
SmallNetBuilder - Small Network Help

Zyxel USG100 Review, Part 2 - UTM
Doug Reid   
October 16, 2008

Introduction

The USG100 at work

At a Glance

Product: ZyXEL Unified Security Gateway (USG100)

Summary: Multi-function Network Unified Threat Management (UTM) appliance

Pros:
  • Multiple Routable Networks
  • Detailed Firewall Controls
  • Gigabit ports
  • 3G WWAN support
  • VLAN support and options

Cons:
  • VPN Interoperability
  • No SSL VPN Vista support
  • No Jumbo Frames
  • Slow to reboot
  • Relatively low VPN throughput

 

In my previous review of Zyxel's USG100, I covered the impressive routing capabilities of this comprehensive network device, leaving coverage of its security and Unified Threat Management (UTM) for this review. As depicted in the above diagram, Zyxel's device has the ability to separate a network into multiple different network zones. This network segmentation along with its UTM features allows for quite granular control over multiple different traffic types to and from each network.

The list of security functionality for this device is long.  The USG100 has Anti-Virus (AV), Intrusion Detection and Prevention (IDP), Content Filtering (CF) and Anti-Spam features.  Further, it has Anomaly Detection and Prevention (ADP), Application Layer Gateway (ALG), and Application Patrol features for complex traffic flow management.  WOW!

The AV, IDP, Application Patrol and CF features are enabled for a 30 day trial with annual subscriptions required thereafter. But the Anti-Spam, ADP, and ALG features are all included in the price of the UTM. I'll list the subscription rates again at the end of this review.

Each of the UTM features on the USG100 can be individually enabled or disabled.  As I'll show at the end of this review, they do have varying impact on throughput. So you should consider carefully which are required for your network.

Anti-Virus

The USG100's Anti-Virus functionality allows for centralized Anti-Virus filtering. This functionality works at the center of your network, without running client software on each PC. It is a subscription-based service, so once the 30-day trial runs out, you'll have to subscribe to keep it running.

The two subscription options on the USG100 are Zyxel's own solution, which is International Computer Security Association (ICSA) approved, and Kaspersky's. Kaspersky is a well-known provider of security software, but its solution for the USG100 isn't ICSA approved. The Zyxel solution, provided directly by Zyxel rather than by a third party, is ICSA approved.

With the USG100's Anti-Virus feature enabled as shown in Figure 1, a current subscription, and one of the two Anti-Virus options selected, the USG100 will filter emails, web surfing, and downloads for various virus signatures. 


Figure 1: AV Enable

The USG100 monitors data flows via the common SMTP, POP3, IMAP4, HTTP and FTP applications.  More specifically, the USG100 is monitoring traffic using TCP ports 25, 110, 143, 80/8080/3128, and 21, respectively. 

The USG filters FTP traffic by default on port 21. But ports other than 21 can be filtered if configured via the Application Layer Gateway configuration screen.  I'll touch on the ALG aspects of the USG100 later.

Other than FTP, it is important to note that only the ports specified above are monitored. This matters because there are virus-sensitive services that use non-standard ports, which will not be monitored by the USG100. For example, Google's popular Gmail uses ports 587 and 995 for SMTP and POP3. Consequently, the USG100 will not filter emails sent and received via Gmail, or other email services using non-standard ports.
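
An added example (not from the review or from Zyxel): a short Python audit that sorts flow records into those on the AV-monitored ports listed above and mail flows on ports that list does not cover. The log format, `audit_flows`, `SAMPLE_FLOWS` and the `extra_ftp_ports` parameter (standing in for extra FTP ports configured on the ALG screen) are assumptions of this example, and ports 465 and 993 go beyond the review's 587/995 case.

```python
import re

# TCP ports the review lists as monitored by the USG100 AV engine.
INSPECTED = {"SMTP": {25}, "POP3": {110}, "IMAP4": {143},
             "HTTP": {80, 8080, 3128}, "FTP": {21}}
# Mail ports outside that list. 587 and 995 are the review's Gmail example;
# 465 and 993 are other well-known mail ports added here.
UNINSPECTED_MAIL = {587: "SMTP submission", 465: "SMTP over TLS",
                    995: "POP3 over TLS", 993: "IMAP over TLS"}

# Constructed log format for this example, not the USG100's own log syntax.
FLOW_RE = re.compile(
    r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) bytes=(\d+)")

SAMPLE_FLOWS = [  # constructed sample data (documentation address ranges)
    "src=192.168.1.10 dst=203.0.113.5 proto=tcp dport=110 bytes=48211",
    "src=192.168.1.10 dst=203.0.113.9 proto=tcp dport=587 bytes=1830400",
    "src=192.168.1.22 dst=203.0.113.9 proto=tcp dport=995 bytes=92011",
    "src=192.168.1.22 dst=203.0.113.9 proto=tcp dport=995 bytes=1200",
    "src=192.168.1.30 dst=198.51.100.7 proto=tcp dport=2121 bytes=5000",
    "src=192.168.1.30 dst=198.51.100.8 proto=udp dport=53 bytes=120",
    "truncated line without fields",
]

def audit_flows(lines, extra_ftp_ports=()):
    """Count AV-inspected flows and summarize mail flows that bypass AV."""
    inspected_ports = set().union(*INSPECTED.values()) | set(extra_ftp_ports)
    report = {"inspected": 0, "other": 0, "malformed": 0, "bypass": {}}
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            report["malformed"] += 1  # keep going; count what could not be parsed
            continue
        src, _dst, proto, dport, nbytes = m.groups()
        dport = int(dport)
        if proto.lower() == "tcp" and dport in inspected_ports:
            report["inspected"] += 1
        elif proto.lower() == "tcp" and dport in UNINSPECTED_MAIL:
            entry = report["bypass"].setdefault(dport, {
                "service": UNINSPECTED_MAIL[dport], "flows": 0,
                "bytes": 0, "clients": set()})
            entry["flows"] += 1
            entry["bytes"] += int(nbytes)
            entry["clients"].add(src)
        else:
            report["other"] += 1
    return report

if __name__ == "__main__":
    for port, e in sorted(audit_flows(SAMPLE_FLOWS)["bypass"].items()):
        print(port, e["service"], e["flows"], e["bytes"], sorted(e["clients"]))
```

The per-port client sets show which PCs rely on mail paths the gateway does not scan, which is where endpoint anti-virus still has to carry the load.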

The USG100 looks at traffic on the monitored ports and then checks the contents of that traffic for patterns that match a known virus signature.  This is why a subscription based service is required, since those signatures are constantly changing. 

The USG100 Anti-Virus solution is customizable, with Black and White List functionality.  By defining various file types, you can tell the USG100 to look for and block (Black List) or allow (White List) specific file attachments. 

I set up a simple Black List rule shown in Figure 2 to block Microsoft Word documents, using the criteria of *.doc as shown. I tested it by sending a Word file from a non-filtered Gmail email account to a standard POP3 filtered email account.


Figure 2: Blacklisting

I sent the same file twice, once with the Black List enabled, once with it disabled.  In both cases, the email went through with the file attached.  However, with the Black List enabled, the file was unreadable, while with the Black List functionality disabled, the file went through unchanged.  As you can see in Figure 3, the USG100 logged that a file was received matching my Black List rule.


Figure 3: Blacklist hit logged

