pre-buy: choosing USG20 or USG40?

Horia
Horia Posts: 33  Freshman Member
edited April 2021 in Security
As I cannot reach Zyxel in any "live" way (chat or phone) I must ask here my question.
Depending on the reply, I will buy (or not) a Zyxel product.
I also sent a request for a local dealer for Zyxel, two weeks ago, but... no answer from Zyxel.
So I hope some of you could help me with a few questions! I thank you in advance for that!

so here are my details:

For a small VPN connection from outside PCs to a LAN with only two internal small servers, I would need a fitting USG product. I am thinking of the USG20 or USG40 (possible with WLan option).

The VPN firewall from Zyxel would be set up behind an Austrian telecom router. It should allow the connection to two small "servers" in a LAN, which have only a http (web, browser) interface.

I would need to know the following, in order to understand what my total costs would be (hardware + software licences) :

1) - what kind of software licences do I need to buy, except the hardware itself? There are a lot of software licences available from Zyxel, but I don't know which is useful for what.

My necessity would be only and alone to connect to the internal LAN, coming from the internet, via VPN, from two clients on two windows PCs and one on a mac PC. Possibly also from a mac tablet to the VPN.

I do not need to filter other outgoing or incoming traffic (eg. email traffic or surfing from the LAN behind the firewall to the internet), or an antivirus licence on the firewall.

2) - do I need to buy yearly some kind of "updates" for the firewall firmware itself (the one that is on the USG20 or 40 hardware)

3) does the USG20 firmware allow some kind of "Country-IP Blocking"? What intrusion prevention options does the USG 20 offer?
I know that the IPS software is available only on the USG40 (or higher). How is it called? (if I want to buy an IPS licence) and how much does that cost per year?

What security options would be recommendable for such a small LAN? I mention that the whole LAN behind the firewall is not extremely sensitive (it contains no important private data in it, but only these two small servers in it, which are additionally secured with passwords).

Thank you a lot!

Comments

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    Hello Horia,
    the question you mentioned,
    I think you can purchase USG40W which has Wlan and VPN function.  
    1) - what kind of software licences do I need to buy, except the hardware itself?~~
    The USG 40W or higher model can include UTM licenses (bundle license for one year), so you don't need to worry about which license you need to buy. Otherwise, let me tell you that the USG40W supports Anti-Spam, Anti-Virus, IDP, Content Filter.

    2) - do I need to buy yearly some kind of "updates" for the firewall firmware itself ~~
    You don't need to pay extra money for this license. Just sign in to your account on myzyxel.com and register the device. Then sync the device with your account. Here is the website: https://portal.myzyxel.com/users/sign_in

    3) does the USG20 firmware allow some kind of "Country-IP Blocking"?~~
    The Country-IP Blocking is supported on USG40 or above models.
    What security options would be recommendable for such a small LAN?~~
    Per your description, Anti-Virus and IDP are enough. However, as I mentioned, when you buy the USG 40W the one-year licenses are already included (bundle package).
    Charlie
  • Horia
    Horia Posts: 33  Freshman Member
    edited November 2017
    Hello Charlie,
    thank you very much for your detailed answer!

    for the USG40 hardware, am I correct that I would need the version "ZYXEL USG40W-EU0102F" in order to have the UTM licence included?

    In case I would like to buy an IDP-license separately (only IDP, no anti-virus etc.) and a licence for VPN access (as far as it is mandatory), how are they called, please? I cannot understand, looking at the webshops in my country, which one I should buy. The licenses are unfortunately called quite in an abstract way...

    In case I do not buy a bundle with UTM, do I need a VPN-"server"-license in order to be able to access the VPN of the firewall, or is all the necessary software (regarding the VPN) included in the hardware? (here, I do not mean the VPN-clients, but only the "server-sided VPN software, that has to be located on the hardware from ZyXel)

    I need to know this, as I want to indicate to my customer the yearly costs for the next years too. (The first year, we would have an included software, but what happens later?)

    thanks again,
    Horia
  • Horia
    Horia Posts: 33  Freshman Member
    Sorry, but I have to bother you with another (hopefully last) question:

    for a Nebula cloud-managed version firewall, ZyXel NSG50-ZZ0101F, do I need any software license? I could not understand this, after reading the info at Zyxel and on the reseller's site.

