The USG20 supports both SSL VPN tunnels and IPSec VPN tunnels, although the number of tunnels is very limited. The USG20 supports one SSL VPN tunnel and two concurrent IPSec VPN tunnels.
I had a bit of a challenge setting up the SSL VPN tunnel. The key to the USG20's SSL VPN tunnel is to decide whether to allow full remote access to the USG20 LAN, or restrict remote access to specific applications including RDP, VNC, and Web Servers.
Full remote access to the USG20 LAN involves building an SSL VPN Access Policy, creating a user name and password, specifying the subnets accessible via the remote tunnel, and defining a range of IPs for the remote PC. I overlooked the last step because it is labeled optional in the configuration menu. It turns out defining a range of IPs for the remote PC is an optional step only if you choose application-restricted remote access. Interestingly, there is a wizard for setting up IPSec VPN tunnels, but not for SSL VPN tunnels.
Once the above setup was completed, I was able to remotely connect to the USG20 from my 64-bit Windows 7 laptop. Zyxel uses the SecuExtender client for remote SSL access, which has a Java applet for managing the tunnel. Figure 13 shows my PC has an IP of 10.10.10.100, which is an IP from the range created for remote PCs. Further, you can see I have access to the USG20 default 192.168.1.0/24 subnet. Up to four of the USG20's LANs can be accessible remotely over an SSL VPN tunnel.
Figure 13: SecuExtender SSL client status
As discussed in the Security section, the USG20 has a feature for checking a device's security software called EPS. The EPS feature can be employed along with SSL VPN tunnels to ensure remote PCs accessing the network meet required security specifications. However, EPS applies only to SSL VPN tunnels and is not available for IPSec tunnels.
I usually find IPSec more challenging than SSL to configure. But I had no problem manually setting up the USG20 to support both Client-Gateway IPSec tunnels and Site-Site IPSec tunnels. For all IPSec tunnels, I set up both sides to use 3DES for encryption and SHA-1 for authentication. I manually set up my tunnels entering IPSec Phase 1 configurations on the USG20's VPN Gateway tab and IPSec Phase 2 configurations on the VPN Tunnel tab.
I successfully created an IPSec Client-Gateway tunnel with Zywall's IPSec VPN Client (which is from GreenBow) and IPSec Site-Site tunnels with both a Cisco RV220W and Netgear SRX5308. Figure 14 shows my active IPSec VPN Client tunnel to the USG20.
Figure 14: VPN tunnel status
I measured the USG20's VPN throughput with iperf using default TCP settings, with a TCP window size of 8KB and no other options. I ran iperf on two PCs running 64-bit Windows 7 with their software firewall disabled. All tests were done over a Gigabit network. (Running a simple iperf throughput test between two PCs uses the command iperf -s on one PC and iperf -c (ip) on the other PC.)
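An added example (not from the review) that drives iperf 2 with the review's settings, default TCP and an 8 KB window, and turns its summary line into a Mbit/s figure so the two directions can be compared. It assumes iperf 2 is installed, `iperf -s` is running on the far side, and the address passed to `measure` is a placeholder.

```shell
#!/bin/sh
# Convert the last throughput line of iperf 2 output to Mbit/s.
# iperf prints e.g. "[  3]  0.0-10.0 sec  5.38 MBytes  4.51 Mbits/sec".
iperf_mbps() {
    printf '%s\n' "$1" | awk '
        /bits\/sec/ { v = $(NF-1); u = $NF }
        END {
            if (u == "Kbits/sec") v = v / 1000
            else if (u == "Gbits/sec") v = v * 1000
            printf "%.2f\n", v
        }'
}

# Ratio of two Mbit/s figures to two decimals (LAN>WAN over WAN>LAN
# shows how asymmetrical a tunnel is; 27.8 / 17.6 -> 1.58).
asymmetry_ratio() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.2f\n", a / b }'
}

# One 10-second TCP test from this host to the server at $1, using the
# review's 8 KB window and asking iperf for Mbit/s output (-f m).
run_test() {
    iperf -c "$1" -w 8K -t 10 -f m 2>&1
}

# Measure one direction of the tunnel; run it once from each side so the
# client on the WAN side gives WAN>LAN and the client on the LAN side LAN>WAN.
# Usage: measure <far_end_ip>   (far end must already be running "iperf -s")
measure() {
    out="$(run_test "$1")" || return 1
    mbps="$(iperf_mbps "$out")"
    printf 'to %s: %s Mbit/s\n' "$1" "$mbps"
}
```

Call `measure 192.0.2.10` from each end of the tunnel (placeholder address), then feed the two results to `asymmetry_ratio`.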
Zyxel rates the USG20 at 30 Mbps for 3DES IPSec VPN throughput, but doesn't provide a throughput rating for SSL VPN tunnels. Table 1 shows the results of my throughput tests.
| | WAN > LAN | LAN > WAN |
|---|---|---|
| SSL VPN | 4.51 | 4.78 |
| IPSec VPN | 17.6 | 27.8 |

Table 1: VPN throughput (Mbps)
The USG20's SSL VPN throughput is more symmetrical than I've seen recently, at 4.51 Mbps from the remote client to router (WAN-LAN) and 4.78 Mbps from the router to remote client (LAN-WAN). In comparison, both the RV220W and SRX5308 support SSL VPN tunnels, but their throughput is much more asymmetrical, with <1 Mbps throughput from the remote client to router (WAN-LAN) and 12-13 Mbps from the router to remote client (LAN-WAN).
The USG20's IPSec VPN throughput is a bit more asymmetrical than the SSL throughput and significantly faster. I measured 17.6 Mbps from the remote client to router (WAN-LAN) and 27.8 Mbps from the router to remote client (LAN-WAN).
The more important number in remote tunnels is throughput from the router to the remote client (LAN-WAN), as remote clients are typically downloading more data than uploading, so it was good to see my measured throughput (27.8 Mbps) is relatively close to Zyxel's rating (30 Mbps).
The USG20 provides a significant amount of information on network activity, performance, and security. The left side of the Monitoring menu is the launch point to access all this data, as shown in Figure 15.
Figure 15: Monitoring - port statistics
Via the Monitoring menu, you have access to data on port activity, interface status, traffic stats, active sessions, DDNS status, IP/MAC binding, logged in users, 3G connections, IPSec and SSL activity, Content Filter and Anti-Spam activity, and the general USG20 log.
In addition to the information available via the USG20's menus, log messages can be emailed at regular intervals, as well as a daily report. The USG20's daily report provides a summary of all the above data options, delivered conveniently to your inbox. A section of the Daily Report shows WAN utilization by hour, shown in Figure 16.
Figure 16: WAN usage plot
Tim previously reported the maximum sessions capability on the USG20 at only 8, even though Zyxel's rating states the device will support up to 6000 sessions. Subsequently, he asked me to repeat the tests to validate. Using the same tool, I couldn't get a result greater than 8 either, until I changed some of the USG20 settings.
I found the ADP functionality was intercepting our maximum sessions tests. Our tool for measuring maximum sessions is a UDP based tool, which must be triggering one of the ADP signatures. With ADP disabled, our tool indicated the maximum session capability was 29,986. So the Router Chart data has been updated to reflect this.
I don't think the USG20's ADP feature actually limits sessions as our tool indicates. I was able to open numerous browser sessions at once, and could see over 30 sessions active in the USG20's session monitor, even with ADP enabled.
The USG20 sits between a couple of other devices I've previously reviewed. SonicWall's TZ100W is a UTM device with more security features than the USG20 and Cisco's RV220W is a VPN/Firewall device with fewer security features. All three devices are targeted at the same network size, though, so it is interesting to see how they stack up.
Table 2 compares the throughput capabilities of all three devices, and Table 3 shows price and some key capability/capacity information.
Table 2: Performance comparison (Mbps)
Table 3: Competitive comparison
*As I mentioned in the beginning of this article, the USG20 is also offered with a wireless radio. The USG20W can be found online for $214.09.
Although these comparisons are not apples to apples, I think they help provide a good idea of the value of the USG20.
The TZ100W is a UTM device with more security features that you'll pay for with a higher device cost ($321.99) and annual subscriptions of $95/yr for Content Filtering, an additional $95/yr for IDS/IPS and AV protection, and $135/yr for Anti-Spam.
In contrast, the RV220W is not a UTM device at all, has greater routing and VPN capability and throughput, but you'll pay a higher device cost ($245.89). It does have a subscription content filtering option (Cisco ProtectLink Web Service) for $65/yr or $194 for 3 years.
The biggest weakness of the USG20 is the limited number of VPN tunnels, but if that is a problem, Zyxel offers the USG50 that supports up to 5 SSL VPN tunnels.
I look at the USG20 as a “UTM-light” device as it provides the security functions of a UTM at a lower level and cost:
- Content filtering comes in at a reasonable $77/yr compared to SonicWall's $95/yr.
- The USG20's ADP functionality is a tool that provides subscription-free, signature-based network security, although not as in depth as a full-blown IDS/IPS.
- The USG20 does not provide AV software, but its EPS feature can ensure all clients are running firewall and AV software. With Microsoft giving away AV software, why pay for it?
- The USG20's Anti-Spam functionality is also a bit light, as it relies entirely on your configurations for detecting and blocking spam, but it is subscription free.
Overall, I think the USG20 is a good security device. It was stable and configuration was quick and relatively easy. The EPS feature, in particular, is a nice way to ensure endpoint security without adding cost. Finally, from a technical standpoint, the USG20 has an incredible amount of network options and provides plenty of details and information about the health and performance of your network.