Price: Starts at $244
If you're concerned that privileged employees--from sysadmins to CFOs--connect to the corporate network via the Internet, ZyXEL's ZyWALL P1 personal Internet security appliance offers some peace
The appliance is pricier than a personal firewall, but it works with just about any device or OS.
The P1 is armed with a stateful packet inspection firewall as powerful as many rack-mounted appliances, plus an IPSec VPN client. It delivers a throughput of 80 Mbps on the firewall and 30 Mbps on the VPN through onboard 10/100 Mbit/s WAN and LAN ports on a device the size of a PDA. And it's secure. Unlike software-based firewalls, the P1 can't be disabled by worms like magistr.b@mm that shut down security software.
The P1 is platform independent--truly plug-and-play. We effortlessly hooked the device to a Windows XP laptop, a Linux desktop and a Mac G5 Powerbook, and then configured the P1 through a browser-based GUI without using the documentation. The VPN client was almost as easy to set up. The option for adding VPN rules was one of the less intuitive features of the GUI. However, once we reached the Gateway Policy edit screen, we were easily able to set up a tunnel specifying whether or not to traverse NAT, the address of the remote gateway, type of authentication key (preshared or certificate), authentication and the IKE proposal. Settings for IKE proposals included encryption algorithms (DES, 3DES and AES), authentication algorithms (MD5 and SHA-1), Security Association (SA) lifetime designation and Key Group (Diffie-Hellman 1 and 2). Other good features in the VPN setup are the Idle Timers for input and output, which automatically terminate inactive tunnels.
The 368-page PDF Users Guide explains in great detail the device's features and offers a wealth of supporting information about the technology.
The P1 draws its power through the included USB-to-mini-USB cable, which adds to its portability. Disappointingly, there is no support for a wireless connection. The P1's biggest shortcoming is that it supports a single onboard configuration. However, backing up and restoring configuration files from a storage device was easy.
Centralized management is available through a wide range of protocols, so security administrators can enforce firewall policies through HTTP, HTTPS, SSH, Telnet, FTP, SNMP and DNS.
The P1 is also strong on logging. More than a dozen different logging and alert parameters--and the ability of logged events to generate immediate alerts via e-mail--can be switched on and off through check boxes. Logs can be exported to a syslog server for further analysis.
True, ZyWALL P1 is yet another gadget for mobile users to carry around and possibly lose, and it's not cheap. However, when you consider the depth of protection it offers for the people who hold the keys to your corporate kingdom, it's quite a deal.
This product review appears in the November 2005 issue of Information Security magazine.