ADSL/Cable Firewalls: Products Reviews

An Analysis of hardware mini-firewalls for 'always-on' Users

By Seán Boran (sean at boran.com)
www.boran.com/security/sp/pf

The appetite of hackers, complexity of PC applications / operating systems, and the extensiveness of networking, have contributed to continual discovery of security weaknesses - which the "average" user can hardly be expected to follow. Until now the standard tool for defending PCs was the antivirus scanner. The PC personal firewall recently made a debut to fend off Internet attacks on individual PCs. An alternative to such software running each PC is a dedicated hardware mini-firewall, particularly interesting for protecting small groups of machines, or 'always-on' Internet connections, such as ADSL or Cable

Latest Changes:

22.Nov.02 Snapgear Pro+ review, reorganise Detection/Reaction.
15.Sep.02 Update Linksys notes
16.Jul.02 Snapgear update.
10.May.02: Zywall corrections.

Introduction

Network firewalls are great for implementing a security policy between different networks, but are often expensive, complicated, inflexible, or do not progress quickly enough to keep up with new attacks. They may also be rendered useless by dialup access weaknesses, encryption, VPNs, Teleworkers connecting directly to the Internet from home, etc. Two alternatives are:

PC "personal firewalls" that are installed on Windows and allow both beginner and expert users to protect their PCs. Refer to [1] for an analysis of PC-based personal firewalls.
Mini-hardware firewalls for protecting a small number of PCs. These little devices are useful for protecting one or more PCs on a small network, for example a SOHO ADSL connection. This article presents comparisons of several such products. Before reading this report, you may wish to refer to [2] for an introduction to these tests, an explanation of the topology of ADSL connections, analysis of risks and general countermeasures.

Although we specifically refer to ADSL here, the same principles apply to cable modems and ISDN firewalls.

This report compares 7 devices to restricting ADSL connections : Zywall 10, Watchguard SOHO, Linksys BEFSR41, Zyxel 642RI router, Sonicwall SOHO, SnapGear SOHO+, SnapGear PRO+.

Product Tests

Price Comparison

Product	Version tested	Hub or switch included?	List price	No. host licenses	Annual maintenance or monitoring services
Zywall 10 [3]	v320(WA.1)	no	$399	no limit?
WatchGuard SOHO [4]	v2.3.21	4 port	$449	10	LiveSecurity Service is included for one year. See note.
Linksys BEFSR41 [5]		4 port	$150	no limit
Zyxel 642 Router [6]	V2.50(A.1) V2.50(AL.2)b2, V2.50(AJ.2)	no	$399	no limit
SnapGear SOHO+ [8]	v6.1.1	no	LITE $199, SOHO+ $399	no limit	90 days support. Free firmware upgrades for life.
Sonicwall SOHO2 [9]		no	$495	10, upgrades available.	An automated scanner/vulnerability service is available on www.mysoniwall.com (not free) that performs a risk assessment of your open services (regularly) and reports on then. Looks quite accurate. [9]
SnapGear Pro+[8]	V 1.7.2	no	$740	no limit	- 90 days support. - Annual support $99 - 4 year warranty $100 - Free firmware upgrades for life. URL Content filtering: 5 user=$49 up to 1000 users $7k URL Content filtering with reporting: 5 user=$99 up to 1000 users $13k

Watchguard LiveSecurity Note: Watchguard's Service subscription entitles you to:
"Software updates and Rapid-response alerts that notify you of security threats as they break, with an archive of past broadcasts. Expanded self-support options, such as Frequently Asked Questions, Known Issues and a searchable Knowledge Base Interactive. Online Training and options for instructor-led training. Comprehensive Online Help, including installation instructions, user guides and product reference. Incident-based Technical Support with a choice of optional escalation upgrades."

Usability Comparison

Product	Ease of configuration or installation	Documentation	On-line help	Are logs / alerts easy to understand?	User knowledge if default config. needs changing
Zywall 10	HTTP GUI and telnet menu is good.	Good, but only on CD. 150 pages in user manual alone.	none	no	Advanced
Watchguard SOHO	• HTTP GUI is good. • Windows GUI for upgrades.	OK, Internet access must work to access docs.	none, unless Internet active.	logs easy, but limited.	Intermediate- Advanced
Linksys	HTTP GUI is good.	good, also on paper.	limited	logs easy, but limited.	Intermediate- Advanced
Zyxel 642 Router	Installation OK, UI poor.	Good, but only on CD.	none	no	Expert
SnapGear SOHO+	HTTP GUI is good.	Good.	good	no	Intermediate- Advanced
Sonicwall SOHO	HTTP GUI is very good.	good.	good	quite good	Intermediate- Advanced
SnapGear PRO+	HTTP GUI is good.	Good. Also, lots of help on www.snapgear.com	good	quite good, colour coding by severity	Intermediate- Advanced

