Since then, Untangle has come a long way. I would like to revisit the untangle appliance as it has undergone numerous improvements, and in my opinion is now a fully capable replacement for an off-the-shelf firewall appliance.

Hardware update…

For a solid, and completely silent firewall for a business environment, here’s my current recommendation (Prices are for new components. Refurbished or used could result in a 30% – 50% reduction in price).
Server – ASUS rs100-x5/pi2: ~$300
Processor – Intel Core 2 Duo E7500: ~$105
RAM – 4Gb (2x2GB) DDR2667: ~$90
Hard Drive – WD RE3 or equivalent (200 – 500GB) SATA: ~$100

Total cost is under $600. This would be comparable to a $3000+ Sonicwall or similar appliance and would be significantly more quiet.

If you need more ports, a quality 4 port PCI-E Ethernet card runs about $350. The $1000 tag on this server with 6 Ethernet ports is still a bargain. A quality single port Ethernet card would run around $75. Don’t use a desktop Ethernet card in a server like this and expect good performance, you need a quality 3com, Intel or other enterprise quality card.

This is still a low-end server, but is silent and would work well for a moderate sized office. If you have the budget and usage to require it, you could put this on a dual quad-CPU server and put 32Gb or more ram on it. Additionally for any datacenter usage, you don’t need to worry about sound, so a more robust server could probably be setup for the same cost.

Unlike most human related computer activities, packet inspection and other firewall activities are very processor intensive. The faster the processors, the better a firewall appliance will perform. If you do decide to build a Untangle or other firewall appliance, keep this in mind. Embedded processors like Atoms, or VIA’s are not a good match for a firewall, even through they are designed to fit in compact sized enclosures. They work well for what they’re designed to do, but they are not designed for this.

Current hardware recommendations are as follows:

VPN

Something I didn’t discus in my last article was the VPN. Untangle comes bundled with openVPN. There is no limit other than that of your hardware for the number of VPN users your appliance can support. It is extremely easy to add, suspend and remove VPN users. VPN users are sent a custom key and connection for them to install on their computer. The VPN also supports site-to-site VPN allowing 2 or more offices to virtually share the same network no matter their distance from each-other.

Open VPN is much simpler than any VPN software I have used on either the client or host side. It makes VPN administration and setup a breeze. If you have used cisco, sonicwall or other VPN services, this will be a breath of fresh air in administration and setup.

Feature Improvements

When we started using Untangle, it was not designed to handle advanced protocols including some VPN services, and multi-protocol traffic like VOIP (Voice over IP) phone services.

I am happy to say that Untangle now fully supports multi-protocol traffic like VOIP or Ipsec. Some types of traffic will require custom configurations, but so far I haven’t found any sort of traffic that Untangle has problems with.

Untangle also now support firewall bypassing for high-availability applications, and supports a form of QOS (Quality of service). The QOS is very configurable, but still not quite a user friendly as other platforms. It is however usable despite some potential complicated setups. QOS is essential for running VOIP and other mission-critical applications. It can also be used to throttle down bandwidth eating services like online video.

OS Upgrades

Untangle is now offered in a 64bit operating system, something to satisfy the larger memory requirements for more robust servers. It is still a small custom Debian-linux build. The total install file size is around 500Mb, which is a fresh breath compared to the 3 – 4Gb sizes of many current Linux distributions.

There is also a Windows version for those who don’t have a dedicated server to run untangle on. In this case, Untangle works as a re-router, controlling the routing and traffic of a network, but on an existing windows XP computer.

Conclusion

Untangle has moved from an aspiring concept, to a true contender to established firewall appliances. At this point, I can’t see any reason why a business would spend the extra money on a Sonicwall or similar appliance. Pair this with OpenDNS, and you have a reliable system that can block websites on a DNS level, and a full featured firewall for spam, intrusion, phishing, viruses, and just about every other threat your users will encounter on the internet.

