ZyXEL ZyWALL USG 50 review

Now on a third-generation hardware platform, ZyXEL’s new ZyWALL USG 50 offers small businesses a complete security solution at an apparently low price. It’s designed for small offices of up to ten users, although this is a limitation of the hardware; it isn’t because of a per-user licensing scheme.

The appliance gets the benefit of Gigabit Ethernet all round, with four LAN ports and two for WAN connections – it can perform load balancing or failover across them. The two USB ports support a very small selection of 3G adapters that can be used for failover.

The USG 50 offers a heap of security measures, but many are optional extras. Extra licences are required for antivirus, content filtering, IDP and application patrol, and although subscriptions are reasonable, they will double your outlay for the appliance in one year.

The web interface has been redesigned, with the new dashboard using widgets for various status readouts. We found initial installation easy enough, and the web interface offers wizards for single and dual-ISP scenarios.

We recommend setting up objects next, as these define users, groups, addresses, services and schedules, and are used in the majority of security policies. Plenty of user authentication schemes are supported, although the appliance’s local database should be sufficient.

Security policies are applied to zones representing different groupings of physical ports. Zones are used by firewall rules to define inbound and outbound routes through the appliance. These also apply to the antivirus and IDP components, and for the former you can decide whether to scan HTTP, FTP, POP3, SMTP and IMAP4 protocols.

For performance testing, we used the lab’s Ixia Optixia XM2 chassis equipped with two Xcellon-Ultra NP blades. Using IxLoad to simulate ten web clients, we recorded a throughput of 131Mbits/sec with the firewall enabled and 30Mbits/sec with AV and IDP also active. During the tests, appliance CPU usage was seen to settle at 98%, showing that ten clients is a realistic limit.

Anti-spam is included as standard, but don’t get excited: all you can do is create black and white lists for message subject keywords, and apply up to five DNSBL servers. Using five DNSBL servers, including Spamhaus and Spamcop, we tested with live mail over a two week period and saw it stop less than 5% of spam.

ZyXEL’s application control can manage a wide range including IM, P2P and VoIP. For Windows Live Messenger we could stop users logging in or block them from using video, chat and file transfer; while for BitTorrent and FTP we could allow access but apply bandwidth restrictions.

Web filtering is provided by Blue Coat’s Cloud Service, and uses filter policies applied to objects such as systems, subnets and users. It provides over 70 different categories, and we found it extremely efficient.

The ZyWall USG 50 offers an impressive range of security measures, although most are optional and will push up the price. ZyXEL’s anti-spam is of limited value, so we recommend checking out Netgear’s ProSecure UTM5; it offers an effective anti-spam service, a similar level of features and is easier to install.

Author: Dave Mitchell