Feature Comparison

Product	Default policy	'uplink' switch to replace crossover cables?	Regular (online) Updates
Zywall 10	Outgoing allowed, incoming blocked, DoS prevention.	yes	Firmware updates can be downloaded.
Watchguard SOHO	Outgoing allowed, incoming blocked, except ping.	no	Bug-fix updates can be downloaded.
Linksys	Outgoing allowed, incoming blocked.	no	Bug-fix updates can be downloaded.
Zyxel 642 Router	Outgoing allowed, incoming blocked.	no	no
SnapGear SOHO+	Outgoing allowed, incoming blocked.	no	Firmware updates can be downloaded.
Sonicwall SOHO	Outgoing allowed, incoming blocked.	no	Firmware updates can be downloaded.
SnapGear Pro+	Outgoing allowed, incoming blocked.	no	Firmware updates can be downloaded.

Product	IP sec VPN	Dynamic DNS	Port-forwarding (SUA server) or Address translation ( NAT)	DNS proxy	DHCP Server	Other tools/ features included
Zywall 10	• no • an IPsec pass through test worked.	yes (tested with dyndns.org)	• SUA server and NAT • SUA allows specification of up to 11 ports forwarded to internal address • Source and destination port must be identical. • NAT for up to 10 addresses. • Flexible: on-to-one, one- many, many-many and server supported.	yes	yes	Fine tuning of TCP/IP timeouts is possible: - tcp connection, Fin-wait, tcp idle, udp idle and icmp timeout.
Watchguard SOHO	• VPN optional $599 • an IPsec pass through test worked.	no	SUA server	no	yes	-SOCKS proxy
Linksys	• no • an IPsec pass through test worked. (only one session is supported)	no	• SUA server • Up to 10 addresses.	no (other readers say yes)	yes	MAC address filtering.
Zyxel 642 Router	• no • an IPsec pass through test worked.	no	• SUA server allows specification of port per machine or default machine. • Source and destination port must be identical. • Up to 8 ports.	yes	yes
SnapGear SOHO+	• PPTP and IPsec VPNs • an IPsec pass through not yet tested.	yes	• Can have several external addresses (not tested) • SUA allows specification of port per machine. • Source and destination port can differ • SUA definitions can be disabled without being deleted	yes	yes, disabled by default	Traffic shaping Access to OS (Linux) configuration files. Dial-in and dial-out via a serial interface.
Sonicwall SOHO	• optional • an IPsec pass through test worked.	no	• SUA server and NAT	yes	yes	Extensive web filtering.
SnapGear Pro+	• PPTP and IPsec VPNs • Hardware encryption	yes	as SOHO+	yes NTP proxy too	yes	As SOHO+, - plus modem built-in.

Note: The IPsec VPN 'pass through' test was an attempt to make a VPN connection from a Cisco VPN client 3.0.1 on Windows 2000 on the LAN to a Cisco VPN concentrator on the Internet. I realize this is a simple test of one VPN product, but it was interesting if the rather complex IPsec protocols worked.

SUA note: I don't recommend using a 'default LAN address' for incoming connections, as this effectively opens this host completely to the Internet. Specify only the necessary ports, for example 80/443 for HTTP/S.

Filter Rules Configuration

Product	Filter incoming/ outgoing	Address specification	port specification	state based	Trojan detection engine	HTTP content analysis	Email content analysis
Zywall 10	• up to 10 flexible rules in each direction • Options: in/out, pass or block, logging & alerting optional	single, range, network	tcp + udp ports or ranges Up to 10 custom port definitions.	FTP	no	yes... see note.	no
Watchguard SOHO	• block specific outgoing ports • allow specific incoming ports	no	tcp or udp ports or ranges IP protocol numbers	FTP	no	no	no
Linksys	• block all except specific outgoing ports per LAN IP address	LAN yes, WAN, no.	tcp or udp ports or ranges	FTP works	no	no	no
Zyxel 642 Router	Yes, per interface. But complicated, primitive and error prone.	single, range or networks. Network ranges not supported.	single udp/tcp, no ranges	FTP works	no	no	no
SnapGear SOHO+	• block specific outgoing ports • allow specific incoming ports • custom (IP tables) rules.	network+ netmask	single udp or tcp, no ranges Custom rules allow ranges.	FTP works	no	no (planned)	no
Sonicwall SOHO	• flexible rules • Options: source/destination IP, allow/deny, time of day, inactivity timeout. • rules can be disabled without being deleted.	single, range	tcp, udp, icmp ports or ranges custom port definitions.	FTP	no	extensive... see note.	no anti-virus from Network Associates for $?? per year
SnapGear Pro+	as SOHO+	as SOHO+	as SOHO+	FTP	no	yes	no

