Astaro Security Gateway 220
PROS: Broad feature set includes email encryption and signing, VPN, firewall, and antivirus; setup is easy, with many configuration options; Web-based administrative interface is very responsive; product is available both as an appliance and as software; licensing is favorable, including free use for as many as 10 IP addresses in home environment
CONS: Individual intrusion protection rules aren’t visible from WebAdmin
PRICE: $2550 for appliance with basic feature set; $6645 for appliance and annual subscription to email filtering and encryption, Web filtering, and support five days per week
RECOMMENDATION: The Astaro Security Gateway 220’s broad feature set and ability to be implemented on many platforms make it a must-see. Take this flexible, highly configurable perimeter security system for a test drive.
CONTACT: Astaro • 877-427-8276 • www.astaro.com
The Astaro Security Gateway 220 is an appliance that can be licensed and configured for a variety of network security functions, including firewall, VPN gateway, and intrusion prevention. Three subscription options enhance the basic functionality: Web Filtering adds virus protection and URL filtering to block access to certain Web sites; Email Filtering adds virus and spyware protection, phishing protection, and spam filtering; and Email Encryption supports digital signing and automated email encryption and decryption.
There are other models of this appliance that differ primarily in processing power; the ASG 220 is a 2.5GHz Intel Celeron–based system with 512MB memory and an 80GB hard disk. An LCD on the front panel displays basic system status, and seven of the eight 10/100 Ethernet ports are configurable; the eighth port is dedicated to a connection to other ASGs when running in high-availability or load-balancing configurations. Other ports support a serial console and a monitor. USB ports support operation with a UPS.
The ASG, built on a hardened SUSE Linux kernel, is a blend of open-source projects, in-house developments, and components licensed from third-party vendors. The ASG implements a four-layer architecture: WebAdmin, the GUI-like administrative interface, works with a configuration daemon to run scripts in response to configuration requests; in turn, the scripts configure the middleware components (e.g., intrusion detection, email encryption), which are running in the hardened SUSE Linux kernel.
WebAdmin is a browser-based interface, developed using Ajax, that lets you move quickly between screens. Astaro manages updates through the ASG’s automatic update service and leaves you with the ease-of-use experience you expect from an appliance. WebAdmin’s interface, which Web Figure 1 shows, presents a set of expanding menus and submenus on the left that display tabbed sets of configuration screens on the right. The interface is well organized and gives you granular control. I counted 184 active status and configuration screens, although I needed only nine to initially configure the appliance.
A Getting Started Guide describes physical setup, and a brief Operating Instructions booklet describes initial configuration. During configuration, I also referred to the online Help and Administration Guide for a more thorough understanding of the configuration options. Both sources were very helpful. To start, I powered up the ASG 220, which was connected to a laptop configured with an address on the ASG’s default LAN subnet so that I could reconfigure it for my own LAN addresses. The ASG’s default configuration is an extremely secure mode, allowing no traffic through the WAN port. After I configured it for my own network, I completed the physical setup, connecting my ISP through the WAN port and connecting my wireless router to an unused port.
I configured the WAN interface in WebAdmin and reconfigured the LAN interface by bridging unused ports with the default LAN port so that I’d have several ports for LAN connections. I defined a static route for my wireless router, which I connected to one of the bridged LAN ports.
Using WebAdmin's Network Security screens, I configured dynamic Network Address Translation (NAT) for the WAN interface and enabled intrusion prevention. With a few extra mouse clicks, I disabled intrusion-prevention rules that protect against attacks on software systems that I don’t use on my network, reducing the processing load that the intrusion prevention system (IPS) imposed on the appliance.
Next, I configured packet filters. These filters are stored in the ASG as a manually ordered list; some administrators might prefer this ability to organize their filters, though automatically ordered lists typically work fine. Because a stateful packet inspection firewall is a standard ASG feature, all packets that are responses to established connections are automatically allowed; only packets that establish connections need to be explicitly permitted. The ASG has one preconfigured packet filter that allows all traffic, but it's disabled by default. I added packet filters to permit all traffic from my LAN and my wireless network. I reconfigured the default rule to drop all packets and moved it to the last position in the list. Had I also wanted to configure a demilitarized zone (DMZ) network segment or allow any WAN-initiated conversations, the configuration would have been more complex.
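The ordering and stateful behavior described above can be modeled in a few lines. This is an added example, not code from the review or from Astaro. It assumes first-match evaluation of the ordered list, and the addresses, the `Rule` and `StatefulFilter` names, and the address-pair connection tracking are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    source: str   # CIDR network the connection-opening packet must come from
    action: str   # "allow" or "drop"

class StatefulFilter:
    """Toy model: ordered rule list plus a table of established connections."""
    def __init__(self, rules):
        self.rules = list(rules)   # order matters: first match wins (assumed)
        self.established = set()   # (initiator, responder) pairs; ports omitted

    def handle(self, src, dst):
        """Return the verdict for one packet travelling from src to dst."""
        # Packets belonging to a tracked connection skip the rule list.
        if (src, dst) in self.established or (dst, src) in self.established:
            return "allow"
        for rule in self.rules:
            if ipaddress.ip_address(src) in ipaddress.ip_network(rule.source):
                if rule.action == "allow":
                    self.established.add((src, dst))
                return rule.action
        return "drop"  # nothing matched: fail closed

# Constructed sample networks (RFC 1918 and documentation ranges).
LAN, WLAN, ANY = "192.168.10.0/24", "192.168.20.0/24", "0.0.0.0/0"
# Layout from the review: permit LAN, permit wireless, drop-all in last position.
REVIEW_ORDER = [Rule(LAN, "allow"), Rule(WLAN, "allow"), Rule(ANY, "drop")]
# Same rules with drop-all moved to the top, for comparison.
DROP_FIRST = [Rule(ANY, "drop"), Rule(LAN, "allow"), Rule(WLAN, "allow")]

def run(rules):
    """Replay four constructed packets, in order, against a fresh filter."""
    fw = StatefulFilter(rules)
    return {
        "wan_unsolicited": fw.handle("203.0.113.9", "192.168.10.5"),
        "lan_outbound": fw.handle("192.168.10.5", "203.0.113.9"),
        "wan_reply": fw.handle("203.0.113.9", "192.168.10.5"),
        "wlan_outbound": fw.handle("192.168.20.7", "198.51.100.4"),
    }

if __name__ == "__main__":
    print("review order:", run(REVIEW_ORDER))
    print("drop first:  ", run(DROP_FIRST))
```

With the drop-all rule last, the same WAN host is refused when it initiates but allowed when it replies to a LAN-initiated connection; with drop-all first, the permit rules are never reached.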
Antivirus scanning for Web traffic within WebAdmin’s Web Security section requires that you enable the Web proxy. I enabled the Web proxy’s transparent mode, which redirects all port 80 requests to the proxy and doesn’t require desktop configuration or user authentication. The ASG also supports standard and authenticated proxy modes.
With my basic configuration complete, I enabled the WAN interface. My Skype and T-Mobile Wi-Fi connections came online, indicating a successful configuration. I accessed a few standard (HTTP) and secure (HTTPS) Web sites to further confirm that all was working. I also enabled the POP3 proxy, which enables the ASG’s antivirus and antispam features for POP3 requests originating from designated internal networks. The ASG also has a proxy to internal SMTP servers, which supports the ASG’s scanning of mail sent to designated domains hosted by an internal mail server.
The IPS is extremely easy to configure on initial setup, and the Network Security status page shows statistics for the top IPS attacks blocked by IPS rule number. Although WebAdmin lets you disable a rule or alter the action taken when a rule is triggered, it has no interface to display individual IPS rules so that you can learn what a rule detects. The online Help provides a link to a list of rules on the Astaro Web site, but it would be useful to have the link to IPS rule definitions available from WebAdmin's IPS configuration pages. Also, each rule number listed on IPS status displays and logs should be an active link to the rule’s definition and a configuration screen. Two attack rules logged during my test—WebAdmin reported them as originating from two of my own systems—weren't in Astaro’s list. It turns out that they weren’t really IPS rule references, but rather Snort (the open-source project the IPS subsystem is built upon) informational codes; Astaro plans to filter these codes from displays in a future release as well as adding links to IPS rule information within WebAdmin.
The ASG has full site-to-site and remote-access VPN support for connection via Secure Sockets Layer (SSL), PPTP, IPsec, and L2TP over IPsec. The product supports both local-user and Remote Authentication Dial-In User Service (RADIUS)–based user authentication, as well as certificate-based and pre-shared key session authentication.
Automatic email signing and encryption is an interesting feature. The ASG supports both S/MIME and OpenPGP standards. It automatically signs and encrypts outgoing messages when the recipient’s S/MIME certificate or OpenPGP public key is known to the ASG. Similarly, incoming messages will be decrypted and scanned when the recipient is known to the ASG. WebAdmin has tools to let you load and manage keys and certificates, and you can configure the ASG to extract and use S/MIME certificates that it finds in signed email messages. This feature lets you implement email encryption and signing without the need for user involvement or desktop encryption software.
The ASG has several logging and reporting features that let you review its activities. As a Linux-based system, it produces a variety of text-based log files. You can view these files using WebAdmin, designate a syslog device to send log records to, and designate a Common Internet File System (CIFS) share that the ASG can copy archived log files to. The ASG also creates daily, weekly, and monthly executive reports and automatically emails them to addresses you configure. These reports include numerous Top 10 lists in a variety of categories, including packets dropped by source and destination IP, and intrusion prevention attacks by source IP, target IP, and IPS rule detected. Astaro offers a separate reporting package that lets you offload more detailed log file–based reporting to another server.
The ASG worked well in my tests, although my experience wasn’t uniformly perfect. WebAdmin seemed to lock up at times; the menu pane updated as I clicked in different areas, but the detail pane didn't update accordingly. I had to refresh the browser window and log back on to correct the problem. An Astaro spokesperson told me that this problem results from clicking to a new page before the current page finishes displaying; Astaro has a fix in the works.
A few of the default settings, although promoting security, got in the way of normal use. By default, Web antivirus scanning disables download of several file types, including .exe files, which can be a problem for software distribution. Instead of simply blocking the files, an option to permit the download would be useful. Also, I thought I hadn't enabled any content filtering, but one Web page was blocked when I browsed a retail Web site. It turns out that filtering uncategorized Web pages is enabled by default, but WebAdmin shows no sign of that on higher-level configuration screens. A graphical representation (e.g., a grayed check box) when some but not all options are enabled would be helpful here.
In addition to the appliance, Astaro Security Gateway Software Appliance—a software version of the ASG—can be licensed by number of protected IP addresses. Astaro offers a free license for noncommercial home use for 10 IP addresses or fewer, which includes the Web Filtering and Email Filtering subscriptions. Astaro also sells a VMware-based virtual appliance. The availability of software versions lets you quickly bring a software-based ASG into operation if the appliance fails. Not having to wait for a replacement appliance reduces the exposure to downtime that smaller shops (i.e., shops that can’t afford to purchase a backup standby unit) often face.
I'm impressed with the ASG's feature set. It isn't the easiest firewall appliance to configure, but it isn't far off the mark—which is really extraordinary considering its broad feature set and plethora of configuration options. The ability to quickly configure a software-based backup unit will appeal to SMBs, and the ability to configure several appliances into a high-availability or load-balancing pool will appeal to larger environments. The inability to see details of individual IPS rules within the WebAdmin interface is the only significant shortcoming I found. The ASG is a must-see. If you're in the market for a perimeter security appliance, you should definitely try the Astaro Security Gateway.