Objective of this guide
[vc_separator css=”.vc_custom_1567441743182{margin-top: -20px !important;}”]In this guide we will discuss how to configure Kutter Content Filter and Malware Protection on the cloud and how to integrate it with our pfSense® and OPNsense firewall.JTVCYWRyb3RhdGUlMjBiYW5uZXIlM0QlMjIzJTIyJTVEThe hardware and software used
[vc_separator css=”.vc_custom_1557400611541{margin-top: -20px !important;}”]Tested hardware: We tested all our devices with kutter and pfSense and OPNsense systems.Since the computational load moved to the cloud, we did not experience any slowdown on the tested hardware.
Tested entry level firewalls:
The entire APU 2 NIC line:
The entire APU 3 NIC line:
The entire APU 4 NIC line:
Tested Corporate Firewall:
The entire Compact Small UTM line:
All the Small UTM line:
Tested data center firewalls:
A1 Server: Firewall
A2 Server: Firewall
A3 Server: Firewall
The software used on the appliance is pfSense® version 2.4.4-RELEASE-p3
The same settings can be performed on OPNsense using the same rules.
For those wishing to learn more about Kutter features, the specifications can be reached at the following link www.kutter.it
At the same link you can also ask for a free demo. The procedure is immediate.
Introduction
[vc_separator css=”.vc_custom_1557400611541{margin-top: -20px !important;}”]Before starting I will make a brief summary of what Kutter features are, and how to use them to add more security to navigation.Kutter is a powerful content filter and malware for the network. It protects over 1.2 billion clicks a day in 90 different countries by leveraging DNS-based technology for cloud filtering.
This technology, for the uninitiated, allows the control of the contents of the web pages requested by the users and devices of the network that we are “filtering”, without weighing it down with web proxies (sometimes not efficient), to the cloud.
The strength is the simple and immediate activation, unlike the old proxies, difficult to configure and often cause problems.
This type of filter is perfectly suited to businesses, schools, ISP / WISP and public administration.
Any device, be it a firewall like pfSense®, OPNSense®, Zeroshell®, IpFire®, or a router from our provider, will increase navigation security if configured with Kutter.
Furthermore, Kutter is compliant with GDPR standards
Before starting
[vc_separator css=”.vc_custom_1557400611541{margin-top: -20px !important;}”]Prerequisites- Have an active Kutter If you do not have an account, activate it immediately by clicking here or request a free 30-day demo. Registration is immediate and you will be up and running in seconds.
- Have an internet connection.
- A firewall (in this guide we will illustrate pfSense® but it is compatible with other systems – see below compatibility list).
Now let’s see how to proceed step by step.
Customizing the lists
[vc_separator css=”.vc_custom_1557400611541{margin-top: -20px !important;}”]First we need to access our configuration panel by going to the Kutter web page[vc_single_image image=”18323″ img_size=”full” onclick=”link_image”]Once logged in, we will access our configuration area as shown in the figure.[vc_single_image image=”18348″ img_size=”full” onclick=”link_image”]Click on the networks tab[vc_single_image image=”18368″ img_size=”full” onclick=”link_image”]By clicking on the add new network button, you will be able to configure your line whether it is dynamic (therefore without a static IP) or static (therefore with an IP perm.A small menu will open with a series of logos that, when clicked, show how to configure that device in dynamic mode. In our example, we will proceed with the “static” configuration and then click on the button Manual configuration at the bottom.[vc_single_image image=”18332″ img_size=”full” onclick=”link_image”]Simply by following the on-screen instructions, we have configured our network.[vc_single_image image=”18334″ img_size=”full” onclick=”link_image”][vc_single_image image=”18336″ img_size=”full” onclick=”link_image”][vc_single_image image=”18338″ img_size=”full” onclick=”link_image”][vc_single_image image=”18340″ img_size=”full” onclick=”link_image”][vc_single_image image=”18342″ img_size=”full” onclick=”link_image”][vc_single_image image=”18362″ img_size=”full” onclick=”link_image”]Now, move to the Lists tab. You have the possibility to immediately choose 3 profiles already preloaded and configured to block different types of sites.