Untangle resources
Untangle Downloads (32bit, 64bit, and Windows)
Untangle guide (Wiki)
The Untangle Blog

If you don’t want to built an appliance yourself, there are plenty of approved untangle hardware vendors.

Zusman and Sotirov call their attack “SSL Rebinding” and claim that it can be used to sniff sensitive data as it leaves the user’s browser or to conduct a browser cache poisoning attack against EV SSL Web sites.

This is a major blow to EV SSL certificates and their significantly higher price tag. Something like this is significant enough, that if you are using an EV SSL, it may be a good idea to downgrade until the exploit is fixed.

The first reaction which generally is seen when a company declares bankruptcy or just before, is the add more fees without adding any value solution. Airlines are currently guilty of this, as most are adding fees everywhere without adding any additional value to their customers. I recently took a trip and was charged for curbside check-in, for checking a single bag, and for a soda while on the flight. The flight attendants and check-in receptionists were rude, no doubt because they have to deal with a bunch of angry customers. Southwest Airlines’ marketing team was just handed the golden platter of advertising opportunity, because people are angry at airlines for all the fees, and Southwest doesn’t have all the extra fees.

The second reaction which is actually consumer focused, is to change your business so it is more appealing adding value, in an effort to drive more business. Quiznos is a perfect example of this with their new pricing. I’m not sure if the end-user gets anything more from Quiznos, but the price / value point is far easier to understand which makes their restaurant more appealing.

Times are tough for a lot of retail businesses, and I can guarantee that simply raising prices will not create a more profitable or stable business unless you know for certain that your customers will happily pay the extra price.

Do not simply do these when times get tough:

• Add fees without adding some value with those fees (The airline raise).
• Grossly increase prices to accommodate for lost revenue.
• Unilaterally change contract terms (Think AT&T and Verizon).

Be careful doing these:

• Placing customers in opt-out programs.
• Cutting the variety of the products you offer.
• Dramatically changes or adding confusing policies and / or pricing structures.

Unfortunately there’s no magic recipe to making it through tough financial times, but these are some good ideas to help keep customers coming back to your business.

Here’s my recommendations to do before you ever get into real trouble:

• Make your price / value point more appealing (like Quiznos above). Be extremely cautious with this one because it can easily backfire if your customers think your smoke and mirrors are just an effort to pad your revenue.
• Offer rewards or incentives for frequent customers.
• Retail & Restaurants. Offer incentives to customer who bring their own cups or shopping bags. Ideas like this can help reduce overhead costs, and produce less waste. It’s win-win for everyone.
• Offer incentives to customers that refer their associates and friends to your business. If you’re not doing this already you’re doing something wrong.
• Diversify your marketing efforts. Don’t just use the Yellow Pages or radio ads. Puts your eggs in more baskets as long as they all provide business. You can try local PPC marketing, sponsoring events, newspaper ads, and more.
• Optimize your business. This is a great time to see if you can save money on the services that your business already uses. Internet, phone services, your merchant account, shipping costs and methods, are all great places to start. Find services that you don’t really need and cut those first.
• If you need to purchase new IT equipment look into low power consuming equipment. Low power servers, computers, and network hardware can save thousands per year in energy costs.
• Reduce staff. This is truly one of the hardest and most unpleasant aspects of owning a business, but realistically, if it’s going to potentially save your company then you should consider it. My personal opinion is that this is an absolute last resort, unless you have employees that you were planning on releasing anyway, but it is sometimes necessary.

Every dollar you can save will really help later when you’re completely cash strapped. Start doing these before you are looking an an insurmountable situation that will ultimately end with the end of your business.

Let me know if you have suggestions or experiences of your own.

The following is a quick guide on how to setup a Enterprise class firewall for a small to medium sized business. How good your firewall performs is dependent on the hardware that you use, but if you copied the specs of the one that I setup, it should easily handle 100+ computers and servers.

