Zyxel ATP 500: Wi-Fi, Mesh and UTM controller in one package

Zyxel has a great concept for quickly deploying a wireless network at a facility, whether it’s a country club, a branch office or a central office: a bundle of a Zyxel ATP security gateway and the access points attached to it. The idea is as follows: today only home users run a network without a security gateway, so a company will in any case have to use such a device, whether software or hardware. Since you need support and an SLA, you naturally choose a commercial solution with cloud-based learning and automatic updates. This gateway will also manage the access points located below it in your wireless network, letting you work “from one window”.

It should be noted here that the WLAN management function itself is quite light in terms of CPU load. Wireless network controllers are already built into access points, moved to the cloud, and run on ordinary computers, although there are also purely hardware solutions, which we have written about as well. In general, each of these solutions has its pros and cons, and the main advantage of using the Zyxel ATP500 is that you can use simple access points, while below the gateway you install only as many switches as the port count requires: a minimum of unnecessary devices, a minimum of fuss and a maximum of integration.

ZyXEL ATP 500 firewall

So, you have a facility where you are building secure wireless Internet access. The Zyxel ATP series is the latest generation of security gateways that can analyze downloaded files, including archives, scan them for viruses, send suspicious files to the cloud for analysis, and let safe and useful files through. In addition, it uses multi-level protection based on patterns of existing attacks, application-level protection, web security and the reputation lists needed in the event of massive DDoS attacks.

All ATP gateways in the world communicate with the central cloud, exchanging data on new types of attacks (hello, telemetry), which allows the global security system to constantly learn and develop autonomously. That is, tomorrow your Zyxel ATP will be a little smarter than it was today, all thanks to today’s fashionable machine learning.

Specification                     ZyWALL ATP100   ZyWALL ATP200   ZyWALL ATP500   ZyWALL ATP800
Number of 1GBase-T ports          4               4               7               12
Number of SFP+ ports              1               1               1               2

Packet processing performance
SPI                               1000            2000            2600            8000
VPN                               300             500             900             1500
IDP                               600             1200            1700            2700

Routing performance
Max number of TCP sessions        300K            600K            1M              2M
Max number of IPSec tunnels       40              40              200             1000
Max number of SSL tunnels         10              10              50              100
VLAN interfaces                   8               16              64              128
Number of managed access points   10              18              34              130

At the time this review was prepared, there were 4 models in the Zyxel ATP series, differing in the number of ports and performance. The ATP 500 we are considering is second from the top and promises support for 64 VLANs, 50 SSL tunnels and firewall throughput (SPI) of 2600 Mbps. Up to 1 million simultaneous TCP sessions are supported, that is, if you have a small public or large corporate cloud behind the gateway, the capabilities of the ATP500 will be enough to support user and application traffic.

All devices are assembled in 1U-high metal cases, but of different widths, so you can install them in a telecom cabinet or just on a desk, in the spirit of Edge. 😀

As for VPN, it supports up to 200 simultaneous IPSec tunnels and 50 SSL tunnels, as well as Microsoft Azure and Amazon VPC. The SSL VPN tunnel establishes a connection to the gateway on port 443 to access the private network. You can download the VPN client directly from the gateway, or rather from its web interface. The OpenVPN standard is not supported, probably due to low SoC performance.

Interestingly, there is no firewall in the form of a table with Accept / Drop / Forward checkboxes, and from my point of view this is a minus: no matter how much is packaged in the form of services, there should always be a way to write rules manually through the web interface.

Of course, the highlight of the ATP-series is all sorts of filters that protect you from:

  • Intrusions into your network from the Internet
  • Infiltration of infected files and Trojans into the network
  • DoS and DDoS attacks
  • Visits by your employees to questionable sites

All this filtering works transparently for the user, and the device administrator can only enable or disable a particular filter and choose the categories of unwanted sites from those offered. Of course, for an integrator or an intermediary company that needs to quickly deploy network protection and hand all the work of the device over to the vendor, this is a gift, but if you are used to configuring everything thoroughly, you will be disappointed.

For example, Zyxel ATP 500 uses DNSBL technology, blacklisting addresses from which malicious traffic is generated. You can’t define and configure subscription sources, and if everything is enabled with the default settings, even large websites lose their normal appearance.

In part, this is due to the blocking of ads and trackers. Today only the lazy do not block this stuff, and I must say it is blocked very effectively.

With a powerful DDoS attack, you will have no choice but to block entire continents and countries, above all those with a dubious reputation. Of course, you can immediately limit traffic to only the area you work in, disabling, for example, Vietnam, all of Africa, or all of Eastern Europe, if necessary. But it will have to be done manually: a useful setting such as “1000 hits from Africa: block the entire continent” is not here, but for a corporate network this is, in general, not a problem.
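The threshold rule that the paragraph above says the gateway lacks can be approximated outside the device by counting dropped connections per continent in exported logs. This is an added example, not Zyxel code and not part of the original review; the log line format, the country-to-continent subset and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed subset of a country-code -> continent map (assumption, not a full table).
CONTINENT = {"NG": "AF", "ZA": "AF", "EG": "AF", "KE": "AF",
             "VN": "AS", "DE": "EU", "PL": "EU", "US": "NA"}

# Hypothetical export format: "<time> action=<a> src=<ip> country=<CC> reason=<r>"
LINE = re.compile(r"action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+"
                  r"country=(?P<cc>[A-Z]{2})\s+reason=(?P<reason>\S+)")

def regions_to_block(lines, threshold=1000, allow=frozenset()):
    """Return ({continent: drops} at or over threshold, number of lines skipped).

    `allow` lists continents the business serves; they are never proposed
    for blocking, whatever the count.
    """
    hits, skipped = Counter(), 0
    for line in lines:
        m = LINE.search(line)
        if not m:
            skipped += 1              # malformed line: count it, do not guess
            continue
        if m["action"] != "drop":
            continue                  # only reputation/IDP drops are counted
        region = CONTINENT.get(m["cc"])
        if region is None:
            skipped += 1              # unknown country code: surface it, do not block
            continue
        hits[region] += 1
    over = {r: n for r, n in hits.items() if n >= threshold and r not in allow}
    return over, skipped

def sample_log():
    """Constructed log: 1000 drops from African sources plus noise."""
    african = ["NG", "ZA", "EG", "KE"]
    lines = [f"2019-12-01T10:00:00 action=drop src=198.51.100.{i % 254 + 1} "
             f"country={african[i % 4]} reason=ip-reputation" for i in range(1000)]
    lines += ["2019-12-01T10:05:00 action=drop src=203.0.113.7 "
              "country=VN reason=ip-reputation"] * 3
    lines += ["2019-12-01T10:06:00 action=accept src=192.0.2.9 country=DE reason=none",
              "2019-12-01T10:07:00 action=drop src=192.0.2.10 country=ZZ reason=ip-reputation",
              "garbled line"]
    return lines

if __name__ == "__main__":
    print(regions_to_block(sample_log()))
```

The returned continents are candidates for the manual geo-block the review describes; the skipped count shows how much of the log could not be attributed.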

Anti-virus protection, the so-called “Sandbox”, works completely transparently for the user: infected files are cleared by the security gateway (overwritten with zeros). This feature works both when surfing the web and when scanning mail, and to effectively detect threats when surfing the web over the secure HTTPS protocol, you only need to create an appropriate profile.

But how many times have you seen on the forums the screams of the nerds: “Help me to block Youtube on Mikrotik?” Here the answer is as clear as day: all the sites in the world are divided into categories, and the lists are regularly updated and are part of the ZyXEL service. You can block whole types of sites, such as pornographic or entertainment content, and put Youtube on a separate line in the blacklist, so that the enemy does not get through your barrier.

Interestingly, filtering is applied per interface, that is, you can configure some rules for VPN and others for GE/2, and thus apply the separation of powers within your organization.

Zyxel ATP 500 allows you to create up to 64 VLAN networks, tying them to physical or logical ports. Of the standard router functions, port forwarding and NAT are available to you.

The access point controller logically combines hotspots into groups, allowing you to create different WLAN networks on the site. IEEE 802.11 g/r seamless roaming, suspicious access point detection and automatic radio module calibration are supported. When the controller takes over access points, their own management interface is disabled, so you do not have to worry about the safety of hotspots.

For the mesh function, ZyXEL uses the proprietary ZyMesh protocol, which is different from a traditional mesh network. The thing is that in a normal mesh, the entire network is peer-to-peer, and access points are equivalent. A large network may not even notice the loss of one access point, and the connection between hotspots passes both over Wi-Fi and over the wire. In the case of ZyMesh, you assign the roles of root hotspots and repeaters.

The former are connected to the Internet only by cable, and both have one of the radio modules (2.4 GHz or 5 GHz) reserved for the backhaul channel. Relative to the root hotspots, repeaters can be organized in a chain or a star; some analogue of STP is also used to find the fastest route, but communication between repeaters is carried out only over the radio channel.

In general, ZyMesh was first described back in 2015, at the first stage of the transition from WDS to peer-to-peer networks, but today, at the end of 2019, I cannot give you any reason why ZyMesh is better than the usual mesh implemented, for example, in Zyxel Multy X. However, if the number of hops over which you scale a wireless network is small, say 2-3, then the topology is not so important, and even at the edge of such a network, clients will have a speed of about 70-80 Mbit/s.

ZyXEL NWA5123AC-HD and WAC6103D-I access points

If you decide to use a ZyMesh network, you may need to install 2 or more root access points, running the backhaul channel at 2.4 GHz on one side and at 5 GHz on the other. Not every ZyXEL access point will allow you to switch its 5 GHz radio module to Root AP mode. Of the models we considered, the NWA5123AC-HD has such a function.

This model has 2 radio modules: one is 2x2 MIMO for 2.4 GHz, and the second is 3x3 SU/MU-MIMO for 5 GHz. Second-generation beamforming and Nebula cloud management are supported (the operation of this service is discussed in detail in the ZyXEL GS1920-8HP switch overview). As befits ZyXEL access points, the antenna unit itself is placed on a separate metal plate to reduce interference to the electronics. On the motherboard of the access point, the RF modules have their own shielding, and the hotspot body is made of aluminum. Taken together, this helps to concentrate the radio signal in one direction and to reduce the radiation towards the electronics and overlaps, so as not to interfere with other access points.

The WAC6103D-I access point is the familiar NWA1123AC-Pro, which has 3x3 antenna groups for both the 2.4 GHz and 5 GHz bands. This model is interesting because it has a hardware switch for the installation mode: on the ceiling or on the wall.

Shielding here follows the same rigorous Zyxel approach, but the back wall of the case is plastic. Both access points have two 1-Gigabit ports. The total bandwidth of the NWA5123AC-HD is 1.6 Gbit/s, and that of the WAC6103D-I is 1.75 Gbit/s.

Recommendations for ordering

The ZyXEL ATP series should be considered not as a piece of hardware, but as a service that you purchase from the developer company, with the hardware thrown in. First of all, of course, we are talking about the security of the serviced site, which is configured literally in two or three mouse clicks. You also have access to a beautiful control panel, where the number of attacks repelled by your network gateway is updated every minute. In the field of protection against DDoS, botnets and harmful sites, including Youtube, and antivirus protection, this device is what you need. Of course, many things are missing here, such as OpenVPN, a full-fledged firewall with a user-friendly interface, and the ability to add your own subscriptions, at least the same Emerging Threats; and on the Wi-Fi side, Band Steering remains an open question.

With all this, the solution considered is a kind of construction kit that can be sent to a remote site ready-made, configured in just a couple of hours, and then serviced remotely through the cloud, leaving the issue of network security to Zyxel.