ZyNEWS
No. 1 | 2008
Unified Security Gateways (USG)
A good two years after the successful launch of the ZyWALL UTM firewalls, ZyXEL has reached another key milestone in security. A new generation is to gradually replace the existing ZyWALL models by the end of the second quarter of 2008. The launch will kick off with two high-performance SME firewalls: ZyWALL USG 300 & USG 1000.
ZyXEL ZyWALL USG 300
Article: 91-009-034001B
Sale Price: € 1.518,00 excl. VAT.
Welcome to ZyXEL News
Welcome to a brand new communications initiative from ZyXEL Nordic: the ZyXEL News quarterly newsletter. Correct us if we’re wrong, but we have the impression that you are buried in electronic newsletters. Therefore we have chosen to go for a quite information-heavy printed newsletter that you can read, save and use as a reference on ZyXEL technologies and products. If you want to distribute ZyXEL News in your organization, you can find a PDF version on our web site.
In this format, ZyXEL News can go deeper into technical matters and give you a better understanding of how our products work, what their unique sales points are and how they can fulfil your customers’ needs.
I invite you to send your feedback and comments on ZyXEL News to me ([email protected]) so we can keep improving the newsletter and provide you with the most valuable information.
Magnus Ahlberg
Nordic Business Manager, Channel news
Copyright © 2008 ZyXEL Communications Corp., Columbusvej 5, 2860 Søborg
Publisher: ZyXEL Communications 2008, Editor: Carsten Hetling
Changing of the Guard
The new generation of security for large as well as small organizations: ZyXEL's new Unified Security Gateways are a series of rock-safe firewalls and much more...
IPSec and SSL
What are the differences between IPSec and SSL, and when to choose what?
Gigabit at low cost
ZyXEL is a very competitive player in the switch market with still more advanced products at very attractive prices.
Elegant housing for SME applications
Simple and contemporary design for the new professional Access Point
Diversity function for better reception
Diversity: when should it be used?
Security / USG
USG-Firewalls
Changing of the guard!
With its ZyWALL USG Series, ZyXEL has launched a new generation of security gateways. The USG models are based on a new firewall operating system and offer more performance, more features and can be managed more flexibly as a result of their object-oriented configuration. The UTM functions offer all-in-one protection for the network.
ZyWALL USG 300
The firewall protects small and medium-sized networks with up to 75 users comprehensively.
Thanks to the efficient firewall and IPSec throughput, it is ideally suited as a hybrid VPN concentrator. Seven Gigabit Ethernet ports can be freely
Hardware High Availability function increases the availability of the network.
ZyXEL ZyWALL USG 1000
Article: 91-009-052001B
Sale Price: € 3.350,00 excl. VAT
ZyWALL USG 1000
As a VPN concentrator for medium-sized networks with up to 200 users, the ZyWALL USG 1000 offers the required performance. Up to 1,000 IPSec and 50 SSL-VPN connections can be handled simultaneously on the firewall. Where segmented networks with active AV/IDP are used, it delivers a particularly high throughput. As with the ZyWALL USG 300, it is possible to set up VLANs. The five Gigabit ports which can be freely assigned to different zones ensure flexibility. The splitting of the local area network (LAN) reduces broadcast traffic and increases security considerably.
[Figure: ZyXEL ZyWALL USG 300, with labels: 10/100/1000, AUX, Console, Expansion card slot]
Firewall with hybrid drive?
Previously IPSec-based VPN connections were generally considered to be the best solution for secure remote access. Today hybrid VPN with IPSec, L2TP and SSL is the ideal tool for meeting the requirements of different business models.
IPSec-VPN is used primarily to link entire networks.
The L2TP included in the operating system is a good solution for remote access by a large number of Windows PCs without installing software. SSL-VPN has recently become established as an access technology in the SME sector. With the new ZyWALL USG solutions, these three VPN types can be used simultaneously.
Network security a thing of the past?
Network security continues to be the most important aspect of firewall appliances. However, today it is no longer the only focus. The network infrastructure in companies must consider the users and their applications to a greater extent. Application Patrol is one of the tools for defining rules as to who may use which applications at what time.
The bandwidth management, which is based on the Application Patrol, regulates bandwidth availability.
Overview of ZyXEL ZyWALL firewalls:
Intrusion detection & prevention
More than 2,000 signatures protect systems from attacks by worms, trojans, backdoors, etc., and recognise the most frequently used instant messaging and peer-to-peer applications that usually aren't tolerated in a business network. While the antivirus function seeks to prevent the infection, IDP blocks the already active intruder.
ZyXEL ZyWALL 70 UTM
Firewall
Gateway antivirus
The new USG models offer about twice as many virus signatures as the ZyWALL 70 UTM. Another innovation is that IMAP4 is checked for viruses.
The antivirus service is based on a virus signature database from Kaspersky.
Higher security thanks to content filter
A content filter doesn't just improve productivity. It also improves security in the network by blocking spyware-infected websites. Many of the 60 categories are considered by the majority of companies to be irrelevant to business.
Throughput Firewall (Mbps)
Throughput IPSec-VPN (Mbps)
Max. NAT sessions
Max. IPSec tunnels
SSL tunnels
IDP-/AV-/AS-/CF Service Option
Interface
VLAN (802.1q)
Zone-specific rule categories
Object-oriented configuration
Hardware High Availability
Warranty (number of years)
80
40
10‘000
100
-
✔
-
0
✔/✔/✔/✔
7 x 10/100
-
2
High availability of hardware
A second, identical ZyWALL USG allows the Hardware High Availability function to work in active/passive mode. The configuration is synchronised at regular intervals. If the active firewall fails, the backup takes over the gateway function.
Sale Price Phased-out
* Free anti-spam function in Version 2.1 Q2/2008
Object-oriented configuration
The object-oriented design of the ZyWALL USG enables the security rules to be defined flexibly.
If necessary the objects can be adapted easily because they are only created once centrally.
All rules in which these objects occur apply the changes automatically. Definitions cover users/user groups, IP addresses, services, timetables, AAA servers, authentication methods, certificates, ISP accounts and SSL applications.
Text-based configuration readout
The configuration of the ZyWALL USG Series can be saved, then viewed and updated if need be in an editor and reimported to the ZyWALL. Administrators value this function – both for documentation purposes and for checking the configuration.
Trade-in
An attractive trade-in offer makes the replacement of an old firewall appealing. It allows dealers to become familiar with the new configuration and the wide-ranging functions of the USG Series in a short time.
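ZyXEL ZyWALL USG 300 (USG-Firewall)
Throughput Firewall (Mbps): 200
Throughput IPSec-VPN (Mbps): 100
Max. NAT sessions: 60‘000
Max. IPSec tunnels: 200
SSL tunnels: 2 / max. 10
IDP-/AV-/AS-/CF Service Option: ✔/✔/✔*/✔
Interface: 7 x 10/100/1000
VLAN (802.1q): ✔
Zone-specific rule categories: ✔
Object-oriented configuration: ✔
Hardware High Availability: ✔
Warranty (number of years): 5
Sale Price: € 1.518,00 excl. VAT.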
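ZyXEL ZyWALL USG 1000 (USG-Firewall, NEW)
Throughput Firewall (Mbps): 350
Throughput IPSec-VPN (Mbps): 150
Max. NAT sessions: 200‘000
Max. IPSec tunnels: 1000
SSL tunnels: 5 / max. 50
IDP-/AV-/AS-/CF Service Option: ✔/✔/✔*/✔
Interface: 5 x 10/100/1000
VLAN (802.1q): ✔
Zone-specific rule categories: ✔
Object-oriented configuration: ✔
Hardware High Availability: ✔
Warranty (number of years): 5
Sale Price: € 3.350,00 excl. VAT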
[Figure: Hybrid VPN coupled with UTM ensures the remote link is secure. Diagram labels: ZyWALL USG 1000, ZyWALL 2 Plus, IPSec VPN, SUPPLIER BRANCH, HOME OFFICE]
Security / VPN
IPSec and SSL − two VPN technologies compared
While VPN with IPSec has been a well-known and frequently used feature of the ZyWALL firewall series for years, in many situations SSL is increasingly seen as a valid substitute for providing secure access to network resources. Although many requirements can be met with both IPSec and SSL, there are applications in which one or the other technology offers clear advantages.
Virtual Private Network
A «Virtual Private Network» (VPN) sets up an encrypted and therefore secure connection via a public network. The most common application can be found in the link-up of a branch or home office with headquarters. In this case all the data are transferred between the endpoints in encrypted form following authentication.
IPSec
IPSec (Internet Security Protocol) contains several standards for authentication, for the exchange of keys and for encryption as well as for the transmission of data. All ZyWALL models and many ADSL and WAN routers from ZyXEL support IPSec and in this way enable a direct tunnel to be set up between the branch office and headquarters (site-to-site). The advantage of a purely hardware-based solution is that the configuration is limited to the routers, which makes the mode of operation reliable and transparent for the user. As soon as a remote network resource is accessed, the tunnel is set up automatically. To the user, the network connection established via the tunnel looks the same as with a locally connected computer and offers the same options. Software clients are available for mobile solutions.
SSL
SSL is an increasingly widespread encryption protocol that was already used with the first web browsers for secure https connections. Although the protocol could also be used for other purposes, it is employed mainly in web browser-supported applications. Web-oriented applications such as Outlook Web Access (OWA) or the intranet are made accessible to users via an encrypted connection to the corporate servers. The great advantage of SSL is that it is easy to handle and gives the user flexibility. Any computer with an SSL-enabled web browser can be used on the corporate network as a secure terminal, without software having to be installed beforehand or the configuration having to be modified. The user is identified and the tunnel set up via the portal site of the SSL appliance in the corporate network.
Further access options, including secure FTP access, can be implemented via applets provided by the SSL appliance. It is even possible to set up a full-tunnel mode via a software client. With both variants, some flexibility is sacrificed owing to the platform dependencies.
Summary
The two VPN technologies can overlap to a large extent in their applications. A simple remote desktop solution can run via an IPSec tunnel, just as a full-tunnel mode can be implemented via SSL.
Nevertheless it is worth selecting the right solution for each use case. SSL does not replace IPSec.
For site-to-site connections, IPSec will continue to serve us well for a long time yet, but for access to Web applications SSL is definitely the better option. Moreover, the two technologies can coexist without difficulty.
Advantage of SSL-VPN:
- SSL-enabled browser suffices as client
- non-site-dependent
- no configuration on the client
Advantage of IPSec-VPN:
- transparent for user
- direct network access
- simple site-to-site connection
Secure from point to point with Vista
For an encrypted point-to-point connection via a public network, IPSec VPN is the best choice. The new IPSec VPN client from ZyXEL is convincing thanks to its compatibility with the latest Windows operating systems and its user-friendly installation and operation.
Secure and communicative
The ZyWALL IPSec VPN client enables remote users to set up a secure, encrypted point-to-point connection via public networks. It doesn't matter whether the connection is established via dial-up, Ethernet, DSL, WiFi or 3G. Thanks to its compatibility, the client can be used in conjunction with gateways from ZyXEL and many other manufacturers. The latest version can now also be used under Vista.
Powered by TheGreenBow
ZyXEL IPSec-VPN-Client
Easy handling
The installation wizard guides the user efficiently through the configuration in three steps. For major installations the configuration data can be copied quickly onto many computers in the form of a saved file. To meet the highest security demands, the configuration can be put on a USB memory stick with security elements such as a certificate, pre-shared key, etc. This means no authentication data are stored on a notebook. In such cases a VPN connection can only be set up in conjunction with the USB stick.
Free trial
The ZyXEL VPN client (powered by TheGreenBow) can be installed and tested free of charge for 30 days.
[Figure: Applicability of VPN technology corresponding to usage]
Ethernet / LAN switching
Gigabit at low cost
The ZyXEL switch family is growing at a rapid pace. The new web-managed switches ZyXEL GS-1524 and GS-1548 offer low-cost access with Gigabit speed. An intuitive web interface offers all the possible configurations that a small enterprise could need. The GS-1548 is also the first 48-port Gigabit switch from ZyXEL.
Web-managed Gigabit
The web-managed switches fill the gap between unmanaged and managed switches. They have a simplified web interface, which supports all the important configurations such as VLAN, QoS, port mirroring, trunking, etc. The GS-15XX are the first Gigabit switches in this class.
ZyXEL GS-1524
Article: 91-010-159001B
Sale Price: € 201,00 excl. VAT.
Investment protection
The configuration option ensures that the switch can be adapted to the network. Moreover, software upgrades are possible, which is not the case with «dumb» models. As a result, the switch can handle new requirements, and investments are protected.
AutoVoIP and AutoDoS
Both models support the function for automatic detection and prioritisation of VoIP calls that users have come to know from the ES-15XX models. The prioritisation is suitable for networks with only one switch, but unlike the 3XXX and 4XXX models cannot be passed on by 802.1p or Diffserv. AutoDoS is a function for protecting against the most serious denial-of-service attacks. This increases the internal security of the network.
Suitable for small networks
ZyXEL recommends web-managed switches particularly for small-sized networks. The spanning tree function is only supported by the fully-managed switches. These are preferable for more highly complex structures which often require this function.
Sensational prices
The new web-managed switches are very aggressively priced – only a little higher than the unmanaged switches. And with the GS-1548, ZyXEL for the first time offers a high Gigabit port density.
This makes it increasingly worthwhile to equip all workplaces with Gigabit access.
ZyXEL GS-1548
Article: 91-010-160001B
Sale Price: € 517,00 excl. VAT.
Comparison and positioning of web-managed switches
| Features | ZyXEL GS-1124A | GS-1524 (NEW) | GS-1548 (NEW) | GS-2024 |
|---|---|---|---|---|
| Description | Unmanaged switch | Web-managed switch | Web-managed switch | Managed switch |
| Ports | 24 x 1000Base-T, 2 x MiniGBIC (shared) | 24 x 1000Base-T, 4 x MiniGBIC (shared) | 48 x 1000Base-T, 4 x MiniGBIC (shared) | 24 x 1000Base-T, 2 x MiniGBIC (shared) |
| Port Trunking | - | static | static | static |
| Spanning Tree Protocol | - | - | - | STP/RSTP |
| QoS 802.1p | - | 4 queues | 4 queues | 4 queues |
| VLAN 802.1Q | - | 4K | 4K | 4K |
| AutoVoIP/DoS | - | ✔ | ✔ | - |
| Rate Limiting | - | 7 levels | 7 levels | 64-Kbps levels |
| Serial Port/Telnet CLI | - | - | - | ✔ |
| 802.1x/MAC Filter/Intrusion Lock | - | - | - | ✔ |
| Sale Price | € 201,00 excl. VAT | € 267,00 excl. VAT | € 517,00 excl. VAT | € 681,00 excl. VAT. |
Wireless LAN
Elegant housing for SME applications
Simple and contemporary design - that's the look of the new NWA-3160 Professional Access Point from ZyXEL. It has exactly the same functionality as the NWA-3100. This makes it ideal for use in professional environments, especially where aesthetic office design is a must.
FEATURES
• WLAN access point, dual band 802.11 a/b/g
• WDS modes (AP/AP bridge/repeater)
• 8 SSIDs with VLAN 802.11Q
• Security WEP / WPA / WPA2 and WPA mixed mode
• 2 connectable external antennas / RP-SMA
New outfit
ZyXEL is launching the NWA-3160 with dual-band function (based on the Professional WLAN Series NWA-3x00) with a new housing design. Simple, contemporary design is particularly important for business applications.
A wealth of features
The NWA-3160 transmits and receives on the 2.4 GHz or 5 GHz band. Thanks to PoE support, no obtrusive plug-in power supply units are required. As far as quality of service is concerned, it can be individually configured so that real-time data are given higher priority than data that are not time-critical. Up to eight virtual wireless networks (multi-SSID) combined with VLAN tagging (802.11Q) enable multiple user groups to be handled simultaneously with only one access point.
Versatile applications
With its extensive function set, the NWA-3160 can be used for applications in SMEs, for hotspots, in industry (process automation) or for telephony.
Roaming has been optimised and consequently the quality of VoIP calls improved. Central management for multiple access points is expected by the start of 2008.
ZyXEL NWA-3160
Article: 91-005-197001B
Sale Price: € 164,00 excl. VAT.
Diversity function for better reception
Diversity uses multiple antennas to provide better transmission and reception characteristics. It is already in use in the WLAN Pro products NWA-3100 and NWA-3500 and will be implemented in NWA-3160 at a later point in time. If standard antennas are used, better radio communication coverage can be achieved. When external antennas are used, however, the diversity function must be deactivated.
Diversity – when should it be used?
ZyXEL WLAN Pro Access Points have diversity technology implemented for optimum transmission and reception characteristics. During operation the system switches automatically to the internal or external antenna connection. While this technology offers optimum coverage with the standard antennas provided, the function needs to be deactivated when external antennas with cables are used.
Undesirable effects of diversity
External antennas are used to optimise coverage.
If the diversity function is deactivated, this prevents the access point from being switched to the internal antenna mistakenly. This can happen, for example, if a WLAN client is close to the access point and not in the area covered by the external antenna. If the system switches to the internal antenna, the desired effect of the external antenna is cancelled out and the required WLAN coverage cannot be achieved.
How is diversity deactivated?
At present the function can only be configured via the CLI with the following commands:
NWA-3100
wlan superset 0 0 0 -> Diversity ON
wlan superset 0 0 1 -> Diversity OFF
With diversity deactivated on the NWA-3100, only the main antenna on the right-hand antenna connection is used.
NWA-3500
wlan [wl] superset 0 0 0 --> Diversity ON
wlan [wl] superset 0 0 1 --> Diversity OFF
[wl]: 0=WLAN 1, 1=WLAN 2
With diversity deactivated on the NWA-3500, the internal chip antennas are switched off. WLAN 1 is aligned to the right-hand antenna connection, while WLAN 2 is routed to the left-hand connection.
[Figure: Deactivate diversity when using external antennas. Labels: External antenna connection, Transmitter / Receiver]