Slashdot Mirror

Try a Zywall 5 (ZyXel) or something similar. You can use the built in virtual port thing, built in firwall and VPN support to set up a firewall and lock the ports coming off it down. You can add a wireless card to the Zywall or connect the wireless AP you already have to to a port on the back. The Zywall is a pretty poppin VPN device too so you can lock everyone out and give them access by VPN and have somewhat of a reliable setup without much problems.

I did this about a year ago, Had an issue getting the VPN working (problem with XP), called their tech support and they walked me right through it even to the point of testing the connection. Best of all, it was only about $350 or so. I didn't get the turbo models with the accelerator cards and the built in virus scanners or anything. I do start seeing a slowdown on the VPN after around 8 to 10 clients. but I usually don't have more then one off site VPN going and maybe two on site through the wireless (Dlink AP).

For small to medium size business's, I think they are just as good as a cisco in "practical" uses, just without the cost. I don't know how well they scale though, I've never needed more then one and don't have them anywhere that has more then 30 people. I'm convinced and happy with them. I just wish I knew about them a few years sooner.

Hello,

What I would like to know is how Yoggie's devices compare to Zyxel's ZyWALL P1. Zyxel's device is larger at about 5×3×0.75" (assuming I'm doing the metric conversion properly) but it is a standalone device with two 10/100 Ethernet ports. Zyxel's web site says anti-virus, IDP and anti-spam will be available in the future, but since that was two years ago with no update to the web site since then, I'm guessing they will never be added, so the device only acts as a firewall with SPI and DDoS protection and VPN client. Still, at around $70.00 or so, it is half the cost of the Yoggie and you can always run anti-virus and anti-spam on your client PC.

I have not used either device, so I am wondering how their respective firewall and VPN feature sets compare.

Regards,

Aryeh Goretsky

Hello,

What I would like to know is how Yoggie's devices compare to Zyxel's ZyWALL P1. Zyxel's device is larger at about 5×3×0.75" (assuming I'm doing the metric conversion properly) but it is a standalone device with two 10/100 Ethernet ports. Zyxel's web site says anti-virus, IDP and anti-spam will be available in the future, but since that was two years ago with no update to the web site since then, I'm guessing they will never be added, so the device only acts as a firewall with SPI and DDoS protection and VPN client. Still, at around $70.00 or so, it is half the cost of the Yoggie and you can always run anti-virus and anti-spam on your client PC.

I have not used either device, so I am wondering how their respective firewall and VPN feature sets compare.

Regards,

Aryeh Goretsky

Already exists: ZyXEL G-4100
D-Link had something similar but looks like they don't carry it anymore.

We're using ZyWall 2 boxes for NAT/routing/IPsec VPN. At ~US$200 each they are pretty economical, and very easy to setup via http config. Even has support for being a DynDNS client, which is just fantastic for DSL without static IP. You would need a beefier model as the concentrator, but they arent much more expensive - eg Zywall 35 supports 35 sessions @ around US$600. They also can be configured to play nice with just about any other hardware (Sonicwall, etc) with proper IPsec support.

Actually, no. I thought I saw a review over at Tom's Hardware (but I can't seem to find it now), and by their datasheet you can see it's wireless B and WEP-only encryption.

So I guess we're still a ways off from someone making a VoIP wireless handset (I'll take skype, if you can get it) that doesn't require a computer to plug into. (think: if you thought the guys who used the local coffeeshop as their office were already pretty bad...)

There is a phone like this on the market already: The Zyxel P-2000W_v2 is exactly that.

Especially when there are loads of products out there which can do the job standalone, either as handsets, or boxes which will take an ordinary analogue phone (including DECT).

Just one picked at random, but this seems like a far more sensible approach...?

Zyxel sells a range of VoIP and wireless gear. Their P-2000 wireless VoIP handset looked nifty, but supposedly turning on even 40-bit WEP encryption taxed its little CPU too much and so acceptable sound quality required you to run without encryption.

The new P-2000 v2 looks great, resembles a normal mobile phone and I would _imagine_ they would have fixed the quality issues associated with encrypted WiFi (best to read some reviews first).

They've also got this thing, a sort of ADSL/WiFi/VoIP stand-alone box thingy. Not sure what the "VoIP" part does, apart from perhaps doing QoS... and stuff like STUN (NAT traversal for SIP), etc.

Zyxel sells a range of VoIP and wireless gear. Their P-2000 wireless VoIP handset looked nifty, but supposedly turning on even 40-bit WEP encryption taxed its little CPU too much and so acceptable sound quality required you to run without encryption.

