|
If you are a linux fan and
have ever looked around at a few of the linux firewall distros you
have probably seen both
Astaro Security
Linux and IPCop
Firewall. Both are widely used products that have a ton
of features packed in. Of course IPCop was originally based
off of the
Smoothwall Firewall project. IPCop appears to have more
features and better security(NOTE: After putting up
this article I was informed that this is no longer the case,
Smoothwall now reportedly runs the latest patched versions and
updates come out regularly) than Smoothwall so we will focus
strictly on Astaro and IPCop for the purposes of this review.
The review will cover the main features, performance, ease of
installation and configuration, and management and reporting
capabilities.
If you are a linux fan and
have ever looked around at a few of the linux firewall distros you
have probably seen both
Astaro Security
Linux and IPCop
Firewall. Both are widely used products that have a ton
of features packed in. Of course IPCop was originally based
off of the
Smoothwall Firewall project. IPCop appears to have more
features and better security(NOTE: After putting up
this article I was informed that this is no longer the case,
Smoothwall now reportedly runs the latest patched versions and
updates come out regularly) than Smoothwall so we will focus
strictly on Astaro and IPCop for the purposes of this review.
The review will cover the main features, performance, ease of
installation and configuration, and management and reporting
capabilities.
Features
The features of both of these products
on initial glance appear very similar. The primary feature
any good firewall needs is packet filtering. Both of these
products have the iptables package for packet filtering.
NAT(Network Address Translation) is also required for any good
firewall. Once again both support this. Web
administration is also a key feature that both firewalls support.
Other features that both include are traffic analysis, caching web
proxy, port forwarding, dmz support, ssh access, vpn support,
etc.. The only notable difference in the feature set is that
Astaro supports
Webtrends statistical tools for in depth analysis of your
network traffic. Astaro also supports virus scanning and
spam filtering but these are features best left to another device
inside the network to avoid network slowdowns and reduce chances
of the firewall being exploited. These features also require
a corporate license so they will be discounted for the ratings.
| Features
Ratings (Out of 5 stars) |
| Astaro Security Linux |
 |
| IPCop Firewall |
|
Performance
Both products are based on linux
so one would expect the base performance to be almost the same.
With no features enabled other than packet routing this is mostly
the case. IPCop appears to function slightly faster but this
could be because they are running a newer kernel(2.4.21) which
provides some speed enhancements, albeit very few. Astaro
runs on the 2.4.19 kernel, even after the most recent updates
which is a slight negative for them. The overall
configuration for the main speed tests are as follows:
- Web proxy disabled
- DNS proxy disabled
- Intrusion Detection disabled
- No port forwarding
- No specialty firewall rules
- VPN disabled
- Identical hardware
- Pentium 450mhz
- 128mb RAM
- 4gb Hard disk
- 2 Network Interfaces
- External connection to Comcast Cable Network
- Internal connection to 10mb/s Netgear router
The first speed test was a 10MB file.
This file was placed on an infrequently accessed web server and
downloaded from one system ten times, the next was connected, and
the downloads were repeated. The download average was 31.23
seconds through the IPCop Firewall. The average was 35.61
seconds for the Astaro firewall. These results could be
affected by network performance but the fact that the lowest
download time for the Astaro firewall was 30.78 in comparison to
27.43 for the IPCop seems to indicate that this was more than
network lag.
The second test run was web surfing
with the transparent proxies enabled. These tests were more
subjective as there was no easy method for timing. Both
firewalls appeared to load in about the same time, with some lag
from the Astaro box. Again, these results are not precisely
timed though
| Performance
Ratings (Out of 5 stars) |
| Astaro Security Linux |
|
| IPCop Firewall |
|
Ease of Installation and Configuration
Installation of a product is always a
major factor. Astaro has almost no prompts during the
installation. The problem with this is that there is a lot
of configuration to do after the install completes. IPCop on
the other hand has several easy to understand prompts during
installation that configure, almost completely, the entire system.
Neither firewalls require disk partitioning as they do this
completely on their own during installation. Once the system
is up and running the configuration of either firewall is
extremely easy. Again, Astaro comes out a little harder as
you need to configure the external interfaces and NAT whereas
IPCop has already taken care of this during installation.
The VPN configuration, especially if you want to connect in via
Windows, is much easier through Astaro though. Bonus points
to them for easing the roadwarrior's job. The ratings here
are equal. The VPN setup helped to equal out the ratings so
if you don't want a VPN I would go with IPCop as the overall
installation and configuration seems much easier. Neither
firewall receives five stars though because each lacks what the
other is best at.
| Installation
and Configuration (Out of 5 stars) |
| Astaro Security Linux |
|
| IPCop Firewall |
|
Management and Reporting Capabilities
Management is done primarily through a
web interface for both firewalls. SSH can be enabled but is
not by default for either. My only complaint with IPCop is
that by default it operates on port 445 instead of the standard
https port 443. This is a minor annoyance though. The
web interfaces for each are incredibly easy to understand and use.
Astaro comes out with a more professional look but that really
doesn't add to the ease of use. Even linux newbies can
administer these firewalls once installed with the web interface.
Of course for advanced features you need some understanding of how
things work in linux though. Only a couple of minor tweaks
required SSH access. Almost everything can be done via the
web interface which is quite impressive. Astaro has the
biggest benefit here, iptables configuration from the web
interface. This is due to be added to the IPCop distro
shortly.
The reporting capabilities are almost
exactly the same. Traffic graphs, firewall connections,
detection logs, basic system logs, etc. are all available very
easily through the web interface. The only advantage of the
Astaro firewall is if you also have Webtrends Analysis tools.
Astaro allows for easy dumping of information into a compatible
format for Webtrends products or even emailing results to yourself. This allows far more analysis
of information, not that the onboard diagnostics are lacking.
Both products have great analysis tools right onboard. Once
again both products come out equal in the ratings with 5 stars
each.
| Management and
Reporting (Out of 5 stars) |
| Astaro Security Linux |
|
| IPCop Firewall |
|
Conclusion
The only downside to the Astaro
product not mentioned in detail above is that it is not completely
free. Home users can get a free license but it does not
activate all the functionality of the product. IPCop is a
completely free product with constant open source development and
upgrades. The rest of this review is strictly this writers
opinion. I personally find IPCop easier to install and
configure. Although there is slightly less reporting than I
would like it is far from inadequate. I have to admit the
high availability features(redundancy) of Astaro sound great but
most home users don't have the hardware to support this type of
setup. Large businesses would, in my opinion be better off
using Astaro as its integration with Webtrends will greatly ease
administration and monitoring. Home users and small
businesses would be far better off with IPCop. The overall
ratings of these products are very close but I have to give IPCop
5 stars and Astaro an overall 4 stars.
| Overall
Ratings |
| Astaro Security Linux |
|
| IPCop Firewall |
|
Have a different opinion? Email me at
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
or head over to the
forum.
|
