Untangle Announces Wi-Fi Router Distro

[thiggins]

Security software and appliance company Untangle announced the release of a new operating system for consumer Wi-Fi routers today at DEF CON 24.

Untangle NG Firewall is aimed at SOHO and small-to-medium businesses that desire "enterprise-grade perimeter security" and Unified Threat Management (UTM) features with the ease of use of a consumer product.

Key features of Untangle NG Firewall include traffic logs, access management for websites, applications and content based on device, user, time of day, day of week and other criteria. Drill-down reports are available via the "360° Dashboard" feature.

NG Firewall is now available to be flashed onto the Asus AC3100 RT-AC88U. Visit Untangle for more information on Untangle NG Firewall.

 

[sfx2000]

Here's another view of that table - being in Wiki markup, they'll probably keep that more up to date..

https://wiki.untangle.com/index.php/Firmware_Feature_Comparison

 

[pete y testing]

NG Firewall is now available to be flashed onto the Asus AC3100 RT-AC88U. Visit Untangle for more information on Untangle NG Firewall.

for the complete package at a minimum $540 would it be worth it , there seems to be a free version but its limited

see

https://www.untangle.com/untangle-ng-firewall/software-packages/

 

[peraburek]

interested to hear feedback, AC88U with Untangle FW could be nice router for SMB, competitor to Synology AC2600 (with IDS/IPS)

 

[RMerlin]

How are they dealing with Broadcom's closed source and proprietary components?

 

[sfx2000]

How are they dealing with Broadcom's closed source and proprietary components?

My guess at the moment - It's via OpenWRT, or they've made a deal with Broadcom directly...

First thoughts is they've merged their stuff on top of OpenWRT. It's a more modern codebase, and cleaner build platform compared to the otherWRT's...

Second thought here - they've built on top of the "other" SDK/HDK, e.g. the "board bring up", not the "Router in a Box" platform that most OEM's get. I've been aware of this for a long time... since '07, and it hasn't changed that much, and it's full of closed source...

Won't know until someone gets one to dig into...

 

[RMerlin]

I had a quick look through their website documentation. I like the design they went with: you mostly flash a bootstrap, and the firmware itself is stored on USB.

Sent from my Nexus 9 using Tapatalk

 

[peraburek]

and what happens when USB stick/memory fail? router is "gone" together with configuration?

 

[thiggins]

and what happens when USB stick/memory fail? router is "gone" together with configuration?

Back up the stick

 

[abailey]

Untangle has several ways to back up, but in this instance simply backing up the stick is the simplest. There is also a built in nightly backup to the cloud (unless you disable it).

 

[RMerlin]

and what happens when USB stick/memory fail? router is "gone" together with configuration?

Same thing as with any computer: backups should be considered mandatory, not just "a nice suggestion".

 

[highwire]

NG Firewall is now available to be flashed onto the Asus AC3100 RT-AC88U. Visit Untangle for more information on Untangle NG Firewall.

Well, it sucks to be a Canadian because ASUS doesn't sell that model (the RT-AC88U) here. We get the RT-AC3100 instead.

The dashboard makes this look very compelling. If I had an RT-AC88U (I have a RT-AC3100), I would give it a try.

 

[Mordred]

Well their feature comparison is just a bunch of BS. At least for dd-wrt they do not list included features as supported. E.g.:

-IPV6, is integrated into webif
-snmp is integrated and it comes with even more powerful zabbix
-dos protection is included
-ad blocking is included, using it right now
-captive portal, never used it, but there are several included in webif
-qos webintegration in webif

they talk about radius, they don't mention if only client or server radius support is available, I doubt they have radius server support

I see lot of features missing compared to dd-wrt.

If they can't even do a proper comparison, how good can their product be.
I also doubt, that half of their apps will perform well. I have a IPS at work, this thing runs on a quad core 3Ghz and needs massive resources in order to handle a gigabit line for a couple of users.
With so many services on a cpu/ram limited router this thing will not only perform bad it will also open up a lot of new security issues.

 

[RMerlin]

Well their feature comparison is just a bunch of BS. At least for dd-wrt they do not list included features as supported.

Their Asuswrt feature list also contains a couple of errors.

If they ever add support for the RT-AC5300 (very similar hardware) I might give it a try to take a closer look. Don't want to do it with the RT-AC88U since it's my main router at the moment.

 

[abailey]

If anyone is really interested in giving the Untangle firmware a try I strongly suggest you do a little research about the product, and more specifically the firmware product, before you jump into it. I certainly would never pick a product (any product) based on a comparison chart. They never list everything. I run Untangle at home and I can tell you many of the features Untangle has are not listed on the comparison chart. That being said, it seems like Untangle's marketing is similar to Ubiquity's. They don't tell the entire story on the surface, you have to do a little research. For example here is a quote from an Untangle employee "For those familiar with Untangle this is just regular v12.1 Untangle especially tuned for this router." That makes it sound like all the features of the normal 12.1 will be there, with some "tuning" differences. Well come to find out through some digging that some of the tuning differences are the reduction in features vs the full version. An example is the IPS. The IPS is not available on the firmware version.
He is a quote from Untangle:
"We won't be able to support the AC87U because it only has 128 meg of RAM.
We hope to certainly support more routers soon, but we'll likely only ever support routers with 512 megs of RAM. All the layer-7 inspection and apps and logging and reporting requires a lot of RAM. It was very difficult to get it working at 512 megs - especially if you lose 128 megs to a ramdisk for the database!
The good news is that DD-WRT and OpenWRT already provide really good options for these IMO. They just don't give you the UTM/security and reporting/logging functionality, but that wouldn't be possible in 128 meg anyway. Hopefully we'll find some cheaper 512-meg models to support soon from vendors that intend to support open source firmwares - stay tuned.
As for running on an ARM vs bigger x86 server, aside from the cost and form factors, its the same software. The AC88U and routers similar to it are amazingly capable. 1.4Ghz dual core is capable of a lot.
But with only 512 meg we did remove some of the apps because there is no way they will fit in 512 meg:
Intrusion Prevention (snort is way too big)
Web Cache (no disk)
Web Filter Lite (the non-premium version stores the DB in memory but there is no room for this)
All the SMTP apps that require clam or spamassassin daemons.
Additionally other apps have been modified to work differently.
Virus Blocker uses a cloud lookup only. It doesn't run the bitdefender daemon locally.
And Reports will log to a ramdisk if you run off a USB key. If run off a disk it logs to the disk normally.
Other than those and some other minor tuning changes its pretty much the same as running on x86."

 

[RMerlin]

That's kinda underwhelming then. Might as well stick to Asuswrt (the Trend Micro DPI engine is quite nice), or go with OpenWRT if you have really special networking needs.

 

[Mordred]

So it is just a bunch of opensource tools (snort, clamav...) with a frontend. LOL

I have been working with snort for several years in an enterprise environment. Snort requires a professional admin, it is completely useless to a regular computer enthusiast.

A cloud lookup virus blocker, wtf, this is a huge privacy issue. Even if it just transfers hashes, it would know everything I download.
But hashing needs cpu power and I doubt it can hash large downloads etc. Cloudscan will always have issues.

Thus as I thought just a bunch of useless features, that come with a nice looking gui. My privoxy running on an R7000 needs around 100MB of RAM if a bunch of clients surf the net and it can't really handle more then 100mbps.

The whole security concept of running such services on your router is bad. In professional networks you separate these things. IDS etc. only receive mirrored traffic, have no access to the network so an attacker cannot use vulnerabilities in those apps to gain access.

The webfilter is like these stupid adblock scripts pulling in filter list from remote sites, this alone is a huge risk.

Sorry to be so negative, but I'm just sad, that so many companies make their profit with oss, while the developers behind these projects can't even pay for their server costs, e.g. bsd, openssl etc.

 

[abailey]

That's kinda underwhelming then. Might as well stick to Asuswrt (the Trend Micro DPI engine is quite nice), or go with OpenWRT if you have really special networking needs.

I agree. When they first announced the firmware, they said it was Beta. Have not seen that since but to me it still looks Beta. If they really want it to take off they need to clearly show the differences between the normal Untangle and the stripped down firmware version. The confusion can lead to some unhappy people and some bad publicity. Now the full version of Untangle, I think is awesome (especially for home use). I have looked high and low for something like Untangle, and have had three similar setups at my house but none worked as well as Untangle and all the others were more expensive. The closest thing I had to Untangle was the Zyxel USG series firewall, but it was more expensive per year and much less powerful.

 

[RMerlin]

So it is just a bunch of opensource tools (snort, clamav...) with a frontend. LOL

And what's wrong with that?

A cloud lookup virus blocker, wtf, this is a huge privacy issue. Even if it just transfers hashes, it would know everything I download.

That's how a lot of modern antivirus software work now. Local based signatures are half useless as they would be far too large, and require constant updating, so most of them now leverage the cloud for more accurate detection.

An hash isn't enough to identify "everything you download". They have databases of known bad files, not of known good files (which would be endless!)

Sorry to be so negative, but I'm just sad, that so many companies make their profit with oss, while the developers behind these projects can't even pay for their server costs, e.g. bsd, openssl etc.

I can't speak for Untangle, but I'm aware of at least one company that sells routers loaded with customized firmwares, which does send money back to the developers of those software projects. I know this for a fact because I've received donations from that company in the past (and they don't even sell products running my firmware, but the Tomato code they ship with does include some of my work.) And, you also have others that will sponsor development. Fairly sure the snort devs are well compensated, considering they also sell a commercial product, and considering who owns them now.

Yes, some companies are a bit "rotten". I know a few that take open source projects, customize it, resell it, and never give anything back (neither money nor code). But that doesn't mean they are all like that. I'm not very familiar with the Untangle folks, but I have no reason to think they are part of the rotten ones at this time, unless proven otherwise.

So no, nothing wrong with companies selling a product leveraging open source products, as long they do it properly.

 

[RMerlin]

I agree. When they first announced the firmware, they said it was Beta. Have not seen that since but to me it still looks Beta.

Since they only support a single model at this point, I suspect that they are just getting their feet wet, and evaluating how the market reacts. There's definitely some market potential there with that approach. As mentioned, those dual-core CPUs are quite capable (as long you don't involve any cipher work).

If that proof-of-concept works well, imagine that on the next Broadcom generation, with dual-core, 64-bit and AES acceleration support.

A lot of advanced routers are fairly complicated to configure/manage when you start dealing with a more complex network environment. Never underestimate the value of a well-designed UI. That alone can be reason enough for someone to buy your product, as spending hours around a CLI can be more expensive than spending some money toward a well designed management interface. Especially if you have to pay someone to do that configuration work.