Speaking as someone that has 5 Astaro boxes, I like the firewall but the spam filter is the worst I have ever used.
I want to go back to my Barracuda spam filter. The Astaro misses a LOT of spam!!!!!
That wouldn't be so bad if they gave you an easy way to blacklist domains, email addresses or IP addresses and/or subnets, but they don't.
Save yourself some major headaches and avoid the Astaro spam filter.
This shit is gay and I hate Astaro.
OK, my name is Dylan and I am having a big problem with the Astaro Security system. I have been trying to figure out a way to get through the security system because I'm trying to see if I could do it, but I'm in a little bit of trouble because I don't know how to get through it, and I was wondering if anyone knew anything that I could do to get around the Astaro system?
e-mail about the info
I'll bet if you spent as much time on your school work and less time messing around, you would have better grades.
LJ writers must be on vacation this month for the Holidays because this is another terrible article. It doesn't even list the URL for the distribution that it's trying to sell.
All I can say is...This is a LAME article and an ad for Astaro.
Since the company is based in Australia (where I live as well), why not consider www.snapgear.com?
This is HQ'ed in Australia. (Oh gee, how convenient!)
Yes, they were acquired by CyberGuard (large USA company), but CyberGuard is using Snapgear as a supplement to cover market areas that it couldn't.
Snapgear uses an Embedded Linux distro...What's good about it? Well, the same OS used in their routers is FREE to download!
I'm a systems administrator at a construction company in York, PA. We added Astaro as a separate firewall. We used it to replace Computer Associates Inoculate IT antivirus software on my Exchange server. It was outdated and we had to make a decision to either upgrade it or do something else. The guy at the time with the network recommended Astaro. He said he saw it somewhere so we gave it a try; I think it had a 30 free trial service or something like that. It impressed us so much we decided to buy it. So far it has worked great repelling viruses and since we haven't been "hacked" into, I can only assume this too is working.
They do make a good firewall but their spam filter is terrible.
Check Point is complicated and expensive. Astaro is low-cost and effective. End of story. One product replaced another. Period. This is not a technical review. For a full in-depth review of Astaro, refer to July's issue:
I agree that it is a horrible article. I found it incorrect in a number of places and in others it didn't make any sense. Since this talks about Astaro versus Check Point, I'll cite 10 quick examples where it belittles Check Point incorrectly:
1. The article stated that the upgrades of Check Point required people in all their offices, but what did they do for putting the new systems in? Surely they didn't install themselves.
2. The article stated that the cost and complexity of the upgrade was a factor. Moving from 4.0 to the latest version of Check Point, NG, it would probably be easiest to just recreate the policies on a separate management station--it's their fault for getting this far out of date (measured in years) and they'd have to recreate things for the new solution anyways. As for cost, did they contact Check Point? They're quite flexible and from looking at the pricing of the two solutions, it would have been more than competitive.
3. As for redundancy, there is built-in redundancy for site-to-site and client-to-site VPN tunnels, management, logging, and gateways in Check Point. Where's the redundancy "limitation"?
4. Stating that different rules for different firewalls is a "complication" is also deceptive. Check Point handles this very handily which is why so many enterprises are able to use it.
5. With regard to NAT support, almost everything on the face of the planet does NAT--the $80 wireless router I have here at my house does it. The other solutions he mentions also do NAT, which shows how poorly he reviewed the other solutions as well.
6. The 40-bit VPN he was using was his fault, 4.0 included support for strong encryption (3DES) using IPSec so he was probably using FWZ, didn't check the 3DES box, or he did not have a license for strong encryption. At the time 4.0 was released, IKE and AES weren't even standards, so of course it didn't support them. The Astaro device wasn't protecting him from himself, it simply didn't allow anything lower than 3DES in the GUI, which presents a serious problem with creating tunnels to devices in specific countries which are not able to use strong encryption.
7. "Automated Updates" is also misleading. It either happens from an administrator going directly to each device to do the update (time consuming) or they are automatically pulled from the internet and not controlled by the administrator. In which case, when the device pulls something down from the internet and it breaks functionality, an administrator must go to each device to fix it. This is why centralized management is important. Unfortunately, Astaro does not provide it. This is probably because there's not a free utility out there that does it.
8. Licensing is no longer the way he mentions it and hasn't been for years. Check Point has removed the necessity to tie a license to an IP address on the firewall. This is called "Centralized Licensing" and all changes can be done via the web.
9. The ability to have a system running on a linux-based PC within 20 minutes isn't extraordinary. You must still spend time configuring the box all over again including rules, IPSec information and if you didn't have a backup file, you'll have to configure the VPNs on all the devices it is encrypting to using certificates. With Check Point's SecurePlatform (also a bootable, Linux-based installation) you can have a device up and running in under 10 minutes and with centralized management, you already have the configuration stored, so you just establish a trust between the device and the management station, push a policy, and it's done.
10. None of these changes are new to Check Point. Everything I mention has been around for over a year and if he actually did his homework he would have known this. And if he did his homework, I think it is likely that the outcome of his decisions would have been different--especially with other capabilities like being able to do user-based QoS, QoS inside the VPN, see logs in a useful manner (rather than just having them spew out into a window), do proactive attack detection and blocking with what Check Point calls "SmartDefense", etc.
