Security-conscious broadband Internet users will be particularly interested in this latest offering from ZyXEL, the Prestige 652 'ADSL Security Router'. ZyXEL have identified and are targeting an ever-growing, highly competitive area of the broadband CPE market, which is, of course, security and secure communications over the Internet. With an endless list of past and present vulnerabilities and offensive websites circulating around the net, customers are no longer simply interested in ease of installation and reliability, but rather a safe and secure solution for the home or office. The Prestige 652 supports a wealth of features including NAT in two distinct modes of operation, Universal Plug & Play (UPnP), content filtering, VPN with IPSEC and firewalling.
The 652 arrives with the usual array of parts including:
The router measures roughly 23 x 16 x 5 centimetres and is encased in a stylish, lightweight enclosure. The product can be mounted with screws to a wall or under your desk, if you so desire. Additionally, it is well worth bearing in mind that a fair amount of heat energy is dissipated while in operation and the vents to the sides and top of the chassis should be kept clear where possible.
Prestige 652 - Out of the Box
I was satisfied with the "Read Me First" quick setup guide which includes a wiring diagram suitable for a typical computer newbie, and a reference table containing details such as the default username/password, IP address, subnet mask and DHCP pool range. You may be wondering what is so special about something which should be expected as standard with any product of this nature? It's all down to communication - those small snippets of information can save a lot of time when you're dealing with a problem in the future - the clearer, the better. There are many modems and routers which do not arrive with any useful information attached, so it's good to see ZyXEL are making an effort on this front.
"Read Me First" Wiring Diagram
Physical setup involves connecting the RJ-45 network cable to your hub/switch (remember to press the uplink button), or to the network card on your PC. Furthermore, the RJ-11 ADSL cable must be connected to the DSL side of your micro-filter, and finally the power connector in the usual manner. In most cases, there won't be a requirement to use the console cable unless you are unable to access the router via the network at any time throughout its lifetime. As mentioned previously, the built-in DHCP server is running by default and serves IP addresses in the range of 192.168.1.33 to 192.168.1.64. By configuring your network interface to "Obtain an IP address automatically" under the TCP/IP protocol settings, you will be assigned an appropriate IP address. Once again, a step-by-step procedure for Windows 95/98, NT/2000/XP is detailed in the quick setup guide.
Connectors from left to right - power switch, power DC in, uplink switch, RJ-45 Ethernet port, reset switch, DB-9 console port, backup modem serial port, RJ-11 ADSL port
The web based configurator can be accessed by pointing your web browser to "http://192.168.1.1" and the quickest way to get up and running is to complete the "Wizard Setup". Electronic Frontier, the UK ZyXEL distributor, are shipping the P652 with the default UK network settings loaded automatically for BT based ADSL services. Your settings should match those depicted below and if not, simply modify the values appropriately.
Web Based Configuration - Setup Wizard (1)
The final step demands a username and password from your ISP. If you're a new ADSL customer, these details should have been supplied to you. If you're an existing customer, you've either forgotten them or are frantically searching around for that elusive piece of paper!
Web Based Configuration - Setup Wizard (2)
Readers with static IP services may wish to enter their IP address into the wizard under "Static IP Address". This is not usually required because at the end of the day, the process involved in obtaining an IP address is exactly the same whether you are a dynamic or static customer - the only difference is that static customers are always assigned the same reserved address via DHCP. The "Nailed-Up Connection" prevents your session from timing out and disconnecting.
Click Finish to complete the setup wizard. The router should start to synchronise with the local exchange and shortly afterwards, access to the Internet becomes a reality. It took me around 10 minutes from opening the package to getting online - certainly an improvement over the router's older brother, the 643.
There are a number of issues that should be attended to before dismissing the web interface and starting to surf the web. Firstly, and most importantly, the default administrative password should be changed. Obviously, this is to prevent somebody on your local network from entering the password "1234" and changing your settings. The Advanced Setup portion of the graphical menu houses a "Password" option where this can be adjusted. Secondly, it's worth double checking that access to your router is only available from within the local network. To confirm that this is the case, click on the Remote Management menu and ensure that telnet, FTP and web are all set to "LAN Only" (this is the default).
Remote Management - configured to allow connections from "192.168.5.60" only
The Secured Client IP field can be used in combination with the Access Status configuration to only allow access from a specific set of hosts. In the example above, only the host with IP address 192.168.5.60 is granted access to all 3 services on the router.
The Prestige 652 supports a list of keywords to help network administrators or cautious parents control which websites can be accessed. In reality, as we recently discussed in our Netgear DG814 review, the filtering lists are only as good as the keywords defined in them. There will frequently be ways to bypass the filters by using other website URLs, or names which do not match the filter.
Keyword Based Content Filtering
Now, we all know that dynamically blocking websites can be fun; however, a more appropriate message is definitely required. The stereotypical 'control freak' can relax - it is possible to exclude a range of IP addresses from the content filtering configuration. Certain techniques can be used to bypass the content filter and obtain the desired webpage including URL encoding within HTTP GET requests. Although the majority of users will never understand or consider this approach, it's worth remembering that the content filter is not entirely foolproof.
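The gap described above, shown from the filter's side as an added example (not code from this review or from ZyXEL's firmware): a raw keyword match misses percent-encoded requests, while decoding the URL before matching catches them. The keyword list, sample URLs and function names are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample data: keyword list and URLs are illustrative only.
BLOCKED_KEYWORDS = ("casino", "warez")
SAMPLE_URLS = [
    "http://example.test/casino/index.html",    # plain keyword
    "http://example.test/c%61sino/index.html",  # one letter percent-encoded
    "http://example.test/c%2561sino/",          # percent sign itself encoded
    "http://example.test/news/today.html",      # unrelated page
]


def naive_match(url, keywords=BLOCKED_KEYWORDS):
    """Raw substring match on the request URL, with no decoding."""
    lowered = url.lower()
    return any(word in lowered for word in keywords)


def canonicalize(url, max_rounds=5):
    """Percent-decode until the text stops changing.

    Returns (text, stable); stable is False when decoding was still
    changing the text after max_rounds passes.
    """
    current = url
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current.lower(), True
        current = decoded
    return current.lower(), False


def normalized_match(url, keywords=BLOCKED_KEYWORDS):
    """Match keywords against the decoded URL; fail closed if unstable."""
    text, stable = canonicalize(url)
    if not stable:
        return True  # deeply nested encoding: treat as blocked
    return any(word in text for word in keywords)


def missed_by_naive(urls):
    """URLs the raw match lets through but the decoded match blocks."""
    return [u for u in urls if normalized_match(u) and not naive_match(u)]


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url}: naive={naive_match(url)} normalized={normalized_match(url)}")
```

Decoding before matching only addresses the encoding case; it does nothing for alternative URLs or names that simply do not contain a listed keyword.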
Command Line Interface
ZyXEL have always been good at implementing the command line side of their routers. The Prestige 652 features a menu-driven (default) and raw command line interface (accessible via option 24.8). The web based interface is essentially an add-on to the CLI, which is really very straightforward to operate, even for a novice.
Command Line Interface - Main Menu
IP Filtering & Firewalling
Living up to its name, the router really takes security seriously. Beyond the concept of a typical stateful firewall, ZyXEL have built in Denial of Service detection, email alerting and logging with UNIX syslog support (configurable on the command line interface). The router is proud to be able to provide protection against many known types of DoS attack including "Ping of Death", "Teardrop", SYN flooding, LAND attacks, ICMP vulnerabilities, illegal NetBIOS & SMTP commands and IP spoofing. The manual covers these areas in depth with full descriptions and explanations of how such attacks can occur and how they are prevented on the Prestige 652.
Virtual Private Networking
The Prestige 652 supports VPN with IPSEC. This means that secure tunnels can be created between two Prestige routers over the Internet. This is particularly beneficial for businesses with a head and branch office, for example. A local area network can be extended beyond the scope of a single office increasing the viability of teleworking and remote access.
The router can be configured to automatically dial an ISP of your choice. Perhaps the best feature is the ability to assign a budget to the dialup connection. In the example below, the modem may only be in operation for a maximum of 120 minutes per 24 hour period. Furthermore, a schedule can be created on the command line and applied to your dialup connection to control when the router is allowed to connect - after all, there is no point in dialling up during the night!
Backup Dialup - Modem Configuration
Backup Dialup - ISP Configuration
If your ADSL session is lost, the router will automatically connect (if enabled) using the dialup modem. Although there is a brief period of inactivity while the connection is established, you will be able to continue using the internet, albeit somewhat slower.
Network Address Translation (NAT)
Beyond the standard interpretation of NAT, the Prestige 652 can be configured with a mix of NAT and non-NAT. Customers with multiple IP addresses assigned by their ISP can choose to run some computers behind NAT (i.e. with internal IP addresses protected by the firewall), and others with direct external IPs. This is a fantastic feature and means that users can run externally accessible web & email servers while maintaining an internally protected set of workstations.
Firstly, the router continually crashed and rebooted when browsing maps at streetmap.co.uk. You may ask why - the short answer is that ZyXEL could not replicate the problem; however, it was later discovered to be a fault with the firmware used during the review (V3.40(FN.5)b3). The second, more significant problem had ZyXEL scratching their heads. After brief periods of inactivity (30 to 60 seconds), the router would appear to go into a "snooze". Although the ADSL connection was never lost, if further data was to be transmitted, a delay of around 1 to 2 seconds was incurred before anything was actually sent or received. When using interactive applications such as telnet and SSH, this became extremely frustrating. For general web and email, users are unlikely to notice any performance degradation. Maintaining a ping stream to a remote host acted as a work-around. I tried the router on 3 different ADSL lines to no avail. Electronic Frontier were extremely helpful with the diagnosis, but at the end of the day, they were unable to recreate the problem at their end. They were convinced the issue was external to the router and not a firmware bug. If anybody else encounters similar problems, ZyXEL would be interested to know (email: firstname.lastname@example.org).
The Prestige 652 series empowers small and medium sized businesses with a set of well designed, security focused features. Denial of Service prevention, content filtering and backup dialup are areas that businesses are becoming increasingly interested in. On the downside, a fair amount of time spent testing the router was concerned with the stability and data transfer issues outlined earlier. With a little luck, future firmware updates will correct these matters for the minority of users who may be affected. Other than these problems, there were no further spanners in the works and the router sat contently for over a month routing traffic to and from the internet.
£249.00 – ZyXEL Prestige 652 ADSL Security Router
Prices listed above are excluding postage and VAT.
Where to Buy: See our DSL Hardware FAQ
The contents of this review should not be relied upon in making a purchasing decision—You should always discuss your requirements with your service provider and hardware supplier.