Astaro Security Linux V4

Jeremy Impson

Issue #111, July 2003

Astaro delivers an impressive array of security features in one package.

Astaro Security Linux (ASL) V4 is a nifty all-in-one firewall product. Billed as an affordable enterprise-level security solution, Astaro delivers an impressive array of security features in one package. ASL V4 is a software product, not an appliance, so you need to provide your own hardware for it.

The ASL feature set leaves little to be desired. It uses the journaling features of the ext3 filesystem for rapid recovery from unplanned reboots. All administration is performed from an SSL web front end. It also comes with an SSH server that provides command-line access, a fact that pleases this reviewer. Astaro does state that SSH access is intended only for advanced users, because users would have to edit the configuration files by hand. Still, I was pleased to have the option of getting down and dirty with the system if necessary.

ASL performs packet filtering, just as you'd expect a Linux- and iptables-based system would. Source NAT, destination NAT and IP masquerade are all supported. The default ruleset is quite locked down and is modified automatically when you add or modify services. But ASL adds further value with its use of network groups. ASL has a single set of user interfaces to let you define networks, network group, service groups and user objects. Once defined, ASL lets you use them for all sorts of access control lists (ACLs). For example, once a network group is defined, it can be used when configuring NTP services and defining IP-masquerading rules. Another example can be seen with the predefined service group called netbios, defined as netbios-dgm (port 138), netbios-ns (port 137) and netbios-ssn (port 139). With this group, one can set various rules that consistently affect all three of these services.

As with packet filtering, ASL comes with the various proxy packages we expect. This includes an HTTP cache that can be configured to work transparently to the client, SOCKS proxy and SMTP relay. The SMTP relay includes antispam and virus scanning subsystems. ASL V4 also includes IPSec, DHCP, PPTP, identd, POP3 with virus scanner and DNS forwarding services. Service includes a virus scanning subsystem.

For all the proxies and services that can make use of user accounts, such as SOCKS, HTTP and SMTP, ASL can use your existing LDAP, RADIUS or Windows Domains to provide authentication, or it can use its own user account database. Once identity has been established, access controls can be placed on users to control access to different services.

ASL has a port-scan detection system that sends e-mail to an administrator when it detects port-scan activity. It also can be configured to drop or reject the port-scan traffic. Interestingly, the source of the port-scan traffic is allowed to communicate again after the port-scan traffic has ceased.

Astaro has incorporated an automatic update function into ASL, called Up2Date. (It isn't clear what relation, if any, this software has with Red Hat's up2date update tool.) All patches are signed digitally, and all communications are encrypted. Besides patches, virus and spam signatures also are updated with this mechanism. Updates can be made manually—scheduled hourly, daily or weekly—or can be downloaded by hand from Astaro's FTP server. System configuration backups can be exported either manually or automatically. These backups can be encrypted and e-mailed.

ASL offers load balancing, using iptables NAT rules to split incoming connections between two or more actual servers. ASL seems to be protocol-agnostic; that is, it performs load balancing for any service protocol. Naturally, it remains for system administrators to ensure that the servers sharing the load are able to synchronize themselves if necessary.

Even the user guide has value beyond explaining how to use ASL. It provides a short but accurate tutorial of the various technologies involved in network security. For example, it discusses transparent vs. application proxies, and it contrasts them to IP masquerading.

ASL really has too many features to discuss fully in this review, including syslog support, wireless LAN access point mode, WEP support, the capability to plug in to an untagged port of a VLANed switch (why this can be beneficial could be the subject of a whole other article), a network time protocol client, high availability and quality of service.

You can configure the system logs for authorization, dæmons, kernel, notifications and SMTP relay messages to be logged independently.

Astaro recommends a minimum system configuration of a single Intel Pentium II (or equivalent) processor, 128MB of RAM, an 8GB disk drive (ASL supports IDE and many popular SCSI cards) and two or more PCI network cards. If you wish to use wireless network PCMCIA cards, you should use one based on the Prism2 chipset. Certain other configurations, such as high availability or the VLAN subsystems, may require other specialized hardware.

