Astaro Security Gateway 7 review
Astaro’s Security Gateway software is a Unified Threat Management (UTM) system that can be installed on any suitable hardware to provide network protection services. There’s a choice of three kernels. The standard kernel is designed to run on a single-processor system, or there’s a symmetrical multiprocessor alternative that can also be configured to run in single-processor mode. Finally, a single-processor kernel is available for older hardware that lacks support for features such as ACPI.
We installed the software on a system with a Supermicro P4DCE+II motherboard supporting two Intel Xeon 2.8GHz processors and 2GB of RAM. We used a single hard drive attached to a Parallel ATA interface. Security Gateway 7 also supports UPS devices from APC and MGE, and RAID controllers, such as the Adaptec 2010S, for extra resilience.
There have been a number of changes since the last release. The web management interface has been completely revamped. The changes are functional as well as cosmetic, providing setup wizards for those configuration options that previously needed to be set from the command line. A new dashboard feature gives an overview of the current system’s state as well. Performance monitoring provides a number of graphical displays for CPU, memory and disk usage, as well as network traffic, while statistical data can be retained and displayed for up to a year.
Reporting has been improved. It was always adequate, but the addition of new graphs and some layout changes gives greater clarity for managers. Executive reports can be displayed in a second browser window for a quick overview and can also be sent by email at daily, weekly and monthly intervals.
The basic system, which includes the management and reporting features, offers comprehensive protection features including a highly configurable firewall, an intrusion-protection system and wide-ranging VPN facilities using SSL, IPSec, L2TP and PPTP. Other features, such as email filtering, email encryption and web filtering, are also available at extra cost. User authentication was a strong point of previous releases and this continues to be the case, with support for RADIUS, Microsoft’s Active Directory, Novell’s eDirectory, TACACS+ and LDAP, as well as its own internal user database. Firewall policies can be linked to proxy profiles, and each profile can have its own authentication method. Although the choice is restricted to local authentication, Active Directory or eDirectory – and only one method can be specified for each one – this provides a fine-grained and secure way to control internet access.
The web-filtering option offers a range of protection, with two anti-virus scanning engines, content filtering, URL blacklisting and spyware detection. Email filtering remains effective, although the sender address verification feature available in earlier releases is no longer included. This shouldn’t pose any problems, since the technique is of limited effectiveness in preventing spam.
Installing the software on a normal system is an attractive proposition, saving money over the cost of a purpose-built appliance. However, if you need security certification then a dedicated appliance with security features such as tamper-evident cases and security keys is essential, since these features aren’t usually found on general-purpose systems. Of course, the same software runs on Astaro’s appliances as well.