ZyWall USG 1000
Strengths: Zoning and policies offer good flexibility, IPsec and SSL VPN support, excellent web content filtering, useful application controls
Weaknesses: Comparatively expensive, the anti-spam feature is ineffectual
Verdict: A pricey but well-featured security appliance with excellent web content filtering, IDP and application controls - but don't buy it for anti-spam
ZyXel's latest ZyWall USG (unified security gateway) appliances aim to take all the best bits from its established range of UTM solutions and augment them with even more security options. They look to be good all-rounders: eight key UTM features are backed by support for IPsec, SSL and L2TP VPNs plus ZyXel's new Application Patrol service.
The USG 1000 on review is at the top of a family of four appliances and supports between 75 and 200 users. The unit is a compact box equipped with 1GB of RAM and 256MB Flash memory, while the five Gigabit Ethernet ports can take on a range of roles. You can ignore the two USB ports, the PC Card slot and the SFF hard disk bay, as these are not yet supported in firmware.
The network ports can operate in LAN, WAN or DMZ modes and you can use the second and third ports to provide primary and secondary internet connections for failover. The USG 1000 functions as a transparent gateway and for testing we simply slipped it between our LAN and the internet using the first two ports, where it required no client config changes.
The tidy web interface opens with a complete rundown on the status of the appliance and its services, and offers a quick-start wizard for single or dual ISP scenarios to get internet access sorted quickly. Your best bet at this stage is to create objects, as these define users, groups, addresses, services and schedules and are referenced by the majority of security policies. For user authentication, you can use the appliance's local database or define external AD, LDAP or RADIUS servers; for the latter, ZyXel also offers its optional ASAS OTP (one-time password) tokens.
The OTP option is the same as that provided with Billion's nifty little SSL VPN appliances (see http://www.scmagazineuk.com/Billion-BiGuard-S6000/Review/2742/), which combine tokens with the Authenex ASAS Radius server software. We've always found the software easy to use but we recommend dedicating a Windows system to the ASAS server to avoid problems.
The network ports are grouped into zones, each with its own security policies. Zones make the USG 1000 quite versatile, as you can block or allow traffic between members of the same zone, between different zones, or to and from interfaces not assigned to any zone. Firewall rules are written in terms of source and destination zones and control which traffic may pass through the appliance in each direction; ZyXel provides nearly 20 predefined rules, to which you can add custom rules.
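To make the zone model concrete, here is a small first-match policy evaluator written as an added example for this review; it is not ZyXel's code and does not reproduce the appliance's rule syntax. Interface names (ge1..ge5), zone names and the sample rules are assumptions. It shows the three cases the text describes (same zone, different zones, unzoned interface), the default-deny fallthrough when no rule matches, and why rule order matters.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Hypothetical interface-to-zone assignment; ge5 is deliberately left out of
# every zone so that "traffic not assigned to a zone" can be exercised.
INTERFACE_ZONE = {"ge1": "LAN", "ge2": "WAN", "ge3": "WAN", "ge4": "DMZ"}

ANY = "any"        # matches every zone, including unzoned interfaces
UNZONED = None     # the zone of an interface that is in no zone


@dataclass(frozen=True)
class Rule:
    from_zone: Optional[str]       # "LAN", "WAN", "DMZ", ANY or UNZONED
    to_zone: Optional[str]
    proto: str                     # "tcp", "udp" or ANY
    dport: int                     # 0 means any port
    action: str                    # "allow" or "deny"


def zone_of(interface: str) -> Optional[str]:
    """Look up the zone an interface belongs to; None if it is unassigned."""
    return INTERFACE_ZONE.get(interface, UNZONED)


def _zone_matches(pattern: Optional[str], zone: Optional[str]) -> bool:
    return pattern == ANY or pattern == zone


def evaluate(rules: List[Rule], in_if: str, out_if: str,
             proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching rule). First match wins; if nothing
    matches, the implicit policy is deny (index None)."""
    src, dst = zone_of(in_if), zone_of(out_if)
    for idx, r in enumerate(rules):
        if not (_zone_matches(r.from_zone, src) and _zone_matches(r.to_zone, dst)):
            continue
        if r.proto != ANY and r.proto != proto:
            continue
        if r.dport != 0 and r.dport != dport:
            continue
        return r.action, idx
    return "deny", None


# Constructed sample policy, in the order it would be evaluated:
SAMPLE_RULES = [
    Rule("LAN", "LAN", ANY, 0, "allow"),          # 0: intra-zone traffic allowed
    Rule("LAN", "WAN", "tcp", 443, "allow"),      # 1: browsing out to the internet
    Rule("LAN", "WAN", "udp", 53, "allow"),       # 2: DNS out
    Rule("LAN", "DMZ", "tcp", 80, "allow"),       # 3: LAN may reach the DMZ web server
    Rule("WAN", "DMZ", "tcp", 80, "allow"),       # 4: public access to the DMZ web server
    Rule(UNZONED, ANY, ANY, 0, "deny"),           # 5: explicit drop for unzoned ports
    # No WAN->LAN or DMZ->LAN rule exists, so those fall through to deny.
]

if __name__ == "__main__":
    for flow in [("ge1", "ge2", "tcp", 443), ("ge2", "ge1", "tcp", 445),
                 ("ge4", "ge1", "tcp", 3389), ("ge5", "ge1", "tcp", 80)]:
        print(flow, "->", evaluate(SAMPLE_RULES, *flow))
```

Note that the DMZ-to-LAN direction is denied even though LAN-to-DMZ port 80 is allowed: zone rules are directional, and only the initiating direction needs a rule when the firewall is stateful, which is the behaviour the predefined rule set relies on.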
Optional anti-virus scanning uses the Kaspersky engine: you apply policies to selected zones and choose which of HTTP, FTP, POP3, SMTP and IMAP4 to scan. As the appliance has no usable hard disk, quarantining is not an option; Kaspersky simply deletes infected files and also drops archives that cannot be extracted for scanning, so password-protected or otherwise unreadable archives are blocked outright rather than passed through unscanned.
Web content filtering is handled by Blue Coat and differs from the other services in that you define filter policies for objects rather than zones, which lets you build acceptable use policies (AUPs). You can apply different filter profiles to single systems, groups of AD users or an IP address range, and attach a time schedule to each. Blue Coat offers 60 categories, and a handy feature is the ability to enter a URL and see how it is categorised.
During testing we found filtering performance to be extremely good. We googled for online bingo sites and gave up after being blocked from accessing the first 60 hits. Online gaming sites were just as difficult to access, and with the social networking category selected we were unable to use problem sites such as Facebook, Bebo and MySpace. Blue Coat's remote web filtering reports for our appliance were very useful.
For anti-spam, the appliance transparently scans POP3 and SMTP traffic, but all you can do is create your own keyword blacklists and whitelists and use DNSBL servers. We tested the latter in a live environment using the free Spamhaus, Spamcop and SORBS services and found that they were virtually useless, as nearly everything got through without being picked up and tagged.
ZyXel's Application Patrol looks far more useful, as this optional feature allows you to control a range of applications including IM and P2P and apply inbound and outbound bandwidth limits to each one. We tested using Windows Live Messenger and were able to block users from logging in, stop them using video or restrict file transfers which timed out after being started.
For SSL VPNs, the base price includes support for five tunnels, and profiles can be created to control access to web servers, RDP and VNC connections, OWA and basic file sharing. We found SSL VPNs easy enough to create: you select service objects and assign user and group permissions. Remote users are then directed to a secure portal offering only the services they are permitted to access.
The USG 1000 offers a fine range of security features, although compared with products such as eSoft's ThreatWall 450 (see http://www.scmagazineuk.com/eSoft-ThreatWall-450/Review/2683/) it is comparatively costly, and ZyXel's anti-spam option is of no value at all. Nevertheless, the use of zones and policies makes it very versatile, and the tough web content filtering allows strong AUPs to be enforced in the workplace.