
20 Minutes and your own UTM is Ready

PCQ Bureau

Just about every organization today is trying to cope with the growing variety of security threats. You might be the CIO of a multi-national bank wanting to secure thousands of ATMs or several hundred bank branches across the country, or you might be spearheading the IT operations of a retail chain and want to ensure that all your retail outlets are secure while communicating online with the head office. Whichever type of organization it is, you need to ensure that its IT infrastructure is free from security threats. Today, the answer to most security threats seems to be a UTM appliance.


Just to refresh your memory, UTM stands for Unified Threat Management, and a UTM appliance is a device that's a one-stop solution to combat any type of network security threat. For instance, a UTM device can combat viruses, spam, malware, hacking and phishing attacks. Plus it can also do content filtering, firewalling, IDS, etc. Moreover, all this can be managed from a single management interface. While the concept of UTM may sound exciting, you need to ensure that you choose the right one and determine its total cost of ownership. A typical commercial UTM appliance would cost anywhere between 2 to 5 Lakhs. So if a bank wants to deploy it across its thousands of ATMs, that's a huge investment. When making such a significant investment, you would also have to consider its manageability. Can you, for instance, manage it from your existing network management system? If you're using OpenView or Tivoli, for instance, would you be able to manage your fleet of UTM devices directly from that software? Here, we'll talk about a device that takes care of both issues.

Select the type of Red interface amongst the ones shown. For example, you could mark an ADSL or ISDN network as a Red one


We'll be talking about an Open Source software called Endian. It lets you build your own UTM appliance, and we'll tell you all about it in this article. Building such a device is in fact no rocket science. To start with, all you need is one server-class machine, preferably a rack-mountable one, which you can plug into your rack like an appliance. We'd suggest that the server should at least have an Intel Xeon processor, 2.8 or 3.0 GHz. In fact, when we were experimenting with it, we first set it up on an ordinary P4-based desktop machine. The moment we put it on a live network with around 500 users, it froze after a few hours. The hardware was just not able to handle the load. So, don't use an ordinary PC when building your own UTM device. You'll need at least 1 GB RAM and anywhere between 20 to 60 GB of HDD for the UTM server. The hard drive is required for the proxy cache and for storing quarantined viruses. The Endian OS itself has a very small footprint, taking less than 1 GB for the installation. Other than that, you will also need multiple LAN cards in the server. You'll need at least two if you plan to build a network with a Public and a Private network, and three if you also want a DMZ network. You can also add more network cards depending upon the number of Internet connections and LAN subnets you want to connect to the device.

Select whether you have a DMZ or a Wi-Fi network. Select Orange if you need a DMZ and Blue if you have a Wi-Fi network. If you don't have any, select None

We zeroed in on Endian after evaluating several Open Source Linux distros. Endian has been specifically built to become a UTM. It consists of packages like SpamAssassin, ClamAV, Ntop, Snort, IPTables, dansguardian and Squid. These give you anti-spam, anti-virus, firewall with DMZ, content filtering, bandwidth shaping, IDS and monitoring capabilities. We'll now go ahead and install Endian.


Installing Endian



To install Endian, all you have to do is boot the machine with the Endian ISO and follow the installation process. The first two screens are for welcome and language selection, so press Enter and proceed. The third screen warns you that if you proceed further, the distro will format the entire disk and all previous data will be gone. So make sure that the hard disk you use does not have any valuable data on it. Make your choice and proceed. The installer will then ask you whether you want display support on the console.

This means you can activate the terminal display on the COM port, which can be accessed through HyperTerminal. This way you do not need a display card and get a true headless appliance. If you are putting the UTM in a rack-mountable cabinet, this would be the ideal way to go. After you are done with all these, the installer will start installing packages. If you have installed it on the machine specs we suggested, then the installation should not take more than 10 minutes. When all the packages are installed, the installer will ask you for the IP address of the Green (internal or private) network. Here, assign any free IP address of your network.


Select the network card associated with Green network & give an IP to it. You can even change settings here

Make sure that you provide it a static address and remember it, else you will not be able to access the management interface of the device. After that, you will be presented with two more screens, one each for keyboard and time-zone selection. After you are done with these settings, move ahead to set the hostname for the UTM device and then the domain name. Next, you will be asked to provide the password for the ‘root’ user. Key it in and proceed. On the next screen, it will again ask for a password, but this time it is the password for the ‘admin’ user, with which you will be accessing the management console of the device. After this is done, reboot once and your UTM is ready for configuration.

Configuring the UTM



Endian’s web-based interface can be accessed from https://:10443, where the host part is the Green IP address you assigned during installation. It will ask you to verify the SSL certificate of the site, and when you do so, you will reach the first page of the Endian interface. Most of the configuration will take place from this site itself. So, let us take the different configuration components one by one and elaborate on them.


Port Problems

When we deployed Endian in a live environment, we found that by default it only allowed HTTP, SMTP, POP3 and FTP traffic to pass. But there are quite a few other protocols that are used in an enterprise. We’ve given a list of some of these applications along with their port numbers for your reference. You might need to open them manually to allow these services.



Port                   Description
22                     SSH
23                     Telnet
3389                   Remote Desktop Connection
1352                   Lotus Notes
1433/1434              MS SQL Server
1024/1025/1026/1027    VoIP (all these ports should be open)
6000                   X11 sessions
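Once you have opened the ports above in the Endian firewall, it is worth confirming from a machine on the Green side that each service actually reaches a host on the far side. The script below is an added example, not part of the article or of Endian; it tries a plain TCP handshake to every port in the article's table (the service-to-port mapping is copied from the table, TCP only, so the VoIP entry covers just the TCP side) and lists the services that are still blocked. The `demo_local()` self-check uses a throwaway loopback listener so the logic can be exercised without a UTM in the path.

```python
import socket
import sys
from contextlib import closing

# Services from the article's port table (constructed mapping; TCP only, so the
# VoIP entry covers just the TCP side of the ports the article lists).
SERVICES = {
    "SSH": [22],
    "Telnet": [23],
    "Remote Desktop Connection": [3389],
    "Lotus Notes": [1352],
    "MS SQL Server": [1433, 1434],
    "VoIP": [1024, 1025, 1026, 1027],
    "X11 sessions": [6000],
}


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout.

    A refused connection and a timeout both count as 'not reachable'; through a
    firewall that silently drops traffic, the timeout is the case you will see."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:  # socket.timeout is a subclass of OSError
            return False


def check_services(host, services=SERVICES, timeout=2.0):
    """Probe every port of every service; returns {service: {port: reachable}}."""
    return {
        name: {port: tcp_port_open(host, port, timeout) for port in ports}
        for name, ports in services.items()
    }


def blocked_services(results):
    """Services with at least one unreachable port, i.e. the ones still to open."""
    return sorted(name for name, ports in results.items() if not all(ports.values()))


def demo_local():
    """Offline self-check: a listener on a random loopback port must be reported
    open, and the same port must be reported closed once the listener is gone."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        seen_open = tcp_port_open("127.0.0.1", port, timeout=1.0)
    seen_closed = tcp_port_open("127.0.0.1", port, timeout=1.0)
    return seen_open, seen_closed


if __name__ == "__main__":
    # Usage: python check_ports.py <host on the far side of the UTM>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_services(target)
    for name, ports in results.items():
        state = ", ".join(f"{p}:{'open' if ok else 'blocked'}" for p, ok in ports.items())
        print(f"{name:26s} {state}")
    print("still blocked:", blocked_services(results) or "none")
```

Run it against a host that really listens on the service in question; a port that is open on the firewall but has no listener behind it will still show as blocked, so read the result together with what you know is running on the target.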

Enable the proxy settings from the window. You can even set the port and transparency of the server

Select the categories/types of content which you want to block on your network


The Network setup



When you are running the UTM for the first time, you have to first configure the network and subnets for all three networks (or two if you don’t have a DMZ). The three networks are Green (internal or private), Red (external or public) and Orange (DMZ). To start with the configuration, click on ‘Network Configuration’ on the left side of the first page. It will ask you for the type of Red interface you have and how it will get an IP, that is, whether you have an ADSL Internet line or an Ethernet one. Further, if it is Ethernet, whether it will get an IP from your ISP’s DHCP or you have to assign one manually. Select the relevant value.

Select the networks on which you want to activate the IDS. You can view IDS logs at Logs>IDS Logs section

To enable anti virus and anti spam, select all the check boxes you can see in this window

Configuring the proxy



Endian can be configured as a proxy service that will cache web pages to make your Internet browsing faster. To configure it, go to the Proxy menu at the top of the page. Enable the proxy, which is essentially Squid, by selecting the ‘Enable on Green’ check box. If you want to make the proxy transparent, which means you don’t have to provide the proxy address and port on every machine, enable the ‘Transparent on Green’ checkbox. In the proxy port field, provide the port on which the proxy server will receive client requests. By default, it is ‘8080’. If you also want to enable anti-virus and content filtering over your proxy or web traffic, enable the ‘Content enabled’ and ‘Anti virus enabled’ options. These should take care of most of the settings for a standard proxy server. For fine-tuning, you can scroll down.


Content filtering



Endian uses dansguardian for content filtering. Unlike the original dansguardian application, which provides text-based configuration files, in Endian everything is GUI based. Using it is pretty straightforward. First click on the ‘Content Filter’ link in the proxy page and you will be presented with a page with four sections.

The first asks you the score to use for blocking sites. By default, its value is 160, which is suitable for any adult. You can change the score depending upon your own requirement. Just remember that the larger the number, the more liberal the blocking. The next section has 23 different categories of words. Select the categories that you want to block. Then scroll down to the next section to see another 11 categories. Select the ones whose content you want to block. In the last section, you can explicitly allow or deny any website.
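To make the "score" concrete: dansguardian's phrase filter adds up a weight for each listed phrase it finds in a page (good-context phrases carry negative weights) and blocks the page when the total exceeds the limit, which is why a higher limit lets more pages through. The script below is an added example, not code from the article or from dansguardian, and uses a constructed phrase list and constructed sample pages; the exact list format, the per-occurrence counting mode and the strictness of the comparison are simplified assumptions.

```python
import re

# Constructed weighted phrase list in the spirit of dansguardian's weighted
# phrase lists: positive weights count toward blocking, negative weights
# ("good" context such as medical or research material) count against it.
WEIGHTED_PHRASES = {
    "casino": 60,
    "xxx": 80,
    "free download": 30,
    "credit card number": 40,
    "medical": -30,
    "research": -20,
}

# Constructed sample pages (HTML tags are stripped before scoring).
SAMPLE_PAGES = {
    "gambling": "<h1>Online CASINO</h1><p>xxx free download of our app!</p>",
    "health": "<p>Medical research on casino addiction and treatment.</p>",
    "shopping": "<p>Free download: enter your credit card number at the casino shop.</p>",
}


def strip_html(html):
    """Crude tag removal; enough for scoring the visible text of a page."""
    return re.sub(r"<[^>]+>", " ", html)


def phrase_score(html, phrases=WEIGHTED_PHRASES, count_every_hit=False):
    """Sum the weights of every listed phrase that occurs in the page text.

    count_every_hit=False counts a phrase once however often it appears;
    True multiplies the weight by the number of occurrences (assumed modes)."""
    text = " ".join(strip_html(html).lower().split())
    total, hits = 0, {}
    for phrase, weight in phrases.items():
        occurrences = text.count(phrase)
        if occurrences:
            contribution = weight * (occurrences if count_every_hit else 1)
            hits[phrase] = contribution
            total += contribution
    return total, hits


def verdict(html, naughtiness_limit=160, **scoring):
    """'block' when the page score exceeds the limit, otherwise 'allow'."""
    score, hits = phrase_score(html, **scoring)
    return ("block" if score > naughtiness_limit else "allow"), score, hits


def classify_all(naughtiness_limit=160, pages=SAMPLE_PAGES):
    """Verdict and score for every sample page at the given limit."""
    return {name: verdict(html, naughtiness_limit)[:2] for name, html in pages.items()}


if __name__ == "__main__":
    # The 'shopping' page scores 130: blocked at a limit of 100, allowed at 160.
    for limit in (100, 160):
        print(f"limit {limit}:")
        for name, (result, score) in classify_all(limit).items():
            print(f"  {name:9s} score={score:4d} -> {result}")
```

Comparing the output at limits 100 and 160 shows the trade-off the paragraph describes: the borderline "shopping" page flips from blocked to allowed as the limit rises, while the clearly bad and clearly good pages keep their verdicts.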

Enabling spam filter



Endian lets you configure a spam filter and anti-virus on both your POP3 and SMTP mail. To do that, go to the ‘POP3’ and ‘SMTP’ links inside the Proxy menu and enable both the anti-virus and the spam filter in each. You can then click on ‘Spamfilter’, define the keywords you want to add, and set how incoming spam is tagged. By default, it is tagged as ‘****SPAM****’. You can add entries to the black and white lists, in both the username@xyz.com and *@xyz.com forms. You can configure other types of proxies in Endian too, such as SIP, FTP and DNS.
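The following added example (not code from the article, Endian or SpamAssassin) shows the mechanics the paragraph describes: sender addresses are matched against black and white list entries in the two forms mentioned, a few keywords are checked in the subject and body, and spam gets the ‘****SPAM****’ prefix on its Subject header. The lists, keywords and messages are constructed for the demo, the `X-Spam-Reason` header is a made-up name, and giving the whitelist precedence over the blacklist is an assumption made so that one trusted sender can be excepted from a blacklisted domain.

```python
from email import message_from_string
from email.utils import parseaddr

SPAM_TAG = "****SPAM****"  # the default subject tag mentioned in the article

# Constructed lists, in the two entry forms the article describes.
WHITELIST = ["newsletter@xyz.com", "*@partnerbank.example"]
BLACKLIST = ["*@xyz.com", "spammer@example.net"]
KEYWORDS = ["cheap loans", "act now"]


def address_matches(address, patterns):
    """Match an address against entries of the form user@domain (exact) or
    *@domain (whole domain). Comparison is case-insensitive."""
    address = address.lower()
    domain = address.rpartition("@")[2]
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*@"):
            if domain == pattern[2:]:
                return True
        elif address == pattern:
            return True
    return False


def classify(msg):
    """Return (verdict, reason). Whitelist first (assumed order), then the
    blacklist, then a keyword scan of subject and body."""
    sender = parseaddr(msg.get("From", ""))[1]
    if address_matches(sender, WHITELIST):
        return "ham", "whitelist"
    if address_matches(sender, BLACKLIST):
        return "spam", "blacklist"
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(keyword in text for keyword in KEYWORDS):
        return "spam", "keyword"
    return "ham", "clean"


def tag_message(raw):
    """Parse a raw message and prefix its Subject with the tag when it is spam."""
    msg = message_from_string(raw)
    verdict, reason = classify(msg)
    if verdict == "spam":
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"{SPAM_TAG} {subject}"
        msg["X-Spam-Reason"] = reason  # constructed header name, for log review
    return msg


def classify_raw(raw):
    return classify(message_from_string(raw))


def tagged_subject(raw):
    return tag_message(raw)["Subject"]


def make_message(sender, subject, body):
    """Build a minimal constructed raw message for the demo."""
    return f"From: {sender}\nTo: staff@example.org\nSubject: {subject}\n\n{body}\n"


# Constructed sample messages covering each decision path.
SAMPLES = {
    "whitelisted": make_message("newsletter@xyz.com", "Monthly update", "Hello"),
    "blacklisted": make_message("someone@xyz.com", "Hi", "Hello"),
    "keyword": make_message("friend@example.org", "Cheap loans today", "Call us"),
    "clean": make_message("alice@example.org", "Meeting", "See you at 10"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} {classify_raw(raw)}  subject -> {tagged_subject(raw)!r}")
```

Note that the "whitelisted" sample comes from the blacklisted domain xyz.com and is still delivered untagged, which is exactly the situation the username@xyz.com entry form exists for.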

Enabling IDS



Endian uses Snort for intrusion detection. To activate it, go to Services>‘Intrusion Detection’ and enable Snort for both the Green and Red networks. The IDS logs can be seen in the Logs>IDS Logs section. Here you can also select the type of license you want to use for Snort signatures. There are three options to select from: the community, the registered users and the paid customers. The first two are free, but you have to buy a license from Snort for the third one.