The installation happens with a text/curses-based menu and is fairly quick and simple. It asks a few questions and then proceeds to repartition and reformat the hard drive, so be sure you're ready to let that happen.

Figure 1. Manage Astaro Security Linux with an SSL Web Tool

Once installed, you point a web browser at a secure web GUI. The best adjective to describe the look of ASL's web GUI is slick; it is well designed and has some impressive functions. One function allows you to kick off other administrators, with the option of providing them a reason for the boot. Logged-in sessions have an automatic timeout as well. There's easy access to the system's uptime, last login, date and time.

ASL has a nice iptables/firewall display, with GUI interfaces to add your own rules, and easy-to-understand ICMP settings, including options to make firewall visible to traceroute, make firewall forward traceroute, make firewall ping visible and make firewall forward pings and so on. This reviewer was most impressed with the live log of filtered packets, whose regularly updating display shows recent network activity. The only thing this display lacks is some way to know which firewall rule caused a packet to be denied. Such information is essential for rule debugging.

ASL's slickness extends to the SMTP GUI and its options for access control and many ways to try to fight spam, such as verify address, black holes, file type filter and expression filter. If you've ever tried to configure sendmail, you know what a daunting task this can be.

Besides configuration, the web GUI also contains a number of graphs. The graphs plot statistics for CPU, RAM and swap; current hard-disk usage and process list; total network connections; and each network interface for the past 24 hours.

ASL has a few other remarkable features. The first is the IPSec interface has a certificate management option. It can generate or upload its own Certificate Authority (CA), and it can receive and even fulfill requests for new client certificates. If your organization does not have a certificate authority, ASL can provide its own CA key material. Remember, a whole slew of policies and procedures should be defined before one could consider one's CA actually to be secure.

An ASL machine beeps five times at boot and shutdown, letting you know its status with certainty. Most of the system services run in a chroot()ed environment. Some even have their own disk partition, which helps to prevent disruption of other services that might otherwise result from a denial-of-service attack on one service. The administrator can install custom software. ASL could be a nice starting point for your own Linux-based projects.

ASL is not a typical home-use broadband firewall-router. It certainly can be used for that, but because ASL can do so much more than DHCP and IP masquerading (or NAT, if you prefer), typical home use would be a waste of its features. Out of the box it requires some setup, but if you already know you need more than a typical broadband firewall-router appliance, chances are you already know how to achieve this. ASL would make a good home-use firewall-router for the network-savvy power user, someone comfortable with or interested in learning the ins and outs of SMTP configuration, SSH keys, RADIUS configuration and/or IPSec. So it's fortuitous that Astaro provides a free home-use license, which does not include the antivirus protection.

I do have a few minor reservations about ASL V4. I admit that ASL impressed me with the sheer number of features it supports. It is common security policy to limit the functional responsibilities of each infrastructure node on your network. For instance, a router should stick to routing, a firewall should stick to packet filtering, a proxy server should stick to application protocol proxies and an SMTP relay should stick to e-mail. The justification is that a separation of functions limits the overall damage should any one service suffer a security exploit. With everything in one box, ASL might encourage an all-in-one approach. On the other hand, such a configuration may be desired if there are cost, space or administration constraints or, simply, if the risks aren't as high. Indeed, there's no reason one couldn't install ASL on numerous machines and turn on only certain services in each node. But this illustrates another potential problem. Aside from the ability to export and import configurations, there is no apparent support for a single point of administration for multiple ASL nodes. In other words, there's no policy manager that can push configurations to multiple ASLs.

At installation time, you receive a 30-day license, after which you need to purchase a full license. At the time of this writing, prices range from $390 US for a ten-IP network and a one-year Up2Date subscription to $6,895 US for unlimited IPs with three years of Up2Date. Virus protection, high availability and surf protection are priced separately. Astaro has a free personal use license, and this reviewer intends to take advantage of it.

Product Information

Jeremy Impson is a security and network consultant in Upstate New York. Send your questions and comments to jdimpson@acm.org.