It starts with the Base profile, up to the more protective and aggressive Alto profile which imposes many more restrictions. It is possible to read below a brief description of the blocked contents.
If you want to customize the blocks, click on Custom configuration.
Notice below, the classic White and Black lists to add or remove sites (or entire domains) by customizing the profile more.
Finally, Kutter is able to filter the searches respecting the blocks of your profile, excluding the results also from the search results of Google and Bing search engines.
For example, if I have excluded pornographic content from my profile, I will not see these results from Google and Bing engine searches.
In this example, we will proceed to perform a custom configuration.[vc_single_image image=”18350″ img_size=”full” onclick=”link_image”]The list configuration home page looks like the following figure. A list of categories and 3 columns indicating: Allow, Block, Program the block[vc_single_image image=”18352″ img_size=”full” onclick=”link_image”]Clicking on the arrow to the left of the category will open the list with the content.[vc_single_image image=”18354″ img_size=”full” onclick=”link_image”]In this example we will show the Social Network category and show how to authorize access only during the lunch break. Clicking on the clock-shaped icon in the third column (Schedule Block), a menu will open in which to insert the block time slots.[vc_single_image image=”18356″ img_size=”full” onclick=”link_image”][vc_single_image image=”18358″ img_size=”full” onclick=”link_image”][vc_single_image image=”18360″ img_size=”full” onclick=”link_image”]We continue in this way until the complete customization of our list (in the Base example).
You can create a different list every 5 coins; that is to say that an office with 25 nominal users can create up to 5 different lists (employees, administration, management, etc.) to balance the different needs of the company. By selecting the basic profile, and then clicking on the pencil icon, we will be able to choose one of the 5 useful dns pairs, precisely, in case we want to diversify the lists.
PfSense® configuration
[vc_separator css=”.vc_custom_1557400611541{margin-top: -20px !important;}”]Now that our network and our lists have been configured, let’s move quickly to our firewall. Here we should simply insert Kutter dns as shown in the figurego to the pfSense menu under System, General Setup.[vc_single_image image=”18366″ img_size=”full” onclick=”link_image”]In order for Kutter to start browsing control, our network will have to use the firewall as a dns server.
There are three possible solutions to achieve this behavior:
- force the network devices to use the pfSense DNS forwarder.
- oblige network devices to use Kutter’s DNS.
- Redirect traffic on port 53 to kutter DNS.
In this guide we will illustrate the first solution:
we now enable the DNS service from: Services -> DNS resolver
Enable it and configure it so that requests can be forwarded:
check the checkbox “Enable DNS resolver” and “Enable Forwarding Mode” selecting the interfaces on which the DNS service will respond (in our case only the “LAN”)[vc_single_image image=”18413″ img_size=”full” onclick=”link_image”]Next we will create two rules.
We will then go to Firewall -> Rules.
Let’s create a rule that allows access to the dns service of the firewall, the second rule that prevents access to the DNS service for the rest of the traffic.[vc_single_image image=”18415″ img_size=”full” onclick=”link_image”]At this point the firewall will allow the use of only the pfSense DNS Server, which will resolve the names via the kutter DNS.
All systems must use the firewall as DNS, manually configuring the DNS or properly configuring the DHCP Server.
If you use pfsense DHCP go to Services -> DHCP Server and configure the DNS section with the IP of the firewall of the LAN (configure as below if it is assumed that the firewall has ip 192.168.1.1 on the LAN).[vc_single_image image=”18417″ img_size=”full” onclick=”link_image”]
Conclusions
The ease of use and configuration, make Kutter a powerful ally to increase corporate security. The implementation methods are sufficiently “elastic”, and allow its use in practically every context and with every device.
Kutter is compatible with any device that allows the forwarding of dns requests, and with devices that allow the use of the ddns service.