
After 13 years of fine service...

#1, 04-02-2012, 10:01 PM
thunder04 (Thread Starter, "Sweet!") | Join Date: Jul 2007 | Location: Northern VA | Posts: 4,104 | Received 80 Likes on 69 Posts
After 13 years of fine service...

I finally retired our Cisco PIX 520 firewall.

In its 13 years of service with us it never failed. It even handled our fiber upgrade very well (the switch above was used as a media converter). However, it was time to say goodbye.

It has been replaced by a Dell PowerEdge 2950 III quad core Xeon 2.5Ghz, 8 GB RAM, and a 144GB RAID 10 server running Untangle.

I'll try to remember to snap a picture of the internals, as it's impressively unimpressive....
#2, 04-02-2012, 10:02 PM
justnspace (Moderator) | Join Date: Feb 2010 | Posts: 86,295 | Received 16,261 Likes on 11,972 Posts
Rip.
#3, 04-03-2012, 12:55 PM
thunder04 (Thread Starter)
And the inside:

Under the floppy drive is a Pentium II 350MHz processor and 128MB RAM. The flash memory for the PIX OS is the ISA card you see on the right.

A lot more empty space than I expected.
#4, 04-03-2012, 12:57 PM
justnspace (Moderator)
lulz!!!
I bet the new server is filled.

PII!?! That was like my first ever built system.
#5, 04-03-2012, 01:13 PM
doopstr (Team Owner) | Join Date: Jan 2001 | Location: Jersey | Age: 52 | Posts: 25,352 | Received 2,057 Likes on 1,142 Posts
Why did you go with Untangle instead of ASA?
#6, 04-03-2012, 01:21 PM
thunder04 (Thread Starter)
$$$. We already had the server, and what we need for a firewall appliance is free with Untangle.
#7, 04-03-2012, 01:24 PM
Whiskers ("Go Giants") | Join Date: Aug 2004 | Location: PA | Age: 53 | Posts: 69,910 | Received 1,232 Likes on 822 Posts
Is that a hamster inside?
#8, 04-03-2012, 01:26 PM
thunder04 (Thread Starter)
^
#9, 04-03-2012, 03:31 PM
#1 STUNNA ("Sanest Florida Man") | Join Date: Aug 2007 | Location: Florida | Posts: 43,628 | Received 10,226 Likes on 6,196 Posts
So why'd you replace it?
#10, 04-03-2012, 03:55 PM
thunder04 (Thread Starter)
1. It was 13 years old

2. We wanted something that integrated intrusion prevention and Internet filtering (url and protocol based)

3. We wanted something that has interfaces faster than 100Mbps. We could have purchased a couple gigabit fiber cards for the PIX, but they are not cheap.

We replaced two devices (the PIX and our Internet filtering server) with one. Untangle does a lot of "cool" things that we can use:
  • Web filtering (by URL)
  • Virus filtering
  • Spyware blocking
  • SPAM filtering (using this in conjunction with our mail server's SPAM filtering capabilities)
  • Phish filtering
  • Application control (protocol monitoring/blocking)
  • Intrusion prevention
  • Ad blocking
  • Tons of reporting/logging

Some of the features above are hard to verify in terms of how well they actually work, but the things I can test work very well.
#11, 04-03-2012, 05:08 PM
#1 STUNNA
Phishing, virus and spyware blocking are always iffy; don't put too much faith in those.

I'm sure you could keep track of how many of those things it actually blocks. If it ends up hardly blocking anything, or has a bunch of false positives, then I'm sure you could turn it off to increase performance...
#12, 04-03-2012, 10:31 PM
thunder04 (Thread Starter)
I'm going to leave them on for now. The logs for the phishing, virus, and spam filters look promising (definitely legit filtering happening), but we'll see what happens.

I've tweaked the spam filter on our mail server to weight messages flagged by Untangle's spam filter a little higher.

Multiple people have said web browsing feels a little faster. I think I notice it a little, but it could be a placebo effect.

I'm waiting for a gigabit copper GBIC to arrive. Once it's installed we'll have a gigabit link to our ISP. I can't wait to see what throughput is like then. I may be turning off some of the filters for performance then.
#13, 04-12-2012, 10:05 AM
thunder04 (Thread Starter)
With the gigabit GBIC:

Nowhere near 1Gbps, but definitely not too shabby.

This is from my desk, so it's pretty close to what someone connected to a gigabit port anywhere on our network would experience.
#14, 04-12-2012, 11:29 AM
hornyleprechaun ("Bent = #1") | Join Date: Dec 2001 | Location: Marietta, GA | Age: 39 | Posts: 13,473 | Received 25 Likes on 19 Posts
thunder, how many employees do you have in your company?
#15, 04-12-2012, 12:18 PM
thunder04 (Thread Starter)
I work for a small school district and we have roughly 300 staff members and 2,700 students. The only reason we have an Internet connection like this is because the service is donated to us through a joint community project between a pool of local school districts and city governments.
#16, 04-12-2012, 01:17 PM
thunder04 (Thread Starter)
Ok, so I discovered how to add IPs to what they call a "bypass filter list" which bypasses all of Untangle's processing. After running speed tests about 10-15 times, my best result so far with a system using an IP address that has been added to the bypass list is:

The above was done on my Linux box (Lubuntu).

I did some more scientific testing on my MacBook and out of 5 tests my average down/up was 134.77Mbps/53.16Mbps non "bypassed" and 223.41Mbps/77.19Mbps using a "bypassed" IP.

I think it's time to look into optimizing this thing.
#17, 04-12-2012, 01:27 PM
#1 STUNNA
Overclock that bitch! Liquid Nitrogen cooling!!!
#18, 04-12-2012, 01:36 PM
ez12a ("the overexplainer") | Join Date: Feb 2011 | Location: OC, CA | Age: 36 | Posts: 3,287 | Received 385 Likes on 337 Posts
One thing I never really liked about Free Untangle is the lack of manual updating or any real status on updating. Just wait... then suddenly things like content filtering start working. It's easy to configure though, that's for sure. The throughput slowdown though probably has to do with Untangle's layer 7 capability.

I use pfSense and it's a lot faster, but it works mainly at layer 3, blocking IPs and whatnot. Depending on the environment, sometimes it's just better to block the host vs. things at the app layer level.
#19, 04-12-2012, 02:16 PM
thunder04 (Thread Starter)
^ What attracted me to Untangle was the integration of web filtering (url), since this is a must for a school environment (in fact, it's law). I also like the other integrated features, but web filtering was the biggest attraction.

If there are other firewall/router packages out there that have integrated web filtering, and do it for free, I'm open to evaluating them.
#20, 04-12-2012, 05:17 PM
ez12a
Yeah, pfSense is free, a little less polished but a lot more robust in terms of customization as well as speed. The web interface is a lot faster.

Additional features can be installed via the built-in package manager for free. pfSense is based off of the open source m0n0wall.

I used the content filtering of pfSense, which also does it via a blacklist that is freely available and updated often, and it has worked pretty well. For an extra layer, I also had OpenDNS's free content filtering DNS as a fallback. (A handy trick is to block DNS requests, port 53 iirc, to anything but OpenDNS (or the router's IP), so kids or faculty can't change their computer's DNS.) Another thing you can add to block torrenting and P2P is Snort IDS/IPS, also freely available as a package for pfSense and effective.

Doesn't hurt to throw it in a VM to see how it works. There are pros and cons of Untangle and pfSense. Some even run Untangle behind pfSense as a transparent filter.

Last edited by ez12a; 04-12-2012 at 05:26 PM.
#21, 04-12-2012, 05:29 PM
#1 STUNNA
^That blocking of port 53 would block malware that changes dns settings like DNSChanger did from being effective. It'd still change it but then they wouldn't have internet access.

I use OpenDNS family filter at a couple of my clients. I'd recommend that too in addition to whatever you have in house. It's customizable; you can filter by content category and do manual black/white list additions.
#22, 04-12-2012, 07:09 PM
doopstr (Team Owner)
I like OpenDNS. I also like getting emails from that little cutie Allison Rhodes.
#23, 04-13-2012, 09:21 AM
thunder04 (Thread Starter)
We use OpenDNS and I've considered blocking port 53 for all except our DNS servers, so that DNS requests must go through our servers, which then forward requests to OpenDNS.

I'll have to check out pfSense. I've been tweaking with Untangle, and when nobody is here I can get ~200Mbps speedtests with all of the traffic/content filtering turned on, which I don't think is bad at all.

I'm trying to consider the future as well. Untangle is really easy to manage. If I got hit by a bus on my way in to work one day, any of my colleagues could jump in and manage it if needed.

With our PIX and old web filter, I was the only one who knew how to manage it. It frightened everyone else.
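The port-53 egress rule discussed in #20, #21 and #23 (hosts may only send DNS to approved resolvers; everything else on port 53 is dropped), worked through as an added example. This is not code from the thread, from Untangle or from pfSense. It assumes a constructed 10.0.0.0/16 LAN with in-house resolvers at 10.0.0.53 and 10.0.0.54 and a firewall at 10.0.0.1, and uses the public OpenDNS resolver addresses. It goes a little beyond the posts: a flag switches between ez12a's variant (any host may reach OpenDNS directly) and thunder04's (only the in-house resolvers may), the drop log is tallied per host to surface the machines whose DNS settings were changed (the detection side of #1 STUNNA's DNSChanger point), and the same policy is rendered as iptables rules for comparison.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# All addresses below are constructed for this example.
INTERNAL_NET = ip_network("10.0.0.0/16")        # assumed LAN range
ROUTER_IP = ip_address("10.0.0.1")              # assumed firewall LAN address
INTERNAL_RESOLVERS = frozenset({ip_address("10.0.0.53"), ip_address("10.0.0.54")})  # assumed in-house DNS
UPSTREAM_RESOLVERS = frozenset({ip_address("208.67.222.222"), ip_address("208.67.220.220")})  # OpenDNS


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt seen by the firewall (source port omitted)."""
    src: IPv4Address
    dst: IPv4Address
    proto: str   # "udp" or "tcp"
    dport: int


def mk_flow(src: str, dst: str, proto: str, dport: int) -> Flow:
    """Build a Flow from dotted-quad strings."""
    return Flow(ip_address(src), ip_address(dst), proto, dport)


def dns_policy(flow: Flow, allow_direct_upstream: bool = False) -> str:
    """Verdict for one LAN-originated flow under the port-53 egress rule.

    "pass"  - not DNS, this rule does not apply
    "allow" - DNS to an approved resolver
    "drop"  - DNS to anything else (logged; see suspicious_hosts)

    allow_direct_upstream=False: only the in-house resolvers may reach OpenDNS,
    clients must go through them (thunder04's arrangement).
    allow_direct_upstream=True: any LAN host may reach OpenDNS directly (ez12a's).
    """
    if flow.dport != 53 or flow.proto not in ("udp", "tcp"):
        return "pass"
    if flow.dst in INTERNAL_RESOLVERS or flow.dst == ROUTER_IP:
        return "allow"                                   # client -> in-house resolver
    if flow.dst in UPSTREAM_RESOLVERS and (flow.src in INTERNAL_RESOLVERS or allow_direct_upstream):
        return "allow"                                   # forwarder -> OpenDNS
    return "drop"                                        # any other DNS destination


def evaluate(flows, allow_direct_upstream: bool = False) -> list:
    """Run every flow through the policy; returns [(flow, verdict), ...]."""
    return [(f, dns_policy(f, allow_direct_upstream)) for f in flows]


def suspicious_hosts(decisions, threshold: int = 3) -> set:
    """LAN hosts whose DNS was dropped at least `threshold` times.

    A host that keeps sending DNS to a non-approved resolver has had its settings
    changed, by a user or by DNSChanger-style malware. With the rule in place it
    loses name resolution instead of being redirected, and the drop log is the
    cue to go look at that machine.
    """
    hits = Counter(f.src for f, verdict in decisions if verdict == "drop")
    return {host for host, n in hits.items() if n >= threshold}


def render_iptables_rules() -> list:
    """The same policy as Linux iptables FORWARD rules (pfSense would use a pf
    ruleset instead). Specific accepts first, then a logged catch-all drop.
    DNS aimed at the firewall's own address is INPUT traffic, not rendered here."""
    rules = []
    for proto in ("udp", "tcp"):
        for r in sorted(INTERNAL_RESOLVERS):
            rules.append(f"iptables -A FORWARD -s {INTERNAL_NET} -d {r} -p {proto} --dport 53 -j ACCEPT")
            for up in sorted(UPSTREAM_RESOLVERS):
                rules.append(f"iptables -A FORWARD -s {r} -d {up} -p {proto} --dport 53 -j ACCEPT")
        rules.append(f"iptables -A FORWARD -p {proto} --dport 53 -j LOG --log-prefix 'DNS-EGRESS-DROP '")
        rules.append(f"iptables -A FORWARD -p {proto} --dport 53 -j DROP")
    return rules


def sample_flows() -> list:
    """Constructed traffic sample: well-behaved hosts, one client that skips the
    in-house resolver, one host pointed at an outside server (203.0.113.5 and
    198.51.100.10 are documentation addresses), and one HTTPS flow."""
    return [
        mk_flow("10.0.5.20", "10.0.0.53", "udp", 53),        # normal client lookup
        mk_flow("10.0.0.53", "208.67.222.222", "udp", 53),   # resolver forwards to OpenDNS
        mk_flow("10.0.5.20", "198.51.100.10", "tcp", 443),   # HTTPS, not this rule's business
        mk_flow("10.0.5.22", "208.67.222.222", "udp", 53),   # client going to OpenDNS directly
        mk_flow("10.0.5.21", "203.0.113.5", "udp", 53),      # DNS changed to an outside server
        mk_flow("10.0.5.21", "203.0.113.5", "udp", 53),
        mk_flow("10.0.5.21", "203.0.113.5", "tcp", 53),      # retry over TCP, still dropped
    ]


if __name__ == "__main__":
    decisions = evaluate(sample_flows())
    for flow, verdict in decisions:
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
    print("hosts to investigate:", sorted(str(h) for h in suspicious_hosts(decisions)))
    print("\n".join(render_iptables_rules()))
```

Run it as-is to see the verdicts for the sample traffic and the rendered rules; with the default setting the client that talks to OpenDNS directly is dropped too, which is the price of thunder04's stricter variant (every lookup is visible in the in-house resolvers' logs). The threshold in suspicious_hosts is there so that a single stray lookup does not page anyone; a host that trips it repeatedly is worth a look regardless of which variant is in force.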