Zyxel USG Flex 500 review: testing speed and exploring enterprise security gateway capabilities

The number of threats faced by the owner of a local or public network is growing every day. Now, in addition to various time-killers that distract staff from work, viruses and malware, there is a new attack: maybe someone will go to an extremist site, put a like or repost there, and then you, as the person who administers the network, will drag around the instances and give evidence who went where from your IP address. Therefore, it is better to segment the limitations of your network in advance: for IoT devices, allocate a separate maximum closed space, for employees - restrict access to entertainment sites and social networks.networks, and for guests to disable suspicious domains and extremist sites.

The Zyxel USG Flex series implements all these tasks in one box, and as a bonus offers a built-in Wi-Fi controller and a productive VPN. In the new series, the manufacturer has focused on the speed of operation, and in the "Antivirus +IDP" mode, the LAN-WAN speed does not fall below 800 Mbit/s. In part, this was achieved due to two antivirus engines: you can either check each file through the built-in bitdefender with updated signatures, or cloud verification by McAfee means by sending hashes of downloaded files to the servers. The total bandwidth of the Firewall is 2300 Mbit/s, and given that any of the LAN interfaces can act as a WAN, this is more than enough to handle multiple load-balanced channels.

Zyxel USG Flex series

Today, there are 5 models in the G Flex series, and all of them provide the same security functionality and have a built-in Wi-Fi controller. A very interesting modification is the USG Flex 100W with a built-in Wi-Fi controller (although the outdated 802.11ac standard is supported), which can be used as a replacement for conventional routers in small offices. The top-end USG Flex 500, 700 models already use a fan for cooling and can be mounted in a rack. Otherwise, the difference between the models is only in quantitative characteristics.

From the point of view of the design, the following should be noted: the device with a height of 1U has an external power supply that connects from the back, which is not very convenient for installation in shallow wall cabinets. The built-in fan works noticeably audibly, although the automatic speed control keeps the speed at the lowest possible speed. In general, you can't put the USG Flex 500 in the workplace.

On the front panel there are interface ports: SFP and 7 pieces of 1GBase-T. In the USG Flex 500 model, you can assign each of the" copper " ports as LAN, WAN, or DMZ.

Also on the front panel there are two USB 3.0 ports, in which you can connect flash drives to save logs or packet capture files on them, or you can use 3G/4G modems.

According to the hardware stuffing, it should be noted 4 GB of DDR4-2666 RAM, typed with K4A8G165WC-BCTD chips from Samsung, an 8-port gigabit Ethernet switch Realtek RTL8370MB-CG and a fairly simple element base, which does not stand out in any particular way.

In general, a hardware security gateway is no longer a Firewall, it is a device that should protect a person from any of his stupidity on the network: from downloading a virus, from hanging in the social network.social networks, as well as from visiting sites with undesirable content. Zyxel has a similar solution designed for the hotel business. In one device of the USG Flex series, the company implemented anti-virus protection of the network, analysis of encrypted https traffic, blocking of suspicious domains, application filter, well, plus a Wi-Fi access point controller, VPN and fault-tolerant Internet.

Test bench

During testing, we will find out how much security rules affect the speed of WAN-LAN connections. To do this, we implement a virtual stand based on the following configuration:

We will launch two virtual machines with Windows Server 2016 operating systems and physically connect the ports of the Intel X550-T2 network cards to them via the WAN and LAN ports of the security gateway. By passing TCP traffic with a packet size of 1518 bytes between ports, we can evaluate performance in different conditions.

A simple LAN-to-WAN test shows an average speed in the region of 800-860 Mbit/s.

Web Surfing Security

The logic of restrictions in Zyxel USG Flex 500 is as follows: the rules that restrict certain resources are collected in protection profiles, such as "banning visits to nonsense during working hours", "filtering unnecessary sites for children" and so on. Well, you just apply the profile itself to the direction of traffic between zones, such as LAN-WAN.

Well, you just apply the profile itself to the direction of traffic between zones, such as LAN-WAN.

Application Patrol

If your company implements the principle of using personal gadgets in a shared network, then of course smartphones and laptops can generate spurious traffic without the user's participation: these are constant updates, background surveillance and telemetry, messengers, etc. Modern devices have learned to understand this heap of requests, implementing the IDS principle: if a packet is sent from a device to such an address with such a port, then most likely it is Skype, and if the packet came from such an address to such a port, then it is Angry Birds.

A distinctive feature of Application Patrol is that it does not "listen" to packets, and encryption from applications is not a hindrance for it. The ability to distinguish an application by the nature of both outgoing and incoming packets depends on the quality of the signatures used. At the time of writing the test, Zyxel USG Flex 500 distinguished 3647 applications, of which 2435 are various Web services, such as photo hosting, update servers, etc. Not to say that the list is downright exhaustive, but most of the necessary applications are in it, at least you can rid your network of TikTok, Likee and Bigo in just two clicks. Please note - you are not blocking the exit through the browser, but the operation of the applications themselves on smartphones.

When testing, we will make a list of 150 applications, in which 50 will be mercilessly dropped. Apply this filter to the LAN-to-WAN direction and see what has changed.

BandWidth Monitoring

But in general, sometimes it is more important to set a priority for different types of traffic, which is configured through the BWM tab.

You can use DSCP codes, generally change the routing, directing one traffic through a VPN, another-through a land channel, and the third-drop without regret, but there is no possibility to install different DSCP code for different applications.

The very function of traffic prioritization has a very strong impact on performance: the speed is reduced from 800 to 570 Mbps, so think three times, do you need to use this feature?