Zywall note: ActiveX, Java, cookies, web proxies can be blocked for one list of sites. However the settings cannot be saved individually per site. For example you can't enable ActiveX for some sites, cookies for other and Java for others. Nor is it possible to block ActiveX for all sites, for example.

Watchguard note: Different rules cannot be applied to different addresses on the private network. Outgoing traffic is controlled by port number, so dynamic protocols such as FTP cannot be effectively filtered. Different rules cannot be applied to different Internet addresses either.

Sonicwall web filtering: is extensive:

Time of day access control.
ActiveX, java, Cookies, web proxy, invalid certificates can be blocked.
Access to violent/pornographic/dangerous sites can be restricted. There are 12 different categories, a filter list can be downloaded, and updated automatically at pre-programmed intervals.
Trusted domains can be defined, where is access is always granted.
Forbidden domains can also be defined.
URLs containing specific keywords can be blocked.
Consent filtering for controlling when kids access the web for how long.

Snapgear Pro+ also has extensive web filtering:

Based on the Cerberian Web Filter, but must be subscribed to (paid for) additionally.
"features a database of several million categorized URLs. .... combines blocking, monitoring, real-time URL rating, policy management and real-time reporting in a centrally managed, 100 percent web-based solution."
Trusted domains can be defined, where is access is always granted.
Forbidden domains can also be defined.
Sites are classified into ~80 categories, for each of which the category can be allowed, blocked or allowed with logging of violation.
The categories pornography, hate, violence, weapons, illegal drugs, pay to surf sites and advertisement were enabled for a period of three weeks.
==> Blocking was accurate, no "false positives" were notices.
If the user feels a site was blocked that should not have been blocked, a form can be filled out which is sent to Cerberian for analysis.
Useful reports of blocked and allowed filter usage can be viewed on cerberian.com. These reports would give the IT Manager a useful overview of his Webtraffic, even if no sites are actually configured to be blocked.

Management Features

Product	user interface	Centralized policy changes?	Export / import / distribute rules / objects?	Export configuration as text?	Export logs?
Zywall 10	GUI: Web. telnet (good menu), ftp, serial console, SNMP (off by default)	no	configuration file 'rom-0' via ftp	no	no
Watchguard SOHO	GUI: Web ftp	possibly, not fully explored	via ftp?	yes	no
Linksys	GUI: Web	see note	no	no	no
Zyxel 642 Router	GUI: Windows wizard. telnet, ftp, serial console, tftp, SNMP	no	via ftp	no	no
SnapGear SOHO+	GUI: Web on port 80, Telnet (simple, linux like). Serial console possible.	no	no	yes	no
Sonicwall SOHO	GUI: Web on port 80 SNMP (off by default)	yes	yes, via web interface to/from a file	no	no
SnapGear Pro+	GUI: Web on port 80, Telnet (simple, linux like). Serial console possible.	no	no	yes	no

Linksys note:

Enabling 'Remote Management' results in port 8080 being open on the LAN side (but not the WAN interface), which is a second identical web server. I've not read up on these features yet.
Enabling 'Remote Upgrade' doesn't open up any new ports.

Logging & Alerting

Product	Logging	Alerting	Reaction	Management protection
Zywall 10	• local and syslog • Logs difficult to understand for beginners • GUI limited • config changes not logged • no packet details logged	• SMTP Email alerts of logs and DoS attacks • Alerts difficult to understand for beginners • Scans not detected, no high level analysis.	no	• Passwords, with session timeout. • Only one session allowed at a time. • Telnet/ftp access can be disabled or limited to one IP address (via the telnet menu only)
Watchguard SOHO	• no remote syslog, only to Firebox. • log GUI easy to use • config changes logged	no	no	• Password (none by default). See note. • Blocked by default on WAN interface
Linksys	• local log contains source IP address and port, but not time or any further packet data • config changes not logged • log GUI easy to use	no	no	• Passwords • Blocked by default on WAN interface
Zyxel 642 Router	• syslog	no	no	• Passwords • Interfaces visible to Internet! see note.
SnapGear SOHO+	• local and syslog • configuration changes not logged • some details logged	if syslog analysed	no	• Username + Password (long timeout) • Blocked by default on WAN interface
Sonicwall SOHO	• local and syslog • lots of options, good GUI • no packet details logged • Administration and not just traffic, is logged.	• SMTP email alerts of known hacks and scans. • Tested, works well..	no	• Passwords, with session timeout. • Several users can be defined.
SnapGear Pro+	• local and syslog • configuration changes not logged • priority highlighted by colour	if syslog analysed	Yes, IDS can auto block scans..	• Username + Password (long timeout) • Blocked by default on WAN interface

