The ZyWall 1050 is a 1U (1.75-inch) Internet security appliance that provides firewall protection, a 1,000-tunnel VPN option and a host of traffic control features for governing internal users.

Announced in October, the ZyWall 1050 costs $4,000. Although this is on the higher end of the price scale for this class of security tool, the ZyWall 1050 packs five Gigabit Ethernet ports—the most we've seen in this class of security appliance.

During eWEEK Labs' tests, the ZyWall 1050 effectively repelled automated probes from our Metasploit attack system. It also withstood tests using malformed IP traffic streams generated by a test device we've just started using: the Mu Security Mu-4000 Security Analyzer.

We also put the ZyWall 1050 on our outside Internet connection to let it fend off probes and scans from the outside world, which it did with aplomb.

Resource Library:

ZyXel offers many add-ons for the ZyWall 1050, including the IDP (intrusion detection and prevention) engine and a content filter. We used both components during our initial tests.

The IDP engine is an embedded, signature-based component that is turned on with a license key. Many security advisers point to the weaknesses of signature-based protection in a world of zero-day threats, and we generally concur. However, security for a smaller organization must be based on a careful risk analysis that balances the cost of security with actual threats, and the ZyWall 1050 IDP engine provides good protection for the price.

During our tests, the signatures that look for protocol anomalies and pattern matches were updated several times by ZyXel's security response team. These updates can be applied automatically, which is what we recommend for busy IT managers in smaller organizations that may not have the staff to review the new signatures.

None of the updates blocked our good test traffic. However, there wasn't a good way to roll back the updates. This means that IT managers who get a false-positive block resulting from a newly installed update will likely spend a fair amount of time adjusting the signatures by hand.

eWEEK Labs picks the top five network security developments of 2006. Click here to check them out.

The ZyWall 1050 provides a fine level of control over individual user access, and we could add authentication requirements for the network, including the maximum number of log-on retries and the length of time a user should be locked out if log-on fails.

However, there is no way to integrate user information with a directory such as Microsoft's Active Directory. This means that IT administrators will be managing user accounts from the console. We hope that subsequent versions of the ZyWall 1050 include an option for integrating with existing directory data.

Always On

The ZyWall 1050 provides high availability in two ways.

The appliance can use multiple WAN ports to create backup connections in a single device. During tests with the single-device scenario, the WAN backup connections worked to load balance and provide failover if WAN services were offered by different providers. The ZyWall 1050 also can use VRRP (Virtual Router Redundancy Protocol) to link two ZyWall 1050s—an impressive capability given the appliance's price.

The combination of WAN backup and VRRP device redundancy means that IT managers can realistically deploy the ZyWall 1050 in locations where mission-critical applications are used.

Voice traffic gets special treatment from the ZyWall 1050. We configured our device to enable SIP (Session Initiation Protocol) transformations, and we could specify additional SIP signaling ports. There is even support for much older H.323 VOIP (voice over IP) traffic. The voice traffic pass-through features worked well in our tests, and after spending a couple of hours configuring the settings, we were able to get voice traffic through the firewall.

Technical Director Cameron Sturdevant can be reached at cameron_surdevant@ziffdavis.com.