Key security features of the USG20 are configured in the Anti-X menu. These features are Anomaly Detection and Prevention (ADP), Content Filtering, and Anti-Spam protection.
Zyxel's ADP seems to be a poor man's version of an Intrusion Detection System (IDS) or Intrusion Detection and Prevention (IDP) system. The USG20's ADP feature protects against network threats such as port scans, DoS (Denial of Service) attacks, and protocol-based attacks via HTTP, TCP, UDP and ICMP.
Zyxel's ADP, like an IDS/IDP system, relies on signature databases for detecting unsafe traffic types. A signature is a traffic pattern or characteristic that is considered potentially malicious. The firewall compares incoming and outgoing traffic against its database of patterns and blocks traffic that matches one of them. The USG20 updates its ADP database from Zyxel, which has a partnership with Lionic for current signature files.
ADP is enabled by default. Enabling and disabling ADP is a simple check box. Options for customizing ADP include defining which zones (LAN1, LAN2, DMZ) are protected by ADP and selecting which traffic types (port scans and floods) and protocols (HTTP, TCP, UDP, ICMP) are scanned.
Running a port scan against the USG20 triggered dozens of log messages, each alerting that unsafe traffic had hit the firewall and been blocked. As the log output in Figure 10 shows, the USG20 successfully detected the traffic anomaly and blocked it. (A port scan is a useful tool for a network administrator as well as for a hacker: it probes a device for open ports that could be used for unauthorized access.)
Figure 10: Log messages from port scan
The USG20's ADP functionality isn't as comprehensive as an IDS/IDP solution, but it has a key advantage in that it is free!
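The port-scan detection described above works the same way whether it is done by the USG20's ADP or by hand: count how many distinct destination ports one source touches on one host inside a short window, alert when the count crosses a threshold, and block the pair afterwards. The following Python example, added here and not code from Zyxel or this review, shows that logic running over constructed flow records; the `Flow` record layout, the 10-second window and the 20-port threshold are all assumptions chosen for the illustration, not values taken from the firewall.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection attempt seen by the firewall (constructed record format)."""
    ts: float     # seconds since start of capture
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination port
    proto: str    # "tcp" or "udp"


def build_sample_flows():
    """Constructed sample: 192.0.2.10 probes 30 ports on 198.51.100.5 within
    three seconds, while 192.0.2.20 talks only to ports 80 and 443."""
    flows = []
    for i in range(30):
        flows.append(Flow(ts=0.1 * i, src="192.0.2.10", dst="198.51.100.5",
                          dport=1 + i, proto="tcp"))
        flows.append(Flow(ts=0.1 * i, src="192.0.2.20", dst="198.51.100.5",
                          dport=443 if i % 2 else 80, proto="tcp"))
    return flows


class PortScanDetector:
    """Flags a source as a port scanner when it touches at least `threshold`
    distinct destination ports on one host within `window` seconds, then
    blocks further traffic from that source/destination pair."""

    def __init__(self, window=10.0, threshold=20):
        self.window = window
        self.threshold = threshold
        self._recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
        self._blocked = set()               # (src, dst) pairs already flagged
        self.log = []                       # human-readable log lines

    def inspect(self, flow):
        key = (flow.src, flow.dst)
        if key in self._blocked:
            self.log.append(f"[block] {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}")
            return "block"
        recent = self._recent[key]
        recent.append((flow.ts, flow.dport))
        # Drop entries that fell out of the sliding window.
        while recent and flow.ts - recent[0][0] > self.window:
            recent.popleft()
        distinct_ports = {port for _, port in recent}
        if len(distinct_ports) >= self.threshold:
            self._blocked.add(key)
            self.log.append(
                f"[alert] port-scan {flow.src} -> {flow.dst}: "
                f"{len(distinct_ports)} ports in {self.window:.0f}s, blocking")
            return "block"
        self.log.append(f"[allow] {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}")
        return "allow"


def run_sample():
    """Feed the constructed flows through the detector; returns (detector, verdicts)."""
    detector = PortScanDetector()
    verdicts = [detector.inspect(f) for f in build_sample_flows()]
    return detector, verdicts


if __name__ == "__main__":
    det, _ = run_sample()
    for line in det.log:
        if not line.startswith("[allow]"):
            print(line)
```

On the constructed input the scanner is flagged on its twentieth distinct port and its remaining ten attempts are logged as blocked, while the host that only ever uses ports 80 and 443 is never touched; the threshold is what keeps a busy but legitimate client from tripping the rule.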
The USG20 comes with a 30 day trial for Content Filtering, with a suggested retail price of $77 annually. Content Filtering on the USG20 is facilitated through a partnership with BlueCoat.
Configuration of Content Filtering is pretty straightforward and consistent with the object-oriented methods found in other menus. First, a Filter Profile is created. Within the Filter Profile, you define whether a web page will generate a warning, be blocked or passed, and/or whether it will trigger a log report.
There are 66 different managed web site categories, shown in Figure 11, plus three categories for filtering sites known to be risky for Phishing, Spyware/Malware, and Spyware/Privacy.
Figure 11: Web filter categories
Web features such as ActiveX, Java, Cookies, and Web Proxies can also be blocked. A white list and a black list of web sites, as well as key words found in URLs can also be defined as part of the Filter Profile.
Once the Filter Profile is created, it is applied to a Policy where the schedule, zones, and users that will be subject to the Filter Profile are specified. In addition, a custom message and URL to redirect end users can be applied.
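The Profile-then-Policy structure above is easiest to understand as an evaluation order: the Policy decides whether a request is in scope (zone, user, schedule), and only then does the Profile's white list, black list, URL keywords and category actions decide what happens to it. The Python example below, added here and not code from Zyxel or this review, models that order with a constructed category lookup standing in for the BlueCoat database; the class names, field names, the `[start, end)` hour schedule and the `evaluate` function are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed stand-in for the provider's category database; a real
# deployment would query the filtering service for each host.
CATEGORY_DB = {
    "smallnetbuilder.com": "Computers/Internet",
    "www.smallnetbuilder.com": "Computers/Internet",
    "www.google.com": "Search Engines/Portals",
    "login-verify.example": "Phishing",
}


@dataclass
class FilterProfile:
    name: str
    category_actions: Dict[str, str]                  # category -> "pass" | "warn" | "block"
    default_action: str = "pass"                      # applied to uncategorised sites
    whitelist: Set[str] = field(default_factory=set)  # hosts always passed
    blacklist: Set[str] = field(default_factory=set)  # hosts always blocked
    url_keywords: Set[str] = field(default_factory=set)  # substrings in the URL to block


@dataclass
class Policy:
    profile: FilterProfile
    zones: Set[str]                           # e.g. {"LAN1", "LAN2"}
    users: Optional[Set[str]] = None          # None = any user
    hours: Tuple[int, int] = (0, 24)          # active window, [start, end) in hours
    message: str = "The web access is restricted. Please contact with administrator."
    redirect_url: Optional[str] = None        # optional page to send blocked users to


def evaluate(policy: Policy, url: str, zone: str, user: str, hour: int):
    """Return (action, reason, message) for one request: policy scope first,
    then the profile's lists, keywords and category actions, in that order."""
    if zone not in policy.zones:
        return "pass", "policy not applied to zone", None
    if policy.users is not None and user not in policy.users:
        return "pass", "policy not applied to user", None
    start, end = policy.hours
    if not (start <= hour < end):
        return "pass", "outside policy schedule", None

    prof = policy.profile
    host = (urlparse(url).hostname or "").lower()
    if host in prof.whitelist:
        return "pass", "white list", None
    if host in prof.blacklist:
        return "block", "black list", policy.message
    for kw in prof.url_keywords:
        if kw.lower() in url.lower():
            return "block", f"URL keyword '{kw}'", policy.message
    category = CATEGORY_DB.get(host, "Uncategorised")
    action = prof.category_actions.get(category, prof.default_action)
    # Mirror the firewall's default message format: text followed by the category.
    msg = f"{policy.message}({category})" if action != "pass" else None
    return action, category, msg


if __name__ == "__main__":
    prof = FilterProfile("review", {"Computers/Internet": "block", "Phishing": "block"})
    pol = Policy(prof, zones={"LAN1"}, hours=(8, 18))
    print(evaluate(pol, "http://smallnetbuilder.com/", "LAN1", "alice", 10))
    print(evaluate(pol, "http://www.google.com/", "LAN1", "alice", 10))
```

Two points worth noticing in the order: a white-list entry wins over a category block, which is how a single needed site is rescued from a broad category rule, and a request from a zone the Policy does not cover is passed without ever consulting the Profile.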
I looked up smallnetbuilder.com in the Profile tool; it is listed as a Computers/Internet site, so I created and applied a simple Profile to block Computers/Internet sites. Upon browsing to smallnetbuilder.com, I was presented with the default message below.
The web access is restricted. Please contact with administrator.(Computers/Internet)
It's a good thing the default message can be edited! Nevertheless, filtering seemed to work as expected. Selecting all categories for filtering is a bit excessive (you can't even go to Google), but the USG20 certainly provides plenty of filtering options.
The USG20's Anti-Spam feature is based on do-it-yourself lists of black lists, white lists, and domain names. This is not a very comprehensive solution, as it leaves the blocking definitions up to the network administrator instead of leveraging a database of known spammers. On the other hand, it is cost effective because there isn't a monthly or annual subscription cost.
Emails matching a black list or domain list can be blocked, or tagged with a specific text string and forwarded. The default tag is [SPAM], which can be customized. Figure 12 is a screenshot of a simple domain list I set up to tag all emails from yahoo.com. Once tagged, I set up a rule in my email program (Outlook) to delete emails with the [SPAM] tag.
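The list-based Anti-Spam behaviour described above, as an added Python example that is not code from Zyxel or this review: the sender address is pulled from the From header, a white-list hit is honoured before any black-list or domain-list hit, and a matching message is either dropped or has the tag prepended to its Subject so a downstream mail rule can act on it. The sample messages are constructed, and the `SpamLists` fields and the `process` function are assumptions made for the illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from dataclasses import dataclass, field
from typing import Set

# Constructed sample messages (not real mail).
SAMPLE_MAIL = [
    "From: Promo Desk <promo@yahoo.com>\r\nTo: me@example.net\r\n"
    "Subject: Big savings\r\n\r\nBuy now.\r\n",
    "From: Old Friend <friend@yahoo.com>\r\nTo: me@example.net\r\n"
    "Subject: Lunch?\r\n\r\nThursday?\r\n",
    "From: Vendor <billing@example.org>\r\nTo: me@example.net\r\n"
    "Subject: Invoice 42\r\n\r\nAttached.\r\n",
]


@dataclass
class SpamLists:
    whitelist: Set[str] = field(default_factory=set)  # addresses or domains always delivered
    blacklist: Set[str] = field(default_factory=set)  # full sender addresses to act on
    domains: Set[str] = field(default_factory=set)    # sender domains to act on
    action: str = "tag"                               # "tag" (forward with tag) or "block"
    tag: str = "[SPAM]"                               # customisable Subject prefix


def sender_parts(msg):
    """Return (address, domain) from the From header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    return addr, addr.rpartition("@")[2]


def classify(msg, lists):
    """White list first, then black list and domain list; otherwise deliver."""
    addr, domain = sender_parts(msg)
    if addr in lists.whitelist or domain in lists.whitelist:
        return "deliver"
    if addr in lists.blacklist or domain in lists.domains:
        return lists.action
    return "deliver"


def process(raw, lists):
    """Parse one raw message and apply the verdict; returns (verdict, message)."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdict = classify(msg, lists)
    if verdict == "tag":
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"{lists.tag} {subject}".strip()
    return verdict, msg


def run_sample():
    """Tag everything from yahoo.com except one white-listed correspondent."""
    lists = SpamLists(whitelist={"friend@yahoo.com"}, domains={"yahoo.com"})
    return [process(raw, lists) for raw in SAMPLE_MAIL]


if __name__ == "__main__":
    for verdict, msg in run_sample():
        print(f"{verdict:8} {msg['From']:35} {msg['Subject']}")
```

Because the whole decision rests on the From header, which any sender can set, a per-address white list is the only part of this scheme that does anything the sender cannot trivially work around; that is the limitation the review is pointing at when it contrasts these lists with a database of known spammers.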