 

Astaro Security Gateway boasts rich features

Brian Chee and Curtis Franklin Jr.
27.05.2009 at 17:55

How important are flexibility and a rich feature set to you? If these elements are your top considerations, then the Astaro Security Gateway should be high on your short list. With roots in the Linux world, the Astaro is a serious firewall with serious capabilities for a distributed enterprise UTM box.

 


Although not a top performer by any stretch, the system truly stood out because of its kitchen-sink take on features, including proxies, cache, server load balancing, destination NAT, routing, bridging, packet filters, IDS/IPS functions, anti-virus, anti-spam, and so on. Along with a Web GUI not tied to any particular browser, this system has a bit of extra security with user and admin log-ins on different TCP ports.


Most products in the UTM category reward careful study before the management interface is touched. WatchGuard, in particular, requires a fair amount of planning before deployment because of its whitelist approach to traffic flow (you start by allowing all outbound traffic). For the Astaro, though, our suggestion is to try clicking on stuff; there are lots of buttons and widgets that give you access to features.

On the upside, this method of learning is likely to expand your concept of what the system can do for you. The downside is that it tends to expose drawbacks in the user interface. One that threw us for a bit was the side-by-side red/green button that served to turn interfaces on and off. We were expecting it to be merely an indicator and not a button. If you're one of the many men who are somewhat color-blind, you'll want to pay very close attention to starting states and make sure you keep track of what you've done, since the green and red buttons won't really help you.

Test Center Scorecard

Astaro Security Gateway

ASG425

Attack blocking (15%): 5

Ease of setup (15%): 8

Features (15%): 8

Management (15%): 8

Scalability (15%): 8

Throughput (15%): 7

Value (10%): 7

Overall score: 7.3 (good)

Frills and drills

All the news about the interface isn't bad, though. We were quite pleased with the amount of information available right on the front dashboard. While other systems might have prettier interfaces, the Astaro dashboard is very clean, displaying a wealth of information without being cluttered. Another very cool feature is the ability to click on the tiny "I" icons in the Destination NAT (DNAT) interfaces to display where else these definitions were used. As with other systems, you sometimes have to disable linked rules (which depend upon other rules or objects) before you can make major changes. Having a quick way to see where else these rules were applied was very nice.

The HTTP proxy interface has a unique feature: a help section with a flowchart showing the order in which the rules are applied. Proxies have been the bread and butter of firewalls in the past, but they typically come with a cryptic interface. This is a wonderfully useful help file -- what a concept!


The responsiveness of the management interface certainly suffered when traffic ramped up, but the sluggishness wasn't anywhere near as dramatic as with the smaller ZyXel box. Although waits noticeably increased as the traffic load and number of attacks rose, the Astaro system remained responsive to management requests at all times.

The Astaro's throughput was a disappointment. The four units in this review ended up separating into two performance classes, with the SonicWall and WatchGuard far outpacing the Astaro and the much lower-priced ZyXel. At less than one-quarter of the Astaro's price, the ZyXel maintained slightly better throughput while under attack and blocked a slightly higher portion of the attacks. The Astaro could handle a WAN connection up to perhaps a couple of T-1s. For bigger pipes, you may need a UTM with more speed.

Server inside

Without having an insider's view, the Astaro Security Gateway looks to be a special-purpose server with a single CPU that handles all of the functions right down to a PCI Express interface for the Ethernet ports. It clearly has some sort of encryption processor in it, or the 200 VPNs we ran would have killed the performance. However, if you start turning on lots of features, you'll see a noticeable impact on performance, as UTM functions quickly suck up CPU cycles. Unlike the SonicWall, the Astaro clearly does not partition management operations from the general traffic handling in the CPU cores. All of these functions are competing for resources.

Despite the drawbacks, the Astaro Security Gateway offers a massive collection of services for the price -- much more than what you could get on a roll-your-own box -- and it provides a much cleaner and more coherent management interface than you're going to find in the wild.

It's worth noting that the Astaro Security Gateway is the only UTM in our shoot-out that can also be purchased in a software version. After our testing was complete, Astaro announced that it had been certified on the Intel Modular Server Platform, which makes this an interesting option for SMB and branch office applications. Whether for virtualization environments, server-room optimization, or the need to run on higher-performance hardware, the software option should resonate with many buyers.

All in all, the Astaro Security Gateway is a very flexible platform that maintains a reasonable level of security even when pushed to the limits of its packet-passing performance. Considering just how popular virtualization has become, the software version of the Astaro platform is a welcome feature that may be the deciding factor for a growing number of customers.

Astaro Security Gateway ASG425

Pros: Enormous set of features provides great flexibility. Separate port for management. Available in a software-only version for x86 hardware.

Cons: Throughput lagged all competitors tested, including systems costing thousands less. Some aspects of GUI not especially intuitive. Some configuration (such as VPNs) requires traversing many screens.

Cost: Base price: US$9,750. Price as tested: $18,565 including Secure Web, Secure Mail, maintenance updates, and support.

Platforms: Linux-based 1U appliance with 6 Gigabit Ethernet ports, 2 SFP GBIC, firewall, VPN, IPS/IDS, anti-malware, content filtering, and anti-spam

Bottom Line: Astaro's ASG425 offers a massive collection of services for the price -- much more than what you could get on a roll-your-own box. However, performance is disappointing. You have to want its copious feature set to consider it over more affordable competitors.

Brian Chee is a senior contributing editor to the InfoWorld Test Center and the founder and manager of the Advanced Network Computing Laboratory at the University of Hawai'i School of Ocean and Earth Science and Technology.

Curtis Franklin Jr. is a senior contributing editor to the InfoWorld Test Center.


Copyright 2009 IDG Magazines Norge AS. All rights reserved
