Score: 2.93
Editor’s note: This is a summary of our testing of this product. For a full rundown of how it fared in our testing across 10 UTM categories, please see our full coverage.
The ASG 425a is a sleek 1U appliance with six 10/100/1000 Ethernet and two SFP (copper/fiber gigabit Ethernet) ports. Astaro has a single higher-end system, the 525, which adds more Gigabit fiber capabilities, and several systems smaller than the ASG 425a. Astaro also sells its firewall package as a “software appliance” if you want to bring your own hardware to the party.
Astaro is a relative newcomer to the firewall business, bringing both software and appliance-based hardware to the U.S. market from its home base in Germany in 2002. Astaro’s value proposition is simple: It aims to bring the best open source technologies together into a single product, with a layer of management, control and configuration wares that are proprietary to Astaro. (This is not to say that other firewalls we tested don’t contain open source software; almost all have some open source components. What’s different is the ratio of open source to proprietary components.)
This strategy has both a cost and a benefit. The obvious benefit is that Astaro can pick and choose among the best open source technologies and immediately incorporate them into its systems. For example, when Astaro does elect to support IPv6, it should be able to do so very quickly by simply incorporating the open source code and tools already available, making a huge leap forward.
The drawback, though, is that open source can only take you so far in the security world. The challenge is whether that’s going to be good enough for enterprises. For example, in our testing, Astaro’s IPS (based on Snort) certainly did as well as other Snort-based IPSs. But Snort was designed as an IDS, not as an IPS, and therefore Astaro’s IPS was only half as effective at blocking client attacks as Juniper's, and a quarter as effective as ISS's, both of which have proprietary IPS engines.
Some aspects of the Astaro ASG 425a were amazingly good and frighteningly bad at the same time. High availability is the best example. The ASG 425a beats out every other firewall we tested in the simplicity and ease of setup for high availability. All you have to do is plug the cable in between two dedicated ports and you’re done. Even SonicWall, where all you have to do is put in the serial number of the backup gateway, isn’t that easy.
But the problem is that the ASG 425a’s high availability didn’t work consistently. High availability locked up during load testing, and at another point both nodes claimed to be master.
A more fundamental issue that came up with the ASG 425a was the integration of the parts within the firewall itself. While Astaro has done a huge amount to make open source security-product management palatable, there are still rough edges. We noted elsewhere design issues related to adding UTM features to traffic flows, but IPS management is a particularly weak spot from an enterprise viewpoint. With the IPS, Astaro has broken up Snort’s huge rule base into digestible chunks, but there is no way to drill down and get to individual rules, as would be needed in an enterprise network.