Hardware:
Tyan transport GS12 or GS14 – $100 – $500 (Used – New)
Intel Pentium 4 – 3.4Ghz HT – $30 – $75
4Gb DDR2 RAM $150 (Cheaper if bought on eBay)
Additional Ethernet card – $50 – $200 (Optional for DMZ)

Total – $300 – $900 (depending on configuration and cost of components.)

The Tyan transport GS12 and GS14 are perfect servers for a dedicated firewall. They both are small, sub-1U rack mountable, and they take Pentium 4 processors with hyper-threading. The come standard with 2 Ethernet connections, and have a PCI card slot so a 3rd Ethernet card can be added for a DMZ port. The GS14 supports on-board RAID and SATA drives, and used a better processor core (LGA775) so we went with it. We bought a brand new GS14 for under $400 and it came with all of the installation hardware, rails, CPU heat-sink, power and internal connections, and everything else we needed, minus the CPU, RAM, and hard drive. We opted for a 3.4 Ghz Pentium 4 processor with Hyper-threading, and the Pentium D is also supported. Because of potential cooling issues with the Pentium D and the fact that there is not a lot of room for airflow inside a 1U case, we went with the Pentium 4. We maxed out the RAM at 4GB, and installed it with an 80Gb SATA RAID 1 hard drive setup. We’re only using this as a content filter, but in this configuration it could easily scale to be a primary firewall for a medium size business. My guess is that this setup could handle an office of 50 – 500 computers depending on web usage, bandwidth and what applications are being used within the firewall.

For the software:
I was recommended to checkout the Untangle internet gateway which was exactly what I was originally looking for. Untangle is an open source firewall operating system based on Linux, and includes a firewall, web filter, content and application filter, virus, phishing and spyware blocker, intrusion prevention, and a full VPN server. It also includes advanced logging and reporting, which is essential to ensure that a network is actually secure. All of these features can be configured using a nice graphical interface which also includes a remote management console. This software is designed to replace existing high-end firewall appliances.

As far as installation, the Operating System ISO file can be downloaded here. The operating system installs very easily like most Linux OS’s. There are simple questions during the install, and the entire process took about fifteen minutes.

Once installed the next step was to configure the network on the firewall. There are two basic ways to install use this system as a firewall with a number of additional advanced configuration options.

Firewall as Primary / Router:

The first is to use it as a primary firewall and DHCP server. You would use this option if it was going to be the only, or primary firewall in a network.

Firewall as Bridge:

The second option is to install the firewall as a bridge, where it sits between the primary firewall and the primary network switch. In our case we were setting it up as a bridge, which was a little confusing because the IP address is the same on both the external and internal network port, but works perfectly once you understand that minor detail.

Once the network is setup, the firewall is ready to be configured. For the initial setup, I recommend just connecting one port to the network, and configuring everything from there. Since both ports have the same IP address, it can cause problems if you connect them both to a single switch. Once connected, you can install individual packages, or install all of them at once. Each package can be also individually configured or deactivated. Here’s some screenshots of the management console. Everything can be configured to the smallest detail. Some of the settings will require some solid networking knowledge to properly configure, but there is nothing that I was looking for that was not in the console.

Once you have the firewall configured as you want, you should plug a single computer into the other network port and do some testing to make sure that it is working properly. Make sure you use a cross-over cable if you plug a computer directly into the firewall. Since there is no network switch, a standard Ethernet cable will not work from the firewall directly to a computer.

Assuming that everything is working correctly, you can now switch over to using the new firewall. You don’t need to reboot it or anything, just plug the correct network ports on the firewall into the correct nodes on your network and you’re good to go.

Cost comparison:
If you consider that a new firewall appliance (Sonicwall, Firebox, Cisco, Barracuda, Astaro, etc.) with similar specs, not including any filtering subscriptions, would easily cost $5,000+, then this is a really cheap alternative. Add in the content, virus, spam, and spyware filters, and you are easily adding a recurring cost of $5,000+ per year on top of the $5,000 price tag.

