ADSL/Cable Firewalls: Products Reviews

An Analysis of hardware mini-firewalls for 'always-on' Users

By Seán Boran (sean at boran.com)
www.boran.com/security/sp/pf


The appetite of hackers, complexity of PC applications / operating systems, and the extensiveness of networking, have contributed to continual discovery of security weaknesses - which the "average" user can hardly be expected to follow. Until now the standard tool for defending PCs was the antivirus scanner. The PC personal firewall recently made a debut to fend off Internet attacks on individual PCs. An alternative to such software running each PC is a dedicated hardware mini-firewall, particularly interesting for protecting small groups of machines, or 'always-on' Internet connections, such as ADSL or Cable

Latest Changes:
  • 22.Nov.02 Snapgear Pro+ review, reorganise Detection/Reaction.
  • 15.Sep.02 Update Linksys notes
  • 16.Jul.02 Snapgear update.
  • 10.May.02: Zywall corrections. 

See also Change history

  1. Introduction
  2. Product Tests: price | usability | features | filters | management | alerting | Intrusion Detection/Reaction | Security of the default Policy 
  3. Other issues
  4. Summary and Conclusions
  5. References
  6. Appendix: Acknowledgements | Change history | Feedback pending | About the Author

Introduction

Network firewalls are great for implementing a security policy between different networks, but are often expensive, complicated, inflexible, or do not progress quickly enough to keep up with new attacks. They may also be rendered useless by dialup access weaknesses, encryption, VPNs, Teleworkers connecting directly to the Internet from home, etc. Two alternatives are:

  1. PC "personal firewalls" that are installed on Windows and allow both beginner and expert users to protect their PCs. Refer to [1] for an analysis of PC-based personal firewalls.

     

  2. Mini-hardware firewalls for protecting a small number of PCs. These little devices are useful for protecting one or more PCs on a small network, for example a SOHO ADSL connection. This article presents comparisons of several such products. Before reading this report, you may wish to refer to [2] for an introduction to these tests, an explanation of the topology of ADSL connections, analysis of risks and general countermeasures.

    Although we specifically refer to ADSL here, the same principles apply to cable modems and ISDN firewalls.

This report compares 7 devices to restricting ADSL connections : Zywall 10, Watchguard SOHO, Linksys BEFSR41, Zyxel 642RI router, Sonicwall SOHO, SnapGear SOHO+, SnapGear PRO+.


Product Tests

Price Comparison

Product Version
tested
Hub or switch
included?
List
price
No. host
licenses
Annual maintenance or monitoring services
Zywall 10 [3] v320(WA.1) no $399 no limit?
WatchGuard SOHO [4] v2.3.21 4 port $449 10 LiveSecurity Service is included for one year. See note.
Linksys 
BEFSR41
[5]
4 port $150 no limit
Zyxel 642
Router
[6]
V2.50(A.1) V2.50(AL.2)b2, V2.50(AJ.2) no $399 no limit
SnapGear SOHO+ [8]  v6.1.1 no LITE $199, SOHO+ $399 no limit 90 days support. Free firmware upgrades for life.

 

Sonicwall
SOHO2
[9]
no $495 10, upgrades available. An automated scanner/vulnerability service is available on www.mysoniwall.com (not free) that performs a risk assessment of your open services (regularly) and reports on then. Looks quite accurate. [9]
SnapGear
Pro+
[8]
V 1.7.2 no $740 no limit - 90 days support. 
- Annual support $99
- 4 year warranty $100
- Free firmware upgrades for life.

URL Content filtering: 5 user=$49 up to 1000 users $7k
URL Content filtering with reporting: 5 user=$99 up to 1000 users $13k

Watchguard LiveSecurity Note: Watchguard's Service subscription entitles you to:
"Software updates and Rapid-response alerts that notify you of security threats as they break, with an archive of past broadcasts. Expanded self-support options, such as Frequently Asked Questions, Known Issues and a searchable Knowledge Base Interactive. Online Training and options for instructor-led training. Comprehensive Online Help, including installation instructions, user guides and product reference. Incident-based Technical Support with a choice of optional escalation upgrades."

