The Hsinchu, Taiwan-based networking and security vendor has been shipping three models in its ZyWall FW/VPN range for the SME market for the last four years, said James Walker, product manager for the company in the UK. Now it is introducing multi-function versions with the option to upgrade existing boxes via a Memory Card with the additional functionality.

Unified Threat Management, or UTM, is a term coined by analyst IDC for the appliances combining multiple perimeter security functions in a single box that have become very popular in the mid-market segment in recent years and are now moving down to the SME market.

In ZyXel’s case, the basic FW/VPN products already offer bandwidth management for QoS and a content-filtering capability with technology produced by and subject to a separate license from Blue Coat Systems Inc. The UTM feature adds anti-virus from Russian developer Kaspersky Lab; anti-spam from Mailshell Inc, a US ISV that provides its engine primarily to OEM customers; and IDS/IPS, which is ZyXel’s own technology as featured on the IDP 10 appliance launched last year.

Walker said ZyXel will continue to ship the vanilla FW/VPN range as well as the UTM versions of the three boxes, making available a Memory Card called the ZyWall Turbo with all the additional software and SecuASIC, a piece of bespoke silicon developed by the company to reduce the service degradation that ensues from turning on all the UTM functions. IDS/IPS in particular is very processor-intensive, and Walker quoted Intel research that shows other UTM devices for SME see CPU usage increase tenfold when they switch from FW/VPN-only mode.

The ASIC seeks to counter this performance hit. "We developed it to give 20 times faster throughput on IDS/IPS and AV," said Walker. Comparing throughput with and without the additional functionality, for instance, the ZyWall 5 (up to 10 users, one WAN port and four LAN/DMZ ports and support for up to 10 VPN tunnels) goes from 65Mbps without to 12Mbps with. The ZyWall 35 (up to 30 users, dual WAN ports, four LAN/DMZ and 35 VPN tunnels) goes from 70Mbps to 18Mbps and the ZyWall 70 (100 users, dual WAN, four dedicated DMZ, one LAN port and 100 VPN tunnels) from 90Mbps to 18Mbps.

The price differential between the vanilla and UTM versions is between 50% on the low end (the 5 goes from $458 vanilla to $680 UTM) and 15% at the top of the range (the 70 goes from $1,470 to $1,692).

The non-UTM devices will continue to ship for customers who prefer best-of-breed, and the IDP 10 will also continue, despite ZyXel extending IDS/IPS functionality to the firewalls. "It’s a different proposition," said Walker, pointing to its higher price tag ($2,944) and transparent nature (it has no IP address), which makes it suitable for inspecting high volumes of clear text traffic within a network, whereas the UTM devices terminate VPN (encrypted) traffic, decrypting and inspecting it, which the IDP 10 cannot do.

The roadmap for ZyXel’s security products will first see it extend the UTM capability to the ZyWall P1 personal FW in November, then add higher-end products for the 100-to-500-seat company in the first half of next year. "For that market you need Gigabit interfaces, which we already offer on our switching products," Walker said.

The UTM devices launching now are built to handle ADSL 2 (8Mbps) and ADSL 2+ (24Mbps), which Walker said already differentiates them from competing products from the likes of Fortinet and SonicWall that can take up to 1Mbps.

He said other differentiators are in the pricing and the contract terms. "After a three-month trial with Fortinet, if you go for a one-year contract they deduct the three months of the trial, whereas we give you 12 months and if you sign up within the trial period, you get a further three," he said.