Back to article
Astaro: A "Swiss-Army Knife" of Security Software
Astaro Features Bundled Security Package
April 30, 2002
As more servers open themselves up to the benefits of online communication and e-commerce, it is good to know that there are open source software firms stepping up to fill the security needs of this online world.
One such company, Astaro, released the latest update to its security software for Linux this week, a downloadable product combining firewall protection with intrusion detection, VPN support, and content filtering.
Touted by German-based Astaro as a security "Swiss army knife," the Astaro Security Linux (ASL) software is also resold by Astaro partners such as Cobalt, Pyramid, and EDS in their Internet appliance hardware.
The software product is aimed mostly at mid-sized organizations that don't want to invest in more expensive solutions from vendors like Checkpoint, says Steve Schlesinger, Astaro's managing director. Astaro is also targeting branch offices of big corporations.
ASL brings together Astaro's proprietary middleware, user interface, and Web-based administration tools with a hardened Linux kernel and several open source security components.
Bundled in, as well, is antivirus software from Kaspersky Labs. "We also resell (SSH's) SSH Sentinel as a VPN client for road warriors. Or, you can use a PPTP client, which comes with practically every Windows machine," Schlesinger says.
"Astaro has a strong, vocal, easily targeted market in the open source community. The active support and contributions in the community often point to lower support and development costs, as do Astaro's modifications to existing open source databases," according to a recent report by Hurwitz Group.
Specifically, Astaro's open source componentry includes an Apache Web server; IP tables, for stateful packet inspection; FreeSwan, for VPN services; and two proxy servers: Squid and eXim, Schlesinger says.
"We want to provide a supported hybrid which is based on open source. We pick the best components that RedHat, SuSE and Mandrake have to offer. Without middleware, though, the onus would be on the user to glue everything together," he contends.
"Open source is probably the most tested of all software. Bugs are reported as soon as they're found. We not only do we use open source, but we improve on existing open source stuff by posting fixes back."
Astaro got its start in January of 2000 in Karlsruhe, Germany. More than 185,000 users have downloaded trial versions of ASL by now, according to Schlesinger. "We're on an honor system," Schlesinger adds. The company also has more than 5,000 paying customers at this point.
Many users say they like the fact that Astaro pre-integrates Linux security components for them.
Joe Little, principal systems architect at Stanford Universitys School of Engineering, has been testing USL for use as a general proxy server and VPN server for deployment among 60 Macintosh and Windows users at Stanford University.
"ASL is a catch-all solution for a lot of different security needs. You could combine a bunch of off-the-shelf components by yourself, but the integration and testing wouldn't be trivial. There are a few other 'catch-all solutions'out there, but none offer the same combination," Little maintains.
Little is also pleased that ASL lets administrators isolate, or "sandbox," various security functions. "People get nervous about 'featureitis.' But with Astaro, you can do sandboxing, so if someone accidentally misconfigures one thing, it doesn't necessarily open up the entire network."
The graphics group within Stanfords engineering and computer science schools is looking at using ASL in conjunction with a "virtual environments" Web server, Little says.
For its part, EDS is using ASL in a firewall and VPN appliance for credit unions. "Each credit union has its own Internet connection. The credit union resells the box to its own customers, integrates it, sets it up, and does monitoring," explains Buddy Baxter of EDS.
"Credit unions don't want to spend $20,000 on a solution. They want to spend on the lower end, but at the same time, they don't want to compomise security."
Baxter is likewise impressed with Astaro's performance "Astaro's product is very reliable, almost like a lightbulb," he says. "The company is also very responsive. At one time, the software supported IDE drives only. When we wanted to use SCSI drives, though, Astaro added SCSI support."
Astaro issues bug fixes and minor enhancements through the Up2Date Web-based service. Version 3.051, the latest update, includes fixes to IPsec security, to HTTP and DNS proxies, and to the "look and feel" of WebAdmin.
In an earlier bug fix in February, Up2Date 2.022, Astaro responded to some users complaints of an "improper file permissions flaw" by remedying the problem.
Wrote Astaro's Markus Hennig to the Bugtraq Newsgroup: "All Astaro users please note, (though), that none of the wrong permissions (were) usable for an exploit to gain root privileges, and none of them (contained) any remote vulnerabilities."
Astaro provides VPN support through IPSec and PPTP. Proxy support includes SMTP, for virus protection; HTTP, for content filtering, cache, and authentication; and HTTPS, DNS and SOCKS 4.0/5.0, also for authentication.
WebAdmin, Astaro's proprietary administration tool, incorporates SSL security. Astaro offers a free demo of WebAdmin on its own Web site. Alternatively, ASL can be remotely monitored through SNMP or Syslog, according to Schlesinger.
ASL is priced from a low of about $400 to $5,000 for an unlimited license. Astaro also offers optional service packages, ranging from 24-by-7 support to smaller call packs. For round-the-clock worldwide phone coverage, Astaro runs call centers in the US (Massachusetts); Canada (British Columbia); and Europe (Germany), for example.
For free user self-help, Astaro operates a bulletin board on its Web site (http://www.astaro.com ). Recent postings have included "RoadWarrior configuration," "SMTP relay from Internet," and "VPN using 3.050," for instance.