Astaro Security Gateway: Rich in features, poor in performance

Astaro's Linux-based firewall appliance stands out with a laundry list of capabilities, but runs several steps behind top competitors

Frills and drills

All the news about the interface isn't bad, though. We were quite pleased with the amount of information available right on the front dashboard. While other systems might have prettier interfaces, the Astaro dashboard is very clean, displaying a wealth of information without being cluttered. Another very cool feature is the ability to click on the tiny "I" icons in the Destination NAT (DNAT) interfaces to display where else these definitions were used. As with other systems, you sometimes have to disable linked rules (which depend upon other rules or objects) before you can make major changes. Having a quick way to see where else these rules were applied was very nice.

The HTTP proxy interface has a unique feature: a help section with a flowchart showing the order in which the rules are applied. Proxies have been the bread and butter of firewalls in the past, but they typically come with a cryptic interface. This is a wonderfully useful help file -- what a concept!

The responsiveness of the management interface certainly suffered when traffic ramped up, but the sluggishness wasn't anywhere near as dramatic as with the smaller ZyXel box. Although waits noticeably increased as the traffic load and number of attacks rose, the Astaro system remained responsive to management requests at all times.

The Astaro's throughput was a disappointment. The four units in this review ended up separating into two performance classes, with the SonicWall and WatchGuard far outpacing the Astaro and the much lower-priced ZyXel. At less than one-quarter of the Astaro's price, the ZyXel maintained slightly better throughput while under attack and blocked a slightly higher portion of the attacks. The Astaro could handle a WAN connection up to perhaps a couple of T-1s. For bigger pipes, you may need a UTM with more speed.

Server inside

Without having an insider's view, the Astaro Security Gateway looks to be a special-purpose server with a single CPU that handles all of the functions right down to a PCI Express interface for the Ethernet ports. It clearly has some sort of encryption processor in it, or the 200 VPNs we ran would have killed the performance. However, if you start turning on lots of features, you'll see a noticeable impact on performance, as UTM functions quickly suck up CPU cycles. Unlike the SonicWall, the Astaro clearly does not partition management operations from the general traffic handling in the CPU cores. All of these functions are competing for resources.

Despite the drawbacks, the Astaro Security Gateway offers a massive collection of services for the price -- much more than what you could get on a roll-your-own box -- and it provides a much cleaner and more coherent management interface than you're going to find in the wild.

The dashboard of the Astaro Security Gateway manages to impart a wealth of information without seeming cluttered.