IDP - intrusion prevention

Intrusion Detection Prevention works as an independent filter, whose task is to prevent data leakage beyond the perimeter in the event of malicious code running inside the network or to protect devices from external attacks. In fact, the filtering functions are performed by the Suricata and Athena service packages, and the filter itself can be restricted for some services (mail, DNS, Web), and you can keep it enabled for all.

Here, by the way, you can add filtering rules yourself by setting very detailed connection parameters, including speed, operating system, ID, fragmentation, and packet content. Custom signatures can be downloaded from a USB flash drive.

The speed when using UDP is noticeably reduced to about 620 Mbit/s.

Mail protection

The mail protection service can work for SMTP and POP3 protocols, but in the LG Flex series, its protection is limited to antivirus scanning and a DNSBL-based spam filter. To protect against spoofing, it is possible to drop mail connections when a certain limit is reached, and Zyxel models with the ATP index also know how to implement anti-phishing protection.

Due to the fact that we have blocked the SMTP port, we can not test the performance of the E-Mail gateway.

Reputation and context filters

The reputation filter is an independent engine that restricts access to malicious sites by spoofing DNS responses to SNI (server name indicator) requests. Since SNI requests are transmitted at the very beginning of connection setup, even before encryption is installed, they can easily be intercepted by the gateway proxy server without using a MITM attack with traffic decryption, that is, completely transparent to clients. The reputation filter does not need to be applied to traffic directions, but it is simply immediately enabled for the WAN.

Here is almost the minimum minimum of settings - you can only choose the type of cyber threats, check the URL for entering the database, create black and white lists. Please note that the malicious address database contains only URLs, and reputation by IP addresses is only available in the older ATP series. Since the test is performed only at the time of sending SNI requests, this filter does not affect the performance of the network connection, and it is not possible to show the difference in speed by testing.

Antivirus Filter

As I said, the Zyxel USG Flex 500 security gateway uses two types of antivirus filters: cloud-based and embedded. As a rule, such protection is implemented through a built-in proxy: when downloading a file, it is first saved to the device's memory, quickly checked by one of the selected methods, and then transmitted to the user. For the client, this process looks completely transparent, everything works the same as with an ordinary Internet connection, with the only difference that you will not download the infected file to your computer.

Blocking infected files is not configured: just the URL at which the malware is located, bypassing the filter will work, and when connected via Zyxel USG Flex, it will give a 404 error.

Blocking infected files is not configured: just the URL at which the malware is located, bypassing the filter will work, and when connected via Zyxel USG Flex, it will give a 404 error.

Content filtering

This is a real censorship, due to which you can restrict access only to the right sites or vice versa - prohibit individual sites and entire categories. Directory lists are updated in the same way as antivirus signatures, and if the site is suddenly not in the database , you can either disable it or issue it after a warning like " we can't be sure of your security... blah, blah, blah."

Content filtering works not only by URLs, but also by keywords, it can be applied to one or more "LAN-WAN" directions, and to implement it on your network devices, you need to install a Zyxel trust certificate and enable an encrypted traffic sniffer, that is, to carry out a MITM attack. I want to note that SSL inspection is only needed to check the entire URL, that is, to block by keywords, and domain blocking works the same way as URL Reputation - by SNI.

That is, let's do it again and in more detail.

• Step 1-You create a certificate in Zyxel USG Flex 500,
• Step 2-You create an SSL inspector profile with https traffic encryption / decryption
• Step 3-You create a profile with content filtering
• Step 4-you apply a profile with content filtering to the "LAN-WAN" traffic direction"
• Step 5-You install certificates on client machines

After that, you will have a substitution of certificates for those that are installed by the security gateway.

Now you can block potentially unwanted sites and track the statistics with which your employees or guests go where they don't need to. However, this trick works just as well with Google Chrome as it does not work with Mozilla Firefox - if you use this browser, you will have to add the certificate directly to Firefox. Some sites the browser skips and opens, and with some swears at the attempt to eavesdrop on the connection.

After a little tinkering in the settings of the Zyxel USG Flex 500, I was not able to deal with the freedom-loving browser from Mozilla: apparently, without limiting the settings on the client machine side, this can not be done in any way.

The SSL Inspection function gives, perhaps, the most noticeable impact on speed, and the difference in the speed of web surfing is sometimes noticeable even to the naked eye. To test it, I decided to run a copy of our site on the same local network and run the Screaming Frog SEO spider through it, limiting the scanning depth to 1000 URLs. This spider uses the Chromium engine, so its connection to the site does not differ from a regular browser, and if there is a difference in speed , we will see it.

The average access time with SSL Inspection and antivirus enabled has increased by almost 6 times compared to access simply without security add-ons, and most pages respond longer than 1 second. So safety is definitely inversely proportional to speed in this case.

Recommendations when ordering

Zyxel USG Flex 500 is a modern machine that works on the principle of "connected and forgotten", capable of giving non-exclusive protection to your company from Trojans, hacks, indecent content and waste of time by your employees. Coupled with Windows Defender's built-in security features, as well as competent security policies at the operating system level, you can keep your perimeter secure by easily exporting settings between Zyxel USG devices. At the same time, be prepared for the fact that the protection functionality significantly reduces performance, so do not turn on "all at once".

This device is ideal for use on campuses, hotels and small business centers, where in conjunction with Zyxel access points, you can get an easy-to-configure network infrastructure.

Michael Degtjarev (aka LIKE OFF)
18/01.2021