Product Reviews

Astaro's ASG120 provides the same UTM (unified threat management) features found in its larger siblings, just in a smaller package. Contained in a tiny desktop case, the ASG120 includes an ICSA-certified firewall with stateful packet inspection and application proxies, an intrusion-protection system using Snort, and an IPSec VPN Gateway.

Denial-of-Service (DoS) protection and port-scanning detection are also available. Anti-virus duties for web browsing and email traffic are taken care of by scanning engines from Clam AntiVirus and Kaspersky Labs, while Cobion Security Technologies' database is used for content filtering. Anti-virus, anti-spam and intrusion-protection data can all be updated using the Up2Date online services, although only 90 days of updates are included in the basic price.

The system's default configuration follows good security practice and blocks all traffic, so a few packet-filtering rules have to be set up to allow traffic to flow between networks. Rules can be set to activate at preset times, and can be applied to particular groups of network addresses, either to allow privileged access for some systems or to restrict access for others. Application proxies are provided for standard services such as HTTP and SMTP, while generic proxies can be constructed for any special services that might be needed. This is useful if you've created your

ADVERTISEMENT

own services using the system's service definition facility. Enabling an application proxy does more than simply turn it on. The HTTP proxy configuration, for example, gives access to the virus-scanning, content-filtering and spyware-protection modules as well. Similarly, the SMTP proxy can configure anti-virus scanning for all incoming mail, and can also configure the anti-spam feature, using real-time black-hole services and local blacklists, as well as grey listing and sender verification techniques.

The system supports Microsoft's Active Directory and its Security Accounts Manager predecessor, as well as Novell's eDirectory, RADIUS and LDAP. The system can also authenticate users against its own local database. User authentication is used to control who has access to the firewall's management interface and also to control access to services through their associated proxies. Each proxy can have a user-authentication mode specified, and can be further restricted to nominated users only.

VPN services are unrestricted, but in practice the unit's processing capacity would impose its own limitations. L2TP and PPTP are offered, and once again Microsoft clients are catered for with their own specific connection type. System monitoring is provided by a number of graphical displays covering CPU, memory and disk usage, as well as traffic and connection statistics. Monitoring and reporting facilities are adequate, utilising graphs and tables to give a comprehensive overview of the key areas of system performance, network activity and security functions.

The system offers a wide range of features that can be combined to provide a detailed level of control over user access to services and resources. It's an attractive proposition for small businesses looking to grow. The VPN support and user authentication options also make it a good fit for larger businesses with branch offices to support or with specialist departments on separate networks.