Lead Image © Dmitriy Cherevko, 123RF.com

Lead Image © Dmitriy Cherevko, 123RF.com

New versions of the Endian and Sophos UTM solutions

Warhorses

Article from ADMIN 20/2014
By
UTM systems combat all kinds of dangers under the policy of Unified Threat Management. The demands and expectations of customers fuel competition. Two of the most popular manufacturers – Endian and Sophos – have now released new versions of their solutions.

Unified Threat Management (UTM) stands for complete protection. UTM systems filter incoming and outgoing network traffic, detect and prevent attacks, and block and quarantine viruses. If an appliance takes care of all these tasks, it needs to meet the customer's individual requirements precisely.

The UTM Firewall by Endian, a company founded in 2003, is one of the few open source firewalls available in both free and commercial versions. According to the manufacturer, more than 4,000 customers deploy Endian Firewall Enterprise, and more than 1.2 million users have downloaded the community edition. Both are based on the IPCop Linux distribution.

Although the free community variant is available for unrestricted free use in the enterprise, it lacks many of the features of the Enterprise Edition. Only the commercial version offers hardware appliances, virtual network drivers, professional support, a hotspot feature, and commercial-grade spam and content filtering. However, the community edition does provide the basic UTM functions, including antivirus, anti-spam, URL filtering, IPsec, and OpenVPN. It even protects larger networks easily. The ISO image of the community edition is available online [1]. If you want to test the Enterprise version, you can request a test key and the download link from the website [2].

Sophos UTM – first introduced in 2000 as Astaro Security Linux – has consistently focused on the needs of customers; it accordingly bills itself as "the market leader for Unified Threat Management in Europe." Although Sophos does not offer a community version, it does offer a home-use license for personal and noncommercial use. This license protects networks with up to 50 IP addresses and includes almost all features of the commercial version. The Sophos UTM Home Edition is available from the company's website [3].

For companies, Sophos also offers the Essential Firewall, a free version which, however, again only provides basic security functions. Except for the DNS proxy, it lacks all proxy-based features such as HTTP(S), SMTP, and POP3 and thus antivirus scanning, URL filtering, and application control. In terms of VPN protocols, however, IPsec and OpenVPN are missing; only L2TP over IPsec and the obsolete PPTP protocol are on board. At least, the former lets mobile devices such as smartphones connect via VPN. The installation medium for the Essential Firewall is available from Sophos [4].

Dosage Forms

Both Endian and Sophos offer their firewalls as hardware and software appliances. The latter both run on physical hardware and as virtual appliances. Sophos supports VMware, Xen, KVM, and Hyper-V.

Endian lacks official support for Microsoft's Hyper-V hypervisor. Although it can also be installed in a Hyper-V environment, it lacks drivers for the native Hyper-V network adapter, which limits the network bandwidth to a miserly 10Mbps. Additionally, full support for VMware and Xen is only available in the Enterprise version. Endian provides optimized images or virtual machines for the various hypervisors. Safety considerations for operating virtualized firewalls are discussed in the "Virtualized Firewalls?" box.

Virtualized Firewalls?

A virtual firewall entails some risks: Its most important task is to isolate networks reliably from each other. However, in virtual environments, it is the virtual switches that keep the networks. This means the virtualization host is the highest authority. The security of a virtual firewall stands and falls with the security of the virtualization software used. If the host is compromised by a configuration error or a vulnerability in the hypervisor, the virtual machines and, ultimately, the firewall can be hijacked by an attacker. Most hypervisors have already been affected by such vulnerabilities [5] [6]. A report by the IBM Security X-Force in 2010 came to the conclusion that one third of all hypervisors suffer from vulnerability gaps [7].

Virtualizing a firewall on the same host as internal IT resources (e.g., domain controllers or file or web servers) is generally inappropriate. If you do not want to do without the benefits of a virtualized firewall – rapid deployment of additional resources, as well as simple and inexpensive high availability – you should at least run it on a dedicated virtualization host.

HTTP(S) transports far more than just websites: With manipulations and tricks, almost any application can be tunnelled through this protocol. This approach works even better if there is no proxy between the server and the client. URL or content filtering alone is no longer sufficient to block resources, which is where application recognition comes into its own. It analyzes web traffic and discovers applications such as Skype, Facebook, Dropbox, and Google services by referring to patterns. Application recognition needs to update these regularly.

Both the Endian Firewall and Sophos UTM have appropriate modules. Endian blocks applications with the outgoing firewall, Sophos also supports traffic shaping and download throttling (QoS) at the application level.

The hardware appliances have the advantage that manufacturers tune their equipment exactly to the requirements of the software. Sophos uses only Intel hardware, Endian also offers Endian Mini, an ARM SoC (System on Chip) variant. The use of appliances normally leads to a leaner kernel than with software appliances, which also potentially need to support exotic hardware. The hardware solutions do not envisage upgrading, for example, the memory or hard disk capacity; hence, a small appliance only effectively supports small networks.

Licensing for software and virtual appliances is by protected IP addresses and users (see the "Pricing Models" box). The reason is that the admin can expand the (virtual) hardware practically arbitrarily and thus significantly improve firewall performance.

