Astaro Security Gateway 8.200 Public Beta

Following months of planning and development, today I am happy to announce we have started a public Beta of our upcoming 8.200 release of Astaro Security Gateway.  This is shaping up to be one of our biggest releases ever. You will find major new features like Application Visibility and Control to give you absolute dominion over your Internet connection, new Web Security reporting with custom reactive filters and email subscription lists for distribution, and a user authentication client which adds detailed per-user reporting and control. You are invited to test out this version and participate in our dedicated 8.200 Beta Forums to share your feedback, impressions, and report any bugs. Several members of our various teams will closely interact with the participants of this forum to ensure the best possible polish and quality of 8.200 for the GA release at the end of June. We also reward our testers! Several of the top contributers and testers will receive great Astaro swag for their efforts! You can win access points, Astaro RED's, and your own ASG appliance for personal home use. For all the details of the 8.200 Beta program, and information on the release itself, read on!

Following months of planning and development, today I am happy to announce we have started a public Beta of our upcoming 8.200 release of Astaro Security Gateway.  This is shaping up to be one of our biggest releases ever. You will find major new features like Application Visibility and Control to give you absolute dominion over your Internet connection, new Web Security reporting with custom reactive filters and email subscription lists for distribution, and a user authentication client which adds detailed per-user reporting and control. You are invited to test out this version and participate in our dedicated 8.200 Beta Forums to share your feedback, impressions, and report any bugs. Several members of our various teams will closely interact with the participants of this forum to ensure the best possible polish and quality of 8.200 for the GA release at the end of June.

We also reward our testers! Several of the top contributers and testers will receive great Astaro swag for their efforts! You can win access points, Astaro RED’s, and your own ASG appliance for personal home use. For all the details of the 8.200 Beta program, and information on the release itself, read on!

General Beta Information
Why Participate?
You get to see and play with things before they are Generally Available, and have a chance to shape features and functionality based on your comments and findings. We closely monitor all our Beta feedback, and over the years have worked hard to listen to our market in order to build products that people like you want to buy. By helping us, we gain insight as to how we are doing and have the chance to identify bugs, polish some features, and make corrections in hundreds of different installation scenarios which is extremely useful to our QA and testing efforts. You get to see new features early, and we get an increased test landscape.

How to be a Beta tester:
No forms, no pesky emails or submission process with a bunch of information to provide. We know that’s not fun. To test ASG 8.200 Beta, just download the latest Beta ISO image via our forums (first version is 8.160), burn it to a CD and install it to your ASG software installation or appliance. Please be sure to download the appropriate ISO for your intended use platform. Once you are using the 8.200 Beta, you can continue to use Up2Date and install the next Beta releases for 8.200 without needing to re-install again. Just restore your backup file and you are up and running for the entire 8.200 Beta. So as to make your life even easiser, we will release a final Up2Date package at the end of the 8.200 Beta which will take your installation to the GA release of 8.200, saving you a re-install and restore once again.

How you can contribute:
During the period of the Beta for 8.200 (which will run until approximately late June), we would encourage you to post your impressions, feedback, bug reports, and all the associated things you like (and don’t like!) in our offical 8.200 Beta forums.  At the end of the Beta, we will reward our most active contributors; there are great prizes and rewards to be had!

 

Astaro Beta 8.200 Download Information:
For the first release of the Beta, version 8.160 is the version we’ll start with. Future updates and releases will be communicated soley through the forums and not via this blog, so check there often for all the updates and news around the 8.200 release! You will find many answers to early questions, test license downloads, and general Beta information can be found in the launch overview for 8.200 here.

Initial Beta 8.200 Links (V8.160):

ASG ISO for Software/Virtual appliances (Your own hardware):
Download:  ftp://ftp.astaro.de/pub/ASG/v8/beta/asg-8.160-7.1.iso
ISO size: 466Mb (489097216 bytes)
ISO md5sum: 8c9a113d75159bef1484b6339a577090
ISO sha1sum: a33ed194e0d25f2f0641c5f9c09536e40648d8be

SSI ISO for Astaro Hardware appliances (eg. an ASG 220):
Download: ftp://ftp.astaro.de/pub/ASG/v8/beta/ssi-8.160-7.1.iso
ISO size: 468M (490358784 bytes)
ISO md5sum: de678b45f2e289d54e180943b779e51f
ISO sha1sum: a60c3c2c85bb457ad1571e29c5f627fbf0dabbcb 

 

 8.200 Beta Feature Quick-Overview*
*Note that the Beta is subject to have features re-worked or changed, entirely new things may be added at anytime, and features which are not up to our standards may be delayed. There will always be new things and changes to test throughout the Beta.
Major New Things

  • Network Visibility and Application Control (Layer 7 Classification/Next Generation Firewall)
  • New Web Security Reporting
  • User Authentication (Windows Client) for Policies and Reporting

Minor New Things

  • 3G/UMTS USB modem interface
  • KVM virtio support
  • WiFi improvements
  • Web Application Security improvements
  • Integration of Log Management cloud service
  • IPv6 support for SMTP proxy and HTTP proxy in "full transparent" mode
  • Packetfilter optimization (IPSet)
  • HTTP proxy multi-threading performance optimization

8.200 Beta Extended Feature Overview*
*Extended documentation with feature descriptions, along with Release Notes, will be posted for the GA release.

