Migrating to Astaro Security Linux

Fed up with expensive, complicated firewalls, e-gaming company opts for open-source security solution.

Micah Lloyd, a senior systems administrator for eBet Ltd., knew that he needed to upgrade the security for eBet's distributed network. The company had been using Check Point 4.0 as a perimeter firewall solution for its five offices. The problem was, though, that upgrading to the latest version of Check Point would be a costly and time-consuming proposition. Not only would eBet need to pay for and manually install new software, but the underlying hardware also would need to be updated, further adding to the overall cost and complexity of the upgrade.

Headquartered in Australia and with operations and contractual arrangements in New Zealand, Singapore, Greece, the Philippines and the USA, eBet is a public company listed on the Australian and New Zealand Stock Exchanges (ASX/NZSE: EBT). The company is divided into a Gaming Systems Division and an Online Division. The Gaming Systems Division develops and markets a range of networked solutions for gaming machines. The Online Division develops and operates turnkey Internet-based wagering systems for licensed gaming operators in international markets. eBet operates Internet systems for the New Zealand TAB, Penn National Gaming and Playboy.com.

Micah Lloyd was hired by eBet to administer and upgrade the network serving eBet's two divisions. "When I came on board, it was immediately obvious that our security system was out of date, and it threatened to impact our business." Lloyd initially explored simply updating to the latest Check Point offering. He noticed several potential problems, however, such as high cost, lack of redundancy and a complicated upgrade process.

"To upgrade our remote firewalls, we had to rely on a central management console in our Australia office and local staff at each of the remote offices had to be present to manually complete the upgrades." Lloyd said that with as much as a 17-hour time difference between offices, simply coordinating updates was a problem. Staff at some of the offices would be forced to show up in the middle of the night. To make matters worse, each eBet office has a different mission: the ones that serve as gaming portals do so for different regions, while the Carlsbad office acts as a software development facility in addition to providing systems management. This meant that each firewall conceivably would need a different set of rules, which further complicated matters.

Facing a time-consuming and expensive upgrade process, Lloyd found an ideal solution: he turned to an all-in-one security product. Lloyd set up his own network at home where he downloaded a free 30-day trial of Astaro Security Linux. "To meet my own firewall requirements for my Linux- and Windows-based network, I investigated several open-source solutions. I looked at SmoothWall, IPCop and Astaro, among others, and as I investigated the features offered by each, I found that with Astaro I could turn an inexpensive server into an all-purpose security appliance", he said.

Lloyd also noted a key gap in the other open-source offerings: the lack of NAT support. "Without NAT, the other solutions may work for a single home or small office deployment, but they're inappropriate for a large network with a number of devices behind the firewall." Lloyd says that he further was won over by the fact that Astaro offers a simplified, standardized installation process, as well as providing several security features, including a firewall, packet inspection and antivirus protection, all in a single software product.

"After I had Astaro Security Linux up and running at home, I tried to link up with eBet's Carlsbad office in order to remotely manage that network", Lloyd said. It turns out that Astaro blocked this communication because the VPN he was trying to use was a relatively weak 40-bit DES VPN provided by the Check Point system. "In other words, Astaro protects you from yourself." At that point, he recommended to his company that they replace all of their existing firewalls with Astaro Security Linux.

Astaro Security Linux is a perimeter security solution that combines firewalling via stateful packet inspection filters, virtual private network (VPN - IPSec/PPTP) support, anti-spam and anti-virus protection, content filtering, URL blocking, application-level proxies, load balancing, QoS and user authentication. A global database of 20 million entries based on the analyzed content of 2 billion HTML pages is used to support URL blocking. Automated updates and remote administration are performed securely over the Web.

With help from Astaro's technical support team, Lloyd was able to migrate up from a weak 40-bit DES VPN to a robust 128-bit IPSec VPN. Astaro's team worked with Lloyd to get the VPN up and running, allowing him to securely administer the eBet network from home or even from his hotel while he's on vacation.

"Working with Astaro is much different than working with one of the large software vendors," Lloyd said. He noted that when eBet tried to move certain software licenses from another vendor to a new office, the company had to engage consultants from the vendor, which turned into a long, costly process that forced eBet to take one location off-line for an entire day. "With Astaro, I simply have a license for a certain number of IP addresses. If my office moves or my network changes, I simply update the IP address list. That's it."

In addition to features such as a firewall and VPN support, a software security appliance needs to be reliable, manageable and current. If the appliance server hardware fails, Lloyd says he can install the Astaro software on a different server or even a Linux-based PC within 20 minutes. Because Astaro software contains its own IP address, it functions as a self-contained entity capable of automatically making its own updates, such as patches and new virus signatures, saving Lloyd the hassle of manually collecting and pushing out all of these updates to each of the five locations.

In addition to managing eBet's network and developing gaming systems, eBet's development and administration office also does outside system integration work for companies without their own in-house networking expertise. "After I sold my company on Astaro, I found myself bundling it with the systems we were designing for our customers", Lloyd said. eBet's customers knew they needed firewalls, but most also requested something to help them block spam and filter out unwanted Web content, both of which are available with Astaro. "Astaro provided me with all of my security needs in one package, at a fraction of the cost of other solutions", Lloyd continued. "And when you add to that the fact that it is simple to install and easy to manage, while also keeping itself up-to-date, Astaro is a compelling alternative to the other security offerings on the market."

Victor Cruz is a consultant and writer living in Boston who has published articles in American Venture, Boston Business Journal, Harvard Review and Wireless Business & Technology. Write him at vcruz1@comcast.net.

______________________

Comments

Astaro spam filter

Anonymous's picture

Speaking as someone that has 5 Astaro boxes, I like the firewall but the spam filter is the worst I have ever used.
I want to go back to my Barracuda spam filter. The Astaro misses a LOT of spam!!!!!
That wouldn't be so bad if they gave you an easy way to blacklist domains, email addresses or IP addresses and/or subnets but they don't.

Save yourself some major headaches and avoid Astaro spam filter.

this shit is gay and i hate

Anonymous's picture

this shit is gay and i hate astaro

me too.

Anonymous's picture

me too.

problem that I am having with the astaro system

Dylan's picture

OK, my name is Dylan and I am having a big problem with the Astaro Security system. I have been trying to figure out a way to get through the security system because I'm trying to see if I could do it, but I'm in a little bit of trouble because I don't know how to get through it and I was wondering if anyone knew anything that I could do to get around the Astaro system?
e-mail about the info
at
118526@carthage.k12.mo.us

I'll bet if you spent as much

Anonymous's picture

I'll bet if you spent as much time on your school work and less time messing around, you would have better grades.

Re: Migrating to Astaro Security Linux

Anonymous's picture

LJ writers must be on vacation this month for the Holidays because this is another terrible article. It doesn't even list the URL for the distribution that it's trying to sell.

Re: Migrating to Astaro Security Linux

Anonymous's picture

All I can say is...This is a LAME article and an ad for Astaro.

Since the company is based in Australia (where I live as well), why not consider www.snapgear.com

This is HQ'ed in Australia. (Oh gee, how convenient!)

Yes, they were acquired by CyberGuard (large USA company), but CyberGuard is using Snapgear as a supplement to cover market areas that it couldn't.

Snapgear uses an Embedded Linux distro...What's good about it? Well, the same OS used in their routers is FREE to download!

Re: Migrating to Astaro Security Linux

Anonymous's picture

I'm a systems administrator at a construction company in York, PA. We added Astaro as a separate firewall. We used it to replace Computer Associates Inoculate IT anti virus software on my exchange server. It was outdated and we had to make a decision to either upgrade it or do something else. The guy at the time with the network recommended Astaro. He said he saw it somewhere so we gave it a try, I think it had a 30 free trial service or something like that. It impressed us so much we decided to buy it. So far it has worked great repelling viruses and since we haven't been "hacked" into, I can only assume this too is working.

They do make a good firewall

Anonymous's picture

They do make a good firewall but their spam filter is terrible.

Re: Migrating to Astaro Security Linux

Anonymous's picture

Check Point is complicated and expensive. Astaro is low-cost and effective. End of story. One product replaced another. Period. This is not a technical review. For a full in-depth review of Astaro, refer to July's issue:
http://www.linuxjournal.com/article.php?sid=6716

Re: Migrating to Astaro Security Linux

dijit's picture

I agree that it is a horrible article. I found it incorrect in a number of places and in others it didn't make any sense. Since this talks about Astaro versus Check Point, I'll cite 10 quick examples where it belittles Check Point incorrectly:

--------------

1. The article stated that the upgrades of Check Point required people in all their offices, but what did they do for putting the new systems in? Surely they didn't install themselves.

2. The article stated that the cost and complexity of the upgrade was a factor. Moving from 4.0 to the latest version of Check Point, NG, it would probably be easiest to just recreate the policies on a separate management station--it's their fault for getting this far out of date (measured in years) and they'd have to recreate things for the new solution anyways. As for cost, did they contact Check Point? They're quite flexible and from looking at the pricing of the two solutions, it would have been more than competitive.

3. As for redundancy, there is built-in redundancy for site-to-site and client-to-site VPN tunnels, management, logging, and gateways in Check Point. Where's the redundancy "limitation"?

4. Stating that different rules for different firewalls is a "complication" is also deceptive. Check Point handles this very handily which is why so many enterprises are able to use it.

5. With regard to NAT support, almost everything on the face of the planet does NAT--the $80 wireless router I have here at my house does it. The other solutions he mentions also do NAT, which shows how poorly he reviewed the other solutions as well.

6. The 40-bit VPN he was using was his fault, 4.0 included support for strong encryption (3DES) using IPSec so he was probably using FWZ, didn't check the 3DES box, or he did not have a license for strong encryption. At the time 4.0 was released, IKE and AES weren't even standards, so of course it didn't support them. The Astaro device wasn't protecting him from himself, it simply didn't allow anything lower than 3DES in the GUI, which presents a serious problem with creating tunnels to devices in specific countries which are not able to use strong encryption.

7. "Automated Updates" is also misleading. It either happens from an administrator going directly to each device to do the update (time consuming) or they are automatically pulled from the internet and not controlled by the administrator. In which case, when the device pulls something down from the internet and it breaks functionality, an administrator must go to each device to fix it. This is why centralized management is important. Unfortunately, Astaro does not provide it. This is probably because there's not a free utility out there that does it.

8. Licensing is no longer the way he mentions it and hasn't been for years. Check Point has removed the necessity to tie a license to an IP address on the firewall. This is called "Centralized Licensing" and all changes can be done via the web.

9. The ability to have a system running on a linux-based PC within 20 minutes isn't extraordinary. You must still spend time configuring the box all over again including rules, IPSec information and if you didn't have a backup file, you'll have to configure the VPNs on all the devices it is encrypting to using certificates. With Check Point's SecurePlatform (also a bootable, Linux-based installation) you can have a device up and running in under 10 minutes and with centralized management, you already have the configuration stored, so you just establish a trust between the device and the management station, push a policy, and it's done.

10. None of these changes are new to Check Point. Everything I mention has been around for over a year and if he actually did his homework he would have known this. And if he did his homework, I think it is likely that the outcome of his decisions would have been different--especially with other capabilities like being able to do user-based QoS, QoS inside the VPN, see logs in a useful manner (rather than just having them spew out into a window), do proactive attack detection and blocking with what Check Point calls "SmartDefense", etc.

------

Overall, he chose something he was comfortable with for home use and adapted it for the company he was working for instead of something that actually provided the security companies require. Most of the stuff he states here are simply rationalizations. He'll find this out the next time MSBlaster or SQL Slammer comes out and the response to the attack is "use packet filter to close the port". Hope you don't need to print, share files, or have your web server use that SQL server!

I really believe that he made a poor decision and put the company at risk. He has single-handedly placed the security of the eBet company in the hands of a small 40 person startup where it was on a platform which had over 300 developers alone to ensure the security of the software and local representatives all around the world. The article didn't mention support, which he will have to go through a local reseller to get, and if he wants support from Astaro directly, he will have to use the Bulletin Board. This entire article was self-serving for him and Astaro. I'm not surprised I saw part of it on the Astaro bulletin board.

Disclaimer: I know both Astaro and Check Point well and I think both are nice solutions with their places. Astaro works adequately for small companies or single firewall installations. However, a correctly architectured solution from Check Point would have been more manageable and probably not too much more expensive. The reason I put all this here is because it hurts the linux community when biased or untrue allegations are purported as "fact" because all the positives will get written off quickly when the incorrect pieces are brought to light.

Re: Migrating to Astaro Security Linux

Anonymous's picture

Was running a PIX firewall and had constant attempts to break in some of the better explorers actually got by the PIX. So I called up a local distributor in NYC, Systems Solutions nice group of people that are very knowledgeable and don

Re: Migrating to Astaro Security Linux

Anonymous's picture

How can it be doing NAT _with_ VPN? For NAT the source/destination addresses are rewritten which will screw up the checksum for the Authentication Header used by the VPN -- so you get a choice of _either_ VPN _or_ NAT.

This review should have had more technical detail. The assertion that the firewalls presented by SmoothWall or IPCop don't do NAT is ridiculous.
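Added example (not part of the comment above or the original article): a simplified Python model of why rewriting the source address invalidates an Authentication Header integrity check, while an ESP integrity check, which does not cover the outer IP header, still verifies. The key, addresses, payloads and function names are constructed for illustration, and the packet layout is a teaching model, not a wire-accurate IPsec implementation.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed sample key (assumption)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header; checksum is left at 0 in this model."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def zero_mutable(header):
    """Zero the fields AH treats as mutable in transit."""
    h = bytearray(header)
    h[1] = 0                 # TOS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def icv(data):
    """Integrity check value: HMAC-SHA-256 truncated to 128 bits."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]


def ah_icv(header, payload):
    # AH covers the IP header's immutable fields (addresses included) and the payload.
    return icv(zero_mutable(header) + payload)


def forward(header, new_src=None):
    """Model a hop: decrement TTL; a source-NAT hop also rewrites the source address."""
    h = bytearray(header)
    h[8] -= 1
    if new_src is not None:
        h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)


def run_demo():
    payload = b"constructed payload"
    # AH-protected packet (IP protocol 51) leaving a private address.
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", 51, len(payload))
    sent = ah_icv(hdr, payload)
    routed = forward(hdr)                        # plain router, no NAT
    natted = forward(hdr, new_src="198.51.100.7")  # source NAT

    # ESP packet (IP protocol 50): the ICV covers SPI, sequence number and
    # ciphertext only, so the outer header can change without breaking it.
    esp = struct.pack("!II", 0x1000, 1) + b"constructed ciphertext"
    esp_sent = icv(esp)
    esp_hdr = forward(ipv4_header("192.168.1.10", "203.0.113.5", 50, len(esp)),
                      new_src="198.51.100.7")

    return {
        "ah_after_routing": hmac.compare_digest(sent, ah_icv(routed, payload)),
        "ah_after_nat": hmac.compare_digest(sent, ah_icv(natted, payload)),
        "esp_after_nat": len(esp_hdr) == 20
        and hmac.compare_digest(esp_sent, icv(esp)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The model covers only the integrity check; ESP has no port numbers, so crossing a port-translating NAT additionally requires UDP encapsulation (NAT traversal), which is not modelled here.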

Re: Migrating to Astaro Security Linux

Anonymous's picture

it supports nat?

woop de doo, we've got a feature here! a key differentiation! I'm going to upgrade NOW - NAT is a must have feature, a real killer app for Astaro Security Linux. Also the informed technical advice in this article swayed me, so knowledgeable!

jokes aside - Astaro actually looks interesting, but where does he get the lack of NAT support, I can't think of anything that doesn't have nat support - every snapgear, dsl modem freesco or coyote linux firewall on a floppy has nat, doesn't windows 98 with internet connection sharing support nat??

Re: Migrating to Astaro Security Linux

Anonymous's picture

heck - even the phone boxes that come with vonage do NAT.

Re: Migrating to Astaro Security Linux

Anonymous's picture

No, the article was not good! It is clearly an advert not an article and includes lots of incorrect information. For example both SmoothWall and IPCop support NAT. Pretty much all the 'advantages' stated are actually advantages of SmoothWall. The *only* thing missing from SmoothWall that the article is singularly correct about is that it does not have AV. But a disadvantage of Astaro is they licence by IP address - with Smoothwall there is no need to even enter the IPs - it works with any number from home user to enterprise.

Altogether an awful and inaccurate article.

Not terribly inaccurate, but incomplete

Anonymous's picture

Yes, the other iptables/ipchains based firewalls all have NAT. Smoothwall even has a fairly nice interface to it, slightly clumsy for large entities but large shops can SSH into the box itself and use gawk to build the configuration files instead of the GUI. But this is a "glossy", high-level overview, and very incomplete in its listing of the features of any of these softwares. As you say, it's mostly an advert for Astaro - "Our expert liked it, and used it successfully" - and not a comparison of linux firewall appliances. It doesn't seem to be trying to pretend otherwise.

Re: Not terribly inaccurate, but incomplete

dijit's picture

"Smoothwall even has a fairly nice interface to it, slightly clumsy for large entities but large shops can SSH into the box itself and use gawk to build the configuration files instead of the GUI."

Isn't the point of having a Web-based user-interface that the end user will not have to use the command line and use utilities like gawk? For large entities, centralized management could simplify this significantly.

// dijit

Re: Migrating to Astaro Security Linux

Anonymous's picture

"Altogether an awful and inaccurate article."

True, no mention about a good option supported in Astaro, HA/Load-Balancing :-).

Re: Migrating to Astaro Security Linux

Anonymous's picture

Agreed.... Smoothwall is a great product. However, I think Astaro is much more feature rich and provides an easier interface than Smoothwall. It is well defined and does what it is supposed to do, very well. Although...Smoothwall doesn't have the hardware requirements of Astaro so you can run it on much lesser hardware.

I would tend to think of Smoothwall being good for a small to medium corporation while Astaro fits the bill for the Enterprise.

my $.02..

- jmb -

Re: Migrating to Astaro Security Linux

dijit's picture

Fits the bill for the Enterprise? How do you define Enterprise?

I'd find it a nightmare to manage 200 of these compared to managing 200 devices with Check Point's management capabilities...

// dijit

Re: Migrating to Astaro Security Linux

Anonymous's picture

article was good!
a more comparative study would have made it better.
Anyways..it's good!

Re: Migrating to Astaro Security Linux

Anonymous's picture

Astaro also has:

advanced scan detection (Xmas, etc.) LOG, DROP
iptables-based with a good web interface (mod_ssl)(httpd)
DHCP server onboard
support for Wifi segment
support for CSU/DSU cards
support for xDSL modem cards
auto-update
a very good user-based support group (on the astaro site)
every service is Chrooted from each other

can auto-email / auto-page[r] on certain events

need more?

Astaro disaster

Anonymous's picture

Yes - I need reliability.

We've had problems with our Astaro installation for the last 6+ months - there's a kernel bug which they acknowledge but seem to be unable to fix. The firewalls crash quite regularly, once in every couple of weeks.

The biggest joke is that we're running a HA installation which in theory should mitigate the problem but in fact the firewalls need rebooting with the power button.

The support has very poor language skills (at least their written English is terrible) and I don't consider it to be professional either.

I would not recommend Astaro to anyone. It may be good for home users but forget them in a corporate environment.
