Setup and Administration, Continued
Source: Tom's Hardware – Keywords: zyxel, zyair, g, g2000
There is no such thing as being too secure, and the ZyAIR G-2000 has added some important security features (such as support for WPA). Yet despite its advanced features, ZyXEL has committed an error in judgment when it comes to administrative access. For the sake of ease of use, the administrative interface defaults to being accessible by both wired and wireless users. Web access to the Remote Management interface can be locked down to a specific IP address, but not to MAC addresses.
But the real concern is that there is no account name for the administrative user, leaving only a password standing between attempted access and actual access itself. Realizing the weakness inherent in static passwords, ZyXEL has provided a protection mechanism to help discourage brute-force password guessing attacks. This mechanism allows you to specify a wait-time that must expire after three failed login attempts (up to 60 minutes, with the default at 3 minutes) before a fourth password attempt is allowed. Of course, you may also find yourself locked out for a bit by someone attempting to guess passwords.
As for the mechanics of changing the brute-force time-out, there is no way to do this through the web interface. Changing the wait time requires Telnetting into the ZyAIR, starting the command interpreter, and entering the command using the proper syntax. The manual is not completely clear on how this is done, but this FAQ will walk you through the procedure.
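The lockout described above can be modelled in a few lines to see both of its effects: the cap it puts on guessing and the lockout it imposes on the legitimate administrator. This is an added example, not ZyXEL firmware code; it assumes a single failure counter shared by all clients (there is no account name to key it on), and the class name, function names and password are constructed for illustration.

```python
import hmac

class LoginThrottle:
    """Password-only login gate with a lockout after repeated failures.

    Assumed model (not ZyXEL firmware code): one failure counter shared by
    every client, because there is no account name to key it on.
    """

    def __init__(self, password, wait_s=180, max_failures=3):
        self._password = password.encode()
        self.wait_s = wait_s              # review: default 3 min, max 60 min
        self.max_failures = max_failures  # review: three failed attempts
        self.failures = 0
        self.locked_until = 0

    def attempt(self, guess, now):
        """Return 'ok', 'denied' or 'locked' for a login at time `now` (s)."""
        if now < self.locked_until:
            return "locked"               # refused without checking the password
        if hmac.compare_digest(guess.encode(), self._password):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.wait_s
        return "denied"

def max_guesses_per_day(wait_s, max_failures=3):
    """Upper bound on password guesses in 24 h (guesses take no time)."""
    bursts = -(-86400 // wait_s)          # ceiling division: bursts at 0, wait_s, ...
    return bursts * max_failures

def demo():
    gate = LoginThrottle("constructed-admin-pw", wait_s=180)
    log = [gate.attempt("wrong", t) for t in (0, 1, 2)]    # someone guessing
    log.append(gate.attempt("constructed-admin-pw", 60))   # real admin, locked out
    log.append(gate.attempt("constructed-admin-pw", 182))  # after the wait expires
    return log

if __name__ == "__main__":
    print(demo())
    for minutes in (3, 60):
        print(minutes, "min wait:", max_guesses_per_day(minutes * 60), "guesses/day")
```

Under this model the wait time is a trade-off: raising it cuts the number of guesses the interface will accept per day, but lengthens the period during which the correct password is also refused.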
Firewall Features - Multi-NAT
The ZyAIR G-2000 employs a NAT plus SPI (Stateful Packet Inspection) firewall with DoS (Denial of Service) protection. The ZyAIR firewall also supports TCP/UDP inspection, real-time alerts, reports and logging. Configuring firewall rules is a bit like playing the game "Operation", where you try to extract the bits you don't want without killing the patient. Therefore I respect this little notice in the ZyAIR documentation:
If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them.
Yes, many a good day has been spent trying to diagnose a good firewall gone bad.
The ZyAIR's firewall has built-in support for multiple types of NAT, including One-to-One, Many-to-One, Many-to-Many Overload, Many One-to-One, and Server. However, these multi-NAT features are useful only to users who have more than one IP address from their ISP; they allow multiple copies of a specific server type (HTTP, for example) to be hosted through the G-2000.
Most users, though, will use the ZyAIR's SUA (Single User Account) feature to expose a LAN-based server through the G-2000's firewall. SUA supports the forwarding of single ports or port ranges.