LJ Archive CD

AstroFlowGuard Appliance

José Nazario

Issue #118, February 2004

Along with a nice reporting system, this package delivers an integrated and easy-to-manage interface with a good feature set.

The AstroFlowGuard appliance is a combined bandwidth management system, a VPN gateway, an IDS, a firewall and a NAT device. Along with a nice reporting system, this package delivers an integrated and easy-to-manage interface with a good feature set. Being an appliance, as opposed to a software distribution, it can be less error-prone—for a cost.

These boxes have been shipping for several months now, and the company has several customers both large and small. This means the company has been improving its product and proving itself in trials and deployments. Offmyserver and NetSoft teamed up to bring this appliance to market, with NetSoft doing the software and Offmyserver bundling it with the hardware. Offmyserver isn't that new, either, as it is an employee buy-out of iXsystems, formerly BSDi. Because of this, there's experience and market understanding behind this product, and it shows.

Setup Out of the Box

The AstroFlowGuard system ships as an appliance, so you get a box, a few cables, a manual and the system. The hardware is based on a Pentium 4 processor and should fit nicely into a 19" rack. Be warned, though; it's got a noisy fan, comparable to a medium- or large-sized router or enterprise switch, so this isn't for an open equipment room.

Initially, you have two big options to configure the system. The first is to use the LCD front panel to configure basic services. Here you can configure the basic IP networking parameters (address, netmask and gateway) along with the enabling or disabling of services. You navigate with a small number of easy-to-use buttons, almost like a network printer. Alternatively, you can hook up a PS/2 keyboard and a VGA monitor and use a curses-based configuration menu. You get the same basic menu items with this option that you do with the LCD screen. There isn't a command-line option, but most of the reporting is done better in the GUI. I was surprised a serial console interface wasn't included.

Once you have the basics set up, you can begin the final setup stages using your Web browser. This process isn't as easy as it sounds. I couldn't get the system to respond to HTTPS until the firewall was disabled, but after that I didn't have much difficulty. The login and product navigation is straightforward, so you don't need to consult the manual much except for a few tasks.

Hardware-wise, the box for the AstroFlowGuard should be enough to manage anyone's network. The system comes with four to six 10/100bT interfaces, which should work for most networks. Gigabit Ethernet is not an option at this time. AstroFlowGuard also lets you break out a DMZ network and a management network, all on one device.

A likely scenario for deployment would be to rack the box and configure the management address for the system. Once that's done, you would log in to the UI and configure the networks for the system to route. There, you can begin setting up your network management and enforcing that policy through the VPN (for secure Internet endpoints), the firewall and the bandwidth monitor.

The traffic shaping module is one of the more novel features in this class of device. With it, you can set up per-host and per-service bandwidth caps, which can help make the best use of a small network pipe. For example, you can configure a 50% maximum for Web traffic with an optional 10%, if needed, for short bursts. If you find peer-to-peer communications are hogging bandwidth, you can shape that down as well. Finally, if downloads from the outside world are consuming bandwidth from a server you run, you can back that off too. The UI makes all of this management relatively easy, and the reporting interface helps you make those decisions quickly.
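The appliance's shaping rules are configured through its Web UI, but since the box runs Linux underneath, the same policy can be expressed as a Linux HTB class tree. The script below is an added example and is not AstroFlowGuard's own configuration: it models the "50% cap for Web traffic plus 10% for short bursts" policy as an HTB class whose guaranteed rate is the cap and whose ceiling is cap plus burst (that mapping, the 10 Mbit/s link size and the eth0 interface name are assumptions). It prints the tc commands instead of running them unless APPLY=1 is set, so it can be reviewed offline without root.

```shell
#!/bin/sh
# Added example (not the appliance's code): express a percentage-based
# bandwidth cap as Linux HTB classes and u32 filters.
# Assumed: DEV is the WAN-facing interface, LINK_KBIT its capacity in kbit/s.

DEV="${DEV:-eth0}"
LINK_KBIT="${LINK_KBIT:-10000}"   # assumed 10 Mbit/s uplink

# run: execute the command only when APPLY=1, otherwise print it (dry run)
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# pct_rate <link_kbit> <percent>: integer kbit/s string for a share of the link
pct_rate() {
    echo "$(( $1 * $2 / 100 ))kbit"
}

# shape_class <classid> <cap%> <burst%> [parent]: one HTB leaf class whose
# guaranteed rate is the cap and whose ceiling is cap + burst (short bursts
# may borrow idle capacity up to the ceiling, never beyond it)
shape_class() {
    classid=$1; cap=$2; burst=$3; parent=${4:-1:1}
    rate=$(pct_rate "$LINK_KBIT" "$cap")
    ceil=$(pct_rate "$LINK_KBIT" $((cap + burst)))
    run tc class add dev "$DEV" parent "$parent" classid "$classid" \
        htb rate "$rate" ceil "$ceil"
}

# port_filter <port> <classid>: steer TCP traffic to/from a port into a class
port_filter() {
    port=$1; classid=$2
    # replies from a local Web server leave with source port $port ...
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
        match ip protocol 6 0xff match ip sport "$port" 0xffff flowid "$classid"
    # ... while local clients' requests leave with destination port $port
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
        match ip protocol 6 0xff match ip dport "$port" 0xffff flowid "$classid"
}

# emit_policy: full rule set for the page's example (Web capped at 50% + 10%)
emit_policy() {
    run tc qdisc del dev "$DEV" root 2>/dev/null
    # root qdisc; unclassified traffic falls into the default class 1:20
    run tc qdisc add dev "$DEV" root handle 1: htb default 20
    # parent class sized to the whole link so children can borrow from it
    run tc class add dev "$DEV" parent 1: classid 1:1 htb \
        rate "$(pct_rate "$LINK_KBIT" 100)"
    shape_class 1:10 50 10        # Web: 50% guaranteed, bursts up to 60%
    shape_class 1:20 40 10        # everything else: 40%, bursts up to 50%
    port_filter 80 1:10
    port_filter 443 1:10
}

emit_policy
```

With APPLY unset the script only prints the commands, which is also a convenient way to diff two versions of a shaping policy before committing it to a live interface; run it again with APPLY=1 as root to install the classes.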

Strengths

Under the hood is a Linux system, modified to boot without much issue or interaction, and various applications for network monitoring. These components include iptraf, rrdtool and Apache. This list probably gives the impression that you could build something like this for your own network, given an engineer or two for a few weeks. You probably could, but maintenance would be a consideration in this scenario.

Maintenance, then, is probably the biggest selling point for this product—AstroFlowGuard fares very well in the build vs. buy comparison. Although it's based on open and available components, it would take some effort to build a system like this and work out the kinks, keeping it usable for a staff of administrators. Because of this, what at first appears to be free quickly consumes a lot of money and time.

AstroFlowGuard goes well beyond this point, however. By being an appliance through and through, it's a simple matter of loading the box in a rack and maintaining it from there. Even upgrades are painless. You simply select the upgrade option from the menu, it tells you what changed and you go to it—painless, and the upgrade to 1.002 happened without a hitch.

The price of AstroFlowGuard, under $6,500 US, puts it well below its competition. For a bandwidth appliance, you could use a Packeteer or similar product; there are various (and expensive) traffic monitors. VPN appliances also can be quite expensive. Firewalls have been known to be expensive at times, too, and finally, an IDS appliance typically costs this much without the other features. Although the price may seem a bit steep, for that amount of money you'd have difficulty finding an appliance that does one or two of these tasks.

One of those features typically found only in expensive commercial firewalls is the support for failover. Parallel AstroFlowGuard devices can communicate and detect when the other one has failed and begin routing around it. This is a very useful feature for networks that require high availability.

Overall, the feature list of the AstroFlowGuard makes sense as a network edge device. Most people deploy their IDS functionality here, and the other modules (bandwidth shaping and monitoring, VPN tunneling and firewalling) all make sense in a policy management device. This single box can meet the needs of various small- and medium-sized business networks in a single relatively easy-to-use package.

As of version 1.002, the on-line help for the product is solid and easy to navigate. It's task-based, as opposed to feature-based, so it's easy to use when you're actively trying to set up a new management rule.

Drawbacks, Big and Small

There are, of course, a handful of drawbacks. The biggest one at this time is the fact that this is a new product, still forming and working out some creases. Although the major components are done, it has room to grow. Given this package's price, I recommend you examine it closely in relation to your network's needs before you dive into a purchase, but you probably will like this product.

The biggest drawback to the AstroFlowGuard's newness is the work flow within the application. The reporting interface is done well, and it allows you to drill down to various levels of detail. But, the configuration interface for adding bandwidth and firewall rules, for example, is in need of some maturity. The biggest complaint I had was figuring out the order in which various options should be configured—it's by adding classes and then specific rules.

A second complaint some may have is the Web UI uses several Microsoft Internet Explorer HTML and JavaScript extensions. This isn't a strict requirement, however, and my contact at NetSoft tells me they're working on changing that; expect this work to be done by the time you read this review. With a quick read of the source code to the pages, you can find the right entry points and use Mozilla on most pages without much difficulty.

One feature I found lacking is the IDS functionality. It seems to be a minimized feature in version 1.002; one that probably will receive an overhaul in the future. The configuration interface in this version was rather thin and didn't give much detail to the signatures within the IDS database, nor was there any way to configure new rules. When I enabled it on my home network, I received various alerts for traffic that didn't make much sense, but I didn't find the reporting interface for the IDS module very helpful either. I'd probably skip the IDS functionality at this point and hope it improves in future revisions.

What's Coming Next

Matt Olander, from Offmyserver, the company that distributes the AstroFlowGuard system, tells me that many of these issues will be addressed in the next revision of the software. First, the browser dependency will be removed. Second, the IDS functionality will be improved, allowing you to edit and escalate classes and events more significantly. And finally, the host management internals will be more automated, using automatic host detection on your local network. Combined, these new features significantly improve an already good product.

Conclusion

The AstroFlowGuard device certainly is a product worth looking at to bring a small network up to speed. Because it's an appliance, hardware and software configurations are kept at a minimum, meaning the staff can focus on other aspects and not have to worry about compatibility or installation issues. Currently at a 1.0 revision, some kinks need to be worked out, and not all of the features are mature at the time of this writing. Despite this, AstroFlowGuard compares favorably to other commercial offerings and beats them in terms of price.

José Nazario, PhD, works as a software engineer and security researcher for an unnamed Internet security company. He also develops on several open-source projects, has contributed to various Linux publications and likes to travel and give presentations.