The new P-2000 v2 looks great, resembles a normal mobile phone and I would _imagine_ they would have fixed the quality issues associated with encrypted WiFi (best to read some reviews first).

They've also got this thing, a sort of ADSL/WiFi/VoIP stand-alone box thingy. Not sure what the "VoIP" part does, apart from perhaps doing QoS... and stuff like STUN (NAT traversal for SIP), etc.

Zyxel sells a range of VoIP and wireless gear. Their P-2000 wireless VoIP handset looked nifty, but supposedly turning on even 40-bit WEP encryption taxed its little CPU too much and so acceptable sound quality required you to run without encryption.

The new P-2000 v2 looks great, resembles a normal mobile phone and I would _imagine_ they would have fixed the quality issues associated with encrypted WiFi (best to read some reviews first).

They've also got this thing, a sort of ADSL/WiFi/VoIP stand-alone box thingy. Not sure what the "VoIP" part does, apart from perhaps doing QoS... and stuff like STUN (NAT traversal for SIP), etc.

Why is it that my cellphone can render 3D graphics and record video but it can't perform a simple point to point encryption algorithm? There is obviously a conspiracy...

Having said that, it looks like the ZyWALL's stack up pretty good against Sonicwall's low/mid end.

Per ZyXEL's home page, their ZyWALL 70 won Network Computing's "Best Value Award" and SC Magazine's "Best of 2004" award. Not too shabby. Also did a quick google search and turned up this review from Network World, "the Zyxel ZyWall 70 comes in a close second to SonicWall."

Zyxel sells an access point designed for just this purpose: ZyAir B-4000. Much easier than implementing it yourself, unless there is already on Open Source solution based on NoCat or something similar.

http://www.pcmag.com/article2/0,1759,1650238,00.as p

http://www.zyxel.com/product/model.php?indexcate=1 060053881&indexcate1=1085450334&indexFlagvalue=102 1876859

From reading this, and another article by Richtel about US mom and pop businesses outsourcing their manufacturing, it seems that people who run things or design things still have jobs. That's just not many people.

The assembly has moved to China. You probably don't want those jobs anyway -- when they were here they were lousy jobs, but now they are unthinkable (unless you like breathing lead). Design and prototyping still gets done in Silicon Valley.

Even so, actual engineering is moving to Taiwan. Imagine you want to make a board. The assembly guys (Chinese, in Shanghai) need to talk to the engineer and ask some questions about a substitution. Better if he is Chinese in Taiwan, right?

Even more disturbing (as a non-Chinese-speaking American) is that actual innovation (the stuff we are supposed to be good at) is getting done in Taiwan. E.g. stuff that allows a cheapo processor to have 5 fast ethernet interfaces. Your routers were probably designed in Taiwan, and labled "Cisco" or "D-Link". But Cisco didn't design it -- it was probably someone like these guys: Zyxel (Taiwan)

Americans need to lose the laziness and start working harder (if they want to be able to pay for enough gas to fill a SUV). This is inevitable. As long as there was no China, the Taiwanese could make decent money on the bottom. Now that Red China is here, they are getting pushed up; they have to do fancier work, or they will live like the Chicoms.

If the Africans ever get their act together, their wages will be lower than the Chinese, and that will be it for the rag trade. North Carolina will not make any textiles/clothing at that point.

My answers to your original questions, in sequence: I use a Watchguard FireBox II hardware firewall/router combo box. If I were going to go through an actual purchase process, instead of ending up with the FireBox II as a gift, I would purchase either a Zyxel ZyWall 5 or one of Netgear's hardwired router/firewall combos.

Your second question: "Is it less than $100?" Only if you get REALLY lucky on the used equipment market. If you're at all serious about protecting your servers, your data, and your LAN, it's far more important to be paranoid than it is to try and be frugal.

In other words: The best possible computer and network security device is sitting right between your ears. Invest in a good solid firewall, yes, and expect to spend more than $100 for it, but also invest in good security policies and procedures for your users to follow. Use a combination of common sense, paranoia, and planning, and you will probably do pretty well.

Happy tweaking.

My answers to your original questions, in sequence: I use a Watchguard FireBox II hardware firewall/router combo box. If I were going to go through an actual purchase process, instead of ending up with the FireBox II as a gift, I would purchase either a Zyxel ZyWall 5 or one of Netgear's hardwired router/firewall combos.

Your second question: "Is it less than $100?" Only if you get REALLY lucky on the used equipment market. If you're at all serious about protecting your servers, your data, and your LAN, it's far more important to be paranoid than it is to try and be frugal.

