Building an Astaro personal firewall with spare or low end parts. Part 1
“Astaro Security Gateway turns any PC into a security appliance within minutes, providing high-performance whilst reducing network administration costs.
· Network Security - Firewall, VPN and Intrusion Prevention
· Web Security - URL Filtering, Malware Detection, Bandwidth Management and Application Control
· Mail Security - Antispam, Antivirus, Antiphishing and Email Encryption”
Now here’s the cool part. Astaro will let you download, install and use the Astaro Security Gateway with all the features (Except Enterprise stuff) enabled. Absolutely FREE for personal use.
This will be a multi-part blog. In this part we’ll cover: Hardware requirements, registering, downloading and installing the software, then some basic configuration.
In future parts we’ll get into more advanced configurations like using Packet Filters, Port Forwarding, Anti-Virus, Anti-Spam and VPNs for remote access.
Minimum Hardware Recommendations
Pentium III 900 MHz or compatible CPU
512 MB RAM
10 GB SCSI/IDE HD
Bootable CD-ROM SCSI/IDE
3 NICs (Internet, Local Net, Demilitarized Zone)
My Realistic Hardware Recommendations
Pentium 4, 1+ GHz or compatible CPU – The faster the processor, the less likely the firewall is to become a bottleneck when handling large amounts of data or downloads.
1-2 GB RAM – Same here.
60 GB SCSI/IDE HD – More storage for swap space and log files.
Bootable CD-ROM SCSI/IDE – can’t get away from this if you want to be able to install the software. You could use a USB CD-ROM drive if your system will boot from one.
3 NICs (Internet, Local Net, Demilitarized Zone) – Technically you only NEED 2 NICs unless you want to run a web or e-mail server in a DMZ that is separated from both the internal and external networks.
See the Astaro Hardware Compatibility List Here
I don’t think I need to go through all the steps of building a PC, so we’ll skip right to getting the software and installing it.
Creating a MyAstaro Account, creating a license and downloading the software.
The first step here is to go to https://www.astaro.com/user/login. If you already have an account, you can just log in. If not, create an account by clicking the Join MyAstaro button.
Once you’ve created the account you will be in the License Management screen.
Click on the “Astaro Security Gateway V7 is available as a fully functional home use version and is free of charge. Download here.” Link. This will bring you to the “Create License” screen.
Read the Home User Agreement. (yeah right)
Enter a Nickname for your license. I just named it “My Firewall”, and click the “Create” button.
Once the License is created you can click the “Download License File” button. Save the license file to a location on your hard drive, but remember where you put it, you will need it later.
Next, we’ll download the Astaro software
On the navigation links click on the “MyAstaro End User Portal” link. Under “Software Downloads”, look for Astaro Security Gateway - Software Appliance.
Choose a location near you and either HTTP or FTP. (It’s up to you which to use)
Navigate into the /ISO folder and select the latest_asg_v7_software.iso file (that will make sure you get the latest version). Download the file to your hard drive. Make sure you have enough space, the file is just under 500MB.
Once the file has completed downloading, burn it to CD using your favorite utility.
Installing the Astaro Security Gateway software
Make sure that you understand that this is a complete operating system. It will format your hard drives and any data you had on there will be destroyed. You cannot multi-boot the software. If you want you can install the software on a VM.
Insert the CD you created into the CD-ROM drive and boot the computer. At the first screen that comes up, hit “Enter” to begin the installation.
The next screen is the first of the Astaro configuration screens.
Press “Enter” again to begin the install.
The next screen is the same warning I already gave you that all data on the hard drives will be lost.
Press F8 to confirm that you understand you are about to destroy your data.
At the next screen, choose your keyboard layout. Then.
The install will scan your hardware and ask you to confirm the configuration.
The next 3 screens ask your Location, Time Zone and let you set the Time and Date.
At the next screen, select the Ethernet NIC that you will use as the internal interface to your network. This is also the interface through which you will access the management interface.
At the next screen you can accept the default addresses or set a new network address for your internal network. Keeping the defaults should work fine for any home network.
Valid addresses for private networks are in the ranges of:
· 10.0.0.0 – 10.255.255.255
· 172.16.0.0 – 172.31.255.255
· 192.168.0.0 – 192.168.255.255
Which range you use depends on how many addresses you need and the NetMask you use. (We’ll get into NetMasks in a later part)
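To sanity-check an internal network choice against the three ranges above, here is a short Python example (added for illustration, not part of the Astaro software). It uses the 192.168.2.100 address this install shows; the 255.255.255.0 netmask and the admin PC addresses are assumptions made up for the example.

```python
import ipaddress

# The three private ranges listed above, written as CIDR blocks.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(firewall_ip, netmask, admin_pc_ip):
    """Validate an internal-network plan: network, usable hosts, problems."""
    iface = ipaddress.ip_interface(f"{firewall_ip}/{netmask}")
    net = iface.network
    pc = ipaddress.ip_address(admin_pc_ip)
    reserved = (net.network_address, net.broadcast_address)
    problems = []

    # The whole network must sit inside one private range, not just the
    # firewall's own address (a wide netmask can spill outside the range).
    if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"{net} is not inside a private range")
    if iface.ip in reserved:
        problems.append(f"{iface.ip} is the network or broadcast address")
    # The PC used for management must be on the same network as the firewall.
    if pc not in net:
        problems.append(f"admin PC {pc} is not on {net}")
    elif pc == iface.ip or pc in reserved:
        problems.append(f"admin PC {pc} is not a free host address on {net}")

    # The network and broadcast addresses cannot be given to hosts.
    usable = max(net.num_addresses - 2, 0)
    return {"network": str(net), "usable_hosts": usable, "problems": problems}


if __name__ == "__main__":
    # Constructed plans: (firewall address, netmask, admin PC address).
    plans = [
        ("192.168.2.100", "255.255.255.0", "192.168.2.50"),  # fine
        ("192.168.2.100", "255.255.255.0", "192.168.1.50"),  # PC on wrong net
        ("172.32.0.1", "255.255.0.0", "172.32.0.2"),         # not private
        ("192.168.2.100", "255.254.0.0", "192.168.2.50"),    # mask too wide
    ]
    for plan in plans:
        print(plan, check_plan(*plan))
```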
This is the last screen you will need to enter any information. After accepting the IP settings, there will be a few more screens that you can just hit enter through.
When the install is complete you will see this screen. Write down or remember the address it shows you. For example, here it’s https://192.168.2.100:4444. You will need this to access the management interface.
Hit Ctrl-Alt-Del to reboot your new firewall! When you hear 5 beeps it will have completed booting.
Now we’ll go through the basic settings wizard
First you will need to give the PC that you will do the management from an IP address on the same network as the firewall you just installed. Remember the address I told you to write down in the last step?
Plug a network cable into the NIC you selected as your management interface. Open a web browser on your computer and type in the address you wrote down on the last screen.
If you plugged the cable into the right NIC, you will probably get a certificate error. Just click on the “Continue to this website” link. If you’re not on the correct NIC, you will get a “Page not found” error.
After continuing, you will come to the Hostname and passwords screen.
All the fields must be filled in to continue.
· The Hostname will be what’s shown when someone pings the firewall. I usually do something short like FW or FireWall.
· Company name can be anything you want.
· Type your City and select your country.
· Create a Strong password! Remember that if someone figures out your firewall password they have complete access to your network!
· Use your e-mail address, this is where firewall notifications will be sent, it’s important that you receive them.
Accept the license agreement and click “Perform basic system setup”
After a minute or 2 you will be back at the “Certificate error” page again. Continue to the login screen.
The User Name is admin (All lower case)
And the password is the one you set in the previous step.
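The certificate warning shows up at both steps above, so once setup has finished and you are still on the direct cable, it is worth recording the certificate's fingerprint and comparing it whenever the warning appears again. The Python below is an added example, not part of the Astaro software; the sample certificates are constructed placeholders, and the host and port in the usage comment are the ones from this install.

```python
import hashlib
import ssl

# Constructed placeholders standing in for real certificates (not valid X.509).
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-sample-certificate")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-different-certificate")


def fingerprint(pem_cert):
    """SHA-256 over the DER bytes, formatted like a browser shows it."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_fingerprint(host, port=4444):
    """Fetch the management interface's certificate without validating it.

    Validation is skipped on purpose: the browser warning already says the
    certificate is not trusted, so the fingerprint is what gets compared.
    """
    return fingerprint(ssl.get_server_certificate((host, port)))


def _normalise(fp):
    return fp.replace(":", "").replace(" ", "").lower()


def check_pin(pem_cert, pinned=None):
    """Compare a certificate with a stored fingerprint.

    Returns (status, fingerprint) where status is 'first-use' when nothing
    is stored yet, 'match' when it is the recorded certificate, or 'CHANGED'
    when a different certificate is being presented.
    """
    seen = fingerprint(pem_cert)
    if pinned is None:
        return "first-use", seen
    status = "match" if _normalise(seen) == _normalise(pinned) else "CHANGED"
    return status, seen


if __name__ == "__main__":
    # Against the real box: pin = fetch_fingerprint("192.168.2.100")
    _, pin = check_pin(SAMPLE_PEM)        # record on the direct cable
    print(pin)
    print(check_pin(SAMPLE_PEM, pin)[0])  # same certificate later
    print(check_pin(OTHER_PEM, pin)[0])   # different certificate later
```

A 'CHANGED' result that you did not cause yourself (for example by reinstalling) is a reason to stop and not type the admin password into that page.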
You are offered 2 options here, either “Continue with This Wizard” or “Restore Existing Backup File”. Unless you already had an Astaro firewall you will probably choose “Continue”. Click Next.
This is the screen where you will install the license file you created way back at the beginning of this blog.
Click on the folder next to the text box and browse to the location you saved the file. Select the file and hit “Next”.
On this screen you can change the IP address if you don’t want to use the ones you selected earlier. You can also enable the DHCP server if you would like the firewall to give out IP addresses on your network. (We will go more in depth on DHCP in a later part). After you’ve made any changes you want, Click “Next”
On this screen, choose the NIC that will be connected to the internet and the connection type. In most cases you will probably choose “Cable Modem”. Click “Next”
On this screen you select what services you want to be able to use from INSIDE. By default ALL services are blocked INCOMING and OUTGOING. By selecting these items you are allowing these things to work OUTGOING. So if you want to be able to browse the web, you need to select “Web (HTTP, HTTPS, FTP)”; for RDP you will need “Terminal Services (Citrix, Apple Remote Desktop, RDP, SSH, Telnet)”, and so on. Choose the services you want to be able to use. Adding any of these will NOT allow INCOMING connections. (We’ll discuss incoming connections in a later part).
Select the options you want and click “Next”.
On this screen you select the type of Intrusion Protection you want to enable. You might be tempted to just select everything and be done with it, but each item you select adds overhead to the system and will make the system run slower. Only select the items you really need. If you don’t have Linux, a Web Server, Mail Server or Database Server, don’t select them. The system will be more efficient that way.
On this screen you select items you want to BLOCK. Anything NOT selected will be allowed. In this case you want to select items that you don’t use and will most likely never use. You can change them later if you do decide to use one that was selected.
On this screen, you can enable virus scanning of files that you download, it will also scan all web pages for Trojans and other malware.
You can also enable web filtering here. If you have children or just don’t want to accidentally hit a certain type of webpage (Porn, Terrorist, Criminal . . .) you can select them.
Here you enable your spam and virus scanner for incoming and outgoing mail. (We’ll discuss advanced options for SMTP/POP in a later part)
Congratulations!! You’ve completed the basic configuration. You now have a working firewall.
The Astaro Dashboard.
Follow Pete on Twitter! http://twitter.com/tyrstag