Conclusion:
You may need someone to setup and manage this for you, but most businesses that I know of would love to save $5,000 per year for web security and end up with a much better and more configurable system. Someone with moderate networking knowledge could easily set this system up and maintain it. Untangle offers professional support and better virus scanning packages if you need a little more support and protection. They also offer fully built Untangle servers if you don’t want to set one up yourself.

Overall, Untangle gets a 10/10 from me. Saved thousands of dollars, and it took less than an hour total to setup. Truly a remarkable piece of software.

Just to dispel any theory dissolving that old ‘Death and Taxes’ quote, internet purchases are not tax free. That’s right. As the wording goes, most internet companies don’t have to collect out of state sales tax. However, consumers, businesses and any end users still must pay a “Use Tax” on non-taxed purchases that they make through mail-order or online.

Most states currently have Use Tax which specifically requires consumers to pay their state sales tax on purchases they make online that are not taxed by the business. There are some exemptions for certain types of products and for states that do not have any sales tax, but for the most part, taxes on these purchases are required to be paid to your state government. With the exception of very large purchases, use tax is rarely if ever monitored, as it would simply be an impossible feat for any state government to handle. However, we can all be sure that states are losing out on millions if not billions in uncollected taxes, so if you aren’t paying them, enjoy the free ride while it lasts.

Here’s a Use Tax table that I came up with covering which states require it:
(Let me pre-apologize about all of the PDF links here, Government websites are about as bad as they come, and in many cases PDF’s are the only pages available.)

The same company that designed configserver firewall, has two security packages that are designed to help maintain a cpanel/whm dedicated server.

I recently purchased the “cPanel Service Package + MailScanner” package for one of the servers that I manage.

Here’s what you get for $125:

• iptables SPI firewall (csf)
• Login failure detection (lfd)
• Stop unnecessary processes
• Logcheck
• Logwatch
• WHM configuration check
• OpenSSH configuration check
• Install and configure Rootkit Hunter
• Install and configure Chkrootkit
• install mod_security
• Host spoof protection
• Operating System check
• Name server configuration check
• Disk check
• Kernel check
• Apache tune and check ***
• MySQL tune and check
• Enhanced log rotation
• Day of the week backup rotations
• Secure /tmp /var/tmp /dev/shm
• Install and configure ConfigServer Explorer (cse)
• Install and configure ConfigServer Mail Queues (cmq)
• Install and configure ConfigServer Mail Manage (cmm)
• Perl installation check
• Delete unnecessary OS users
• Disable open DNS recursion
• Enhance path protection
• Remove SUID/GUID from binaries
• PHP hardening
• Exploit check
• Disable vulnerable phpBB installs
• Initial cPanel configuration
• Enhance MailMan performance
• Install MRTG graphs
• MailScanner Server service
• One week of informational tickets

While this is all great, what really caught my attention was the improvement with the email that the server was handling. Security is something that you don’t actually notice, but when you see email spam drop to nearly ZERO, it’s worth taking note of. On an average day the server was getting about 20,000 spam emails a day, and since the upgrade about 99.9% are properly being marked as spam, with roughly 5 false positives for every 20,000 emails (.025%). Prior to this upgrade, spam assassin alone was catching only 85% with 3 – 5% false positive rate.

The security, vulnerability checks, and cpanel add-ons are something that every server should have, but to simply save the time by not having to do all of this yourself, is worth well over $125. This is about as perfect of a system as I have ever seen when it comes to email.

Here’s a few images of the new add-ons:

Any drawbacks?
This package has the ability to put a lot of stress on a server. If you are receiving high volumes of email, then you will definitely want to have some very high quality processors, and a lot of RAM. We are running 2 – Quad Core Xeon processors, and about 4Gb of RAM and our server has gotten stressed a few times during very high load. With some good configuring, it is possible to use this on just about any server, you will just want to reduce the scanning to a level that the server can handle. There is virtually unlimited options for configuring this, and if you purchase the package it comes with a week of support.

