For those who choose a firewall


    There was a time when the only means of protecting the network perimeter might be a router built from an old computer running a free UNIX-like operating system, for example FreeBSD, and a regular firewall.

    Today, system administrators have access to both numerous specialized distributions for installation on a server, and ready-made hardware and software systems.

    The development of supply and demand has led to increased specialization.

    Where organizing network access and security used to be a matter for a select few gurus, the number of points with Internet access now grows day by day, and any student can connect a gateway, router or access point and start distributing traffic within the network.

    Network threats have changed. Now the main danger is not the hackers of the “old school”, but mass infections with new types of viruses and Trojans. When preparing attacks, attackers can use third-party resources, for example, previously created botnets (zombie networks), to send spam, organize DDoS attacks, and so on.

    But that is not all. As the network develops, an increasing role is played not only by the security level at the sender and receiver, but also by how information is transmitted: in what form, along which route, etc.

    If you leave these questions unanswered, you will have to answer other questions, for example: “Where did the money in the account go?”, “How did THEY know about it?” and “When will at least something finally work?!”.

    Now you need to know exactly what we are protecting, what we are protecting it from, and which tool is best to choose.

    What does Zyxel offer: separation by specifics

    There are two main areas that require protection:

    1. Access to third-party resources and third-party access to corporate resources (for example, to a web site). These solutions can be divided into the Zyxel ZyWALL ATP series gateways, which use cloud resources, and the fully closed USG series.
    2. The connection between individual sites, for example, branches with the center or individuals with the employer. This is usually done using VPNs, with Zyxel gateways of the ZyWALL VPN series.

    Table 1. Classification of Zyxel ZyWALL VPN, USG and ZyWALL ATP Series Gateways.

    Note. There is also a family of Zyxel gateways that we do not consider in this chapter: devices that support external cloud management through Zyxel Nebula. But since “it is impossible to grasp the immensity,” we now concentrate on the classic version of devices with local control.

    It should be noted that, despite the differences, there are some common features. Each of the areas includes solutions for large businesses as well as for small organizations. This imposes some design features.

    Figure 1. Gateway for corporate use USG2200-VPN .

    For example, some models for small businesses have built-in WiFi modules for use as wireless access points.

    Figure 2. Gateway to protect networks in small organizations USG60W.

    Since the functions of all three areas partially overlap, we will talk about the recommended scope.

    Of course, if you try to build a VPN connection on a USG gateway, or use a VPN to protect the network, nothing bad will happen, but it will not be very effective.

    Therefore, before we turn to the features for each direction, it will be useful to study their common features.

    Forewarned is forearmed
    The OneSecurity portal serves as a single location for operational information. This dedicated resource hosts operational bulletins and recommendations regarding current security threats. OneSecurity offers up-to-date information and recommendations for enhanced network security. This helps companies and IT professionals keep their networks secure despite the growing number of threats.

    For convenience, access to this portal is integrated into the graphical interface of the USG series and ZyWALL VPN series products. Information and resources can be found with one click in the GUI console of these products. This approach lets you quickly and easily learn about current threats and the methods of eliminating them. The material is presented in the well-established FAQ (Frequently Asked Questions) format. This allows you to take all necessary measures in time to protect against identified threats.

    Content Filtering
    Content Filtering is used to block access to dangerous web sites and to sites unrelated to the main work. The recently released Content Filtering 2.0 introduces enhancements to the HTTPS Domain Filter, Browser SafeSearch, and Geo IP Blocking security features to improve the security of connecting to the Web.

    Fast and secure update.
    This feature is also common to all three directions.
    To make it easier to find the firmware update of the required version, use the new Cloud Helper service, which provides information on the latest firmware versions.

    The latest version becomes immediately available after the official release, which guarantees its authenticity and reliability.

    Zyxel ZyWALL VPN Series

    The recommended area of use is a secure and reliable VPN connection.
    The main purpose is to tunnel traffic protected with the Secure Hash Algorithm 2 (SHA-2).

    With the ZyWALL VPN 50/100/300, you can implement high-speed, secure communication between local servers, remote devices, and applications deployed in the cloud.

    Figure 3. The ZyWALL VPN300 gateway for establishing reliable VPN connections.

