Review: ZyWALL-2WG Mobile Internet Security Appliance
April 24, 2008
ZyXEL's well-connected branch/small/home office firewall secures Internet access via 802.11a/b/g, 3G cellular, and wired broadband.
Pros: Unusually well-connected and versatile; plenty of bang for the buck.
Cons: Lacks 802.11n or virtual AP support; a tad complex for SOHOs to configure.
Wi-Fi routers are a dime a dozen these days, but products that can also deliver secure Internet access when wired broadband is down or altogether absent are rare. ZyXEL's inexpensive-yet-feature-rich solution to this challenge is the ZyWALL-2WG, an 802.11a/b/g capable security appliance that can tap 3G cellular for primary Internet uplink, load sharing, or fail-over.
Where wires can't and Wi-Fi won't
Who needs a secure Internet router with on-board Wi-Fi and 3G cellular? For starters, any small or home office located outside a wired broadband (cable/fiber/DSL) serving area.
In the past, rural SOHOs had little choice but to reach the Internet via pricey satellite or painfully slow dial-up. But today, many have the option of using 3G "high-speed wireless broadband." In the US, that means HSDPA from a GSM carrier (e.g., AT&T Wireless) or EV-DO from a CDMA carrier (e.g., Verizon, Sprint). Although 3G handles hundreds of Kbps instead of Mbps, many isolated SOHOs--and even small branch offices--can be happy with that kind of throughput.
In fact, the ZyWALL-2WG is definitely not a residential Wi-Fi router. It is an entry-level Internet security appliance, capable of satisfying business needs like WPA2-Enterprise, configurable security zones, redundant VPN tunnels, bandwidth management, and Web filtering. Although the 2WG lacks the horsepower required by larger offices, it is certainly beefy enough and capable enough for small branch offices where budget is scarce, but security is important.
3G cellular makes the ZyWALL-2WG far more versatile than most security appliances. ZyXEL markets this paperback-sized box (220 x 148 x 30 mm, 1.13 lb) as a mobile Internet security appliance. No, you cannot carry it in your pocket and surf the Web as you stroll. But you can take the 2WG along to conferences, hotels, customer sites, and field surveys. In short, the 2WG can deliver shared Internet access from any venue with an AC outlet and cellular data coverage--including moving vehicles equipped with DC power inverters.
Some travelers use client mode to connect Wi-Fi routers to hotspot APs. But public venue Wi-Fi coverage can be spotty and setup/payment (e.g., portal login) is often required. By comparison, the ZyWALL-2WG can deliver instant subscription-based Internet access anywhere--except deep inside buildings where cellular penetration is poor, or at sites too remote to receive any cellular service. (In those cases, the 2WG could use dial-up as a last resort.)
Putting the 2WG into action
When the 2WG was first announced, 3G coverage was absent in our neck of the woods. But U.S. carriers have significantly expanded 3G footprint and increased typical throughput over the past year. To tap into more networks, ZyXEL qualified the 2WG with 5 EV-DO and 4 HSDPA adapters that can be slipped into the appliance's PCMCIA slot.
The unit we tested arrived with a Sprint Nextel EX720 ExpressCard (regular price $329), nestled inside a PC card cradle. That card had already been activated on Sprint's Power Vision mobile broadband network, selling here in Philadelphia for $39.99/month (40 MB) or $59.99/month (unlimited). Thus, all-you-can-eat 3G is more expensive than a $40/month wired broadband account, but well within reach for most SOHOs.
Some offices will rely exclusively on a cellular WAN link, but we deployed the 2WG in the dual-homed configuration shown below. We used wired broadband (Verizon's FIOS) as our primary WAN link, configuring the 2WG to fail over to Sprint's EV-DO Rev. A network as needed. If both of those WAN links had ever failed (or their budget or bandwidth had been exhausted), our 2WG was set to fail over to analog dial-up. That never actually happened during our month-long live test, but that emergency backup would be important in any office that used 3G alone.
Making complicated things simple
We found the 2WG surprisingly simple to put into action and relatively trouble-free thereafter. To get started, we simply inserted the Sprint PC card, connected a broadband Ethernet uplink, and powered up the appliance. First-time setup and registration was completed by plugging a laptop into the 2WG's LAN port and logging into ZyXEL's Web GUI.
By default, the appliance operates in route mode with Network Address Translation (NAT)--a configuration likely to fit most SOHOs. The 2WG also supports transparent (bridging) mode for branch offices that want to drop the appliance into the middle of an existing LAN without impacting IP addresses and routes.
WAN defaults are also suitable for most users--active/passive failover from WAN1 (Ethernet) to WAN2 (3G), with failback to primary when possible. The 2WG also supports active/active, but we think few users will balance traffic across WAN links if both lead to the Internet and one is clearly faster and cheaper than the other. Default route priorities reflect this and most installations will not need to fiddle with them.
Anyone who relies on 3G for Internet access should consider setting the 2WG's budget parameters. We briefly limited ourselves to 1 MB per month to verify that we would be cut off when we tried to exceed that budget. For subscribers with metered 3G, the 2WG's time- and volume-based thresholds and log, alert, or disconnect actions are essential. Because some carriers refuse to accept what "unlimited" really means, even subscribers with all-you-can-eat 3G plans should set high budgets to prevent the unexpected.
Configurable timeouts control how quickly the 2WG fails over from WAN1 to WAN2 and back again. We lost Internet connectivity from 30 seconds to two minutes whenever we pulled the 2WG's Ethernet cable. Presumably most of that delay was 3G session establishment, because failover in the opposite direction (3G to Ethernet) ranged between ten and 60 seconds.
However, upstream failures (e.g., loss of 3G signal, wired broadband router crash) did not initiate failover until we configured optional connectivity checks. Setting the 2WG to ping a default WAN gateway or any domain name or IP address easily resolved this. The result was resilient enough that live users did not complain as we simulated various WAN failures.
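The failover behaviour described in this section, written out as an added Python model (this is illustration code, not ZyXEL's firmware): active/passive selection by priority with failback, an upstream reachability probe so that a physically-up Ethernet link with a dead ISP router still triggers failover, and a time/volume budget on the metered 3G link with log, alert, and disconnect actions. The WAN names, probe counts standing in for the configurable timeouts, and the 40 MB budget are assumptions constructed for the example.

```python
"""Model of dual-WAN failover with an upstream probe and a usage budget.
Added illustration, not ZyXEL code; names and thresholds are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    LOG = "log"
    ALERT = "alert"
    DISCONNECT = "disconnect"


@dataclass
class Budget:
    """Usage budget for a metered link (volume in MB, connect time in minutes)."""
    volume_limit_mb: float
    time_limit_min: float
    warn_pct: float = 80.0      # alert once either limit is this far used
    used_mb: float = 0.0
    used_min: float = 0.0

    def record(self, mb: float, minutes: float) -> Action:
        self.used_mb += mb
        self.used_min += minutes
        pct = 100 * max(self.used_mb / self.volume_limit_mb,
                        self.used_min / self.time_limit_min)
        if pct >= 100:
            return Action.DISCONNECT
        if pct >= self.warn_pct:
            return Action.ALERT
        return Action.LOG


@dataclass
class Wan:
    name: str
    priority: int                       # lower number = preferred link
    budget: Optional[Budget] = None
    down: bool = False                  # declared dead by the probe
    exhausted: bool = False             # budget hit, link disconnected
    fails: int = 0                      # consecutive failed probes
    oks: int = 0                        # consecutive good probes


class FailoverController:
    def __init__(self, wans: List[Wan], fail_after: int = 3, recover_after: int = 2):
        # fail_after / recover_after stand in for the configurable timeouts
        self.wans = sorted(wans, key=lambda w: w.priority)
        self.fail_after = fail_after
        self.recover_after = recover_after
        self.active: Wan = self.wans[0]
        self.events: List[str] = []

    def probe(self, results: Dict[str, bool]) -> Optional[str]:
        """One probe cycle; results maps WAN name -> upstream ping succeeded.
        Returns the WAN carrying traffic afterwards (None if there is none)."""
        for w in self.wans:
            if results.get(w.name, False):
                w.oks, w.fails = w.oks + 1, 0
                if w.down and w.oks >= self.recover_after:
                    w.down = False
                    self.events.append(f"{w.name} recovered")
            else:
                w.fails, w.oks = w.fails + 1, 0
                if not w.down and w.fails >= self.fail_after:
                    w.down = True
                    self.events.append(f"{w.name} down")
        return self._reselect()

    def _reselect(self) -> Optional[str]:
        # Walk in priority order, so a recovered primary wins (failback).
        for w in self.wans:
            if not w.down and not w.exhausted:
                if w is not self.active:
                    self.events.append(f"switch {self.active.name} -> {w.name}")
                    self.active = w
                return w.name
        self.events.append("no usable WAN")   # dial-up would be the last resort
        return None

    def account(self, name: str, mb: float, minutes: float) -> Action:
        """Charge traffic to a link and enforce its budget, if it has one."""
        w = next(x for x in self.wans if x.name == name)
        if w.budget is None:
            return Action.LOG
        action = w.budget.record(mb, minutes)
        if action is Action.DISCONNECT and not w.exhausted:
            w.exhausted = True
            self.events.append(f"{name} budget exhausted")
            self._reselect()
        return action


def demo():
    eth = Wan("WAN1-ethernet", priority=1)
    cell = Wan("WAN2-3G", priority=2,
               budget=Budget(volume_limit_mb=40, time_limit_min=600))
    c = FailoverController([eth, cell])
    trace: list = []
    # ISP router dies upstream: the Ethernet link stays up, but probes fail.
    for _ in range(3):
        trace.append(c.probe({"WAN1-ethernet": False, "WAN2-3G": True}))
    # Traffic now rides the metered 3G link; 35 of 40 MB used -> alert.
    trace.append(c.account("WAN2-3G", mb=35, minutes=30))
    # Primary comes back: fail back after two clean probes.
    for _ in range(2):
        trace.append(c.probe({"WAN1-ethernet": True, "WAN2-3G": True}))
    return c, trace


if __name__ == "__main__":
    ctl, trace = demo()
    print(trace)
    print(*ctl.events, sep="\n")
```

The point of the probe counters is the one the review makes: link-state alone never notices a dead upstream, so the check has to be a reachability test, and the counts (or timeouts) decide how long a flap is tolerated before traffic moves to the expensive link and how quickly it returns.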
Making simple things complicated
In our opinion, the 2WG GUI struggles to strike a balance between the simplicity needed by SOHOs and the degree of control required by branch office administrators. Ultimately, home offices will not find this GUI overwhelming. But many could be distracted by the plethora of options that made some simple tasks harder than we think they should be.
For example, home Wi-Fi routers tend to lump all Wi-Fi and Ethernet clients into one LAN and permit inbound traffic to a single DMZ server or a few well-known ports. But the 2WG lets you place any Ethernet port into LAN, WLAN, or DMZ security zones. Businesses will appreciate this flexibility, and port assignment couldn't be any easier (see below). Unfortunately, the 2WG also forces you to configure explicit firewall rules to route NBT (and other protocols) between zone pairs. This exposed detail and number of zone permutations make the overall outcome harder to grasp.
Similarly, when it comes to NAT, the 2WG is unusually flexible for an entry-level appliance. Possible mapping types include one-to-one, many-to-one, many-to-one-overload, many one-to-one, server, and ZyXEL's own single-user-account alternative. But you can't just configure a port-forwarding rule, mapping an inbound port to a translated port and IP. No, you must also configure a firewall rule for each affected zone to accept traffic on the incoming port. Applications that challenge NAT (like SIP and FTP) may also require Application Layer Gateway (ALG) rules. You get the picture--net admins will appreciate this control, but SOHOs will probably make a few mistakes when venturing beyond "block all inbound."
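The two-step port-forward the review describes (a NAT server mapping plus an inter-zone firewall rule, with inbound blocked by default) is easy to get half right, so the following added Python model (not ZyXEL code) evaluates an inbound WAN packet through both steps and then audits the policy for the mistakes SOHOs tend to make: a NAT mapping with no accept rule behind it (silently unreachable) and a WAN accept rule with no mapping behind it or with "any" port. Zone names, the first-match rule order, and matching the firewall rule on the incoming (pre-NAT) port are assumptions made for the model; check the appliance's own rule-evaluation order before relying on them.

```python
"""Zone-based NAT + firewall policy model and audit. Added illustration,
not ZyXEL code; zone names, addresses and rule order are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

ANY = "any"


@dataclass(frozen=True)
class NatRule:
    """'Server' mapping: public WAN port -> inside host:port."""
    wan_port: int
    inside_ip: str
    inside_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class FwRule:
    src_zone: str
    dst_zone: str
    proto: str                  # "tcp", "udp" or ANY
    dport: Union[int, str]      # port number or ANY
    action: str                 # "accept" or "drop"


@dataclass
class Policy:
    host_zone: Dict[str, str]   # inside IP -> zone of the port it sits on
    nat: List[NatRule]
    rules: List[FwRule]
    default_action: str = "drop"    # "block all inbound" unless a rule says otherwise

    def translate(self, proto: str, wan_port: int) -> Optional[NatRule]:
        return next((r for r in self.nat
                     if r.proto == proto and r.wan_port == wan_port), None)

    def fw_decision(self, src_zone: str, dst_zone: str, proto: str, dport: int) -> str:
        for r in self.rules:    # first matching rule wins (assumed ordering)
            if (r.src_zone in (src_zone, ANY) and r.dst_zone in (dst_zone, ANY)
                    and r.proto in (proto, ANY) and r.dport in (dport, ANY)):
                return r.action
        return self.default_action

    def inbound(self, proto: str, wan_port: int) -> Tuple[str, Optional[str]]:
        """Verdict for a packet arriving from the WAN on wan_port."""
        nat = self.translate(proto, wan_port)
        if nat is None:
            return ("drop: no NAT mapping", None)
        dst_zone = self.host_zone.get(nat.inside_ip, "unknown")
        target = f"{nat.inside_ip}:{nat.inside_port}"
        # Firewall rule checked on the incoming port (assumption for the model).
        if self.fw_decision("WAN", dst_zone, proto, wan_port) != "accept":
            return (f"drop: NAT ok but no WAN->{dst_zone} accept rule", target)
        return ("accept", target)


def audit(p: Policy) -> List[str]:
    """Lint: unreachable NAT mappings and WAN accept rules wider than the mappings."""
    findings = []
    for n in p.nat:
        z = p.host_zone.get(n.inside_ip, "unknown")
        if p.fw_decision("WAN", z, n.proto, n.wan_port) != "accept":
            findings.append(f"NAT {n.proto}/{n.wan_port} -> {n.inside_ip}:{n.inside_port} "
                            f"is unreachable (no WAN->{z} accept rule)")
    for r in p.rules:
        if r.src_zone not in ("WAN", ANY) or r.action != "accept":
            continue
        if r.dport == ANY or r.proto == ANY:
            findings.append(f"overly broad accept WAN->{r.dst_zone}: {r.proto}/{r.dport}")
        elif p.translate(r.proto, r.dport) is None:
            findings.append(f"accept WAN->{r.dst_zone} {r.proto}/{r.dport} has no NAT mapping behind it")
    return findings


def demo() -> Policy:
    # Constructed policy: web server on the DMZ, an RDP forward whose firewall
    # rule was forgotten, and a stale SSH accept rule with nothing behind it.
    return Policy(
        host_zone={"192.168.3.10": "DMZ", "192.168.1.20": "LAN"},
        nat=[NatRule(80, "192.168.3.10", 8080),
             NatRule(3389, "192.168.1.20", 3389)],
        rules=[FwRule("WAN", "DMZ", "tcp", 80, "accept"),
               FwRule("WAN", "DMZ", "tcp", 22, "accept"),
               FwRule("LAN", "DMZ", ANY, ANY, "accept"),
               FwRule("DMZ", "LAN", ANY, ANY, "drop")],
    )


if __name__ == "__main__":
    p = demo()
    for port in (80, 3389, 443):
        print(port, p.inbound("tcp", port))
    print(*audit(p), sep="\n")
```

Run the audit after every change to the NAT or firewall tables: the first finding is the classic "I forwarded the port but it doesn't work" support call, and the second is the rule that stays open long after the service behind it is gone.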
Getting more--and less--out of Wi-Fi
As we had expected, this appliance's Wi-Fi features are more sophisticated than residential APs, but less advanced than enterprise APs. For example, the 2WG supports SOHO staples like 802.11b/g, SSID hiding, MAC filters, WEP, and WPA/WPA2-Personal (PSK). (SSID hiding, MAC filters, and WEP are there for legacy clients; none of them keeps a determined attacker out, so treat WPA2 as the floor.) Business-grade features include 802.11a, WPA/WPA2-Enterprise (802.1X), mixed (WPA + WPA2) security, and master key caching.
However, the appliance's local user database is only consulted by an odd legacy 802.1X + static WEP option that wouldn't work with any client in our lab. It turns out that WPA/WPA2-Enterprise requires an external RADIUS server. That's too bad, because that local user database would be perfect for smaller offices that don't have a RADIUS server, but still need secure Wi-Fi with per-user authentication.
To ZyXEL's credit, the 2WG lets you define up to 8 SSIDs, each tied to its own security profile. Like many small offices, we started by configuring an open guest SSID and a WPA2 company SSID. But then it dawned on us: just one SSID could be actively enabled. According to ZyXEL, there is no plan to support multiple active SSIDs (aka Virtual APs)--a common feature on business APs. This constraint renders the unit's 8 SSIDs far less useful, although they could still come in handy when moving the appliance between locations.
Finally, note that ZyXEL plans to add 802.11n to the next version of the 2WG, currently scheduled for 4Q08. In the meantime, offices that need more capacity or reach can easily connect another AP to one of the 2WG's Ethernet ports, placed in the same security zone. If that second AP is another 2WG, roaming can be facilitated by key caching.
Making WAN diversity really work
Multiple WAN links form the tip of the iceberg when it comes to multi-homed business networks. Ensuring that other network and security capabilities continue to work in the face of WAN diversity is where the 2WG really starts to shine.
Suppose you want to put your own Web server on the 2WG's DMZ. How do you keep that server seamlessly accessible as your 2WG flips between wired broadband and 3G cellular? Like many residential routers, the 2WG can use DynDNS, a public DNS provider that automatically rebinds a static domain name to a dynamically-assigned IP address. But that's not enough for a multi-homed router, so the 2WG lets you bind multiple WAN interfaces to the same DDNS hostname. Need to advertise multiple hostnames? The 2WG supports that too.
When active/active links are used for load balancing or overflow, NAT could easily break multi-session applications. For example, if more than one WAN link is active, you need to make sure that VoIP traffic heads back out on the same WAN link (and therefore public source IP address) through which it arrived. This is where the 2WG's ALG comes to the rescue, providing default rules that keep SIP, H.323, FTP, SMTP, POP3, and HTTP sessions working as intended.
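What the ALG defaults have to guarantee in the active/active case is per-flow affinity: a session that arrived on one WAN (and therefore one public address) must have its replies sent out the same WAN, while genuinely new outbound flows can still be balanced. The added Python model below (illustration code, not ZyXEL's implementation) shows the mechanism with a flow table keyed by the 5-tuple; the addresses, the SIP exchange, and the round-robin balancing policy are constructed for the example.

```python
"""Per-flow WAN pinning for an active/active multi-WAN NAT router.
Added illustration, not ZyXEL code; addresses and policy are constructed.
"""
from itertools import cycle
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, str, int]   # proto, local ip/port, remote ip/port


class FlowPinner:
    def __init__(self, wans: List[str]):
        self.wans = list(wans)
        self._rr = cycle(self.wans)         # balancer for new outbound flows
        self._naive = cycle(self.wans)      # same policy with no flow table, for contrast
        self.flows: Dict[FlowKey, str] = {}

    @staticmethod
    def key(proto: str, local_ip: str, local_port: int,
            remote_ip: str, remote_port: int) -> FlowKey:
        return (proto, local_ip, local_port, remote_ip, remote_port)

    def inbound(self, wan: str, proto: str, remote_ip: str, remote_port: int,
                local_ip: str, local_port: int) -> str:
        """A packet arrived on `wan`; pin the flow to it (first packet wins)."""
        k = self.key(proto, local_ip, local_port, remote_ip, remote_port)
        return self.flows.setdefault(k, wan)

    def egress(self, proto: str, local_ip: str, local_port: int,
               remote_ip: str, remote_port: int) -> str:
        """WAN for an outbound packet: the pinned one if the flow is known,
        otherwise the next link from the balancer (and pin it from now on)."""
        k = self.key(proto, local_ip, local_port, remote_ip, remote_port)
        if k not in self.flows:
            self.flows[k] = next(self._rr)
        return self.flows[k]

    def naive_egress(self) -> str:
        """What a balancer without connection tracking would pick: any link."""
        return next(self._naive)


def demo():
    p = FlowPinner(["WAN1-ethernet", "WAN2-3G"])
    # Constructed SIP exchange: an INVITE arrives on the 3G link for the DMZ PBX.
    pbx, peer = ("192.168.3.5", 5060), ("203.0.113.7", 5060)
    arrived_on = p.inbound("WAN2-3G", "udp", *peer, *pbx)
    reply_out = p.egress("udp", *pbx, *peer)      # must equal arrived_on
    naive_out = p.naive_egress()                  # would leave with the wrong source IP
    # Fresh outbound flows with no history are still spread across both links.
    fresh = [p.egress("tcp", "192.168.1.20", 40000 + i, "198.51.100.9", 443)
             for i in range(2)]
    return arrived_on, reply_out, naive_out, fresh


if __name__ == "__main__":
    print(demo())
```

The same table is what an ALG builds on: once the SIP signalling flow is pinned, the ALG can register the negotiated RTP ports against the same WAN, so the media follows the signalling instead of being balanced onto the other public address.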
Similarly, network-layer VPN tunnels break when one endpoint IP address changes. This of course cannot be avoided during failover from wired broadband to 3G cellular. But the 2WG overcomes this common speed-bump by letting you define redundant VPN gateways and reestablish VPN tunnels automatically during WAN fail-over. In fact, we found it surprisingly easy to establish a VPN tunnel from our 2WG to our own (Juniper) VPN gateway, and ZyXEL does an outstanding job of providing simple-but-effective VPN status and diagnostic information.
The bottom line
We focused on wireless networking and did not rigorously exercise the 2WG's firewall. But note that the 2WG does far more than basic stateful packet inspection--for example, supporting BlueCoat Web filtering for $79.99/year. We also did not test the unit's remote management features, including central control through ZyXEL's Vantage NMS. Capabilities like these differentiate the 2WG from basic 3G-capable routers like the Linksys WRT54G3G or D-Link DIR 450 and let it compete more effectively with richer appliances like the SonicWALL TZ 190.
In our opinion, the 2WG lived up to its promise of delivering business-grade secure mobile Internet at an attractive price. Aside from the occasional obscure or complex option, we found the 2WG easy to administer and surprisingly reliable. The addition of 802.11n will make the 2WG a formidable contender in the growing market of "mobile" gateways that let SOHOs and branch offices make the best of both the Wi-Fi and 3G wireless worlds.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. She has been involved in the design, implementation, assessment, and testing of NetSec products and services for over 25 years.