Price: £6,897 excluding VAT. Annual subscriptions: email filtering: £2,122; web filtering: £2,722
Part of Astaro's improved line-up of UTM appliances, the ASG 425 offers an extensive range of security features aimed at mid-sized to large businesses. At its centre is Astaro's Security Gateway Linux-based software, which provides a standard NAT/SPI firewall, plus intrusion detection and prevention. This is augmented with a host of options such as web content filtering, web and email anti-virus scanning, anti-spam and anti-spyware. The latest ASG software (version 7), which all the appliances run, introduces email encryption, SSL VPNs and high availability among its new features.
The device is equipped with a 3.4GHz P4 processor partnered by 2GB of memory, while a SATA hard disk handles quarantining. You get an octet of gigabit ports that support a variety of functions, and the ASG 425 is equipped with hardware acceleration courtesy of a NodalCore c-2000 content-security accelerator card. The control panel at the front can be used to reboot, power off or reset the appliance, but we couldn't see any means of disabling this.
The freshly designed web interface opens with a very efficient quick-start wizard. This takes you through configuring LAN and WAN ports, choosing which services should be allowed to run and whether intrusion detection should be active, as well as picking content-filtering categories. There is more to do, because the internal interface will need a DHCP server and address range assigned to it.
At this stage it's worth thinking about your deployment, because Astaro makes extensive use of network and service objects that are referenced by packet-filtering rules and application proxies. Some predefined objects and services are provided, but you'll need to add custom definitions for mail servers and domains, groups of systems, networks and so on. The manual could be more helpful as it merely describes the features in the order they appear.
Application proxies are used for the majority of security services. The HTTP proxy is easy enough to activate, and you can drag and drop selected objects and services into the allowed networks. If you don't want to reconfigure your clients' browser settings, the proxy can run transparently, but this mode is unable to filter HTTPS or FTP traffic. You can implement proxy authentication and use the appliance's local user and group database or employ Active Directory, RADIUS and LDAP servers or Novell's eDirectory. For the SMTP proxy, you need to provide details of your internal mail servers and mail domains, while the POP3 proxy just needs to know which network entities are allowed.
For anti-virus measures, Astaro employs a pincer movement using the open-source ClamAV and the lesser-known Authentium scanner, which takes over from Kaspersky. For each proxy you can activate either or both and bring in the might of the hardware accelerator as well. During testing, the scanners worked well, blocking all our attempts to access infected web and FTP sites. Infected mail attachments were also dealt with efficiently, and you can add custom footers to outbound messages and use an attachment-blocking list for both SMTP and POP3. Anti-spam measures include RBLs, heuristics, a spam database and reverse DNS lookups. It's not the biggest arsenal we've seen, but it worked well enough during testing. All suspect messages are held in the appliance's quarantine area for further inspection.
IBM's Cobion handles web content filtering and offers 18 main categories. These can be customised through a range of sub-categories. Once again, we found this worked well in the lab, with the appliance delivering a customisable warning page when we attempted to access restricted sites. The anti-spyware measures also swung into action and blocked access when we tried to access known dubious sites.
Along with the ability to classify and prioritise both SIP and H.323 VoIP traffic, the appliance now offers SSL VPN features as standard. However, these are very basic since all you can do is create a list of remote users and groups and decide which network resources they can access once authenticated. Astaro uses the open-source OpenVPN, which requires a Windows utility to be downloaded and installed. It works well enough but is not the most sophisticated appliance we have seen. Controls are also provided for seven IM and eight P2P applications, including MSN Messenger, BitTorrent, Yahoo! Messenger and Gnutella.
High availability was impressively easy to set up. We linked two ASG 425 appliances together across their Eth3 ports and our main system declared itself as master as it had the greater period of uptime. The secondary unit was then automatically configured as a slave and the link used for heartbeat monitoring and to keep the appliances in sync.
The ASG 425 clearly delivers a comprehensive security solution with hardly a chink in its armour. We found it comparatively easy to deploy and configure, and Astaro completes the package with some choice reporting tools.
SC MAGAZINE RATING
Ease of use ***
Value for money ****
Overall Rating ****
For: A complete range of network security measures, good overall value, unlimited user licence, plenty of reporting tools, easy HA set up
Against: Documentation could be more helpful, basic SSL VPN features, a lot of open-source components
Verdict: A comprehensive network security package that's easy enough to configure and comparatively good value.