Zero Trust - what at first sounds like a very negative thing is actually a security concept which guarantees your network, and therefore your clients, a maximum of security and with it a minimum of compromise in availability. The Coronavirus pandemic, which started by the end of 2019, has shown us a very different and far more flexible way of working. This inherently comes with dangers to business networks: BYOD (Bring Your Own Device) is now much more established in the mindset of employees and employers alike, and there is a shift towards using more cloud services and moving tasks out of the intranet. It's not unusual for networks nowadays to look like this:
With remote home offices, people on the road connecting via VPN, branch sites interconnected with the main site, and different Software-as-a-Service (SaaS) offerings in use, we are utilizing the full technological power of today's networking world.
All of these things open the gate to new security concerns, which in turn have to be specifically addressed. Three pillars are necessary to reach a zero-trust security level:
- Visibility
  - The ability to scan and detect different device types, networks etc.
- Control
  - Clear administrative organization of your network frames how your network is used
- Reaction
  - In case of danger, no compromise: direct countermeasures are taken
All of the changes in today's networking world require a broad palette of different measures, which we associate with the term Zero Trust. In this article, we want to give a starting point for the measures that can be put in place on our firewall solutions to grant you maximum security! However, please note that there is no dedicated "Zero Trust feature"; Zero Trust is rather a concept for managing your network, so we can only give you recommendations and starting points here.
Visibility
By visibility, we mean that the network administrator must be able at all times to find out what is happening in their network. One offering is Device Insight. Device Insight is a powerful analysis tool in our gateway that can find out information about a client such as its IP address, MAC address, operating system, sometimes even the version, vendor and device type. More is to come in the future as technology progresses: the gateway devices not only check locally in their network, but are also supported by a cloud server providing additional information.
This, in theory, gives you the possibility to, for example, only allow MacBooks to connect to the network if you happen to know that your staff is fully equipped with these machines, making it harder for people with malicious intent to get their device into the company network. For more information on this, see the article below:
Device Insight Feature for USG FLEX/ATP/VPN Series
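The MacBook-only idea described above can be expressed as a default-deny check over the attributes Device Insight reports. The following is an added example, not Zyxel code or a gateway export format: the `Device` fields, the `POLICY` values and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed record type: fields mirror the attributes the article lists
# (IP, MAC, vendor, device type, OS, version). Not a Zyxel data format.
@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    vendor: Optional[str]
    device_type: Optional[str]
    os: Optional[str]
    os_version: Optional[str] = None

# Hypothetical policy: staff are equipped with MacBooks only.
POLICY = {"vendor": "Apple", "device_type": "Laptop", "os": "macOS"}

def evaluate(device, policy=POLICY):
    """Return (decision, reasons). An attribute that could not be
    identified counts as a mismatch, so unknown devices are denied."""
    reasons = []
    for field, expected in policy.items():
        actual = getattr(device, field)
        if actual is None:
            reasons.append(f"{field} not identified")
        elif actual.casefold() != expected.casefold():
            reasons.append(f"{field}={actual!r}, expected {expected!r}")
    return ("allow" if not reasons else "deny", reasons)

def review(inventory, policy=POLICY):
    """Map each MAC address to its decision and the reasons behind it."""
    return {d.mac: evaluate(d, policy) for d in inventory}

# Constructed sample inventory (documentation-range MAC addresses).
INVENTORY = [
    Device("192.168.1.33", "00:00:5E:00:53:01", "Apple", "Laptop", "macOS", "14.5"),
    Device("192.168.1.34", "00:00:5E:00:53:02", "Apple", "Smartphone", "iOS"),
    Device("192.168.1.35", "00:00:5E:00:53:03", None, None, None),
    Device("192.168.1.36", "00:00:5E:00:53:04", "Dell", "Laptop", "Windows", "11"),
]

if __name__ == "__main__":
    for mac, (decision, reasons) in review(INVENTORY).items():
        print(f"{mac}  {decision:5}  {'; '.join(reasons) or 'matches policy'}")
```

Fingerprinted attributes describe what a device looks like on the network, not who is using it, so a check like this complements the user authentication covered under Control rather than replacing it.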
Control
Business networks are sensitive infrastructures. As far as possible, you want to avoid "opening the gates" and letting everybody in without checking. Just as you would not simply leave the door to your house open for anyone to enter, you want to be able to decide whether or not a device is allowed to enter the network. For this, we have different options at hand, and combining them gives you the greatest benefit:
- 2-Factor Authentication
  - Utilize the benefits of having not one authentication stage, but two
- User-Authentication via RADIUS/AD
  - Local users can be prompted to validate themselves against your authentication servers
- User-Authentication via VPN
  - Besides the local users, you can also apply authentication policies to your remotely connected VPN clients
- SecureWifi / Remote AP
  - Separate work- and private-related networks, even at home!
Below, you may find some useful tutorials giving you a starting point for these different fields:
Overview of all 2FA Methods (Two Factor Authentication)
USG Series - Authenticate SSL VPN clients with Microsoft Active Directory
How to join an Active Directory Domain with USG/ATP/VPN
Reaction
All the measures you can take are nice and dandy, but the true question is: what if none of them suffice and you are challenged by a security threat? With Zyxel ATP and/or USG FLEX, fear not, as these devices bring a UTM Pack (upon licensing and registration, that is), which gives you full capabilities to counteract the risks and dangers posed to your network.
The UTM Pack consists of these UTM Services:
- Content Filter
  - Allows you to block/disallow access to pages that match certain criteria (e.g. pornographic, racist, violent content etc.)
- Anti-Malware
  - Protects your networks from malicious software such as ransomware, viruses, worms, trojans etc.
- Collaborative Detection & Response
  - Take your Anti-Malware to the next level - CDR allows Access Points in your network to block infected wireless clients from the WiFi, thus providing more security
- App Patrol
  - Administer which types of content and applications that can't be blocked or scanned via regular firewall security policies may be used or are forbidden in your network (e.g. it is possible to differentiate between allowing WhatsApp messaging and blocking WhatsApp calling)
- IPS (Intrusion Prevention System) + ADP (Anomaly-Detection & -Protection)
  - Fight off malicious attacks on your network such as brute-force entry attempts and DoS attacks, and suppress strange, unusual traffic requests through your network
- Sandboxing (only ATP-Series)
  - The crowned king of UTM features - Sandboxing allows files sent over the network to be analyzed and scanned for malicious code in semi-real-time via cloud services, with new anti-malware signatures propagated in turn when a hit is registered. This makes for a zero-hour reaction time on new malware and makes sure only a minimal number of clients worldwide are affected. It's basically networking herd immunity on steroids!
As in the other chapters, here too you will find some articles on the aforementioned services:
Best Practice - ATP UTM Features
ATP Series: Why do you need a sandbox?
Creating a basic Content Filter Profile on the USG
Zyxel Threat Intelligence Website
Inspection of Intrusion Detection and Prevention (IDP) in ZyWALL USG Series Security Gateways
App Patrol Profiles - Basic Setup
Collaborative Detection & Response (CDR)