ZyXEL ZyWALL UTM
Strengths: Lots of features and good expansion options.
Weaknesses: Some flaws found during aggressive internal attacks.
Verdict: More than we expected from an SMB/branch office firewall.
The ZyWALL 35 is a mid-range model with four LAN and two WAN ports, and a throughput of 70Mbps.
Getting started was easy, but we worried about security. Although HTTPS is enabled, the quickstart guide mentions only an unsecure HTTP GUI interface. Although the login page does make an effort to encrypt the password, it does so predictably and a replay attack is easily accomplished. Furthermore, the form prompting for a new password passes its data back in complete cleartext, although you can disable HTTP administration from within the GUI.
IDP and anti-virus is provided through an optional module that ships on a PC card, a clever idea to extend the modest processing capabilities of the system.
However, the chassis only has one slot, which can also be used for a wireless card, so you have to choose either IDP/AV or wireless. Plugging in the module did not result in any GUI feedback, and after downloading the initial signatures (none are bundled), we could not find any sign of success - a bit more feedback is needed.
The firewall works fine and includes some denial-of-service protection, but the system is quite sensitive: initial scans logged as "flood" attacks. If the unit is sitting on a DSL connecting in a branch office, this will happen a lot, but we were pleased to see the alert.
IPsec is provided and works fine with wizards to get VPNs configured. Class-based queues control bandwidth, and anti-spam and content filtering is included.
The unit can operate in transparent mode (as a filtering bridge) or as a router, and has very easy interfaces to switch configuration. LAN ports can also be very easily reassigned to a DMZ and servers configured - not complicated tasks, but we liked the easy GUI mechanisms to accomplish them.
Logging is simple and among the best we looked at. Logs can be periodically mailed or directed to a syslog server. Within the GUI, events can be narrowed down to specific types of incidents, and while no searching is provided, the product ships with ZyXEL's Vantage reporting tool, which gathers syslog data then offers a graphical reporting frontend.
We did find some vulnerabilities during some of our more aggressive tests - simulating attacks from insiders against the admin interface - so this would need protection. Limit the IPs with access, for example.
ZyXEL is continuing to do what it does well: bundling good enterprise features into SME and branch office products at a very attractive price.