In other words: The best possible computer and network security device is sitting right between your ears. Invest in a good solid firewall, yes, and expect to spend more than $100 for it, but also invest in good security policies and procedures for your users to follow. Use a combination of common sense, paranoia, and planning, and you will probably do pretty well.

Happy tweaking.

Jus make them buy a Zyxel access point witch comes with a little printer. Just sell the damn coffee with "free" 30 minutes of WiFi access. The Zyxel prints out a code (receipt with a code), you open your broser and connect to their wireless. Then a page appears asking you to enter the password the cashier gave you when you bought the coffee (yes the printout from the Zyxel.)

http://www.zyxel.com/product/model.php?indexcate=1 103876296&indexFlagvalue=1085450343 Damn it, losers!

Your wireless are belong to us... get it?

Have a good one.

• http://www.voip-news.com/1/voipwifi.htm
• http://www.zyxel.com/product/P2000W.php
• http://www.vonage.com/
• http://www.webopedia.com/DidYouKnow/Internet/2005/ voIP_WiFi.asp
• http://digital-lifestyles.info/display_page.asp?se ction=platforms&id=1761
• http://www.voipsupply.com/home.php
• http://www.voipuser.org/forum_topic_1072.html
• http://www.voip-info.org/tiki-index.php

I suggest looking at the ZyXEL ZyAIR B-4000. It's an access point / receipt printer that is commonly used for selling access. The user gets a receipt, logs into a website, and is granted access for X period of time. You could make it so that when someone buys coffee, they get a receipt good for four hours. Or for $X they can get all day access... It's all up to you. Either way, it's trivial to use. The clerk just presses one of three preconfigured buttons on the receipt printer, the receipt with the access code is created, and everything else happens automagically.

With wireless access becoming more widespread why not drop the GSM part altogether like this product?

This is by no means the first wifi phone. Its cool and the price point looks pretty attractive, but if your interesting in existing technology check it out:

BroadVoice branded Wisip Phone (standards standards standards)
Pulver Innovations (unbranded) Wisip Phone (for the purists)
Cisco's sexily titled IP Phone 7920 (like they'd be behind the curve!)
and
Zyxel's Prestige 2000W

There's probably more, but thats what google coughed up for "wifi phone" tonight (in the first couple of pages..I have a life you know. Just kidding!).

Just take the cellphone out of the picture entirely

ZyXEL makes a well-regarded turnkey hotspot device (the ZyAIR B-4000). This one has integrated billing capabilities for you to run your own hotspot network. Other solutions (like the Linksys one) require a specific provider like Boingo, T-Mobile, etc, who do the billing and scrape some of the usage fees.

I think this might be the kind of thing you are looking for: ZyXEL ZyAIR B-4000. It's basically an AP and receipt printer, with a few buttons on it. Via a web-based interface, you set the device up, and a clerk presses a button, and out pops a receipt you had to the user. They use the information on the receipt to log into the system, allowing their MAC to access the internet for a specified period of time.

I recommended this to a small shop, and they've been using it since with no problems. It's trivial to get set up, and the clerks selling the access don't need to be technical.

IIRC, you can also allow certain machines access all the time, use it as a normal NAT box for some devices and pay for others, etc.

Hope this helps...

> It's possible, but the available wireless VOIP handsets are 11b only and don't support WPA (both are showstoppers for me).
http://www.zyxel.com/product/P2000W.html

It allows users to make or receive phone calls as long as they are in the coverage of IEEE 802.11b or 11g wireless Access Points. ...
- 64/128 bit WEP encryption

Get a phone that's guaranteed wi-fi friendly, It actually uses wi-fi as a transport. You will of course need some additional hardware for interfacing with your phoneline unless you want to move to VoIP completely. Asterisk and a voice card would probably be nice in a linux box.

not long, its allready been done.
VoIP Wi-Fi Phone
That one may not use skype, but its VOIP.

Use a hardware firewall, or a decent router with a firewall built in, instead of depending on something that's software-based. That way, the nasties are stopped before they even get to your computer.

I've not had personal experience with them, but others I've spoken with have had good luck with Linksys and D-Link. For my part, I've always depended on our Watchguard Firebox II to handle things.

Granted, such a unit is well beyond the cost range of most home setups (unless you get a phenomenal deal on it used, as I did). However, before I had the Firebox, I was part of the Beta testing team for the Zyxel 'Prestige 312' combo dual-Ethernet router/firewall. The 312 has been discontinued for some time now, but it performed like a champ for me.

If I were going to pick another unit today, I would look at Zyxel's ZyWall 100 series, or something similar. They're quite a bit less expensive than Watchguard's products, and I see no reason they shouldn't work just as well.

