Launched in September, Zyxel's ZyWall 35 UTM (unified threat management) appliance is designed for small enterprises or branch offices with up to 50 users. It offers a load-balanced, dual wide area network (WAN) firewall that can also be configured with virtual private network (VPN) tunnels, and it can run antivirus, intrusion detection and prevention (IDP), content filtering and anti-spam tools.

But unless preconfigured, such appliances require a certain amount of expertise to configure and maintain them. The ZyWall 35 is no exception and for such a small device possesses a large and versatile feature set.

The ZyWall 35 includes two 10/100Mbit/s full duplex WAN connections, and four 10/100Mbit/s full duplex LAN/DMZ ports, all of which are auto-negotiating and auto-crossover. There is a serial console management port, a PC Card slot and a dial backup port, but no failover to remote power supplies.

There are two ways of ensuring WAN connectivity with the ZyWall 35. In our tests we could configure the dual WAN link in an active/active configuration, which would load balance data through the links, or we could configure to the failover option whereby the ZyWall 35 would switch to the other WAN link in the event of one link going down.

Setup for the ZyWall 35 was simple - plug in the power adaptor, RJ-45 to the WAN, RJ-45 to the LAN, then browse to the default IP address, 192.168.1.1. First you have to set a password, after which the ZyWall 35 creates a new digital certificate that incorporates the device's MAC address.

After this the home screen opens with the device in router mode, though it can also be set to bridge mode where it acts as a transparent firewall. Users can then subscribe to trial security options such as antivirus and anti-spam. However, for antivirus, IDP and content-filtering options, users need to have a Turbo Accelerator Card installed.

The Turbo Accelerator Card and a one-year licence for antivirus and IDP services costs from £245 + VAT. A 50-client VPN licence costs £662 + VAT; a Blue Coat content-filtering licence costs £140 + VAT and a MailShell licence costs £199 + VAT.

So, adding extra functionality including VPN, IDP, antivirus, content filtering and anti-spam tools more than triples the price.

Network administrators can select to remotely manage the ZyWall 35 via the WAN link only, via the LAN only, via the DMZ only or through all three, but WAN access needs correct configuration of the firewall. Only one management session can run at any one time and access is prioritised, with a Console session having the highest priority, through SSH and Telnet down to the lowest priorities, HTTPS and HTTP.

Although the ZyWall 35 does not have inbuilt wireless functions, a wireless PC Card can be inserted into the card slot. However, this would prevent antivirus and IDP functionality, which require the Turbo Accelerator card. For WLAN security an access point must be plugged into the ZyWall 35 and access rights configured using the onboard authentication functions.