EXCLUSIVE: Astaro Security Gateway 120 Appliance

IT Pro Verdict

The hardware specification isn't anything to write home about but the ASG 120 is offering a veritable feast of security measures in a well built and easily configured appliance that's priced about right for SMBs.

Astaro's latest family of security appliances bring together an impressive range of features that look to offer a complete umbrella of protection to small businesses and enterprises alike. They all use the same preinstalled Security Gateway Linux based software so you just choose the hardware platform that best suits the amount of traffic you expect it to handle.

In this exclusive review we take a look at the diminutive ASG 120 appliance which is aimed at small offices and its unrestricted user license means it should be able to cover quite a few bases. Astaro's choice of hardware platform for the ASG 120 isn't visually inspiring but it is built like a tank. The 667MHz VIA processor is a reasonable choice but as we found during testing the 512MB of memory really could do with being boosted to 1GB as usage rarely went below 65 per cent even with only few clients using it.

The latest v7 brings in a range of new features which include an improved management interface, support for SSL-VPN remote access, email encryption and high availability options. Ever after a brief glance it's clear the ASG 120 is offering as lot more as along with a standard NAT/SPI firewall you get optional web and email anti-virus scanning, anti-spam, web content filtering, intrusion detection and prevention and even the ability to control IM and P2P apps.

Access security is extensive as the appliance maintains a local user and group database but can also integrate with Active Directory, RADIUS and LDAP servers and even Novell's eDirectory. Password complexity for local users can also be configured to stiffen up security even further. To manage web traffic the appliance employs HTTP and FTP proxies which we found easy enough to configure. The HTTP proxy operates in a range of modes but have a care if you choose the transparent method. Whilst this doesn't require you to configure your client's browser connection settings it only supports HTTP over port 80 and won't work with FTP or HTTPS.

General installation is fairly straightforward as the new web interface offers a couple of quick start wizards to help you get going. The LAN interface is automatically configured but we did need to assign a DHCP server and address range to it first. Next came the WAN port and you can pick either of the spare ports and use a variety of connection methods. We opted for a simple intelligent ADSL modem which provided DHCP services to the appliance's WAN port but you can opt for PPPoE or PPPoA as well.

To make general configuration easier it's worth spending some time creating network and service objects. These definitions can be used in a range of functions such as packet filtering rules and proxies and are simply dragged from the side bar to the relevant setting. The new web interface certainly looks good as the home page opens with the new dashboard feature which provides information on the status of hardware resources such as memory and CPU utilisation, a rundown on detected threats and lists of spam and viruses that have been picked up and dealt with.

Whilst it is commendable, the fact that the appliance defaults to blocking all web traffic means you need to create packet filtering rules for access to certain services. However, with your definitions to hand these won't take long and Astaro does provide a pile of predefined services ready for use. Packet filters are applied strictly in the order they appear in the filter table and can be moved up and down the table. A live log shows in real-time what your filters are doing and a colour coded system makes it easy to see what is being dropped, blocked and allowed.

Anti-virus measures are activated from the web and mail proxies and Astaro uses both Authentium and the open source ClamAV although it's a shame Astaro dropped Kaspersky as this vendor has always had a good reputation. Web content filtering comes courtesy of Cobion which is now under the auspices of IBM. From the HTTP proxy page you have eighteen main categories to play with and each of these have up to seven sub-categories attached which can also be customised to suit. During testing we found the filtering worked well with the appliance blocking all our attempts to accessed banned sites and providing a warning webpage for each transgression.

Anti-spam measure are activated separately for the POP3 and SMTP proxies and Astaro employs a range of detection methods including RBLs, heuristics, a spam database and reverse DNS lookups. We found these worked well with only a small number of spam messages slipping past them. The appliance's quarantine area can be accessed directly from the web interface where you can review all dodgy messages being held and release or delete them.

The SSL-VPN feature is actually rather limited as you simply provide a list of users and groups that are allowed to call in and which local network objects they are allowed to access. The ASG 120 provides controls over seven IM apps including AIM, MSN Messenger and Yahoo! Messenger and eight P2P apps such as Bittorrent and Gnutella and allows you block them or alert you to their use. You don't get anywhere near the same level of control as dedicated security appliances but Astaro does let you block file transfers for each listed IM application.

With such an extensive range of security features on offer reporting needs to be good and Astaro doesn't disappoint. For each proxy you get a real-time rundown on the top web domains being accessed, the busiest users and the top blocked sites along with the top email senders and receivers and even the worst spam countries. The Executive Report option provides a complete summary of the day's activities which, for us, extended to no less than eight pages of reports and graphs.

Considering the price includes unlimited user support, the ASG 120 is offering a lot for your money. More memory wouldn't have gone amiss and some feature such as SSL-VPNs and IM/P2P controls are fairly basic but the main players in Astaro's team look capable of delivering a highly effective and affordable network security blanket to the majority of small businesses.

Verdict

The hardware specification isn't anything to write home about but the ASG 120 is offering a veritable feast of security measures in a well built and easily configured appliance that's priced about right for SMBs.

Desktop chassis

667MHz VIA Nehemiah processor

512MB of 400MHz memory

40GB Hitachi Travelstar IDE hard disk

3 x 10/100 Ethernet; 2 x USB 2.0 ports

9-pin serial port

Monitor and keyboard ports

External power supply

CLI and web browser management

Dave Mitchell

Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd – the UK’s premier independent network testing laboratory - Dave has over 45 years of experience in the IT industry.

Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.