If the 100's a little too costly for you, the entire ZyWall series comes in a variety of sizes from 1 on up. The number usually designates the number of VPN connections the unit allows.

If you're a DIY'er, you can, of course, just get hold of a spare PC, stick a couple of NICs in it, load it up with FreeBSD or some such, and turn it into a router/firewall.

The bottom line is that I don't believe any purely software-based firewall can ever be as secure as one that's hardware-based, and dedicated to the purpose of just being a firewall. I certainly don't trust Uncle Bill or Symantec to do it right (witness the problems you've already had).

Happy hunting.

Use a hardware firewall, or a decent router with a firewall built in, instead of depending on something that's software-based. That way, the nasties are stopped before they even get to your computer.

I've not had personal experience with them, but others I've spoken with have had good luck with Linksys and D-Link. For my part, I've always depended on our Watchguard Firebox II to handle things.

Granted, such a unit is well beyond the cost range of most home setups (unless you get a phenomenal deal on it used, as I did). However, before I had the Firebox, I was part of the Beta testing team for the Zyxel 'Prestige 312' combo dual-Ethernet router/firewall. The 312 has been discontinued for some time now, but it performed like a champ for me.

If I were going to pick another unit today, I would look at Zyxel's ZyWall 100 series, or something similar. They're quite a bit less expensive than Watchguard's products, and I see no reason they shouldn't work just as well.

If the 100's a little too costly for you, the entire ZyWall series comes in a variety of sizes from 1 on up. The number usually designates the number of VPN connections the unit allows.

If you're a DIY'er, you can, of course, just get hold of a spare PC, stick a couple of NICs in it, load it up with FreeBSD or some such, and turn it into a router/firewall.

The bottom line is that I don't believe any purely software-based firewall can ever be as secure as one that's hardware-based, and dedicated to the purpose of just being a firewall. I certainly don't trust Uncle Bill or Symantec to do it right (witness the problems you've already had).

Happy hunting.

The Netgear RT310/RT314 routers are actually just rebranded ZyXEL Prestige P310/P314 routers.

ZyXEL continued to update the firmware while Netgear did not. You can download patched ZyXEL firmware that can be used in the Netgear routers from netgear.org.

Also, read netgear.org for tips and tricks (such as tricking your router into ignoring ICMP pings).

Take a look at Zyxel.

It's a NAT device, not a real firewall, but it's in the same category as the products you've mentioned, and it's more secure.

I haven't used it, and can't vouch for it. But it's gotten some good press.

As I understand it, if you can sniff enough packets that use the same key, you can crack the crypto. This thing uses a better (and standard) protocol that keeps changing the keys, so no one can sniff enough packets to recover the key.

I'm not sure I understand why they've kept the weak algorithm and shored it up by changing keys. My guess is that the cyrpto is built into a lot of wireless card hardware, and you can still use the built in hardware by rotating keys. A new algorithm would offload all of the crypto to the processor. That's just a guess, though.

In any event, I think this is believed to be secure now. I think that recent patches to XP support the new protocol with most wireless net adapters -- if you run XP, you don't have to worry about vendor support on the client side.

I was going to suggest the same! It's a $650 box, so it's not cheap, but it sounds really solid and it's all-in-one. Plus, I've always respected Zyxel's products.

ZyAir B-4000 web-page

To summarize:
1. Anyone who wants to use the AP has to ask permission.
2. Someone behind the counter pushes the button for New Authorization and the built-in printer spits out a quick code.
3. the user goes back to their PC and enters the code in the authentication web-page they're seeing.

The code lasts for an hour, I believe, and the coffee shop can choose to charge or not for the access.

This might be a little off-topic, but the ZyXEL ZyAIR B-4000 has come in handy for a number of small wireless POPs I've talked to. Basically, it's a self-contained AP / billing / access control system that's available for ~$700. There's a Tom's Hardware review here detailing a bit about how it works. In short, you program the buttons on the front for whatever time/price you want, and the receipt printer spits out a serialized receipt containing a password which will allow the user's machine to access the network for X period of time. Nice and simple for non-techies to operate.

I'd imagine that if you did a $5/day or /week this way, the price would remain cheap, the hardware would be reliable, and easy for anyone working the coffee shop to use.

A small coffee shop I do side work for was looking for a similar solution, but wanted to be able to sell time to people without having to buy in to one of the larger deals (T-Mobile, etc.).

We found the ZyXEL ZyAIR B-4000, which has all that they need. It has (built-in) a four-port switch, NAT router/firewall, and wireless AP, and includes a thermal printer that does a one-touch purchase of wireless time by communicating with the AP over the LAN.

