[BEST PRACTICE] Firewall Maintenance, Config Protection and CVE Attack Mitigation

[We recommend reading this article carefully and completely; take your time]

Zyxel assists administrators with their responsibility to keep a firewall installation optimally protected, to use the existing basic and advanced firewall security features, and to protect their devices as well as possible against unexpected Common Vulnerabilities and Exposures (CVEs) and attacks.

We live in a world where updates and maintenance are our daily job in professional IT. Your smartphone loads app updates every day, Google rolls out monthly security patches for smartphones, and Windows has its patch day too. A firewall also needs the attention it requires from time to time.

Firewall Setup and First Installation

Security Tuning - Optimize the system-default configuration!

Maintenance - Take care of your firewall

CVE Attack Mitigation

Support Insights - Further Security and Optimization Tips


Nebula - Ways to stay up to date and benefits


Firewall Setup and First Installation


Firmware Upgrade

The first step, once you receive your device, should be to upgrade its firmware to the latest release. Our Quick Start Installation Wizard will assist you in getting the latest update installed.

Admin User Password Change

You should change the password of the Admin user. The device will prompt you to change it. We suggest using a password of at least 8 characters, including numbers and special characters.

Security Tuning - Optimize the system-default configuration

The system-default configuration file already includes some protection, but you can adjust it to your needs to be even better protected.


WAN to ZYWALL

The Security Policy rule "WAN to ZyWALL" makes it easy to access your device from a remote location and to use the VPN services on your device. However, the default "Source" is "any", which means that potentially everyone in the world is able to reach your device.

1.) Object > Service > Service Group > "Default_Allow_WAN_To_ZyWALL"

a) To modify the rule, we suggest adding another HTTPS port, for example "7592", and removing every service port you don't need (remove the VPN ports if you don't use VPN).

b) Set up another HTTPS port [Don't lock yourself out of your remote session]
If you remove "HTTPS" (443) from the WAN to ZyWALL group and add your own port, make sure to update the Web-Management port too. See: Changing the HTTPS-Port of the USG

2.) Security Policy > Policy Control

Check the rule "WAN to ZyWALL" and add an "IPv4 Source" to it. That way you control which IP addresses, FQDNs or geographic locations are allowed to access your device or use VPN.

For example:
The firewall Setup Region is: Germany (Geo-IP, license-free)
Your VPN Region is: Austria (Geo-IP, license-free)
Your VPN Site2Site Tunnel Remote IP is: 1.1.1.1 (IP-Address Object)
To maintain the firewall, your "Office" IP is a static IP: 2.2.2.2 (IP-Address Object)

Now that you know your firewall requirements, your partners and the regions you operate with, you can create "Object > Service > Address" and "Object > Service > Address Group" objects to build a group of allowed sources and bind that group to your firewall rule "WAN to ZyWALL" as the Source.

This is a big step towards protecting your device from being "openly available" to port scanners, the whole Internet, regions you do not want to have GUI access to your device, and many other scenarios.

We know this does not always work. For example, remote VPN clients or international companies may require dynamic IP ranges and more, but you should try your best. A-words in a firewall configuration are never good: avoid "Any, Allow, All, Always". Be as specific as possible, and if you can only enable at least 1 feature like Geo-IP, that is better than nothing. See: How to use the Geo-IP feature

Maintenance - Take care of your firewall

If you support your firewall setup with regular maintenance, your firewall will support you with the best network protection for a long time, with less chance that a recovery will be needed during the device's lifetime.


Firmware Upgrades

Maintaining many devices also means more maintenance time. Keeping your devices up to date is one of the most urgent parts. The regular release cycle for Zyxel devices is every 3 months. In addition, we have monthly bug-fix updates for our experienced customers called "Weeklys": Weekly Firmware / Support Version / Lab Version. [A Weekly will show a warning notice. Don't worry when you upgrade to FCS next time; just download the FCS firmware from www.myzyxel.com and upgrade.]

Zyxel always delivers bug-fix updates and performance improvements and protects its devices against security issues and reported CVEs. If we fix security issues, such updates are mandatory and should be installed as soon as possible after release.

Our devices have 2 firmware partitions. Both should be upgraded in rotation, so that they run either the same firmware version or versions at most 1 release apart. Let's look at an example.

Partition 1 > v5.36 Patch 2 [Running]
Partition 2 > v5.36 Patch 1 [Standby]
The next update, "5.37", should be installed on Partition 2 (Standby).

With an installation to the "Standby" partition, your current configuration file is automatically "copied" from "Running" to "Standby", which means you have a 2nd backup. Also, if any issue happens with the newest upgrade, you can simply boot Partition 1 again (previously Running, now Standby) to get your previous firmware (ideally only 1 version older) back with the same configuration.

Avoid making the following mistakes:

  • Do not always upgrade only the "Running" partition. After some time (maybe 2 years) the firmware on the other partition is so old that if you reboot to it, or have any need to do so, it may be incompatible with current browsers, it may contain known security issues, or your configuration may not convert correctly because too many feature changes were skipped between upgrades.

  • Do not skip firmware updates. We release upgrades because they are needed. Plan your time to execute the updates or use the "Auto Upgrade" feature.
    Firmware Update\Upgrade Procedure USG/ATP/VPN
    How to upgrade USG devices via cloud-service

    Even if you see that we only added a few bug fixes or improvements, we still optimize Linux modules and update other integrated tools, so we recommend not skipping updates.

  • Received a Security Advisory e-mail from Zyxel? Read it and take action! If we send out a Security Advisory, it is not just another mail to delete. It is proactive information you should take seriously to protect the firewall you set up on some network. A device that is not updated has a real chance of being compromised after some time if the upgrades we provide are ignored.


CVE Attack Mitigation

Exploits of CVEs, especially those giving root access, are always annoying and bring trouble into the network. Zyxel publishes all reported CVEs affecting its firewalls. We act proactively with security researchers and fix the issues with firmware upgrades before it is too late.


How can I know if my device has been compromised before?

If you apply our firmware versions, which usually come out 2 weeks before the CVE is published, you are always safe and do not need to take further action here. We work closely with researchers and the CVE authorities, and our bug fixes are always released before the CVE is published.

However, if the device is updated too late or has not received an upgrade for a long time, and you did not proactively adjust the configuration to restrict how a potential attacker can reach your device from the WAN, there is still a rare chance, depending on the CVE severity score, that the device has been compromised.

Therefore, it is important for admins to check a "forgotten" firewall device with open eyes and cross-check everything.

Did you know? All CVEs are always published in this article. Just click "Follow" to get an automatic notification once it is updated: Zyxel Security Advisories CVE


Some examples:

  • Check whether there are "Admin Accounts" on your device that you did not create yourself. If someone else created an admin account, delete it. Zyxel offers a feature during the login process that shows the "Admins" whose passwords need to be changed. The only admin our devices have by default is "admin".
  • Check your latest configuration backup "startup-config.conf": if its file size differs from the current configuration and you did not make any modification, it may be an unauthorized configuration change.
  • Check the "CPU" process page. It shows the CPU load of the top 10 processes. If you find an abnormal process or a process using high CPU, your device may be under attack or a system feature may be unstable; get in touch with our Support Team to clarify if you feel something doesn't look the way it should.
  • Keep your eyes open! If anything doesn't look as expected, it can be a bug, but especially if you are on a quite old firmware version because you read this article too late, you should check everything carefully. For example: Is there more traffic on the WAN? Is anything slower than usual? Do I see configuration I didn't make?
  • Your ISP may get in touch with you. Many ISPs have already established monitoring systems to find abnormal behavior in the network, for example the quite popular "Open DNS Resolver" check. If you have an infected device in your network, you may receive information from your ISP and can take action.

[If your device shows abnormal behavior related to any CVE, make sure to change admin passwords, VPN keys, Wi-Fi PSKs, and other sensitive information]

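As an added example (not part of the original article) of the backup cross-check described above: the script compares a saved "startup-config.conf" backup with the current configuration by size and hash, and when they differ, it diffs them and flags added lines that create an admin-type user, add a service to a service group, or change the management port. The two configurations are constructed samples that imitate the CLI command style of a Zyxel config export; they are not taken from a real device.

```python
import difflib
import hashlib
import re

# Constructed sample of a known-good backup (startup-config.conf) and the
# configuration currently on the device. The lines imitate the CLI command
# style of a Zyxel ZLD config export but are made up for this example.
BACKUP_CONF = """\
username admin password $1$example-hash user-type admin
ip http secure-port 7592
object-group service Default_Allow_WAN_To_ZyWALL
 service-object HTTPS_7592
 service-object IKE
"""

CURRENT_CONF = """\
username admin password $1$example-hash user-type admin
username support2 password $1$other-hash user-type admin
ip http secure-port 7592
object-group service Default_Allow_WAN_To_ZyWALL
 service-object HTTPS_7592
 service-object IKE
 service-object SSH
"""

# Added lines a defender wants flagged when no change was made on purpose.
# Assumption: indented "service-object" lines belong to the service group above.
SUSPICIOUS = {
    "new admin account": re.compile(r"^username\s+\S+\s+.*\buser-type\s+admin\b"),
    "service added to a service group": re.compile(r"^\s+service-object\s+\S+"),
    "management port changed": re.compile(r"^ip http secure-port\s+\d+"),
}

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()
def compare_configs(backup, current):
    """Return (changed, findings); findings is a list of (reason, added line)."""
    if len(backup) == len(current) and sha256(backup) == sha256(current):
        return False, []          # same size and same hash: nothing to review
    findings = []
    diff = difflib.unified_diff(backup.splitlines(), current.splitlines(), lineterm="", n=0)
    for line in diff:
        if not line.startswith("+") or line.startswith("+++"):
            continue              # only lines added since the backup are checked
        added = line[1:]
        for reason, pattern in SUSPICIOUS.items():
            if pattern.search(added):
                findings.append((reason, added.strip()))
    return True, findings
```

Run against the samples, the script reports the configuration as changed and lists the unexpected "support2" admin account and the SSH service added to the WAN to ZyWALL group; every flagged line is a change to confirm against your own change records.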

Support Insights - Further Security and Optimization Tips

Zyxel offers a variety of assistance tools to keep your device up and running with the latest firmware version and the best available security. Make use of them.

  • Change your password regularly. We recommend doing it every 6 months at the latest.
  • A "Password Change Reminder" will pop up if your password has not been changed for a while, and after EVERY firmware update.
  • A "Security Check" will pop up when you log in if you have not done any of the above-mentioned protection steps. It can assist you in changing your HTTPS port, SSL VPN port, and further personalized optimizations to increase your firewall's security level.
  • Checking Monitor > Logs can help identify abnormal traffic to your firewall. You can block such "scans or login attempts" by adding firewall rules that block the unknown IP addresses.
  • Back up your configuration file regularly.


Nebula - Ways to stay up to date and benefits

Nebula already includes a more intelligent strategy for firmware upgrade handling. You can choose between the "Latest" and "Stable" version, where Latest is the absolute latest release and is converted into "Stable" after some roll-out time. So a "Stable" can be the latest release, but if we find abnormal behavior, Stable may also be 1-2 versions behind the latest firmware.


Nebula also upgrades the devices in rotation, as described for on-premise devices above. That means each upgrade is applied to the Standby partition and the partitions are then switched, which keeps the device up to date and allows automatic recovery (booting the previous partition) in case of an error.

Another benefit of Nebula is the "Forced Firmware Upgrade" in case a critical security issue happens. The devices will be auto-upgraded in a specific time frame (mostly Sunday nights) to keep even "forgotten" devices or devices without maintenance up to date without delay.


Best Practice Security Information: June 2023