 

Usability Comparison

Product Ease of
configuration
or installation
Documentation On-line
help
Are logs / alerts
easy to understand?
User knowledge if default config. needs changing
Zywall 10 HTTP GUI and
telnet menu is good.
Good, but only on CD. 150 pages in user manual alone. none no Advanced
Watchguard SOHO • HTTP GUI  is good.
• Windows GUI for upgrades.
OK, Internet access must work to access docs. none, unless Internet active. logs easy, but limited. Intermediate-
Advanced
Linksys HTTP GUI  is good. good, also on paper. limited logs easy, but limited. Intermediate-
Advanced
Zyxel 642 Router Installation OK,
UI poor.
Good, but only on CD. none no Expert
SnapGear SOHO+ HTTP GUI  is good. Good. good no Intermediate-
Advanced
Sonicwall
SOHO
HTTP GUI  is very good. good. good quite good Intermediate-
Advanced
SnapGear PRO+ HTTP GUI  is good. Good.
Also, lots of help on www.snapgear.com 
good quite good, colour coding by severity Intermediate-
Advanced

 

Feature Comparison

Product Default policy 'uplink' switch
to replace crossover
cables?
Regular (online) Updates
Zywall 10 Outgoing allowed, incoming blocked, DoS prevention. yes Firmware updates can be downloaded.
Watchguard SOHO Outgoing allowed, incoming blocked, except ping. no Bug-fix updates can be downloaded.
Linksys Outgoing allowed, incoming blocked. no Bug-fix updates can be downloaded.
Zyxel 642
Router
Outgoing allowed, incoming blocked. no no
SnapGear SOHO+ Outgoing allowed, incoming blocked. no Firmware updates can be downloaded.
Sonicwall
SOHO
Outgoing allowed, incoming blocked. no Firmware updates can be downloaded.
SnapGear Pro+ Outgoing allowed, incoming blocked. no Firmware updates can be downloaded.

 

Product IP sec VPN Dynamic
DNS
Port-forwarding (SUA server) or Address translation ( NAT) DNS
proxy
DHCP
Server
Other tools/ features included
Zywall 10 • no

• an IPsec pass through test worked.
yes

(tested with dyndns.org)

• SUA server and NAT

• SUA allows specification of up to 11 ports forwarded to internal address
• Source and destination port must be identical.

• NAT for up to 10  addresses.
• Flexible: on-to-one, one- many, many-many and server supported.

yes yes Fine tuning of TCP/IP timeouts is possible:
- tcp connection, Fin-wait, tcp idle, udp idle and icmp timeout.
Watchguard SOHO • VPN optional $599
• an IPsec pass through test worked.
no SUA server no yes -SOCKS proxy
Linksys • no
• an IPsec pass through test worked. (only one session is supported)
no • SUA server
• Up to 10  addresses.
no

(other readers say yes)

yes MAC address filtering.
Zyxel 642
Router
• no

• an IPsec pass through test worked.

no • SUA server allows specification of port per machine or default machine.
• Source and destination port must be identical.
• Up to 8 ports.
yes yes
SnapGear SOHO+ • PPTP and IPsec VPNs

an IPsec pass through not  yet tested.

yes • Can have several external addresses (not tested)
• SUA allows specification of port per machine.
• Source and destination port can differ
• SUA definitions can be disabled without being deleted
yes yes, disabled by default Traffic shaping

Access to OS (Linux) configuration files.

Dial-in and dial-out via a serial interface.

Sonicwall
SOHO
• optional

• an IPsec pass through test worked.

no • SUA server and NAT yes yes Extensive web filtering.
SnapGear Pro+ • PPTP and IPsec VPNs
Hardware encryption
yes as SOHO+ yes

NTP proxy too

yes As SOHO+,
- plus modem built-in.

Note: The IPsec VPN 'pass through' test was an attempt to make a VPN connection from a Cisco VPN client 3.0.1 on Windows 2000 on the LAN to a Cisco VPN concentrator on the Internet. I realize this is a simple test of one VPN product, but it was interesting if the rather complex IPsec protocols worked.

SUA note: I don't recommend using a 'default LAN address' for incoming connections, as this effectively opens this host completely to the Internet. Specify only the necessary ports, for example 80/443 for HTTP/S.

 

Filter Rules Configuration

Product Filter incoming/
outgoing
Address
specification
port
specification
state
based
Trojan detection
engine
HTTP
content
analysis
Email
content
analysis
Zywall 10 • up to 10 flexible rules in each direction
• Options: in/out, pass or block, logging & alerting optional
single,
range,
network
tcp + udp ports or ranges

Up to 10 custom port definitions.

