ZyXEL Communications | GS-1524 | User manual | ZyXEL ZyNEWS



ZyNEWS

Nr. 1| 2008

Unified Security Gateways (USG)

A good two years after the successful launch of the ZyWALL UTM firewalls, ZyXEL has reached another key milestone in security. A new generation is to gradually replace the existing ZyWALL models by the end of the second quarter of 2008. The launch will kick off with two high-performance SME firewalls: ZyWALL USG 300 & USG 1000.

ZyXEL ZyWALL USG 300

Article: 91-009-034001B

Sale Price: € 1.518,00 excl. VAT.

Welcome to ZyXEL News

Welcome to a brand new communications initiative from ZyXEL Nordic: The ZyXEL News quarterly newsletter. Correct us if we’re wrong, but we have the impression that you are buried in electronic newsletters. Therefore we have chosen to go for a quite information-heavy printed newsletter that you can read, save and use as reference on ZyXEL technologies and products. If you want to distribute ZyXEL News in your organization, then you can find a PDF version on our web site.

In this format, ZyXEL News can go deeper into technical matters and give you a better understanding of how our products work, what their unique sales points are and how they can fulfil your customers' needs.

I invite you to send your feedback and comments on the ZyXEL News to me ([email protected]) so we can keep improving the newsletter and provide you with the most valuable information.

Magnus Ahlberg

Nordic Business Manager, Channel news

Copyright © 2008 ZyXEL Communications Corp., Columbusvej 5, 2860 Søborg

Publisher: ZyXEL Communications 2008, Editor: Carsten Hetling

Changing of the Guard

The new generation of security for large as well as small organizations: ZyXEL's new Unified Security Gateways are a series of rock-safe firewalls and much more...

IPSec and SSL

What are the differences between IPSec and SSL, and when to choose what?

Gigabit at low cost

ZyXEL is a very competitive player in the switch market with still more advanced products at very attractive prices.

Elegant housing for SME applications

Simple and contemporary design for the new professional Access Point

Diversity function for better reception

Diversity – when should it be used?

Security / USG

USG-Firewalls

Changing of the guard!

With its ZyWALL USG Series, ZyXEL has launched a new generation of security gateways. The USG models are based on a new firewall operating system and offer more performance, more features and can be managed more flexibly as a result of their object-oriented configuration. The UTM functions offer all-in-one protection for the network.

ZyWALL USG 300

The firewall protects small and medium-sized networks with up to 75 users comprehensively.

Thanks to the efficient firewall and IPSec throughput, it is ideally suited as a hybrid VPN concentrator. Seven Gigabit Ethernet ports can be freely

Hardware High Availability function increases the availability of the network.

ZyXEL ZyWALL USG 1000

Article: 91-009-052001B

Sale Price: € 3.350,00 excl. VAT

ZyWALL USG 1000

As a VPN concentrator for medium-sized networks with up to 200 users, the ZyWALL USG 1000 offers the required performance. Up to 1,000 IPSec and 50 SSL-VPN connections can be handled simultaneously on the firewall. Where segmented networks with active AV/IDP are used, it delivers a particularly high throughput. As with the ZyWALL USG 300, it is possible to set up VLANs. The five Gigabit ports which can be freely assigned to different zones ensure flexibility. The splitting of the local area network (LAN) reduces broadcast traffic and increases security considerably.

ZyXEL ZyWALL USG 300

10/100/1000 AUX Console Expansion card slot

Firewall with hybrid drive?

Previously IPSec-based VPN connections were generally considered to be the best solution for secure remote access. Today hybrid VPN with IPSec, L2TP and SSL is the ideal tool for meeting the requirements of different business models.

IPSec-VPN is used primarily to link entire networks. The L2TP included in the operating system is a good solution for remote access by a large number of Windows PCs without installing software. SSL-VPN has recently become established as an access technology in the SME sector. With the new ZyWALL USG solutions, these three VPN types can be used simultaneously.

Network security a thing of the past?

Network security continues to be the most important aspect of firewall appliances. However, today it is no longer the only focus. The network infrastructure in companies must consider the users and their applications to a greater extent. Application Patrol is one of the tools for defining rules as to who may use which applications at what time. The bandwidth management, which is based on the Application Patrol, regulates bandwidth availability.

