ZyXel offers unified threat management for low-end net

By Joel Snyder
Network World, March 06, 2006


ZyXel Communications has entered the unified threat-management fray by building content filtering, intrusion-prevention, anti-virus and anti-spam technology into its ZyWall 35 and ZyWall 70 combined firewall and VPN appliances.

In our test of the ZyWall 70 UTM with the ZyWall Turbo Card, which is necessary to accelerate the new anti-virus and IPS services, we found the combination provides a massive set of features that will make it very attractive to small and midsize businesses (SMB) looking for a more sophisticated firewall device. However, the ZyWall 70 UTM's capabilities are offset by its difficult-to-use policy management GUI, weak documentation and a rapid release cycle - we were shipped three updates of the software during our three-month testing cycle.

We tested the ZyWall 70 UTM by installing it on a live customer site in Tucson, Ariz., that needed advanced UTM features, including both threat management (virus scanning and spyware blocking) and URL filtering (see "How we did it").

The ZyWall 70 UTM is a 1U, rack-mountable device with four control zones: LAN (one 10/100 Ethernet port), DMZ (four 10/100 Ethernet ports), WAN (two 10/100 Ethernet ports) and a wireless LAN (WLAN) slot. When the Turbo Card is installed, the appliance's UTM features are enabled, and wireless is disabled, because the Turbo Card takes the slot that the wireless would have.

The ZyWall 70 UTM is managed using a Web browser. Once you've set some basic parameters, such as IP addresses and network-address translation options, and have decided whether to bridge or route, the first impression when you start working on security policy is overwhelming confusion. ZyXel opens up with 16 rules, listing all four zones and all of the interactions between any two zones. From there, you can add rules to pass traffic through the system, or to block or selectively log traffic. Each rule not only has source and destination IP addresses and IP service, but also a schedule for when the rule is enabled.

It's not an unusable interface, but it's also not for someone who wants to dive in and click through a few simple configuration steps and be done with it. By enabling off-site management in our initial installation, we inadvertently enabled off-site SNMP, which ships with the default read and write passwords of "public". Within 24 hours the firewall was cracked into and shut down by an attacker using SNMP.

The lesson we learned is not to underestimate the number of details you need to be concerned with in configuring any part of the ZyWall 70 UTM or to assume that the software's default behavior is desirable. Unfortunately, the documentation is not a great help for most configuration changes. There's a lot of information, but much of it is poorly written and confusing.
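The exposure described above (off-site management switched on while SNMP still carries the factory "public" communities) is the kind of thing worth catching in a configuration audit before the device goes live. The following is an added example, not ZyXel's code: it reads a constructed key=value export (not the ZyWall's own format; the key names are assumptions) and rates each default community string higher when SNMP is reachable from the WAN.

```python
"""Audit a firewall management config for default SNMP community strings.

Added example; the key=value layout and key names are constructed
assumptions, not the ZyWall 70 UTM's configuration format.
"""
from dataclasses import dataclass

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample mirroring the mistake in the review: remote management
# enabled on the WAN, SNMP enabled, both communities still "public".
SAMPLE_CONFIG = """\
remote_mgmt.wan.enabled=yes
remote_mgmt.wan.services=https,snmp
snmp.enabled=yes
snmp.get_community=public
snmp.set_community=public
snmp.trusted_host=0.0.0.0
"""

@dataclass
class Finding:
    key: str
    severity: str
    detail: str

def parse_config(text: str) -> dict:
    """Parse 'key=value' lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def audit_snmp(cfg: dict) -> list:
    """Return findings; severity depends on WAN exposure and write access."""
    findings = []
    if cfg.get("snmp.enabled", "no").lower() != "yes":
        return findings
    services = {s.strip().lower() for s in cfg.get("remote_mgmt.wan.services", "").split(",")}
    wan_exposed = cfg.get("remote_mgmt.wan.enabled", "no").lower() == "yes" and "snmp" in services
    for key in ("snmp.get_community", "snmp.set_community"):
        value = cfg.get(key, "")
        if value.lower() in DEFAULT_COMMUNITIES:
            writable = key.endswith("set_community")  # write community = config changes
            severity = "critical" if wan_exposed and writable else "high" if wan_exposed or writable else "medium"
            findings.append(Finding(key, severity, f"default community string {value!r}"))
    if cfg.get("snmp.trusted_host") in ("0.0.0.0", "", None):
        findings.append(Finding("snmp.trusted_host", "high" if wan_exposed else "low", "no trusted manager restriction"))
    return findings
```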

The ZyWall 70 UTM interface wasn't built confusing just to confound the network manager; it's confusing because ZyXel's engineers have packed into this system every feature anyone ever asked for in a midrange firewall. For example, if you have DSL and broadband cable at the same location, the appliance can handle and manage both as outbound connections on its two WAN ports. The ZyWall 70 UTM can do load sharing, failover, route specific traffic from different interfaces, and reserve and allocate bandwidth among different applications.

The basic firewall and VPN functions of the ZyWall 70 UTM are restricted (for example, it includes application-layer gateways for only FTP, Session Initiation Protocol, and the H.323 standard), but it will easily meet the needs of most SMBs. Although we were able to get the site-to-site VPN working (after updating to a newer build of the Version 4.0 software), the ZyWall 70 UTM is not well designed for use as a remote-access VPN, because the VPN features don't support internal addressing, group-based access control or different VPN policies.

The UTM features for content filtering and anti-virus protection are easy to use. Anti-virus software using the subscription-based Kaspersky engine scans traffic on FTP, POP3 and SMTP ports, as well as on the 80, 8080 and 3128 HTTP ports. Content filtering can be used with a traditional URL filtering service sold as a subscription by ZyXel, or by maintaining lists of trusted and forbidden Web sites. Our testing, based on three months of use, confirmed content filtering's basic functionality: No user claimed to have been infected with a virus or had seen an untoward Web page when the ZyWall 70 UTM was in control. ZyXel also offers a subscription-based anti-spam service that can scan SMTP and POP3 mail, which we did not test.

If there's a useless part of the UTM service, it is ZyXel's intrusion-prevention technology. Like Velveeta processed cheese on top of a pizza, it's technically there, but it's limited and not very interesting. Although the company has built some IPS features - including simple but effective denial-of-service mitigation options - into the ZyWall 70 UTM's basic feature set, the IPS signature set and its management capabilities are narrow. ZyXel publishes signatures by subscription that can be used to drop packets and sessions or reset connections when a signature matches, but no real tuning is possible. Because the signatures are entirely opaque, figuring out what went wrong and how to fix it is nearly impossible. We also ran into problems as we tried to research logs; for example, there was missing information on the company's Code Red signature.

Although the ZyWall 70 UTM has its share of rough edges, it will meet the needs of most SMBs. It's an especially nice firewall for the technical security professional who can take the time to study and understand its many options.