Home Internet Security: Untangle Next Generation (NG) Firewall – Part 3

And now we get to the meat (or if you are a vegetarian, the tofu) of Untangle: the Apps. Apps extend the basic functionality of the system and add the real security capabilities. I’ll take you through the four free ones (“Lite” versions) that I use for my home.

Web Filter Lite

The Web Filter Lite app allows you to block or flag (log) traffic out of your network using categories. Below is a sample from the main page of categories to block.

We can block or flag on the categories above or, as shown in the top of the above picture, block sites that we don’t want people on our network visiting (e.g., bigbadsite.com.org.net), block file types such as EXEs or SWFs (Shockwave), or block based upon MIME types. Pretty flexible for a free app! For the life of me I cannot understand why anyone would want to block or flag someone going to “Hacking” sites…but the options are there.

Of course, you can white-list sites too. If I wanted to block all shopping sites except Amazon.com, I could add an exception.

The final section of this panel is the event log, which records all the web traffic that is passed, blocked or flagged. If you are using the captive portal app (as I am), the traffic gets tagged by the user that generated it. Below you can see the date/time, which internal system (by IP) made the traffic, the user that did this, where the traffic was sent and its status (blocked or flagged).

Captive Portal

Whereas the Web Filter Lite allowed us to control where traffic went to from our network, the captive portal app allows us to control what users do on it. This is a neat thing in my opinion. So, using the SecurityOnion system I set up at home I could tell that a computer in the house at a certain IP address did something (went to a certain site, etc.) but I couldn’t tell if it was my wife or kids or me generating that traffic. With this app, you can tie traffic to a user.


First thing to do is set up the rule for the traffic you want to capture. I chose all TCP and UDP traffic as shown below. This essentially is all the traffic leaving my network.

Exceptions to the Rules

Once this is configured, you need to specify the hosts that should NOT be affected by the captive portal. Why would you want this? Well, things like a streaming TV device (Roku, AppleTV…etc), the SecurityOnion system, the Untangle server, your mobile devices might not need to be captive. I configured it so that only the common devices in our home use the portal. My wife’s and my work computers and phones do not.

Captive page

Now we get to the page that will be presented to users when they try to get access to the Internet. It is a captive portal because it should capture a browser or other device and hold them until they authenticate. This is where the “Local Directory” users that we created earlier in the blog posts are used.

User Authentication

Here you specify what type of authentication you want to use. If you have an Active Directory in your home/office, you can leverage that. Otherwise, the Local Directory of user accounts is used.

The Idle Timeout and Timeout are important values that you’ll want to tinker with too. Make the idle timeout too short and your users (relatives?) will be very annoyed. Same for the timeout. At the end of the timeout period, your Internet shuts off. So, if you are watching Netflix or playing a game, down the Interwebs go. Not great. Make sure you and your users are OK with this time frame. Make it too long and, on computers that multiple people use, one user’s traffic will be attributed to another user.
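To see the attribution problem in numbers, here is a small sketch added as an example (it is not from the original post and not Untangle's code). It assumes a simplified session model, and the log tuples, IP address, user names and site names are all constructed for illustration.

```python
from datetime import datetime, timedelta

def at(hhmm):
    """Constructed timestamps: every event falls on one sample evening."""
    return datetime(2024, 1, 6, int(hhmm[:2]), int(hhmm[3:]))

def attribute(logins, traffic, idle_timeout, timeout):
    """Tag each traffic event with the portal user whose session covers it.

    Simplified model (an assumption, not Untangle's code): a session for an
    IP starts at login, ends `timeout` after login regardless of activity,
    and ends early once the IP has sent no traffic for `idle_timeout`.
    """
    events = sorted([(t, ip, "login", v) for t, ip, v in logins] +
                    [(t, ip, "traffic", v) for t, ip, v in traffic])
    sessions = {}  # ip -> [user, login time, time of last traffic]
    tagged = []
    for t, ip, kind, value in events:
        s = sessions.get(ip)
        if s and (t - s[1] >= timeout or t - s[2] >= idle_timeout):
            sessions.pop(ip)  # session expired before this event
            s = None
        if kind == "login":
            sessions[ip] = [value, t, t]
        else:
            if s:
                s[2] = t  # traffic resets the idle clock
            tagged.append((t, ip, value, s[0] if s else None))
    return tagged

# Constructed sample data: one shared PC. Dad logs in and browses until 19:10,
# then Johnny sits down at 19:40 and never sees a login page.
LOGINS = [(at("19:00"), "192.168.1.50", "dad")]
TRAFFIC = [(at("19:05"), "192.168.1.50", "news.example"),
           (at("19:10"), "192.168.1.50", "shop.example"),
           (at("19:40"), "192.168.1.50", "games.example"),
           (at("19:45"), "192.168.1.50", "games.example")]

def users(idle_minutes, timeout_hours=8):
    """Return the user each sample traffic event is attributed to."""
    rows = attribute(LOGINS, TRAFFIC, timedelta(minutes=idle_minutes),
                     timedelta(hours=timeout_hours))
    return [user for _, _, _, user in rows]

if __name__ == "__main__":
    print("idle 60 min:", users(60))  # Johnny's traffic is logged as dad's
    print("idle 15 min:", users(15))  # session expired, so no user is tagged
```

An untagged event here stands for the moment the portal would show the login page again, which is the point where the second person's traffic starts being logged under their own name.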

User Event Log

This log just tells you who logged in and when, and whether there were login failures. It shows when people were using your resources. Helpful, yes?

Rule Event Log

This log is really only useful if you have multiple rules set up to capture traffic. I created one rule that captures everything. So, this log tracks all that traffic. I probably should refine the rule to be more precise. Hmmm.

Ad Blocker

This is an easy app to discuss. It blocks cookies and ads based upon rules that it has and that you enter. Kinda nice. Not gonna drill down more into it as, well, it just works.


Finally we get to the reports app that is used to generate and send out reports. The reports are non-customizable (which is the only downside I’ve found to this system). Below is the schedule on which I have the reports sent to my email and my wife’s.

The reports are pretty and very high level.


The Untangle server is a server and has system logs. Well, since we set up the ELSA syslog server in the SecurityOnion implementation (see previous blog posts) we can send these Untangle server logs to that device. Cool!

Name Map

Last piece of this app is the name map. Think of this as a “hosts” file or local DNS where Untangle can translate IP addresses into names of computers. So instead of seeing that “ went to a porn site” you’d see “Johnny’s Laptop” went there. Much easier to yell at Johnny then. 🙂


I’ve really enjoyed using Untangle and feel like my home is definitely more secure. I have a better handle on what is coming and going from my systems and what all my devices (printers, NAS, Roku…) are doing. Highly recommend Untangle for your home/SOHO.
