| Astaro Security Linux vs. IPCop Firewall |
|
| Written by Eric | ||||||||||||||||||||||||||||||
| Sunday, 11 September 2005 07:53 | ||||||||||||||||||||||||||||||
|
If you are a linux fan and
have ever looked around at a few of the linux firewall distros you
have probably seen both
Astaro Security
Linux and IPCop
Firewall. Both are widely used products that have a ton
of features packed in. Of course IPCop was originally based
off of the
Smoothwall Firewall project. IPCop appears to have more
features and better security(NOTE: After putting up
this article I was informed that this is no longer the case,
Smoothwall now reportedly runs the latest patched versions and
updates come out regularly) than Smoothwall so we will focus
strictly on Astaro and IPCop for the purposes of this review.
The review will cover the main features, performance, ease of
installation and configuration, and management and reporting
capabilities.
If you are a linux fan and
have ever looked around at a few of the linux firewall distros you
have probably seen both
Astaro Security
Linux and IPCop
Firewall. Both are widely used products that have a ton
of features packed in. Of course IPCop was originally based
off of the
Smoothwall Firewall project. IPCop appears to have more
features and better security(NOTE: After putting up
this article I was informed that this is no longer the case,
Smoothwall now reportedly runs the latest patched versions and
updates come out regularly) than Smoothwall so we will focus
strictly on Astaro and IPCop for the purposes of this review.
The review will cover the main features, performance, ease of
installation and configuration, and management and reporting
capabilities.
Features The features of both of these products on initial glance appear very similar. The primary feature any good firewall needs is packet filtering. Both of these products have the iptables package for packet filtering. NAT(Network Address Translation) is also required for any good firewall. Once again both support this. Web administration is also a key feature that both firewalls support. Other features that both include are traffic analysis, caching web proxy, port forwarding, dmz support, ssh access, vpn support, etc.. The only notable difference in the feature set is that Astaro supports Webtrends statistical tools for in depth analysis of your network traffic. Astaro also supports virus scanning and spam filtering but these are features best left to another device inside the network to avoid network slowdowns and reduce chances of the firewall being exploited. These features also require a corporate license so they will be discounted for the ratings.
Performance Both products are based on linux so one would expect the base performance to be almost the same. With no features enabled other than packet routing this is mostly the case. IPCop appears to function slightly faster but this could be because they are running a newer kernel(2.4.21) which provides some speed enhancements, albeit very few. Astaro runs on the 2.4.19 kernel, even after the most recent updates which is a slight negative for them. The overall configuration for the main speed tests are as follows:
The first speed test was a 10MB file. This file was placed on an infrequently accessed web server and downloaded from one system ten times, the next was connected, and the downloads were repeated. The download average was 31.23 seconds through the IPCop Firewall. The average was 35.61 seconds for the Astaro firewall. These results could be affected by network performance but the fact that the lowest download time for the Astaro firewall was 30.78 in comparison to 27.43 for the IPCop seems to indicate that this was more than network lag. The second test run was web surfing with the transparent proxies enabled. These tests were more subjective as there was no easy method for timing. Both firewalls appeared to load in about the same time, with some lag from the Astaro box. Again, these results are not precisely timed though
Ease of Installation and Configuration Installation of a product is always a major factor. Astaro has almost no prompts during the installation. The problem with this is that there is a lot of configuration to do after the install completes. IPCop on the other hand has several easy to understand prompts during installation that configure, almost completely, the entire system. Neither firewalls require disk partitioning as they do this completely on their own during installation. Once the system is up and running the configuration of either firewall is extremely easy. Again, Astaro comes out a little harder as you need to configure the external interfaces and NAT whereas IPCop has already taken care of this during installation. The VPN configuration, especially if you want to connect in via Windows, is much easier through Astaro though. Bonus points to them for easing the roadwarrior's job. The ratings here are equal. The VPN setup helped to equal out the ratings so if you don't want a VPN I would go with IPCop as the overall installation and configuration seems much easier. Neither firewall receives five stars though because each lacks what the other is best at.
Management and Reporting Capabilities Management is done primarily through a web interface for both firewalls. SSH can be enabled but is not by default for either. My only complaint with IPCop is that by default it operates on port 445 instead of the standard https port 443. This is a minor annoyance though. The web interfaces for each are incredibly easy to understand and use. Astaro comes out with a more professional look but that really doesn't add to the ease of use. Even linux newbies can administer these firewalls once installed with the web interface. Of course for advanced features you need some understanding of how things work in linux though. Only a couple of minor tweaks required SSH access. Almost everything can be done via the web interface which is quite impressive. Astaro has the biggest benefit here, iptables configuration from the web interface. This is due to be added to the IPCop distro shortly. The reporting capabilities are almost exactly the same. Traffic graphs, firewall connections, detection logs, basic system logs, etc. are all available very easily through the web interface. The only advantage of the Astaro firewall is if you also have Webtrends Analysis tools. Astaro allows for easy dumping of information into a compatible format for Webtrends products or even emailing results to yourself. This allows far more analysis of information, not that the onboard diagnostics are lacking. Both products have great analysis tools right onboard. Once again both products come out equal in the ratings with 5 stars each.
Conclusion The only downside to the Astaro product not mentioned in detail above is that it is not completely free. Home users can get a free license but it does not activate all the functionality of the product. IPCop is a completely free product with constant open source development and upgrades. The rest of this review is strictly this writers opinion. I personally find IPCop easier to install and configure. Although there is slightly less reporting than I would like it is far from inadequate. I have to admit the high availability features(redundancy) of Astaro sound great but most home users don't have the hardware to support this type of setup. Large businesses would, in my opinion be better off using Astaro as its integration with Webtrends will greatly ease administration and monitoring. Home users and small businesses would be far better off with IPCop. The overall ratings of these products are very close but I have to give IPCop 5 stars and Astaro an overall 4 stars.
Have a different opinion? Email me at This e-mail address is being protected from spambots. You need JavaScript enabled to view it or head over to the forum. |
||||||||||||||||||||||||||||||