The configserver blog is where updates and security notices are posted if you want to stay up-to-date on any of their software. (Updates are also available in the control panel).

ConfigServer Security & Firewall (csf)

This is essentially an extension of iptables firewall that integrates with a nice GUI in the WHM interface. It makes configuring the server’s firewall a snap, and also suggests other security fixes based on how your server is setup.

The installation took about 5 minutes to complete and another half hour to fully configure. You will need ssh or other shell access to install it on a server. This is an absolute necessity for any server. I only wish I would have found it a long time ago, as it is a huge time-saver.

I was installing a password managing program this morning and during one step of the installation process, I unexpectedly saw that all of my user names and passwords popped up completely visible. What this means is that if someone gained access to your computer, they could have full access to any password that you saved in auto-complete with internet explorer. It wouldn’t take someone with the least bit technically competency to steal all of this information.

As far as data vulnerabilities go, this is about as big as it gets. Imagine that if someone logged onto your computer, they could access your online email, bank account, car insurance, and every other place where you clicked ‘Save Password’.

Do yourself some good and get a password management program, or just remember your passwords. It is so irresponsible for Microsoft to release a new internet browser and not encrypt information like this. Both internet explorer 6 and 7 store passwords without any encryption.

How to store passwords securely in FireFox (FireFox still auto-completes, but password file is encrypted and unreadable).

How to clear passwords in Internet Explorer 6 »

How to clear passwords in Internet Explorer 7 »

UPDATE ON THIS:
Before this gets out of hand, I want to clarify that the passwords are actually not stored in a flat file, but rather in a section of the computer’s registry. They are also not readable under every circumstance, but in my case and probably many other people’s, the user names and passwords can be easily extracted by the correct program. I read an incorrect source, that at the time seemed credible which I will reference if I can find it again. I apologize for the error.

There are so many how to guides that people need for running their ecommerce website’s. With that in mind, this is a list of very useful how to’s related to ecommerce. Hopefully this post will be a good resource for site owners, and those looking to get into ecommerce. Topics include everything from setting up a web server, marketing, to integrating a website with a payment gateway.

Please send me some feedback if there are some good how to’s that should be on here.

Servers / Networking / Programming Setup:

• The perfect Fedora 5 server setup – While I don’t like the virtual control panel that the guide recommends at the end, this is a perfect step-by-step guide to setting up a Fedora 5 Linux server. This guide covers setup for PHP5, mysql, SSL Support, ProFTP, and a few others. The guide states that it is for 64 Bit systems, but I have setup five, 32 Bit systems without any additional modification.
  Fedora Core 4, Fedora Core 3 setups are also available.
• Setup a Windows XP Web Server – Also php.net has an excellent guide on the overall steps to setup php and Apache on windows. The php.net version tends to leave out some things that later may cause errors, but the comments section of the article probably cover all of the missing information.
• Windows XP Apache Virtual Hosting – Having needed to setup a Windows XP server recently, this guide covers both the setup, and how to use virtual hosting on the server allowing multiple websites to exist at the same time. I have a company server that was setup using this and the previous guide running several websites, very effectively.
• How to make Cat 5 / 5e Patch Cable – I’ve saves myself a few hundred dollars in under a year, by making all my own Ethernet patch cable. You can get cat 5e cable and connectors really cheap when you buy them in bulk. If you think you may be needing a lot of cable in the future, this is the way to go. It may take a few tries to get your cables nice, but once you get it down, you cables are just as good as anything.
• 13 *nix command line tricks – A quick tutorial on a few command line codes that are very useful but often not known, not used, or one’s that we forgot.
• Top 5 PHP security holes – After running a server scan I was referred to this excellent resource on the major security problems that websites commonly have with php. Since almost all of these problems are due to use error and poor programming, they are all fixable.
• Integrate Linux PHP with a MSSQL database – After working on a few of these integrations, one successfully, and one failing, this is the best overview on the topic that I have found. Easysoft.com also has another good guide, but it is geared to using their own paid extension, which is expensive. I don’t recommend performing this integration unless you absolutely have to (Just save yourself the time, and switch the site to a windows server), but these should get you pointed in the right direction.

