Astaro ASG220

Astaro Security Gateway 220


Securing organizations connected to the Internet has become very difficult in recent years. Organizations are protected by a variety of tools: antivirus and antispyware products, spam filters, intrusion prevention systems, encryption technology for access to corporate networks, encryption of e-mail communication, filtering of dangerous content and content unacceptable to the company, and so on. We realize that in the world of security there is no single remedy for everything; nevertheless, the Astaro Security Gateway product line includes all the security elements needed for the company network and the Internet. It is a device that combines the elements already mentioned and adds a little more.
The German company Astaro was founded in 2000 and offers security solutions in particular. Its first products were Linux distributions aimed at securing the network, essentially software equivalents of the current product line. The company has remained faithful to this approach and lets you decide whether to use its products as software (either on your own hardware or in a VMware virtual server) or as a pre-installed hardware device.

Astaro Security Gateway 220 is a hardware device with an Intel Pentium 4 processor clocked at 2.8 GHz, 1 GB of RAM, an 80 GB disk and 8 interfaces. The device occupies 1 rack unit. The essential part of the device, however, is its software, which combines the Linux operating system, the Snort intrusion prevention system (certified by Sourcefire), two antivirus systems for web and e-mail filtering, an antispam filter, a web content filter, a router, VPN access, a reporting interface, a stateful packet filter, a packet shaper and a few other components. It can cover a relatively wide range of the needs that are normally entrusted to a web gateway.

Installation and Configuration
Following the Getting Started Guide, we completed the basic settings in a few minutes. The wizard guides you through the basic setup, mainly the Internet connection (WAN interface) and the IP address. On first login you are welcomed by an interface that is intuitive yet rich in options. The simplicity and especially the speed of the interface deserve emphasis; this is not so common among competing products, which are often configured through a slow and cumbersome interface, for example a Windows client application or a long-outdated Java applet that is no longer developed.

Configuration is possible from any operating system without installing anything, and, with the exception of VPN with some protocols, nothing needs to be installed to use the gateway either.

Given the many options and detailed settings, we would not recommend that an ordinary user unfamiliar with computer networking terminology configure the complex components himself. The documentation is detailed and clear, but it does not replace education in the field. On the other hand, after the initial setup the gateway is easy to use without major changes during operation. We appreciate that the vendor did not implement a simplified interface that would prevent advanced settings: the gateway can work with link aggregation, you can configure advanced routing rules (even dynamic ones using the OSPF protocol) or bridging, activate an NTP server, or set quality of service (QoS) in detail on a per-protocol basis.

Network Security

Network layer security is provided by a classical packet filter and also by the Snort IPS. You can decide whether the system only logs detected intrusions and attempts to exploit vulnerabilities or also drops them. It is also possible to disable some of the rules or add your own. The system updates the signatures automatically. The advantage of this approach is efficient protection against common Internet vulnerabilities that may not yet be patched on the client side, or for which the vendor may not even have issued an official patch. The network security system also includes a classifier of peer-to-peer networks that works on the traffic itself (i.e. not only on the port), and can thus reliably detect, for example, Skype or BitTorrent traffic. Based on the protocol detector, such traffic can be prohibited or restricted. The system also supports voice over IP (VoIP) protocols, namely SIP and H.323; it can identify them and let them through reliably whenever needed (this cannot be taken for granted, especially with SIP, because the voice transfer uses secondary connections over the RTP protocol).

The network security module can also detect instant messaging communication (Yahoo! Messenger, ICQ / AOL, Google Talk, Jabber, IRC, MSN, Skype) and log it, disable file transfer, or block it completely. The packet filter is flexible: in addition to ports it can also use dynamically defined objects (such as VPN users, whose IP address is not known in advance).

Web Filter

The HTTP and FTP protocol filter can perform on-line antivirus scanning with two independent antivirus products. The advantage of this solution is that malicious code is detected at the network boundary. Obviously, this is not a full replacement for an antivirus program on the computer (malicious code can also reach the computer by other channels, for example via a USB key, an encrypted connection, or when a laptop is connected to another network outside the company).

The second part of the web filter is the website filter, which lets the administrator select the set of websites to allow or block. Selection is done by category, and the administrator can permit certain sites to certain groups of users. It is also possible to permit particular sites only at certain times (e.g. during the lunch break). The system recognized websites very well and was even able to place them in the correct category. In addition it supports all the commonly available filters (suffixes, white list, black list ...) and supports verifying users against an authentication server.

E-mail filter

The e-mail filter uses several filtering technologies: two antivirus products to filter malicious code and several methods of fighting spam (RBL, greylisting, SPF, BATV, heuristics, patterns, black / white lists, etc.). The gateway does not include a full-blown e-mail server; it is intended only to "purify" incoming e-mail of malicious and unsolicited messages. However, it provides relatively advanced options. The first is the user portal, in which each user can define his own white list, view the relevant parts of the log (i.e. find out whether a particular e-mail passed or not), check the e-mail quarantine, and train and correct the system when e-mails are misclassified. The user portal (and other parts of the gateway) allow authentication against an authentication server (based on Active Directory, RADIUS, LDAP, eDirectory or TACACS+).

