Price: $999 (ESP)
Pros: Subscription-based
content filtering; multiple DMZ hosts.
Cons: 802.11b
only, added via PC card.

ZyXEL’s latest Internet security appliance, the ZyWALL
, is a device designed to compete with similar products from firms like
SonicWALL and WatchGuard. The ZyWALL 70 is the company’s first product of this
kind to have any inherent wireless capability, but I’ll call it "wireless
ready," for reasons I’ll explain later.

The $999 ZyWALL 70 is aimed at small and medium businesses that are concerned
primarily with network security and availability. It’s a 1U rack-mountable device,
with all ports and indicator lights on the front of the unit.

Like other ZyXEL products, administrators have multiple methods available to
configure and maintain the unit from local and remote networks. In addition
to the de rigueur Web-based configuration, the ZyWALL’s SMT menu system
can be accessed via telnet or securely through SSH. Each method of access can
be restricted to access by only one (or all) of the ZyWALL’s interfaces, and
by a single remote IP address.

Router Features

Speaking of ports, the ZyWALL 70 has not just one but two WAN ports, which
allows the unit to maintain two ISP links and thus provide redundancy for a
firm’s Internet connection. I couldn’t test this feature since I don’t have
two ISP connections (only the larger side of offices would), but ZyXEL says
the ZyWALL will automatically shift to the secondary when connectivity on the
primary connection is lost. Whether you’re using one broadband connection or
two, you can connect an external modem or ISDN adapter to the ZyWALL 70’s 9-pin
serial port for dial backup as well.

In addition to redundant WAN connections, the ZyWALL 70 can provide control
over outgoing network usage via a bandwidth management feature. Administrators
can choose two methods of bandwidth control. Often, it’s more practical to limit
a bandwidth-hungry protocol rather than ban it, so a fairness-based scheduler
can prevent one type of traffic from monopolizing the connection. If you need
to give preference to latency-sensitive traffic like voice or video, the ZyWALL
can also do priority-based scheduling.

The ZyWALL 70 provides a single LAN port, so it needs to be used in conjunction
with an external switch. Chances are that a business considering the ZyWALL
is likely to maintain their own public servers for a Web site, e-mail, or other
services, and the ZyWALL simplifies doing so by providing four DMZ ports. The
DMZ ports can be configured for separate subnets from the LAN, and default routing
rules allow access from both WAN and LAN.

Content Filtering

The ZyWALL 70’s offers extensive content filtering capability. Administrators
can define blocked Web sites and keywords, and disable cookies and ActiveX and
Java programs. The restrictions can be always-on or scheduled, and you are provided
the flexibility to include or exclude certain IP address ranges as to selectively
apply the policies.

Of course, maintaining content filters is a lot of work, and almost impossible
to do effectively. Therefore, beyond its internal filtering capability, the
ZyWALL offers an additional level of optional content filtering through third-party
Cerberian. A free 30-day trial
is available.

The Cerberian service maintains its own extensive database of Web site content,
and when activated, the ZyWALL will check sites against Cerberian’s information
before returning content to the user. Cerberian offers several dozen content
categories that you can filter against, but once you’ve picked those about which
you care, configuration involves little more than a series of mouse clicks.
If you want to simply track matching sites rather than block them outright,
you can do that, too.

Logging support on the ZyWALL 70 is excellent. The system log monitors twenty
events, and output can be sent to a syslog server. E-mail alerting of logs is
also provided via a customizable schedule, and eight serious events like attacks
or system errors can be configured to trigger an immediate e-mail notification.
You can also have the unit collect information on and generate aggregate reports
on things like Web sites visited and ports and protocols used. These reports
must be viewed in real-time on the device and can’t be saved or exported, and
they’re stored in volatile memory and thus disappear after a system reboot.


Most people who consider a ZyWALL 70 are likely to do so because of the virtual
private network (VPN) capability, and ZyXEL says the unit can handle 70 simultaneous
IPSec tunnels.

A VPN wizard can be used to simplify the process of setting up basic VPN rules,
(at least on the ZyWALL 70 side of the connection) provided you’re using a pre-shared
key as an authentication method. The ZyWALL 70 also supports certificate based
authentication, and can encrypt data via DES, 3DES, or AES.

Unlike many products with VPN endpoint capabilities, the ZyWALL 70’s documentation
and online help go out of their way to provide a detailed explanation of how
an IPSec VPN must be configured in order to function correctly on networks using

Wireless Features

The ZyWALL 70 can host a wireless network, but it doesn’t have a built-in WLAN
antenna and radio. The ZyWALL’s wireless network comes from a ZyAIR
WLAN PC Card NIC that can be added via a slot on the back of the unit.

The ability to quickly and cheaply add a wireless network in this way will
definitely come in handy for many administrators. However, considering that
the basis of the WLAN is a PC Card in the back, the wireless range and performance
may come up short, particularly if the ZyWALL resides on a network rack in an
equipment room or network closet.

Also, the unit currently only supports an 802.1b WLAN via the B-100 card. ZyXEL
says that support for their 802.11g-based G-100 card is coming in an August
2004 firmware update. Also coming in that same time frame is WPA support; currently
only WEP encryption is offered for wireless connections.

The ZyWALL 70 does support 802.1x for WLAN client authentication. A RADIUS
server can be used, and like ZyXEL’s B and G series WLAN routers and access
points, the ZyWALL 70 hosts its own authentication service that can save a small
business the expense of an external server. The ZyWALL internal authentication
system can maintain credentials for only 32 users, though, and its MAC filtering
is limited to 12 clients.


The ZyWALL 70 is a great router/firewall for any administrator that wants to
maintain tight control over network traffic, bandwidth usage, and employee usage,
but the device is primarily geared toward wired communications. The ability
to add WLAN capability will be useful to some, but many will require conventional
access points (managed separately).

News Around the Web