Overview of ZyXEL ZyWALL firewalls:

Intrusion detection & prevention

More than 2,000 signatures protect systems from attacks by worms, trojans, backdoors, etc., and recognise the most frequently used instant messaging and peer-to-peer applications that usually aren't tolerated in a business network. While the antivirus function seeks to prevent the infection, IDP blocks the already active intruder.

ZyXEL ZyWALL 70 UTM

Firewall

Gateway antivirus

The new USG models offer about twice as many virus signatures as the ZyWALL 70 UTM. Another innovation is that IMAP4 is checked for viruses.

The antivirus service is based on a virus signature database from Kaspersky.

Higher security thanks to content filter

A content filter doesn't just improve productivity. It also improves security in the network by blocking spyware-infected websites. Many of the 60 categories are considered by the majority of companies to be irrelevant to business.

Throughput Firewall (Mbps)

Throughput IPSec-VPN (Mbps)

Max. NAT sessions

Max. IPSec tunnels

SSL tunnels

IDP-/AV-/AS-/CF Service Option

Interface

VLAN (802.1q)

Zone-specific rule categories

Object-oriented configuration

Hardware High Availability

Warranty (number of years)

80

40

10‘000

100

-

-

0

✔/✔/✔/✔

7 x 10/100

-

2

High availability of hardware

A second, identical ZyWALL USG allows the Hardware High Availability function to work in active/passive mode. The configuration is synchronised at regular intervals. If the active firewall fails, the backup takes over the gateway function.

Sale Price Phased-out

* Free anti-spam function in Version 2.1 Q2/2008

COMPANY

Object-oriented configuration

The object-oriented design of the ZyWALL USG enables the security rules to be defined flexibly. If necessary the objects can be adapted easily because they are only created once centrally. All rules in which these objects occur apply the changes automatically. Definitions cover users/user groups, IP addresses, services, timetables, AAA servers, authentication methods, certificates, ISP accounts and SSL applications.

DMZ server

Text-based configuration readout

The configuration of the ZyWALL USG Series can be saved, then viewed and updated if need be in an editor and reimported to the ZyWALL. Administrators value this function – both for documentation purposes and for checking the configuration.

Trade-in

An attractive trade-in offer makes the replacement of an old firewall appealing. It allows dealers to become familiar with the new configuration and the wide-ranging functions of the USG Series in a short time.

ZyWALL 35 UTM

SSL VPN

ZyXEL ZyWALL USG 300

USG-Firewall

200

100

60‘000

200

2 / max. 10

✔/✔/✔*/✔

7 x 10/100/1000

5

€ 1.518,00 excl. VAT.

SSL VPN

IPSec VPN

ZyWALL USG 300 www

ZyXEL ZyWALL USG 1000

USG-Firewall

NEW

350

150

200‘000

1000

5 / max. 50

✔/✔/✔*/✔

5 x 10/100/1000

5

€ 3.350,00 excl. VAT

Figure: Hybrid VPN coupled with UTM ensures the remote link is secure. (Diagram labels: ZyWALL USG 1000, ZyWALL 2 Plus, IPSec VPN, SUPPLIER BRANCH, HOME OFFICE.)

Security / VPN

IPSec and SSL − two VPN technologies compared

While VPN with IPSec has been a well-known and frequently used feature of the ZyWALL firewall series for years, in many situations SSL is increasingly seen as a valid substitute for providing secure access to network resources. Although many requirements can be met with both IPSec and SSL, there are applications in which one or the other technology offers clear advantages.

Virtual Private Network

A «Virtual Private Network» (VPN) sets up an encrypted and therefore secure connection via a public network. The most common application can be found in the link-up of a branch or home office with headquarters. In this case all the data are transferred between the endpoints in encrypted form following authentication.

IPSec

IPSec (Internet Security Protocol) contains several standards for authentication, for the exchange of keys and for encryption as well as for the transmission of data. All ZyWALL models and many ADSL and WAN routers from ZyXEL support IPSec and in this way enable a direct tunnel to be set up between the branch office and headquarters (site-to-site). The advantage of a purely hardware-based solution is that the configuration is limited to the routers, which makes the mode of operation reliable and transparent for the user. As soon as a remote network resource is accessed, the tunnel is set up automatically. To the user, the network connection established via the tunnel looks the same as with a locally connected computer and offers the same options. Software clients are available for mobile solutions.

