Introduction

Two months ago, ZyXEL announced their new line of Unified Security Gateway products, the USG100, USG200, and USG1000. ZyXEL introduced this product line as “the most complete security platform of its kind providing small to medium size businesses enterprise-class security features for offices with as few as 10 employees and up to 300 PC users.”

This article will cover the USG100, a Unified Threat Management (UTM) device targeted at networks of 10 to 25 users. Supporting Dual WAN connections, 3G Wireless connection, multiple VPN technologies, High Availability failover, Intrusion Detection & Protection, Anti-Spam, Anti-Virus and Content Filtering, as well as extensive network management tools, this is a device designed to provide a full array of network functionality in a single box.

Figure 1: The USG100 at work

With all these capabilities, I’m going to divide my coverage of the USG100 into two reviews. In this review, I’m going to cover the networking and VPN aspects of the USG100. In a subsequent review, I’m going to cover the security and UTM features.

On the outside, there are two USB ports and seven Gigabit Ethernet ports on the front of the 9.5 (W) x 6.9 (D) x 1.4 (H) inch sliver metal case with a red highlights on each side. The two USB ports shown in the product shot above are used for connecting 3G cards, not flash or storage drives as you might expect.

The rear of the USG100 shown in Figure 2 has ports for an auxiliary modem, a console connection, a PCMCI 3G WWAN card, and the power connection to an external power brick.

Figure 2: USG100 rear panel

Figure 3 shows the internal components of the USG100, which include 256MB of DDR2 RAM, 256MB of Flash, a PCMCIA slot, and a passively cooled Freescale 8343 CPU, running at 400Mhz with a front side bus of 266 MHz. The gigabit Ethernet ports are provided by a Vitesse VSC7388 Integrated Gigabit Ethernet Switch.

Figure 3: USG100 board

Object Oriented Configuration

The key to understanding how to configure the USG100 is that it is object oriented, i.e. each interface (wan1, wan2, lan1, ...) is an object. The IP addresses and subnets assigned to each interface are also objects, as are subnets accessed via a VPN tunnel and devices behind the router, such as servers or another router.

At first, configuring all these different objects seems tedious, especially for someone who doesn't like reading a manual. (There is a 902 (!) page manual that comes with the device and available on line.)  As you layer on functionality, though, having an object comes in handy, because you can reuse predefined objects in multiple configurations.

Routing, VPN, and Firewall rules are all created using various objects. In Figure 4 below, the first five lines are default objects defining the subnets for the various interfaces. Below the first five default objects, I created objects for the IP address to a Windows PC which I named WindowsMachine, a subnet that I accessed over a VPN tunnel which I named ZLAN, a subnet I accessed through another router which I named DFLLAN and the IP address for that other router's interface which I named DFL. I ended up using each of these objects for port forwarding, a VPN tunnel, and a static route, as I'll explain later.

Figure 4: Objects

In more basic routers, defining the subnet on the other end of a VPN tunnel is done within a single VPN configuration screen. But the USG100 requires that the subnet on the other end of a VPN tunnel be defined as an object and added to the VPN configurations, plus a Policy Route has to be defined so the traffic will be routed through the tunnel. The point is the USG100 will do a lot, but you have to give it the necessary instructions.

Tags: Security Appliance, UTM, ZyXEL,

Related Articles: