I am a fairly regular listener to Leo Laporte’s Security Now Podcast. I finally broke down the other day and decided to give the Astaro Security Gateway product that Leo is always pitching a try – particuarly since all it would cost me was my download time and an old computer. Currently, I run a SonicWall TZ170 at home and while I have no complaints, it does bug me that I have to write a check to SonicWall every year for a couple hundred dollars to pay for the security subscription that I have. The SonicWall has anti-virus, anti-spam, and anti-malware filtering plus it can do some outbound content filtering should I want to enable it (not a big deal right now, but as my kids get older, something to look into). Anyway, if the Astaro gives me the chance to get all of that filtering without the $210 annual fee, I’m all for it (Astaro used to charge something like $40 per year for home users, but they have eliminated that fee – home users get all of the subscription features for free).
So, in the interest of letting others learn from my experience, I am going to document my life with the Astaro over the next few weeks. I have already encountered some minor warts along with some relatively cool features. Let’s see what else we can find.
Okay, installation went well – blow away whatever was on the disk and install the Astaro software. I was pleasantly surprised to see that Astaro includes a driver for the Biostar LAN adapter that is on the motherboard of the small formfactor PC I am using for the install. I dropeed a standard Intel 82559 card into the open PCI slot and I now have a firewall. Once the install is finished, you need to go to another computer to connect to the web interface of the Astaro. This may be the first knock for the serious programmer – it appears that everything is done through the web interface. Not sure how much scripting or command line access is available.
When you complete the initial step of giving it a new admin password, the Astaro wants to run a set-up script. I highly recommend that you do not cancel that script. I did and could not figure out how to start it again. I finally had to choose the option to restore factory defaults which allowed me to start over. For a new user, the setup script asks you some pretty simple questions and configures a few rules and a Web Proxy. Note that this is not an appliance for the newbie. You need to know what you are doing to properly answer the questions. One thing that bugged me is that while the setup script configured my external card to use DHCP from my cable modem and created a NAT rule and a DHCP scope, it did not activate the DHCP server automatically. I had to do that manually. Once that was set, it was good to go.
One thing that I noticed is that when you download a file from the web (I am using the web proxy capability), the Astaro first downloads the file to itself, performs a virus scan, and then determines if the file should be released to you or not. By default, files with an .exe extension are automatically blocked, so you need to go and change this if you want to download .EXE files.
Another thing to keep in mind is that this is a true firewall in that if there is not a rule allowing something to go in or to go out, that thing is not going anywhere. Those of you who are used to using the consumer firewalls know that while they block inbound traffic, they allow everything outbound. Not so with the Astaro. If you do not have a rule that permits for example an FTP outbound session, you are not gonig to get one.
So far so good. As I mentioned, this not the device for the novice, but it seems pretty configurable and looks fairly powerful. Look for more posts as I play with it more.
Re: Using the Astaro Security Gateway
I have been struggling for some time with Astaro ASG V7 so I am interested in your further experiences. Since I am using the free home version, Astaro Tech Support would not help me at all and suggested I call their sales department to see if I could pay for some hand-holding — No call back from them twice. I also learned of product from SecurityNow!
I also thought this would be a great idea for the future….. not so sure now. I’m no linux expert at all, but I have dabbled in it for a few years, so I thought I’d figure it out……. lol….NOT
I do have an old OEM w/1Ghz, 512MB RAM, dual port PCI NIC (Thankfully recognized by Astaro) and an 80GB HDD. What am I missing?? LOL – probably the knowledge to figure it out!!!
Anyhow, the initial install went well; I gave it an IP addy of 192.168.2.1 (My home network is 192.168.0.x/24) and I have a Vonage VOIP device that is 192.168.15.1 that is working; my logical route being the TimeWarner cablemodem —> Vonage VOIP device –> Netgear Router(FVS3115) –> PC’s
What I planned was to put the Astaro Gtwy BEFORE the Vonage device, but so far not working at all.
The issue is I cannot connect via web interface to the Astaro device, no matter what IP addy I give it, or so it seems.
I’ve been using Astaro at home for a month now and just about have all the issues ironed out. So right now i kinda like it. I’m running a web server behind it and setting up the NAT for the services was the most challenging part for me but the help files are surprisingly helpful.