SSL

SSL is an increasingly widespread encryption protocol that was already used with the first web browsers for secure https connections. Although the protocol could also be used for other purposes, it is employed mainly in web browser-supported applications. Web-oriented applications such as Outlook Web Access (OWA) or the intranet are made accessible to users via an encrypted connection to the corporate servers. The great advantage of SSL is that it is easy to handle and gives the user flexibility. Any computer with an SSL-enabled web browser can be used on the corporate network as a secure terminal, without software having to be installed beforehand or the configuration having to be modified. The user is identified and the tunnel set up via the portal site of the SSL appliance in the corporate network.

Further access options, including secure FTP access, can be implemented via applets provided by the SSL appliance. It is even possible to set up a full-tunnel mode via a software client. With both variants, some flexibility is sacrificed owing to the platform dependencies.

Summary

The two VPN technologies can overlap to a large extent in their applications. A simple remote desktop solution can run via an IPSec tunnel, just as a full-tunnel mode can be implemented via SSL. Nevertheless it is worth selecting the right solution for each use case. SSL does not replace IPSec. For site-to-site connections, IPSec will continue to serve us well for a long time yet, but for access to Web applications SSL is definitely the better option. Moreover, the two technologies can coexist without difficulty.

File access

Advantage of SSL-VPN:

- SSL-enabled browser suffices as client

- non-site-dependent

- no configuration on the client

Advantage of IPSec-VPN:

- transparent for user

- direct network access

- simple site-to-site connection

Secure from point to point with Vista

For an encrypted point-to-point connection via a public network, IPSec VPN is the best choice. The new IPSec VPN client from ZyXEL is convincing thanks to its compatibility with the latest Windows operating systems and its user-friendly installation and operation.

Secure and communicative

The ZyWALL IPSec VPN client enables remote users to set up a secure, encrypted point-to-point connection via public networks. It doesn't matter whether the connection is established via dial-up, Ethernet, DSL, WiFi or 3G. Thanks to its compatibility, the client can be used in conjunction with gateways from ZyXEL and many other manufacturers. The latest version can now also be used under Vista.

Powered by TheGreenBow

ZyXEL IPSec-VPN-Client

Easy handling

The installation wizard guides the user efficiently through the configuration in three steps. For major installations the configuration data can be copied quickly onto many computers in the form of a saved file. To meet the highest security demands, the configuration can be put on a USB memory stick with security elements such as a certificate, pre-shared key, etc. This means no authentication data are stored on a notebook. In such cases a VPN connection can only be set up in conjunction with the USB stick.

Free trial

The ZyXEL VPN client (powered by TheGreenBow) can be installed and tested free of charge for 30 days.

Applicability of VPN technology corresponding to usage

Ethernet / LAN switching

Gigabit at low cost

The ZyXEL switch family is growing at a rapid pace. The new web-managed switches ZyXEL GS-1524 and GS-1548 offer low-cost access with Gigabit speed. An intuitive web interface offers all the possible configurations that a small enterprise could need. The GS-1548 is also the first 48-port Gigabit switch from ZyXEL.

Web-managed Gigabit

The web-managed switches fill the gap between unmanaged and managed switches. They have a simplified web interface, which supports all the important configurations such as VLAN, QoS, port mirroring, trunking, etc. The GS-15XX are the first Gigabit switches in this class.

ZyXEL GS-1524

Article: 91-010-159001B

Sale Price: € 201,00 excl. VAT.

Investment protection

The configuration option ensures that the switch can be adapted to the network. Moreover, software upgrades are possible, which is not the case with «dumb» models. As a result, the switch can handle new requirements, and investments are protected.

AutoVoIP and AutoDoS

Both models support the function for automatic detection and prioritisation of VoIP calls that users have come to know from the ES-15XX models. The prioritisation is suitable for networks with only one switch, but unlike the 3XXX and 4XXX models cannot be passed on by 802.1p or Diffserv. AutoDoS is a function for protecting against the most serious denial-of-service attacks. This increases the internal security of the network.

Suitable for small networks

ZyXEL recommends web-managed switches particularly for small-sized networks. The spanning tree function is only supported by the fully-managed switches. These are preferable for more highly complex structures which often require this function.

Sensational prices

The new web-managed switches are very aggressively priced – only a little higher than the unmanaged switches. And with the GS-1548, ZyXEL for the first time offers a high Gigabit port density. This makes it increasingly worthwhile to equip all workplaces with Gigabit access.

ZyXEL GS-1548

Article: 91-010-160001B

Sale Price: € 517,00 excl. VAT.

