Migrating to Astaro Security Linux

Fed up with expensive, complicated firewalls, e-gaming company opts for open-source security solution.

Comments


Astaro spam filter

Anonymous's picture

Speaking as someone that has 5 Astaro boxes, I like the firewall but the spam filter is the worst I have ever used.
I want to go back to my Barracuda spam filter. The Astaro misses a LOT of spam!!!!!
That wouldn't be so bad if they gave you an easy way to blacklist domains, email addresses or IP addresses and/or subnets, but they don't.

Save yourself some major headaches and avoid the Astaro spam filter.

this shit is gay and i hate

Anonymous's picture

this shit is gay and i hate astaro

me too.

Anonymous's picture

me too.

problem that I am having with the astaro system

Dylan's picture

OK, my name is Dylan and I am having a big problem with the Astaro Security system. I have been trying to figure out a way to get through the security system because I'm trying to see if I could do it, but I'm in a little bit of trouble because I don't know how to get through it, and I was wondering if anyone knew anything that I could do to get around the Astaro system?
E-mail about the info at 118526@carthage.k12.mo.us

I'll bet if you spent as much

Anonymous's picture

I'll bet if you spent as much time on your school work and less time messing around, you would have better grades.

Re: Migrating to Astaro Security Linux

Anonymous's picture

LJ writers must be on vacation this month for the Holidays because this is another terrible article. It doesn't even list the URL for the distribution that it's trying to sell.

Re: Migrating to Astaro Security Linux

Anonymous's picture

All I can say is...This is a LAME article and an ad for Astaro.

Since the company is based in Australia (where I live as well), why not consider www.snapgear.com

This is HQ'ed in Australia. (Oh gee, how convenient!)

Yes, they were acquired by CyberGuard (large USA company), but CyberGuard is using Snapgear as a supplement to cover market areas that it couldn't.

Snapgear uses an Embedded Linux distro...What's good about it? Well, the same OS used in their routers is FREE to download!

Re: Migrating to Astaro Security Linux

Anonymous's picture

I'm a systems administrator at a construction company in York, PA. We added Astaro as a separate firewall. We used it to replace Computer Associates Inoculate IT anti virus software on my Exchange server. It was outdated and we had to make a decision to either upgrade it or do something else. The guy at the time with the network recommended Astaro. He said he saw it somewhere so we gave it a try, I think it had a 30 free trial service or something like that. It impressed us so much we decided to buy it. So far it has worked great repelling viruses and since we haven't been "hacked" into, I can only assume this too is working.

They do make a good firewall

Anonymous's picture

They do make a good firewall but their spam filter is terrible.

Re: Migrating to Astaro Security Linux

Anonymous's picture

Check Point is complicated and expensive. Astaro is low-cost and effective. End of story. One product replaced another. Period. This is not a technical review. For a full in-depth review of Astaro, refer to July's issue:
http://www.linuxjournal.com/article.php?sid=6716

Re: Migrating to Astaro Security Linux

dijit's picture

I agree that it is a horrible article. I found it incorrect in a number of places and in others it didn't make any sense. Since this talks about Astaro versus Check Point, I'll cite 10 quick examples where it belittles Check Point incorrectly:

--------------

1. The article stated that the upgrades of Check Point required people in all their offices, but what did they do for putting the new systems in? Surely they didn't install themselves.

2. The article stated that the cost and complexity of the upgrade was a factor. Moving from 4.0 to the latest version of Check Point, NG, it would probably be easiest to just recreate the policies on a separate management station--it's their fault for getting this far out of date (measured in years) and they'd have to recreate things for the new solution anyways. As for cost, did they contact Check Point? They're quite flexible and from looking at the pricing of the two solutions, it would have been more than competitive.

3. As for redundancy, there is built-in redundancy for site-to-site and client-to-site VPN tunnels, management, logging, and gateways in Check Point. Where's the redundancy "limitation"?

4. Stating that different rules for different firewalls is a "complication" is also deceptive. Check Point handles this very handily which is why so many enterprises are able to use it.

5. With regard to NAT support, almost everything on the face of the planet does NAT--the $80 wireless router I have here at my house does it. The other solutions he mentions also do NAT, which shows how poorly he reviewed the other solutions as well.

6. The 40-bit VPN he was using was his fault, 4.0 included support for strong encryption (3DES) using IPSec so he was probably using FWZ, didn't check the 3DES box, or he did not have a license for strong encryption. At the time 4.0 was released, IKE and AES weren't even standards, so of course it didn't support them. The Astaro device wasn't protecting him from himself, it simply didn't allow anything lower than 3DES in the GUI, which presents a serious problem with creating tunnels to devices in specific countries which are not able to use strong encryption.

7. "Automated Updates" is also misleading. It either happens from an administrator going directly to each device to do the update (time consuming) or they are automatically pulled from the internet and not controlled by the administrator. In which case, when the device pulls something down from the internet and it breaks functionality, an administrator must go to each device to fix it. This is why centralized management is important. Unfortunately, Astaro does not provide it. This is probably because there's not a free utility out there that does it.

8. Licensing is no longer the way he mentions it and hasn't been for years. Check Point has removed the necessity to tie a license to an IP address on the firewall. This is called "Centralized Licensing" and all changes can be done via the web.

9. The ability to have a system running on a linux-based PC within 20 minutes isn't extraordinary. You must still spend time configuring the box all over again including rules, IPSec information and if you didn't have a backup file, you'll have to configure the VPNs on all the devices it is encrypting to using certificates. With Check Point's SecurePlatform (also a bootable, Linux-based installation) you can have a device up and running in under 10 minutes and with centralized management, you already have the configuration stored, so you just establish a trust between the device and the management station, push a policy, and it's done.

10. None of these changes are new to Check Point. Everything I mention has been around for over a year and if he actually did his homework he would have known this. And if he did his homework, I think it is likely that the outcome of his decisions would have been different--especially with other capabilities like being able to do user-based QoS, QoS inside the VPN, see logs in a useful manner (rather than just having them spew out into a window), do proactive attack detection and blocking with what Check Point calls "SmartDefense", etc.

------

Overall, he chose something he was comfortable with for home use and adapted it for the company he was working for instead of something that actually provided the security companies require. Most of the stuff he states here are simply rationalizations. He'll find this out the next time MSBlaster or SQL Slammer comes out and the response to the attack is "use packet filter to close the port". Hope you don't need to print, share files, or have your web server use that SQL server!

I really believe that he made a poor decision and put the company at risk. He has single-handedly placed the security of the eBet company in the hands of a small 40 person startup where it was on a platform which had over 300 developers alone to ensure the security of the software and local representatives all around the world. The article didn't mention support, which he will have to go through a local reseller to get, and if he wants support from Astaro directly, he will have to use the Bulletin Board. This entire article was self-serving for him and Astaro. I'm not surprised I saw part of it on the Astaro bulletin board.

Disclaimer: I know both Astaro and Check Point well and I think both are nice solutions with their places. Astaro works adequately for small companies or single firewall installations. However, a correctly architectured solution from Check Point would have been more manageable and probably not too much more expensive. The reason I put all this here is because it hurts the Linux community when biased or untrue allegations are purported as "fact" because all the positives will get written off quickly when the incorrect pieces are brought to light.

Re: Migrating to Astaro Security Linux

Anonymous's picture

Was running a PIX firewall and had constant attempts to break in; some of the better explorers actually got by the PIX. So I called up a local distributor in NYC, Systems Solutions, a nice group of people that are very knowledgeable and don

Re: Migrating to Astaro Security Linux

Anonymous's picture

How can it be doing NAT _with_ VPN? For NAT the source/destination addresses are rewritten which will screw up the checksum for the Authentication Header used by the VPN -- so you get a choice of _either_ VPN _or_ NAT.

This review should have had more technical detail. The assertion that the firewalls presented by SmoothWall or IPCop don't do NAT is ridiculous.
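
A simplified model of the mechanism raised in the comment above, as an added example that is not part of the original thread: the AH integrity value covers the IP source and destination addresses, so a NAT rewrite invalidates it, while an ESP integrity value does not cover the outer IP header. The key, addresses and packet contents are constructed, and the AH header's own fields are left out of the hash for brevity.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample key (assumption)

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header; checksum left at 0 in this simplified model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(header):
    """Zero the fields AH treats as mutable in transit (RFC 4302)."""
    h = bytearray(header)
    h[1] = 0                  # TOS / DSCP
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def ah_icv(header, payload):
    """AH-style ICV: covers the immutable IP header fields, addresses included."""
    return hmac.new(KEY, zero_mutable(header) + payload, hashlib.sha256).digest()[:16]

def esp_icv(esp_packet):
    """ESP-style ICV: covers ESP header and payload only, so outer-header NAT edits are not seen."""
    return hmac.new(KEY, esp_packet, hashlib.sha256).digest()[:16]

def source_nat(header, new_src):
    """What a source-NAT device does: replace bytes 12-15, the source address."""
    h = bytearray(header)
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)

def demo():
    payload = b"constructed application data"
    esp_packet = struct.pack("!II", 0x1001, 1) + payload   # SPI, sequence, payload
    ah_hdr = ipv4_header("192.168.1.10", "203.0.113.5", 51, len(payload))  # 51 = AH
    sent_ah, sent_esp = ah_icv(ah_hdr, payload), esp_icv(esp_packet)
    routed = ipv4_header("192.168.1.10", "203.0.113.5", 51, len(payload), ttl=63)
    natted = source_nat(ah_hdr, "198.51.100.7")
    return {
        "ah_ok_after_ttl_decrement": hmac.compare_digest(sent_ah, ah_icv(routed, payload)),
        "ah_ok_after_nat": hmac.compare_digest(sent_ah, ah_icv(natted, payload)),
        "esp_ok_after_nat": hmac.compare_digest(sent_esp, esp_icv(esp_packet)),
    }

if __name__ == "__main__":
    print(demo())
```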

Re: Migrating to Astaro Security Linux

Anonymous's picture

it supports nat?

woop de doo, we've got a feature here! a key differentiation! I'm going to upgrade NOW - NAT is a must have feature, a real killer app for Astaro Security Linux. Also the informed technical advice in this article swayed me, so knowledgeable!

jokes aside - Astaro actually looks interesting, but where does he get the lack of NAT support, I can't think of anything that doesn't have NAT support - every snapgear, dsl modem freesco or coyote linux firewall on a floppy has NAT, doesn't windows 98 with internet connection sharing support NAT??

Re: Migrating to Astaro Security Linux

Anonymous's picture

heck - even the phone boxes that come with vonage do NAT.

Re: Migrating to Astaro Security Linux

Anonymous's picture

No, the article was not good! It is clearly an advert not an article and includes lots of incorrect information. For example both SmoothWall and IPCop support NAT. Pretty much all the 'advantages' stated are actually advantages of SmoothWall. The *only* thing missing from SmoothWall that the article is singularly correct about is that it does not have AV. But a disadvantage of Astaro is they licence by IP address - with Smoothwall there is no need to even enter the IPs - it works with any number from home user to enterprise.

Altogether an awful and inaccurate article.

Not terribly inaccurate, but incomplete

Anonymous's picture

Yes, the other iptables/ipchains based firewalls all have NAT. Smoothwall even has a fairly nice interface to it, slightly clumsy for large entities but large shops can SSH into the box itself and use gawk to build the configuration files instead of the GUI. But this is a "glossy", high-level overview, and very incomplete in its listing of the features of any of these softwares. As you say, it's mostly an advert for Astaro - "Our expert liked it, and used it successfully" - and not a comparison of linux firewall appliances. It doesn't seem to be trying to pretend otherwise.

Re: Not terribly inaccurate, but incomplete

dijit's picture

"Smoothwall even has a fairly nice interface to it, slightly clumsy for large entities but large shops can SSH into the box itself and use gawk to build the configuration files instead of the GUI."

Isn't the point of having a Web-based user-interface that the end user will not have to use the command line and use utilities like gawk? For large entities, centralized management could simplify this significantly.

// dijit

Re: Migrating to Astaro Security Linux

Anonymous's picture

"Altogether an awful and inaccurate article."

True, no mention about a good option supported in Astaro, HA/Load-Balancing :-).

Re: Migrating to Astaro Security Linux

Anonymous's picture

Agreed.... Smoothwall is a great product. However, I think Astaro is much more feature rich and provides an easier interface than Smoothwall. It is well defined and does what it is supposed to do, very well. Although...Smoothwall doesn't have the hardware requirements of Astaro so you can run it on much lesser hardware.

I would tend to think of Smoothwall being good for a small to medium corporation while Astaro fits the bill for the Enterprise.

my $.02..

- jmb -

Re: Migrating to Astaro Security Linux

dijit's picture

Fits the bill for the Enterprise? How do you define Enterprise?

I'd find it a nightmare to manage 200 of these compared to managing 200 devices with Check Point's management capabilities...

// dijit

Re: Migrating to Astaro Security Linux

Anonymous's picture

article was good!
a more comparative study would have made it better.
Anyways.. it's good!

Re: Migrating to Astaro Security Linux

Anonymous's picture

Astaro also has:

advanced scan detection (Xmas, etc.) LOG, DROP
iptables-based with a good web interface (mod_ssl)(httpd)
DHCP server onboard
support for Wifi segment
support for CSU/DSU cards
support for xDSL modem cards
auto-update
a very good user-based support group (on the astaro site)
every service is Chrooted from each other

can auto-email / auto-page[r] on certain events

need more?

Astaro disaster

Anonymous's picture

Yes - I need reliability.

We've had problems with our Astaro installation for the last 6+ months - there's a kernel bug which they acknowledge but seem to be unable to fix. The firewalls crash quite regularly, once in every couple of weeks.

The biggest joke is that we're running a HA installation which in theory should mitigate the problem but in fact the firewalls need rebooting with the power button.

The support has very poor language skills (at least their written English is terrible) and I don't consider it to be professional either.

I would not recommend Astaro to anyone. It may be good for home users but forget them in a corporate environment.