Network Visibility and Application Control (L7 classification)
Also known as "Next Generation Firewall", this new classification engine analyzes all network traffic and determines which "Application" this traffic is for. "Application" in this context can simply be a protocol (e.g. SSH, DNS, Bittorrent), but in many cases will be quite specific, like HTTP (Web) traffic will be classified in fine-grained way for Web Applications like Facebook or various Google Apps.
You can enable this at Web Security >> Network Visibility. This information will be used (so far) for:
    Web Security >> Network Visibility >> Application Control Rules: Block/Log application usage.
    Reporting >> Network Usage >> Accounting: Top Apps, Top Categories, Top Users.
    Interfaces & Routing >> Quality of Service: Shape traffic per application.
    Dashboard: Enhanced Bandwidth monitor (Show User/Hostname/Apps)

-This is a superset of the functionality offered of the old IM/P2P classifier and thus completely replaces it.

New Web Security Reporting
The Web Security Reporting was completely overhauled to give a better user experience tailored with how you expect to see data and get the information you are looking for easily.

  •     Reactive filtering (filters build as you click)
  •     Save custom filters, subscribe to periodical mail reports based on saved filters
  •     Everything clickable, sortable, no dead ends
  •     Search Engine report (search terms, users)

User Authentication (Windows Client) for Policies and Reporting
With the new Astaro Authentication Client (AAC) for Windows users can directly authenticate to the ASG.
This has two advantages:

  1.     Reporting will display user names instead of raw IPs if possible
  2.     You can use User Network and Group Network objects in e.g. packetfilter rules and they will only match for logged in users

(You can get similar benefits from a combination of static DHCP and DNS mappings, but with probably much more effort)
See Users >> Client Authentication for the configuration. You can also download the client there or via the User Portal.
You can also use this authentication for the HTTP proxy. Choose Transparent Client Authentication as the operational mode.

WAS (Web-Application Security) Improvements:

Form Hardening
Form hardening will check HTML form data submitted by clients. It ensures that clients do not submit fields they weren’t offered, will make basic sanity checks of the submitted values according to their HTML specification.

Reputation-based Client blocking
The Web Application Firewall can now check clients against certain blacklists.
Block clients with bad reputation will currently block open proxies by using certain DNSBLs.
Block anonymizer proxies uses a static list updated by the pattern mechanism.

Sitemap-XML Support
If you have a Google Sitemap you can now use it in your Web Application Firewall profile to specify valid entry pages for URL Hardening. You can either upload the file or tell the ASG to download it from a given URL. In the latter case the ASG can also check the URL periodically for updates.

UMTS Modem Interface
Support for 3G/UMTS modems is now official (it was already present in 8.100 but not officially supported and only visible if you had a modem connected). Configure as usual over Interfaces & Routing >> Interfaces, type 3G/UMTS. For now, newly plugged-in modems will only be detected during boot-up, so you need to reboot your ASG if you connect a new one.

KVM performance optimization
When run in KVM, ASG now has support for VirtIO devices (disks/NICs), which results in increased performance for I/O operations.

Wireless Improvements
Firmware-side:

  •     New WLAN driver, uses an Open-Source driver now instead of a proprietary vendor driver
  •     802.11r Roaming
  •     Rebootless reconfiguration (for majority of cases)

ASG-side:

  •     SSID-to-AP Group Matrix
  •     Ability to group APs
  •     Push configuration without disconnect
  •     Perform key negotiation only when confirming AP

Integration of Log Management Service
Astaro has a new cloud-based Log Management service, which is integrated with ASG 8.2. A preview version of this service is available and can be used free of charge with this beta. Currently the Log Management service is planned to be included with any ASG subscription.
See Log Management and more information can be found here.

IPv6 Improvements

  •     IPv6 support for SMTP proxy
  •     IPv6 support for HTTP proxy in "full transparent" mode
  •     ICMPv6 service definitions

Packet filter optimization (IPset)
Packet filter rules that contain list of networks/IPs, either explicit (via network/DNS groups) or implicit (via lists in WebAdmin) now use IPset (IP sets) to reduce the number of generated iptables rules. This should improve memory consumption and performance.
This affects both user-generated packet filter rules (Network Security >> Firewall) and auto-generated rules (e.g. via Allowed Networks for services or Auto packet filter rules for VPNs).

Fixed Issues
Of course we also fixed a few bugs in this release. Here a list of the some of the most prominent current ones:
    [14019] SMTP relay attempts shown as webadmin logins
    [14073] WAF: SSL support for multiple DNS names (subjectAlternativeName certificates)
    [14186] WebAdmin last failed session count doesn’t match executive report
    [14782] UTF-8 characters in realname of imported keys are not displayed correctly
    [14820] Virus uploads don’t get blocked if XSS or SQL Injection filter (mod_security) is enabled
    [15438] Sortable tables and Batch-Operation use same GUI element
    [15440] Improve input validation for advanced bridge settings
    [15654] Packets mislabeled as connections in reporting
    [15972] Exceptions do not work for Cross Site Scripting, SQL-Injection or Cookie Signing
    [16103] missing table header at NAT and SNAT/DNAT
    [16153] Radius secret containing backtick character (`) doesn’t work
    [16255] Exception for Certificate Trust Check does not work in transparent mode
    [16438] Self signed certificate in chain and an exception for all requests going to this category will not work for some banking sites

Enjoy the 8.200 Beta, we look forward to working with you throughout it.

Angelo Comazzetto
Astaro Product Manager

Leave a Reply

Your email address will not be published. Required fields are marked *