Overall, he chose something he was comfortable with for home use and adapted it for the company he was working for instead of something that actually provided the security companies require. Most of the stuff he states here are simply rationalizations. He'll find this out the next time MSBlaster or SQL Slammer comes out and the response to the attack is "use packet filter to close the port". Hope you don't need to print, share files, or have your web server use that SQL server!
I really believe that he made a poor decision and put the company at risk. He has single-handedly placed the security of the eBet company in the hands of a small 40 person startup where it was on a platform which had over 300 developers alone to ensure the security of the software and local representatives all around the world. The article didn't mention support, which he will have to go through a local reseller to get, and if he wants support from Astaro directly, he will have to use the Bulletin Board. This entire article was self-serving for him and Astaro. I'm not surprised I saw part of it on the Astaro bulletin board.
Disclaimer: I know both Astaro and Check Point well and I think both are nice solutions with their places. Astaro works adequately for small companies or single firewall installations. However, a correctly architectured solution from Check Point would have been more manageable and probably not too much more expensive. The reason I put all this here is because it hurts the Linux community when biased or untrue allegations are purported as "fact" because all the positives will get written off quickly when the incorrect pieces are brought to light.
Was running a PIX firewall and had constant attempts to break in; some of the better explorers actually got by the PIX. So I called up a local distributor in NYC, Systems Solutions, a nice group of people that are very knowledgeable and don
How can it be doing NAT _with_ VPN? For NAT the source/destination addresses are rewritten which will screw up the checksum for the Authentication Header used by the VPN -- so you get a choice of _either_ VPN _or_ NAT.
This review should have had more technical detail. The assertion that the firewalls presented by SmoothWall or IPCop don't do NAT is ridiculous.
It supports NAT?
Woop de doo, we've got a feature here! A key differentiation! I'm going to upgrade NOW - NAT is a must-have feature, a real killer app for Astaro Security Linux. Also the informed technical advice in this article swayed me, so knowledgeable!
Jokes aside - Astaro actually looks interesting, but where does he get the lack of NAT support? I can't think of anything that doesn't have NAT support - every Snapgear, DSL modem, freesco or coyote linux firewall on a floppy has NAT; doesn't Windows 98 with Internet Connection Sharing support NAT??
Heck - even the phone boxes that come with Vonage do NAT.
No, the article was not good! It is clearly an advert not an article and includes lots of incorrect information. For example both SmoothWall and IPCop support NAT. Pretty much all the 'advantages' stated are actually advantages of SmoothWall. The *only* thing missing from SmoothWall that the article is singularly correct about is that it does not have AV. But a disadvantage of Astaro is they licence by IP address - with Smoothwall there is no need to even enter the IPs - it works with any number from home user to enterprise.
Altogether an awful and inaccurate article.
Yes, the other iptables/ipchains based firewalls all have NAT. Smoothwall even has a fairly nice interface to it, slightly clumsy for large entities but large shops can SSH into the box itself and use gawk to build the configuration files instead of the GUI. But this is a "glossy", high-level overview, and very incomplete in its listing of the features of any of these softwares. As you say, it's mostly an advert for Astaro - "Our expert liked it, and used it successfully" - and not a comparison of linux firewall appliances. It doesn't seem to be trying to pretend otherwise.
"Smoothwall even has a fairly nice interface to it, slightly clumsy for large entities but large shops can SSH into the box itself and use gawk to build the configuration files instead of the GUI."
Isn't the point of having a Web-based user-interface that the end user will not have to use the command line and use utilities like gawk? For large entities, centralized management could simplify this significantly.
"Altogether an awful and inaccurate article."
True, no mention about a good option supported in Astaro, HA/Load-Balancing :-).
Agreed.... Smoothwall is a great product. However, I think Astaro is much more feature rich and provides an easier interface than Smoothwall. It is well defined and does what it is supposed to do, very well. Although...Smoothwall doesn't have the hardware requirements of Astaro so you can run it on much lesser hardware.
I would tend to think of Smoothwall being good for a small to medium corporation while Astaro fits the bill for the Enterprise.
- jmb -
Fits the bill for the Enterprise? How do you define Enterprise?
I'd find it a nightmare to manage 200 of these compared to managing 200 devices with Check Point's management capabilities...
Article was good!
A more comparative study would have made it better.
Astaro also has:
advanced scan detection (Xmas, etc.) LOG, DROP
iptables-based with a good web interface (mod_ssl)(httpd)
DHCP server onboard
support for Wifi segment
support for CSU/DSU cards
support for xDSL modem cards
a very good user-based support group (on the astaro site)
every service is chrooted from each other
can auto-email / auto-page[r] on certain events
Yes - I need reliability.
We've had problems with our Astaro installation for the last 6+ months - there's a kernel bug which they acknowledge but seem to be unable to fix. The firewalls crash quite regularly, once in every couple of weeks.
The biggest joke is that we're running a HA installation which in theory should mitigate the problem but in fact the firewalls need rebooting with the power button.
The support has very poor language skills (at least their written English is terrible) and I don't consider it to be professional either.
I would not recommend Astaro to anyone. It may be good for home users but forget them in a corporate environment.