    I would think of buying that one (in case I can manage the WLAN with an old router) instead of the USG40W.



  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    edited November 2017
    Horia said:
    As I cannot reach Zyxel in any "live" way (chat or phone) I must ask here my question.
    Depending on the reply, I will buy (or not) a Zyxel product.
    I also sent a request for a local dealer for Zyxel, two weeks ago, but... no answer from Zyxel.
    So I hope some of you could help me with a few questions! I thank you in advance for that!

    so here are my details:
    For a small VPN connection from outside PCs to a LAN with only two internal small servers, I would need a fitting USG product. I am thinking of the USG20 or USG40 (possible with WLan option).

    Chris> please check the total required throughput in the local network.

    The VPN firewall from Zyxel would be set up behind an Austrian telecom router. It should allow the connection to two small "servers" in a LAN, which have only a http (web, browser) interface.

    Chris> does your ISP also support modem (bridge) mode, to have the public ISP IP on WAN1 of the firewall device? VPN behind a router is a bit tricky to configure.

    I would need to know the following, in order to understand what my total costs would be (hardware + software licences) :

    1) - what kind of software licences do I need to buy, except the hardware itself? There are a lot of software licences available from Zyxel, but I don't know which is useful for what.

    My necessity would be only and alone to connect to the internal LAN, coming from the internet, via VPN, from two clients on two windows PCs and one on a mac PC. Possibly also from a mac tablet to the VPN.

    Chris> SSL-VPN Client is available and can also be used through proxies/hotspots; they are blocking L2TP over IPsec connections :)

    I do not need to filter other outgoing or incoming traffic (eg. email traffic or surfing from the LAN behind the firewall to the internet), or an antivirus licence on the firewall.

    2) - do I need to buy yearly some kind of "updates" for the firewall firmware itself (the one that is on the USG20 or 40 hardware)

    Chris> The firmware updates are actually free of charge. Only dedicated services (content-filter, av, idp/app-patterns) are optional and can be paid for 1yr or 2yrs.

    3) does the USG20 firmware allow some kind of "Country-IP Blocking"? What intrusion prevention options does the USG 20 offer?
    I know that the IPS software is available only on the USG40 (or higher). How is it called? (if I want to buy an IPS licence) and how much does that cost per year?

    Chris> pricing depends on the dealer.

    What security options would be recommendable for such a small LAN? I mention that the whole LAN behind the firewall is not extremely sensitive (it contains no important private data in it, but only these two small servers in it, which are additionally secured with passwords).

    Chris> are the servers reachable from the internet (through NAT)? These two systems can be placed in the DMZ zone, and all other devices in e.g. LAN1. But to get connected from LAN1 to DMZ you have to create a security policy.

    USG40W -> WLAN only 2.4G
    USG60W -> WLAN 2.4/5G

    Regards
    Christian




  • parnassus
    parnassus Posts: 13  Freshman Member
    Also consider that ZyXEL USG40 and ZyXEL USG60 (with latest 4.25 Firmware) provide up to 5 (free) SSL VPN concurrent connections so if you don't want to purchase the ZyXEL VPN Client (application) - one for any supported device (Apple/Microsoft) you're going to use to connect to your Firewall - you can use supported Web Browser(s) to securely connect to your Firewall... ZyXEL ZyWALL USG20 (old Firmware 3.30, no longer updated since November 2016... a thing to consider) supports at maximum 1 (free, I think not expandable) SSL VPN connection.

    If I were you I would go with the USG60 (very good CPU performance) without any UTM bundle (if you are going to ignore UTM features), then - separately - I would purchase a supported NWA Wireless Access Point (USG60 supports up to 2 APs free, without licensing...with licensing up to 8) so you will be free to install it far from the place where the Firewall will be placed (I successfully used NWA5121-NI as example).

    USG40/60 datasheets are a good source of information WRT licensing and Firewall features/capabilities.

    The USG60W is the product to go if you (a) want "embedded WiFi with antennas" and (b) have the Firewall well positioned (not inside a metal Rack!) in order to benefit of its "embedded WiFi".

