Unified Threat Management (UTM) devices unify all network security elements into a single device. They often include a combination of routing, firewall, intrusion detection, content filtering, URL filtering, spam filtering, VPN, and antivirus functionalities. These devices usually cost thousands of dollars and require subscriptions. However, you can secure your network and save money at the same time with Endian Firewall Community, a free, open source alternative to costly UTM devices.
Endian Firewall Community is a Red Hat-based OS running on kernel 2.6.9-55. Endian designed this UTM with usability, flexibility, and ease of deployment in mind. It includes a stateful packet inspection firewall, an application-level proxy with antivirus support, content Web filtering, spam filtering, and VPN support that uses Internet Protocol Security (IPsec) or OpenVPN. The latest version is v2.2 RC2, but it's still in the development stage. The current stable version, which I used, is 2.1.2.
Endian's Web site doesn't list hardware requirements for the community edition, but it does list the hardware requirements for the commercial software. Your machine must be x86-compatible with at least a 500MHz (1GHz recommended) processor, 256MB (512MB recommended) of RAM, 4GB of disk space, and two available network cards. If you're planning to use a demilitarized zone (DMZ) or wireless zone (WZ) you must add an additional network adapter for each.
The Community edition has some limitations. Obviously, commercial support is not provided. It also lacks virtual LAN (VLAN) support, group-based Web access policy, time-based access control, a wireless hotspot portal, live logging, high availability, and policy-based routing. The lack of group-based Web policy and time-based policy can be annoying when you have a large number of users. Using groups makes setting up policies easier to manage, and a time-based policy is useful for maintaining flexible access control, because you can set specific times for a policy to take effect. In addition, a wireless hotspot can be useful when you have many wireless clients; it provides easy access control of wireless guests within your network. On the other hand, one advantage of using the Community edition is that the number of users it can support depends entirely on your hardware specs; you're not limited by license constraints. For a full comparison of the features, refer to Endian's comparison chart.
Installing and deploying
Installation is easy; download the software, which is just a little more than 100MB in size. If you're planning to use it in production, stick with the stable version. Burn the image to a CD and boot from it. I used an old Pentium 4 1.6GHz box with 512MB of memory and 10GB of disk space, which worked fine.
You don't need to enter any configuration parameters during the first stage of the installation; simply click some simple Yes or No dialog boxes. For example, Endian asks you if it can format your hard drive before proceeding with the installation. You do need to enter the IP address of the management interface (eth0 or private LAN interface) at the end of the installation.
Once the installation finishes, the machine restarts and displays the login prompt. You may now configure the newly installed Endian box by accessing it with a browser. When you type in the box's IP address, you're redirected automatically to an HTTPS connection. Accept the Secure Sockets Layer (SSL) certificate for the connection, and the configuration wizard starts. Enter the password for the admin account that will manage Endian's configuration and the root for console access. Proceed to network configuration, and indicate the appropriate physical interfaces for the WAN and LAN. You can also optionally configure the DMZ or WZ connection. The WAN connection supports most types, including static, Dynamic Host Configuration Protocol (DHCP), Point-to-Point Protocol over Ethernet (PPPoE), Integrated Services Digital Network (ISDN), and Asymmetric Digital Subscriber Line (ADSL) connections. Choose the appropriate one, and enter other parameters such as the gateway and DNS.
At this point, a quick initial test should show that you can browse the Internet successfully using Endian's connection. The next step is to configure the firewall and proxy, so it can function as a UTM platform.
Configuring firewall, proxy, and other features
The default setting allows all types of traffic, so security configuration is a primary concern. Endian uses the ClamAV antivirus program; update it manually to download the latest virus signature file. Endian uses Snort for intrusion detection; select the interface to monitor and the type of update. You can choose community rules, Vulnerability Research Team (VRT) rules for registered users, or VRT rules for subscribed users. Community and VRT rules are free, but you have to register for the VRT (official) rules. If you subscribe to Snort's VRT rules, you can use the most up-to-date subscriber rule set.
Endian's firewall configuration is pretty much the same as that of other security devices. Here you can set up port forwarding and firewall policies. In the firewall policies, you only have the option to allow or deny IP addresses, protocols, and ports (services). By default, Endian allows HTTP, HTTPS, FTP, SMTP, POP3, IMAP, and DNS services. Adding firewall rules is easy: state the source, the destination, the protocol, the service port, and the type of action (allow or deny).
Endian's main security features are bound to its proxy service, DansGuardian, a popular content and Web filter. Here you can filter by content, MIME type (for file type filtering), and browser type, and choose an authentication method. Proxy configuration is effortless, because content- and Web-filtering patterns are already predefined in the DansGuardian service. The content filter is categorized, so you can check the categories for which you want to deny access, and you can add URLs if necessary. You can also enable an antivirus setting if you want to scan traffic coming from the Internet. You can configure a spam filter too, which uses the SpamAssassin service. In my experience, spam filters like this can filter only simple spam, and you need to train them to filter most of the spam coming from the Internet. Even commercial UTMs rarely use the spam filter; most enterprise deployments rely on dedicated antispam boxes to secure their email. However, for simple spam filtering, Endian's spam filter should suffice.
For authentication, Endian supports local accounts, Lightweight Directory Access Protocol (LDAP), Active Directory (AD), and Remote Authentication Dial-In User Service (RADIUS) servers. I tried connecting to an AD server, and it detected the users for that domain.
Testing Endian's firewall and proxy security features yielded good results. The proxy effectively blocked most sites and keywords that were associated with the categories I selected. It didn't detect any false positives, but it also didn't block one of the blog sites I browsed that contained adult material. The browser access control worked effectively, as Endian prevented Internet Explorer from accessing the Internet while allowing Firefox.
Although I'm satisfied with the results, I wish Endian would integrate its content filtering, related services, and firewall rules into one centralized policy. Most UTM boxes, including the open source Astaro, offer a single policy that incorporates firewall rules, content filtering, antivirus, and other features. With Endian, you still need to set the proxy settings of clients' browsers for the security to work. This can be cumbersome in a large environment.
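The firewall rule structure described above (source, destination, protocol, service port, action) and the proxy-bypass problem just mentioned can be illustrated together. The following is an added example, not code from the article or from Endian: it models a first-match outgoing policy, seeds it with the default allowed services the review lists, and shows a hardened variant that denies direct web access from LAN hosts so that a browser not pointed at the proxy cannot sidestep content filtering. The LAN range, the flows, and the assumption that the proxy's own egress is not governed by these LAN rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    """One outgoing-firewall rule: source, destination, protocol, port, action."""
    src: str             # source network in CIDR form, or "any"
    dst: str             # destination network in CIDR form, or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # service port; None matches every port
    action: str          # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (in_net(src, self.src) and in_net(dst, self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))

def in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)

def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int,
             default: str = "deny") -> str:
    """First matching rule wins; unmatched traffic gets the default action."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return default

LAN = "192.168.1.0/24"   # constructed LAN range for this example

# Services the review lists as allowed out of the box, as first-match rules.
DEFAULT_POLICY = [Rule(LAN, "any", "tcp", p, "allow")
                  for p in (80, 443, 21, 25, 110, 143, 53)]
DEFAULT_POLICY.append(Rule(LAN, "any", "udp", 53, "allow"))

# Hardened variant: deny direct web access from LAN hosts so a browser that is
# not configured for the proxy gets no filtering bypass. Assumption: the proxy's
# own outbound connections originate on the UTM and are not subject to these rules.
HARDENED_POLICY = [Rule(LAN, "any", "tcp", 80, "deny"),
                   Rule(LAN, "any", "tcp", 443, "deny")] + DEFAULT_POLICY

def compare(src: str, dst: str, proto: str, port: int) -> tuple:
    """Return (default decision, hardened decision) for one flow."""
    return (evaluate(DEFAULT_POLICY, src, dst, proto, port),
            evaluate(HARDENED_POLICY, src, dst, proto, port))

if __name__ == "__main__":
    for flow in [("192.168.1.50", "203.0.113.10", "tcp", 80),
                 ("192.168.1.50", "203.0.113.10", "tcp", 25)]:
        print(flow, "->", compare(*flow))
```

Direct web traffic from a LAN host is allowed by the default policy but denied by the hardened one, while mail and other listed services are unaffected.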
VPN configuration in Endian Firewall Community is easy. Compared to some commercial UTMs, there is little hassle in configuring a VPN tunnel; even someone with minimal knowledge of VPNs can do it. The Community edition supports IPsec and OpenVPN for its VPN service, as well as both site-to-site and client-to-site connections. It does not support older VPN protocols such as Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). Few people use these older technologies, but it wouldn't hurt to include them as options. Even open source firewalls like pfSense and open source boxes like Astaro support PPTP.
Endian logs all types of events, including intrusions and blocked pages, and it monitors traffic with the use of the ntop add-on. The log reports are sufficient to tell you who accessed blocked pages.
If you need help configuring Endian Firewall Community, check the documentation.
Is Endian UTM software unified enough?
For a UTM box, Endian still needs improvement. Any UTM solution works better when you don't have to configure anything on the client side for the security to work. Endian doesn't have policy control for peer-to-peer (P2P) applications and instant messaging services such as Yahoo! Messenger and Skype. Most commercial UTMs, and even the free Astaro, include these capabilities.
Endian's main advantage is its ease of use. The configuration is simple enough for most people to understand without asking for support. While Astaro and commercial applications can be more flexible, they're for the more technically inclined. Because Endian Firewall Community is licensed under the GPL, nothing prohibits its use for any purpose. Astaro, on the other hand, is limited to noncommercial use.
Although Endian Firewall Community is not yet a complete UTM solution, I recommend it for organizations that want simple configuration and basic UTM security.