    Support for dual-WAN failover and fallback deserves a separate mention. With two WAN connections, one used as the main link and the other as a backup, the Zyxel VPN Firewall automatically switches to the backup if the main connection fails.

    ZyWALL VPN Series also uses multi-WAN load balancing / failover and provides full support for USB cellular modems from a list of compatible hardware that can be used to back up a WAN connection.
    To build channels with high reliability requirements, the ZyWALL VPN Series provides a mode of operation as part of a fault-tolerant cluster (High-Availability, HA) in Active-Passive mode.

    ZyWALL VPN Series supports IPSec load balancing and failover, providing additional fault tolerance for switching business-critical VPNs when implementing a VTI Interface.

    Supported VPN features and more:

    • IPSec VPN connections with load balancing and failover between locations.
    • Remote access using SSL, IPSec and L2TP over IPSec VPN.
    • A VPN gateway located at the head office can also establish an IPSec VPN connection with the Amazon VPC cloud to securely access various cloud applications and expand the corporate network by connecting cloud resources to it. This is available both through the graphical user interface and through the command line interface (CLI).
    • Hotspot Management (starting with VPN100) - providing access to the Internet, for example, for visitors to cafes and restaurants, hotel guests and so on. You can provide different levels of service and keep a log of events in accordance with the requirements of the legislation.
    • Thanks to the integration of Facebook Wi-Fi service into ZyWALL VPN, small shops and restaurants can not only provide their visitors with access to the Internet, but also improve their popularity with the help of Facebook.
    • An integrated access point controller provides centralized control for flexible wireless network deployment. The AP Controller feature in the ZyWALL VPN series allows you to centrally manage multiple access points using a single user interface. This feature simplifies the deployment and maintenance of the company's WiFi network as much as possible.
    • The ability to organize site-to-site IPSec VPN connections.
    • IPSec VPN HA failover cluster (load balancing and failover) to ensure high availability of the VPN connection.
    • Organization of secure access to internal resources using SSL, IPSec and L2TP over IPSec VPN.
    • Connect USG / ZyWALL over an IPSec VPN channel with Microsoft Azure for secure access to various cloud applications.

    Larger organizations are better served by more powerful gateways such as the USG110 / 210 / 310, which have more powerful hardware, can support more connections, and so on.

    It is worth noting that this device works on the principle of "all that is mine I carry with me": it has a VPN, a good level of protection, and a limited bandwidth.

    But if you need to focus on the security features, it is better to use Zyxel ZyWALL ATP series gateways, which are backed by the Zyxel Cloud service.

    Zyxel ZyWALL ATP Series

    Recommended area of use - enhanced protection against malicious programs and application optimization

    The main highlight of this family of secure gateways is the use of cloud resources to raise the level of protection.

    The resources of a single, even the most powerful gateway are not enough to analyze and diagnose a multitude of incoming threats.

    Therefore, bringing in additional cloud resources over secure encrypted access seems to be a very reasonable step.

    Attention! Zyxel Cloud is not involved in the exchange of information between the protected gateway and the outside. That is, traffic does not pass through it. The cloud resource is used primarily for the rapid exchange of information about vulnerabilities, as well as the results of additional verification of suspicious objects, for example, within the sandbox (Sandboxing).

    In general, the Zyxel ATP family of functions is similar to the previously considered Zyxel USG version, but the support of cloud mechanisms greatly enhances services such as anti-virus protection, which always lack resources.

    Figure 4. The ATP200 gateway with cloud support for network protection.

    Below are some of the distinctive features that are specific to gateways in this series - Zyxel ZyWALL ATP.

    Zyxel Cloud Machine Learning
    Zyxel Cloud identifies unknown files on all ATP firewalls, collects the results in a database and forwards updates to all ATP family gateways daily. This allows you to collect knowledge about new threats and develop the system by machine learning. In this way, the cloud environment “learns” to counter new attacks.

    Sandbox - Sandboxing
    This is an isolated cloud environment where suspicious files are placed to identify new types of malicious code, including the launch method. What the streaming antivirus cannot detect is manifested in the Sandbox.


    Of course, one small article cannot describe the whole range of capabilities available in modern Zyxel security gateways.
    For more information, read our blog on Habr, the materials on the Zyxel website, and, of course, the documentation for the products.

