Initial Endian Configuration

Access https://ip_server:10443

The first screen has nothing to configure; just select >>>.

Now we select the language and the timezone, then select >>>.

Now we accept the license and select >>>.

Now we only need to select >>>; otherwise, change No to Yes to restore a backup.

Now we set the passwords for the web frontend (user: admin) and for SSH (user: root), then select >>>.

Now we configure the type of WAN connection; I select ETHERNET STATIC and >>>.

Here we only need to select >>>.

Now we set the LAN IP address, select the interface that will work as LAN, set the hostname and domain name, and select >>>.

Now we select the interface that will work as WAN; here we can also set the MTU and other options. Set DNS to manual and select >>>.

Now we can set the DNS servers and select >>>.

Now we can set up the e-mail account that Endian will use to send notifications, and select >>>.

This is the last step, so make sure everything is correct and select OK, apply configuration.

Now we get a summary of the configuration and a link that redirects us to the new IP address.

After a few seconds the browser asks for a user and password: the user is admin and the password is the one configured in the password step. After that we get the following screen.
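The wizard accepts whatever addresses are typed in, and a wrong gateway or an overlapping LAN/WAN subnet only shows up once the new configuration is applied and the web interface stops answering. As an added example (not part of the original page or of Endian's own code), the following script pre-checks the values for the ETHERNET STATIC uplink, the LAN address, the manual DNS servers and the host/domain names before they are entered. All addresses in `SAMPLE_CONFIG` are constructed, and the 68..1500 MTU range is an assumption based on standard Ethernet.

```python
import ipaddress

# Constructed values standing in for what is typed into the wizard
# (hypothetical addresses, not from any real deployment).
SAMPLE_CONFIG = {
    "lan_ip": "192.168.10.1/24",
    "wan_ip": "203.0.113.10/29",
    "wan_gateway": "203.0.113.9",
    "wan_mtu": 1500,
    "dns_servers": ["203.0.113.2", "198.51.100.53"],
    "hostname": "fw01",
    "domainname": "example.internal",
}

MIN_MTU = 68      # IPv4 minimum
MAX_MTU = 1500    # standard Ethernet; raise this for jumbo-frame uplinks (assumption)


def valid_dns_name(name):
    """RFC 1123 host/domain name: dot-separated labels of letters, digits and inner hyphens."""
    return all(
        label and len(label) <= 63
        and not label.startswith("-") and not label.endswith("-")
        and all(c.isalnum() or c == "-" for c in label)
        for label in name.split(".")
    )


def validate_network_config(cfg):
    """Return the list of inconsistencies found; an empty list means the values fit together."""
    problems = []
    try:
        lan = ipaddress.ip_interface(cfg["lan_ip"])
        wan = ipaddress.ip_interface(cfg["wan_ip"])
    except ValueError as exc:
        return [f"unparseable interface address: {exc}"]

    # The network or broadcast address of a subnet cannot be assigned to an interface.
    for label, iface in (("LAN", lan), ("WAN", wan)):
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{label} address is the network or broadcast address")

    # Overlapping LAN and WAN subnets leave the kernel with two routes for the same addresses.
    if lan.network.overlaps(wan.network):
        problems.append("LAN and WAN networks overlap")

    # The default gateway has to be a neighbour on the WAN subnet, and not the appliance itself.
    try:
        gw = ipaddress.ip_address(cfg["wan_gateway"])
    except ValueError:
        problems.append("WAN gateway is not a valid IP address")
    else:
        if gw not in wan.network:
            problems.append("WAN gateway is outside the WAN subnet")
        elif gw == wan.ip:
            problems.append("WAN gateway equals the WAN address")

    if not MIN_MTU <= int(cfg["wan_mtu"]) <= MAX_MTU:
        problems.append(f"WAN MTU outside the {MIN_MTU}..{MAX_MTU} range")

    # Manual DNS: at least one server, each a parseable address.
    if not cfg["dns_servers"]:
        problems.append("no DNS servers configured")
    for server in cfg["dns_servers"]:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not a valid IP address")

    for key in ("hostname", "domainname"):
        if not valid_dns_name(cfg[key]):
            problems.append(f"{key} {cfg[key]!r} is not a valid DNS name")
    return problems


if __name__ == "__main__":
    issues = validate_network_config(SAMPLE_CONFIG)
    print("configuration consistent" if not issues else "\n".join(issues))
```

Run it with the real values substituted into `SAMPLE_CONFIG`; every string it returns names a value that would need to be fixed in the wizard before selecting OK, apply configuration.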

Overview

Let's take a look at every menu.

Endian/System/Dashboard The Dashboard is the default page, the one that is displayed upon every login. It encompasses several boxes ("plugins") organised in two columns that provide a complete overview of the running system and of its health. The top of each box reports the name of the box. The Dashboard has lately undergone some changes in its usability and new features have been added to improve the interaction with the user. The information visible on screen is updated at regular intervals.

Endian/System/Network configuration The configuration of the networks and of the network interfaces serving the zones is fast and easy with this 8-step wizard. It is possible to freely navigate back and forth through the steps, using the «< and »> buttons, and even to cancel the actions done so far at any moment. Only at the last step is it required to confirm the new settings; in that case, all the changes made will be applied. Note that while applying the new settings, the web interface might not respond for a short period.

Endian/System/Event notifications/Settings Whenever some critical event takes place on the Endian UTM Appliance (e.g., a partition is filling up, or there are updates available), there is the option to be immediately informed by e-mail about it and to promptly take some actions to solve a problem, if required.

Endian/System/Event notifications/Events This tab shows a list of all the events that can produce a notification message and allows configuring the actions to be taken when each of the events occurs. Right above the list there is a small navigation bar and a search field: the latter can be used to filter only the relevant items.

Endian/System/Passwords In this page passwords can be changed for each of the three default users, by writing each new password twice and then pressing the corresponding Change Password button.

Endian/System/Web Console The web console provides an applet which emulates a terminal within the browser window, that serves as a CLI to carry out administrative tasks.

Endian/System/SSH access This screen allows enabling remote SSH access to the Endian UTM Appliance. It is disabled by default, which is the recommended setting. There are two boxes on the page: Secure Shell Access Settings and SSH host keys.

Endian/System/GUI settings Two configuration options for the GUI are present here. The first option is the language that will be used for the section names, the labels, and all the strings used in the web interface and can be selected from a drop-down menu. The languages currently supported are: English, German, Italian, Simplified Chinese, Japanese, Portuguese, Russian, Spanish, and Turkish.

Endian/System/Backup In this section the management of the backups can be carried out: Creation of backups of the current Endian UTM Appliance configuration and system rollback to one of these backups when needed. Backups can be saved locally on the Endian UTM Appliance host, on a USB stick, or downloaded to a workstation.

Endian/System/Shutdown Options to either shut down or reboot the Endian UTM Appliance, by clicking on the Shutdown or the Reboot button respectively, are provided on this page.

Endian/Status/System status The default page that opens when clicking on Menubar ‣ Status is the System status page, which gives a quick overview of the running services, memory, disk usage, uptime and users, loaded modules, and the kernel version, each in its own box. At the top of the page, there are hyperlinks to each box. In more detail, the information presented in each box is usually the output of some Linux command.

Endian/Status/Network status This page contains several pieces of information about the running state of the network interfaces. Four boxes are present on the page and, as for the System status, hyperlinks are provided at the top of the page for quicker access. The boxes contain the following information, representing the output of different shell commands.

Endian/Status/System graphs The graphs displayed on this page present the usage of resources during the last 24 hours: CPU, memory, swap, and disk usage, each accompanied by a legend of the data included in the graph, their associated colour, and a summary of the maximum, average, and current percentage of use. Moreover, a message informs of the time and date of the last update to the graphs, which matches the last access to the page.

Endian/Status/Traffic Graphs This page contains the traffic graphs for the last 24 hours, divided by zone. Hence, depending on the zones enabled and configured, this page will contain 2, 3, or 4 boxes, each with one graph. As for the System graphs, the graphs are accompanied by a legend of the data displayed.

Endian/Status/Proxy Graphs The access statistics of the HTTP proxy during the last 24 hours are shown here. There are no graphs on this page if the HTTP proxy service is not active and has never been enabled. However, if the service has been running even for a short period during the last year, the data produced are still accessible by clicking on the graph. Similarly to the other graphs, older statistics are shown for the last day, week, month, and year. On this page, a click on the BACK hyperlink at the bottom allows going back to the main page.

Endian/Status/Connections This page shows a table containing the list of current connections from, to, or going through the Endian UTM Appliance. The data shown here are derived from the kernel conntrack table. The following colours are employed in the table, as the background of the cells, to denote the source and destination zone of each connection.
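What the Connections page renders as coloured cells is a zone lookup on each tuple of the kernel conntrack table, and the reply tuple is what reveals whether a connection was masqueraded or port-forwarded. As an added example (not code from the page or from Endian), the following parser reads entries in the text format of `/proc/net/nf_conntrack`, assigns each endpoint to a zone and labels the NAT applied. The zone subnets, the appliance addresses and the three conntrack lines are constructed for the example.

```python
import ipaddress
import re

# Constructed zone layout for this example (hypothetical subnets, not from the page).
ZONES = {
    "GREEN": ipaddress.ip_network("192.168.10.0/24"),
    "ORANGE": ipaddress.ip_network("192.168.20.0/24"),
    "BLUE": ipaddress.ip_network("192.168.30.0/24"),
}
# Addresses owned by the appliance itself: its GREEN address and its RED (uplink) address.
FIREWALL_ADDRESSES = {
    ipaddress.ip_address("192.168.10.1"),
    ipaddress.ip_address("203.0.113.10"),
}

# Constructed entries in the text format of /proc/net/nf_conntrack: a GREEN client browsing
# the Internet (masqueraded), a BLUE client querying the appliance's DNS proxy, and an
# Internet host reaching a port-forwarded mail server in ORANGE.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.10.25 dst=203.0.113.50 sport=52314 dport=443 src=203.0.113.50 dst=203.0.113.10 sport=443 dport=52314 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.30.7 dst=192.168.10.1 sport=40001 dport=53 src=192.168.10.1 dst=192.168.30.7 sport=53 dport=40001 mark=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=198.51.100.77 dst=203.0.113.10 sport=33000 dport=25 [UNREPLIED] src=192.168.20.5 dst=198.51.100.77 sport=25 dport=33000 mark=0 use=1
"""

# One conntrack entry carries two tuples: the original direction and the reply direction.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def zone_of(ip_text):
    """Map an address to the zone it belongs to; anything outside the local zones is RED."""
    addr = ipaddress.ip_address(ip_text)
    if addr in FIREWALL_ADDRESSES:
        return "FIREWALL"
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "RED"


def parse_conntrack(text):
    """Parse conntrack lines into rows annotated with zones and the NAT applied, if any."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        tuples = TUPLE_RE.findall(line)
        if len(fields) < 6 or len(tuples) != 2:
            continue
        proto = fields[2]
        # TCP entries carry a state word after the timeout; UDP entries go straight to the tuples.
        state = fields[5] if proto == "tcp" else "-"
        (osrc, odst, _, odport), (rsrc, rdst, _, _) = tuples
        # A reply source that differs from the original destination means DNAT (port forwarding);
        # a reply destination that differs from the original source means SNAT (masquerading).
        if rsrc != odst:
            nat, real_dst = "DNAT", rsrc
        elif rdst != osrc:
            nat, real_dst = "SNAT", odst
        else:
            nat, real_dst = "none", odst
        rows.append({
            "proto": proto, "state": state,
            "src": osrc, "src_zone": zone_of(osrc),
            "dst": odst, "dst_zone": zone_of(odst),
            "real_dst_zone": zone_of(real_dst),
            "dport": int(odport), "nat": nat,
        })
    return rows


def count_by_zone_pair(rows):
    """Count connections per (source zone, real destination zone), as the coloured table groups them."""
    counts = {}
    for row in rows:
        key = (row["src_zone"], row["real_dst_zone"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for row in parse_conntrack(SAMPLE_CONNTRACK):
        print(f'{row["proto"]:<4} {row["state"]:<12} {row["src_zone"]:<8} {row["src"]:<16} -> '
              f'{row["real_dst_zone"]:<8} {row["dst"]}:{row["dport"]} nat={row["nat"]}')
```

On an appliance the same parser can be fed the live table (`cat /proc/net/nf_conntrack`) to spot, for instance, RED-to-ORANGE rows that do not match any port-forwarding rule one expects to exist.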

Endian/Status/VPN connections When OpenVPN or IPsec servers are running on the Endian UTM Appliance, this page shows the connected users, along with the service they rely on for the connection (OpenVPN, L2TP, IPsec Xauth), the time since they have been connected, and the possible actions that can be carried out; currently, the only action is to disconnect the user.

Endian/Status/SMTP mail statistics Four boxes appear on this page showing graphs about the email sent by the local SMTP server on the Endian UTM Appliance for the current day, week, month, and year.

Endian/Status/Mail queue When the SMTP proxy is enabled, this page shows the current e-mail queue. With no e-mails in the queue, the message Mail queue is empty is displayed, but when some e-mail is there, it is possible to flush the queue by clicking on the Flush mail queue button. With the SMTP proxy disabled, only the message recalling its disabled status is shown.

Endian/Network/Edit hosts The page contains the list of hosts previously defined. Each line contains an IP address, the associated hostname, and the domain name, if specified. Two actions are available for each entry.

Endian/Network/Routing/Static Routing A static route allows associating specific source and destination networks with a given gateway or uplink. A click on the Add a new route link above the table allows creating new routes by defining the following fields in the form that will appear.

Endian/Network/Routing/Policy Routing A policy route rule allows to associate specific network addresses, zones, or services (expressed as port and protocol) with a given uplink.

Endian/Network/Interfaces/Uplink editor By default, the uplink editor shows the available uplinks that have been created and the actions that can be executed on each of them, by clicking on the icons in the last column.

Endian/Network/Interfaces/VLANs The idea behind offering VLAN support in the Endian UTM Appliance is to allow arbitrary associations of VLAN IDs to the zones and to provide an additional level of separation (and therefore another level of security) between the zones. The existing VLANs are shown in the table, if any have already been created.

Endian/Services/DHCP server The DHCP server page is divided into two or three boxes, namely DHCP, in which to configure the DHCP server, Current fixed leases, showing the fixed leases, and Current dynamic leases that shows up only if at least one client has obtained a dynamic lease. Dynamic leases are assigned on a network basis within a given range that is configured in the first box, whereas fixed leases are assigned on a per-host basis and are configured in the second box.

Endian/Services/Dynamic DNS DDNS providers, like DynDNS or no-IP, offer a similar service when the IP address is dynamic, which is normally the case when using residential ADSL connections: any domain name can be registered and associated with a server with a dynamic IP address, which communicates any IP address change to the DDNS provider. To be compatible and to integrate with the root DNS servers, each time the IP address changes the update must then be actively propagated from the DDNS provider.

Endian/Services/Antivirus Engine On all types of Endian UTM Appliance, with the notable exception of the Mini Arm, there are two antivirus engines available that can be used to search for viruses and malware within files and documents: ClamAV and Panda, with ClamAV installed by default. Depending on which engines are installed, the page is organised into one or three tabs: if Panda is not installed, only the ClamAV antivirus tab appears; otherwise, the Global Settings and Panda Antivirus tabs are also present.

Endian/Services/Time server The Endian UTM Appliance uses NTP to keep its system time synchronised with time servers on the Internet. The settings available are grouped into two boxes.

Endian/Services/Spam Training The Endian UTM Appliance includes SpamAssassin as the engine to find and fight spam e-mails. While it is successful in the vast majority of cases, SpamAssassin needs to be trained to improve its ability to intercept spam e-mails. The configuration of the training for the antispam engine can be done on this page: indeed, SpamAssassin can learn automatically which e-mails are spam and which are not (the so-called ham mails). To be able to learn, it needs to connect to an IMAP host and check the pre-defined folders for spam and ham messages.

Endian/Services/Intrusion Prevention/Intrusion Prevention System The Endian UTM Appliance includes the well known intrusion detection (IDS) and prevention (IPS) system snort, which is directly built into iptables, to intercept and drop connections from unwanted or distrusted sources.

Endian/Services/Intrusion Prevention/Rules On the Rules tab appears the list of rule sets that are stored on the Endian UTM Appliance, along with the number of rules they contain and the actions that can be taken on them. The yellow triangle with an exclamation mark means that matching packets will be logged and passed; clicking on it changes it to a shield, which means that matching packets will be blocked and logged.
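Behind the triangle/shield toggle, each Snort rule starts with an action keyword: `alert` logs and passes the packet, `drop` blocks and logs it, and a rule commented out with `#` is disabled but still counted by the ruleset. As an added example (not the page's or Endian's code), the following script parses a constructed ruleset in Snort syntax, reports how many rules are enabled, disabled and blocking, and switches a single rule, identified by its `sid`, between the two actions the page describes. The ruleset, its `sid` values and messages are constructed for the example.

```python
import re

# Constructed ruleset in Snort rule syntax (hypothetical rules and sids, not Endian's own).
SAMPLE_RULESET = """\
# example.rules (constructed for illustration)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute force attempt"; flow:to_server; threshold:type both,track by_src,count 5,seconds 60; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE disabled telnet rule"; sid:1000002; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DNS amplification probe"; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE IRC outbound"; sid:1000004; rev:2;)
"""

# A rule is an action keyword, a header, and a parenthesised option list that carries the sid.
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<body>.*\(.*\bsid:(?P<sid>\d+);.*\))$"
)
MSG_RE = re.compile(r'msg:"([^"]*)"')


def parse_rules(text):
    """Return every rule as a dict; a rule behind a leading '#' is kept but flagged as disabled."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        candidate = line if enabled else line.lstrip("# ")
        match = RULE_RE.match(candidate)
        if not match:
            continue  # an ordinary comment, not a disabled rule
        msg = MSG_RE.search(match.group("body"))
        rules.append({
            "sid": int(match.group("sid")),
            "action": match.group("action"),
            "msg": msg.group(1) if msg else "",
            "enabled": enabled,
        })
    return rules


def summarize(text):
    """The numbers the Rules tab shows per ruleset: enabled, disabled, and enabled blocking rules."""
    rules = parse_rules(text)
    return {
        "enabled": sum(r["enabled"] for r in rules),
        "disabled": sum(not r["enabled"] for r in rules),
        "blocking": sum(r["enabled"] and r["action"] == "drop" for r in rules),
    }


def set_action(text, sid, action):
    """Rewrite one rule's action: 'alert' = log and pass (triangle), 'drop' = block and log (shield)."""
    if action not in ("alert", "drop"):
        raise ValueError("action must be 'alert' or 'drop'")
    pattern = re.compile(rf"^(\s*)(alert|drop)(\s.*\bsid:{sid};.*)$")
    out = []
    for raw in text.splitlines():
        match = pattern.match(raw)
        out.append(f"{match.group(1)}{action}{match.group(3)}" if match else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(summarize(SAMPLE_RULESET))
    hardened = set_action(SAMPLE_RULESET, 1000001, "drop")
    for rule in parse_rules(hardened):
        print(rule["sid"], rule["action"], "enabled" if rule["enabled"] else "disabled", rule["msg"])
```

Switching a rule to `drop` is exactly the change the shield icon makes: the packet is dropped inline instead of merely producing a log entry, so a noisy or false-positive rule should be left on `alert` until its hits have been reviewed in the IDS tab of Logs and Reports / Service.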

Endian/Services/Intrusion Prevention/Editor At the top of the Editor page the rulesets that can be edited are shown. To choose more than one ruleset at once, hold the CTRL key and click on the rulesets.

Endian/Services/Traffic Monitoring Traffic monitoring is done by ntopng and can be enabled or disabled by clicking on the main switch on this page. Once traffic monitoring is enabled a link to its new administration interface appears in the lower section of the page. There, the traffic can be visualised and analysed by host, protocol, local network interface and many other types of information: All these operations can be carried out directly from the Traffic Monitoring module in The Logs and Reports Menu.

Endian/Services/SNMP Server SNMP is used to monitor network-attached devices, and can be used, e.g., to monitor the status of the internal infrastructure.

Endian/Services/Quality of Service/Devices The purpose of the QoS module is to prioritise the IP traffic that is flowing through the Endian UTM Appliance depending on the service. In other words, the QoS is a convenient way to reserve a given amount of the available bandwidth (both incoming and outgoing) for a given service. Applications that typically need to be prioritised over bulk traffic are interactive services such as SSH or VoIP.

The Device tab is also the starting page for the QoS and is initially empty. Once populated, a table showing a list of all the Quality of Service devices appears and for each device, some parameters and the available actions are displayed.

Endian/Services/Quality of Service/Classes This tab shows a list of all Quality of Service classes that have been created, if any. For each entry, several values are shown. New items can be added by clicking on the Add Quality of Service Class link above the list of classes. The parameters to configure are the same as those shown in the list.

Endian/Services/Quality of Service/Rules The third tab displays a list of the already defined Quality of Service Rules and allows to specify which type of traffic should belong to each of the classes. To add a new Quality of Service rule click on the Add Quality of Service Rule link. In the form that will open, which is very similar to the one used to define firewall rules, several values should be configured. Many drop-down menus are employed here to ease the choices and guide through the configuration.

Endian/Firewall/Port forwarding/ NAT/Port forwarding/Destination NAT Destination NAT is usually employed to limit network accesses from an untrusted network or to redirect the traffic coming from the untrusted network and directed to a given port or address-port combination. It is possible to define which port on which interface should be forwarded to which host and port.

Endian/Firewall/Port forwarding/ NAT/Port forwarding/Source NAT Source NAT can be useful if a server behind the Endian UTM Appliance has its own external IP and the outgoing packets should therefore not use the RED IP address of the firewall, but the one of the server. To add a new rule, click on Add a new source NAT rule and proceed as in the case of adding a port forwarding rule.

Endian/Firewall/Port forwarding/ NAT/Port forwarding/Incoming routed traffic This tab allows redirecting traffic that has been routed through the Endian UTM Appliance. This is very useful when having more than one external IP address and some of them should be used in the DMZ without the need for NAT. The fields shown for every rule in the list are the traffic source and destination, the service, the policy to apply, a remark, and the available actions.

Endian/Firewall/Outgoing traffic The Endian UTM Appliance comes with a pre-configured set of rules for outgoing traffic, i.e., to allow traffic flow of specific services, ports, and applications from the various zones to the RED interface and therefore the Internet. These rules are needed to ensure that the most common services are always able to access the Internet and work correctly. Two boxes are present on this page, one that shows the current rules and allows adding new ones, and one that allows setting the outgoing firewall options.

Endian/Firewall/Inter-Zone traffic This module allows setting up rules that determine how traffic can flow between the local network zones, excluding therefore the RED zone (traffic through the RED zone can be filtered in Outgoing traffic and Port forwarding / NAT). To activate the inter-zone firewall, click on the grey switch. Two boxes are present on this page, one that shows the current rules and allows adding new ones, and one that allows setting the inter-zone firewall options.

Endian/Firewall/VPN traffic The VPN traffic firewall is normally not active, which means that, on the one side, the traffic can freely flow between the VPN hosts and the hosts in the GREEN zone, and on the other side, VPN hosts can access all other zones. Please note that VPN hosts are not subject to the outgoing traffic firewall or the Inter-Zone traffic firewall. Two boxes are present on this page, one that shows the current rules and allows adding new ones, and one that allows setting the VPN firewall options.

Endian/Firewall/System access There is a list of pre-configured rules that cannot be changed, whose purpose is to guarantee the proper working of the firewall. Indeed, there are services, among those supplied by the Endian UTM Appliance, that need to be accessed from clients in the various local zones. Examples include using the DNS (which requires that port 53 be open) to resolve remote hostnames or using the administration web interface (which uses port 10443): whenever one of these services is activated, one or more rules are automatically created to allow the service itself to work properly.

Endian/Firewall/Firewall Diagrams This page shows, for each of the modules described above, a diagram of how the traffic flows among the zones and which firewall module takes charge of each flow. The green arrowed lines show which traffic is allowed in each zone and in which directions. In the case of VPN, the arrows from/to the RED interface are marked with a red 'X', meaning that traffic between them is not possible.
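The firewall pages above partition every zone-to-zone flow among the modules: local zones to RED are Outgoing traffic, RED to local zones go through Port forwarding / NAT, local zones among themselves are Inter-Zone traffic, anything touching a VPN host is VPN traffic (and exempt from the other two), traffic to the appliance itself is System access, and VPN to or from RED is the red 'X'. As an added example (not code from the page or from Endian), the following function encodes that partition and renders the same table the diagrams draw. The zone names are the page's; treating same-zone and RED-to-RED flows as never crossing the appliance is my assumption.

```python
LOCAL_ZONES = ("GREEN", "ORANGE", "BLUE")
SOURCES = LOCAL_ZONES + ("RED", "VPN")
DESTINATIONS = SOURCES + ("FIREWALL",)   # FIREWALL = services running on the appliance itself


def firewall_module(src, dst):
    """Name the Endian firewall module that filters a flow from zone src to zone dst.

    Returns None for flows the diagrams mark with a red 'X' (VPN <-> RED) and the string
    "not through firewall" for flows that never reach the appliance (assumption: traffic
    inside a single zone, and Internet-to-Internet traffic, is not routed by it).
    """
    if src not in SOURCES or dst not in DESTINATIONS:
        raise ValueError(f"unknown zone pair {src!r} -> {dst!r}")
    if dst == "FIREWALL":
        return "System access"            # e.g. DNS on port 53, web GUI on port 10443
    if src == dst:
        return "not through firewall"
    if {src, dst} == {"VPN", "RED"}:
        return None                       # the red 'X' on the diagram
    if "VPN" in (src, dst):
        return "VPN traffic"              # VPN hosts bypass Outgoing and Inter-Zone filtering
    if dst == "RED":
        return "Outgoing traffic"
    if src == "RED":
        return "Port forwarding / NAT"
    return "Inter-Zone traffic"


def flow_matrix():
    """Every (src, dst) pair mapped to its module: the tabular form of the Firewall Diagrams page."""
    return {(s, d): firewall_module(s, d) for s in SOURCES for d in DESTINATIONS}


def render_matrix():
    """Text rendering of flow_matrix(), rows = source zone, columns = destination zone."""
    width = 24
    lines = ["from \\ to".ljust(10) + "".join(d.ljust(width) for d in DESTINATIONS)]
    for s in SOURCES:
        cells = []
        for d in DESTINATIONS:
            module = firewall_module(s, d)
            cells.append(("X" if module is None else module).ljust(width))
        lines.append(s.ljust(10) + "".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix())
```

The practical use of the table is as a checklist: when a flow is unexpectedly allowed or blocked, the cell tells you which of the five rule lists to inspect, and the two `None` cells are a reminder that no rule on any page will let a VPN client talk to RED directly.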

Endian/Proxy/HTTP/Configuration The HTTP proxy employed in the Endian UTM Appliance is squid, whose primary ability is to cache web requests to speed up future requests of the same page, though it has many more functionalities that allow its seamless integration with the other services described in the remainder of this section. The HTTP proxy settings page is composed of six tabs that organise a myriad of options: Configuration, Access Policy, Authentication, Web Filter, AD join, and HTTPS Proxy.

Endian/Proxy/HTTP/Access Policy The access policies are applied to every client that connects through the proxy, regardless of its authentication. An access policy rule is a time-based scheme that permits or prohibits access depending on diverse parameters about the user (e.g., the source or destination of the traffic), the client used, or the content downloaded (e.g., the user agent, the MIME types, virus scanning, and content filtering).

Endian/Proxy/HTTP/Authentication The Endian UTM Appliance's proxy supports four different authentication types, which are shown in the drop-down menu at the top of the page: Local Authentication (NCSA), LDAP (v2, v3, Novell eDirectory, AD), Windows Active Directory (NTLM) and RADIUS. The NCSA type stores the access credentials on the Endian UTM Appliance, whereas the other methods rely on an external server: in those cases it is mandatory to provide all the information necessary to access that server.

Endian/Proxy/HTTP/Web Filter The Endian UTM Appliance's content filter abilities are based on the Cyren (formerly Commtouch) URL filtering solution, which uses two filtering techniques that can be defined per filter profile.

Endian/Proxy/HTTP/AD Join In this section it is possible to supply the credentials required to join the Active Directory Server, an operation that is only possible if in the Authentication tab the option Windows Active Directory (NTLM) has been selected.

Endian/Proxy/HTTP/HTTPS Proxy On this page it is possible to configure the proxy server to scan SSL-encrypted traffic, i.e., traffic through port 443. When enabled, squid will intercept all clients' requests and forward them to the remote server, as in the case of HTTP requests. The only difference is that for HTTPS requests an 'intermediate' certificate is needed for the client to connect via HTTPS to the Endian UTM Appliance, which then can deliver the request, retrieve the remote resource, inspect it, and then send it to the client that requested it.

Endian/Proxy/POP3/Global settings On this page, by ticking the appropriate checkboxes, a few global configuration settings of the POP3 proxy can be enabled.

Endian/Proxy/POP3/Spam filter This page allows configuring how the POP3 proxy should proceed when it finds a spam e-mail.

Endian/Proxy/FTP/FTP virus scanner The FTP proxy is available only as a transparent proxy in the zones that have been enabled and allows for scanning the files downloaded via FTP to search for viruses. The Endian UTM Appliance employs frox as FTP proxy.

Endian/Proxy/SMTP/Configuration The purpose of the SMTP proxy is to control and optimise the SMTP traffic and to protect the local networks from threats when using the SMTP protocol. SMTP is used whenever an e-mail is sent from a local e-mail client to a remote mail server, that is, for outgoing e-mails. It will also be used if a mail server is running on the LAN (i.e., within the GREEN zone) or DMZ (ORANGE zone) and e-mails can be sent from outside the local network (incoming requests) through that mail server, that is, when clients are allowed to send e-mails from the RED interface.

Endian/Proxy/SMTP/Black - & Whitelists On this page there are four panels: three allow the definition of several custom black- and whitelists, while the fourth allows selecting and using existing RBLs.

Endian/Proxy/SMTP/Incoming domains When incoming mail has been enabled (i.e., clients outside the RED interface can send e-mails to a local SMTP server) and e-mails should be forwarded to a mail server behind the Endian UTM Appliance, usually set up in the ORANGE zone, it is necessary to declare the domains to be accepted by the SMTP proxy and to which of the e-mail servers the incoming mail should be forwarded. It is possible to specify multiple mail servers behind the Endian UTM Appliance for different domains.

Endian/Proxy/SMTP/Domain routing The page shows a list of domains along with the smarthost responsible for the delivery of e-mails to, or the reception of e-mails from, those domains. The information shown in the list is the same that must be provided when adding a new domain, together with the available actions.

Endian/Proxy/SMTP/Mail routing This option allows sending a BCC of an e-mail to a given e-mail address and is applied to all the e-mails sent either to a specific recipient or from a specific sender address. The list shows the direction, the address, the BCC address, if any, and the available actions.

Endian/Proxy/SMTP/Advanced In this page of the SMTP proxy configuration there are advanced settings options available, grouped in four panels, that can be shown or hidden by clicking on the expand or collapse icons on the left of the panel title.

Endian/Proxy/DNS/DNS proxy The checkboxes enable the DNS proxy as transparent on the GREEN, BLUE, and ORANGE zones respectively; they appear only if the corresponding zones are enabled. Here we can also create exceptions that bypass the proxy for a given subnet, IP, or MAC address.

Endian/Proxy/DNS/DNS Routing This page allows the management of custom domain - nameservers pairs. In a nutshell, whenever a sub-domain of a domain is queried, the corresponding nameserver in the list will be used to resolve the domain into the correct IP address.
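The one subtlety in DNS Routing is which entry wins when several match: a query for a host under lab.corp.example matches both a lab.corp.example entry and a corp.example entry, and only the longest (most specific) suffix should be used, while a lookalike such as evilcorp.example must match neither. As an added example (not code from the page or from Endian), the following selector implements that rule over a constructed domain-to-nameserver table; the domains, nameserver addresses and default resolver are all hypothetical.

```python
# Constructed domain -> nameserver pairs, as they would be entered on the DNS Routing page.
DNS_ROUTES = {
    "corp.example": "10.0.0.53",
    "lab.corp.example": "10.0.5.53",
    "partner.test": "192.0.2.53",
}
# Constructed upstream resolver used when no routing entry matches.
DEFAULT_RESOLVER = "203.0.113.2"


def normalize(name):
    """DNS names compare case-insensitively and a trailing dot marks the same absolute name."""
    return name.rstrip(".").lower()


def resolver_for(query_name, routes=DNS_ROUTES, default=DEFAULT_RESOLVER):
    """Return (matched_domain, nameserver) for a query; matched_domain is None for the default.

    A route matches when the query is the domain itself or ends in "." + domain, which keeps
    'evilcorp.example' from matching 'corp.example'. Among several matches the longest domain,
    i.e. the most specific sub-domain entry, wins.
    """
    name = normalize(query_name)
    best = None
    for domain, nameserver in routes.items():
        dom = normalize(domain)
        if name == dom or name.endswith("." + dom):
            if best is None or len(dom) > len(best[0]):
                best = (dom, nameserver)
    return best if best else (None, default)


if __name__ == "__main__":
    for q in ("www.corp.example", "db.lab.corp.example", "evilcorp.example", "WWW.Partner.Test."):
        print(f"{q:<24} -> {resolver_for(q)}")
```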

Endian/Proxy/DNS/Anti-spyware This page presents configuration options about the reaction of the Endian UTM Appliance when asked to resolve a domain name that is known to be used either to propagate spyware or as a phishing site.

Endian/VPN/Server configuration This page shows a switch, Enable OpenVPN server, that once clicked will start the OpenVPN server and all services related to it (such as the VPN firewall, if enabled). Below, there is one box, OpenVPN settings, that allows setting up some global settings. Right below, a link allows defining a new server instance, while at the bottom of the page there is the list of the available OpenVPN servers running on the Endian UTM Appliance, if any has already been defined. The list shows the following data about each OpenVPN server instance defined: the name, remark, and details about the configuration, namely the port on which it is listening, the protocol, the type of device, and the type of network.

Endian/VPN/OpenVPN tunnel to On this page appears the list of the Endian UTM Appliance's connections as an OpenVPN client, i.e., all tunnelled connections to remote OpenVPN servers. For every connection, the list reports the status, the name, any additional option, a remark, and the actions available.

There are two types of settings that can be configured for each tunnel configuration: The basic one includes mandatory options for the tunnel to be established, while the advanced one is optional and normally should be changed only if the OpenVPN server has a non-standard setup. To access the advanced settings, click on the » button next to the Advanced tunnel configuration label.

The second possibility to add an account is to directly import the profile from an OpenVPN Access Server: In this case, the following information must be provided.

Endian/VPN/IPsec In this box a few global IPsec options can be set, namely two for Dead peer detection, and quite a lot of debugging options. Additionally, the configuration of certificates used in IPsec tunnelled connections is also carried out here.

Endian/VPN/Authentication On this page, all users that have an account on the Endian UTM Appliance's VPN server are displayed in the table, and for each the following information is shown.

Endian/VPN/Certificates/Certificates The Certificates page allows the management of the certificates that are needed by the various OpenVPN server instances running on the Endian UTM Appliance and is composed of three tabs: Certificates, Certificate Authority, and Revoked Certificates.

Endian/VPN/Certificates/Certificate Authority This page allows managing the CAs, which are necessary for the correct working of an OpenVPN encrypted connection. There are two ways to add a CA: either by clicking on the link above the table of already existing certificates to generate a new certificate, or by uploading one using the widgets below the table.

Endian/VPN/Certificates/Revoked Certificates The certificates that have been revoked are listed in the table, which shows the serial number and the subject of each certificate.

Endian/VPN/Certificates/Certificate Revocation List On this page all the Certificate Revocation Lists that have been uploaded can be managed.

Endian/Logs and Reports/Live Logs When entering the Logs section, or clicking on the Live entry in the sub-menu, the Live log viewer is shown: a box with the list of all the log files available for real-time viewing. Any number of logs can be chosen by ticking the corresponding checkboxes; they are displayed in a new window upon clicking on the Show selected logs button. To watch all the log files at once, simply tick the Select all checkbox right above the Show selected logs button and then click on the latter. Otherwise, to view only one log file, simply click on the Show this log only link.

Endian/Logs and Reports/Summary This page presents summaries for the logs produced by the Endian UTM Appliance, separated by days and generated by the logwatch log monitoring software. Unlike the other parts of the log section, it has its own settings to control the level of details shown. The following control elements are available in the first box at the top of the page.

Endian/Logs and Reports/System In this section appears the log viewer for the various system log files. The upper box, Settings, defines the criteria to display the entries in the lower box. Besides the common actions, one additional control is available.

Endian/Logs and Reports/Service In this section appear the log entries for three of the most important services provided by the Endian UTM Appliance: IDS, OpenVPN, and the anti-virus, each in its own tab. Only the common actions are available.

Endian/Logs and Reports/Firewall The firewall log viewer contains the messages that record the firewall’s activities. Only the common actions are available.

Endian/Logs and Reports/Proxy The proxy log viewer shows the logs for the four daemons that use the proxy. Each of them has its own tab: squid (HTTP), icap (Content filter), sarg (HTTP report), and smtpd (SMTP, email proxy).

Endian/Logs and Reports/Settings This page contains all the global configuration items for the Endian UTM Appliance's logging facilities, organised into four boxes: Log viewing options, Log summaries, Remote logging, and Firewall logging.

Endian/Logs and Reports/Trusted Timestamping Trusted timestamping is a process that log files (but in general any document) undergo in order to track and certify their origin and their conformity with the original. In other words, trusted timestamping allows certifying and verifying that a log file has not been modified in any way by anyone, not even the original author. In the case of log files, trusted timestamping proves useful, for example, to verify the accesses to the system or the connections from the VPN users, even in the case of independent audits.
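The mechanism behind the page is simple to state: only a digest of the log file leaves the appliance, a timestamping authority binds that digest to a time and authenticates the pair, and a later verifier recomputes the digest and checks it against the receipt, so any change to the file (by an intruder or by the administrator) is detectable. As an added example (not the page's or Endian's code), the following script walks through that exchange. It simulates the authority with an HMAC key held by both sides, which is a deliberate simplification: a real authority, as in RFC 3161, signs the token with a private key so the verifier does not need a shared secret. The log lines, key and timestamps are constructed.

```python
import hashlib
import hmac
import json

# Stand-in for the timestamping authority's key (constructed; a real TSA signs with a private key).
TSA_KEY = b"constructed-demo-key-not-a-real-tsa"

# Constructed log excerpt of the kind a VPN or SSH audit would care about.
SAMPLE_LOG = b"""\
Mar 10 08:12:01 fw01 sshd[2231]: Accepted publickey for root from 192.168.10.25 port 50112 ssh2
Mar 10 08:15:44 fw01 openvpn[1902]: user alice connected from 198.51.100.7
Mar 10 08:40:09 fw01 openvpn[1902]: user alice disconnected
"""


def log_digest(data):
    """Only this digest is sent to the authority; the log content itself stays on the appliance."""
    return hashlib.sha256(data).hexdigest()


def _token_payload(digest_hex, when):
    # Canonical encoding so issuer and verifier authenticate byte-identical input.
    return json.dumps({"digest": digest_hex, "time": when}, sort_keys=True).encode()


def issue_timestamp(digest_hex, when, key=TSA_KEY):
    """Simulated authority: bind the digest to a time and authenticate the pair."""
    mac = hmac.new(key, _token_payload(digest_hex, when), hashlib.sha256).hexdigest()
    return {"digest": digest_hex, "time": when, "mac": mac}


def verify_timestamp(data, receipt, key=TSA_KEY):
    """Return (ok, reason). Checks the receipt itself first, then the file against it."""
    expected = hmac.new(key, _token_payload(receipt["digest"], receipt["time"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, receipt["mac"]):
        return False, "receipt is not authentic (altered, or not issued by this authority)"
    if log_digest(data) != receipt["digest"]:
        return False, "log content differs from the version that was timestamped"
    return True, f"log unchanged since {receipt['time']}"


if __name__ == "__main__":
    # Day of archiving: hash the rotated log and obtain a receipt.
    receipt = issue_timestamp(log_digest(SAMPLE_LOG), "2024-03-11T00:05:00Z")
    # Day of the audit: the untouched file verifies, a file with one line edited does not.
    print(verify_timestamp(SAMPLE_LOG, receipt))
    edited = SAMPLE_LOG.replace(b"for root from 192.168.10.25", b"for root from 192.168.10.30")
    print(verify_timestamp(edited, receipt))
```

Two properties of the exchange matter for an audit: the authority never sees the log content, only its digest, and back-dating is impossible because changing the time field invalidates the receipt just as surely as changing the file does.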