FTP no yes...
see note.
no
Watchguard SOHO • block specific outgoing ports
• allow specific incoming ports
no tcp or udp ports or ranges

IP protocol numbers

FTP no no no
Linksys • block all except specific outgoing ports per LAN IP address LAN yes, WAN, no. tcp or udp ports or ranges FTP works no no no
Zyxel 642
Router
Yes, per interface. But complicated, primitive and error prone. single, range or networks.

Network ranges not supported.

single udp/tcp, no ranges FTP works no no no
SnapGear SOHO+ • block specific outgoing ports
• allow specific incoming ports
• custom (IP tables) rules.
network+ netmask single udp or tcp, no ranges

Custom rules allow ranges.

FTP works no no

(planned)

no
Sonicwall
SOHO
• flexible rules
• Options: source/destination IP, allow/deny, time of day, inactivity timeout.
• rules can be disabled without being deleted.
single,
range
tcp, udp, icmp ports or ranges

custom port definitions.

FTP no extensive...
see note.
no

anti-virus from Network Associates for $?? per year

SnapGear Pro+ as SOHO+ as SOHO+ as SOHO+ FTP no yes no

Zywall note: ActiveX, Java, cookies, web proxies can be blocked for one list of sites. However the settings cannot be saved individually per site. For example you can't enable ActiveX for some sites, cookies for other and Java for others. Nor is it possible to block ActiveX for all sites, for example.

Watchguard note: Different rules cannot be applied to different addresses on the private network. Outgoing traffic is controlled by port number, so dynamic protocols such as FTP cannot be effectively filtered. Different rules cannot be applied to different Internet addresses either.

Sonicwall web filtering: is extensive:

Snapgear Pro+ also has extensive web filtering:

Management Features

Product user
interface
Centralized
policy
changes?
Export / import /
distribute
rules / objects?
Export
configuration

as text?
Export
logs?
Zywall 10 GUI: Web.
telnet (good menu), ftp, serial console, SNMP (off by default)
no configuration file 'rom-0' via ftp no no
Watchguard SOHO GUI: Web
ftp
possibly, not fully explored via ftp? yes no
Linksys GUI: Web see note

no

no no
Zyxel 642
Router
GUI: Windows wizard.
telnet, ftp, serial console, tftp, SNMP
no via ftp no no
SnapGear SOHO+ GUI: Web on port 80,
Telnet (simple, linux like).

Serial console possible.

no no yes no
Sonicwall
SOHO
GUI: Web on port 80
SNMP (off by default)
yes yes, via web interface to/from a file no no
SnapGear Pro+ GUI: Web on port 80,
Telnet (simple, linux like).

Serial console possible.

no no yes no

Linksys note:

 

Logging & Alerting

Product Logging Alerting Reaction Management  protection
Zywall 10 • local and syslog

• Logs difficult to understand for beginners

• GUI limited
• config changes not logged
• no packet details logged

• SMTP
Email alerts of logs and DoS attacks

• Alerts difficult to understand for beginners

• Scans not detected, no high level analysis.

no • Passwords, with session timeout.

• Only one session allowed
at a time.

• Telnet/ftp access can be disabled or limited to one IP address (via the telnet menu only)

Watchguard SOHO • no remote syslog, only to Firebox.

• log GUI easy to use

• config changes logged

no no • Password (none by default). See note.

• Blocked by default on WAN interface

Linksys • local log contains source IP address and port, but not time or any further packet data

• config changes not logged
• log GUI easy to use

no no • Passwords

• Blocked by default on WAN interface

Zyxel 642
Router
• syslog no no • Passwords

• Interfaces visible to Internet! see note.

SnapGear SOHO+ • local and syslog
• configuration changes not logged
• some details logged
if syslog analysed no • Username + Password (long timeout)
• Blocked by default on WAN interface
Sonicwall
SOHO
• local and syslog
• lots of options, good GUI
• no packet details logged
• Administration and not just traffic, is logged.
• SMTP
email alerts of known hacks and scans.
• Tested, works well..
no • Passwords, with session timeout.
• Several users can be defined.
SnapGear Pro+ • local and syslog
• configuration changes not logged
• priority highlighted by colour
if syslog analysed Yes, IDS can auto block scans.. • Username + Password (long timeout)
• Blocked by default on WAN interface

Watchguard note: A passphrase can be configured to protect read-only or read-write access to remote configuration.

Zyxel 642 note: Active services (ftp, telnet..) visible on the Internet Interface! This is a serious problem as it means Zyxel's are sitting on the Internet, with default passwords and telnet enabled on the WAN interface.

