As mentioned previously, ZyXEL's OneSecurity website has useful configuration tutorials and resources for security configurations on ZyXEL routers.
The firewall on the USG20-VPN uses stateful packet inspection and is configured through security policies. To understand a ZyXEL USG firewall, you have to understand zones and policies: interfaces and connections are mapped to zones, and security policies control which traffic may flow between zones. The default zones are LAN1, LAN2, DMZ, WAN, TUNNEL, IPsec_VPN and SSL_VPN. The four interface types lan1, lan2, dmz and wan map to the zones LAN1, LAN2, DMZ and WAN. Virtual interfaces created by GRE, IPv6-in-IPv4 and 6to4 tunnels map to the TUNNEL zone, and VPN connections map to the IPsec_VPN and SSL_VPN zones. Additional zones can be created, and the mapping of interfaces to zones can be edited.
The default security policies on the USG20-VPN allow traffic from all zones to reach the USG20-VPN's own management services. They also allow traffic from every zone except DMZ and WAN to reach all other zones, and a separate default policy permits traffic from the DMZ zone to the WAN zone. Because inspection is stateful, traffic arriving from the WAN is passed only when it belongs to a connection that was already established from inside; everything else is denied by default. Note that the first of those rules means the management interface is reachable from the WAN zone out of the box, so if you do not need remote administration that is the rule to tighten first. The screenshot below shows the default security policies.
Default Firewall Policies
Additional security policies can be created to allow or deny traffic from specific zones and/or address objects to specific zones and/or address objects. Address objects can be created specifying single addresses, address ranges, or subnets. Security policies can allow or deny all traffic or predefined TCP, UDP, or ICMP traffic types. Custom traffic types can be defined as an object and used in a security policy. Security policies can also allow or deny traffic based on users and schedule.
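To make the zone and policy model concrete, here is a small Python model of how such a table is evaluated. It is added to this section as an illustration and is not ZyXEL code; it mirrors only what is described above: the default zone names, the three default allow rules, top-down first-match evaluation, address objects and service objects, and stateful admission of return traffic. The "Device" zone name, the sample addresses and the custom deny rule for a guest subnet are assumptions made for the demonstration, and zones are passed in explicitly, whereas the real unit derives them from the interface a packet arrives on.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"        # wildcard zone
DEVICE = "Device"  # stands in for the appliance's own management services (assumed name)
# Zones the review lists as permitted to reach every other zone by default.
INTERNAL = frozenset({"LAN1", "LAN2", "TUNNEL", "IPsec_VPN", "SSL_VPN"})


@dataclass(frozen=True)
class Packet:
    # Zones are given explicitly here; the real device derives them from the interface.
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    tcp_syn: bool = True  # True for the packet that opens a TCP connection


@dataclass
class Policy:
    name: str
    from_zones: frozenset
    to_zones: frozenset
    action: str                          # "allow" or "deny"
    src_objects: tuple = ("0.0.0.0/0",)  # address objects as CIDR strings
    dst_objects: tuple = ("0.0.0.0/0",)
    services: tuple = ()                 # () = any; otherwise (proto, dst_port) pairs

    def matches(self, p):
        zones_ok = (ANY in self.from_zones or p.src_zone in self.from_zones) and \
                   (ANY in self.to_zones or p.dst_zone in self.to_zones)
        src_ok = any(ip_address(p.src_ip) in ip_network(n) for n in self.src_objects)
        dst_ok = any(ip_address(p.dst_ip) in ip_network(n) for n in self.dst_objects)
        svc_ok = not self.services or (p.proto, p.dst_port) in self.services
        return zones_ok and src_ok and dst_ok and svc_ok


class Firewall:
    """Top-down, first-match policy table with a session table in front of it."""

    def __init__(self, policies):
        self.policies = list(policies)
        self.sessions = set()  # 5-tuples of flows already admitted

    @staticmethod
    def _key(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def evaluate(self, p):
        """Return (verdict, reason). Packets of an admitted flow pass without
        consulting the policies; anything else is matched top-down and denied
        when nothing matches."""
        fwd = self._key(p)
        rev = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if fwd in self.sessions or rev in self.sessions:
            return "allow", "existing session"
        if p.proto == "tcp" and not p.tcp_syn:
            return "deny", "tcp packet without session"  # the stateful check
        for pol in self.policies:
            if pol.matches(p):
                if pol.action == "allow":
                    self.sessions.add(fwd)
                return pol.action, pol.name
        return "deny", "implicit default deny"


def default_policies():
    """The default table as the review describes it, in evaluation order."""
    return [
        Policy("any_to_Device", frozenset({ANY}), frozenset({DEVICE}), "allow"),
        Policy("internal_to_any", INTERNAL, frozenset({ANY}), "allow"),
        Policy("DMZ_to_WAN", frozenset({"DMZ"}), frozenset({"WAN"}), "allow"),
    ]


def demo():
    """Constructed traffic run through the defaults plus one custom deny rule."""
    # Custom rule placed above the defaults: the guest subnet (an address object) may not SSH out.
    guest_no_ssh = Policy("LAN2_no_ssh", frozenset({"LAN2"}), frozenset({ANY}), "deny",
                          src_objects=("192.168.2.0/24",), services=(("tcp", 22),))
    fw = Firewall([guest_no_ssh] + default_policies())
    srv, lan, guest = "203.0.113.5", "192.168.1.10", "192.168.2.20"
    return {
        "lan_to_wan": fw.evaluate(Packet("LAN1", "WAN", lan, srv, "tcp", 51000, 443)),
        # the reply comes from WAN: no policy allows WAN->LAN1, but the session does
        "wan_reply": fw.evaluate(Packet("WAN", "LAN1", srv, lan, "tcp", 443, 51000, tcp_syn=False)),
        "wan_unsolicited": fw.evaluate(Packet("WAN", "LAN1", "198.51.100.7", lan, "tcp", 40000, 445)),
        "dmz_to_lan": fw.evaluate(Packet("DMZ", "LAN1", "10.0.0.5", lan, "tcp", 40000, 445)),
        "dmz_to_wan": fw.evaluate(Packet("DMZ", "WAN", "10.0.0.5", srv, "udp", 40000, 53)),
        "wan_to_device": fw.evaluate(Packet("WAN", DEVICE, "198.51.100.7", "203.0.113.1", "tcp", 40000, 443)),
        "guest_ssh": fw.evaluate(Packet("LAN2", "WAN", guest, srv, "tcp", 52000, 22)),
        "guest_https": fw.evaluate(Packet("LAN2", "WAN", guest, srv, "tcp", 52001, 443)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

Two details matter in practice: the order of the table (the guest SSH deny only works because it sits above the broad internal_to_any allow) and the fact that the reply from the WAN is admitted by the session entry alone, which is why no WAN-to-LAN allow rule is needed for ordinary client traffic.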
Session limits can also be applied on the USG20-VPN to control network activity levels by user and/or address object.
The USG20-VPN also supports user authentication. Either the basic login screen or a custom screen can be presented to users the first time they try to browse to a website. Different authentication policies can be created based on schedule and on source or destination IP addresses, and users can be authenticated against a local user database or an external Active Directory server.
I created a simple authentication policy using the USG20-VPN web authentication feature and a local user name and password. Once enabled, I was prompted to enter my user name and password before I was able to access web sites. My settings are shown below.
The USG20-VPN provides a wealth of information about activity on your network. The dashboard, as previously discussed, is a quick way to see device info, system status, license status, content filter stats, system resources, and interface status.
The Monitor menu provides more detailed port statistics, traffic statistics, a session monitor, IGMP statistics, DDNS statistics, IP/MAC bindings, logged-in users, cellular statistics, UPnP port status, USB storage data, and detected Ethernet neighbors. It also provides a display of active VPN connections (shown in the previous VPN section). The Monitor menu also displays Content Filtering and Anti-Spam activity.
You can also view current log messages in the Monitor menu. The USG20-VPN can be configured to email a Daily Report. The Daily Report provides General info about the USG20-VPN, plus daily graphs of CPU Usage, Memory Usage, Session Usage, Port Usage (for each port), Content Filter and Anti-Spam Statistics, and Interface Traffic Statistics.
The gallery shows sections of a daily report from a USG20-VPN to give you an idea of the format. The reports would be more interesting if the USG20-VPN had been in service for a while before I grabbed them!
Testing and analysis by Tim Higgins
The USG20-VPN was one of the first devices to be put through our new V4 Router test process. So it received both performance and functional testing with V4.16(ABAQ.1) firmware loaded. You can download an Excel test summary that contains all functional and performance test results. You'll note the performance tests include data we aren't including in the Router Charts at this time, such as retries for TCP/IP tests, % packet loss for UDP and latency.
The Benchmark Summary shows throughput significantly lower than we're accustomed to seeing in most of today's routers. I verified the results with ZyXEL; they're as expected. Note the router's firewall was not doing any heavy lifting when performance tests were run, i.e. neither of the UTM features was engaged. So these numbers are best case.
ZyXEL USG20-VPN Benchmark Summary
To compare to other routers tested with the V4 process, you'll need to scroll down a bit in the Router Charts Benchmark selector. Here's a link to the new WAN to LAN Throughput - TCP benchmark to start you off.
The USG20-VPN passed both the TCP and UDP 3,000 connection tests. The latter success was made possible by the router's ability to set the UDP session timeout. I changed it from its default 60 seconds to 300 seconds. I could have made it shorter, since the UDP test usually takes about 3 minutes to run. The only other router to pass the UDP session test so far is the NETGEAR R7000 Nighthawk, which has no controls to set UDP session timeout.
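Why the UDP timeout decides that test: UDP has no connection close, so a stateful firewall keeps a UDP mapping only while packets keep flowing and drops it after the configured idle time. The simulation below is an added example, not ZyXEL code or the actual test harness; the test shape (3,000 flows opened at the start, each peer answering once at the end of a three-minute run) is an assumption modelled on the description above.

```python
class UdpSessionTable:
    """Session-table entries for UDP, expired on idle time alone
    (there is no FIN or RST to signal the end of a UDP exchange)."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.last_seen = {}  # flow id -> time of the last packet in either direction

    def outbound(self, flow, now):
        """A packet from the inside creates or refreshes the entry."""
        self.last_seen[flow] = now

    def inbound_reply(self, flow, now):
        """Admit a packet from the WAN only if its flow is known and not idle-expired."""
        seen = self.last_seen.get(flow)
        if seen is None or now - seen > self.idle_timeout:
            self.last_seen.pop(flow, None)  # expired entry is gone; the reply is unsolicited
            return False
        self.last_seen[flow] = now
        return True


def run_connection_test(idle_timeout, flows=3000, duration=180.0, keepalive=None):
    """Constructed test (assumption, not the real harness): open `flows` UDP flows
    within the first second, optionally re-send from each client every `keepalive`
    seconds, and have every peer answer once at `duration` seconds.
    Returns how many answers the firewall lets back in."""
    table = UdpSessionTable(idle_timeout)
    for i in range(flows):
        table.outbound(i, i / flows)
    if keepalive:
        t = keepalive
        while t < duration:
            for i in range(flows):
                table.outbound(i, t)
            t += keepalive
    return sum(table.inbound_reply(i, duration) for i in range(flows))


if __name__ == "__main__":
    for timeout in (60, 300):
        print(f"idle timeout {timeout}s: {run_connection_test(timeout)} of 3000 replies admitted")
    print(f"idle timeout 60s with 30s keepalives: {run_connection_test(60, keepalive=30)} admitted")
```

With the 60-second default every entry has expired before the replies come back; raising the timeout past the run length, or having clients send keepalives more often than the timeout, lets them through. Longer UDP timeouts keep more state per flow, and that state is exactly what a UDP flood consumes, so raise the value no further than your longest-lived UDP sessions need.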
The Functional Score of 84.1% includes 39 failed functional tests. Key takeaways from the failed tests are:
- Deprecated SSL/TLS protocol versions were not blocked for HTTPS
- Hairpin NAT translation for TCP/IP and UDP is not supported
- Triggered port forwarding tests failed because the feature isn't supported
- More UPnP tests than usual failed.
- The router lost connection when the WAN IP address changed
In addition to the above, I noticed different results in the initial DoS tests from run to run. The test plan allows 30 seconds for the device to recover from each attack. Sometimes all tests recovered, other times they didn't. The functional score doesn't include any DoS test failures.
There were also differences in the number of UPnP tests that failed from run to run. I also suspect this is due to short UPnP mapping expiration times.
The USG20-VPN is currently priced around $195, just about midway between the USG20 at around $165 and the USG40 at close to $240. This pricing passes the sniff test since the USG20-VPN's features and performance are between the two devices'.
Extending the Content Filter license for one year will run you $74.99 and $129.99 for two. Extending the Anti-Spam license for one year is $109.99 and $189.99 for two. Additional IPsec Client Licenses are $64.99 for 1, $249.99 for 5, and $399.99 for 10. Additional SSL Client Licenses cost out at $135 for 5 and $225 for 10. MacOS SSL software will set you back $135 for 10 licenses; Windows SSL costs nothing.
UTM devices in general are no picnic to configure, as the number of options can be overwhelming. The user manual for the USG20-VPN is 683 pages! However, I found that ZyXEL's new embedded links with Configuration Walkthroughs and info pages, plus the Configuration Wizards, were very helpful. Despite this and help from ZyXEL, I couldn't get Client-to-Site IPsec tunnels to work. Other than this issue, though, I was able to configure and enable every feature on the USG20-VPN I explored.
As a Unified Threat Management device, the USG20-VPN provides Content Filtering and Anti-Spam protection, leveraging huge global databases. If you also need Anti-Virus and Intrusion Detection and Prevention, you can get those features from the USG40 for about $35 more. Overall, I found the ZyXEL USG20-VPN a compact and powerful network security device that does an excellent job as an Internet Gateway, VPN router for remote access, Firewall to protect your network and Security Appliance providing Content Filtering and Anti-Spam protection.