Migrating to Astaro Security Linux

LJ writers must be on vacation this month for the Holidays because this is another terrible article. It doesn't even list the URL for the distribution that it's trying to sell.

I'm a systems administrator at a construction company in York, PA. We added Astaro as a separate firewall. We used it to replace Computer Associates Inoculate IT anti virus software on my exchange server. It was out dated and we had to make a decision to either upgrade it or do something else. The guy at the time with the network recommended Astaro. He said he saw it somewhere so we gave it a try, I think it had a 30 free trial service or something like that. It impressed us so much we decided to buy it. So far it has worked great repelling viruses and since we haven't been "hacked" into, I can only assume this too is working.

I agree that it is a horrible article. I found it incorrect in a number of places and in others it didn't make any sense. Since this talks about Astaro versus Check Point, I'll cite 10 quick examples where it belittles Check Point incorrectly:

--------------

1. The article stated that the upgrades of Check Point required people in all their offices, but what did they do for putting the new systems in? Surely they didn't install themselves.

2. The article stated that the cost and complexity of the upgrade was a factor. Moving from 4.0 to the latest version of Check Point, NG, it would probably be easiest to just recreate the policies on a separate management station--it's their fault for getting this far out of date (measured in years) and they'd have to recreate things for the new solution anyways. As for cost, did they contact Check Point? They're quite flexible and from looking at the pricing of the two solutions, it would have been more than competitive.

3. As for redundancy, there is built-in redundancy for site-to-site and client-to-site VPN tunnels, management, logging, and gateways in Check Point. Where's the redundancy "limitation"?

4. Stating that different rules for different firewalls is a "complication" is also deceptive. Check Point handles this very handily which is why so many enterprises are able to use it.

5. With regard to NAT support, almost everything on the face of the planet does NAT--the $80 wireless router I have here at my house does it. The other solutions he mentions also do NAT, which shows how poorly he reviewed the other solutions as well.

6. The 40-bit VPN he was using was his fault, 4.0 included support for strong encryption (3DES) using IPSec so he was probably using FWZ, didn't check the 3DES box, or he did not have a license for strong encryption. At the time 4.0 was released, IKE and AES weren't even standards, so of course it didn't support them. The Astaro device wasn't protecting him from himself, it simply didn't allow anything lower than 3DES in the GUI, which presents a serious problem with creating tunnels to devices in specific countries which are not able to use strong encryption.

7. "Automated Updates" is also misleading. It either happens from an administrator going directly to each device to do the update (time consuming) or they are automatically pulled from the internet and not controlled by the administrator. In which case, when the device pulls something down from the internet and it breaks functionality, an administrator must go to each device to fix it. This is why centralized management is important. Unfortunately, Astaro does not provide it. This is probably because there's not a free utility out there that does it.

8. Licensing is no longer the way he mentions it and hasn't been for years. Check Point has removed the necessity to tie a license to an IP address on the firewall. This is called "Centralized Licensing" and all changes can be done via the web.

9. The ability to have a system running on a linux-based PC within 20 minutes isn't extraordinary. You must still spend time configuring the box all over again including rules, IPSec information and if you didn't have a backup file, you'll have to configure the VPNs on all the devices it is encrypting to using certificates. With Check Point's SecurePlatform (also a bootable, Linux-based installation) you can have a device up and running in under 10 minutes and with centralized management, you already have the configuration stored, so you just establish a trust between the device and the management station, push a policy, and it's done.

10. None of these changes are new to Check Point. Everything I mention has been around for over a year and if he actually did his homework he would have known this. And if he did his homework, I think it is likely that the outcome of his decisions would have been different--especially with other capabilities like being able to do user-based QoS, QoS inside the VPN, see logs in a useful manner (rather than just having them spew out into a window), do proactive attack detection and blocking with what Check Point calls "SmartDefense", etc.

------

Overall, he chose something he was comfortable with for home use and adapted it for the company he was working for instead of something that actually provided the security companies require. Most of the stuff he states here are simply rationalizations. He'll find this out the next time MSBlaster or SQL Slammer comes out and the response to the attack is "use packet filter to close the port". Hope you don't need to print, share files, or have your web server use that SQL server!

I really believe that he made a poor decision and put the company at risk. He has single-handedly placed the security of the eBet company in the hands of a small 40 person startup where it was on a platform which had over 300 developers alone to ensure the security of the software and local representatives all around the world. The article didn't mention support, which he will have to go through a local reseller to get, and if he wants support from Astaro directly, he will have to use the Bulletin Board. This entire article was self-serving for him and Astaro. I'm not surprised I saw part of it on the Astaro bulletin board.

Disclaimer: I know both Astaro and Check Point well and I think both are nice solutions with their places. Astaro works adequately for small companies or single firewall installations. However, a correctly architectured solution from Check Point would have been more managable and probably not too much more expensive. The reason I put all this here is because it hurts the linux community when biased or untrue allegations are purported as "fact" because all the postitives will get written off quickly when the incorrect pieces are brought to light.

How can it be doing NAT _with_ VPN? For NAT the source/destination addresses are rewritten which will screw up the checksum for the Authentication Header used by the VPN -- so you get a choice of _either_ VPN _or_ NAT.

This review should have had more technical detail. The assertion that the firewalls presented by SmoothWall or IPCop don't do NAT is ridiculuous.