  1. The telnet WAN filter does not work on Firmware V2.50(A.1), an upgrade to V2.50(A1.1) is needed.
  2. The Zyxel 642RI was incorrectly delivered with the telnet WAN filter disabled. The distributor assured me all models have this blocked now (June 2001). However previously delivered firmware and possible that delivered in other countries is wrong.
  3. After upgrading to Firmware V2.50(AL.2)b2, the telnet WAN filter was enabled by default, and worked fine - blocking Internet access to the telnet menu. However, ftp was open on the Internet interface (even though the ftp filter had been enabled - it didn't seem to work).
  4. This weakness was also discovered by others - Daniel Roethlisberger posted a summary of his findings on Bugtraq [11] on the 8th August 2001. He goes into more detail and notes that both tftp and snmp (which are udp services) were visible on his router. I don't have one available to test this just now.
  5. On 30.Aug.01 a new fresh 642 was tested: ping, ftp, tftp and snmp were open to the Internet!  It was trivial to upload or download firmware configs via ftp with the default password. There is little evidence that Zyxel (or their Swiss distributors) are taking this problem seriously, or doing anything to fix it.

Lesson: Always change the default password and scan your router for open ports, even if you configure filters.
If you have a Zyxel router, run, do not walk, to the console, change the password fast, check for 'unusual rules' that might indicate penetration and finally upgrade your firmware if it is old.

 

Security Effectiveness, Intrusion Detection & Reaction

Product Port Filtering Intrusion Detection Intrusion Reaction
Zywall 10

 

default configuration is good and can be tuned given appropriate knowledge. alerting and logging via email and syslog are available, but the non-expert user will find the alerts difficult to handle. discovering the identity of attackers automated blocking of attacks is not supported.
Watchguard SOHO
incoming ports are well protected. Outgoing ports are allowed, but can be restricted. logging is better than the others, but there is no alerting. minimal
Linksys incoming ports are well protected but outgoing ports are allowed and are not so easy to restrict. minimal minimal
Zyxel 642
Router
incoming ports are blocked unless SUA enabled none none
SnapGear SOHO+ incoming ports are indicated as being open, but in fact are well protected. Outgoing ports can be restricted. There are automated IDS features that can be enabled for specific ports, which is good. But there are no useful statistics, and logs need improvement. good, attacking machines can be ignored or blocked for 20 minutes. Scans are very effectively slowed down. However, logging and reporting needs improvement.
Sonicwall
SOHO
the default configuration is good (but could be better) and can be tuned given appropriate knowledge. alerting and logging via email and syslog are quite good, but the non-expert user will find the alerts difficult to handle. discovering the identity of attackers, or automated blocking of attacks is not supported.
SnapGear Pro+
as SOHO+ as SOHO+, and: Scanners are detected and listed in the GUI. It would be nice to have useful statistics, and logs could be easier to read for the novice. It would also be good to define the time that attack sources are blocked for. good, attacking machines can be ignored or blocked. A list of IP addresses to exclude from blocking can be added. The number of ports scanned that kick in blocking can be customised.
Scans are very effectively slowed down. Reporting could be better.

 

Security of the Default Policy

All products provide a similar security in the default configuration.

Product Incoming
from Internet
Netbus
trojan
test
LAN ports
visible on
firewall
Zywall 10

 

ping and all other services blocked.
Ports auth, snmp, tftp are visible. See note.
OK,
but
no alert.
ftp, telnet,
http
Watchguard SOHO
ping allowed, all other services blocked.
Ping can be blocked optionally.
OK,
but
no alert.
ftp, http,
socks5/1080
Linksys ping and all other services blocked. OK,
but
no alert.
http
Zyxel 642
Router
Depends on firmware and ISP config. I've seem:
a) ping is blocked, but
telnet, ftp, tftp, snmp are open

b) ping, ftp, tftp, snmp open.
=> Bad news indeed, see note.
OK,
but
no alert.
ftp, telnet
SnapGear SOHO+ ping and all other services blocked.

Ports with SUA but not active (pptp, http, imap) were marked as closed, all others open.

OK Many "reported open" by nmap, but this is only the IDS listening for attacks.
This might however encourage attackers to keep digging and hence waste bandwidth?
Sonicwall
SOHO
ping and all other services blocked.
Ports snmp, tftp are visible. See note.
OK, alert (if email alerts enabled) TCP: http and telnet is detected as "filtered" by scanners, but can't be connect to.

UDP: bootps, netbios, snmp, syslog and port 1024 are open. (why?)

