Compromised servers, lost data … The consequences can be very bad indeed if you get the configuration of your firewall, intrusion detection system or VPN servers wrong. But correct configuration is tricky and time consuming, and once it is done you change things at your peril. Being responsible for security can be a dirty job, but someone has to do it.
So it’s no surprise then that Unified Threat Management (UTM) appliances are becoming increasingly popular, especially with small and medium sized organizations. A UTM can be plugged in to the network and configured with a few mouse clicks, providing a network firewall, intrusion detection, and remote access using a variety of VPN technologies including SSL and IPSec.
Many well-known security vendors sell appliances which run their own proprietary software, but the Astaro Security Gateway appliance is unusual because the device, made by Germany-based Astaro, runs on a Linux kernel and uses a selection of open source security software. This is rounded out using a small number of commercial applications and software developed in-house by Astaro. Plug in an Astaro box and you’re actually using the open-source netfilter/iptables framework for firewall protection, the de-facto standard open-source Snort intrusion protection and detection system, and the strongSwan (IPSec), OpenVPN (SSL) and PopTop (PPTP) open-source VPN servers.
But what’s clever about the Astaro Security Gateway is that all of the underlying applications – open-source and proprietary – are effectively invisible to anyone managing it: configuration for all applications is done using Astaro’s easy-to-use GUI (either directly, or via configuration wizards). For example, trying to configure Snort from the command line is not for the fainthearted, but using Astaro’s interface it takes a matter of seconds to make the system notify the administrator, or drop packets, if it detects port scans. Equally, just by pointing and clicking you could set up the firewall to provide (some) protection from DDoS attacks by specifying that no machine on the network should have to process more than a set number of TCP SYN packets or receive more than a set number of ICMP pings every second.
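The per-machine SYN and ping thresholds described above, sketched as an added example (not Astaro's code or configuration): a per-destination token bucket replayed over a constructed trace. The limits, addresses and trace are assumptions; the replay shows why the protection is only partial, since legitimate connections to the flooded host are dropped along with the flood.

```python
from collections import defaultdict

# Assumed thresholds, in packets per second per destination (not Astaro defaults).
LIMITS = {"syn": 100, "icmp": 10}

class PerDestinationLimiter:
    """One token bucket per (destination, packet kind), refilled at the limit rate."""

    def __init__(self, limits):
        self.limits = limits
        self.buckets = {}  # (dst, kind) -> (tokens, time of last packet)

    def allow(self, ts, dst, kind):
        rate = self.limits[kind]
        tokens, last = self.buckets.get((dst, kind), (float(rate), ts))
        tokens = min(rate, tokens + (ts - last) * rate)  # refill, capped at burst size
        if tokens >= 1.0:
            self.buckets[(dst, kind)] = (tokens - 1.0, ts)
            return True
        self.buckets[(dst, kind)] = (tokens, ts)
        return False

def replay(packets, limits=LIMITS):
    """Return {(label, dst, kind): [accepted, dropped]} for a packet trace."""
    limiter = PerDestinationLimiter(limits)
    stats = defaultdict(lambda: [0, 0])
    for ts, label, dst, kind in sorted(packets):
        accepted = limiter.allow(ts, dst, kind)
        stats[(label, dst, kind)][0 if accepted else 1] += 1
    return dict(stats)

def constructed_trace():
    """Constructed one-second trace: a SYN flood at one server, normal load elsewhere."""
    pkts = []
    for i in range(5000):  # 5,000 SYN/s aimed at 10.0.0.5
        pkts.append((i / 5000, "flood", "10.0.0.5", "syn"))
    for i in range(20):    # 20 legitimate SYNs to the flooded server
        pkts.append((i / 20 + 0.013, "legit", "10.0.0.5", "syn"))
    for i in range(20):    # 20 legitimate SYNs to a quiet server
        pkts.append((i / 20 + 0.013, "legit", "10.0.0.6", "syn"))
    for i in range(50):    # 50 pings/s at the quiet server
        pkts.append((i / 50, "ping", "10.0.0.6", "icmp"))
    return pkts

if __name__ == "__main__":
    for key, (ok, dropped) in sorted(replay(constructed_trace()).items()):
        print(key, "accepted", ok, "dropped", dropped)
```

The quiet server keeps all of its connections, while almost every legitimate SYN to the flooded address is lost once the initial burst allowance is spent.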
The Astaro Security Gateway also includes optional e-mail and Web security modules which can scan e-mail and Web traffic for viruses and spam, block specific Web sites or whole categories (such as nudity or weapons) and block specific protocols such as eDonkey or AIM traffic. The appliance uses the commercially developed Authentium anti-virus engine (which will shortly be replaced by another commercial one from Avira), Commtouch anti-spam software, and the open-source ClamAV anti-virus engine as well.
Other open source software built in to the appliance includes:
- BIND (DNS-proxy)
- syslog-ng (syslog server)
- RRDtool (reporting)
- exim (mail transfer agent)
- OpenSSL (certificate PKI)
- frox (FTP proxy)
- PostgreSQL (database)
Astaro provides its own HTTP and POP proxies.
The thinking behind the Astaro gateway is simple: the power of multiple open-source security applications, in a convenient, professionally supported appliance which updates itself with new firmware and attack signatures automatically. “We started by addressing the needs of small and medium sized businesses which find it difficult to install and configure security devices,” says Gert Hansen, Astaro’s co-founder and CTO. “As it turned out we have found that many large enterprises also want a powerful device that is easy to configure.”
A typical customer is Underwriters Safety & Claims, a Kentucky-based insurance agency and service provider with about 300 servers and end users on its network and many customers visiting its web server. The company runs a combination of Windows, AIX, Solaris, Netware and Linux servers, with an Astaro appliance at the gateway. “We looked at building our own security system using open-source software, but what’s nice about the Astaro box is that it brings all the pieces we would have used together and integrates them,” says Grant Nickle, the company’s director of technology. “What we get with an appliance is ease of use, the functionality we wanted, and excellent reporting. And we don’t have to worry about updating individual applications: any time there is an update we just press a button and the Astaro box does it for us.”
To cater for companies of all sizes Astaro has a range of hardware available, from its smallest appliance which can handle up to ten users to the very largest which can cope with 2,000 users or more. Organizations with five or more appliances in any geographical location can manage them all centrally using Astaro’s free Command Center management software. This is also available to resellers who manage Astaro devices remotely for their clients.
Astaro also makes its Security Gateway available as a software-only product for organizations which want to run it on their own hardware. Currently about 30 percent of customers choose to install it in this way.
Pricing is split into a number of components: a one-off payment for the appliance (or software), a maintenance subscription which includes support, hardware replacement and updates, and separate subscriptions for Web security and mail security if use of those modules is required. (Astaro offers free licenses and subscriptions, including security updates, to non-commercial users including home users using the software appliance.)
The actual subscription amounts depend on the capacity of the appliance or the number of users connected to the software. As examples, for a mid-sized company (using the Astaro 320 appliance) this breaks down to:
- Appliance cost: $5,750
- Maintenance: $1,045 per year
- Optional Mail Security module: $1,895
- Optional Web security: $2,395
For a software-only appliance with 500 users this breaks down to:
- Base license: $5,995
- Maintenance: $1,494
- Optional Mail Security module: $5,045
- Optional Web security: $5,245
(The functionality of the mail security module only or the Web security module only is also available in two standalone appliances – Astaro’s Mail Gateway and Web Gateway.)
Astaro is not the only company making security appliances, nor is it the only one using open source software. But it’s certainly worth considering if you’re the one who gets lumbered with the dirty job of making sure your network is protected.