Astaro Firewall - Secure Gateway
Intrusion Protection detects and blocks probes and application-based attacks using heuristics, anomaly detection, and pattern-based techniques.
The Astaro firewall manages inbound and outbound communications traffic, as well as traffic between internal networks.
Administrators can block or allow access, for each protocol, to each internal network, server, service, and user group.
Application-Level Deep Packet Filtering
Astaro’s firewall provides both stateful packet inspection and application-level deep packet filtering. Packet headers are inspected, and ongoing connections are monitored, to make sure that they conform to the appropriate policies.
Application-level proxies scan content (payloads) to ensure conformance with rules specific to web traffic, email, DNS, and other broad application types.
With the easy-to-use WebAdmin graphical interface, administrators can quickly set rules to block or allow traffic, by protocol and by port, between pairs of source and destination addresses.
Security Proxies
A comprehensive set of proxies is provided for HTTP and HTTPS, SMTP, POP3, DNS, SIP and SOCKS.
These proxies simplify management by allowing administrators to quickly and easily enable and disable protocols and features such as virus scanning, content filtering, caching, whitelists and blacklists, file extension filtering, and MIME error checking.
Web and email proxies can be run in transparent mode, so that each user's packets are redirected to the proxy without having to reconfigure desktop settings.
NAT, Masquerading and DoS Protection
Dynamic and static Network Address Translation (NAT) and masquerading conceal internal IP addresses behind a “public” IP address, to prevent attackers from learning about internal networks, servers, and users.
Astaro’s firewall protects against common Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks such as TCP SYN flood, ICMP flood, UDP flood, Smurf, Trinoo, and IP spoofing.
Transparent Firewall Mode
Packets can traverse the firewall in transparent mode without modifying any of the source or destination information in the packet header. The firewall can be inserted or removed from the network without needing to reconfigure IP addresses.
Time-Based Rules and Policy-Based Routing
Packet filter rules can be set for specified time periods. User groups can be granted access to networks and servers at certain times of day and denied access at others.
Astaro’s firewall can forward and route packets based on destination IP address, source IP address, source port, and destination port. Traffic can be spread over multiple Internet uplinks to improve application performance, reduce bandwidth use, and control costs.
Traffic Shaping and QoS
Administrators can increase or decrease the priority of different types of traffic between specific endpoints, providing quality of service (QoS) for critical transactions.
Detailed Reporting
Astaro Security Gateway provides detailed reporting on network traffic, connections, packet filter violations, hardware utilization on the firewall system, and other information for managing the firewall.
Accounting reports provide detailed data on traffic to and from network segments.
Detailed logs can be stored and viewed in text format, or exported to spreadsheets and reporting systems for ad-hoc or specialized analysis.

Anomaly Detection
“Zero-day attacks” are malicious threats that attack networks before signatures have been developed. To protect against them, Astaro’s Intrusion Protection identifies typical network traffic patterns via statistical and heuristic analysis. It then alerts administrators when it detects anomalies that indicate attacks, such as new network services or previously unseen hosts.
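As an added illustration (not Astaro code and not the product's actual algorithm), the baseline-and-deviation idea in simplified form: a profile of known hosts and the services each server offers is learned from constructed flow records, and later flows are checked against it, raising alerts for previously unseen hosts and for new services on known hosts. All addresses, ports and timestamps are made up.

```python
from collections import defaultdict

# Constructed sample flow records (timestamp, src_ip, dst_ip, dst_port, proto).
# These values are invented for illustration, not taken from any real capture.
BASELINE_FLOWS = [
    ("2024-01-01T09:00:00", "10.0.1.20", "10.0.2.10", 25, "tcp"),   # mail server
    ("2024-01-01T09:00:05", "10.0.1.21", "10.0.2.10", 25, "tcp"),
    ("2024-01-01T09:01:00", "10.0.1.20", "10.0.2.11", 80, "tcp"),   # web server
    ("2024-01-01T09:02:00", "10.0.1.22", "10.0.2.11", 443, "tcp"),
    ("2024-01-01T09:03:00", "10.0.1.20", "10.0.2.12", 53, "udp"),   # DNS server
]

LIVE_FLOWS = [
    ("2024-01-02T09:00:00", "10.0.1.21", "10.0.2.11", 80, "tcp"),   # matches baseline
    ("2024-01-02T09:00:10", "10.0.1.99", "10.0.2.11", 80, "tcp"),   # unseen client host
    ("2024-01-02T09:00:20", "10.0.1.20", "10.0.2.10", 23, "tcp"),   # new service on mail server
    ("2024-01-02T09:00:30", "10.0.1.22", "10.0.2.13", 445, "tcp"),  # unseen server host
]


def learn_baseline(flows):
    """Build a profile of every host seen and the (port, proto) services each destination served."""
    hosts = set()
    services = defaultdict(set)
    for _ts, src, dst, dport, proto in flows:
        hosts.update((src, dst))
        services[dst].add((dport, proto))
    return {"hosts": hosts, "services": services}


def detect_anomalies(baseline, flows):
    """Return (timestamp, reason) pairs for flows that deviate from the learned baseline."""
    alerts = []
    for ts, src, dst, dport, proto in flows:
        # Any endpoint not present during the learning period is reported once per flow.
        for host in (src, dst):
            if host not in baseline["hosts"]:
                alerts.append((ts, f"previously unseen host {host}"))
        # A known destination answering on a port/protocol it never served before.
        if dst in baseline["hosts"] and (dport, proto) not in baseline["services"][dst]:
            alerts.append((ts, f"new service {proto}/{dport} on {dst}"))
    return alerts


if __name__ == "__main__":
    for ts, reason in detect_anomalies(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(ts, reason)
```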
Intrusion Detection and Prevention
Astaro’s Intrusion Protection application can notify administrators about suspicious behavior (“intrusion detection”) and work with the firewall to immediately block incoming traffic associated with intrusions (“intrusion prevention”).
New threat patterns are installed frequently through the Astaro Up2Date service. Astaro utilizes new threat patterns from the Snort project and from Sourcefire, the leading Open Source and commercial sources of intrusion patterns.
Performance and Control
Because intrusion protection is in-line with the firewall, all Internet and VPN traffic is inspected, and there are no delays as traffic is routed to a separate sensor. Rule changes are applied immediately, without any need to reboot the firewall or change network configurations.
The administrator can also tailor intrusion testing to each network by:
- Enabling or disabling any of the over 3,000 rules.
- Customizing existing rules and creating new ones.
- Performing tests only where they are needed (for example, email-related tests only on traffic to email servers).
Selected Classes of Intrusion Detection Rules
Probes and Attacks: Backdoor software; Denial of service; Distributed denial of service; Network scanning; Unwanted traffic.
Applications and Services: Messaging and chat; MySQL Server database; Oracle database; CGI scripts; P2P networks (Napster, Kazaa); ColdFusion; FrontPage; Microsoft IIS; Multimedia streaming software.
Protocols: DNS; FTP; ICMP; IMAP; NetBIOS; NNTP; P2P; POP2; POP3; RPC; SMTP; SQL; TFTP; X11.
The Astaro VPN (Virtual Private Network) gateway uses a variety of data encryption methods to create a secure communications “tunnel” over the public Internet.
Multiple Architectures
To accommodate the needs of branch offices, home users, and “road warriors”, the VPN gateway supports a variety of VPN architectures, including Net-to-Net, Host-to-Net, and Host-to-Host.
Broad Protocol and Client support
The Astaro VPN gateway supports a broad range of VPN protocols, such as IPSec, L2TP over IPSec, and PPTP.
Administrators can select from a broad range of VPN clients, including the native Windows and Windows Mobile PPTP and L2TP over IPSec clients, the Mac OS X VPN client, and other VPN clients that follow the IPSec standard, including the Astaro Secure Client. Different clients can be mixed in an Astaro VPN environment.
Certificate Authority
The Astaro Security Gateway includes an internal certificate authority with authentication based on a PKI trust chain. This enables the use of digital certificates without requiring that certificates be generated centrally and distributed to remote sites.
Certificates from external and public Certificate Authorities can also be used. X.509 CRL support means that Certificate Revocation Lists can be imported to revoke disabled or expired certificates.
IPSec Dead Peer Detection
The Astaro VPN gateway automatically detects when IPSec gateways and clients become unavailable, so that network outages and IPSec peer crashes can be detected and remedied quickly.
Simplified Remote Access
Dynamic IP addresses and DNS/WINS server addresses, taken from a virtual address pool or provided by a DHCP server, can be distributed automatically to simplify remote access. IPSec client configurations can be distributed from a central point, simplifying mass rollouts of IPSec VPNs.
Integrates Into Existing Environments
Astaro’s VPN gateway is easy to integrate into existing environments. It can authenticate VPN users against local databases, RADIUS servers, Novell eDirectory, Microsoft Active Directory, and LDAP-compliant enterprise directories. It can also apply access policies based on users and groups, IPs and networks, and PKI-based IPSec user groups. Connections to LDAP servers can be encrypted using SSL/TLS, so that authentication against LDAP data sources can be performed securely over the Internet.
Firewall Integration
Astaro’s VPN gateway is fully integrated with Astaro’s firewall. IPSec VPNs can utilize NAT traversal and virtual IP addresses. Firewall settings are generated automatically when VPN clients are configured. Packet filter policies can be specified on a per-user basis. VPN user groups can be created and used to grant access rights.
Encryption algorithms supported: AES (Rijndael); DES; 3DES; Blowfish; Serpent 128-bit; Twofish 128-bit; MPPE (40 and 128 bit).
Authentication methods include: Passphrase (PSK); Certificates (X.509v3); Raw RSA keys; CHAP, MSCHAP, MSCHAPv2, and PAP; RADIUS (for L2TP, IPSec and PPTP).
IPSec protocols include: Internet Key Exchange (IKE); Encapsulating Security Payload (ESP); Layer 2 Tunneling Protocol (L2TP); NAT-Traversal.