SnapGear Pro+
as SOHO+
- scanners are detected, blocked and listed in GUI
OK as SOHO+

Outgoing policy to Internet:
In the document "ADSL: security risks and countermeasures" [2], the concept of information leakage was discussed. As explained in that document, it's difficult for hardware firewalls to prevent such outgoing connections. All of these hardware firewall allow all outgoing connections by default (the Zywall and Watchguard block Netbios). Several of these products can be customised to restrict outgoing ports and even better, products like the Sonicwall can restrict web content.

Zywall note:
• Snmp can only be configured from the telnet interface. It has a default get/set community of public. A scan shows that the snmp port (udp/161) is open on the Internet side. However, if we use an snmp scanner to download snmp information it does not work This is probably since a 'trusted host' must be configured on the Zywall who is allowed to interact with the smtp service. Hence, although the snmp port is open by default, it does not pose a significant risk. It would be an advantage to be able to switch off SNMP entirely.
• Tftp (udp/69) is visible on the Internet interface and it can be connected to. However, it doesn't seem to be possible to download/upload files, unless a management telnet session is active, so the risk seems low.
• Port auth (tcp/113) service also "seems" open. This is for SMTP servers who also connect to the auth service when delivering email. By providing a dummy auth service, this prevents some SMTP servers from timing out. This feature can be disabled on the command line: sys firewall tcprst rst113 off

Sonicwall snmp note:
• A scan shows that the snmp port (udp/161) is open on the Internet side. However, if we use an snmp scanner to download snmp information it does not work, as one would expect since SNMP is disabled by default in the GUI.. Hence, although the snmp port is 'open by default' to scanners, it does not pose a significant risk.
• Tftp (udp/69) is also visible on the Internet interface and it can be connected to. However, it doesn't seem to be possible to download/upload files.
• It would be an advantage to be able to switch off both these services entirely, so they are not visible to Internet scanners.

Other issues:


Summary and Conclusions


Summary

The risks of an unprotected ADSL connection are real, please ensure that you take at least minimal precautions to secure your ADSL connection.

Hardware firewalls are useful and should be considered by users who directly connect to hostile networks such as the Internet. They are less sophisticated than PC personal firewalls [1], but are easier to install and won't interfere with PC based software, or need to be install for each single host on the local network.

They have a role to play in SOHO (Small Office/Home Office), ISP and possibly corporate  markets. Several of these products were tested over a long time period (Zywall 18 months, SnapGear 6 months) and have proved their effectiveness. None of these products is provided with source code, or is open-sourced (although the SnapGear is based on opensource elements).

Firewalls don't offer 100% protection. For instance, even if they do have all the features needed, they can be badly configured; they might not recognize all hostile traffic; they may have bugs; may crash, etc. It's a good strategy to have several barriers to attackers, e.g., antivirus tools, file encryption, good passwords, a well-configured OS and possibly PC personal firewalls..


Conclusions

The Zyxel 642 router:

The Zywall is a  flexible and powerful, but could be improved.

Watchguard SOHO:

Linksys:

SnapGear SOHO:

SnapGear Pro+:

Sonicwall:

The bottom line

All of these products can reduce the risk of being connected to the Internet, but they all need time for understanding / optimal configuring. Several required firmware upgrades - so it may well be worth upgrading your firmware before going live.

The Zywall, Sonicwall and Snapgear Pro+ are the products with the most complete feature set. The Sonicwall is the best all rounder, catering for both expert and beginner user, but is also the most expensive. The Zywall is interesting (and has better routing for example), but may be more difficult for non-experts to master, lacking the finesse of the Sonicwall. A new release of Zywall is due with significant improvements, including VPN. Zyxel have also released (Autumn 2002) a product with ADSL modem, Router, Firewall rolled into one: the 652.

The Watchguard and Linksys are very similar (feature-wise) and quite easy to use, except for price (Linksys wins) and features (Watchguard LiveSecurity support, VPN options).

The Snapgear Pro+ and Sonicwall offer the best web content filtering. I liked the Snapgear's optional blocking of advertising sites.

The Snapgears would certainly interest Linux fans who want hands on access to config files / IP tables settings. The Snapgear Pro+ is designed for heavy VPN usage (hardware acceleration). The Snapgears also allow dial-in and dial-out via a serial modem connection (which was tested). In fact if you don't have broadband, the SOHO makes an excellent Internet dialup router, with built-in firewall security. The Pro+ has a built-in modem, the SOHO a serial interface on which a modem can hang.
Firmware updates are free and new features are regularly added (e.g. Dynamic DNS in June 2002).


