ZyXEL USG60W UTM review
ZyXEL’s affordable USG60W could be the perfect all-in-one security appliance for SMBs.
ZyXEL's next generation of UTM appliances offer small businesses a one-stop shop for all their gateway security needs. Along with an SPI firewall and support for IPsec and SSL VPNs, they can be beefed up with web content filtering, anti-virus, anti-spam, IDP and ZyXEL's own application patrol.
The USG60W on review goes one step beyond as it provides dual band 5GHz and 2.4GHz wireless services and can manage up to 10 wireless APs. The USG60W supports 60 users although this is more a limitation of the hardware as ZyXEL doesn't employ a per-user licensing scheme.
It hits the spot for value as the base appliance with firewall and support for 2 SSL VPNs costs a shade under 300. A full one year bundle with all security services pushes this to only 348.
The appliance has Gigabit all round with four LAN ports and two for WAN connections where it can perform load balancing or failover. The two USB ports support storage devices for storing logs on or mobile broadband adapters which can be used for failover.
The dashboard uses status widgets which can be easily moved around as required
To deploy the USG60W just point a web browser at its default address and follow the quick start wizard. This is designed to get Internet access up and running first so it can download the latest firmware.
ZyXEL's web console opens with a tidy dashboard using widgets for various status readouts. You can decide which widgets you want to see and customise the dashboard by dragging them around to suit.
The four LAN ports can be grouped into one of three zones each with their own DHCP server. The appliance defaults to having all ports as members of the LAN1 zone but it's easy enough to change them.
It's worth sorting out your network objects next as these define things such as users, groups, services, schedules, applications and wireless AP profiles. When creating security policies you'll find objects are referenced in most of them.
The UTM components include anti-spam which is configured using profiles and rules
Each port zone is assigned a security policy with firewall rules defining inbound and outbound routes, time schedules, users and services. UTM profiles are enabled within policies and for web content filtering you can create multiple profiles and choose from over 60 URL categories to block or allow.
For IDP profiles you have preconfigured rule sets which can be tweaked to suit. Kaspersky handles anti-virus duties but there isn't much to do here as you just decide whether to have it destroy infected files, log all activities and peer into ZIP and RAR archives.
The USG60W functions as a transparent gateway so it can scan email straight from the box. First, you enable the sender reputation, mail content analysis and virus outbreak detection global features and then create profiles that log, drop or tag suspected spam messages.
The appliance can send web filtering data to ZyXEL's web portal for use in graphical reports
Application patrol and wireless
The application patrol feature controls a wide range of apps and ZyXEL provides details of over 3,000. These include apps such as IM, P2P, VoIP, media streaming, file transfer and mail.
You define application objects first where you search by category though the list and choose those you want to control. Now you can add the objects to a profile and decide whether to allow or deny this traffic.
There are some useful management tools for social networking with both Facebook and Twitter on the list. For the latter you can decide whether to allow users to tweet, follow or post messages while for Facebook you only have options to block users logging in or accessing media.
Separate objects are used to control the 2.4GHz and 5GHz radios and each can present up to 8 SSIDs. Profiles defining a security scheme are assigned to each SSID and you can block users on one SSID from seeing those on another.
The lab's Ixia Xcellon-Ultra NP blades recorded an average of 65Mbits/sec with AV and IDP enabled
Ixia performance tests
We tested performance with the lab's Ixia XM2 chassis and its two Xcellon-Ultra NP blades. ZyXEL claims a raw firewall throughput of 1,000Mbits/sec but this test doesn't give an indication of real world speeds as it only uses lightweight UDP packets.
With an IxLoad test configured for 512KB HTTP web pages, we saw firewall throughput of around 180Mbits/sec. With AV enabled in our policy, this fell to 70Mbits/sec 20Mbits/sec less than ZyXEL claims.
UTM performance stayed fairly steady as with IDP also enabled, performance dropped marginally to 65Mbits/sec. We can't argue with ZyXEL's 40,000 concurrent connection (CCs) claim as with 1byte web pages and a 50,000 CC load objective, IxLoad reported a tidy 39,998 CCs.
Reporting and conclusion
The console's monitor tab provides statistics tables on all UTM components, interfaces and traffic plus managed wireless APs and clients. It also sends web content filter data to ZyXEL's web portal where you can pull up graphical reports on blocked or allowed categories and URLs.
Small businesses may struggle with the complex relationship between the numerous security policies and profiles but it's worth persevering as they offer a versatile range of security measures. The price for a 1-year bundle is remarkably low and made all the more tempting by the integral dual-band wireless and AP management features.
The USG60W offers an impressive range of security measures and tops them off with dual-band wireless. Configuration can get complicated but small businesses will be hard pushed to find better value elsewhere.
Chassis: Desktop/rack mount chassis
Network: 6 x Gigabit (2 x WAN, 4 x LAN/DMZ)
Wireless: Concurrent 5GHz and 2.4GHz - 802.11a/b/g/n
Other ports: 2 x USB2, serial port
Power: External PSU
Management: Web browser
Warranty: 5 years
Choosing a collaboration platform
Eight questions every IT leader should askDownload now
Performance benchmark: PostgreSQL/ MongoDB
Helping developers choose a databaseDownload now
Customer service vs. customer experience
Three-step guide to modern customer experienceDownload now
Taking a proactive approach to cyber security
A complete guide to penetration testingDownload now