Product Review: UTM – Astaro Security Gateway 425

June 1, 2007

Supplier: Softek

Price: £6,897 excluding VAT. Annual subscriptions: email filtering: £2,122; web filtering: £2,722

Contact: www.astaro.com

Part of Astaro's improved line-up of UTM appliances, the ASG 425 offers an extensive range of security features aimed at mid-sized to large businesses. At its centre is Astaro's Security Gateway Linux-based software, which provides a standard NAT/SPI firewall, plus intrusion detection and prevention. This is augmented with a host of options such as web content filtering, web and email anti-virus scanning, anti-spam and anti-spyware. The latest ASG software (version 7), which all the appliances run, introduces email encryption, SSL VPNs and high availability among its new features.

The device is equipped with a 3.4GHz P4 processor partnered by 2GB of memory, while a SATA hard disk handles quarantining. You get an octet of gigabit ports that support a variety of functions, and the ASG 425 is equipped with hardware acceleration courtesy of a NodalCore c-2000 content-security accelerator card. The control panel at the front can be used to reboot, power off or reset the appliance, but we couldn't see any means of disabling this.

The freshly designed web interface opens with a very efficient quick-start wizard. This takes you through configuring LAN and WAN ports, choosing which services should be allowed to run and whether intrusion detection should be active, as well as picking content-filtering categories. There is more to do, because the internal interface will need a DHCP server and address range assigned to it.

At this stage it's worth thinking about your deployment, because Astaro makes extensive use of network and service objects that are referenced by packet-filtering rules and application proxies. Some predefined objects and services are provided, but you'll need to add custom definitions for mail servers and domains, groups of systems, networks and so on. The manual could be more helpful as it merely describes the features in the order they appear.

Application proxies are used for the majority of security services. The HTTP proxy is easy enough to activate, and you can drag and drop selected objects and services into the allowed networks. If you don't want to reconfigure your client's browser settings, the proxy can run transparently, but this mode is unable to filter HTTPS or FTP traffic. You can implement proxy authentication and use the appliance's local user and group database or employ Active Directory, Radius and LDAP servers or Novell's eDirectory. For the SMTP proxy, you need to provide details of your internal mail servers and mail domains, while the POP3 proxy just needs to know which network entities are allowed.

For anti-virus measures, Astaro employs a pincer movement using the open-source ClamAV and the lesser-known Authentium scanner, which takes over from Kaspersky. For each proxy you can activate either or both and bring in the might of the hardware accelerator as well. During testing, the scanners worked well, blocking all our attempts to access infected web and FTP sites. Infected mail attachments were also dealt with efficiently, and you can add custom footers to outbound messages and use an attachment-blocking list for both SMTP and POP3. Anti-spam measures include RBLs, heuristics, a spam database and reverse DNS lookups. It's not the biggest arsenal we've seen, but it worked well enough during testing. All suspect messages are held in the appliance's quarantine area for further inspection.

IBM's Cobion handles web content filtering and offers 18 main categories. These can be customised through a range of sub-categories. Once again, we found this worked well in the lab, with the appliance delivering a customisable warning page when we attempted to access restricted sites. The anti-spyware measures also swung into action and blocked access when we tried to access known dubious sites.

Along with the ability to classify and prioritise both SIP and H.323 VoIP traffic, the appliance now offers SSL VPN features as standard. However, these are very basic since all you can do is create a list of remote users and groups and decide which network resources they can access once authenticated. Astaro uses the open source OpenVPN, which requires a Windows utility to be downloaded and installed. It works well enough but is not the most sophisticated appliance we have seen. Controls are also provided for seven IM and eight P2P applications, including MSN Messenger, Bittorrent, Yahoo! Messenger and Gnutella.

High availability was impressively easy to set up. We linked two ASG 425 appliances together across their Eth3 ports and our main system declared itself as master as it had the greater period of uptime. The secondary unit was then automatically configured as a slave and the link used for heartbeat monitoring and to keep the appliances in sync.

The ASG 425 clearly delivers a comprehensive security solution with hardly a chink in its armour. We found it comparatively easy to deploy and configure, and Astaro completes the package with some choice reporting tools.

SC MAGAZINE RATING
Features *****
Ease of use ***
Performance ****
Documentation **
Support ****
Value for money ****
Overall Rating ****

For: A complete range of network security measures, good overall value, unlimited user licence, plenty of reporting tools, easy HA set up

Against: Documentation could be more helpful, basic SSL VPN features, a lot of open-source components

Verdict: A comprehensive network security package that's easy enough to configure and comparatively good value.
