On their web site ClarkConnect says this is a “ClarkConnect Server and Gateway” which:
- Provides core server applications
- file and print services
- Protects network and data
- intrusion prevention.
- Enforces Internet usage policies
- content filter
- peer-to-peer filter
- bandwidth manager
- Simplifies management and monitoring
- system monitoring
- software updates
- mail backup
So I decided to check it out, here’s what I found.
The installer for the Community Edition uses the ncurses interface for set up. It goes through familiar configuration options, WAN ip information, gateway, etc. There are also configuration options to set up the LAN. There are two major configuration pages during the install that allow you to make choices of software to install.
First one give you the following options:
- [*]DHCP and Cacheing DNS server
- [*]Intrusion Detection and Prevention
- [ ]DMZ and 1 to 1 NAT (not available in community edition)
- [ ]Multi-WAN Support (not available in community edition)
- [ ]Bandwidth Manager
- [ ]Web Proxy Server
- [ ]Content Filter Server
- [ ]VPN PPTP Server
- [ ]VPN IPSEC Server
- [ ]VPN OpenVPN Server
- [ ]Server Anti-virus
The first two are installed by default.
Second One calls them “Software Modules” and your options here are:
- Mail – SMTP Server
- Mail – POP and IMAP
- Mail – Anti-Virus Server
- Mail – Anti-spam Server
- Flexshare File Manager
- Web Server
- File Server (Samba)
- Print Server
- Database Server
Nothing on this selection page is installed by default.
Since I’m doing an evaluation, and not implementing this firewall right now, I installed everything. This would not be my normal choice. Once everything finished, a screen asks you to hit “Return” to reboot. First thing I noticed is that as soon as the server starts setting up the frame buffer device during boot up the screen goes wonky. Looks like ClarkConnect doesn’t have the hardware detection pieces working quite right. I tried with two different monitors, one an old CRT the other and LCD. Every time I tried going into the GUI configuration console, the monitor screen would go blank and I would get a “Out Of Range” message on the screen. I tried the text based console, which seems to me to be essentially a lynx browser connecting to the webconfig server on localhost. It looks like this was an afterthought. There are no navigation links in the screen, once authenticated. The lynx browser works fine for web pages properly configured to use it. Either my inexperience with lynx is at fault or ClarkConnect didn’t take the text browser into account when designing the interface.
I connect the ClarkConnect Gateway Server to my network and start with the web interface at https://192.168.0.254:81. The web interface runs on non-standard ports, because of the proxy services on this system in gateway mode.
From this screen there are menus to manage Administrators, Users and Groups. The My Account menu is for managing Security and Keys. There is also a menu for managing LDAP and the Organizational information.
The Network tab contains a lot of services to configure, in addition to the network interface. Five items comprise the Firewall Menu. There is Groups, Outgoing, Incoming Peer to Peer and Port Forwarding. The Outgoing menu provides access to rules for allowing outbound access. If you want to restrict what network users have access to, you can configure it in this page.
You can configure Intrusion Detection, which uses snort. The system seems to have a lot of built in rules. This may be the default set that are delivered when you install snort.
Bandwidth management allows the administrator to allocate for applications that are business critical, to insure proper and trouble free operation. Things like VOIP that are sensitive to delays, need to have their own bandwidth allocation.
Clark Connect provided three different methods for creating VPNs. There is the old standby ipsec. The reliable and easy to configure OpenVPN is there. Last but not least there is PPTP, Point to Point Tunneling Protocol, though I would personally recommend against using it.
Clark Connect includes an Intrusion Detection System, snort.
Although Clark Connect seems to be entirely based upon open source packages, some software cannot be configured through the web interface, unless the system is registered.
Clark Connect offers a large selection of Services, some of questionable value on a firewall. There is, for example a sql database, MySQL. Other services available on Clark Connect are FTP Server, something called FlexShare that allows you access through Web FTP File and Email. The administrator can configure Windows File Sharing.
The System tab discloses an array of tools for managing the system. You can check or change the Date Language and Webconfig under the Settings menu. The System Administration menu provides Antivirus Updates, a view of the Mail Que and Processes, options for working with RAID and managing Services. You can choose three “skins” or visual configurations for Clark Connect under the Webconfig option. There’s 3.x, 4.x and Huron. The Tools menu under the System tab provides web access to important software for keeping the system secure.
There’s a backup manager for saving a snapshot of your configuration. There’s an option to configure an encrypted file system. The administrator can set up an SMTP Relay. SSL Certificate Manager is a web interface to generate and manage certs. Shutdown Restart is method to restart the server through the web.
Although it has a pretty face, Clark Connect would not be my first choice for a gateway server. It’s pretty complete for a departmental server and probably could act as a departmental gateway. Like a lot of these server/firewall implementations I find this a little to complicated to be a first line protection of a network. I want a simple firewall to guard my network. Something with a known secure configuration out of the box, and not running any more than is required to get the job of network guardian. If I’m really concerned about virus inside my network, I might consider using one of the various proxies that incorporate virus detection. YMMV