatly improved from prior versions of Untangle. You can manage widgets to customize it to your preferences. By default, the Dashboard provides a quick glimpse of your network, hardware resources being used (CPU, memory, disk), active sessions on interfaces, traffic flow on interfaces, overall bandwidth being used, global map showing where traffic is going, and some high level views of bandwidth usage per host and by application.
Untangle Dashboard
Apps
When you go to the Apps panel, you’ll find a look similar to prior versions of Untangle before the new Dashboard page. Untangle continues to use an equipment rack as its user interface model. Untangle’s “Rack” is much like a server cabinet / equipment rack. Each app shows up like a 1U "pizza box" appliance in the rack. So each rack looks like it has a collection of servers / network appliances in it. Untangle has a section where you can change skins for different appearances.
Since Untangle is a Layer 7 firewall, traffic flows through down the virtual pipe, enters an app, is processed and passed on to the next app. So that stack of apps in the rack is what traffic passes through between the WAN and LAN sides of your network.
You install virtual functions into the rack from the Untangle App Store. Untangle allows you to build multiple “Racks” / sets of Policies. Clicking onto the Apps page shows the Default Rack / Policy set.
Notice in the partial screenshot of the Apps page below, you’ll see the dropdown menu for Policies in the upper left corner. This example has three Racks defined: Default Policy; Staff and Library. You can install, remove, and configure each App in the Rack. Apps are added from the App Store.
Untangle Apps in Rack
By default, when you first build Untangle, the default Rack has no apps installed. At this point, Untangle is running just like any plain NAT router. The advantage of a full fledged UTM firewall such as Untangle is you get to install additional Apps to create a custom firewall based on your needs. Once you’ve installed your apps and optionally done any configuration changes, what you’re looking at is the default Rack / policy.
The apps you can install are determined by the Untangle subscription you have and what your needs are. You can also purchase apps à la carte from the collection shown below. Untangle for Home includes access to all Untangle apps, which is quite a bargain.
Untangle App Collection
You can set Untangle to auto update or manually update it. Individual apps that require frequent updates also automatically update themselves, such as antivirus and intrusion detection.
Racks / Policies
As noted earlier, you can create additional racks via that dropdown menu in the upper left corner. You install and configure Apps for each new Rack you build. You typically do this so you can create different policies and rule sets for different groups of users. In this example, I have created Racks for office staff, students (the default), and the Library computers. The web filter, bandwidth control, and application control is set much stricter for the student Rack and more relaxed for Staff.
You use the Policy Manager App to place users into their racks. This can be done via quite a few ways, such as by IP address, or by active directory objects, host name, MAC address, quotas, etc. It is not hierarchical, it is simply…rules based on how you want to define clients.
The Config page is where you get a bit more of the setup of the primary firewall features.
Untangle config
The Network tile brings you to where you manually set Ethernet interface settings. Here is where you set the address type, external or internal, additional aliases, DHCP, port forwarding, VLANs, QoS, DNS, filtering rules, UPnP, and many other advanced network settings.
Configuring Untangle Network interfaces
The flexibility you have here really lets you easily build a rather complicated network. The interfaces shown above are on an Untangle system I’ve installed at a school. Untangle at Home can also support all these interfaces; you just need hardware that has all of them! You can now drag-and-drop interfaces to move them and rename them so you can better manage the Interface section.
The ASUS RT-AC88U Untangle is supporting as the first consumer hardware for Untangle at Home can support all the above interfaces. You can see I have two WAN connections. One is a DSL connection that the school has used for years. I added the second WAN connection a few months ago with a faster cable connection.
Untangle has load balancing and failover capabilities. I usually have 100% of the traffic on the AirFiber WAN, since that supports 170 Mbps download. But if AirFiber drops for any reason, Untangle will seamlessly route traffic over the slower 3 Mbps DSL connection, automatically flipping traffic back over to the AirFiber link once that’s restored. I can also balance those WAN connections with a 50/50, 75/25 or whatever ratio desired in increments of 1%.
On the LAN side, I have three internal networks. The 192.168.1.0/24 primary network is the main school network. I have a WiFiGuest network (192.168.254.0/24) on the last interface, for smart phones, tablets and guests. Finally, I have a little NUC computer and some other hardware tucked behind another interface at 10.50.3.0/24 for remote management.
