The security device offers VPN interfaces for both the public Internet and for the University's private network. For example, one interface connects to the logical private network overlaid on top of the public Internet for the VPN. The interface on the public Internet acts as a gateway for VPN workstations to access the private networks within Stanford.

The security device also can act as a firewall between systems on the private network and the public Internet. To get access to the public Internet, these systems must pass back and forth through the security device.

The open systems nature of a Linux security product didn't bother Little. He says, "It was a selling point for us. Because we're a university, we get nervous about products built on a proprietary operating system (OS). For example, Windows NT/2000 OS has a notorious security reputation. So, we'd have to think twice about buying a Windows-based security product."

Little says that the security device doesn't require much software maintenance. In fact, Astaro Security Linux runs as an application server on top of a hardened OS . He says, "Since a lot of security products run as an application on top of a general purpose OS, you'll have to manage the underlying OS, be it Windows or Sun Solaris. This means work."

On the other hand, Little adds Astaro Security Linux functions in a self-contained entity capable of automatically updating itself for changes, such as virus updates. "This was another key buying point," he says.

The security device is hard for an intruder to tamper with. A "chroot" or change route environment exists for every service the software offers, effectively sand boxing each service – providing untrusted code that limits the ability of the intruder to do risky things. Little says, "If one could possibly exploit one service, one couldn't possibly take over the entire system."


The security device also supports standard authentication mechanisms. Remote access to the security device uses SSH Remote access to the Web services uses SSL. The VPN workstation uses IPSEC with its secure authentication components, or PPTP, the Microsoft authentication components.

Little says by running the Astaro Security Linux on systems with multiple processors, one could deploy a security system throughout the entire campus.

In fact, Little says that the university is looking for a firewall solution for all of the departments. "Our solution might be modeled for the rest of the university," he says.



Steve Schlesinger is general manager at Astaro Corp. of Burlington, Mass. USA. He was most recently vice president, corporate development, at SoundBite Communications. He was previously at Workgroup Technology and at Easel Corp.