Untangle Firewall: Uncluttering the Mess
There is an update at the end of this article!
I replaced my Watchguard Firebox security appliance a few weeks ago with Untangle Firewall because the Firebox just wasn’t holding up to the increasing demands on our network. Since the start of this new school semester, we’ve been adding new clients to our network about two a week and we could definitely tell the bottleneck on our network lay with our firewall.
When we deployed our network originally, we were using a Watchguard Firebox X15 upgraded to X50 to handle the bandwidth and traffic demands and border control between the LAN and Internet. I’ve had success before with the Firebox and don’t get me wrong; if you are running a huge network (hundreds to thousands of systems) or are comfortable with the Firebox then it might be your solution. I deployed an X700 at First Baptist Church of Slidell and Blaize deployed an X2500 at New Orleans Baptist Seminary.
But the drawback with the Firebox was that a fee, or annual license, is required to run the device, then a separate, additional fee is required to install a content filter and some other needed modules, then an additional fee is needed to use those modules yearly, all on top of the fact that you have to purchase the initial hardware device. Because this network is a free semi-public access network (by semi-public I mean ask-to-use as opposed to unsecured and completely open), we needed a free or VERY inexpensive solution to our problem. I am shelling out the monthly bill for Internet access out of my pocket without a supplement, so free and good were key.
What was our problem? Well for starters we needed:
*It is key for network administrators to be able to combine all of these cool modules into a form in which it is quick and painless to monitor. Unfortunately Watchguard Firebox is a pain in the butt when it comes to log viewing.
Now we come to Untangle Firewall. When Blaize told me he tried out a new firewall I was skeptical. I mean, how could something free be better than Watchguard Firebox? Well I dismantled my webserver (which is why johndball.com was down for a week) and reconfigured it to run Untangle. Within the hour we had Untangle Firewall up and running on the network and had replaced the Watchguard Firebox. We ran into a few bumps: 1) there was a known bug with the attack blocker which required a little modifying of some files that was beyond my skill level, which Blaize had to fix, and 2) I had taken some NyQuil and it was kicking in hard and fast and I had about 5 more minutes before I crashed, so we put off the actual tweaking of the web filter and IPS until the following day.
Once my body recovered from NyQuil shock, I started working with the different modules on the firewall. For me, this was similar to Watchguard but a heck of a lot easier. Drag and drop can’t be easier… well maybe voice commands, but for now drag and drop will do. I configured the modules I wanted and within the day it was already filtering different “stuff”. Ads, cookies, spyware websites, attacks, etc.
Managing the Untangle firewall is a lot easier than it was with the Firebox.
I can do everything via a web interface and I believe a Java console which is launched from the web interface. Even if you don’t have Java installed, they include both the online and offline Java installer right there from the web front-end so you don’t have to go digging around Sun’s website trying to figure out which software package you need. Somebody needs to slap a Sun web designer; their site is confusing.
Once you are in the virtual “rack” then everything is in front of you.
No Firebox System Manager, Watchguard Log Manager, and Watchguard System Manager with MUVPN software running in the background; just Mozilla Firefox to launch and run and that is it!
I mentioned to Blaize yesterday that the Untangle reports have a very professional look to them and they are so simple to go through. You can print this report out and hand it to your CIO or e-mail the same report to your assistant net admin and it would be adequate enough for both individuals.
Untangle also offers some pre-configured hardware options with their software client that you can purchase. If you are like me then you would probably want to build your firewall. I’m running Untangle with hardware that is more than required, less the RAM. I believe min recommended was 1 GB.
If you are interested in their products, check out their website @ http://www.untangle.com/. If you decide to Untangle your firewall mess, leave a comment or send me an e-mail and let me know; I’d be more than glad to link your story here on my blog!
Update: See a related article by Blaize Stewart @ http://www.blaize.net/cms/index.php?option=com_content&task=view&id=547&Itemid=10






I am a longtime Watchguard user (X700). However, I found that while their equipment is good, I have lots of problems with site-to-site VPN with equipment from other vendors. Even with the Live Security, I have had issues with their support.
Untangle looks good. Have you all looked at ipcop as well? Or the SME Server? I have used both with much success. I will be downloading Untangle tonight to give it a try.
Adam said this on February 20th, 2008 at 12:26 am
Adam, Watchguard’s support is something I’ve never enjoyed, but that should be taken into consideration if you have a large IT staff and only a few people understand an open-source firewall product.
I’ve never used IPcop, but considered it as a firewall solution to replace my Firebox before going with Untangle. I know Blaize (my friend and web host) tried out IPcop and then recommended, and implemented, Untangle after comparing the two firewalls. I hadn’t looked at SME Server except for a quick Google search. I saw “pre-configured Linux server” in the “About product”. Untangle firewall is also a pre-configured Linux distro and coming from me, a strictly Microsoft guy, I can say that Untangle was the easiest thing I’ve EVER deployed!
johndball said this on February 20th, 2008 at 2:19 am
Did you realise that some Watchguard models are nothing more than x86 motherboards with compact flash ide drives? The only thing special is the network hardware. The network hardware will still work under other software, but the crypto hardware might not.
Others have completely replaced the software on Watchguards. Something more advanced may be to mix in your desired software with the existing Watchguard software. The so-called Watchguard OS is Redhat with a 2.4 kernel. This way the crypto hardware might still function through the modified crypto libraries.
spenser said this on July 23rd, 2008 at 6:26 am
That I did not know, Spenser. Have you or do you know of any articles detailing the instructions on flashing new software to Watchguard boxes? I’d be interested in reading some! Shoot me an e-mail if you have any.
johndball said this on July 23rd, 2008 at 10:38 am
Head over to the pfsense forums. Some good results so far.
Jake said this on August 6th, 2008 at 5:15 pm
Untangle is the best solution for enterprise.
Jash Sayani said this on August 8th, 2008 at 9:23 am