Astaro's Linux-based firewall appliance stands out with a laundry list of capabilities, but runs several steps behind top competitors
Frills and drills
All the news about the interface isn't bad, though. We were quite pleased with the amount of information available right on the front dashboard. While other systems might have prettier interfaces, the Astaro dashboard is very clean, displaying a wealth of information without being cluttered. Another very cool feature is the ability to click on the tiny "I" icons in the Destination NAT (DNAT) interfaces to display where else these definitions were used. As with other systems, you sometimes have to disable linked rules (which depend upon other rules or objects) before you can make major changes. Having a quick way to see where else these rules were applied was very nice.
The HTTP proxy interface has a unique feature: a help section with a flowchart showing the order in which the rules are applied. Proxies have been the bread and butter of firewalls in the past, but they typically come with a cryptic interface. This is a wonderfully useful help file -- what a concept!
The responsiveness of the management interface certainly suffered when traffic ramped up, but the sluggishness wasn't anywhere near as dramatic as with the smaller ZyXel box. Although waits noticeably increased as the traffic load and number of attacks rose, the Astaro system remained responsive to management requests at all times.
The Astaro's throughput was a disappointment. The four units in this review ended up separating into two performance classes, with the SonicWall and WatchGuard far outpacing the Astaro and the much lower-priced ZyXel. At less than one-quarter of the Astaro's price, the ZyXel maintained slightly better throughput while under attack and blocked a slightly higher portion of the attacks. The Astaro could handle a WAN connection up to perhaps a couple of T-1s. For bigger pipes, you may need a UTM with more speed.
Viewed without an insider's knowledge of the hardware, the Astaro Security Gateway looks to be a special-purpose server with a single CPU that handles all of the functions right down to a PCI Express interface for the Ethernet ports. It clearly has some sort of encryption processor in it, or the 200 VPNs we ran would have killed the performance. However, if you start turning on lots of features, you'll see a noticeable impact on performance, as UTM functions quickly suck up CPU cycles. Unlike the SonicWall, the Astaro clearly does not partition management operations from the general traffic handling in the CPU cores. All of these functions are competing for resources.
Despite the drawbacks, the Astaro Security Gateway offers a massive collection of services for the price -- much more than what you could get on a roll-your-own box -- and it provides a much cleaner and more coherent management interface than you're going to find in the wild.