Small Network Tools: Netgear GS108T and Zyxel Zywall USG-50

These are two classic bits of lower-end networking kit that give you some “enterprise” functionality to let you build complex networks. I really like them. I wrote this material starting around 2010, and ending around 2013.

Surprisingly, they’re still sold on the new and used markets, and cost around $60 each, used.

My use case was a small office, with public access to WiFi. The problem, as I saw it (back in 2013) was that malicious apps on mobile devices connected to open networks, or even on password protected WiFi connected to a LAN, would target old Windows and Linux hosts. There weren’t many security options at the time that didn’t require installing software on a client.

I decided that establishing VLANs to separate the networks was in order. The outside WiFi devices would use the public LAN, and the office devices would use a private LAN.

While this setup isn’t immune to attacks, like ARP cache busting – which sends some devices into “hub mode” – I guessed that our main risk was automated IP scans for targets. We had visitors. They used WiFi. They could have compromised devices.

Implementation of a light-security VLAN required some new hardware. Midrange HP managed switches (1019 switches – aka 3Com) replaced regular switches.

To keep budgets in check, I used pre-owned enterprise WiFi access points running in autonomous mode — there was no WiFi controller, nor were we paying licensing fees. I liked the HP “MSM” line of WAPs. They’re powered over Ethernet, and seemed to deliver a steady signal.

These access points supported exposing multiple SSIDs, and routing each SSID to a different VLAN.

At some desktops, I used these Netgear switches. At the center of the network, I used a USG-50.

While the USG-50 is not a performant router, our needs were pretty modest, as most traffic wasn’t over the Internet. The real “center” of the network was managed at the switching layer, which kept the office LAN separate from the public LAN. (We actually had 4 VLANs, with 3 private VLANs.)

It took a while to configure, but functioned. However, when I left, and the organization hired an IT service company, and they brought the LANs back together into a single LAN.

That made me wince. However, at the time, the threat wasn’t that great, and the organization had been doing more work on the cloud, so HTTPS, and mobile devices with signed code were more the norm.