The AstroFlowGuard appliance is a combined bandwidth management system, a VPN gateway, an IDS, a firewall and a NAT device. Along with a nice reporting system, this package delivers an integrated and easy-to-manage interface with a good feature set. Being an appliance, as opposed to a software distribution, it can be less error-prone—for a cost.
These boxes have been shipping for several months now, and the company has several customers both large and small. This means the company has been improving its product and proving itself in trials and deployments. Offmyserver and NetSoft teamed up to bring this appliance to market, with NetSoft doing the software and Offmyserver bundling it with the hardware. Offmyserver isn't that new, either, as it is an employee buy-out of iXsystems, formerly BSDi. Because of this, there's experience and market understanding behind this product, and it shows.
The AstroFlowGuard system ships as an appliance, so you get a box, a few cables, a manual and the system. The hardware is based on a Pentium 4 processor and should fit nicely into a 19" rack. Be warned, though; it's got a noisy fan, comparable to a medium- or large-sized router or enterprise switch, so this isn't for an open equipment room.
Initially, you have two big options to configure the system. The first is to use the LCD front panel to configure basic services. Here you can configure the basic IP networking parameters (address, netmask and gateway) along with the enabling or disabling of services. You navigate with a small number of easy-to-use buttons, almost like a network printer. Alternatively, you can hook up a PS/2 keyboard and a VGA monitor and use a curses-based configuration menu. You get the same basic menu items with this option that you do with the LCD screen. There isn't a command-line option, but most of the reporting is done better in the GUI. I was surprised a serial console interface wasn't included.
Once you have the basics set up, you can begin the final setup stages using your Web browser. This process isn't as easy as it sounds. I couldn't get the system to respond to HTTPS until the firewall was disabled, but after that I didn't have much difficulty. The login and product navigation is straightforward, so you don't need to consult the manual much except for a few tasks.
Hardware-wise, the box for the AstroFlowGuard should be enough to manage anyone's network. The system comes with four to six 10/100bT interfaces, which should work for most networks. Gigabit Ethernet is not an option at this time. AstroFlowGuard also lets you break out a DMZ network and a management network, all on one device.
A likely scenario for deployment would be to rack the box and configure the management address for the system. Once that's done, you would log in to the UI and configure the networks for the system to route. There, you can begin setting up your network management and enforcing that policy through the VPN (for secure Internet endpoints), the firewall and the bandwidth monitor.
The traffic shaping module is one of the more novel features in this class of device. With it, you can set up per-host and per-service bandwidth caps, which can help make the best use of a small network pipe. For example, you can configure a 50% maximum for Web traffic with an optional 10%, if needed, for short bursts. If you find peer-to-peer communications are hogging bandwidth, you can shape that down as well. Finally, if downloads from the outside world are consuming bandwidth from a server you run, you can back that off too. The UI makes all of this management relatively easy, and the reporting interface helps you make those decisions quickly.
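The review does not say how the appliance implements its caps, but since the box runs Linux underneath, the same "50% for Web traffic, plus 10% for short bursts" policy can be expressed with the kernel's HTB qdisc. The following is an added illustration, not AstroFlowGuard's configuration; the interface name, link speed and port list are assumed values, and it prints the tc commands rather than running them unless you pipe them to a shell.

```shell
#!/bin/sh
# Added example (not AstroFlowGuard's own code): map a per-service cap to HTB.
#   rate  = the share a class is guaranteed
#   ceil  = the most it may borrow when the link is otherwise idle
# Web traffic gets rate = web_pct% and ceil = (web_pct + burst_pct)% of the link;
# everything else gets the remainder as its rate and may borrow up to full link.

htb_web_policy_cmds() {
    dev="$1"        # egress interface to shape, e.g. eth0 (assumed)
    link_kbit="$2"  # link capacity in kbit/s, e.g. 2048 (assumed)
    web_pct="$3"    # ceiling share for web traffic under load, e.g. 50
    burst_pct="$4"  # extra share allowed for short bursts, e.g. 10

    web_kbit=$(( link_kbit * web_pct / 100 ))
    ceil_kbit=$(( link_kbit * (web_pct + burst_pct) / 100 ))
    rest_kbit=$(( link_kbit - web_kbit ))

    # Start from a clean root; the "|| true" keeps this harmless on first run.
    echo "tc qdisc del dev $dev root 2>/dev/null || true"
    echo "tc qdisc add dev $dev root handle 1: htb default 20"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate ${link_kbit}kbit"
    # Web class: guaranteed share plus burst headroom.
    echo "tc class add dev $dev parent 1:1 classid 1:10 htb rate ${web_kbit}kbit ceil ${ceil_kbit}kbit"
    # Default class: the rest of the link, allowed to borrow unused web share.
    echo "tc class add dev $dev parent 1:1 classid 1:20 htb rate ${rest_kbit}kbit ceil ${link_kbit}kbit"
    # Classify TCP with destination port 80 or 443 into the web class. This
    # matches client requests leaving toward the Internet; to cap the replies
    # on the LAN-facing interface you would match "sport" instead.
    for port in 80 443; do
        echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip dport $port 0xffff flowid 1:10"
    done
}

# Apply the policy for real (requires root): htb_web_policy_cmds eth0 2048 50 10 | sh
apply_htb_web_policy() {
    htb_web_policy_cmds "$@" | sh
}
```

Run `htb_web_policy_cmds eth0 2048 50 10` to review the generated commands before applying them with `apply_htb_web_policy`.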
Under the hood is a Linux system, modified to boot without much issue or interaction, and various applications for network monitoring. These components include iptraf, rrdtool and Apache. This list probably gives the impression that you could build something like this for your own network, given an engineer or two for a few weeks. You probably could, but maintenance would be a consideration in this scenario.
Maintenance, then, is probably the biggest selling point for this product—AstroFlowGuard fares very well in the build vs. buy comparison. Although it's based on open and available components, it would take some effort to build a system like this and work out the kinks, keeping it usable for a staff of administrators. Because of this, what at first appears to be free quickly consumes a lot of money and time.
AstroFlowGuard goes well beyond this point, however. By being an appliance through and through, it's a simple matter of loading the box in a rack and maintaining it from there. Even upgrades are painless. You simply select the upgrade option from the menu, it tells you what changed and you go to it—painless, and the upgrade to 1.002 happened without a hitch.
The price of AstroFlowGuard, under $6,500 US, puts it well below its competition. For a bandwidth appliance, you could use a Packeteer or similar product; there are various (and expensive) traffic monitors. VPN appliances also can be quite expensive. Firewalls have been known to be expensive at times, too, and finally, an IDS appliance typically costs this much without the other features. Although the price may seem a bit steep, for that amount of money you'd have difficulty finding an appliance that does one or two of these tasks.
One of those features typically found only in expensive commercial firewalls is the support for failover. Parallel AstroFlowGuard devices can communicate and detect when the other one has failed and begin routing around it. This is a very useful feature for networks that require high availability.
Overall, the feature list of the AstroFlowGuard makes sense as a network edge device. Most people deploy their IDS functionality here, and the other modules (bandwidth shaping and monitoring, VPN tunneling and firewalling) all make sense in a policy management device. This single box can meet the needs of various small- and medium-sized business networks in a single relatively easy-to-use package.
As of version 1.002, the on-line help for the product is solid and easy to navigate. It's task-based, as opposed to feature-based, so it's easy to use when you're actively trying to set up a new management rule.