- Limited administration interface
- Four LAN ports
ZyXEL's ZyWALL SSL 10 is an SSL VPN appliance aimed at small and medium-sized businesses, allowing secure remote access to files and applications on a company's network without manual installation of extra software. It can be used in place of or alongside an existing router or gateway, and offers an economical way to provide remote access to an office network. However, the hardware is somewhat limited, the licensing somewhat dubious and the management and user interfaces fixed and not necessarily easy to use.
The ZyWALL SSL 10 is designed to be an all-in-one gateway device for small networks, and can be used as a WAN router, including network address translation and firewalling. For broadband connections, you'll need the appropriate modem (cable or ADSL), and for other WAN types you'll need an Ethernet interface. You can also use the appliance with an existing gateway device, by routing external SSL traffic to the unit, in a configuration usually referred to as a DMZ (DeMilitarised Zone).
The ZyWALL SSL 10's hardware is small, featuring only four LAN ports and a single WAN port. This is similar to other VPN appliances we've reviewed in the past, but does mean that if you're using the ZyWALL SSL 10 as your internet gateway, you'll probably have to add an extra Ethernet switch so you can plug in more than four devices.
The ZyWALL SSL 10, as the name suggests, only provides SSL security, not IPSec or PPTP as can be found on some higher-end appliances. The advertised 'clientless' operation in reality means that the client software needed is either already installed (a web browser), or is installed automatically (a Java-based network proxy). This proxy redirects network traffic from client PCs to the ZyWALL SSL 10, which then forwards it on to the appropriate network service, assuming that you've configured it. Users can access whichever services – web applications, file sharing or other applications – you give them permissions for.
The ZyWALL SSL 10 can use an existing LDAP, RADIUS or Active Directory server for user authentication, or you can use the appliance's built-in user management system.
In the built-in user management system, a user can only be a member of one group, and once a group is assigned, you can't give individual rights to users. This could make rights administration more difficult than it needs to be, but for the small networks this device is aimed at, the chances are you'll only have a very simple policy anyway.
Since this is an SSL VPN, an X.509 certificate for the appliance is needed. A default one is supplied by ZyXEL, but you can import your own certificate, either one from a commercial supplier or a self-signed one. We'd recommend you do this for security and usability reasons: until you do, users accessing the VPN will get warnings from their browser that the built-in certificate is from an untrusted source, and that it was issued for a different name from your appliance's. You also have no idea how secure the built-in certificate is, since you haven't been in control of the generation process.
In an odd move for a piece of hardware, you need to register the ZyWALL SSL 10 before remote clients can log in. Although the registration process is straightforward and can be done from the appliance's management interface, it effectively means the ZyWALL SSL 10 'phones home' – it contacts the ZyXEL web site when you register. Registration and activation for software is normal practice, but this is to guard against unlicensed duplication and use of that software. It's hard to see how the ZyWALL SSL 10 could be duplicated in the same way as a CD-ROM. ZyXEL says the registration is to check that the licence key for the unit is valid, but other manufacturers are happy to use cryptographic keys to do this without needing online registration.
Also, the default licence for the ZyWALL SSL 10 only allows 10 concurrent remote users, but an upgrade is available to 25 users. ZyXEL says this allows them to sell the SSL 10 at a lower cost to customers who don't need that many users at once.
The ZyWALL SSL 10's Endpoint Security feature allows you to prevent clients that don't meet a certain level of security configuration and software – antivirus, firewall and patches – from connecting to your VPN. This is strictly a Windows-only feature – there's no way of specifying Mac OS or Linux at all, never mind a particular version. The antivirus rules in Endpoint Security only allow McAfee or Norton Antivirus to be enforced, and the same applies to personal firewalls – there's no way of checking for Windows Firewall or its settings which, given the target market for the SSL 10, is an oversight.
The ZyWALL SSL 10 is an inexpensive product, but to a certain extent you do get what you pay for. The administrative interface is a little cumbersome in places, and the permissions system is limited, but the product does do what it claims to, and many of its limitations won't apply to the small businesses at which it's aimed.