Watchguard note: A passphrase can be configured to protect read-only or read-write access to remote configuration.

Zyxel 642 note: Active services (ftp, telnet..) visible on the Internet Interface! This is a serious problem as it means Zyxel's are sitting on the Internet, with default passwords and telnet enabled on the WAN interface.

The telnet WAN filter does not work on Firmware V2.50(A.1), an upgrade to V2.50(A1.1) is needed.
The Zyxel 642RI was incorrectly delivered with the telnet WAN filter disabled. The distributor assured me all models have this blocked now (June 2001). However previously delivered firmware and possible that delivered in other countries is wrong.
After upgrading to Firmware V2.50(AL.2)b2, the telnet WAN filter was enabled by default, and worked fine - blocking Internet access to the telnet menu. However, ftp was open on the Internet interface (even though the ftp filter had been enabled - it didn't seem to work).
This weakness was also discovered by others - Daniel Roethlisberger posted a summary of his findings on Bugtraq [11] on the 8th August 2001. He goes into more detail and notes that both tftp and snmp (which are udp services) were visible on his router. I don't have one available to test this just now.
On 30.Aug.01 a new fresh 642 was tested: ping, ftp, tftp and snmp were open to the Internet! It was trivial to upload or download firmware configs via ftp with the default password. There is little evidence that Zyxel (or their Swiss distributors) are taking this problem seriously, or doing anything to fix it.

Lesson: Always change the default password and scan your router for open ports, even if you configure filters.
If you have a Zyxel router, run, do not walk, to the console, change the password fast, check for 'unusual rules' that might indicate penetration and finally upgrade your firmware if it is old.

Security Effectiveness, Intrusion Detection & Reaction

Product	Port Filtering	Intrusion Detection	Intrusion Reaction
Zywall 10	default configuration is good and can be tuned given appropriate knowledge.	alerting and logging via email and syslog are available, but the non-expert user will find the alerts difficult to handle.	discovering the identity of attackers automated blocking of attacks is not supported.
Watchguard SOHO	incoming ports are well protected. Outgoing ports are allowed, but can be restricted.	logging is better than the others, but there is no alerting.	minimal
Linksys	incoming ports are well protected but outgoing ports are allowed and are not so easy to restrict.	minimal	minimal
Zyxel 642 Router	incoming ports are blocked unless SUA enabled	none	none
SnapGear SOHO+	incoming ports are indicated as being open, but in fact are well protected. Outgoing ports can be restricted.	There are automated IDS features that can be enabled for specific ports, which is good. But there are no useful statistics, and logs need improvement.	good, attacking machines can be ignored or blocked for 20 minutes. Scans are very effectively slowed down. However, logging and reporting needs improvement.
Sonicwall SOHO	the default configuration is good (but could be better) and can be tuned given appropriate knowledge.	alerting and logging via email and syslog are quite good, but the non-expert user will find the alerts difficult to handle.	discovering the identity of attackers, or automated blocking of attacks is not supported.
SnapGear Pro+	as SOHO+	as SOHO+, and: Scanners are detected and listed in the GUI. It would be nice to have useful statistics, and logs could be easier to read for the novice. It would also be good to define the time that attack sources are blocked for.	good, attacking machines can be ignored or blocked. A list of IP addresses to exclude from blocking can be added. The number of ports scanned that kick in blocking can be customised. Scans are very effectively slowed down. Reporting could be better.

Security of the Default Policy

All products provide a similar security in the default configuration.