References

  1. Personal Firewalls/Intrusion Detection Systems.
    pf_main20001023.html
  2. ADSL: security risks and countermeasures
    pf_adsl20010614.html
  3. Zyxel Zywall
    Zywall: http://www.zyxel.com/product/firewall/zywall10.htm
    Support: http://www.zyxel.com/support/
    Firmware update: http://www.zyxel.com/support/download/fw/firewall.htm
    Firmware archive: ftp://ftp.europe.zyxel.com/zywall10/firmware/ 
  4. Watchguard SOHO
    http://watchguard.com/
    http://watchguard.com/products/soho.html
    https://www.watchguard.com/support/sohoresources.asp
    https://www.watchguard.com/pubs/FAQs/index.asp
    http://www.watchguard.com/pubs/docs/v2.3SOHOUserGuide.pdf

    A test in German that was found since this article was published:
    http://www.fruehbrodt.org/produkttests/snapgear_soho+.html 
  5. LinkSys
    http://www.LinkSys.com 

    Description in German:
    http://www.pctweaks.de/sections.php?op=viewarticle&artid=72&inhaltid=0 
  6. Zyxel 642RI Router
    http://www.zyxel.com
    http://www.zyxel.com/support/download/fw/dsl.htm
  7. Discussions forums for ADSL/cable users:
    Switzerland: www.superspeed.ch
    U.S. www.dslreports.com
  8. Snapgear SOHO+ and PRO+ (used to make Pivio's and do other OEMs)
    http://www.snapgear.com/products.html 
    Online Shop: http://store.yahoo.com/snapgear/ 
  9. Sonicwall
    http://www.sonicwall.com/products/soho/index.html
    http://mysonicwall.com
    http://firmware.sonicwall.com
  10. Home Network Security - CERT Coordination Center
    http://www.cert.org/tech_tips/home_networks.html
    This document gives home users an overview of the security risks and countermeasures associated with Internet connectivity, especially in the context of “always-on” or broadband access services (such as cable modems and DSL). However, much of the content is also relevant to traditional dial-up users (users who connect to the Internet using a modem).
  11. Zyxel Prestige 642R: Exposed Admin Services on WAN with Default Password
    http://www.roe.ch/bugtraq/3161
  12. Free remote testing of your open ports:
    Neoworx port probe: http://www.hackerwatch.org/probe
    Sygate also have a scanner, http://scan.sygate.com/probe.html. When I tested it, it refused access though.
  13. Other sites that are worth a visit:

    Firewall Guide Router Shop

    http://www.firewallguide.com/shophardware.htm  

    SANS / SOHO Security
    http://www.sans.org/infosecFAQ/homeoffice/homeoffice_list.htm  

    German site on Personal Firewalls
    http://www.feuerwallshop.de/ 

Appendix

Acknowledgements

Thanks to the many readers who have provided tips, suggestions and noticed errors.
For example: Casper Kamp, Keith Woodward, Henry Markus, P-O Risberg, Scott Heavner, Kurt Schumacher.

Changes to this article

18.Jun.01 First Draft
1.Aug.01: This article is no longer sponsored by SecurityPortal, for the moment it is homed on www.boran.com
17.Aug.01 Add Crossport Pivio, linksys DNS notes, feedback from Daniel Roethlisberger on Zyxel 642
3.Sep.01 Add Sonicwall, major update to Zywall, update Zyxel 642
24.Sep.01 Add Appendix section. Pivio VPN notes.
28.Sep.01 Add links to port probe sites [12]
11.Oct.01 Zywall comment 2, Linksys models & DHCP. Add [13]
08.Apr.02 Replace Crossport Pivio with a  new review of the SnapGear SOHO+.
10.May.02 Zywall updates after discussions with Kurt Schumacher.
15.Jul.02 Snapgear updates: dynamic dns, serial dialup tests. German test link.
29.Aug.02 Zywall link.
15.Sep.02 Update Linksys notes

22.Nov.02 Snapgear Pro+ review

Other products that look interesting, but not yet reviewed above:

Zyxel 652: ADSL modem + firewall + VPN in one box.
Netgear FM114P: Firewall, Wireless access point, print server, 4 LAN ports.

Feedback from readers, not integrated into the above article


About the Author

Seán Boran (sean at boran.com) is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2002, Seán .Boran,     Last Update: 22 novembre, 2002