Saturday, August 9, 2008

Astaro - Are Two Half Loaves Better Than One?

Astaro is a commercial distribution that presents itself as a 'Security Gateway'.
They bundle up their software with a hardware solution and sell it as a complete package or just the software.

Their target market is really SonicWall and similar products. They claim to use the best of both open source and closed source products. Their software is available without fees for home users.

Astaro promotional material shows a very slick professional looking GUI. Their list of firewall and security related options is really extensive. IPSec to IDS and all stops between are covered.

Astaro doesn't really qualify to be my home server for a couple of reasons. Like any true security/firewall solution it doesn't serve files. Most security professionals would tell you a server has no place on a firewall. On the other hand, with the number of bells and whistles they are all packing into their boxes these days, I can't see where adding Samba makes much of a change in their overall target footprint. And of course it's a proprietary product.

Nonetheless, I was curious. It was considered as a possible solution for work, so I thought I'd take it for a spin.

The installer would get roasted on your average Linux distro review site. It's littered with oddities. For instance, the first screen tells you to use the arrows to navigate the installer screens, hit Tab to change the option and hit Enter to accept the changes and move on. Then the next screen says it's going to wipe your hard drive, and tells you to hit F8 to continue :-/ Nowhere does the tab key seem to do anything, and there's never a 'back' option. You can hit escape though - and it'll quit right out of the whole installation procedure....

The first couple of times I tried it I thought I had a bad CD because it kept saying 'Installation Failed - Restart'. Turns out that was incompatible hardware, because when I changed boxes it got a little farther. That time it recognized half my ethernet cards and posted a message saying it couldn't be a good firewall on just one ethernet card.

Now it is Linux, and if you do things like using control-alt-Fx to look for other consoles you can see a whole lot better what's going on, but the default install screen is pretty terse, and the options are few.

Once I had it installed it tells you to reboot and log in via the web gui to complete the installation. I did so, and immediately started seeing the polish that shows up in their marketing materials. It's a nice boot screen, and looks quite professional. The web gui is pretty too - at least what I saw of it.

I set the passwords, and ran thru the wizard, but once I turned a few options on it turned my target box into a complete waste of time. The GUI became so unresponsive that it was unusable. I actually rebooted sure that it must be hung or acting up, but no - it was DDOSing itself. I'm not sure why the hardware passed their check during the installer, because it was completely unable to run their product.

It's probably a good product for what it's designed for, and I'm guessing a gig of RAM would have made it perform usefully, but I'm not wasting time here when it won't do what I need it to anyway. Onwards!

P.S. If this is really what you want, rather than a home server - take a look at IPCop, Smoothwall, Vyatta, and Untangle among others. Gotta be one there you like.


  1. Thanks for trying the Astaro package, and I'm sorry it didn't suit you - but as you mentioned it is not designed to do what you need.

    A note on hardware, with its multiple proxies and traffic flow analyzers, Astaro does require a moderately robust system to run optimally.

    One significant thing about the free home-use offering from Astaro; unlike the other systems, Astaro provides both commercial and Open Source patterns and definitions free (including Snort VRT rules).

    If you decide to try it again, let me know if you need any tips on optimal setup.

  2. Thanks for commenting on my blog.

    I do think you guys should consider improving feedback on the installer, and maybe bumping your stated hardware requirements a bit - but reading your comments and re-reading my post I see I came off pretty negatively - which wasn't really my intent.

    As you said - it's not the right product for what I want. I didn't have the time or equipment to give it a fair trial at what it is designed to do.

    Hopefully someone who does want that kind of device will try out your product and make their own decisions.