Verdict

ZyXEL has been partial to a spot of diversification lately, as in our exclusive review of the NSA-2400 where we saw it move into the hotly contested desktop NAS appliance market. Now, its latest ZyWALL SSL 10 aims to give it a foothold in the world of SSL VPNs.

The appeal of SSL VPNs to small businesses hasn’t been missed by most SMB networking vendors with the majority catching on this year and delivering low cost appliances. Billion was one of the first with its well-featured BiGuard S10 and was followed quickly by Netgear and Linksys. Tipping the price scales at over £200 puts the SSL 10 firmly in the same ball park as Billion and Netgear and here we see whether it has the features to square up to them.

This compact appliance supports up to 10 SSL VPN tunnels but can be upgraded to 25 tunnels. It comes with a quad of switched Fast Ethernet ports and a single RJ-45 WAN port, which can be connected to a broadband modem or to an existing gateway. It has its own SPI/NAT firewall so can front an Internet connection, or you can drop it into a DMZ behind an existing firewall.

The web interface is easy enough to use and a wizard helps configure the appliance either as a gateway or when it’s on a DMZ. To secure access to LAN resources the appliance uses a combination of user authentication and group membership plus network objects. For authentication you have plenty of choices as you can use the appliance’s local user database but it also supports AD, LDAP and RADIUS servers.

SSL application objects are used to define a service and associated IP address on the LAN. For web based applications you specify the address of the hosting server and choose web server, web mail or OWA (Office Web Access) as the server type. For non-web applications you define them as applications with an associated IP address, TCP or UDP transport and service type. Lastly, you have basic file sharing objects, which contain a system’s IP address and the share path to a file or directory that will be presented to a remote user. If you want to give full access to the LAN you define the address subnet as a VPN Network, which will create a fully encrypted tunnel allowing access to the local network.

Now you can create policies to determine what remote users are allowed to access. Each policy can contain selected users and groups, have a range of objects assigned to it and be scheduled to be active at certain times of each day. You can also decide whether to allow full network access and provide different VPN networks that determine the private addresses they receive. Usefully, any changes to network objects will be automatically propagated to the policies that use them.

ZyXEL’s end-point security enables you to check the client system for operating systems, service packs and so on. After successful authentication the appliance downloads ActiveX controls and Java apps that scan the system looking for required components. You can check for specific versions of IE, NetScape, Mozilla and FireFox and look for anti-virus products although this is currently limited to Symantec and McAfee. However, you can also insist that their auto-protect function is switched on and check for the existence of Windows patches, registry entries and processes.

When a user points their browser at the appliance’s WAN port they are redirected to a log-in portal and after authentication receive a page showing what applications and file sharing features they can access. The portal asks if you’re on a trusted or untrusted machine during logon but can’t validate this. If you select the trusted option then your browser cache won’t be cleaned when the session ends.

”’The web management interface provides easy access to a wealth of security features.”’

Web applications can be fired up directly from the portal whilst non-web apps must be loaded and pointed at the localhost address and port specified in the portal entry. We tested the latter successfully using an FTP client tool on a remote system which was redirected through to our server on the LAN. Using the full tunnel mode we were able to access LAN resources from our remote client and connect over RDP to a Windows server. File sharing was also easy to configure and we were able to remotely browse files and directories on our local servers from the portal.

Although not available in the UK until July, the SSL 10 will support ZyXEL’s OTP (one-time password) system. The kits comprise USB tokens which receive a set of OTPs from the server software component. The user presses a button on the token, which displays the next password. This is entered in the login portal and the SSL 10 links up with the OTP server to verify the password.

”’Verdict”’

The SSL 10 is delivering a lot of features for the price and the combination of policies, end-point security and network objects makes it extremely versatile. It’s a close call with Billion’s BiGuard S10, although we found the latter is easier to configure and is a better bet if you also want basic URL filtering plus QoS features.

Note that the login portal trusts users to select the correct computer and OTP won’t be available until July.

—-


Once you’ve defined your network objects the security policies tie everything neatly together.

—-


Endpoint security is good for the price although client anti-virus checks are limited to McAfee or Symantec.

—-

Specific file shares on local systems can be offered to selected users.


—-

Trusted Score