The AP is configured to isolate the wireless network from the LAN (DMZ mode), and authenticates the users through an SSL encrypted access page.

While the unit was rather pricey ($600ish), it's a no-brainer both economically and time-wise as there is nothing to really maintain...no computer to die, software to be corrupted, maintenance, etc. I find that it is a much better decision for them to pay a little more up front to have something that requires little to no intervention and will just run...

Try zyxel. They're cheap and good.

So, anyone have 2 DSL modems working point to point, back to back? Are there any caveats or precautions?
Check out the SDSL / GSDSL Devices from Zyxel; I'm using a lot of these in back-to back configurations covering distances in the range from ~ 300ft to 4 miles.
I'm using two differnt models: the older Prestige 681 SDSL Modems/Routers and newer Prestige 782R G.SHDSL Routers.
Both have a max. linespeed of ~2Mbits; what you actually can get depends both on line quality and distance. Under identical conditions, the newer 782R will get about 20-30% higher troughput.
From my experience I'd expect to get about 1 - 1.5 Mbits over a 2 mile link if it's reasonable quality.
There's probably lots of other devices that would also work, it's just that I've successfully used these myself. Prices (new) in Europe are about $480 each; with a bit of luck you should be able to get them used for a lot less.

So, anyone have 2 DSL modems working point to point, back to back? Are there any caveats or precautions?
Check out the SDSL / GSDSL Devices from Zyxel; I'm using a lot of these in back-to back configurations covering distances in the range from ~ 300ft to 4 miles.
I'm using two differnt models: the older Prestige 681 SDSL Modems/Routers and newer Prestige 782R G.SHDSL Routers.
Both have a max. linespeed of ~2Mbits; what you actually can get depends both on line quality and distance. Under identical conditions, the newer 782R will get about 20-30% higher troughput.
From my experience I'd expect to get about 1 - 1.5 Mbits over a 2 mile link if it's reasonable quality.
There's probably lots of other devices that would also work, it's just that I've successfully used these myself. Prices (new) in Europe are about $480 each; with a bit of luck you should be able to get them used for a lot less.

While a Cisco Aironet would be nice, $1400 is a bit steep.

The issue is, with all these current 802.11b security issues and the probable introduction of new security features, what are good products to use and steps take? It's one thing to point out the flaws in the system; another entirely to show how to fix (or at least avoid) them.

I detect an "Ask Slashdot" here....

While a Cisco Aironet would be nice, $1400 is a bit steep.

The issue is, with all these current 802.11b security issues and the probable introduction of new security features, what are good products to use and steps take? It's one thing to point out the flaws in the system; another entirely to show how to fix (or at least avoid) them.

I detect an "Ask Slashdot" here....

Besided the suggestions for the ISDN router, which are good suggestions I think some mention should be made for the external terminal adapter option. The two best IMO are the 3com impact and the zyxel omni.net plus.

This option is really appealing if you are used to POTS modems because they behave just like them. They hook up to your serial port and they have dial out commands just like modems. They work seemlessly with ppp and do not require that one get involved in any isdn4linux stuff. It isn't that the isdn4linux stuff is bad it is a little hard to work with if you don't live in europe. And the isdn4linux debate on it's regular inclusion in the linux kernel is still not completely resolved.

The reason I like both the 3com and the zyxel product is because they both have the capability to do 230kbps or more across the serial port. This is important if you want to use all 128kbps of ISDN. USB would make the whole serial port discussion a null issue but it is not quite ready in linux. The 3com impact does 230kbps and the zyxel does 460kbps. Don't let the zyxel fool you 460kbps is better then 230kbps but only marginally. Instead, let the zyxel price lure you. The zyxel is generally cheaper then 3com but has just as high customer satisfaction (I own a zyxel myself and am very happy with it).

This brings up an important point. Most serial ports have the 16550A UART which does a smashing good job of 115kbps. This is more then enough for 56K modems. But for ISDN even at 115kbps one will find that the best throughput is really only 95kbps due to overhead on the UART. And if one can make a 128kbps connection the throughput is even worse. So if you go the route I describe I suggest picking up a serial port board with a 16750 or 16950 UART. These UARTs are supported in linux kernel 2.2.x or newer. A good manufacturer is pacific commware. Their turboexpress 920 board is isa pnp which will require isapnptools and a little elbow grease. I need to stress that the newer UARTs are not supported in the older 2.0.x kernels.

And now the URLs:

• 3Com Impact IQ
• Zyxel Omninet plus
• Pacific Commware's Turbo Express 920
• Serial HOWTO
• ISA PnP tools
• Theodore Tso's serial port driver, not necessary with 2.2.x kernels.