The ZyWALL is promoted as a wireless-ready Internet security gateway. This basically means that it’s a small/home office firewall that has both LAN and WAN ports but into which you can insert a wireless LAN adaptor if you so desire – so you can use it with either cable-based or wireless LANs.

The unit itself is a little grey box about the size of your average four-port Ethernet hub. Although it comes with a support software CD, you don’t actually need to load any software onto your PC to get running, as the unit can be managed through a serial connection (using HyperTerminal on Windows), a Telnet link or a Web browser. The latter is, unsurprisingly, a pretty Web interface, while the other options are necessarily text- and menu-based.

We connected up the unit and turned on, pointing a Web browser at http://192.168.1.1. There’s a little startup wizard that asks you first to enter the password (it’s defaulted to 1234) and change it to something a little more secret, and then you can set up the unit for use. The main thing you need to do is define the WAN settings; in our case we have an Ethernet-based Internet link, so we just supplied an IP address, network mask and default router address.

Two-minute wonder
This process took all of about two minutes, and we were up and running on the Internet – a fairly impressive achievement. This is, however, only the tip of the iceberg – there’s a whole shedload of stuff you need to configure in order to protect the network from the big wide world out there (though the unit will block incoming traffic by default, so you don’t have to worry about unexpected attacks).

Setting up firewall rules is the usual exercise of defining what source address can make connections of what types to which destination address(es). The setup process is very simple – you pick addresses and service types from menus and hit “Apply”. I would prefer the ability to name addresses (so instead of having to remember that 192.168.34.23 is the internal address of my DNS server I’d like to be able to pick “Internal DNS” from a menu) but perhaps I’m just being picky.

Alongside the usual packet-filtering gubbins you’d expect from this kind of gadget is a big pile of content filtering too, so the unit will use a pre-configured list of sites and pages to disallow the download of dodgy content.

The unit can be a part of a virtual private network (VPN) – a growing desire for home and small office workers who want transparent but secure access into the office network. As with all VPN implementations of this sort, it’s a bit cryptic setting everything up (VPNs are a mass of key exchange types, authentication systems and encryption mechanisms) but this isn’t a criticism of the ZyXEL unit in particular – it’s part of life with any firewall.

A key desire for any firewall is the ability to apply firmware patches quickly and easily, and the 10W makes life very simple on this front. The Web interface makes it easy to locate the new firmware file and upload it; although it warns that you may need to save and then reload the configuration (always a good idea), when we updated to the most recent version the settings didn’t seem to be affected.
The final key thing that firewall makers often get wrong is logging – as a security consultant I like to be able to log everything that ever happened, regardless of whether it’s a “permit” or a “deny”. The 10W logs to its internal store by default (it splits things into 10 categories to avoid information overload), and if you so wish you can email the logs to a system admin or alternatively get the unit to fling messages at another system using the Unix “syslog” protocol (my preferred approach). Everything is logged by default, and you can turn categories of message off individually; for key message types such as login errors or suspected attacks the system can be told to send an immediate email alert to someone instead of waiting until the regular log update.

In short, the ZyWALL is a usable, fully-featured little home/small office firewall that makes all the right noises and is simple enough for someone with a fairly basic understanding of how firewalls work to get to grips with quickly.