This article looks at the best-practice setup for the ATP in a networking environment.
As an example, we take a school environment that we need to secure properly with:
ADP, IDP, Content-, DNS- and Web filter, Anti-Virus, Anti-Malware, Sandboxing, CDR and Reputation Filter.
Our topology for this will be a school network.
We'll assume the following:
We have a school network with the following subnet:
| Parameter | Value |
| --- | --- |
| IP Address | 10.10.8.0 |
| Network Address | 10.10.8.0 |
| Usable Host IP Range | 10.10.8.1 - 10.10.15.254 |
| Broadcast Address | 10.10.15.255 |
| Total Number of Hosts | 2,048 |
| Number of Usable Hosts | 2,046 |
| Subnet Mask | 255.255.248.0 |
| Wildcard Mask | 0.0.7.255 |
| Binary Subnet Mask | 11111111.11111111.11111000.00000000 |
| IP Class | B |
| CIDR Notation | /21 |
| IP Type | Private |
Now let's look at the different UTM Services and set them up according to our best practice.
- App Patrol
- Content Filter
- DNS Content Filter
- Anti-Malware
- Reputation Filter
- IPS (Intrusion Detection, Prevention)
- Sandboxing
- CDR
- ADP
App Patrol:
We already have a "default_profile", which already covers encrypted and anonymised Tunneling.
We also want to block Gaming and Social Media (such as Facebook and Instagram).
- Click on "Query Result".
- We now choose "
- Repeat the above Steps but choose "Search Application(s) By Name."
- Search for Facebook and Instagram and click on
- Now we need to change the "Action" to "drop". Go to "My Application" > choose all Applications and click "Action" and choose "drop" > "Save & Exit".
- Now the ATP asks if you want to add the Profile to a Security Policy.
- Choose "Yes"
- In our case, we are using LAN2, so we choose the "LAN2_Outgoing".
Content Filter:
Here we will set up a new Profile.
- Click on add
- Give it a Name and click "Enable Content Filter Category Service."
- Choose the Categories you want to block and click on "OK."
- As with the App Patrol before, apply the Profile to the Security Policy.
DNS Content Filter:
We now set up the DNS Content Filter:
- Click on the "DNS Content Filter" Tab.
- Go to "Add"
- Please give it a Name
- Under "Clone Categories Settings from Profile", choose the Content Filter Profile we created earlier.
- Click on "Clone" and "OK"
- As before, add it to the Security Policies. This Time we also add it to the "LANX to Device."
Anti-Malware:
Now let's set up the Anti-Malware.
There is already a basic Security setup by default.
We are going to enhance it.
- We leave the Hybrid Mode as it is
- Under "Advanced"
- We choose all available file types and add them to the list.
- "Destroy infected file" means that the client will still download the file, but the firewall will inject random "0" into the binary stream. This results in a destroyed file.
- If you choose " that means that, for example, clean (password-protected) archives would also be destroyed, since we could not unpack them.
- Click on "Apply"
Reputation Filter:
When it comes to the Reputation Filter (enabled by default), we need to consider that we are talking about 3 Aspects:
- IP Reputation
- DNS Threat Filter
- URL Threat Filter
The Settings here are (by default) to block everything, and we should leave them that way.
You can add an external Blocklist to the "IP Reputation" and "URL Threat Filter" if you wish.
"IP Reputation":
- The external blocklist file must be in text format (*.txt), with each entry separated by a new line.
- External blocklist entries can consist of single IPv4 / IPv6 addresses, IP address ranges, or CIDR (Classless Inter-Domain Routing) entries such as 192.168.1.1/24 or 2001:7300:3500::1/64. These are some examples for your reference only:
- 4.4.4.4
- 192.168.1.0/32
- If the external blocklist file contains any invalid entries, the Zyxel Device will not use the file.
- The external blocklist file can contain up to 50,000 entries. A warning message displays when the maximum is reached.
"URL Threat Filter":
- The external blocklist file must be in text format (*.txt), with each entry separated by a new line.
- External blocklist entries can contain a complete URL or a hostname and may contain wildcards. These are some examples for your reference only:
- https://www.zyxel.com/products_services/smb.shtml?t=s (complete URL)
- www.zyxel.com (hostname)
- *.zyxel.* (hostname with wildcards)
- If the external blocklist file contains any invalid entries, the Zyxel Device will not use the file.
- The external blocklist file can contain up to 50,000 entries. A warning message displays when the maximum is reached.
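Because a single invalid entry makes the device discard the whole file, it pays to validate a blocklist before uploading it. The following checker is an added example (not Zyxel's own code): it applies the two sets of rules above, for the "IP Reputation" and the "URL Threat Filter" file, and also flags the 50,000-entry cap. The accepted syntax is assumed from the bullet lists only (for instance a dash-separated "start-end" IP range), and the sample lists are constructed.

```python
import ipaddress
import re

MAX_ENTRIES = 50_000  # cap stated for the external blocklist file

# Assumed shapes: a complete http(s) URL, or dot-separated hostname labels
# where '*' may stand in as a wildcard (e.g. "*.zyxel.*").
_URL_RE = re.compile(r"^https?://[^\s/]+(/\S*)?$")
_LABEL_RE = re.compile(r"^[A-Za-z0-9*](?:[A-Za-z0-9*-]*[A-Za-z0-9*])?$")


def valid_ip_entry(entry: str) -> bool:
    """Single IPv4/IPv6 address, CIDR block, or 'start-end' range (assumed form)."""
    try:
        if "-" in entry:
            start, end = (p.strip() for p in entry.split("-", 1))
            a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
            return a.version == b.version and a <= b
        if "/" in entry:
            # strict=False: the page lists 192.168.1.1/24 (host bits set) as valid
            ipaddress.ip_network(entry, strict=False)
            return True
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def valid_url_entry(entry: str) -> bool:
    """Complete URL, hostname, or hostname with '*' wildcards."""
    if _URL_RE.match(entry):
        return True
    return all(_LABEL_RE.match(label) for label in entry.split("."))


def check_blocklist(text: str, kind: str) -> dict:
    """Validate one file's contents; kind is 'ip' or 'url'. Blank lines are ignored."""
    validator = valid_ip_entry if kind == "ip" else valid_url_entry
    entries = [line.strip() for line in text.splitlines() if line.strip()]
    invalid = [e for e in entries if not validator(e)]
    over_limit = len(entries) > MAX_ENTRIES
    return {"entries": len(entries), "invalid": invalid,
            "over_limit": over_limit, "usable": not invalid and not over_limit}


# Constructed sample files: the last line of each one is deliberately broken.
IP_LIST = "4.4.4.4\n192.168.1.0/32\n192.168.1.1/24\n2001:7300:3500::1/64\n" \
          "10.0.0.1-10.0.0.20\n300.1.1.1\n"
URL_LIST = "https://www.zyxel.com/products_services/smb.shtml?t=s\n" \
           "www.zyxel.com\n*.zyxel.*\nhttp//broken\n"

if __name__ == "__main__":
    for name, kind in (("IP_LIST", "ip"), ("URL_LIST", "url")):
        print(name, check_blocklist(globals()[name], kind))
```

Run it against the file you intend to upload; anything listed under "invalid" must be corrected before the device will accept the list.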
IPS (Intrusion Detection, Prevention):
The IPS is also a "one-click module"; usually we can leave the Settings as they are (which we will do in this case).
If needed, you can add custom Signatures or change the behaviour of the IPS for certain Signatures.
Sandboxing:
Sandboxing contains all unknown packets or user patterns in isolation, then emulates the programs to run and identifies whether or not they are malicious.
Sandboxing will update this new malware information via Threat Intelligence Machine Learning to the Cloud-Server if it's malicious.
Here it should be enough to "enable" the Module.
If you want, you can enable the "Inspect Selected Downloaded Files" and select which files should always be considered a threat and be sandboxed first.
CDR:
The Modules above detect outside threats; Collaborative Detection & Response takes care of the inside threats.
CDR can detect Malicious connections or behaviours from clients inside the Network.
- Enable the Feature
- We need to set up the Alert E-Mail. (Please note that under "System > Notifications", you'll need to set up an SMTP Server first.)
- We'll set up the containment VLAN (blocked clients will be pushed there to prevent them from spreading their malicious actions any further). If you're using the ATP as an Access Point controller, you will also be able to completely block Wi-Fi clients.
- Click "Block wireless client."
- Click "Add VLAN"
- Fill the VLAN as a fictive non-existent VLAN
- Choose it as "Quarantine VLAN" and click on "OK"
ADP:
Last but not least, we'll check the ADP (Security Policy > ADP).
The "Anomaly Detection and Prevention" tries to detect currently unknown Threats by means of known Threat patterns.
It is enabled by default, and we usually can leave it, as we will.