One of the things I liked about the USG100 was the number of options available for networking and interface configurations. The USG20 has 1 WAN port, 1 USB port, and 4 LAN ports compared to the USG100's 2 WAN ports, 2 USB ports, and 5 LAN ports. But the USG20 still has the configuration flexibility I found valuable in the USG100.
All ports on the USG20 are Gigabit Ethernet, although the maximum MTU is 1500 bytes, ruling out jumbo frame support. Port 1 is the WAN interface, used to connect to the Internet, and supports static, DHCP, and PPPoE configuration.
The USB port is also a WAN port, used to connect to 3G wireless providers. This lets the USG20 share a 3G connection if that is the primary Internet connection, or use a 3G connection as a backup to a wired connection.
3G modem support was recently updated in firmware 2.21 (BDQ.3) and is listed in Zyxel's product 3G compatibility section. Supported modems include Huawei's E220, E270, E169, E800, and E180. Also newly supported are the Sierra AirCard USB 598 and the Novatel Ovation MC760.
For North American customers, the supported modem list doesn't provide many options and doesn't include 4G support. A quick web search showed that at one time both Verizon Wireless and Virgin Mobile supported the MC760, and Sprint supported the Sierra AirCard. Check with your wireless provider whether either is still supported (Ed. note: Virgin Mobile still supports the MC760). (An example of a router with more extensive USB modem support is the Cradlepoint MBR900.)
The four physical LAN ports (ports 2-5) can each be assigned to one of three interfaces: LAN1, LAN2 or DMZ. Each of these three interfaces has a separate subnet and DHCP server, and is configured as a separate zone in the firewall. By default, ports 2-3 are assigned to LAN1, port 4 to LAN2 and port 5 to the DMZ. Changing a port's designation is point-and-click, as shown in Figure 5.
Figure 5: LAN port assignment
As with the USG100, the USG20 supports 802.1q VLAN tagging, enabling even finer network segmentation than is available with the three interfaces alone. VLAN tags can be between 1 and 4094, and the USG20 can have up to 8 different active VLANs, each with its own DHCP server.
The USG20 provides the same powerful routing options as the USG100. The options include Policy Routes, Static Routes, RIP and OSPF. Policy Routes allow traffic paths to be defined based on incoming interface, source and destination subnets, service (protocol), and a next-hop destination such as an interface or IP address. I covered an example of a Policy Route configuration in my review of the USG100.
For a router designed for a small office with five users or fewer, you might wonder why an advanced routing protocol like OSPF would be supported in the USG20. However, a remote office may connect to a main corporate office that uses OSPF and need to learn network destinations from that main router. The USG20 can be configured as an OSPF stub router, meaning it can learn default and summary routes from the more powerful router without the high memory and processor requirements of a full OSPF router.
A useful feature on the USG20 is the ability to measure and manage bandwidth utilization. AT&T recently announced it is going to cap Internet delivery service for broadband and DSL customers. I hope they don't, but I wouldn't be surprised if other ISPs follow suit. With the USG20, you can collect traffic statistics and measure your utilization by user or service. Figure 6 shows my utilization by service. As you can see, most of my traffic (94 MBytes) is web traffic.
Figure 6: Traffic statistics
To further manage utilization, the Bandwidth Management (BWM) feature of the USG20 can be used to limit throughput for a specific service, such as FTP or HTTP. There are 73 defined services and more can be added as needed. BWM can also be applied globally between zones based on protocol (TCP or UDP).
In addition to limiting traffic by service or between zones, session limits can be applied by user or address, restricting the number of simultaneous flows generated by end devices. Of course, with the USG20 Firewall, specific traffic flows can be blocked entirely, which I'll discuss next.
The firewall on the USG20 uses object-oriented configuration options similar to those of the USG100. Firewall rules are created to allow, deny, or reject traffic between zones based on user, source, destination, or service. The difference between denying and rejecting traffic is that denied traffic is simply dropped, whereas when traffic is rejected by a firewall rule, a TCP reset message is sent to the source.
For example, I created a simple rule to reject all FTP traffic through the USG20 (Figure 7). I could have made this rule more detailed and blocked FTP traffic only for a specific schedule or for a specific user, or between specific source and destinations as desired.
Figure 7: Block FTP firewall rule
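To make the allow / deny / reject distinction and the per-address session limit from the previous section concrete, here is a small rule evaluator written for this article; it is illustrative code, not Zyxel's rule engine, and the field names, first-match ordering, and default-deny fallback are assumptions. It reproduces the FTP reject rule above and caps each LAN1 address at two concurrent flows.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed model of a zone-based rule set: rules match on source zone,
# destination zone and service, and the first match decides. Not Zyxel's
# implementation; field names, match order and default deny are assumptions.

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    service: tuple[str, int] | None   # (protocol, port); None = any service
    action: str                        # "allow", "deny" or "reject"

@dataclass
class Firewall:
    rules: list[Rule]
    session_limit: int = 0             # max flows per source IP, 0 = unlimited
    sessions: dict[str, int] = field(default_factory=dict)

    def evaluate(self, src_zone: str, dst_zone: str, src_ip: str,
                 proto: str, dport: int) -> str:
        """Decide the fate of a new flow.
        "allow": forwarded and counted against the source's session limit
        "deny": silently dropped, so the sender learns nothing
        "reject": dropped, and a TCP reset is returned to the source
        "limited": refused because the source already holds too many flows"""
        if self.session_limit and self.sessions.get(src_ip, 0) >= self.session_limit:
            return "limited"
        for r in self.rules:
            if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
                continue
            if r.service is not None and r.service != (proto, dport):
                continue
            if r.action == "allow":
                self.sessions[src_ip] = self.sessions.get(src_ip, 0) + 1
            return r.action
        return "deny"   # no rule matched: default deny (assumed)

def demo() -> list[str]:
    """The review's rule (reject FTP from LAN1 to WAN), allow other LAN1-to-WAN
    traffic, and limit each LAN1 address to two concurrent flows."""
    fw = Firewall(rules=[Rule("LAN1", "WAN", ("tcp", 21), "reject"),
                         Rule("LAN1", "WAN", None, "allow")],
                  session_limit=2)
    return [fw.evaluate("LAN1", "WAN", "192.168.1.33", "tcp", 21),   # reject
            fw.evaluate("LAN1", "WAN", "192.168.1.33", "tcp", 443),  # allow
            fw.evaluate("LAN1", "WAN", "192.168.1.33", "tcp", 80),   # allow
            fw.evaluate("LAN1", "WAN", "192.168.1.33", "udp", 53),   # limited
            fw.evaluate("DMZ", "LAN1", "192.168.3.10", "tcp", 22)]   # deny
```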
A neat feature of the USG20 is Endpoint Security (EPS). An EPS profile can be set up to allow PCs to connect to the USG20 only if they meet certain criteria. When a user first tries to access the network, they have to authenticate with a valid user name and password. Their PC is then checked to see whether it meets the programmed security criteria. Those criteria examine the PC's Operating System (OS), firewall software, and Anti-Virus (AV) software, as depicted in the diagram below.
Figure 8: Endpoint Security block diagram
EPS allowed OSes include Windows, Linux and Mac OS X. If Windows is permitted, you can choose the versions allowed, including Windows 2000, XP, Vista, and 7, as well as Server 2003 and Server 2008. Further, you can require that certain OS patches be applied to devices that connect to the USG20.
EPS allowed firewalls include Windows, Kaspersky, and Trend Micro. EPS allowed AV software includes Avira, Kaspersky, Norton, Trend Micro and Microsoft's Security Center.
As a test, I set up an EPS profile to only allow PCs with Norton AV software. I do not use Norton AV Software, so I expected to be blocked. Indeed, with this EPS profile loaded, I was blocked from connecting to the USG20 with the message shown in Figure 9.
Figure 9: EPS block message
I modified my EPS profile to accept connections from a PC with Microsoft Security Essentials AV software, and was then able to connect to the Internet. Note, if you're using a different OS, Firewall, or AV software than those supported by the USG20 EPS feature, you can disable the appropriate check in the EPS profile.
I ran another test to see whether EPS detected whether the AV software was up to date or even running, by turning real-time protection off in Microsoft Security Essentials. My PC still passed the EPS check. This was certainly disappointing, because EPS could give users a false sense of security about the status of the AV software on machines that it allows onto the network.
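The gap found in that test (presence of an allowed AV product is enough, even with real-time protection off) is easiest to see next to the check a practitioner would want. The code below is an added illustration written for this article, not Zyxel's EPS implementation; the report fields, the allowed lists, the freshness threshold and the sample PC are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed posture report of the kind an endpoint check would collect.
# Illustrative code, not Zyxel's EPS; field names and thresholds are assumptions.
@dataclass
class EndpointReport:
    os_name: str
    av_product: str
    av_running: bool            # AV service/process is alive
    av_realtime_on: bool        # real-time (on-access) protection enabled
    av_signature_age_days: int  # age of the AV definitions

ALLOWED_OS = {"Windows XP", "Windows Vista", "Windows 7"}
ALLOWED_AV = {"Microsoft Security Essentials", "Norton"}

def eps_presence_check(rep: EndpointReport) -> bool:
    """Check matching what the review observed: the PC is admitted as soon as
    an allowed OS and an allowed AV product are present, whether or not the
    AV is actually protecting the machine."""
    return rep.os_name in ALLOWED_OS and rep.av_product in ALLOWED_AV

def eps_strict_check(rep: EndpointReport,
                     max_sig_age_days: int = 3) -> tuple[bool, list[str]]:
    """Stricter posture check: the AV must be allowed, running, with real-time
    protection on and signatures no older than max_sig_age_days.
    Returns (admitted, reasons for refusal)."""
    reasons: list[str] = []
    if rep.os_name not in ALLOWED_OS:
        reasons.append("operating system not permitted")
    if rep.av_product not in ALLOWED_AV:
        reasons.append("antivirus product not permitted")
    else:
        if not rep.av_running:
            reasons.append("antivirus not running")
        if not rep.av_realtime_on:
            reasons.append("real-time protection disabled")
        if rep.av_signature_age_days > max_sig_age_days:
            reasons.append("signatures older than %d days" % max_sig_age_days)
    return (not reasons, reasons)

# Constructed stand-in for the review's test PC: an allowed AV product that is
# installed and running but has real-time protection switched off.
REVIEW_PC = EndpointReport("Windows 7", "Microsoft Security Essentials",
                           av_running=True, av_realtime_on=False,
                           av_signature_age_days=1)
```

With REVIEW_PC, eps_presence_check returns True while eps_strict_check refuses it and names the disabled real-time protection as the reason.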
I found the EPS functionality a nice enhancement to network security. Security is improved by ensuring that all PCs using the network through the USG20 LAN have the required security software, especially in a small network where users may bring personal devices.