In search of the "Do well" button. Zyxel in the network of small and medium-sized businesses

    UPD: Telegram chat to discuss Zyxel equipment @zyxelru tg.guru/zyxelru

    From a network engineer's point of view, Mikrotik routers are clever. They let you build incredibly complex network solutions, and the hardware costs ridiculously little.

    But for small and medium-sized businesses outside the IT industry it is extremely hard to deploy. To configure RouterOS properly, a business owner has to either hire a contractor who specialises in this equipment or train their own system administrator. The first option is expensive; the second takes a long time... and is expensive again.

    The WinBox vulnerability (CVE-2018-14847) showed that few people are able to configure RouterOS correctly, and those who do set it up update the firmware extremely rarely. Even though the last vulnerable version, 6.42, was released on April 20, 2018, and my article on Habr made noise around the world, people who have just discovered that their router was compromised through this vulnerability keep writing to me...

    Mikrotik's price/performance ratio does not always work in the consumer's favour. My task: find network equipment that, after a run through the setup wizard, gives a small office of up to 50 people the maximum functionality. One of the main criteria is security. A logistics company, for example, should be worrying about how fast a parcel reaches the customer, not about a network that keeps dropping and a "hanging" terminal.



    An expanding small office came to me as an outsourcing job: they had ordered a network built on a Zyxel hardware kit, an ATP 200 gateway, two Wi-Fi access points and a managed PoE switch. The experience turned out to be quite interesting, given that I had always dismissed Zyxel.

    Keenetic is not Zyxel
    As far as I know, Keenetic started out as custom firmware for Zyxel routers, which the company then took under its wing. In 2016 Keenetic split off from Zyxel and began producing its own equipment.

    So today Keenetic has nothing to do with Zyxel.

    Before I got my hands on the Zyxel gear, I asked my network-engineer friends what they thought of this equipment:

    "We don't put it in our data centres, because it is not an enterprise solution. But contractors install it for our customers. It just works... Set and forget."

    Security


    Naturally, I went to look at the registered CVEs (Common Vulnerabilities and Exposures).

    CVEs registered in 2018:

    D-Link - a whole lot
    RouterOS - 6 vulnerabilities that they are still hiccupping from...
    Cisco - more than D-Link

    Even the little-known Eltex from Novosibirsk has 5 vulnerabilities.
    Zyxel - 7 vulnerabilities.

    Zyxel amused me with CVE-2018-9149, which carries the maximum severity rating:
    The Zyxel Multy X (AC3000 Tri-Band WiFi System) device doesn't use a suitable mechanism to protect the UART. After an attacker dismantles the device and uses a USB-to-UART cable to connect the device, he can use the 1234 password for the root account to login to the system. Furthermore, an attacker can start the device's TELNET service as a backdoor.

    It immediately brings to mind scenes from your favourite spy action movies, where the hero/villain rappels into the base and hooks up to a box of wiring to stop/launch nuclear missiles aimed at... *fill in the blank*.

    That is, to exploit this vulnerability an attacker has to physically connect to the Wi-Fi access point with a special USB-to-UART cable!

    UART


    Judging by the CVEs, I have no concerns about Zyxel's reliability.

    Unpacking


    The boxes arrived while the walls were still being painted, so I unpacked at home.



    First impression: the weight! The ATP 200 weighs 1.4 kg despite its small size (272x36x187 mm). The access points are also noticeably heavier than Ubiquiti's.

    There were no power supplies in the access point boxes: in a proper installation, this kind of equipment is powered over PoE. A GS1200-5HP managed switch was bought for that purpose.

    First power-on


    I connected the ATP200 to my laptop with a cable through the gateway's P4 port (one of the LAN ports). Into wan1 I plugged the wired Internet uplink, into USB1 an E3272 modem with Hi-Link firmware, and into USB2 my Android phone in "USB modem" mode. It booted for about a minute. Then, following the "Quick Start" guide, I went to 192.168.1.1. Here the first trouble awaited me: the web UI runs on SSLv3, which modern browsers have disabled. We turn it on:



    On first login it does not let you proceed to the next step without changing the password, unlike RouterOS. Then the wizard starts; in it I indicated that I want to use the second WAN port (p3). The wizard did not see any additional devices.

    Screenshots


    I also left the services at their defaults.



    Since I have wireless access points, I turn on the Wi-Fi controller right away:

    Screenshots



    Another plus for security: an extremely dangerous function is turned off by default:



    We log in again, and a notification about new firmware arrives immediately.

    Screenshots



    That's it! The laptop is surfing the Internet! Admittedly, only through the wan1 port.

    Backup channel


    We dig into the configuration to add the USB modem and the Android phone to the WAN port group. In "Configuration → Interfaces" only the Hi-Link modem shows up as active; the Android phone remained unrecognised.



    In the connection properties you can set a link check:

    by ICMP or TCP, either to the gateway address or to a specifically chosen one,


    and also set the parameters of a metered connection, for example a traffic volume cap, if the operator has limited it.

    Limit


    Next, we need to allow clients out through this modem. I made it equal in weight to the channel plugged into wan1:



    Click the "Apply" button at the bottom, and that's it! The whole network now goes out through two channels at once.
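The backup-channel steps above (probe each link, respect a traffic cap, then spread clients across the links that are up) can be illustrated with a small stand-alone script. This is an added example written for this article, not Zyxel firmware or any ATP200 API; the link names, probe targets and byte counts are constructed sample values. Only the TCP probe is implemented, because an ICMP probe needs raw sockets; the device offers both.

```python
"""WAN health check and weighted failover selection (added example, not Zyxel code).

Mimics the logic described in the article: probe each WAN link over TCP,
exclude any metered link that has used up its allowance, and spread flows
across the remaining healthy links by weight.
"""
import socket
import threading
from dataclasses import dataclass
from typing import List


@dataclass
class WanLink:
    name: str            # constructed names such as "wan1", "cellular1"
    check_host: str      # address the health check connects to
    check_port: int
    weight: int = 1      # share of traffic when load-balancing
    cap_bytes: int = 0   # 0 means unmetered
    used_bytes: int = 0


def tcp_check(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def over_cap(link: WanLink) -> bool:
    """A metered link that has exhausted its allowance must not carry traffic."""
    return link.cap_bytes > 0 and link.used_bytes >= link.cap_bytes


def healthy_links(links: List[WanLink], timeout: float = 1.0) -> List[WanLink]:
    """Links that are within their cap and pass the TCP probe, in the given order."""
    return [l for l in links
            if not over_cap(l) and tcp_check(l.check_host, l.check_port, timeout)]


def pick_link(healthy: List[WanLink], flow_id: int) -> WanLink:
    """Weighted selection: flow_id (e.g. a hash of src/dst) is mapped onto
    weight slots, so a flow sticks to one link while the link set is stable."""
    if not healthy:
        raise RuntimeError("no healthy WAN link")
    slots: List[WanLink] = []
    for l in healthy:
        slots.extend([l] * max(1, l.weight))
    return slots[flow_id % len(slots)]


def start_probe_target() -> int:
    """Local TCP listener standing in for a reachable gateway; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port() -> int:
    """A port nothing listens on (bind, read, release), simulating a dead link."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    up = start_probe_target()
    links = [
        WanLink("wan1", "127.0.0.1", up, weight=1),
        WanLink("cellular1", "127.0.0.1", up, weight=1,
                cap_bytes=10_000_000, used_bytes=10_000_000),   # allowance spent
        WanLink("wan2", "127.0.0.1", closed_port(), weight=3),   # probe fails
    ]
    alive = healthy_links(links)
    print("usable links:", [l.name for l in alive])
    print("flow 7 goes via", pick_link(alive, 7).name)
```

Run it as is and only wan1 survives: cellular1 is dropped by the cap check before it is even probed, and wan2 fails the probe. The ATP200 does the same evaluation per interface; the script just makes the decision visible.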

    Connecting Wi-Fi


    It's a little more complicated here.

    Editing the security profile.

    Configuration → Objects → Access Point Profiles → SSID → List of Security Profiles. Select the default profile and click "Edit":



    Select WPA2 and, just below, enter the network key.



    Save and go to the next tab, "SSID List". Edit the "default" profile, setting the name for our access point.



    We have now adjusted the default access point settings to suit us.

    Now we allow "blank" access points to register automatically.

    This is only to make the installation easier.


    We plug the access points into the PoE switch, and the switch into a LAN port (p4-p7). And... that's it. The access points are detected automatically and the configuration is pushed to them.



    Turn automatic access point registration back off. A plus to the security karma.



    Click "apply" and enjoy the new network.

    What's next?


    We go deeper into security. Long live a network protected both from the outside and from within! The unbreakable law of a good office admin: of all the entertainment, leave only Solitaire!



    I really liked the App Patrol feature. No need to fiddle with writing regexes for L7 filtering, as on Mikrotik: it is already there. You only need to add it to a policy, and that's it.

    Blocking instant messengers, online games or social networks without the blood, sweat and tears of junior admins.
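To show what an application-category policy like the one described above actually has to do on the wire, here is an added example written for this article; it is not Zyxel's App Patrol engine and not a Mikrotik L7 rule. It takes the first packet of a connection, pulls the server name out of a TLS ClientHello (SNI) or a plaintext HTTP Host header, and maps it to a category that the policy allows or blocks. The category table, the `*.example` names and the sample packets are constructed for the example.

```python
"""L7 classification by TLS SNI / HTTP Host (added example, not Zyxel or Mikrotik code).

The category table and hostnames below are constructed for illustration.
"""
import struct
from typing import Dict, Optional

# Constructed category table: suffix match on the server name.
CATEGORIES: Dict[str, str] = {
    "chat.example": "messenger",
    "social.example": "social-network",
    "game.example": "online-game",
}
# Constructed policy: categories the office blocks.
POLICY_BLOCK = {"messenger", "social-network"}


def category_for(hostname: str) -> Optional[str]:
    host = hostname.lower().rstrip(".")
    for suffix, cat in CATEGORIES.items():
        if host == suffix or host.endswith("." + suffix):
            return cat
    return None


def sni_from_client_hello(data: bytes) -> Optional[str]:
    """server_name from a TLS ClientHello record; None if absent or malformed."""
    if len(data) < 5 or data[0] != 0x16:           # record type must be handshake
        return None
    body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:           # handshake type must be ClientHello
        return None
    pos = 4 + 2 + 32                               # skip header, client_version, random
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                           # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:                          # walk the extensions
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type == 0x0000 and len(ext) >= 5:   # server_name: list_len(2) type(1) len(2) name
            name_len = struct.unpack("!H", ext[3:5])[0]
            if ext[2] == 0 and len(ext) >= 5 + name_len:
                try:
                    return ext[5:5 + name_len].decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def host_from_http(data: bytes) -> Optional[str]:
    """Host header from a plaintext HTTP request; None if not found."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":")[0]     # drop an explicit port
    return None


def classify(first_packet: bytes) -> Optional[str]:
    name = sni_from_client_hello(first_packet) or host_from_http(first_packet)
    return category_for(name) if name else None


def verdict(first_packet: bytes) -> str:
    """Policy decision for a connection, based on its first packet."""
    return "block" if classify(first_packet) in POLICY_BLOCK else "allow"


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello with one SNI entry (sample input only)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"     # version, random, empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
             + b"\x01\x00"                             # one (null) compression method
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(hello))[1:] + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Unknown names fall through to "allow", which is the right default for a category filter: the appliance only blocks what it positively identified. Real engines also handle ESNI/ECH, QUIC and IP-based signatures, which is exactly the maintenance work the article says you do not want to do by hand in regexes.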



    The dashboard is the kind most bosses love: pictures and graphs. You can see where connections go most often, what is blocked and how much, and so on.



    Zyxel has a centralised management system, Nebula, which the Wi-Fi access points I was given support. At first glance it is SDN, the kind now being actively rolled out in large data centres. But that is a topic for another article :-)

    Meanwhile, out on the open Internet, the laptop has already found a user guide of more than 800 pages and a handbook of about the same size.

    Licenses


    Sadly, the licence for signature database updates is not perpetual: after the gateway's first activation, signatures are updated for one year. After that you need to renew the subscription.

    An annual Gold subscription costs 38,600 rubles, and Silver 29,000.



    Whether it pays off is a question for each particular case. For example: with an ATP200, keep a junior admin at 30k per month and buy a licence for 40k per year, or use Mikrotik plus an additional server (for Suricata) and keep a "bearded" admin at 80k per month.

    Conclusion


    For me, the advantages of the Zyxel hardware I came across:

    • ease of setup;
    • no "crutches" needed for typical tasks;
    • all the functionality an office needs in one box;
    • simple security settings;
    • it requires you to set a PASSWORD.

    The Zyxel ATP200 gateway's functionality is quite extensive. Moreover, much of it is implemented in a single box, with no need to cobble together a complex structure like Mikrotik + Suricata.

    Again, the basic functionality is deployed easily and in a short time.

    Of course, there are drawbacks too. You need to get used to the configuration logic. The ATP200 knows few tunnelling protocols; for example, it is not suitable for forwarding an SSTP tunnel.
    Any equipment has to be chosen for the specific tasks at hand.

    Training on Zyxel equipment (ZCNA) is cheaper than the competitors': 15,000 rubles! The official MTCNA starts from 22,000 rubles. Cisco is in a league of its own, both in the variety of courses and in cost, which approaches that of aircraft parts.

    Since not everyone on Habr can comment, and I did not find an active Zyxel chat on Telegram, I created @zyxelru. I invite you to discuss cases, settings and other tricks of using Zyxel equipment, as well as ideas for new articles on Habr in the series "In search of the 'Do well' button".
