March 9, 2005

Review: Astaro Security Linux 5.1

Author: Preston St. Pierre

One of the more popular uses for Linux is as a router/firewall to secure a local area network (LAN) against intruders and share an Internet connection. Several specialized distributions have sprung up to simplify this task. These range from small, diskette-based distros like the Linux Router Project and FREESCO to larger systems requiring a hard disk installation. Among the latter is Astaro Corp.'s Astaro Security Linux (ASL) 5.1, which I recently reviewed as part of ongoing research into content filtering products. ASL is an RPM-based distribution that allows an administrator to easily turn an x86 PC or server into a router/firewall appliance.

Unlike the firewall and router distros mentioned above, ASL is not entirely open source. Rather, ASL is built upon an open source base, but adds a well-designed but proprietary HTTPS graphical user interface that facilitates advanced system administration by users who aren't Linux gurus. Astaro provides technical support for configuration through the GUI but specifically disclaims support for changes made by root via Secure Shell login.

ASL is not distributed entirely under the GNU GPL. Obviously, Astaro cannot claim control over the base operating system, but in order to use ASL with the GUI you need to obtain a license. A license for use of the basic firewall and proxy features is available for free to home users, but commercial users need to buy a license at a cost that varies according to which options they use and how many users will be routing traffic through the box. A 10-user license for using the firewall, intrusion prevention, and virtual private networking feature starts at $290 per year. Adding Web content filtering tacks on another $390 per year, and email virus scanning another $310 per year. Multiple year subscriptions can bring the per-year price down a bit.

ASL's security features include:

  • A packet-filtering firewall
  • A caching proxy server
  • Multiple virtual local area networks (VLAN)
  • Intrusion detection and prevention
  • PPTP, IPSEC, and L2TP virtual private networks (VPNs)
  • POP3, IMAP4, and SMTP proxying and virus scanning, using Kaspersky Antivirus
  • Web content filtering using Proventia Web Filter (formerly Cobion)
  • Logs accessible via downloaded files, remote syslog servers, or HTML reports generated on the ASL box

ASL can also act as a DHCP and DNS server for the computers on your LAN.

To test ASL, I first downloaded an ISO image from Astaro's Web site, verified the MD5 sum, and burned it to CD using K3B on a Dell D600 laptop running SUSE 9.2 Professional. I registered with Astaro to obtain a 30-day evaluation license, which I saved as a text file to the laptop's hard disk.

My test box was a 2.4GHz Pentium 4-based Dell Dimension with 512MB of RAM, an IDE hard disk (6.4GB is the minimum required), an onboard Intel 10/100 Ethernet card, and an RTL8139-based Ethernet card scavenged from our storage closet. I connected an old Dell PS/2 keyboard and a Dell 15-inch LCD display for use during installation.

To install ASL you need to be able to boot from the installation CD, so you may need to switch the order of boot devices in your computer's BIOS. After booting into the text-mode installer, you must answer a few questions, including which network interface card (NIC) to use for management access. You can use the same NIC for management as you do for LAN access through the box, or you can install a separate NIC for this, further restricting administrative access.

I recommend you have all the hardware you plan to use installed in the machine when you load ASL. Although you can add hardware later, doing so requires you to log in via SSH and manually edit configuration files to get ASL to recognize them. Unless you do so, ASL's GUI won't recognize the new hardware. This is something I'd like to see rectified in future Astaro releases.

Installation took only about 12 minutes on my test machine. After the installer finished copying files from the CD, I ejected the disc and rebooted.

The system came back up quickly on reboot. The first time I accessed the Web GUI I was prompted to set passwords for the Web admin, root, and console login users. Upon logging in I found a system that was quite locked down. Very few services were running, and in fact, you need to manually activate the WAN interface. This is the kind of initial setup I like to see in a firewall, because it reduces the chance that an unneeded service will provide an exploitable hole to outside attackers.

I should note that while ASL provides an easy-to-administer interface to Linux's routing and firewalling capabilities, a slick GUI cannot substitute for an administrator's understanding of TCP/IP networking.

When activating the WAN interface you must specify which networks it's considered to be part of. Options include any, internal network, internet address, internal broadcast, external network, and external broadcast. Since I was configuring mine as a router and firewall protecting a LAN from the Internet, I assigned the WAN port to the external network.

The default configuration of the packet filter blocks all inbound and outbound traffic going through the router. If, as in my setup, you're using ASL to share one public IP address among the computers on your LAN, you'll have to enable IP masquerading. You can then create packet filter rules to allow applications running locally to access the Internet. For example, if you want to be able to use AOL Instant Messenger, you'll need to open outbound TCP port 5190.

The packet filter supports very granular rule sets. For example, a system administrator at a company running an ASL firewall could enable AIM for certain users while blocking it for other users. This is useful in corporate environments where certain departments need more restricted Internet access than others, such as a stock brokerage.
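The default-deny policy, the masquerading step, and the per-host granularity described in the two paragraphs above can be expressed as a small iptables rule set. The following is an added example written for this review, not ASL's own configuration (ASL's GUI generates its own rules); the interface names, LAN addresses, and the set of permitted hosts are constructed assumptions. It generates the commands for a generic Linux router and includes a small checker that answers, for a given LAN host and destination port, whether the rule set would let a new outbound connection through.

```python
"""Default-deny iptables rule set with masquerading and per-host allowances.

Added example for a generic Linux router; not ASL's own configuration.
Interface names, addresses and the allow list below are constructed.
"""
import ipaddress

# Constructed assumptions: eth0 faces the Internet (WAN), eth1 faces the LAN.
WAN_IF = "eth0"
LAN_IF = "eth1"
LAN_NET = "192.168.1.0/24"

# Granular allowances: (source host or network, protocol, destination port).
# TCP 5190 is the AOL Instant Messenger port the review mentions; here only
# one LAN host may use it, while basic web and DNS are open to the whole LAN.
ALLOW_OUTBOUND = [
    ("192.168.1.10", "tcp", 5190),   # AIM permitted for this host only
    ("192.168.1.0/24", "tcp", 80),
    ("192.168.1.0/24", "tcp", 443),
    ("192.168.1.0/24", "udp", 53),
]


def build_rules(wan_if=WAN_IF, lan_if=LAN_IF, lan_net=LAN_NET, allow=ALLOW_OUTBOUND):
    """Return the iptables commands, in order, as a list of strings.

    Nothing is forwarded in either direction unless a rule explicitly
    allows it, and LAN hosts share the single public address via
    masquerading on the WAN interface.
    """
    rules = [
        # Default-deny on every chain: an unlisted service is simply closed.
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT DROP",
        # Replies to connections that were permitted outbound are let back in.
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, proto, port in allow:
        rules.append(
            f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {src} "
            f"-p {proto} --dport {port} -m state --state NEW -j ACCEPT"
        )
    # Rewrite the source of LAN traffic leaving the WAN interface to its address.
    rules.append(
        f"iptables -t nat -A POSTROUTING -s {lan_net} -o {wan_if} -j MASQUERADE"
    )
    return rules


def permits(src_ip, proto, port, allow=ALLOW_OUTBOUND):
    """Would a NEW outbound flow from src_ip to proto/port be forwarded?

    Evaluates the same allow list build_rules() emits; with a DROP policy on
    FORWARD, no matching entry means the flow is blocked.
    """
    ip = ipaddress.ip_address(src_ip)
    for src, p, dport in allow:
        if p == proto and dport == port and ip in ipaddress.ip_network(src, strict=False):
            return True
    return False


if __name__ == "__main__":
    for line in build_rules():
        print(line)
    print("192.168.1.10 -> tcp/5190:", "allowed" if permits("192.168.1.10", "tcp", 5190) else "blocked")
    print("192.168.1.11 -> tcp/5190:", "allowed" if permits("192.168.1.11", "tcp", 5190) else "blocked")
```

Running the script prints the commands rather than applying them, so the rule set can be reviewed (or diffed against a previous version) before it is loaded with root privileges. The ESTABLISHED,RELATED rule is what keeps the default-deny policy from breaking replies to permitted connections.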

My main reason for trying ASL was to evaluate its Web content filtering abilities. I am opposed to government censorship, but in my opinion it is appropriate for private companies to limit access to non-work related content. For example, companies may risk liability for sexual harassment if they fail to limit employees' access to online pornography. Even if liability isn't a concern, lost productivity can be.

ASL's Web content filtering engine is Internet Security Systems' Proventia Web Filter, which allows an administrator to set up filtering rules based on user, time of day, one or more of 17 Web site categories, and whether to block or permit access. Particular sites can be whitelisted, so that they'll be accessible even if they fall into an otherwise prohibited category. Aside from standard Web page blocking, the filter can also be configured to block objects like JavaScript and ActiveX controls. So, besides being a way for a company to cover itself against liability or limit unproductive Internet usage, the content filtering can bolster security by blocking malicious content. Proventia logs the Web pages that users access, so the administrator can see how his bandwidth is being used.

To test the content filter I created a profile that blocked access to sites relating to weapons, pornography, and employment. Most of the "bad" sites that I attempted to access were blocked, and I got no false positives. However, I was a bit surprised to see that one or two URLs containing the F-word were not blocked. It's my understanding that URLs that pass through the filter and aren't blocked are forwarded to ISS for review, so as more users pass traffic through Proventia servers the various site classification lists should become more comprehensive. But this points to a fault shared by all list-based content filters: if a site isn't classified, access will be allowed. Other content filters that engage in on-the-fly content analysis may block sites that would not be blocked by list-based products, at the risk of false positives generated by incorrect analysis.

It's possible to set up the content filter so that different users are granted different levels of Web access. For example, a school running ASL could give very restricted access to freshmen and sophomores, less restricted access to upperclassmen, and unrestricted access to the Internet for faculty. Which profile is applied to a particular user is determined by user authentication, which can be handled by local accounts, RADIUS, Microsoft SAM, Active Directory, NTLM, or OpenLDAP.
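The three preceding paragraphs describe a list-based filter with per-user profiles, time-of-day rules, a whitelist, and the fail-open behaviour for unclassified sites. The evaluator below is an added example illustrating that policy model; it is not Proventia's or ASL's code, and the category list, user profiles, hosts, working hours and keyword list are all constructed. It makes the unclassified-site decision explicit so the difference between a pure list lookup (allow), a strict policy (block), and the on-the-fly inspection the review contrasts it with (here a crude keyword check, with the false-positive risk that implies) can be compared directly.

```python
"""Policy evaluator for a list-based web content filter with user profiles.

Added example; not Proventia's or ASL's own logic. Every category, host,
user, time window and keyword below is a constructed sample value.
"""
from datetime import time
from urllib.parse import urlparse

# Constructed category list: host -> category. A host absent from this
# table is "unclassified", which is the gap a list-based filter has.
CATEGORY_LIST = {
    "guns.example": "weapons",
    "adult.example": "pornography",
    "jobs.example": "employment",
    "careers.example": "employment",
    "docs.example": "reference",
}

# Sites reachable even when their category is otherwise blocked
# (for instance the organisation's own careers page).
WHITELIST = {"jobs.example"}

# Hours during which the profile's "work_hours" categories are also blocked.
WORK_HOURS = (time(9, 0), time(17, 0))

# Per-user profiles: categories blocked at all times, and categories
# blocked only during WORK_HOURS. Users without a profile are denied.
PROFILES = {
    "student": {"always": {"weapons", "pornography", "employment"}, "work_hours": set()},
    "staff": {"always": {"pornography"}, "work_hours": {"employment"}},
    "faculty": {"always": set(), "work_hours": set()},
}

# Crude stand-in for on-the-fly content analysis: block unclassified URLs
# whose text contains one of these constructed terms.
KEYWORDS = {"warez"}


def classify(host):
    """Look the host up in the category list; anything missing is unclassified."""
    return CATEGORY_LIST.get(host, "unclassified")


def decide(user, url, now, unclassified="allow"):
    """Return 'allow' or 'block' for one request.

    unclassified selects what happens to hosts not on the list:
      'allow'   fail-open, the list-based default the review describes
      'block'   fail-closed
      'inspect' block only if a KEYWORDS term appears in the URL
    """
    profile = PROFILES.get(user)
    if profile is None:
        return "block"          # unauthenticated or unknown user: deny
    host = (urlparse(url).hostname or "").lower()
    if host in WHITELIST:
        return "allow"          # whitelist beats category blocking
    category = classify(host)
    if category == "unclassified":
        if unclassified == "inspect":
            return "block" if any(k in url.lower() for k in KEYWORDS) else "allow"
        return unclassified
    blocked = set(profile["always"])
    if WORK_HOURS[0] <= now <= WORK_HOURS[1]:
        blocked |= profile["work_hours"]
    return "block" if category in blocked else "allow"


if __name__ == "__main__":
    t = time(10, 30)
    for user, url in [("student", "http://guns.example/"), ("staff", "http://careers.example/"),
                      ("staff", "http://unknown.example/page")]:
        print(user, url, decide(user, url, t), decide(user, url, t, unclassified="block"))
```

Running it shows the same unclassified request allowed under the fail-open setting and blocked under the fail-closed one; which of the two is appropriate is an administrative choice, since fail-closed trades the unclassified-site gap for a stream of legitimate sites that must be whitelisted by hand.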

I found the ASL Web GUI very responsive over my 100Mbps LAN when performing administrative tasks. Layout is logical and easy to navigate and worked well in Firefox, although the cursor became invisible when in some dialog boxes. I was able to use the GUI with equal facility from my D600 whether it was booted into SUSE or Windows XP.

It's important for an administrator to be able to get good information about what's happening on his systems, and Astaro's reporting features are excellent. For a lot of users, the Executive Summary report will provide enough detail without becoming overwhelming. If administrators need more detail they can obtain it via the GUI or by downloading the raw log files for off-box analysis.

My evaluation of ASL didn't encompass the mail proxying functions, due to my project's focus on content filtering. However, Astaro does make it relatively easy to protect email servers behind a proxy. A good use case for this would be to protect your network's main SMTP server behind an SMTP proxy handling antivirus and antispam filtering.

Another Astaro feature I didn't have the chance to try is VPN support, which enables an admin to grant remote access to a LAN via PPTP, IPSEC, or L2TP. Similarly, you can link two LANs at different locations via an encrypted tunnel over the Internet.

Overall, Astaro Security Linux is an impressive package which allows a network administrator to set up a secure firewall with advanced functions. Using the appropriate hardware it can support LANs ranging from small home setups to large corporate networks. ASL offers a comprehensive suite of security functions easily accessible through a well-designed graphical interface, which makes it accessible to network admins who aren't necessarily Linux gurus. Beyond that, ASL is backed by a company that's been in business since 1999 and which can provide technical support. This combination of open source and proprietary software with corporate backing may make it easier to sell ASL to managers otherwise leery of putting Linux systems into production use.

Dave Markowitz works in commercial product development for a large broadband ISP, and also provides LAN consulting to small businesses in the Philadelphia area. The opinions in this article are entirely his own and not representative of his employer.
