Spider for a web or central node of a distributed network

What should you look for when choosing a VPN router for a distributed network, and what features should it have? Our review of the ZyWALL VPN1000 is devoted to these questions.

Introduction

Until now, most of our publications have covered entry-level VPN devices for connecting peripheral sites to the network: linking branches to headquarters, for example, or giving small independent companies or even private homes Internet access. It is time to talk about the central node of a distributed network.

Clearly, a modern large-enterprise network cannot be built solely from economy-class devices, and neither can a cloud service that delivers services to consumers. Somewhere there must be equipment capable of serving a large number of clients at the same time. This time we look at one such device, the Zyxel VPN1000.

For both large and small participants in network exchange, there are criteria by which the suitability of a given device for a task can be assessed.

Below are the main ones:

  • technical and functional capabilities;
  • management;
  • security;
  • fault tolerance.

It is hard to say which of these matters more or which could be dispensed with: all of them are needed. If a device falls short of the requirements on any one criterion, problems are likely down the road.

That said, devices designed for central nodes and equipment that works mainly on the periphery can differ significantly in certain respects.

For a central node, computing power comes first, which means forced cooling and therefore fan noise. For peripheral devices, which usually sit in offices and residential spaces, noisy operation is close to unacceptable.

Another interesting point is the allocation of ports. With a peripheral device it is more or less clear how it will be used and how many clients will connect, so ports can be hard-partitioned into WAN, LAN and DMZ, hard-bound to a protocol, and so on. A central node has no such certainty. Suppose a new network segment is added that needs its own interface: how is that done? This calls for a more universal solution with flexibly configurable interfaces.

Another important nuance is how many functions the device packs in. There are certainly advantages to having one piece of equipment do a single job well, but things get interesting as soon as you need to step slightly outside that job. You can, of course, buy another dedicated device for each new task, and keep doing so until the budget or the rack space runs out.

By contrast, an extended feature set lets one device cover several needs. For example, the ZyWALL VPN1000 supports several VPN types, including SSL VPN and IPsec VPN, as well as remote-access connections for employees; one box covers both site-to-site and client connections. There is one "but": for this to work, the device needs a performance margin. In the ZyWALL VPN1000, a hardware IPsec engine provides high VPN tunnel throughput, while VPN load balancing/redundancy with IKEv2 and SHA-2 algorithms provides high reliability and security for the business. Note that support for IKEv2 and SHA-2 does not by itself make a tunnel secure: the phase 1 and phase 2 proposals actually offered to peers must be restricted to those algorithms, with legacy options such as IKEv1 aggressive mode, MD5/SHA-1 integrity and DH groups 1, 2 and 5 disabled.
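As an added example (not Zyxel's code or configuration format), the check below audits exported tunnel proposals against a minimum policy. It assumes a simple Proposal/Tunnel representation and three constructed tunnels; the point it makes is that a peer may select any proposal in the offered list, so a single legacy entry left in "for compatibility" is a downgrade path no matter how strong the first entry is.

```python
"""Audit IKE/IPsec tunnel proposals against a minimum policy.

Added example, not Zyxel's code: it models the check an engineer would run
over an exported tunnel configuration before trusting a "supports IKEv2 and
SHA-2" claim. The Tunnel/Proposal fields and the sample tunnels below are
constructed for this example; map a real export onto the same fields.
"""
from dataclasses import dataclass, field

WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}            # 768/1024/1536-bit MODP groups
MIN_IKE_VERSION = 2


@dataclass
class Proposal:
    encryption: str   # e.g. "aes256", or an AEAD such as "aes256gcm"
    integrity: str    # e.g. "sha256"; empty for AEAD ciphers
    dh_group: int     # 0 = no Diffie-Hellman exchange in this phase


@dataclass
class Tunnel:
    name: str
    ike_version: int
    aggressive_mode: bool = False
    phase1: list = field(default_factory=list)   # IKE SA proposals, in offered order
    phase2: list = field(default_factory=list)   # IPsec (child) SA proposals


def is_aead(p):
    return p.encryption.lower().endswith(("gcm", "ccm"))


def check_proposal(p, phase):
    """Return the list of policy violations in one proposal (empty = clean)."""
    problems = []
    if p.encryption.lower() in WEAK_ENCRYPTION:
        problems.append(f"{phase}: weak encryption {p.encryption}")
    if not is_aead(p):
        if not p.integrity:
            problems.append(f"{phase}: no integrity algorithm")
        elif p.integrity.lower() in WEAK_INTEGRITY:
            problems.append(f"{phase}: weak integrity {p.integrity}")
    if p.dh_group in WEAK_DH_GROUPS:
        problems.append(f"{phase}: weak DH group {p.dh_group}")
    if phase == "phase1" and p.dh_group == 0:
        problems.append("phase1: no DH group")
    if phase == "phase2" and p.dh_group == 0:
        problems.append("phase2: no PFS (child SA keys derived from the IKE SA only)")
    return problems


def audit_tunnel(t):
    """Audit every proposal offered. The peer may select *any* offered proposal,
    so one weak entry is a downgrade path even if a strong one is listed first."""
    problems = []
    if t.ike_version < MIN_IKE_VERSION:
        problems.append(f"IKEv{t.ike_version} in use")
    if t.aggressive_mode:
        problems.append("IKEv1 aggressive mode enabled (PSK hash sent unencrypted)")
    for p in t.phase1:
        problems.extend(check_proposal(p, "phase1"))
    for p in t.phase2:
        problems.extend(check_proposal(p, "phase2"))
    return problems


def audit(tunnels):
    return {t.name: audit_tunnel(t) for t in tunnels}


# Constructed sample: three tunnels as they might appear in a config export.
SAMPLE_TUNNELS = [
    Tunnel("branch-east", 2,
           phase1=[Proposal("aes256", "sha256", 14)],
           phase2=[Proposal("aes256gcm", "", 14)]),
    # Strong proposal first, but a legacy one still offered "for compatibility".
    Tunnel("legacy-warehouse", 2,
           phase1=[Proposal("aes256", "sha256", 14), Proposal("3des", "sha1", 2)],
           phase2=[Proposal("aes128", "sha256", 0)]),
    Tunnel("old-vendor", 1, aggressive_mode=True,
           phase1=[Proposal("aes128", "sha1", 2)],
           phase2=[Proposal("aes128", "sha1", 0)]),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_TUNNELS).items():
        print(name, "OK" if not problems else problems)
```

Run it against the sample and only "branch-east" comes back clean; "legacy-warehouse" is IKEv2 with SHA-2 on paper, yet its second phase 1 proposal and its phase 2 without PFS both get flagged.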

Below are some useful features that address one or more of the criteria described above.

SD-WAN provides a cloud management platform with centralized control of inter-site communication plus remote monitoring and control. The ZyWALL VPN1000 also supports this mode of operation where advanced VPN features are required.

Support for cloud platforms hosting critical services. The ZyWALL VPN1000 is validated for use with Microsoft Azure and AWS. Pre-validated devices are preferable for an organization of any size, especially when the IT infrastructure combines an on-premises network with the cloud.

Content filtering improves security by blocking access to malicious or unwanted websites and prevents malware from being downloaded from untrusted or compromised sites. With the ZyWALL VPN1000, a one-year license for this service is included in the package.

Geo policies (GeoIP) let you track traffic by the geographic location of IP addresses and deny access from regions you do not need or that are potentially dangerous. A one-year license for this service is also included with the device. Keep in mind that a GeoIP lookup is only as accurate as the database behind it, and an attacker can simply connect from a VPN, proxy or cloud host in an allowed region, so geo-blocking reduces noise rather than acting as a security boundary.

Wireless network management. The ZyWALL VPN1000 includes a wireless LAN controller that can manage up to 1032 access points from a single user interface, so a business can deploy or expand a managed Wi-Fi network with minimal effort. It is worth noting that 1032 is really a lot: even at a conservative 10 users per access point, that adds up to more than ten thousand clients.

Load balancing and redundancy. The VPN series supports load balancing and failover across multiple WAN interfaces: you can connect several links from several providers and thereby protect yourself against an outage at any one of them.

Device redundancy (Device HA) keeps connectivity running even when one of the devices fails. It is hard to do without if you need 24/7 operation with minimal downtime.

Zyxel Device HA Pro works in active/passive mode, which does not require a complicated setup procedure. That lowers the entry threshold and lets you start using redundancy right away. Unlike active/active, where the administrator needs additional training, must be able to configure dynamic routing, understand asymmetric routing and so on, configuring active/passive is much simpler and less time-consuming.

With Zyxel Device HA Pro, the devices exchange heartbeat signals over a dedicated port; the heartbeat ports of the active and passive devices are connected directly with an Ethernet cable. The passive device fully synchronizes state with the active one: sessions, tunnels and user accounts are all replicated between the two. The passive device also keeps a backup copy of the configuration file in case the active device fails. As a result, failover from the primary device is seamless. Because that link carries session and account state, keep it a direct cable between the two units rather than running it over a shared network segment, and choose the heartbeat timeout with care: too short and a momentary hiccup triggers a spurious failover, too long and clients sit through the outage.

Note that in active/active systems you still have to keep 20-25% of system resources in reserve for failover. In active/passive, one device sits entirely in standby, ready to take over traffic processing immediately and keep the network running normally.
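As an added illustration (not Device HA Pro's implementation; the timer values and the event timeline are constructed), the state machine below shows the decision the passive unit makes from the heartbeat alone: a single late heartbeat is ignored, a run of missed heartbeats triggers failover, and once active the unit does not fail back automatically unless preemption is enabled. It also exposes the inherent limit of a single heartbeat link: silence looks the same whether the peer died or the cable did.

```python
"""Heartbeat-driven active/passive failover as a small state machine.

Added example, not Zyxel Device HA Pro code; the interval, dead-count and
the event timeline are constructed. It models the passive unit's decision:
when has the active unit really failed, as opposed to one heartbeat being late?
"""


class PassiveUnit:
    def __init__(self, interval=1.0, dead_after=3, preempt=False, now=0.0):
        self.interval = interval        # seconds between heartbeats
        self.dead_after = dead_after    # missed heartbeats before failover
        self.preempt = preempt          # fail back automatically when the peer returns?
        self.last_heartbeat = now
        self.role = "passive"
        self.log = []                   # (time, message) for every transition

    def on_heartbeat(self, now):
        self.last_heartbeat = now
        if self.role == "active":
            # Peer is alive again. Without preemption we stay active: swapping
            # back automatically would disturb the synchronized sessions twice.
            if self.preempt:
                self.role = "passive"
                self.log.append((now, "peer back, failback (preempt)"))
            elif not self.log or self.log[-1][1] != "peer back, staying active":
                self.log.append((now, "peer back, staying active"))

    def tick(self, now):
        """Called once per interval; returns the unit's role after evaluation.
        Note: silence on the heartbeat port cannot tell a dead peer from a
        broken cable; this is why the link should be a direct, dedicated one."""
        silence = now - self.last_heartbeat
        if self.role == "passive" and silence >= self.interval * self.dead_after:
            self.role = "active"
            self.log.append((now, f"failover after {silence:.0f}s of silence"))
        return self.role


def replay(events, **kwargs):
    """events: (time, kind) pairs, kind 'hb' = heartbeat received, 'tick' = timer.
    Returns the unit and the role observed at every tick."""
    unit = PassiveUnit(**kwargs)
    roles = []
    for t, kind in sorted(events):          # 'hb' sorts before 'tick' at equal times
        if kind == "hb":
            unit.on_heartbeat(t)
        else:
            roles.append((t, unit.tick(t)))
    return unit, roles


# Constructed timeline: heartbeats every second, a two-beat blip at 6-7,
# the active unit dying after 10, and a recovered peer reappearing at 16.
TIMELINE = [(t, "tick") for t in range(0, 18)] + \
           [(t, "hb") for t in (0, 1, 2, 3, 4, 5, 8, 9, 10, 16)]

if __name__ == "__main__":
    unit, roles = replay(TIMELINE)
    print(dict(roles))
    for t, msg in unit.log:
        print(f"t={t}: {msg}")
```

With the default three missed beats, the blip at seconds 6-7 changes nothing, the takeover happens at second 13, and the returning peer at second 16 is only logged. Run `replay(TIMELINE, preempt=True)` to see the unit hand the active role back instead.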

In simple terms: with Zyxel Device HA Pro and a backup channel, the business is protected both from loss of connectivity caused by a provider failure and from problems caused by a router failure.

Summing up all of the above

For the central node of a distributed network, it is better to use a device with a reserve of ports (connection interfaces). Ideally it should have both RJ-45 interfaces, for simple and cheap connections, and SFP ports, which allow a choice between fiber and twisted pair.

This device must be:

  • high-performance and able to absorb abrupt changes in load;
  • equipped with a clear interface;
  • rich, but not excessive, in built-in features, including security-related ones;
  • able to support fault-tolerant designs: redundant links and redundant devices;
  • manageable centrally, so that the whole branched infrastructure of central node and peripheral devices is administered from one point;
  • and, as icing on the cake, supportive of modern trends such as integration with cloud resources.

ZyWALL VPN1000 as the central node of the network

A first look at the ZyWALL VPN1000 shows that Zyxel did not skimp on ports.

We have:

  • 12 configurable RJ-45 ports (GbE);
  • 2 configurable SFP ports (GbE);
  • 2 USB 3.0 ports with support for 3G/4G modems.

Figure 1. General view of the ZyWALL VPN1000.

It should be said right away that this device is not for a home office, primarily because of its powerful fans; there are four of them.

Figure 2. Rear panel of the ZyWALL VPN1000.

Let's see what the interface looks like.

One important point first: there are a great many functions, and it is impossible to describe them all in detail within one article. The good thing about Zyxel products is that the documentation is very detailed, above all the user (administrator) manual. So, to get an idea of the breadth of features, we will simply walk through the tabs.

By default, ports 1 and 2 are assigned to WAN; from the third port onward the interfaces belong to the local network.

Port 3, with the default IP address 192.168.1.1, is the one to use for the initial connection.

Connect a patch cord, open https://192.168.1.1, and the web interface login window appears. Before the WAN ports go live, change the default administrator credentials and restrict management access to the LAN or a dedicated management interface.

Note: the SD-WAN cloud management system can also be used for management.

Figure 3. Login and password entry window.

After entering the login and password we get the Dashboard, which is as a dashboard should be: maximum operational information on every scrap of screen space.

Figure 4. ZyWALL VPN1000 - Dashboard.

Quick Setup Tab (Wizards)

The interface has two wizards: one for configuring the WAN and one for configuring the VPN. Wizards are a good thing: they let you apply template settings even without prior experience with the device. For those who want more, as mentioned above, there is the detailed documentation.

Figure 5. Quick Setup tab.

Monitoring tab

Zyxel's engineers evidently followed the principle of monitoring everything that can be monitored. For a device acting as the central node, that kind of total visibility certainly does no harm.

Simply expanding all the items in the sidebar makes the breadth of options obvious.

Figure 6. Monitoring tab with expanded sub-items.

Configuration tab

Here the wealth of features is even more evident.

For example, port management on the device is very nicely designed.

Figure 7. Configuration tab with expanded sub-items.

Maintenance tab

Contains subsections for updating firmware, diagnostics, viewing routing rules, and shutting down.

These functions are of an auxiliary nature and are present in one way or another in almost every network device.

Figure 8. Maintenance tab with expanded sub-items.

Comparative characteristics

Our review would be incomplete without a comparison with comparable devices.

Below is a table of the closest competitors to the ZyWALL VPN1000 and the features compared.

Table 1. Comparison of ZyWALL VPN1000 with analogues.


Explanations for table 1:

*1: License required

*2: Low Touch Provisioning: the administrator must first configure the device locally before ZTP.

*3: Session-based: DPS applies only to new sessions; it does not affect existing sessions.

As the table shows, the competitors keep pace with our subject in some respects: the Fortinet FG-100E also has built-in WAN optimization, and the Meraki MX100 has a built-in AutoVPN (site-to-site) function. Overall, however, the ZyWALL VPN1000 comes out clearly ahead.

Guidelines for choosing devices for the central site (not just Zyxel)

When choosing devices for the central node of an extensive network with many branches, focus on a number of parameters: technical capabilities, ease of management, security and fault tolerance.

A wide range of functions, a large number of physical ports that can be flexibly configured as WAN, LAN or DMZ, and other nice extras such as an access point controller let you cover many tasks at once.

An important role is played by the availability of documentation and a convenient management interface.

With such seemingly simple things at hand, it is not so difficult to build a network infrastructure spanning multiple sites and locations, and SD-WAN cloud management makes it possible to do so as flexibly and securely as possible.

Useful links

Analysis of the SD-WAN market: what solutions exist and who needs them

Zyxel Device HA Pro improves network resiliency

Using GeoIP Function in ATP/VPN/Zywall/USG Series Security Gateways

What will be left in the server room?

Two in one, or migrating an access point controller to a gateway

Telegram chat Zyxel for specialists

Source: habr.com
