The document summarizes an Astaro product presentation. It discusses Astaro's security gateway products which provide unified threat management for small and medium businesses. It covers their security features including firewall, VPN, intrusion prevention, email security, web security and application security. It also discusses their management tools and high availability/load balancing networking functions.
4. Our Business ASTARO is the leading European UTM Security provider for small to medium sized companies and organizations requiring integrated products for Email, Web and Network Security that are cost efficient and easy-to-use. In contrast to suppliers of single- or other multi-function products for internet security, only Astaro offers easy-to-use All-In-One security gateways with complete enterprise-class functionality specifically designed for SMEs.
15. Awards
- SC Magazine - Best SME Security Solution 2010. The final verdict: "a great product at a highly competitive price. Overall a great value for the money."
- SC Magazine - 5 Star Rating. Astaro Security Gateway is a "very responsive and strong appliance. Contains all the necessary security and content management features."
- WINMAG Pro - MKB Best Choice 2009
- WindowSecurity.com - Software-Based Firewall Readers Choice
- Scholastic Administr@tor - Best in Tech for Network Security 2009
- VAR Business 2009 Partner Program Guide - 5 Star Rating
- Linux Magazine - Top 20 Companies to Watch in 2009
16. Awards
- Technology Innovation of the Year Award 2008: "superior performance" (Frost & Sullivan)
- Top 100 Innovator 2008: "exceeding creative and innovative research and development" (Compamedia)
- PC Praxis Testsieger: "technically outstanding" (PC Praxis)
- 2008 Editor's Best Award: "competitive advantages, value to the customer" (Windows IT Pro)
- 3x Best of the Year Award, 2x Editor's Choice: "To call Astaro's Appliance just a UTM would be a major understatement." (SC Magazine)
- 2x Product of the Year: "Among the array of contenders, one product managed to stand out." (CRN Magazine)
17. Certifications
- TOLLY Up-to-Spec Certified: independent test lab (Tolly Enterprises, LLC)
- Common Criteria: First UTM appliance to receive the Common Criteria certification from the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik)
- ICSA Labs Firewall Certification: security industry's central authority for research, intelligence, and certification testing of products (ICSA Labs)
- VMware - VMware Ready Certification: Products that carry the VMware Ready logo have passed specific VMware integration and interoperability criteria and are ready to run mission critical business applications and operations with full VMware support.
18. Recognitions "Frost & Sullivan believes that Astaro is to be a leading company in the UTM market…" - 2009
33. Deployment Models [Slide diagram with the layers Hardware, Operating System and Application for the three models: Hardware Appliance, Software Appliance, Virtual Appliance.] First UTM appliance that passed the VMware validation program.
Astaro's goal is to provide complete IT security solutions which integrate the right technology and are also understandable, easy to use and pragmatic to employ. Furthermore, the solutions should be independent from the platform. Through the Astaro Security Gateway product family, you are able to establish a central component for the protection of Internet traffic as a whole. The solution can be adopted as a self-managed solution, as a managed Gateway solution for the customer (CPE) or as a cloud-based service available through service providers or partners. Astaro Mail Archiving is a hosted service which simplifies mailbox management and legal compliance requirements. The image in the slide above illustrates the possible deployment scenarios for Astaro products.
The threat scenarios for a company's IT infrastructure have evolved heavily over the past 10 years, to the point where new technology updates are constantly required for sufficient protection. This is partly due to the continuous increase in complexity of the IT landscape. The threats themselves are also rapidly evolving and can often only be fought through a combination of different technologies.
The number and complexity of the tools required for IT security are also on the rise. Firewalls and VPN gateways no longer provide sufficient protection. The use of Intrusion Detection and Prevention Systems (IPS) has become mandatory, and the demand for tools which check e-mails and web downloads for dangerous content such as spam, viruses, spyware and phishing is also on the rise. With every additional tool employed in your IT security infrastructure, the costs and the time spent on installation, training and maintenance will also increase. As a result, many companies today cannot cover this requirement.
The ASG product line covers models for small networks and remote locations with up to 10 users to large networks with up to 5000 users. As opposed to other UTM solutions, Astaro software can be also installed on your own servers. The same set of security applications, including features such as Active/Active Clustering, WAN Uplink Balancing or Active Directory Integration, is available on all Astaro Security Gateway models - no matter if the hardware, software or virtual appliance is deployed. Furthermore, every hardware appliance contains an integrated hard drive for local spam quarantine and log/reporting information. Therefore, even the smallest remote office can get the same protection as a company's central office - without compromise. The ASG 525 and 625 models offer the highest availability through a redundant hard drive and power supply.
Routers for private users are cheap. However, installing and managing them individually requires a lot of time. Very often, important security functions which business customers require are not present. Low-end UTM appliances usually have the obligatory security features. However, if you sum up the effort and the hidden costs for roll out, maintenance, subscriptions and management software, these products are anything but "simple" and "affordable". MPLS and Managed VPN Services are comfortable but require high budgets. Furthermore, they are not available everywhere.
The small and affordable Astaro RED appliance creates a secure VPN tunnel to a central Astaro Security Gateway. This works like a direct Ethernet cable between the central and remote offices. Astaro RED appliances work similarly to a "thin client" in regard to the central Astaro Security Gateway. This means that the entire traffic is redirected to the central office, where the security functions of the central Gateway are running. As a result, remote offices which are connected via an Astaro RED have the same level of security as their central office location. Astaro RED therefore offers complete enterprise-class security for small remote and home offices (depending on the security features running on the central Gateway).
Astaro RED is the first complete Security Gateway which does not require configuration or special technical know-how at the local office. The configuration is carried out at the headquarters location and automatically distributed to all Astaro RED devices. Even mass roll outs of up to 100 appliances per day are realistic. Configuration and setup are carried out automatically and are ready in just a few steps:
- Appliance can be sent unconfigured to the remote office
- At the remote location, an employee will communicate the Device ID (found on the bottom of the appliance) to the IT department at the headquarters location
- The IT department will give the RED device a name within the central ASG
- A new configuration will be automatically generated
- Connect the Internet cable to the Astaro RED
- Connect to a computer
- Plug it in
- The tunnel will be created automatically
Requirements: Central ASG needs to run at least V7.505 with the Network Security Subscription (minimum). The remote office needs an Internet connection (Router/Cable modem with DHCP and Port 3400 open).
The Astaro Security Gateway works as an "Astaro RED controller" and centrally manages all Astaro RED appliances via a cloud-based provisioning service. The complete configuration, logging and bug fixing is carried out at the headquarters location. Individual administration for each unit is not required. With Astaro RED, the administration of the IP addresses of the remote offices is reduced to child's play. The DHCP and DNS server configuration is carried out centrally in the Astaro Security Gateway and distributed to the connected Astaro RED appliances. The individual creation and administration of security policies for every single location is also not necessary. You need only to create and administer a global policy which is valid for all remote locations. A further advantage is the integrated reporting function from Astaro which delivers information to all connected networks - without the need for a separate reporting tool.
Technical facts about Astaro RED
A WLAN solution needs to be:
- simple to administer: No WLAN expertise required through auto configuration. Fast and simple provisioning of many Access Points for central management.
- reliable: Uninterrupted signal for the entire office.
- secure: Integrated UTM functionality. Strong encryption. Supports the latest Wi-Fi standards (802.11n).
Access Points for home users (D-Link, Linksys): Such consumer products are affordable, but offer only a limited number of features. They are usually restricted in the WLAN area (for authentication, multiple and guest zones) and also in the security area (for content filtering). They are also hard to manage individually, especially when more than one is in use.
Low-end UTM appliances with integrated WLAN (Watchguard, Fortinet, Cisco): These appliances require a substantial initial investment and offer integrated UTM security. However, they have only a restricted area of application. Since these appliances are usually located in the server room, the whole office will not receive a signal.
Enterprise WLAN Solutions (Aruba, Belden/Trapeze, Meru Networks): These solutions offer comprehensive WLAN functionality, but are relatively expensive and, because of their complexity, often hard to manage. Furthermore, they require an additional security solution for the protection of the network.
This slide shows our Access Points (the AP 10 on the left and AP 30 on the right). The AP 10 is for up to 10 users with a maximum throughput of 150 Mbit/s. This WLAN solution is directed towards smaller office environments. The AP 30 is for up to 30 users with a maximum throughput of 300 Mbit/s. This PoE aligned Access Point is available in the design of a smoke detector for a ceiling mount and is directed towards larger office environments. This appliance covers higher requirements for amount of users, signal reach and performance.
Astaro Wireless Security is a new approach, which serves to simplify the secure and reliable availability of WLAN environments. The integrated wireless controller in the ASG ensures that the affordable Access Points do not require any manual configuration. Astaro Access Points can be positioned anywhere in the office and offer a strong WLAN signal all over the office; placement behind an Astaro RED is also possible. WLAN access for guests is available in minutes, and many clients can be protected through the UTM security of the central ASG.
Plug & Play Implementation. Configuration and implementation of the Access Points require only a few steps:
- Create a new WLAN in the WebAdmin (network name, zone and encryption should be specified)
- Connect the Access Points anywhere in the network
- All Access Points appear automatically in the WebAdmin as "Pending Access Point"
- Click on "Accept" and the Access Point automatically creates a tunnel and allows for a secure connection
Requirements: Min. V7.507, Min. Wireless Security Subscription
The Astaro Security Gateway works as a WLAN controller and centrally administers all Access Points. Configuration, logging and bug fixing are all carried out in the Astaro Security Gateway. Astaro Access Points act in regard to the Security Gateway's WLAN Controller as a thin client. The Astaro Access Points do not require any configuration. This means, the controlling functions in the Access Point devices are reduced to a minimum and are found in the WLAN controller instead. A further advantage is the integration of Astaro's reporting function, which delivers information to the connected WLAN clients without the need for a separate reporting tool. An active Wireless Security Subscription is required for the Astaro Security Gateway as a minimum requirement in order to use and administer the Astaro Access Points.
Placement Choice: Astaro Access Points can be placed anywhere in your organization, providing a strong wireless signal all over the office. This gives mobile users uninterrupted access to networked data, also in different locations like the conference room, corridors or reception.
Multiple Zones: All Astaro Access Points support up to 8 WLAN zones (SSIDs), each providing different authentication and privacy settings. This enables wireless guest Internet access without the risk of compromising the integrity of your network. The capacity of broadcasting multiple SSIDs allows the creation of what is often called a "virtual access point", the partitioning of a single physical access point into several virtual access points, each of which has a different set of security and network settings.
Wireless Access Points integrate seamlessly into the Astaro Security Gateway and instantly protect all wireless clients through complete UTM security, as provided by Astaro's award winning security technology. With Astaro Wireless Security, all security applications are executed within the central gateway, and all wireless traffic is forwarded to the Astaro Security Gateway. Thus, the wireless clients obtain the same level of UTM security as if they were physically connected to your internal network. Astaro Wireless Security supports state-of-the-art wireless encryption and authentication standards, ensuring the wireless connection is as secure as it gets: WPA2-Enterprise in combination with IEEE 802.1X (RADIUS authentication). The Astaro Wireless Security monitoring function also enables users to easily recognize rejected authentication attempts.
This slide details the technical information of the AP devices. The AP30 is delivered with a PoE Injector as standard! For larger installations, in which a PoE Injector already exists, AP devices without the PoE Injector and mains supply are available.
Remote access to corporate network data from any location at any time is a necessity for mobile or home workers in many businesses. However, setting up these clients on individual PCs often becomes a huge administrative burden. Astaro VPN clients offer secure and flexible remote access for any type of network environment and operating system with minimal administrative effort. Astaro offers two different clients for IPsec and SSL connections. Depending on your individual requirements and client operating systems in use you can easily deploy both clients to securely connect to any Astaro Security Gateway.
Astaro IPsec Client is a powerful and feature-rich client for IPsec based remote access from Windows XP, Windows Vista or Windows 7 based PCs (32 and 64 bit support). Many encryption types available: AES (128/192/256), DES, 3DES (112/168), Blowfish (128/448), RSA (up to 2048 Bit), DH groups 1/2/5/14, MD5, SHA-256/384/512.
Astaro SSL Client is an easy-to-use client for transparent SSL access to all company applications (no “Webifier” required). Installs on Windows, Linux, MacOS and UNIX operating systems. Available free of charge with any Astaro Security Gateway!
The Astaro Smart Installer is a special USB device that contains a unique chip which allows emulation of a USB CD-ROM. With it you can place the latest version of an Astaro image on an Astaro Gateway, if for example the installation is many updates or major versions behind. This saves the long process of applying many updates or moving across major versions all at once. Furthermore, a configuration backup can be easily installed after a system crash - without manual intervention.
What are the challenges when many Gateways are used in one company?
How are central management tasks approached today?
Different types of attacks require different mechanisms for recognition. One mechanism is the use of patterns, similar to that in an IPS system. With this, many of the usual SQL injection and XSS attacks can be recognized and prevented. Astaro WAS uses a comprehensive set of patterns, which are updated live.
- Over 350 patterns dedicated to this single area of protection
- Live-updated in real time using Astaro Up2Date technology
- Can be configured by any administrator, no special training is required
- Support for multiple profiles which can be applied to different servers separately
- No complex regular expressions to master
- Reduces the risk of data theft and site tampering
Astaro WAS inspects all outgoing and returning cookies:
- Outgoing cookies are stamped with a digital, tamper-proof signature
- Returning cookies are inspected by WAS
- Invalid or missing signatures will cause the cookie to be discarded (cookies not issued by the server will have no signature at all)
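The cookie stamping described above, as an added example that is not Astaro's code: it assumes an HMAC-SHA256 tag appended as `value.signature` and a key held only by the gateway, neither of which the presentation specifies. All function names and the sample cookies are constructed for illustration.

```python
import hashlib
import hmac

SIG_LEN = 32  # hex characters kept from the HMAC-SHA256 digest (128 bits)


def _mac(key: bytes, name: str, value: str) -> str:
    # Bind the tag to the cookie name so a signed value cannot be
    # replayed under a different cookie name.
    msg = name.encode() + b"=" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:SIG_LEN]


def stamp_cookie(key: bytes, name: str, value: str) -> str:
    """Outgoing direction: the value the browser will store."""
    return f"{value}.{_mac(key, name, value)}"


def verify_cookie(key: bytes, name: str, stamped: str):
    """Returning direction: original value, or None if unsigned or tampered."""
    value, sep, sig = stamped.rpartition(".")
    if not sep or len(sig) != SIG_LEN:
        return None  # no signature at all: not issued through the gateway
    expected = _mac(key, name, value)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return value


def filter_cookie_header(key: bytes, header: str):
    """Rewrite a request Cookie header before it reaches the web server.

    Returns (clean_header, dropped_names): valid cookies have their
    signature stripped, invalid or unsigned ones are discarded.
    """
    kept, dropped = [], []
    for part in header.split(";"):
        name, sep, stamped = part.strip().partition("=")
        if not sep:
            continue
        value = verify_cookie(key, name, stamped)
        if value is None:
            dropped.append(name)
        else:
            kept.append(f"{name}={value}")
    return "; ".join(kept), dropped


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key must be random
    session = stamp_cookie(key, "session", "abc123")
    role = stamp_cookie(key, "role", "user")
    # Client edits the role value but keeps the old signature, and adds a
    # cookie the server never issued.
    forged_role = "admin." + role.rpartition(".")[2]
    header = f"session={session}; role={forged_role}; tracking=xyz"
    print(filter_cookie_header(key, header))
```
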
URL hardening checks every website request that a visitor is allowed to make, restricting them to valid ones only. For this, the administrator needs only to define the initial URL (for example www.astaro.com). When a page is then requested, WAS checks the links to the sub pages and objects and saves these as "allowed" URLs. For our example, allowed URLs would be /products, /solutions etc… If someone tries to access www.astaro.com/admin.php, for example via manual intervention, WAS will reject the request. Additionally, the URLs and objects which are sent to the browser from the server will be signed. Through this, the manipulation of single parameters such as /resources.php?userID=123 can be prevented.
Another feature of Astaro's Web Application Security is its antivirus scanning. With two engines which operate separately in parallel, it is possible to scan uploads and downloads. This prevents users from uploading infected files such as e-mail attachments (OWA) or posting infected content to your bulletin board (UBB). On the other side, it prevents customers and visitors from becoming infected should your site attempt to distribute a virus to them.
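URL hardening as described above, in an added example that is not taken from Astaro WAS: allowed paths are learned from links in served pages, everything else is rejected, and links carrying parameters get a signature. The `UrlHardener` class, the `sig` query parameter and the HMAC-SHA256 scheme are assumptions, and the HTML sample is constructed.

```python
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page, served for the entry URL "/".
SAMPLE_PAGE = """
<a href="/products">Products</a>
<a href="solutions">Solutions</a>
<a href="/resources.php?userID=123">My resources</a>
<img src="/img/logo.png">
<a href="http://other.example/landing">Partner site</a>
<a href="mailto:info@example.com">Mail</a>
"""


class _LinkCollector(HTMLParser):
    """Collects href/src/action attribute values from a served page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr in ("href", "src", "action") and value:
                self.links.append(value)


class UrlHardener:
    def __init__(self, key: bytes, host: str, entry_paths=("/",)):
        self.key = key
        self.host = host
        self.allowed = set(entry_paths)  # entry URLs defined by the admin

    def _sig(self, path: str, query: str) -> str:
        msg = f"{path}?{query}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def learn(self, page_path: str, html: str) -> None:
        """Response direction: record same-host links found in a page."""
        collector = _LinkCollector()
        collector.feed(html)
        base = f"http://{self.host}{page_path}"
        for link in collector.links:
            target = urlsplit(urljoin(base, link))  # resolves relative links
            if target.scheme in ("http", "https") and target.netloc == self.host:
                self.allowed.add(target.path or "/")

    def sign_link(self, link: str) -> str:
        """Response direction: sign path + parameters of an outgoing link."""
        parts = urlsplit(link)
        if not parts.query:
            return link
        sig = self._sig(parts.path, parts.query)
        return f"{parts.path}?{parts.query}&sig={sig}"

    def check(self, request_target: str) -> bool:
        """Request direction: allow only learned paths with intact parameters."""
        parts = urlsplit(request_target)
        if parts.path not in self.allowed:  # exact match, deny by default
            return False
        if not parts.query:
            return True
        query, sep, sig = parts.query.rpartition("&sig=")
        if not sep:
            return False  # parameters present but never signed
        expected = self._sig(parts.path, query)
        return hmac.compare_digest(sig.encode(), expected.encode())


if __name__ == "__main__":
    wall = UrlHardener(b"constructed-demo-key", "www.astaro.com")
    wall.learn("/", SAMPLE_PAGE)
    signed = wall.sign_link("/resources.php?userID=123")
    for target in ("/products", "/admin.php", signed,
                   signed.replace("userID=123", "userID=124")):
        print(wall.check(target), target)
```
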
WAN Link Balancing enables the simple and simultaneous use of many Internet connections. With this extension, Astaro allows the option of an active/passive setup (the second connection will then only be used when the first connection is not available). Alternatively, the new Multipath-Balancing can be used. The new active/active balancing enables you to distribute many connections and set standard priorities for the respective connections in case of a system crash. This scenario shows a configuration in which a special type of data transfer (Web/Mail) is bound to a special uplink interface. Each connection serves as a backup for the other in case one fails.
Incoming data traffic can be dynamically divided over many servers in a cluster. The failure of a server in the list (dead peer) will be immediately recognized through a customizable availability test (health-check - TCP, ICMP (Ping), HTTP Connect or HTTPS Connect). Session persistence guarantees that clients are always connected with the same server. This prevents existing sessions from breaking, which would otherwise force the client to start over and re-enter information (for example with online shopping).
With active/passive HA, a slave system operates in stand-by operation. In normal operation, all tunnels, firewall connections and quarantined objects are synchronized. In the case that the master fails, the slave takes over in less than 2 seconds. After the takeover, the IPsec tunnels do not need to be rebuilt. Both devices are logically available for management, but only one is visible.
The Active-Active (Cluster) mode offers high availability as well as integrated load balancing for up to 10 nodes. The load balancing is steered by the master, therefore an external load balancer is not required. As opposed to other cluster solutions, the master node inspects every data packet before it is forwarded to the other nodes. This ensures that only the performance intensive tasks such as virus scanning, IPsec or Intrusion Prevention are distributed to the other nodes. The existing network environment does not need to be updated - the complete cluster is considered as "one" routing device inside of the network. New nodes can be added during live operations. The whole configuration, all connections and Firmware releases will be automatically synched during operations. The synch load between the nodes is minimal thanks to the innovative Astaro algorithm. Astaro Active-Active HA enables the use of fully networked configurations via redundant switches (internal/external). Advantages: Drastically improved performance (up to 1 Gbps) for complex scanning tasks. This makes ASG one of the highest-performing security solutions on the entire market.
Through "Zero-Config HA", configuring HA environments is reduced to child's play. All devices are set to "Automatic Configuration" as standard. When two devices are connected via the HA interface, they configure themselves automatically in Active-Passive HA mode. In order to configure an Active-Active (Cluster), you need only to change the HA mode on the master to "cluster". All devices then independently register in the cluster. No additional configuration is required for the slave nodes of the cluster.
Astaro Security Gateways support uninterruptible power supplies (UPS) from APC and MGE. The UPS signals a power cut (change to battery supply) via the USB port, and a message is then sent to the admin. After a critical battery level has been reached, the ASG is "ordered" to power down.
Astaro Security Gateways offer different routing functions: Static routing enables the manual entry of routes in the WebAdmin. Via policy routing, the paths are independently defined by the source and target address as well as by the data type, so that, for example, VoIP data finds the lowest-latency path or unimportant information finds the cheapest connection route. Dynamic OSPF routing enables the automated recognition of current network topologies and the selection of the optimal route. Changes to the topology (for example with power loss) will be automatically recognized. Astaro supports OSPF V2 - RFC 2328 inclusive of MD5 and password authentication. OSPF is the most used protocol inside of large backbone networks and offers many advantages as opposed to older protocols such as RIP. Multicast routing allows for the distribution of single packets to many recipients, which for example makes the assignment of media streams much more efficient.
The integrated DHCP proxy can be used as a server to supply clients in local networks with dynamic IP addresses. It can also be appointed as a relay in order to forward address requests to an external server. For every network Interface, different DHCP configurations are possible.
The integrated DNS proxy allows for flexible resolution of domain names into IP addresses. Not only can different external DNS servers be used, but unique static entries can also be administered in the ASG. A local cache accelerates the requests to the DNS server. Split DNS allows requests for specific domains to be forwarded to a local DNS server.
Astaro QoS can guarantee bandwidth availability for certain types of outgoing network traffic. This bandwidth is however not continuously reserved and blocked off for other applications but only applied when the bandwidth availability becomes tight, for example when unimportant data is taking up too much of the whole bandwidth. Applications (for example P2P, web surfing, ERP, VoIP) can be simply defined through a data selector (also when used by ToS and DiffServ flags) and certain bandwidth pools with priorities can be allocated. For certain data types (such as Skype, BitTorrent etc.) there are predefined selectors. All settings can be made per interface. Incoming traffic is optimized by different techniques such as Stochastic Fairness Queuing (SFQ) or Random Early Detection (RED) in order to avoid data queues.
When it comes to e-mail management, we find three challenges which administrators face all the time: The first and most unpopular, due to its complexity, is compliance, as in most countries e-mail communication has to be archived by legal or regulatory compliance requirements. Tools are therefore required to archive e-mails securely for defined periods of time and also make sure they are deleted when expired. The next challenge is the sheer e-mail volume clogging valuable storage space on your mail server as well as the growing amounts of individual mail files (PST files) that are simply not manageable on a larger scale. They are often not backed up and also are slow when searching through them (which is not possible with OWA at all). And last but not least, e-mail discovery is a very important task, as the vast amount of information formed by all those messages must be searchable to produce fast and reliable results – also a task often left to the pc-client and end-user who must browse through large e-mail folders to retrieve specific e-mails which is slow and frustrating.
When you are looking into solving these kinds of problems, you will find that an e-mail archiving solution is just the answer. However, looking at today's offerings you will also quickly realize that there are three different types of solutions available. The first type is pure software solutions. As a pure on-site software installation, it fits quite nicely into your corporate environment, but at high cost: You will have to provide your own hardware - which is also the limiting factor, and it is expensive in terms of initial investment AND maintenance. And last but not least, when it comes to scalability, you will find that it doesn't really scale well at all. The same is more or less true for appliances: slightly lower maintenance costs and a less tight integration into existing environments, but still the same scalability issues and hardware limitations. A newer and far better approach comes with the hosted archiving services. They offer very low initial investments and are mostly easy to use solutions that require little installation effort on-site – if any at all. However, most of the services you will find today have additional hidden costs and storage limits. They do a very good job of hiding these facts with very opaque licensing models.
Astaro solves all of the challenges we have just talked about by offering a cloud-based e-mail archiving service that is easy to set up, accessible from everywhere and scales with your growth. Astaro Mail Archiving is easily set up after a simple registration and automatic provisioning process and archives e-mails from MS Exchange Servers over an encrypted internet tunnel, storing them securely in data centers. Once in the archive, you can access all of your corporate e-mail from anywhere, anytime through an Outlook Plugin or WebGUI that allows an instant and easy, Google-like search. To get deeper into the beauty of our solution, let's first look at the setup...
To set up Astaro Mail Archiving, you practically don't need to install any additional hardware or software at your site. By using the Journaling function of your existing MS-Exchange server (MS Exchange 2003, 2007 and 2010 are supported), the installation is complete within 15 minutes of registration and you can start to archive your e-mails. This enables you to archive all incoming, outgoing, and internal e-mails and transfer the majority of your e-mails to the cloud - so that the required storage space on your mailbox server can be reduced.
Compliance is usually the main challenge when considering an e-mail archiving solution. Astaro Mail Archiving makes the task simple: Only archive what you really need to by filtering out undesired messages and individually selecting the archiving period for the messages that you want to archive: whether you archive messages for a year or a decade, Astaro will not charge you any more! Of course, all actions are carefully monitored and logged so that evidence can be provided whenever necessary. There are also special auditor roles, which provide auditors with the ability to access all company messages, for example. If desired, these roles can be secured by a dual control principle.
Whether auditor or end-user: Your search will produce results in seconds and will not only search e-mail content but also all attachments. You can choose between two Google-like search options: Use a web interface when on-the-go or if you need to perform auditor searches or choose an Outlook plug-in (for MS Outlook 2003, 2007, 2010) which seamlessly integrates into your familiar work environment.
Users practically don't have to learn anything new or even change the way they work with e-mail. The plugin integrates seamlessly into the Outlook clients and messages can be handled the same way as you are used to. Even drag and drop operations are possible and, for convenience, searches are automatically saved! As an extra advantage, you will even get the possibility to upload existing e-mails such as PST-files or older mailbox folders into the archive.
When it comes to storing your valuable e-mail communication in the cloud, the Astaro Mail Archiving service ensures that your data stays secure: High availability data centers receive your e-mails via a TLS encrypted link to your corporate e-mail server. Once processed, the data is encrypted and stored in redundant storage networks, where it is also automatically backed up to a separate data center. Astaro Mail Archiving is flexible and convenient to use, with support for user synchronization through your local Active Directory or, for example, support for multiple transport forms and formats. Even importing existing data is easy through the PST-file import.
Licensing for Astaro Mail Archiving is straightforward and transparent: The product is licensed per mailbox and has typical user scales as shown in the slide here. Besides your appropriate scale, you only have to choose whether you want to sign for a 1, 3 or 5 year period. And to be clear: this not only includes the right to archive e-mails for the number of users, you will also truly have no limitations:
- No storage limit: This means that for licensed users and regular business use, you will be able to archive messages without worrying about growing disk space.
- No retention time limit: This means that only you decide whether you want to store an e-mail for 1 or 10 years; no additional fees are applied if you want to store for longer.
- No additional fees for PST import: Have you tried to get existing PST files into any other cloud from our competitors? We not only can tell you how this is easily done, we also tell you how much it additionally costs: Nothing!