Web Design / Hosting / Usability:

• How to make a horrible Oscommerce site – From Jason Chance, this is a great, humorous guide on how not to make your oscommerce website.
• 10 Ways to ruin visitor experience on your website
• 10 easy steps to a horrible ecommerce site – Another from Jason on sitepoint.com, this is an extension of the oscommerce version, and covers mistakes that all websites should avoid.
• B2B Usability – From Jakob Nielsens Alertbox, a guide to usability from a B2B vs. a B2C standpoint.
• Top 10 mistakes of web design – One more from Dr. Nielsen, on the top 10 mistakes that website creators make. Weblog mistakes is another valuable article for blog owners out there. I admit that ‘Irregular Publishing Frequency’ is one that I rarely adhere to…
• Shopping Cart Abandonment – Don’t do this… – 3 simple tips to lowering shopping cart abandonment rates.
• How to ruin a web design – This is a good article covering how to not over think a design project, and that often more people working on something means less quality.
• How to choose a web host – This is a good overview to help people that aren’t quite sure what they need, pointed in the right direction in choosing the company to host their website.

SEO and Marketing:

• How to Conduct Keyword Research – This is a great introductory guide on finding relevant keywords for a SEO or PPC campaign.
• 5 most common SEO mistakes – 5 simple SEO mistakes that are often overlooked.
• Ultimate guide to link-baiting and social media marketing – From one of the most authoritative persons on link building anywhere, Andy Hagens tells us how to properly build linkbait. I would consider this the definitive guide to linkbaiting. What is linkbaiting you say?
• List of the best directories – This is the best list of web directories out there. Directories are separated by value, and prices are listed next to each directory.
• How to market to other business owners – From entrepreneur.com, this is my ’7 commandments’ on marketing B2B products and services. I highly recommend printing this one out and looking it over any time you need to deliver a message to a B2B audience.
• How to add $1 Million in revenue to your business in 1 year – From Andy Beal at marketingpilgrim, this is written with an SEM agency as the intended industry target, but it can be applied in theory to almost any ecommerce business.
• How To Generate Targeted Site Traffic Without Search Engines – This is an awesome guide on building traffic without completely relying on search engines for it.
• Top 10 business mistakes, marketing firms make – Another from marketing pilgrim, this can also be applied to just about any business.

Payments:

• Six Payment Gateways Reviewed, The Chargeback Challenge, and Solve the Payment Processing Problem are all written by John Conde from the merchant-account-services.org blog. These are all great articles and should be considered essentials for website owners looking to accept credit cards on their website.
• How to accept credit cards on your website – This is a simple guide that I wrote a few months ago covering basic option to accepting payments online.
• Integrate a website with Authorize.net using php 5

Other / random useful stuff:

• Microsoft Windows Power Toys – If you don’t know what these are, check them out. Extremely helpful, and can safely change a lot of things on your computer that you couldn’t before. I highly recommend the Tweak-UI, Clear Type, Virtual Desktop, and the Image Resizer toys.
• Magazines for small business owners This is an article covering some good business magazines for print and online for business and website owners.

Web Server Control Panels:

• Plesk
• cPanel
• Webmin
• cube panel
• CWIPanel
• ISPConfig

Getting Information (Where I go when I need help):

• Digitalpoint Forum
• Sitepoint Forum
• Webmasterworld
• WebProWorld

Freelance Marketplaces (If I need programming/ design work):

• GetAFreelancer – #1 choice
• Rent A Coder

If you know of any really good how-to’s or guides for ecommerce do-it-yourself’ers send them to me. I may add them to the list.