Zyxel Firewall series from firmware version 5.35
A firewall is the first line of defence against attackers from the Internet. It protects the local network from unauthorized access and is an essential part of a security concept. But what if the firewall itself becomes the target of hacker attacks and can therefore become a potential threat? The following guide describes how the possibilities for attacking the firewall itself can be restricted.
1. Policy Control
2. Anomaly Detection and Prevention
3. Remote Management via HTTPS
4. Two-Factor-Authentication
5. Alert Logs
6. Automatic Firmware Updates
7. Sensitive Data Protection
1. Policy Control
As few users as necessary should have access to the firewall. To ensure this, it is advisable to restrict access rights as much as possible.
Configuration > Security Policy > Policy Control
The ZyWALL zone has a special role. It contains all interface addresses of the firewall itself, and rules can only be created for this zone.
For example, the default address 192.168.1.1 does not belong to the LAN1 zone but to the ZyWALL zone.
With the default settings, access to the firewall is mainly open. Therefore, these should be further restricted.
Restricting Policy Control Rules
Firewall rules can be restricted based on several criteria. Mainly three criteria are helpful for firewall access:
1. IPv4 source (address objects)
2. service
3. user
These elements are created as objects.
Address-objects
There are basically three types of address objects. These are:
1. IP addresses
2. FQDN addresses
3. GeoIP addresses
Address objects can be grouped. However, it is not possible to mix different address types.
Configuration > Object > Address/Geo IP > Address
1.1 IP addresses
IP addresses should be used whenever possible, as they are unique. There are several types of IP addresses:
1. host > this describes a single IP address
2. range > This can be any range defined by the start and end address
3. subnet > this can be created by entering a subnet mask or CIDR (e.g. /24)
4. interface IP > takes over the IP address of an interface and adapts dynamically
5. interface subnet > takes over dynamically the subnet of an interface
6. interface gateway > takes over the gateway of an interface of the type WAN or general.
Host, Range, Subnet
The address types Host, Range and Subnet are particularly suitable as IPv4 sources. If access is made from the WAN, the public IP address of the remote station is specified.
From a LAN, these objects can be used to create groups with different authorizations.
Interface IP
This object can be used if access is only possible on a specific IP address. For example, if there are 2 WAN interfaces, but a service should only be available on one interface, the interface IP can be entered in the policy control rule as an IPv4 destination.
Interface Subnet
This address type is suitable if uniform rules are to be created for a local interface (e.g. LAN1).
Interface Gateway
This address type is not relevant for access to the firewall.
1.2 FQDN objects
With FQDN objects, a name can be entered instead of an IP address, e.g. www.mydomain.com. This entry type is particularly suitable if access is made from the WAN and the remote station does not have a static public IP address. A DynDNS name can be used instead of the IP address in this case. For FQDN objects, a fast DNS server is required. Wildcard entries such as *.mydomain.com are also possible. However, wildcard entries cannot be used to restrict access to the firewall.
1.3 Geo IP addresses
Geo IP can be used to create country- or region-based objects. The service uses an external database and should be updated regularly. Geo IP does not offer reliable protection, as the source address can be manipulated very easily using freely available VPN services.
Service objects
Service objects are used to define which services are granted or denied access in the policy control settings. The services can be grouped. The services can also be used elsewhere, e.g. in policy routes and NAT entries.
In addition to the standard service objects, there are some particular objects. These are the objects "Wiz_2FA, Wiz_HTTP, Wiz_HTTPS and Wiz_SSLVPN". The port of these services adapts automatically when it is redefined in the corresponding menu.
Configuration > Object > Service
User
Configuration > Object > User
There are different types of users.
Admin - can make changes to the configuration
Limited-admin - can access the configuration but cannot make any changes
User - can authenticate using 2FA
Guest - can log on to the firewall
Ext-user/ext-group-user - can authenticate to an external server.
Built-in users are predefined users that cannot be deleted and are intended for specific purposes.
Users should be defined so that they have only the necessary permissions.
Typically, VPN or 802.1x users are defined as user-type Users.
Login Security
Defines if and in which period passwords have to be changed and if password complexity is required.
User Login Settings
Defines how many times a user can log in at the same time. If the limit is set to "1", an administrator may lock himself out.
User IP Lockout Settings
The entries define how often a wrong password entry is allowed until the user is blocked for a certain period. This setting protects against brute force attacks.
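To make the lockout mechanism concrete, the following is an added example (not Zyxel code) that models the two settings described above, a maximum retry count and a lockout period, as a small per-IP state machine. The parameter names, the `IpLockout` class and the sample addresses are constructed for illustration; the edge cases it handles are the ones an administrator runs into: a correct password during the lockout period is still rejected, and the counter resets only after the period expires or after a successful login.

```python
"""Per-source-IP login lockout, modelled on the retry-count / lockout-period
settings described above. Added example, not Zyxel's implementation."""
import time


class IpLockout:
    """Track consecutive failed logins per source IP.

    After `max_retries` consecutive failures the IP is locked for
    `lockout_seconds`; during that time every attempt is rejected,
    including attempts with the correct password.
    """

    def __init__(self, max_retries=5, lockout_seconds=1800, clock=time.monotonic):
        self.max_retries = max_retries
        self.lockout_seconds = lockout_seconds
        self.clock = clock                 # injectable for testing
        self._failures = {}                # ip -> consecutive failure count
        self._locked_until = {}            # ip -> clock value when lock expires

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:          # lockout period over: forget the history
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, password_ok):
        """Process one login attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip):
            return "locked"
        if password_ok:
            self._failures.pop(ip, None)   # success resets the counter
            return "ok"
        count = self._failures.get(ip, 0) + 1
        self._failures[ip] = count
        if count >= self.max_retries:
            self._locked_until[ip] = self.clock() + self.lockout_seconds
            return "locked"
        return "failed"


def simulate():
    """Constructed scenario: three wrong passwords, then the right one."""
    now = [0.0]
    lock = IpLockout(max_retries=3, lockout_seconds=60, clock=lambda: now[0])
    ip = "203.0.113.7"                     # constructed source address
    results = [lock.attempt(ip, False) for _ in range(3)]   # failed, failed, locked
    results.append(lock.attempt(ip, True))                  # still locked
    now[0] = 61.0                                            # lockout period expired
    results.append(lock.attempt(ip, True))                  # ok
    return results


if __name__ == "__main__":
    print(simulate())
```

The same structure explains the warning about locking yourself out: once the counter reaches the limit, nothing an administrator enters from that address is accepted until the period has elapsed.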
Recommended Policy Control Rules
From: WAN To: ZyWALL
It is strongly recommended to close all services that are not specifically needed.
Frequently needed services:
IPSec VPN (IKEv1, IKEv2, L2TP):
ESP, IKE, NATT, (L2TP-UDP).
SSL VPN:
Wiz_SSLVPN
2-factor authentication for VPN:
Wiz_2FA
Remote access via HTTP/HTTPS:
Wiz_HTTP, Wiz_HTTPS
To avoid security risks as far as possible, remote management is ideally carried out via IPSec VPN. The source addresses should be restricted if possible. SSL VPN is not recommended, as this offers a possible attack vector via SSL.
Remote access over HTTPS:
If remote access via HTTP/HTTPS is required, the source address should always be restricted to an IP address or FQDN. GeoIP as a source address is not secure and offers significant potential for attack. For HTTPS management, it is recommended to use an alternate port.
From: VPN zone To: ZyWALL (client-to-site)
By default, all ports are open. In most cases, only a few services are required. These are, e.g. DNS and L2TP-UDP. For other services, access should be blocked. If remote management via client-to-site VPN is desired, access to the firewall can be restricted to one user. However, this only works if the user has already logged on to the firewall when the tunnel was set up.
From: LAN To: ZyWALL
Here, too, access rights should be limited. Full access to the firewall should only be granted to a special management LAN or individual administrator IP addresses. For some services to work correctly, access to the firewall must be granted. This includes DNS, multicast, Radius-Auth, NetBIOS, SNMP, SSO, etc. Which accesses are effectively required depends heavily on the network topology and technologies used.
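The recommendations for the WAN-to-ZyWALL rule set above can be checked mechanically. The following is an added example (not Zyxel code and not an export of a real rule table): a small audit over a constructed list of policy-control rules that flags management services reachable from an unrestricted or GeoIP source, exposed SSL VPN, services outside the "frequently needed" list, and a rule set that does not end with an any/any deny. The `Rule` class, the field names and the sample rules are constructed; the zone, service and address-type names follow the guide's terminology.

```python
"""Audit a Zyxel-style policy-control rule set against the guidance above.
Added example, not Zyxel code; the Rule class and sample table are constructed."""
from dataclasses import dataclass

# Services the guide lists as frequently needed from WAN to ZyWALL.
VPN_SERVICES = {"ESP", "IKE", "NATT", "L2TP-UDP"}
# Management services that must never be open to an unrestricted WAN source.
MGMT_SERVICES = {"Wiz_HTTP", "Wiz_HTTPS", "Wiz_SSLVPN"}
# 2FA needs to be reachable from WAN by design; it is accepted but not treated as management.
AUTH_SERVICES = {"Wiz_2FA"}
# Source object types the guide accepts for restricting management access.
STRONG_SOURCE_TYPES = {"host", "range", "subnet", "fqdn"}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    source: str       # address object name, or "any"
    source_type: str  # host | range | subnet | fqdn | geoip | any
    service: str      # service object name, or "any"
    action: str       # "allow" or "deny"


def audit_wan_to_zywall(rules):
    """Return a list of findings for the rules from WAN to the ZyWALL zone."""
    findings = []
    wan_rules = [r for r in rules if r.src_zone == "WAN" and r.dst_zone == "ZyWALL"]
    for r in wan_rules:
        if r.action != "allow":
            continue
        if r.service == "any":
            findings.append(f"{r.name}: allows every service from WAN to the firewall")
            continue
        if r.service in MGMT_SERVICES and r.source_type not in STRONG_SOURCE_TYPES:
            findings.append(f"{r.name}: {r.service} reachable from {r.source_type!r} source; "
                            "restrict to an IP address or FQDN")
        if r.service == "Wiz_SSLVPN":
            findings.append(f"{r.name}: SSL VPN exposed; IPSec VPN is preferred")
        if r.service not in VPN_SERVICES | MGMT_SERVICES | AUTH_SERVICES:
            findings.append(f"{r.name}: {r.service} is not a typically needed service; "
                            "confirm it is required")
    # Everything not explicitly allowed should be closed: expect a final any/any deny.
    last = wan_rules[-1] if wan_rules else None
    if last is None or not (last.action == "deny" and last.service == "any"
                            and last.source == "any"):
        findings.append("WAN->ZyWALL: rule set does not end with an any/any deny rule")
    return findings


# Constructed sample rule set, in evaluation order.
SAMPLE_RULES = [
    Rule("VPN_IKE", "WAN", "ZyWALL", "any", "any", "IKE", "allow"),
    Rule("VPN_ESP", "WAN", "ZyWALL", "any", "any", "ESP", "allow"),
    Rule("VPN_NATT", "WAN", "ZyWALL", "any", "any", "NATT", "allow"),
    Rule("Admin_HTTPS", "WAN", "ZyWALL", "Admin_Office", "host", "Wiz_HTTPS", "allow"),
    Rule("Admin_HTTP_open", "WAN", "ZyWALL", "any", "any", "Wiz_HTTP", "allow"),
    Rule("SSLVPN_CH", "WAN", "ZyWALL", "Geo_CH", "geoip", "Wiz_SSLVPN", "allow"),
    Rule("LAN_DNS", "LAN1", "ZyWALL", "any", "any", "DNS", "allow"),
    Rule("WAN_deny_rest", "WAN", "ZyWALL", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for finding in audit_wan_to_zywall(SAMPLE_RULES):
        print("-", finding)
```

On the sample table the audit reports the open HTTP rule once and the GeoIP-restricted SSL VPN rule twice (weak source, and SSL VPN itself); the LAN1 rule is outside the scope of this check and is ignored.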
2. Anomaly Detection and Prevention (ADP)
Configuration > Security Policy > ADP
ADP provides protection against port scans and unusual network behaviour. Activating ADP with the default profile from the WAN zone is recommended. Individual adjustments can be made to the profile if problems occur.
In individual cases, ADP can affect certain services. This applies in particular to flooding detection. For this reason, flooding protection can be deactivated for individual services, e.g. NATT. Such a setting is only helpful if problems occur.
3. Remote Management via HTTPS
Some specific settings in the WWW settings have a direct impact on system security.
Configuration > System > WWW
Server port
The standard port 443 should not be used for remote management, as this is always scanned during automated attacks. Frequently used alternative ports (e.g. 8443) are also not ideal.
Redirect HTTP to HTTPS
All HTTP calls to the GUI are redirected to HTTPS. Attention. This setting must not be enabled if Web Authentication is used. In all other cases, this option should be enabled.
Admin Service Control
Here you can set who may have administrator access to the firewall. It is best to restrict access to individual IP addresses. Only IP addresses are allowed as address objects. As the last rule (rule 5 in the example), an ALL/ALL/deny rule should be created. Care must be taken when creating the rules so as not to lock yourself out: the accept rules must be created first, and the deny rule last.
User Service Control
The user service control defines which clients can authenticate to the firewall.
The rule is relevant for SSL-VPN, 2-FA, VPN Configuration Provisioning and WEB-Authentication.
If this is not used, a deny rule can also be set.
Authenticate Client Certificates
If the Authenticate Client Certificate option is enabled, the client must authorize itself with a valid certificate. Otherwise, a connection will be denied. This applies to access via HTTPS and SSL VPN. VPN Configuration Provisioning with SecuExtender does not work if this option is enabled. However, calling the 2FA window is still possible without a certificate.
For a certificate to be trusted by the firewall, the certificate authority's chain of trust must be installed. This usually includes a root and intermediate certificate. The firewall trusts every certificate with a valid certificate chain as well as its own self-signed certificates. It should be noted that some browsers reject self-signed certificates on principle (currently Firefox-based browsers). The client certificate does not have to be installed on the firewall.
Configuration > Object > Certificate > Trusted Certificates
4. Remote management services
Configuration > System
There are several services on the firewall that are rarely or never needed. These services can be disabled completely.
SSH
For example, this service can be used when configuration changes are performed with an automatic script. If SSH is not used regularly for administration, the service can be disabled. The Web Console can also be used instead of SSH for CLI input.
TELNET
It is not needed in most cases and can be disabled.
FTP
Via FTP, e.g. the firmware can be updated, or configuration files can be downloaded. FTP must be activated if HA-Pro is in use. If this is not the case, FTP can be deactivated. If the service is needed sporadically, it can be activated temporarily.
SNMP
The service is needed for network monitoring and is required for solutions like PRTG. If the network is not monitored, the service can be deactivated.
ZON
Enables information exchange with neighbouring devices (model, name, firmware, MAC address, IP address) via LLDP as well as with Zyxel's software ZON in the same LAN. The service is not required for regular operation.
VPN
IPSec Site-to-Site VPN
When using site-to-site tunnels, a peer gateway address should be entered whenever possible. If the remote site has a dynamic IP address, a DynDNS name can also be used. A DynDNS name can also be used if the remote site is behind a NAT/CG-NAT. In this case, it is important that the connection is established from the remote side and that the DynDNS service synchronizes the public IP address.
For authentication, a certificate is better than a PSK. The following has to be considered:
1. The used certificate can be a Self-Signed Certificate but must be stored on the remote side under "Trusted Certificates".
2. An own certificate is created on each side.
3. The local ID type is taken from the certificate and must be entered identically as the peer ID on the other side.
4. The recommendation for the maximum SA lifetime is 86400 seconds in the VPN gateway and 14400 seconds in the VPN connection.
5. The following settings are recommended as a minimum for VPN encryption: AES256 / SHA256 / DH15. This applies to the VPN gateway as well as the VPN connection.
Extended Authentication Protocol is also possible for site-to-site tunnels. However, the registered user is not logged on to the firewall when the connection is established.
IPSec Client-to-Site VPN
For client-to-site VPN, IKEv2 with the certificate and Extended Authentication Protocol is recommended.
Configuration Payload is mandatory in the VPN connection.
After the connection is established, the client is logged on to the firewall with the user. For any admin access to the firewall, the corresponding admin user can thus be stored in the policy control.
L2TP-VPN
The use of an L2TP VPN is not recommended. IKEv2 can be used instead.
SSL VPN
Due to performance and possible security issues, SSL VPN is not recommended. However, since this is popular due to the ease of configuration, the following should be considered:
Configuration > VPN > SSL VPN > Global Setting
The use of a separate port for SSL VPN is mandatory. Under no circumstances should port 443 be used.
Security is significantly increased by using a certificate for authentication. The configuration is described under "Remote Management via HTTPS > Authenticate Client Certificate".
In the Policy Control, it is advisable to restrict the Source IP for the access from WAN to ZyWALL for the service Wiz_SSLVPN. At least to a GeoIP, better to an FQDN or an IP address.
Also, administrator access to the firewall from the SSL-VPN zone can be restricted to the admin user. This is possible because the user already logs on to the firewall during tunnel setup.
Regular users do not need access to the firewall from the SSL VPN zone. It is sufficient if typical services such as DNS are allowed here.
5. Two-Factor-Authentication
Two-factor authentication is recommended for Admin Access, preferably with Google Authenticator.
The setup for 2FA must be done separately for each user. The Google Authenticator method is recommended. Note that users who do not have 2FA set up can still log in without additional authentication. For this reason, 2FA offers only limited protection.
2FA can also be enabled for VPN access.
A dedicated port is always used for authentication (object Wiz_2FA).
Different methods are available for sending the link. Ultimately, however, all methods open a link to the web GUI.
Since the web GUI must be reachable from the WAN for 2FA, there is also a potential attack risk here. For this reason, this function should be used with caution.
How to set up two-factor authentication is described in our other article:
Two-Factor Authentication with Google Authenticator for Admin Access
6. Alert Logs
For some options, it may be helpful to set up an alert log. In this case, an email notification can be triggered immediately when an event occurs. This makes sense, for example, when an administrator logs in, especially for firewalls that are only monitored at irregular intervals.
Configuration > Log & Report > Log Settings
7. Automatic Firmware Updates
Care should always be taken to ensure that the firewall firmware is up to date. For systems that are actively maintained, updates can be performed manually. However, in reality, it is often the case that this is neglected, and firewalls with known security vulnerabilities are not updated over a long period.
Especially in environments of this type, it is recommended to activate automatic updates for security reasons.
Maintenance > File Manager > Firmware Management
8. Sensitive Data Protection
As of firmware version 5.35, passwords can be encrypted with a custom key instead of the default algorithm. Other passwords still use the default method. The function also protects against reading user passwords from configuration files with the help of hacking tools.
Maintenance > File Manager > Configuration File > Configuration > Sensitive Data Protection
If such a configuration file is to be restored onto a firewall, this is only possible with the key.