Product	Incoming from Internet	Netbus trojan test	LAN ports visible on firewall
Zywall 10	ping and all other services blocked. Ports auth, snmp, tftp are visible. See note.	OK, but no alert.	ftp, telnet, http
Watchguard SOHO	ping allowed, all other services blocked. Ping can be blocked optionally.	OK, but no alert.	ftp, http, socks5/1080
Linksys	ping and all other services blocked.	OK, but no alert.	http
Zyxel 642 Router	Depends on firmware and ISP config. I've seem: a) ping is blocked, but telnet, ftp, tftp, snmp are open b) ping, ftp, tftp, snmp open. => Bad news indeed, see note.	OK, but no alert.	ftp, telnet
SnapGear SOHO+	ping and all other services blocked. Ports with SUA but not active (pptp, http, imap) were marked as closed, all others open.	OK	Many "reported open" by nmap, but this is only the IDS listening for attacks. This might however encourage attackers to keep digging and hence waste bandwidth?
Sonicwall SOHO	ping and all other services blocked. Ports snmp, tftp are visible. See note.	OK, alert (if email alerts enabled)	TCP: http and telnet is detected as "filtered" by scanners, but can't be connect to. UDP: bootps, netbios, snmp, syslog and port 1024 are open. (why?)
SnapGear Pro+	as SOHO+ - scanners are detected, blocked and listed in GUI	OK	as SOHO+

Outgoing policy to Internet:
In the document "ADSL: security risks and countermeasures" [2], the concept of information leakage was discussed. As explained in that document, it's difficult for hardware firewalls to prevent such outgoing connections. All of these hardware firewall allow all outgoing connections by default (the Zywall and Watchguard block Netbios). Several of these products can be customised to restrict outgoing ports and even better, products like the Sonicwall can restrict web content.

Zywall note:
• Snmp can only be configured from the telnet interface. It has a default get/set community of public. A scan shows that the snmp port (udp/161) is open on the Internet side. However, if we use an snmp scanner to download snmp information it does not work This is probably since a 'trusted host' must be configured on the Zywall who is allowed to interact with the smtp service. Hence, although the snmp port is open by default, it does not pose a significant risk. It would be an advantage to be able to switch off SNMP entirely.
• Tftp (udp/69) is visible on the Internet interface and it can be connected to. However, it doesn't seem to be possible to download/upload files, unless a management telnet session is active, so the risk seems low.
• Port auth (tcp/113) service also "seems" open. This is for SMTP servers who also connect to the auth service when delivering email. By providing a dummy auth service, this prevents some SMTP servers from timing out. This feature can be disabled on the command line: sys firewall tcprst rst113 off

Sonicwall snmp note:
• A scan shows that the snmp port (udp/161) is open on the Internet side. However, if we use an snmp scanner to download snmp information it does not work, as one would expect since SNMP is disabled by default in the GUI.. Hence, although the snmp port is 'open by default' to scanners, it does not pose a significant risk.
• Tftp (udp/69) is also visible on the Internet interface and it can be connected to. However, it doesn't seem to be possible to download/upload files.
• It would be an advantage to be able to switch off both these services entirely, so they are not visible to Internet scanners.

Other issues:

