Network World - With more than 27.4 million broadband subscribers in the U.S., chances are you have access to multiple WAN connections (DSL, cable, satellite or all three). For small businesses and others who want Internet access redundancy and improved speed, companies are producing dual-WAN routers for combining two broadband connections on your network.
We recently tested five dual-WAN routers - the ZyWall 70 from Zyxel Communications; TZ 170 from SonicWall; XC-DPG602 from Xincom; H2WR54G from Hawking Technologies; and FortiGate-60 from Fortinet - and focused on their ability to control a WAN connection and other features. We also tested the Safe@Office 225 from Check Point, which only offers failover but not concurrent access (see story).
The TZ 170 from SonicWall gets the nod for our favorite (Clear Choice Award), for its security, configuration options and additional features (some at extra cost). Budget seekers should rejoice at Hawking's product, which includes wireless support, and the Zyxel ZyWall 70 comes in a close second to SonicWall.
Many of the routers will support:
• Outbound load balancing.
• Inbound load balancing (low-end units have outbound only).
• Demilitarized zone (DMZ).
• Virus filtering on content (both inbound and outbound) and e-mail (at least inbound).
• Intrusion detection.
• Web content filtering.
Routers vary in CPU speed and amount of RAM, usually reflected in the number of VPN connections supported concurrently. Because connection counts for all these systems start in the thousands of dollars, midsize networks should not feel limited. However, the number of VPN sessions supported often has server restrictions, so check carefully if your network needs to support many VPN clients.
The inbound load-balancing features make the routers useful when combining two of the same high-speed WAN connections, such as two cable modem links. Because cable downstream speeds range from 1.5M to 3M bit/sec and DSL links provide less than 512K bit/sec, a mixed pair of connections offers little speed improvement and can slow access if misconfigured. However, a mixed connection still offers Internet access redundancy.
One warning on every dual-WAN system: You must be able to route all outgoing SMTP traffic to the appropriate WAN link. Most ISPs reject all mail not originating on their own network, so routing an outgoing e-mail to the wrong WAN link results in an error. Using an internal e-mail server, one connected to the DMZ, or sending e-mail through a Web-hosting service rather than an ISP, eliminates this problem.
During our testing, the SonicWall TZ 170 developers plugged a major hole in their feature list by supporting load balancing for incoming traffic with a new firmware revision. But you must purchase the enhanced operating system to get the TZ 170 to support dual-WAN connections. The same small plastic housing supports all the various TZ 170 permutations, so looks don't indicate supported features.
Installation and configuration took some time. Unlike the other units we tested, the TZ 170 does not enable its Dynamic Host Configuration Protocol (DHCP) server by default. You must change your computer address to match the default IP network settings of the TZ 170, then configure the DHCP address range along with other initialization settings through its attractive wizard. But after rebooting and head-scratching, we discovered that setting the DHCP range does not turn on the DHCP server, and we had to turn it on manually. The quick-start guide includes nine pages of dense text, blunting the idea of a "quick" start. Our technical support contact agreed that the DHCP configuration was a bad design decision and he had no explanation.
Because only the tested enhanced version of the TZ 170 includes dual-WAN support, there's no WAN2 plug on the unit (software adds the feature). Using the OPT (optional) Ethernet connector as WAN2 isn't a problem, because any or all of the five 10/100Base-T Ethernet ports on the unit can be configured for DMZ use. The SonicWall Web-based administration utility includes stacked menus on the left side of the screen, but no tabbed pages on the right. Instead, multiple command icons pop open new, smaller windows for configuration settings or explanation. This sounds clumsier than it is, because drilling down into details works easily. Multiple wizards await for chores such as VPN settings, public server (DMZ) access and initial setup.
The good news: SonicWall provides great flexibility in configuring its firewall. The bad news: There is almost too much to learn and handle for most small-business users who will require help from their reseller. Where the ZyWall had 44 services configured in the drop-down menu, the TZ 170 has 140. SonicWall uses Zones for networks, including several screens of a matrix describing the relationship of zones (WAN-to-LAN, for example) and which firewall, routing or network address translation rules apply to that particular connection. You even can have five different classes of users, from Everyone to Limited Administrators, and include any class in a rule. Few small to midsize businesses will be able to configure this without help, but getting help will provide them with excellent protection.
Handling the dual-WAN connection worked well on the TZ 170. Unlike all other units we tested, the TZ 170 picked up and continued to stream audio files when we disconnected the cable modem and forced the unit to switch to the DSL connection. It also switched back to the faster service when we reconnected, again without interruption.
Security options abound, but order them carefully. For example, you can purchase network anti-virus and server anti-virus, but not have e-mail anti-virus filtering. Nodes/users are counted by active IP addresses on the network rather than concurrent users through the router, so you might need more licenses than you think.
SMTP routing to the proper WAN port took only a few mouse clicks. Five drop-down menus led us through choosing the source (LAN), the destination (any), service (SMTP send e-mail), gateway (WAN Primary IP), and interface (WAN). Once we got over the surprise at all the choices available, making rules wasn't difficult, and we could tweak settings the way we wanted them.
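As an added example (not code from the review or from any of the vendors), the following Python model captures the policy described above: SMTP from the LAN is pinned to the link of the ISP that will accept the mail, everything else is load-balanced across both WAN links per flow, and a link failure triggers failover. The zone name, the WAN1/WAN2 labels, the port numbers and the sample addresses are assumptions.

```python
# Constructed model of dual-WAN policy routing; not the firmware of any reviewed router.
from __future__ import annotations
import zlib
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class WanLink:
    name: str
    up: bool = True

@dataclass
class PolicyRule:
    """Mirrors the rule fields the review walks through: source zone, service, forced gateway."""
    src_zone: str
    proto: Optional[str]     # None matches any protocol
    dst_port: Optional[int]  # None matches any port
    gateway: str             # WAN link that must carry matching traffic

@dataclass
class DualWanRouter:
    links: dict[str, WanLink]
    rules: list[PolicyRule] = field(default_factory=list)

    def select_link(self, src_zone: str, src_ip: str, dst_ip: str,
                    proto: str, dst_port: int) -> Optional[str]:
        """Return the WAN link for a new outbound flow, or None if it must not be sent."""
        for r in self.rules:
            if (r.src_zone == src_zone and r.proto in (None, proto)
                    and r.dst_port in (None, dst_port)):
                # Pinned traffic stays on its ISP's link even when that link is down:
                # the other ISP would reject mail that does not originate on its network.
                return r.gateway if self.links[r.gateway].up else None
        live = sorted(link.name for link in self.links.values() if link.up)
        if not live:
            return None
        # Outbound load balancing: hash the flow tuple so one session stays on one link.
        flow = f"{src_ip}:{dst_ip}:{proto}:{dst_port}".encode()
        return live[zlib.crc32(flow) % len(live)]

def build_router() -> DualWanRouter:
    """Two broadband links; only the WAN1 ISP accepts our outgoing mail (assumed)."""
    router = DualWanRouter({"WAN1": WanLink("WAN1"), "WAN2": WanLink("WAN2")})
    router.rules.append(PolicyRule("LAN", "tcp", 25, "WAN1"))  # SMTP pinned to WAN1
    return router

if __name__ == "__main__":
    r = build_router()
    print("SMTP ->", r.select_link("LAN", "192.0.2.10", "203.0.113.5", "tcp", 25))
    r.links["WAN1"].up = False
    print("SMTP with WAN1 down ->", r.select_link("LAN", "192.0.2.10", "203.0.113.5", "tcp", 25))
    print("HTTPS with WAN1 down ->", r.select_link("LAN", "192.0.2.10", "203.0.113.5", "tcp", 443))
```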
Although getting the right options purchased and DHCP figured out was a bit aggravating, once running, the SonicWall offered a wealth of predefined firewall settings and choices, and the only failover that kept up a continuous audio stream.
Called an Internet security appliance to emphasize features beyond routing, the ZyWall 70 is one of 11 routers that Zyxel calls an appliance or a gateway. Installation involved booting clients to accept IP address information from the ZyWall 70 box to start configuration. Screens are clear and well laid out, with a menu down the left side and page tabs shown clearly on the active page. The electronic manual is long (713 pages), but includes hundreds of pages devoted to the console connection and old-fashioned (and somewhat painful) terminal command interface and command syntax.
You can set up a DMZ, but there is no separate Ethernet port for it. IP addresses separate traffic for each DMZ system. While this works, a specific port is always appreciated to avoid confusion and limit port-specific configuration chores. Default traffic rules allow connections between the DMZ and the WANs in both directions, and allow only outbound traffic from the LAN to the DMZ. Traffic from the DMZ to the LAN is blocked unless rules are added to allow access, which is the security configuration we expected.
Managing the ZyWall 70 is simple because of its clear Web management interface. The Home page shows the status of each type of connection (LAN, WAN, wireless LAN and DMZ), with buttons that display statistics, the DHCP table or VPN status with one click.
Security controls include the firewall, certificate controls (trusted certificate authorities and trusted remote hosts), RADIUS support and a complete content filter option. The firewall uses stateful packet inspection with denial-of-service protection. Firewall rules are easy to create, with check boxes and 44 services predefined for easy control. Time-of-day controls for firewall rules also are included, providing fairly complete and workable security controls.
The ZyWall 70 let us specify the WAN1 port for all outgoing SMTP traffic but required the use of console commands outside the regular management interface.
Bandwidth management includes options to define classes and provide extra bandwidth to certain classes, such as VoIP or video. Engaging the priority-based scheduler allocates extra bandwidth to configured services, such as VoIP, while the fairness-based scheduler tries to keep things even between the service classes, and adjusts easily with a mouse click. This approach also makes it easy to configure symmetrical or asymmetrical WAN links. The ZyWall 70 installed easily, provided great port flexibility with four DMZ ports, included plenty of firewall detail and supports an optional wireless PC Card. But forcing traffic, such as SMTP, to a particular WAN port required console commands via telnet.