If your hardware has wireless network cards that are supported by Untangle, you’ll have the standard wireless settings you can manage in this section. Untangle at Home supports all the RT-AC88U’s wireless settings.
Untangle directly supports VLANs. You can even add a virtual VLAN interface to an existing interface and create your IP network within that virtual VLAN interface. I typically spread network clients to their appropriate interfaces on Untangle using VLANs from a managed switch. I’ll untag a VLAN on an uplink port on the switch and uplink it to the appropriate interface on Untangle.
Untangle also supports multiple IP aliases per interface. So if you have a block of public IP addresses, you can add them to the WAN interface. Or if you run multiple subnets on your LAN, all of which you want to access, just add multiple internal IPs to the internal interface. An example, our main network at my office is 10.50.1.0/24. But I set up quite a few devices on other common IP ranges, such as 192.168.1.0/24 and 192.168.2.0/24. So I’ve aliased those IPs on the internal Ethernet port of our Untangle firewall at our office to make life easier. I can just reach them from my computer right across the network without having to change the IP address on my workstation. Untangle takes care of all the routing.
Closing Thoughts
Untangle has really grown and matured over the years. It has turned from a little-known firewall distribution that a small enthusiast community used, to a solid competitor in the SMB and even enterprise market. It holds its own against well-known names like Sonicwall, Fortinet, Watchguard, Sophos, Juniper, and others. Stability, performance, and hardware compatibility has increased, as well as features have been updated or added.
Since my earlier review, the secondary antivirus scanner changed from Kaspersky to Bitdefender. In some recent updates towards the end of 2016, Untangle introduced UPnP, and blocking by GeoLocation. UPnP addresses complaints from home users about problems with online gaming. UPnP support enables Untangle to automatically open ports needed by many online games.
Geo Blocking is important for businesses to help secure their networks. Businesses often have ports open to their network for services like mail servers and remote access portals. So being able to deny traffic originating from certain countries is a big boost to security, potentially reducing attempts to break into the network.
The Geo Blocking rules are nicely done. You simply create rules for “is” or “is-not”, with check boxes listing countries….and whether traffic is going “to” or “from”. With over 40% of hacking attempts coming from China,…just a couple of clicks of the mouse in Untangle can block any traffic coming from there or anyplace else.
The availability of all Untangle’s features running on a widely available consumer wireless router costing less than $300 is a big step forward for Untangle. Up until now, Untangle’s u25w at $419, based on an Intel dual-core Atom processor, was the cheapest way to get Untangle at Home with Wi-Fi support and it has only three Gigabit Ethernet ports.
Although I didn’t run formal performance benchmarks, my impression was the performance of Untangle at Home running on the RT-AC88U was quite similar to small Atom based systems we’ve deployed several dozen of. Prior to this Untangle at Home image for the ASUS, the least expensive hardware you could install Untangle on were Atom based systems, which still cost a decent amount of money (hard to find anything decent under $600).
Note that the RT-AC88U has only a dual-core Broadcom BCM4709C0 processor, which uses an ARM Cortex-A9 core with only 512 MB of RAM and 128 MB of flash. If Untangle ported at Home to a more powerful (and expensive) router like NETGEAR’s R9000 Nighthawk X10, it would be interesting to see how it would perform with a quad-core processor. At this point, however, Untangle has not announced support for any other Wi-Fi routers.
There are other recently-released security firewalls for the residential market looking for their share of the market. But Bitdefender’s own Box appliance, Norton/Symantec’s Core, or the new Cujo Smart Internet Security firewall have higher annual subscription costs, and don’t have nearly as many features as Untangle does.
Untangle adds a very effective UTM layer to antivirus packages you may already run on some devices and provides protection you need to have for IoT and other devices that are poorly or not at all secured. Combined with safe DNS services instead of your ISP’s DNS, these layers of protection are relatively easy to implement and help protect you from the ever increasing number of internet-based threats.
For $5 / month or $50 / year, plus around $300 for an ASUS router you may already own, Untangle at Home brings enterprise grade firewall features to the home user at an affordable price that’s hard to match!