The second, relatively non-standard feature is the option of encrypting, decrypting, signing and verifying signatures of e-mail using the S/MIME and OpenPGP standards directly at the gateway. From a security standpoint, entrusting this task to the gateway is not the best choice: e-mails might be intercepted on the way from the gateway to the user's computer, and someone inside the company could pass themselves off as someone else. On the other hand, this option is at least somewhat better than unencrypted communication for a company that for some reason cannot deploy e-mail encryption directly in the clients. Nevertheless, we think that e-mail encryption and signing belong in the e-mail client and not on the gateway. It is just an option of the gateway, though; you do not have to use it.

VPN and IPSec
The gateway allows encrypted connections between networks based on the IPSec protocol. It uses a pre-shared key or X.509 certificates as authentication mechanisms, so encrypted connections with other devices (from other vendors) can be established very simply. The gateway includes full certificate management.

Very interesting is the support for remote access VPN, i.e. encrypted user access to the organization's internal network. Most gateways support one or two protocols. Astaro supports PPTP, L2TP/IPSec, IPSec and SSL access (SSL access in Astaro means an OpenVPN connection over the encrypted TLS protocol). The options are rich, and it is up to the user (and the administrator) what level of security he requires and whether he is willing to configure a complex VPN or to use external software that sets up the VPN automatically. A big advantage is that all settings are accessible from the user portal, including detailed instructions. A benefit is good connection support from other operating systems such as Windows and Linux using "SSL VPN" (i.e. the OpenVPN software package) while maintaining a decent level of security (connection via PPTP is possible from Mac OS X or Linux, but in that case it is not a very safe way of access).

Administrator tools
The system administrator can use the reporting section, which contains both gateway system information (CPU usage, available RAM, network interface usage) and reports on the activities of individual users (the most frequently visited sites). A minor disadvantage is the absence of graphs for individual users (it is not possible to follow activity graphed over time; Astaro Report Manager, which we have not tested, serves this purpose).

The administrator can have reports sent regularly by e-mail. The system can notify about important events either by e-mail or via SNMP traps, so it can easily be linked to an existing monitoring system. It is also possible to use Astaro Command Center for centralized management of all Astaro products. This product is not charged extra.

The system also makes it easy to back up the whole configuration so that it can simply be restored in case of problems or replacement of the gateway. A hardware disadvantage of the gateway is that it contains only one hard disk and one power supply; the components most prone to failure are not redundant. The subscription includes prompt replacement of a faulty gateway with a new unit in case of problems, and in that case the configuration backup certainly suffices. It is a pity, however, that users then lose the quarantine.

In emergencies the administrator may use access via the SSH protocol. Somewhat discouraging (though obvious) is the warning that the customer loses technical support after any changes made as root through SSH. However, we think this option should be used only occasionally, because almost everything can be done through the web interface.

Security and updates

A system with paid technical support is automatically entitled to software updates, which are applied manually. The system can, however, notify about available updates (via the e-mail and SNMP traps already mentioned), so there is no need to watch for updates to install. Some updates require a restart of the system, so they need to be applied when it suits the organization's operations. The system is built so that all services visible from outside run in a so-called chroot jail, and thus the compromise of an individual service does not compromise the entire system (at the very least, it makes a subsequent compromise of the system substantially harder).

Snort rule updates and antivirus signature updates are performed automatically in the background.

High availability
Astaro Security Gateway 220 can work in high availability mode (active / passive) together with a second identical gateway, or in a cluster (active / active, 10 units, with the load distributed among them). For this purpose the gateways must be interconnected via the eth3 interface, which is reserved for this. Once they are interconnected, the second device should configure itself automatically; however, we did not test this option as we had only one gateway.

Appearance customization
The gateway allows its appearance to be customized by replacing the standard Astaro company logo and by changing the text of the individual error messages explaining site blocking.

License policy

With the exception of the smallest gateway, Astaro Security Gateway 110, all the gateways allow an unlimited number of users (or rather, the number of users is limited by the gateway's hardware capabilities). For each gateway the vendor states the volume of traffic it is capable of filtering. The reviewed Astaro Security Gateway 220 handles 320 Mb/s through the packet filter (firewall), 170 Mb/s of VPN traffic, 140 Mb/s of traffic through the intrusion prevention system (IPS), 300 thousand e-mails a day and 400 thousand concurrent connections. These figures are minimal; however, they are not limited by license or technically.

When buying a gateway you need to reckon with the price of the gateway and the annual fee for support (provided at two levels, Gold and Platinum, which differ in support response time and in the guaranteed time for replacing a faulty device).

An annual fee is also charged for the optional web and e-mail filter components.
In the case of software gateways (whether software appliance or virtual appliance) the number of users is limited, and the user may run the software on any supported hardware.

Conclusion
In our opinion this is a very interesting security solution for the boundary between an organization's internal network and the Internet, combining several methods of protection with secure access to the internal network from outside. The only negative from the hardware point of view is the lack of redundant components (hard disk drive and power supply). The higher model in the product range, ASG525, solves this problem. The option of running two or more devices in redundancy mode offsets this negative. We therefore reckon that this product is suitable for small and medium-sized organizations as a comprehensive solution for perimeter security. For companies that have already solved part of their perimeter security, Astaro offers separate e-mail and web security gateways.

 

Juraj Bednár, INFOWARE 10/2008

 