Comparison and positioning of web-managed switches

Features ZyXEL GS-1124A

NEW

GS-1524

Description

Ports

Port Trunking

Unmanaged switch

24 x 1000Base-T,

2 x MiniGBIC (shared)

-

Spanning Tree Protocol

QoS 802.1p

-

-

VLAN 802.1Q -

AutoVoIP/DoS -

Rate Limiting

Serial Port/Telnet CLI

802.1x/MAC Filter/Intrusion Lock

-

-

-

Sale Price € 201,00 excl. VAT

Web-managed switch

24 x 1000Base-T,

4 x MiniGBIC (shared) static

-

4 queues

4K

7 levels

-

-

€ 267,00 excl. VAT

NEW

GS-1548

Web-managed switch

48 x 1000Base-T,

4 x MiniGBIC (shared) static

-

4 queues

4K

7 levels

-

-

€ 517,00 excl. VAT

GS-2024

Managed switch

24 x 1000Base-T,

2 x MiniGBIC (shared) static

STP/RSTP

4 queues

-

4K

64-Kbps levels

€ 681,00 excl. VAT.

Wireless LAN

Elegant housing for SME applications

Simple and contemporary design - that's the look of the new NWA-3160 Professional Access Point from ZyXEL. It has exactly the same functionality as the NWA-3100. This makes it ideal for use in professional environments, especially where aesthetic office design is a must.

FEATURES

• WLAN access point, dual band 802.11 a/b/g

• WDS modes (AP/AP bridge/repeater)

• 8 SSIDs with VLAN 802.1Q

• Security WEP / WPA / WPA2 and WPA mixed mode

• 2 connectable external antennas / RP-SMA

New outfit

ZyXEL is launching the NWA-3160 with dual-band function (based on the Professional WLAN Series NWA-3x00) with a new housing design. Simple, contemporary design is particularly important for business applications.

A wealth of features

The NWA-3160 transmits and receives on the 2.4 GHz or 5 GHz band. Thanks to PoE support, no obtrusive plug-in power supply units are required. As far as quality of service is concerned, it can be individually configured so that real-time data are given higher priority than data that are not time-critical. Up to eight virtual wireless networks (multi-SSID) combined with VLAN tagging (802.1Q) enable multiple user groups to be handled simultaneously with only one access point.

Versatile applications

With its extensive function set, the NWA-3160 can be used for applications in SMEs, for hotspots, in industry (process automation) or for telephony.

Roaming has been optimised and consequently the quality of VoIP calls improved. Central management for multiple access points is expected by the start of 2008.

ZyXEL NWA-3160

Article: 91-005-197001B

Sale Price: € 164,00 excl. VAT.

Diversity function for better reception

Diversity uses multiple antennas to provide better transmission and reception characteristics. It is already in use in the WLAN Pro products NWA-3100 and NWA-3500 and will be implemented in NWA-3160 at a later point in time. If standard antennas are used, better radio communication coverage can be achieved. When external antennas are used, however, the diversity function must be deactivated.

Diversity – when should it be used?

ZyXEL WLAN Pro Access Points have diversity technology implemented for optimum transmission and reception characteristics. During operation the system switches automatically to the internal or external antenna connection. While this technology offers optimum coverage with the standard antennas provided, the function needs to be deactivated when external antennas with cables are used.

Undesirable effects of diversity

External antennas are used to optimise coverage. If the diversity function is deactivated, this prevents the access point from being switched to the internal antenna mistakenly. This can happen, for example, if a WLAN client is close to the access point and not in the area covered by the external antenna. If the system switches to the internal antenna, the desired effect of the external antenna is cancelled out and the required WLAN coverage cannot be achieved.

How is diversity deactivated?

At present the function can only be configured via the CL interface with the following commands:

NWA-3100

wlan superset 0 0 0 -> Diversity ON
wlan superset 0 0 1 -> Diversity OFF

With diversity deactivated on the NWA-3100, only the main antenna on the right-hand antenna connection is used.

NWA-3500

wlan [wl] superset 0 0 0 --> Diversity ON
wlan [wl] superset 0 0 1 --> Diversity OFF

[wl]: 0=WLAN 1, 1=WLAN 2

With diversity deactivated on the NWA-3500, the internal chip antennas are switched off. WLAN 1 is aligned to the right-hand antenna connection, while WLAN 2 is routed to the left-hand connection.

Figure: Deactivate diversity when using external antennas (labels: External antenna connection, Transmitter / Receiver).