    Personally I tend to keep functions separated (WiFi Access and Routing/Firewalling)

  • parnassus
    parnassus Posts: 13  Freshman Member
    Clearly, above I was referring to the old ZyXEL ZyWALL USG20 and not the current ZyXEL USG20-VPN (which is another model).
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    edited November 2017
    Be careful with using the browser web interface to get connected through SSL-VPN.
    One technician from ZYXEL Germany reported that the web interface will be deactivated/decommissioned by ZYXEL in one of the next firmware releases. The interface is using Java and it's a lot of work to stay up-to-date, and the performance is not like the SSL client on a device.
    See the following information by ZYXEL:


    SSL VPN (SecuExtender)

    SecuExtender, the ZyXEL SSL VPN technology, works on both Windows and Mac operating systems. For Windows users, SecuExtender is free from pre-installation of a fat VPN client. ZyXEL security appliances will push VPN client and launch auto-installation while user logs in web-based authentication portal. For Mac users, a lite VPN software is provided to set up secured VPN connection.

     

    IPSec VPN

    The ZyXEL IPSec VPN Client is designed an easy 3-step configuration wizard to help remote employees to create VPN connections quicker than ever. The ZyXEL IPSec VPN client also ensures easy scale-up by storing a unique duplicable file of configuration and parameters. Moreover, VPN configurations and security elements (certificates and pre-shared key, etc.) can be saved on a USB disk in order to remove authentication information from the computer. It's very easy for administrators to control and manage the deployment and security options.


    ---

    Regards
    Christian

  • Horia
    Horia Posts: 33  Freshman Member
    a big thank you to PARNASSUS and CHRISTIAN G. for your highly valuable comments and inputs! They help me a lot!

    @parnassus
    I wasn't aware there are two versions of the USG20W (with and without -VPN in the name). I will be attentive about that...

    @ChristianG
    yes, the Austrian modem is supporting the "bridge" mode. I will test the configuration in both modes, but presumably it is better to use the ISP-router in bridge mode (only as a modem).

    regarding connections through SSL or IPsec, as we will connect to the VPN only occasionally (to check the states of the two small servers) I think it will not be a problem if there are just a limited number of VPN-connections permitted (however, I would buy only the newer version of the USG20W-VPN, not the old one).
  • DennizOlof
    DennizOlof Posts: 20  Freshman Member
    Horia, if you are going to buy a Zyxel device, go for the new generation USG 40, USG60 with or without wireless. They have a more powerful CPU and much better throughput than the older USG 20 with or without wireless. Also the older USG 20 with or without WiFi, only does about 50Mbit on WAN to LAN or LAN to WAN as a basic firewall with no special features turned on.

    Also the setup for wireless is different on USG40, USG60 etc compared to the older versions, there is a video on the zyxel site that shows you what to do to get it up and running.

    I have used a Zyxel 35 on my xDSL line back in the day, if I remember I tested it on my 100Mbit line and you only get about 40Mbit throughput, with the basic firewall. No inspection stuff turned on. It worked fine when I only had 8Mbit xDSL.

    The current Zyxel USG 100 I have running I get just about 95Mbit throughput, same as above with no special things enabled. The new lineup, Zyxel USG 40W does about 200Mbit throughput without any special rules. I have the Zyxel USG 60w and it should be about double the performance, about 400Mbit throughput, but I have not been able to test it.

    Forget the specifications Zyxel posts because that is just in theory, real world tests show something else. Also remember the speeds I have posted are from LAN to WAN or WAN to LAN without any additional functions. Just the basic firewall. When you use antivirus, VPN and other things the speed drops even more. Something to think about depending on what your use is.

    The best part of next generation USG40 and USG60 (with or without WiFi) is that they have passive cooling. Often important for home or office use.

    Hope that helps you decide which product to get.
  • Horia
    Horia Posts: 33  Freshman Member
    edited November 2017
    @DennizOlof
    thanks a lot for your kind and extended recommendations!
    Yes, indeed, I also observed the passive cooling (I heard the old ones had very noisy fans).
    But it is good to know about the speed, and especially about the setup. If it became simpler or more logical, it is a good reason to buy the new series.
    Otherwise, my speed requests are not important, as I would use the outgoing traffic without any special filtering, etc., and for the VPN I would need only occasionally to check the state of two servers in the internal LAN, which do not need high data throughput.