Zywall:
- The registration URL http://www.zyxel.com/html/product/reg.html, listed in the documentation, did not work.
- Log viewer cannot jump to first or last page.
- The time can be set manually or from a central server on booting (this can be configured via the telnet interface only). It forgets the time when you switch it off.
- Some options are only available via the command line interface, e.g. syslog configuration, dynamic dns, firewall rules.
- Some options are only available via GUI/web interface, e.g. firewall rules. The GUI is not exactly state of the art HTML programming (e.g. Sonicwall is better in this area).
- RIP routing is available in addition to static routes.
- Multiple LAN IP addresses (or ranges) can be mapped to multiple WAN addresses.
- Free Firmware updates have been released several times in the last year, so the Zywall is evolving.
- I upgraded to the latest V324(WA.2) on 9.Oct.01, since I was having SMTP timeouts with some email servers. No major feature differences, but lots of pain during the upgrade processes... Took almost 3 hours...
Watchguard:
- Firmware had to be (manually) upgraded to get it working with my ADSL connection.
- Reboots are quite slow.
- No time synchronisation or place set reset the date/time.
Zyxel 642 RI router:
- Time sync is possible via: daytime, time, ntp. An ntp server was preconfigured and worked fine.
- It's difficult to find out what (dynamic) IP address has been assigned by your ISP. For example, select System Maintenance from the main menu -> Command Interpreter Mode -> type "ip ifconfig" and look at the address listed for 'wanif0'.
Linksys:
- DNS had to be manually set on the LAN hosts, it was not transmitted via DHCP. Two readers have written in to say this works fine for them, so either my setup was wrong, or my Linksys firmware was old.
- There is no Internet support site for discussions, or security alerting.
- Stability: During a scan from the Internet, the web GUI froze. Had to switch unit off and on. Traffic was un-affected though. Over a period of several days, my Internet connection would become very slow, DNS lookups not working properly. Each time rebooting the Linksys solved the problem.
- There is a "keep alive" function, which seemed to maintain my connection better that other products (I left an SSH connection open all night).
- The Linksys comes in 1 port (BEFSR11 - no hub/switch), 8 port (BEFSR81), 3port/USB (BEFSRU31), and as a wireless model (BEFW11S4).
- In Sept.02 the test unit's Firmware was upgraded and a few tests carried out:
  - A new 'security' tab appears in the web GUI, which allows enforcement of certain software being used on the LAN: Personal Firewall -Zone Alarm Pro, Antivirus -PC Cillin, Parental Control -AOL Parental Control
SnapGear SOHO+
- Troubleshooting can be difficult, make sure you have a syslog server available. However, support staff were quick and helpful.
- Make sure "IP Configuration -> masquerade' is ticked (on the initial firmware 1.5.3 I received it had to be manually enabled, otherwise PPoE/ADSL would not work).
- The firewall cannot filter dynamic protocols like ping, you need to work with ICMP directly.
- A serial console can be enabled if desired. For example to create a serial console at 9600 baud on com1, enter the following at the telnet prompt:
  flashw CONSOLE=/dev/ttyS0,9600 /dev/flash/bootarg
  To disable the console:
  flashw CONSOLE=/dev/null /dev/flash/bootarg
SnapGear PRO+
- Time sync via ntp is available.
- Extensive VPN capabilities, IPSec and PPTP, with several authentication methods: PAP, Chap, Mschap, radius, Tacacs+.
- Custom Firewall examples:
  a) To block explicit access to Netbios ports so that attempts to access them won't be logged:
  iptables -A ExtAccIn -p tcp --dport 135:139 -j DROP iptables -A ExtAccIn -p udp --dport 135:139 -j DROP
- Management via https is planned in a future release.
- GUI suggestions:
  - The title of the web pages is "web page configuration", if would be more useful to have Snapgear, or Pro+, for example, making it easier to identify open browser pages.
  - Add syslog log directly to the system menu.
  - Shorten login timeout to 10 min or so.
  - Maybe add a nice graph with traffic throughput? (not easy for such small devices, yes, I realise that)
  - Diagnostics should be first on the system menu?
Sonicwall:
- Time sync via ntp is available.
- Web proxy requests can be automatically forwarded to a named proxy.
- Advanced networking options: Ethernet interface speed and half/full duplex can be set individually. A max mtu size above which packets are fragmented can be specified.
- The Web GUI won't work with Opera 5.11.
- The Status pages gives an nice overview of what security mechanisms are configured.
- Statistics on bandwidth usage by service or internal IP address, and webpage hits, may be of interest to some users.
- Debugging logs are good.
- Tcp sessions are broken after 5 minutes of inactivity which is a real pain if you use applications like SSH. The network session timeout value can be configured, but doesn't seem to have any effect. Further investigation provided the answer: each firewall rule also has a timeout, and the default for all the standard rules is 5 minutes. By changing the rule for "LAN to *" to a larger timeout, the problem was solved. This issue was report on Sonicwall on 31.Aug.01.
  Note: apparently this was not a feature and hence not a problem in older firmware's.
- I received reports that the installation wizard did not work correctly in some previous versions (I used the firmware available on 30.Aug.01).

Summary and Conclusions

Summary

The risks of an unprotected ADSL connection are real, please ensure that you take at least minimal precautions to secure your ADSL connection.

Hardware firewalls are useful and should be considered by users who directly connect to hostile networks such as the Internet. They are less sophisticated than PC personal firewalls [1], but are easier to install and won't interfere with PC based software, or need to be install for each single host on the local network.

They have a role to play in SOHO (Small Office/Home Office), ISP and possibly corporate markets. Several of these products were tested over a long time period (Zywall 18 months, SnapGear 6 months) and have proved their effectiveness. None of these products is provided with source code, or is open-sourced (although the SnapGear is based on opensource elements).

Firewalls don't offer 100% protection. For instance, even if they do have all the features needed, they can be badly configured; they might not recognize all hostile traffic; they may have bugs; may crash, etc. It's a good strategy to have several barriers to attackers, e.g., antivirus tools, file encryption, good passwords, a well-configured OS and possibly PC personal firewalls..

