ZyWALL ATP 800 - testing the performance of the top security gateway from Zyxel
We have already looked at Zyxel's security gateways using the ATP500 and USG Flex 500 as examples, but devices of this kind are such an immense topic that you can return to them again and again and discover something new each time. So, if you have not met the Zyxel ATP line before, here is a short brief: this powerful 8-core firewall gateway with Multi-WAN support combines all the modern methods of analysing traffic and protecting the privacy and integrity of your corporate network: signature lists of websites and IP addresses, an intrusion prevention system (IDP), antivirus and HTTPS inspection for both web and mail traffic, plus a Wi-Fi controller with the proprietary Secure Wi-Fi technology that sets up a VPN tunnel directly to the access point.
To generate load during testing I used a server running VMware ESXi 6.5U2 with four Windows 2019 guests, on which I ran iPerf in 8-stream mode. The test traffic went through a 10-Gigabit Intel X520-DA2 network card to a 10-Gigabit Zyxel XS1920-12HP switch, which split it over VLANs onto the 1-gigabit ports of the ATP800. Since the switching fabric of a security gateway is usually modest, four 1-Gigabit ports in full duplex were more than enough to cover the capabilities of the device and simplify the test setup. The 4 virtual machines were connected in a ring through the ATP800, each one testing its neighbour via iPerf, loading 8 directions in total with a combined maximum of up to 8 Gbit/s, which is exactly the speed one can count on judging by the device's specifications (see the table below).
| Specifications | ZyWALL ATP100 | ZyWALL ATP200 | ZyWALL ATP500 | ZyWALL ATP800 |
|---|---|---|---|---|
| Number of 1GBase-T ports | 4 | 4 | 7 | 12 |
| Number of SFP ports | 1 | 1 | 1 | 2 |
| Device performance in packet processing, Mbit/s | | | | |
| SPI | 1000 | 2000 | 2600 | 8000 |
| VPN | 300 | 500 | 900 | 1500 |
| IDP | 600 | 1200 | 1700 | 2700 |
| Antivirus | 380 | 450 | 890 | 2000 |
| Routing performance | | | | |
| Maximum number of TCP sessions | 300K | 600K | 1M | 2M |
| Maximum number of IPsec tunnels | 40 | 40 | 300 | 1000 |
| Maximum number of SSL tunnels | 10 | 10 | 150 | 500 |
| VLAN interfaces | 8 | 16 | 64 | 128 |
| Max. number of controlled access points | 24 | 40 | 72 | 520 |
The Zyxel ATP800 is designed for large offices: this gateway has 12 physical 1GBase-T ports, supports up to 1000 simultaneous IPsec tunnels and up to 520 (!) wireless access points (including Wi-Fi 6), and the firewall can process traffic at up to 8000 Mbps. All of the gateway's functionality is now also available in the Nebula cloud, but we will focus on local configuration.
Design
I don't know why Zyxel doesn't adopt today's fashionable abbreviation NGFW (Next Generation Firewall): from the hardware point of view everything here is top-level, with an 8-core processor and 8 GB of RAM that allow the entire stream to be processed in memory, including antivirus scanning of downloaded files.
Physically, the Zyxel ATP800 is a 19-inch 1U chassis with bright red "ears", a built-in power supply and 4 fans whose airflow exhausts to the rear. In normal operation the Zyxel ATP800 is very quiet, so it can be installed in a shared room with staff, either in a closed cabinet or in an open rack.
The gateway has 12 1GBase-T (copper) ports and two SFP slots, usually used for uplinks. For direct control via the console there is a DB9 port on the front, and a pair of USB 3.0 ports can be used both to load signatures from a USB flash drive and to save diagnostic data onto it (packet captures, logs, etc.). The Zyxel ATP800 also supports 4G/LTE modems, which I definitely recommend using: of course you cannot push all corporate traffic through them, but you can keep key services running and telemetry flowing.
And here I want to settle the question of the gateway's compatibility with Nebula: yes, Zyxel has implemented this feature in the latest firmware, but cloud mode must be chosen at the first initialization of the device, otherwise all settings will be reset during the "transition to the cloud".
Interfaces and configuration
One could talk about the gateway's capabilities endlessly, but I will dwell on the points I found interesting, starting right from the start page. I am very much in favour of the modern trend of showing device statistics on the start screen as pie charts and histograms: you can immediately see who exactly in your network triggers which alerts, and where blocked traffic most often comes from. This is, of course, in addition to the usual technical details about the load on the machine.
A machine as serious as the ATP800 is designed to manage a large number of networks, so physical interfaces here are a rather nominal concept. Local networks are defined by port groups named ge1 to ge14, which can be moved between physical ports while keeping their settings. On top of each port group you can also create VLAN networks, each with its own DHCP server, IP range, MTU size and other settings. In addition, networks can be defined by VPN address space or by tunnels connecting your gateway to remote offices. If you are faced with the task of giving each department its own VLAN and configuring access rules such as "can an accounting user reach a printer in the meeting room from a laptop over Wi-Fi in the warehouse", this is solved not with Windows security policies but by the network gateway.
Logically, all these networks are grouped into zones: LAN, WAN, DMZ, IPSec_VPN, and you can define as many such names as you like. Why make it so complicated? So that security policies can later be applied to a whole direction at once, for example LAN6-WAN or, in the case of bridges, LAN1-LAN2 to protect horizontal traffic. To be honest, I have not yet met a security gateway where all these hundreds of settings and hierarchies were perfectly structured and neatly laid out, and the Zyxel ATP800 is no exception: the setup is complex and almost always highly fragmented, so to take the next logical step you need to dig through all the navigation menus. Fortunately, almost everywhere there is a link to the documentation showing which parameters of which interfaces are affected on this page, an effective diagnostic system with packet capture is built into the gateway, and so, in general, after a day or two you will love it.
The declared bandwidth of 8 Gbit/s refers to UDP traffic; in our test the cumulative speed did not rise above 5.5 Gbit/s, which is still a very decent figure for TCP. An interesting feature was that in single-stream mode the LAN-WAN direction works somewhat faster than LAN-LAN, although there is no technological reason for this: all ports here are equivalent.
The gateway supports up to 1000 IPsec tunnels, and here I want to refer to the wireless access point controller. Zyxel has Secure Wi-Fi technology, in which an access point located anywhere on the globe can connect to the gateway via VPN and work and be managed in the same subnet as your local devices. We discussed this technology in detail in the Zyxel WAX650S review. It also removes the need to separately secure traffic between iOS devices and applications that cannot use an HTTPS connection. But, of course, no Wi-Fi controller or IPsec tunnels will surprise anyone today, and what matters much more is which security solutions are implemented here.
The mechanism for setting restrictions and filters is as follows: first you define zones, for example LAN1, LAN2, WAN. Then, in a security policy, you can open or close inter-network connections completely, for example allow only certain ports and certain IP ranges between LAN2 and LAN1, or allow all connections from VPN1 to any network, and so on. On top of each of these policies you can additionally hang a software filter that further processes the traffic matching that rule. Moreover, the same filters can be configured for different policies with different parameters. This will become clearer below.
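To make the zone-and-direction model concrete, here is an added example (my own code, not Zyxel's) of a first-match policy evaluator: traffic is classified by source and destination zone, rules are checked in order with optional port and source-range restrictions, and anything unmatched is denied. The zone names, subnets and rules are constructed assumptions.

```python
"""Zone-based policy evaluation in the style the review describes.
Added example, not Zyxel code; zones, subnets and rules are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed mapping of zone name -> subnets behind it (assumption).
ZONES = {
    "LAN1": [ipaddress.ip_network("10.1.0.0/16")],
    "LAN2": [ipaddress.ip_network("10.2.0.0/16")],
    "VPN1": [ipaddress.ip_network("10.200.0.0/16")],
    "WAN": [ipaddress.ip_network("0.0.0.0/0")],  # catch-all, checked last
}

@dataclass
class Rule:
    src_zone: str          # zone name or "any"
    dst_zone: str          # zone name or "any"
    action: str            # "allow" or "deny"
    ports: set = field(default_factory=set)       # empty = any dst port
    src_nets: list = field(default_factory=list)  # empty = any src address

def zone_of(addr: str) -> str:
    """Classify an address: specific zones first, WAN for everything else."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if name != "WAN" and any(ip in n for n in nets):
            return name
    return "WAN"

def evaluate(rules, src_ip, dst_ip, dst_port):
    """Return the action of the first rule matching this flow, else 'deny'."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.src_zone not in ("any", src_zone):
            continue
        if r.dst_zone not in ("any", dst_zone):
            continue
        if r.ports and dst_port not in r.ports:
            continue
        if r.src_nets and not any(src in n for n in r.src_nets):
            continue
        return r.action
    return "deny"  # implicit default: no policy matched

# Constructed policy mirroring the review's examples: a narrow LAN2->LAN1
# allowance (accounting subnet to printer ports), VPN1 open to any zone,
# LAN1 allowed to the WAN on web ports only.
POLICY = [
    Rule("LAN2", "LAN1", "allow", ports={9100, 631},
         src_nets=[ipaddress.ip_network("10.2.5.0/24")]),
    Rule("LAN2", "LAN1", "deny"),
    Rule("VPN1", "any", "allow"),
    Rule("LAN1", "WAN", "allow", ports={80, 443}),
]
```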
Application Patrol
Perhaps we should start with the simplest, Application Patrol. This is a list of almost every program known in the world that you can allow or prohibit on your network. Signatures are updated by subscription, and the software is sorted by category. In theory, of course, it is possible to ban entire categories of applications such as "games", but in practice it is better to ban everything and allow only what you need. This is because the interface is clearly not designed to manage hundreds of programs: it is difficult to ban games while at the same time allowing office applications and messengers. And rules are written for a specific application, not for a category: when a new messenger comes out, you have to add it yourself.
An application is identified by the addresses of the servers it accesses and the ports it uses, so the fact that the protocol inside the application is encrypted does not matter, and since it is all implemented on top of firewall tables, even 256 rules will at most affect connection setup speed, not overall throughput.
Accordingly, the tests show that this filter can be enabled without worrying about performance.
ADP - Anomaly Detection and Prevention
Using the ADP filter you can protect yourself from attacks that aim to cause a buffer overflow. Protocol anomalies such as an incorrect timestamp, incorrect packet size data and others also occur in ordinary networks, but a constant stream of them is either a hardware malfunction or a malware attack. The ATP800 gateway allows such packets to be dropped either unconditionally or once a certain frequency is exceeded.
In total there are only 24 anomalies in the signature list, and note that ADP is not applied to a direction like LAN-WAN but to a specific port, or to all ports at once.
This is a very light filter that does not affect the speed.
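The two ADP actions described above (drop always, or drop only once a source exceeds a rate) can be modelled in a few lines. This is an added example of my own, not Zyxel code: the anomaly names, the sliding window, the "alert" outcome for below-threshold hits and the sample packets are all constructed assumptions.

```python
"""ADP-style anomaly handling: unconditional drop, or rate-threshold drop.
Added example, not Zyxel code; signatures, window and packets are constructed."""
from collections import defaultdict, deque

# Constructed policy: ("drop",) = always drop this anomaly;
# ("rate", limit, window_s) = drop only when a source exceeds `limit`
# hits of this anomaly within `window_s` seconds (below that: alert only).
POLICY = {
    "bad-timestamp": ("rate", 3, 10.0),
    "bad-length": ("drop",),
}

class AdpFilter:
    def __init__(self, policy):
        self.policy = policy
        self.hits = defaultdict(deque)  # (src, anomaly) -> recent hit times

    def handle(self, pkt):
        """Return 'pass', 'alert' or 'drop' for one packet dict."""
        anomaly = pkt.get("anomaly")
        if anomaly is None or anomaly not in self.policy:
            return "pass"
        rule = self.policy[anomaly]
        if rule[0] == "drop":
            return "drop"
        _, limit, window = rule
        q = self.hits[(pkt["src"], anomaly)]
        q.append(pkt["t"])
        while q and pkt["t"] - q[0] > window:  # expire hits outside window
            q.popleft()
        return "drop" if len(q) > limit else "alert"

def run(packets, policy=POLICY):
    """Apply the filter to a packet sequence and return the per-packet verdicts."""
    f = AdpFilter(policy)
    return [f.handle(p) for p in packets]

# Constructed sample: source A floods bad timestamps, B sends one stray
# anomaly and one malformed length, C is clean, then A returns much later.
SAMPLE = [
    {"src": "A", "t": 0.0, "anomaly": "bad-timestamp"},
    {"src": "A", "t": 1.0, "anomaly": "bad-timestamp"},
    {"src": "A", "t": 2.0, "anomaly": "bad-timestamp"},
    {"src": "A", "t": 3.0, "anomaly": "bad-timestamp"},
    {"src": "C", "t": 3.5},
    {"src": "A", "t": 4.0, "anomaly": "bad-timestamp"},
    {"src": "B", "t": 5.0, "anomaly": "bad-timestamp"},
    {"src": "B", "t": 6.0, "anomaly": "bad-length"},
    {"src": "A", "t": 20.0, "anomaly": "bad-timestamp"},
]
```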
IPS (Intrusion Prevention System)
IPS is another line of defence that lets you contain your network when a compromise has already occurred. Having an extensive database of the IP addresses, ports and packet sizes that various malware uses to establish connections, and from where, the system can shut down attempts by Trojans to connect to a remote host to download further malware or exfiltrate data, block suspicious connections from IP addresses known for spam to public ports, and so on. Usually this kind of protection is implemented with Suricata or Snort and has two modes of operation: inline, when literally every network packet is checked against the "who, where, from where" databases and is not passed until the system gives the go-ahead, and offline, when packets are checked after the fact and blocking is done by the firewall. Both types of check have their pros and cons: the first is too expensive and is designed for tens or hundreds of active rules, the second can handle any number of rules but lets through a small, not particularly critical number of packets. To make it clearer how this protection is implemented in the Zyxel ATP800, see the following screenshot:
The protection can work in prevention mode and in event logging mode. By default all signatures already have the reject action set, so you will not need to configure the rules manually, but one cannot say there are many signature entries: about 5500. Note that IPS is enabled for the gateway core as a whole, that is, for all ports and all directions.
The impact on gateway performance is small, within 10%, so it makes sense to keep this option permanently enabled.
Content filters
The greatest danger in enterprise networks today is attacks using social engineering. Simply put, this is when an employee opens a suspicious e-mail attachment, visits a strange website, or, even worse, leaves comments in extremist groups on social networks from a corporate IP address. Any of these actions can be stopped by the Zyxel ATP800. And even if the workstations are configured with third-party DNS servers, the Zyxel gateway still will not let you reach a blocked site.
Technically, a transparent proxy is apparently used here, because there are no problems accessing permitted sites, and even prohibited sites still respond to ping, yet access to them remains closed.
These filters do not affect the switching performance.
Reputation filters
It is not clear why this filter was placed in a separate category, because in my view it could be combined with content filtering: the idea is the same, we block access to suspicious IP addresses and URLs based on signatures. However, a significant difference from content filtering is that reputation filters apply to the entire device at once, regardless of ports and traffic directions, and block the whole host and all its ports. That is, there is no situation where a site responds to ping but does not open: blocked addresses are closed off from you completely.
Performance does not suffer from the use of reputation filters.
Apparently they are implemented on top of the built-in firewall.
Antivirus filtering
Perhaps all of these filters could also be combined into one, along with the most interesting one, the antivirus function for HTTPS and e-mail. The antivirus works by proxying certain file types, which are scanned by the gateway's own or a cloud-based antivirus engine as they pass through its buffer. Archives are unpacked during scanning, and if the gateway cannot unpack one (for example, a password-protected archive), you can enable automatic deletion of the file. Not all files are checked, only archives, MS Office documents, PDF, Flash, RTF and .exe and .com executables.
The Zyxel ATP800 sandbox uses code emulation to reveal behaviour and detect unknown complex threats and targeted attacks. If the behaviour pattern of a program or its network packets matches that of malware, the file is deleted and the signatures are updated. Since running programs in an isolated environment is a rather time-consuming task, the gateway, instead of doing it locally, sends the file to the Zyxel cloud and waits for the result of the check. In some cases this interrupts the download and requires it to be resumed manually.
Naturally, before suspicious files are executed in the sandbox they are pre-filtered: an antivirus scan is performed, including by file checksum. If the preliminary check cannot determine whether the file is a threat, the sample is passed to the virtual sandbox for further analysis. A potentially dangerous file is run in virtual machines with Windows, macOS and Android.
Since this whole process takes place in a proxy, that is, out of band, it does not affect switching performance.
Perhaps many people will say here: Windows has a powerful built-in antivirus, Defender, so why do I need another antivirus on the local network, and they would be absolutely right: a downloaded-file scanner on its own is useless if all your gateway can do is remove malware. But the Zyxel ATP800 has learned to isolate an infected device that visits blocked websites, downloads malware, or on which an exploit has been detected. Wireless clients are simply blocked at the access point's ACL level, and wired clients are placed in an isolated VLAN, cutting them off from the enterprise network.
Of course, for the antivirus to scan a file transmitted over HTTPS, the gateway must be able to decrypt the traffic, and the Zyxel ATP800 lets you do this by performing what is effectively a MITM on the connected clients, or, in more polite language, by "enabling SSL traffic inspection". The process is very simple: first, in the "SSL Inspection" tab, we create a new certificate with default settings, then apply it to a given direction, for example LAN1-WAN.
Now we need to obtain the root certificate of our gateway, which bears the plain name "default" and lives in the "Certificates" tab, or have it sent by e-mail in the previous step. Once the certificate is on our desktop, we double-click it and install it into the "Trusted Root Certificates" store. After that the gateway will decrypt HTTPS traffic and be able to detect malware. For ordinary users the scanning process is not noticeable; the only thing is that the speed drops to about 1 MB/s and files larger than 1 GB may not download, but for files that the antivirus does not scan there is no impact.
All together
Finally, we run a test with all the security policies and services discussed above enabled.
This test slowed the gateway down, but only slightly, by around 16%, and only when the streams were fully loaded; the speed of a single link remained unchanged: CPU performance is more than enough for a 1-gigabit connection.
Connecting to Nebula
Cloud management is the most popular feature among modern network engineers, especially with multiple WANs, because as long as the gateway has Internet access you can reach it, make the necessary settings or fix a problem that has arisen.
The Nebula cloud controller implements all the functionality of the ZyWALL ATP800's security services, except perhaps for the deepest settings. Moreover, Zyxel today provides a separate cloud dashboard service with security reports for these gateways, where all the incidents your gateway has handled are shown on a world map, and reports are e-mailed daily.
Licenses
The functions of Zyxel gateways discussed here are provided under license. In our case the following licenses were activated on the device during testing:
- Web Filtering
- Application Security
- Malware Blocker
- Intrusion Prevention
- Sandboxing
- Reputation Filter
- Collaborative Detection & Response
To generate detailed security reports a SecuReporter Premium license is used, Secure WiFi is used to support the VPN tunnel to an access point, and Device HA Pro is needed for fault-tolerant configurations.
Conclusions
As you can see, in modern security gateways multicore processors are paired with a software architecture that performs the most expensive processing in the background. Thanks to this, switching performance almost always stays close to the maximum. Naturally, nothing comes for free, and in the area of web security slowdowns can be observed at connection establishment, but the modern Internet is arranged so that verifying Let's Encrypt HTTPS certificates takes incomparably longer than the gateway's security service, so enabling the various filters does not slow down real web browsing. At least, I could not measure a difference.
Among the disadvantages of the Zyxel ATP800 I would count the illogical configuration structure: yes, different programs are responsible for different services and they have different configuration files, but it would be priceless if the developers could group and combine them by threat type.
Michael Degtjarev(aka LIKE OFF)
08/11/2021