Pricing Models

Sophos and Endian offer their products both as hardware appliances and as software for installation on your own hardware or as a virtual appliance. Both provide licenses for their software and virtual appliances on the basis of user or IP addresses; no restrictions apply to physical appliances. Both manufacturers always provide software with identical functionality with their physical appliances. Small and large appliances do not differ in this respect; the usability scope depends solely on the hardware resources. An exception is the Sophos UTM 100 appliance with a BasicGuard subscription, whose license artificially restricts throughput and functionality.Whereas Sophos offers a purely modular subscription model, Endian adds a maintenance model. Maintenance covers the basic functions of the Endian Firewall Enterprise, including Endian Network, and already includes  – at Advanced Maintenance level  – support by the manufacturer. Only third-party software such as the Panda antivirus scanner and Commtouch Content Filtering require an additional license from Endian.Another difference exists in licensing for high-availability (HA) mode: In Endian's case, all appliances in active/passive HA mode of operation require maintenance and corresponding subscriptions. For Sophos, a license is sufficient, in principle, for active/passive mode.Tables 1 and 2 contain the entry-level and mid-sized appliances from Endian and Sophos, with the recommended pricing when this issue went to press.

Table 1

Endian Pricing

Model Price Maintenance Price (1 year) Total price (1 year)
Mini US$ 995 Advanced US$ 385 US$ 1,380
Mercury 50 US$ 1,510 Advanced US$ 715 US$ 2,225
Mercury US$ 2,794 Advanced US$ 850 US$ 3,644

Table 2

Sophos Pricing

Model Price Subscription Price (1 year) Total price (1 year)
UTM 110  – BasicGuard Bundle  – US$ 695
UTM 110 US$ 595 Hardware Only  –  –
UTM 220 US$ 1,275 Hardware Only  –  –
UTM 220  – FullGuard Bundle  – US$ 2,870

Endian 3.0

Endian released the new version of its firewall in January. The version jump from 2.5.2 to 3.0 already shows that this is a major release. With the latest version, the developers have visually modernized the user interface and extended it to include other languages. In addition to English, Italian, and German, it now supports Japanese, Spanish, Portuguese, Russian, Chinese, and Turkish.

Cleaning up the GUI has also had a positive effect, especially in the VPN configuration dialogs. The dialogs in the past were not very intuitive, and the system lacked its own certification authority (CA) for certificate management. Additionally, several new features have been introduced, including the previously missing HTTPS proxy.

The outgoing firewall is now familiar with applications like Dropbox, Facebook, Twitter, and Skype and thus allows more finely tuned firewall rules (Figure 1). In version 3.0, the Endian Firewall also replaces the ntop tool for visualizing network traffic with its successor ntopng [8] (Figure 2). It also uses the new Application Control Module (ntop Deep Packet Inspection library).

Figure 1: The new application control in the Endian Firewall now also blocks specific applications and services.
Figure 2: In version 3.0 of the new Network Monitor, ntopng finds its way into the Endian firewall; it also detects applications in the network traffic.

Installing Endian Firewall

If you want to test the Enterprise Edition before buying, you will find an online demo on the Endian site. Alternatively, Endian provides test licenses for the commercial version but only with registration [2]. The activation code required for the installation and a download link for the ISO image are sent to you by email. Also, the community edition is available for free downloading.

Whether you use a physical system or a virtual machine for the test, you need a dual-core processor clocked at 2GHz, 1GB of RAM, and 20GB of free hard disk space. After completing the installation, you can initially access the web interface on the default IP address of http://192.168.0.15:10443 . You need to use the passwords for the root user for shell access and admin for the web interface and register your account with the Endian Network for the Enterprise version. This cloud-based management center for Endian Enterprise installations lets you monitor the remaining maintenance period, as well as the hardware resources and your licenses – for example, for the commercial antivirus and URL filters.

The Endian Network also handles the installation of updates and the remote management of Endian Enterprise installations. Access for this purpose is via a reverse HTTPS or SSH tunnel. Additionally, the Endian Network provides a free OpenVPN client for Windows, Mac, and Linux as well as disaster recovery keys (USB images) for restoring Endian hardware appliances.

The Endian Firewall enables the most important services in the direction of the Internet following a default installation: HTTP(S), FTP, SMTP, POP3(S), IMAP(S), DNS, and ping. You can configure this under Firewall  | Outgoing traffic . New firewall rules need to specify the source and target networks or the interface and the desired protocol.

Endian uses the same color coding as IPCop for the network interface (Figure 3). Green refers to the internal network (LAN), red to the external WAN interface, orange the DMZ, and blue the WiFi network. The new Endian version has an Application field that also lets you ban individual protocols or applications. For example, it prevents the use of Facebook and Skype:

Source: Interface Green/Blue
Target: Interface Red
Service: HTTP
Application: Facebook, Skype
Guideline: Reject
Figure 3: Color highlighting enhances readability of the information.

This rule must come first in the outgoing firewall configuration. It is followed by a rule that allows HTTP to the outside and with no restrictions for applications.

The integrated open source ClamAV antivirus scanner can be supplemented in the commercial version of Endian UTM by a license for the Panda antivirus scanner. IT works with HTTP, SMTP, FTP, and POP3 proxies; the configuration is found below Services | Antivirus Engine .

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus