Firewall Lab Setup: Untangle


What is a firewall? A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and an untrusted external network, such as the Internet. (Wikipedia)

Firewalls are also categorized as network firewalls and host-based firewalls. Network firewalls run on network hardware and filter traffic between two or more networks. Host-based firewalls run on the host itself and control the traffic going in and out of that device.

Here are the major types of firewalls.
  • First generation: Packet-filtering firewalls
  • Circuit-level gateways
  • Stateful packet inspection
  • Application-level gateway

Table of Contents

· Downloading untangle-15.1.0-amd64.ova
· Introduction of Untangle NG Firewall
· Creating a Virtual Machine with VMWare Workstation
· Configuration of Untangle
· Configuration of Untangle APPS Part I: Web Filtering & SSL Inspector

Introduction of Untangle NG Firewall

Untangle is NGFW/UTM software that brings together everything your network needs to stay healthy on one box: web content and spam filtering, virus scanning, VPN connectivity, multi-WAN failover and much more. Its friendly web-based interface helps you track and filter the traffic on your network, which keeps deployment and management simple.

Requirements: a minimum of 2 GB RAM, a dual-core processor, 8 GB of hard drive space and at least 2 LAN cards.

Creating a Virtual Machine with VMWare Workstation

Once the untangle.ova file is downloaded, double-click it and the setup will start.




The Setup Wizard will open automatically when Untangle first boots.

Language selection

Before you begin the setup wizard, select your preferred language.


The next screen simply welcomes you to the Setup Wizard. Click Next to continue. On the Untangle Software License screen, click Agree.


Configure the Server: in the first step you set a password for the administrator account and select a time zone. An admin e-mail address can also be entered to receive alerts and reports. The install type field is optional.
Now click on Network Cards.


Identify Network Cards: if this is an Untangle appliance, you can simply click Next to move on.

Note: if this is a custom server, be sure that the physical network cards are mapped to the right (intended) interfaces.


Configure Interfaces

The default selection is Auto (DHCP). If an address was successfully acquired, the automatically assigned address is displayed; otherwise, click Renew DHCP to acquire an IP address. Click Test Connectivity to verify Internet access.


Configure your Internal network interface
Configure your "Internal" interface (including its DHCP server and NAT configuration). There are two choices: NAT or Bridge.
In router (NAT) mode Untangle is the edge device on your network and acts as both firewall and router. In this case you need to configure the external and internal interfaces correctly for traffic to flow.
 
We must configure the internal interface with a private static IP address and enable DHCP and NAT (Network Address Translation) so that all the internal machines share one public IP. This is generally called router mode.
In my testing lab I am not enabling DHCP.


Automatic Upgrades
If Automatic Upgrades is enabled, NG Firewall automatically checks for new versions and performs the upgrade.
In my testing lab I am not enabling "Connect to Command Center".


Setup Wizard – Finished. That's it!

Click on Go to Dashboard


 
Configuration of Untangle

In part one we are going to learn how to configure web filtering.

Congratulations! Untangle is ready to be configured. Click on Continue.
  



The next steps include registration.


After finishing registration, click on Continue.


Now install the desired apps and, if needed, tune the configuration of Untangle NG Firewall.
In my testing lab I am going with Install the recommended Apps.


The recommended apps are now installed, as you can see on the screen, and you can install the other available apps as required.

On the Apps tab you will see the currently installed apps. 
  


Let's go to the Untangle Dashboard, where you can see almost all the information on one page.



To see how the Untangle network cards are configured, navigate to the Config tab.


The config tab holds all the settings related to configuration of the Untangle server itself and settings for components of the platform that apps may interact with.


Configuration of Untangle APPS Part I: Web Filtering
Let's use a Windows 10 system as the Untangle client.
This client is an internal system, and we will set its default gateway to 192.168.2.1.


Now you can see that the Internet is working and the social networking site facebook.com opens.
  


Block Categories
Now come back to the Dashboard of the Untangle firewall and go to Apps > Web Filter > Categories tab > Social Networking.



Categories Tab: categories allow you to change which website categories are blocked or flagged. Blocked categories show the user the block page; flagged categories let the user access the site, but the visit is silently flagged as a violation in the event logs and reports. For all Web Filter options, these block / flag actions work the same way.

For our testing lab we are going to block Social Networking sites. Click on Save.


 
Now you can see that on the client system the social networking site www.facebook.com is blocked and does not open.


Lookup Site Tab

Now go back to the Untangle Dashboard: Apps > Web Filter > Site Lookup.

Site Lookup lets you find the category of a URL. Clicking it opens a dialog; enter the URL in the Web URL field and click Search.
Now we look up the www.hackingarticles.in site: click Search and see the result.

 

Block Sites Tab

Now go back to the Untangle Dashboard: Apps > Web Filter > Block Sites.

Under Block Sites you can add individual domain names you want to be blocked or flagged - just enter the domain name (e.g. youtube.com) and specify your chosen action.

We are going to block the www.ignitetechnologies.in site.

Click Add, type the site you want to block, then click Done.


 
Then click on Save.


Let's check on the client system.

Type the site www.ignitetechnologies.in and, bingo, the site is now blocked.


Pass Sites Tab

Now go back to the Untangle Dashboard: Apps > Web Filter > Pass Sites.
Pass Sites is used to pass content that would otherwise have been blocked. This is useful for "unblocking" pages that the block settings would otherwise catch.
Domains added to the Pass Sites list are permitted even if they are blocked by a category or as individual URLs; just add and save the domain. When the Pass option is unchecked, the site can be blocked as though the entry did not exist.
I am going to pass the www.linkedin.com/ site as an example.

Click Add, type the required site and click Done.

 
Then click on Save.


Now on the client system open a browser and type www.linkedin.com/ in the URL bar: the site opens.


Pass Clients
Let's add another client whose IP is 192.168.2.11 and whose default gateway is the Untangle IP 192.168.2.1.

 
On this system, let's try to open the www.linkedin.com site: the result shows that this site falls under a blocked Web Filter category.


 

Now go back to the Untangle Dashboard: Apps > Web Filter > Pass Clients.

Pass Clients Tab: If you add an IP address to this list, Web Filter will not block any traffic from that IP regardless of the blocked categories or sites.

Just add the IP 192.168.2.11, enable the Pass option, then save the configuration as shown in the image.



Now on the client system open a browser and type www.linkedin.com: bingo, this system now has full access thanks to the Pass Clients setting.
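The four Web Filter tabs above interact in a fixed order (a passed client bypasses everything, a passed site overrides both Block Sites and blocked categories). The script below is an added model of that order, not Untangle's own code: the lists are constructed from this lab, the domain-to-category table stands in for Untangle's category lookup, the client IP 192.168.2.10 is invented, and matching a parent domain against its subdomains is an assumption.

```powershell
# Added example (not Untangle code): model the Web Filter decision order of this lab.
$PassClients       = @('192.168.2.11')
$PassSites         = @('linkedin.com')
$BlockSites        = @('ignitetechnologies.in')
$BlockedCategories = @('Social Networking')
# Constructed stand-in for Untangle's category lookup (the Site Lookup tab)
$CategoryOf = @{
    'facebook.com'       = 'Social Networking'
    'linkedin.com'       = 'Social Networking'
    'hackingarticles.in' = 'Security'   # constructed category, not Untangle's verdict
}

function Test-DomainEntry {
    param([string] $HostName, [string] $Entry)
    # Assumption: an entry such as youtube.com also covers www.youtube.com
    return ($HostName -eq $Entry) -or $HostName.EndsWith('.' + $Entry)
}

function Get-WebFilterDecision {
    param([string] $ClientIp, [string] $Url)
    # Normalise "www.linkedin.com/" or "https://www.linkedin.com/x" to the host name
    $hostName = ((($Url -replace '^[a-z]+://', '') -split '/')[0]).ToLowerInvariant()
    # 1. Pass Clients: the filter is bypassed regardless of sites or categories
    if ($PassClients -contains $ClientIp) { return 'pass: client is on the Pass Clients list' }
    # 2. Pass Sites: overrides both Block Sites and blocked categories
    foreach ($e in $PassSites)  { if (Test-DomainEntry $hostName $e) { return "pass: $e is a Pass Site" } }
    # 3. Block Sites: explicit domain entries
    foreach ($e in $BlockSites) { if (Test-DomainEntry $hostName $e) { return "block: $e is a Block Site" } }
    # 4. Categories: look the domain up and apply the category's block action
    foreach ($e in $CategoryOf.Keys) {
        if ((Test-DomainEntry $hostName $e) -and ($BlockedCategories -contains $CategoryOf[$e])) {
            return "block: category $($CategoryOf[$e]) is blocked"
        }
    }
    return 'pass: no rule matched'
}

# The lab scenarios: first client (constructed IP) versus the passed client 192.168.2.11
foreach ($ip in '192.168.2.10', '192.168.2.11') {
    foreach ($site in 'www.facebook.com', 'www.ignitetechnologies.in', 'www.linkedin.com/', 'www.hackingarticles.in') {
        '{0,-13} {1,-27} {2}' -f $ip, $site, (Get-WebFilterDecision -ClientIp $ip -Url $site)
    }
}
```

Changing one list and re-running shows the effect a tab change will have before touching the client VM.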


About SSL Inspector
The SSL Inspector is a special application that allows the other Untangle applications that process HTTP traffic to also process encrypted HTTPS traffic, and the SMTP processing applications to also process SMTP over SSL. It does this by decrypting and re-encrypting the SSL traffic on the Untangle server so that the relevant applications and services can inspect it.

Navigate to Apps > SSL Inspector and turn the SSL Inspector ON.

 
Now let's check on the client side: open a browser and type any site name in the URL bar.
You can see that after the SSL Inspector is enabled all sites are blocked (the browser does not yet trust the certificate the inspector presents).

 
How these sites can be made to work on the client system with the SSL Inspector enabled is continued in Configuration of Untangle APPS Part II.

Defensive Evasion: Alternate Data Streams

Alternate Data Streams are an artifact of the New Technology File System (NTFS) introduced by Windows. They were originally added to provide compatibility for file sharing with the older Hierarchical File System (HFS) of Macintosh systems, where a file's data could be forked into different resources, and to store additional data about a file, called metadata.
The feature was introduced for a legitimate purpose, but attackers have found ways to abuse it by hiding payloads, malware, keyloggers, etc. in any type of file (text, audio, video, images) and executing them without the user's knowledge.
Many users are still unaware of this feature, so hidden streams with malicious intent can go unnoticed, as they are nearly impossible to detect by casual inspection.

Table of Contents
NTFS
Alternate Data Stream
Key Notes on Alternate Data Stream
Hiding a file
ADS with PowerShell
NTFS to FAT
Hiding an image in text file
Hiding Audio in a text file

New Technology File System (NTFS)
In NTFS, every allocated sector in a volume belongs to a file. A file is composed of its data and its metadata. The metadata usually comprises items like the file name, attribute type, attribute name and file security information. The file metadata and file data are treated as one combined set. The Master File Table (MFT) contains the base file record for every file and directory in an NTFS volume, along with other file details.
The file name and its timestamps are kept as resident attributes. If the attributes of a file do not fit in its MFT file record, they are termed non-resident and are allocated to one or more clusters on the disk. Additional named $DATA attributes stored in this way are the alternate data streams within the NTFS volume.
The default stream is unnamed, and the default stream type in NTFS is $DATA.
NTFS stores a file in the following format.



Alternate Data Stream
Within NTFS, a file comprises several data streams. The primary data stream is an unnamed stream that holds the data you see when you open the file, hence it is called the default stream. Any further stream is an alternate data stream. A file can have more than one alternate data stream for various purposes, holding metadata about the file. An ADS can hold malicious content that is attached alongside the default stream. When you attach an ADS to a file, neither the size shown for that file nor its function changes.


Alternate data streams usually deal with file integrity within the server. A user will never be able to recognise an ADS just by looking at the file, nor tell whether it carries an extra executable or text element. Alternate data streams generally deal with maintaining the confidentiality of files that are being sent or are at rest on the system.
Attackers can use ADS to evade defenses such as static indicator scanning tools and anti-virus software deployed by the victim. Covering their tracks on Windows systems with ADS is a fairly popular attacker technique.


Hiding a file
Here we are going to learn how to use Alternate Data Streams to hide a file using the Command Prompt on a Windows PC. To get started, boot the Windows system and run Command Prompt as administrator so that these tasks can be performed.
Create a folder so you can locate the files in use quickly. Here we have created a folder named jeenali.
Now use the cd command to move to your folder's path.
Here we use a .txt file as our primary stream to demonstrate ADS; you can use any file you prefer.
A .txt file is created and content is added to it with the command:
echo Welcome to ignite Technologies > jeenali.txt
To display the contents of your .txt file, use:
type jeenali.txt
To display the contents of the folder including alternate data streams, use:
dir /r


In the above image you can see that no hidden stream is displayed. If you open the folder in the GUI, you see only one file. So now we will add a hidden stream to the file.


Here we proceed to create the hidden stream. An ADS named hidden is attached to the .txt file and content is added to it with the command:
echo Join Our Training Programs > jeenali.txt:hidden
To display the contents of the newly created stream, you might try:
type jeenali.txt:hidden
Here you see that the file name is not recognised (type cannot read a stream directly); therefore, to see the hidden stream's content, use:
more < jeenali.txt:hidden
To display the contents of the folder including alternate data streams, use:
dir /r
Here we see that the ADS is now displayed as well.


To open the hidden stream and see its contents you can use:
notepad .\jeenali.txt:hidden
Here you can see a Notepad window open with the hidden contents displayed.


ADS with PowerShell
Let's begin by running PowerShell as administrator.
A .txt file is created and content is added to it with the command:
echo "Welcome to Hacking Articles!" > raj.txt
Now, to create an ADS named text and put hidden content in it, use:
Set-Content .\raj.txt -Stream text -Value "Hello World"
We can read the hidden ADS content using:
Get-Content .\raj.txt -Stream text
But when you use the dir command, you cannot see the hidden stream:
dir


To see all the streams of the file you can use:
Get-Item -Path .\raj.txt -Stream *
Here you can see the primary stream (:$DATA) as well as the newly created ADS named text.


NTFS to FAT
If you copy a file with an ADS from NTFS to FAT32, the alternate data stream is destroyed.
Here an ADS was created on an NTFS volume, but as soon as the file is copied to a FAT32 flash drive you see the prompt below, which warns that the file cannot be copied with its ADS. This is because the ADS feature was introduced with NTFS and FAT32 does not support it.


Hiding an image in a text file
Start Command Prompt as administrator and change to the folder containing our files. To list the contents of the folder, type:
C:\Users\raj\Desktop\ads> dir


You can see two files (one is the text file, our primary stream, and the other is an image file). Now we will attach the image file to the text file as an ADS using:
type panda.jpg > jeeni.txt:panda.jpg
After attaching it to the primary stream file, delete the image file from the folder:
del panda.jpg
Now the image file is gone, but a new ADS has been created, which you can check using:
dir /r


Change the directory to System32 and run mspaint against the ADS; you can see that the hidden image is opened from the text file's stream:
C:\Windows\system32> mspaint.exe C:\Users\raj\Desktop\ads\jeeni.txt:panda.jpg


Hiding audio in a text file
Again, start Command Prompt as administrator and change to the folder containing our files. To list the contents of the folder, type:
C:\Users\raj\Desktop\ads> dir
You can see that there are only a text file and an audio file.


Now we will attach the audio file to the text file as an ADS using:
type ignite.mp3 > jeeni.txt:ignite.mp3
After attaching it to the primary stream file, delete the audio file from the folder:
del ignite.mp3
Now the audio file is gone, but a new ADS has been created, which you can check using:
dir /r


Change to the Windows Media Player folder and run wmplayer against the ADS; the hidden audio plays from the text file's stream:
cd "C:\Program Files (x86)\Windows Media Player"
wmplayer.exe C:\Users\raj\Desktop\ads\jeeni.txt:ignite.mp3
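Every stream created in the sections above (jeenali.txt:hidden, raj.txt:text, jeeni.txt:panda.jpg, jeeni.txt:ignite.mp3) is invisible to dir and Explorer but is reported by the same Get-Item -Stream * call used in the PowerShell section. The script below is an added example, not part of the original article, that turns that call into a recursive sweep a defender can run over a suspect folder; the lab path C:\Users\raj\Desktop\ads is taken from the article and the list of "interesting" stream extensions is my own choice.

```powershell
# Added example (not from the original article): list every alternate data stream
# under a folder so hidden streams like jeeni.txt:panda.jpg stand out.
# Requires Windows PowerShell 5.1 or later and an NTFS volume.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the "mark of the web" browsers add to downloads;
        # it is legitimate noise here unless explicitly requested
        [switch] $IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * returns one record per $DATA stream; ':$DATA' is the primary one
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
    } |
    Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
    ForEach-Object {
        [pscustomobject]@{
            File       = $_.FileName
            Stream     = $_.Stream
            Length     = $_.Length
            # the path form that notepad, more or mspaint accept for a stream
            StreamPath = '{0}:{1}' -f $_.FileName, $_.Stream
            # a stream named like an executable or media file deserves a closer look
            Flagged    = $_.Stream -match '\.(exe|dll|ps1|bat|cmd|vbs|js|jpg|png|mp3)$'
        }
    }
}

# Sweep the lab folder from the article
Find-AlternateDataStream -Path 'C:\Users\raj\Desktop\ads' | Format-Table -AutoSize

# Once a stream has been reviewed it can be dropped without touching the primary data:
# Remove-Item -LiteralPath 'C:\Users\raj\Desktop\ads\jeeni.txt' -Stream 'panda.jpg'
```

Point it at a user profile or a web root rather than the lab folder to find streams that dir /r would only show one directory at a time.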


Conclusion: We hope this article has given you a better understanding of alternate data streams. There are many more ways in which alternate data streams can be used.