Conclusions

The Zyxel 642 router:

The Zyxel is a simple, flexible router that includes some basic firewall functions, which may be enough for some users.
It is better than a pure ADSL modem (which provides no protection what-so-ever).
If you want a Zyxel product, buy the Zywall, it a bit more expensive since you'll have to buy an ADSL modem too, but offers better security. Update Nov.2002: even better buy the 652 which includes router + firewall.
What I liked: Serial console, support, simplicity.
What I missed: Web GUI, limited dynamic DNS, better logging, easier filtering.

The Zywall is a flexible and powerful, but could be improved.

User interface: Simplicity and a useful default configuration are the main advantages of this product, but the non-expert could easily make mistakes and open up the firewall. It will require real expertise if custom rules need to be created.
Security features: The ideas are good but the implementation could be better.
What I liked: Serial console, telnet interface, dynamic DNS, flexibility.
What I missed: better GUI, logging, intrusion detection, alerting.

Watchguard SOHO:

A firewall with an integrated hub, good user interface.
What I liked: GUI interface, simplicity, flexibility, support.
What I missed: Serial console, dynamic DNS, stability (I had to upgrade the firmware to get on the Internet).

Linksys:

A firewall with an integrated hub, good user interface.
What I liked: Price, GUI interface, paper documentation.
What I missed: Serial console, dynamic DNS, logging of configuration errors, stability (I had to reboot it several times).

SnapGear SOHO:

The SnapGear is an interesting box, based on ucLinux with FreeS/WAN and Roaring Penguin PPoE and Boa web server.
What I liked: VPN features. Nice, simple, but effective installation wizard. Dial-in and dial-out serial interfaces. Support questions were quickly answered. It's nice to be able to view/edit the Linux configuration files.
What I missed: ftp interface, better logging & statistics, log browser, alerting options.

SnapGear Pro+:

The SnapGear is an interesting box, especially since I like Linux and use it daily.
What I liked: VPN features, installation and upgrade wizard, dial-in and dial-out serial interfaces. Built in modem. Extensive logging to syslog. Support questions were quickly answered, staff friendly and competent. Excellent flexibility and troubleshooting if you understand Linux.
What I missed: ftp interface, more "high level" logging & statistics, alerting options. Help and examples on how to create custom firewall rules.

Sonicwall:

Several readers had asked for this product to be reviewed. With good reason - it is feature packed, with an excellent GUI and makes a solid all-round impression.
Security features: more web content filtering that any other product.
What I liked: lots... especially GUI, logging.
What I missed: Serial console, dynamic DNS, default inactivity timeout on TCP sessions is way too low (5 minutes).
'Stealth filtering' was not switched by default.

The bottom line:

All of these products can reduce the risk of being connected to the Internet, but they all need time for understanding / optimal configuring. Several required firmware upgrades - so it may well be worth upgrading your firmware before going live.

The Zywall, Sonicwall and Snapgear Pro+ are the products with the most complete feature set. The Sonicwall is the best all rounder, catering for both expert and beginner user, but is also the most expensive. The Zywall is interesting (and has better routing for example), but may be more difficult for non-experts to master, lacking the finesse of the Sonicwall. A new release of Zywall is due with significant improvements, including VPN. Zyxel have also released (Autumn 2002) a product with ADSL modem, Router, Firewall rolled into one: the 652.

The Watchguard and Linksys are very similar (feature-wise) and quite easy to use, except for price (Linksys wins) and features (Watchguard LiveSecurity support, VPN options).

The Snapgear Pro+ and Sonicwall offer the best web content filtering. I liked the Snapgear's optional blocking of advertising sites.

The Snapgears would certainly interest Linux fans who want hands on access to config files / IP tables settings. The Snapgear Pro+ is designed for heavy VPN usage (hardware acceleration). The Snapgears also allow dial-in and dial-out via a serial modem connection (which was tested). In fact if you don't have broadband, the SOHO makes an excellent Internet dialup router, with built-in firewall security. The Pro+ has a built-in modem, the SOHO a serial interface on which a modem can hang.
Firmware updates are free and new features are regularly added (e.g. Dynamic DNS in June 2002).

