ZyXEL ZyWALL 70
Price: $999 (ESP)
Pros: Subscription-based content filtering; multiple DMZ hosts.
Cons: 802.11b only, added via PC card.
ZyXEL's latest Internet security appliance, the ZyWALL 70, is a device designed to compete with similar products from firms like SonicWALL and WatchGuard. The ZyWALL 70 is the company's first product of this kind to have any inherent wireless capability, but I'll call it "wireless ready," for reasons I'll explain later.
The $999 ZyWALL 70 is aimed at small and medium businesses that are concerned primarily with network security and availability. It's a 1U rack-mountable device, with all ports and indicator lights on the front of the unit.
Speaking of ports, the ZyWALL 70 has not just one but two WAN ports, which allows the unit to maintain two ISP links and thus provide redundancy for a firm's Internet connection. I couldn't test this feature since I don't have two ISP connections (only larger offices are likely to), but ZyXEL says the ZyWALL will automatically shift to the secondary link when connectivity on the primary connection is lost. Whether you're using one broadband connection or two, you can connect an external modem or ISDN adapter to the ZyWALL 70's 9-pin serial port for dial backup as well.
In addition to redundant WAN connections, the ZyWALL 70 can provide control over outgoing network usage via a bandwidth management feature. Administrators can choose between two methods of bandwidth control. Often, it's more practical to limit a bandwidth-hungry protocol rather than ban it, so a fairness-based scheduler can prevent one type of traffic from monopolizing the connection. If you need to give preference to latency-sensitive traffic like voice or video, the ZyWALL can also do priority-based scheduling.
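The trade-off between the two scheduling methods is easier to see with numbers. The following is an added simulation, not ZyXEL code and not the ZyWALL's actual algorithm: a max-min fair allocator beside a strict-priority allocator, run over constructed per-tick demands for three traffic classes. Fair scheduling caps the greedy class without banning it; priority scheduling guarantees the latency-sensitive class but can starve everything else when that class alone exceeds the link.

```python
"""Fairness-based vs. priority-based bandwidth scheduling (constructed example)."""
from fractions import Fraction

# Constructed link capacity and offered load, in packets per tick.
LINK_CAPACITY = 10
DEMAND = {"p2p": 20, "web": 6, "voip": 2}
# Constructed priority order: latency-sensitive traffic first.
PRIORITY_ORDER = ["voip", "web", "p2p"]


def max_min_fair(demand, capacity):
    """Max-min fair share: no class gets more than it asks for, and capacity
    left over by small classes is split equally among the ones still wanting more."""
    alloc = {}
    remaining = Fraction(capacity)
    pending = dict(demand)
    while pending:
        share = remaining / len(pending)
        satisfied = {name: want for name, want in pending.items() if want <= share}
        if not satisfied:
            # Everyone wants at least an equal share: split evenly and stop.
            for name in pending:
                alloc[name] = share
            break
        for name, want in satisfied.items():
            alloc[name] = Fraction(want)
            remaining -= want
            del pending[name]
    return alloc


def priority_schedule(demand, capacity, order):
    """Strict priority: each class in turn takes what it wants until the link is full."""
    alloc = {}
    remaining = capacity
    for name in order:
        take = min(demand[name], remaining)
        alloc[name] = take
        remaining -= take
    return alloc


def compare(demand, capacity, order):
    """Return both allocations side by side for the same offered load."""
    return {
        "fair": max_min_fair(demand, capacity),
        "priority": priority_schedule(demand, capacity, order),
    }


if __name__ == "__main__":
    for label, alloc in compare(DEMAND, LINK_CAPACITY, PRIORITY_ORDER).items():
        print(label, {k: str(v) for k, v in alloc.items()})
    # A burst of voice traffic larger than the link shows the starvation risk.
    burst = dict(DEMAND, voip=12)
    for label, alloc in compare(burst, LINK_CAPACITY, PRIORITY_ORDER).items():
        print("burst", label, {k: str(v) for k, v in alloc.items()})
```

With the constructed demand, the fair scheduler gives p2p and web 4 packets each and voip its full 2, while the priority scheduler gives web its full 6 and leaves p2p 2. When voip alone demands 12, priority hands it the whole link and fairness splits the link three ways.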
The ZyWALL 70 provides a single LAN port, so it needs to be used in conjunction with an external switch. A business considering the ZyWALL is likely to maintain its own public servers for a Web site, e-mail, or other services, and the ZyWALL simplifies doing so by providing four DMZ ports. The DMZ ports can be configured for separate subnets from the LAN, and default routing rules allow access from both WAN and LAN.
The ZyWALL 70 offers extensive content filtering capability. Administrators can define blocked Web sites and keywords, and disable cookies and ActiveX and Java programs. The restrictions can be always-on or scheduled, and you are given the flexibility to include or exclude certain IP address ranges so as to selectively apply the policies.
Of course, maintaining content filters is a lot of work, and almost impossible to do effectively. Therefore, beyond its internal filtering capability, the ZyWALL offers an additional level of optional content filtering through a subscription service from third-party vendor Cerberian. A free 30-day trial is available.
The Cerberian service maintains its own extensive database of Web site content, and when activated, the ZyWALL will check sites against Cerberian's information before returning content to the user. Cerberian offers several dozen content categories that you can filter against, but once you've picked the categories you care about, configuration involves little more than a series of mouse clicks. If you want to simply track matching sites rather than block them outright, you can do that, too.
Logging support on the ZyWALL 70 is excellent. The system log monitors twenty events, and output can be sent to a syslog server. E-mail alerting of logs is also provided via a customizable schedule, and eight serious events like attacks or system errors can be configured to trigger an immediate e-mail notification. You can also have the unit collect information on and generate aggregate reports on things like Web sites visited and ports and protocols used. These reports must be viewed in real-time on the device and can't be saved or exported, and they're stored in volatile memory and thus disappear after a system reboot.
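The logging design described above, with scheduled e-mail delivery of the general log and immediate notification for a short list of serious events, maps onto a simple triage rule on the syslog side. This is an added example, not ZyXEL code: it parses constructed log lines in a generic syslog-like shape (the ZyWALL's real message format is not reproduced here), routes events to an immediate-alert queue or a scheduled digest based on a constructed list of serious categories, and builds the kind of aggregate counts the review says the unit only keeps in volatile memory.

```python
"""Syslog triage: immediate alerts vs. scheduled digest (constructed example)."""
import re
from collections import Counter

# Constructed sample log lines; the format is generic, not the ZyWALL's.
SAMPLE_LOGS = """\
2004-06-01 09:00:01 fw01 ACCESS_CONTROL allow 192.168.1.20:1045 -> 203.0.113.10:80 TCP
2004-06-01 09:00:05 fw01 ATTACK land 198.51.100.7:80 -> 203.0.113.2:80 TCP
2004-06-01 09:00:09 fw01 CONTENT_FILTER block 192.168.1.31 http://example.test/ category=Gambling
2004-06-01 09:00:12 fw01 ACCESS_CONTROL deny 198.51.100.9:4444 -> 203.0.113.2:23 TCP
2004-06-01 09:00:20 fw01 SYSTEM_ERROR dhcp lease table full
2004-06-01 09:00:25 fw01 ATTACK syn_flood 198.51.100.7:* -> 203.0.113.2:25 TCP
"""

# Constructed policy: which categories bypass the digest and page someone now.
IMMEDIATE_ALERT_CATEGORIES = {"ATTACK", "SYSTEM_ERROR"}

# <date> <time> <host> <CATEGORY> <free-text message>
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<cat>[A-Z_]+) (?P<msg>.*)$")
# src:sport -> dst:dport, where a port may be '*' (wildcard in the constructed format)
FLOW_RE = re.compile(r"(?P<src>[\d.]+):(?P<sport>\d+|\*) -> (?P<dst>[\d.]+):(?P<dport>\d+|\*)")


def parse_line(line):
    """Split one log line into its fields, or return None for lines that don't match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(text, immediate=IMMEDIATE_ALERT_CATEGORIES):
    """Return (immediate_alerts, digest_events) for a block of log text."""
    immediate_alerts, digest = [], []
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # unparseable lines are dropped here; a real collector would count them
        (immediate_alerts if event["cat"] in immediate else digest).append(event)
    return immediate_alerts, digest


def format_alert(event):
    """Subject line for an immediate e-mail notification."""
    return f"[{event['host']}] {event['cat']}: {event['msg']}"


def summarize(events):
    """Aggregate count of events per category, for the scheduled digest."""
    return dict(Counter(event["cat"] for event in events))


def top_attack_sources(events):
    """Count ATTACK events per source address, the kind of report the unit keeps only in RAM."""
    counts = Counter()
    for event in events:
        if event["cat"] != "ATTACK":
            continue
        m = FLOW_RE.search(event["msg"])
        if m:
            counts[m.group("src")] += 1
    return dict(counts)


if __name__ == "__main__":
    now, later = triage(SAMPLE_LOGS)
    for event in now:
        print("SEND NOW:", format_alert(event))
    print("digest:", summarize(later))
    print("attack sources:", top_attack_sources(now))
```

Writing the aggregates out from the collector, rather than reading them on the appliance, is what gets around the review's complaint that the built-in reports vanish on reboot.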
Most people who consider a ZyWALL 70 are likely to do so because of the virtual private network (VPN) capability, and ZyXEL says the unit can handle 70 simultaneous IPSec tunnels.
A VPN wizard can be used to simplify the process of setting up basic VPN rules (at least on the ZyWALL 70 side of the connection), provided you're using a pre-shared key as the authentication method. The ZyWALL 70 also supports certificate-based authentication, and can encrypt data via DES, 3DES, or AES.
Unlike many products with VPN endpoint capabilities, the ZyWALL 70's documentation and online help go out of their way to provide a detailed explanation of how an IPSec VPN must be configured in order to function correctly on networks using NAT.
The ZyWALL 70 can host a wireless network, but it doesn't have a built-in WLAN antenna and radio. The ZyWALL's wireless network comes from a ZyAIR B-100 WLAN PC Card NIC that can be added via a slot on the back of the unit.
The ability to quickly and cheaply add a wireless network in this way will definitely come in handy for many administrators. However, considering that the basis of the WLAN is a PC Card in the back, the wireless range and performance may come up short, particularly if the ZyWALL resides on a network rack in an equipment room or network closet.
Also, the unit currently only supports an 802.11b WLAN via the B-100 card. ZyXEL says that support for their 802.11g-based G-100 card is coming in an August 2004 firmware update. WPA support is coming in that same time frame; currently only WEP encryption is offered for wireless connections.
The ZyWALL 70 does support 802.1x for WLAN client authentication. A RADIUS server can be used, and like ZyXEL's B and G series WLAN routers and access points, the ZyWALL 70 hosts its own authentication service that can save a small business the expense of an external server. The ZyWALL internal authentication system can maintain credentials for only 32 users, though, and its MAC filtering is limited to 12 clients.
The ZyWALL 70 is a great router/firewall for any administrator who wants to maintain tight control over network traffic, bandwidth usage, and employee usage, but the device is primarily geared toward wired communications. The ability to add WLAN capability will be useful to some, but many will require conventional access points (managed separately).