References

Personal Firewalls/Intrusion Detection Systems.
pf_main20001023.html
ADSL: security risks and countermeasures
pf_adsl20010614.html
Zyxel Zywall
Zywall: http://www.zyxel.com/product/firewall/zywall10.htm
Support: http://www.zyxel.com/support/
Firmware update: http://www.zyxel.com/support/download/fw/firewall.htm
Firmware archive: ftp://ftp.europe.zyxel.com/zywall10/firmware/
Watchguard SOHO
http://watchguard.com/
http://watchguard.com/products/soho.html
https://www.watchguard.com/support/sohoresources.asp
https://www.watchguard.com/pubs/FAQs/index.asp
http://www.watchguard.com/pubs/docs/v2.3SOHOUserGuide.pdf

A test in German that was found since this article was published:
http://www.fruehbrodt.org/produkttests/snapgear_soho+.html
LinkSys
http://www.LinkSys.com

Description in German:
http://www.pctweaks.de/sections.php?op=viewarticle&artid=72&inhaltid=0
Zyxel 642RI Router
http://www.zyxel.com
http://www.zyxel.com/support/download/fw/dsl.htm
Discussions forums for ADSL/cable users:
Switzerland: www.superspeed.ch
U.S. www.dslreports.com
Snapgear SOHO+ and PRO+ (used to make Pivio's and do other OEMs)
http://www.snapgear.com/products.html
Online Shop: http://store.yahoo.com/snapgear/
Sonicwall
http://www.sonicwall.com/products/soho/index.html
http://mysonicwall.com
http://firmware.sonicwall.com
Home Network Security - CERT Coordination Center
http://www.cert.org/tech_tips/home_networks.html
This document gives home users an overview of the security risks and countermeasures associated with Internet connectivity, especially in the context of “always-on” or broadband access services (such as cable modems and DSL). However, much of the content is also relevant to traditional dial-up users (users who connect to the Internet using a modem).
Zyxel Prestige 642R: Exposed Admin Services on WAN with Default Password
http://www.roe.ch/bugtraq/3161
Free remote testing of your open ports:
Neoworx port probe: http://www.hackerwatch.org/probe
Sygate also have a scanner, http://scan.sygate.com/probe.html. When I tested it, it refused access though.
Other sites that are worth a visit:

Firewall Guide Router Shop
http://www.firewallguide.com/shophardware.htm

SANS / SOHO Security
http://www.sans.org/infosecFAQ/homeoffice/homeoffice_list.htm

German site on Personal Firewalls
http://www.feuerwallshop.de/

Appendix

Acknowledgements

Thanks to the many readers who have provided tips, suggestions and noticed errors.
For example: Casper Kamp, Keith Woodward, Henry Markus, P-O Risberg, Scott Heavner, Kurt Schumacher.

Changes to this article

18.Jun.01 First Draft
1.Aug.01: This article is no longer sponsored by SecurityPortal, for the moment it is homed on www.boran.com .
17.Aug.01 Add Crossport Pivio, linksys DNS notes, feedback from Daniel Roethlisberger on Zyxel 642
3.Sep.01 Add Sonicwall, major update to Zywall, update Zyxel 642
24.Sep.01 Add Appendix section. Pivio VPN notes.
28.Sep.01 Add links to port probe sites [12]
11.Oct.01 Zywall comment 2, Linksys models & DHCP. Add [13]
08.Apr.02 Replace Crossport Pivio with a new review of the SnapGear SOHO+.
10.May.02 Zywall updates after discussions with Kurt Schumacher.
15.Jul.02 Snapgear updates: dynamic dns, serial dialup tests. German test link.
29.Aug.02 Zywall link.
15.Sep.02 Update Linksys notes
22.Nov.02 Snapgear Pro+ review

Other products that look interesting, but not yet reviewed above:

Zyxel 652: ADSL modem + firewall + VPN in one box.
Netgear FM114P: Firewall, Wireless access point, print server, 4 LAN ports.

Feedback from readers, not integrated into the above article

21.Sep.01/Casper Kamp: The Zywall is for sure the most complete, since our version contains all features you describe, including almost all of the features you describe for the Sonicwall. And even better: We are beta testing a 10 user VPN solution which seems to come available soon with firmware 3.50. We discovered that the 'current' Zywall box includes Web content filtering the extensive way the Sonicwall does, including the option to filter porn sites, etc. per timeframe per day.
Comment: Sounds good. Let's wait until v3.5 firmware is available for download...
11.Oct.01/Scott Heavner: The thing I don't like about the linksys is the way it does DHCP. If you want to do port redirection (i.e. have an outside port redirected to a NAT address on the inside), you can't rely on the DHCP address, there's no way to bind one to a specific MAC address. You can specify the range of the DHCP address block and reserve a bunch of low (and/or high) numbered addresses as static IPs on the network.

About the Author

Seán Boran (sean at boran.com) is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.