Conclusion I reached after 3,200 individual malware removals.

Discussion in 'other anti-virus software' started by Mayahana, Nov 12, 2014.

  1. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226


    ProAdvantage has been selling Zyxel USG licenses at discount prices since the Nex Gen USG releases. Here is just the USG60

    http://www.provantage.com/zyxel-icbun1yusg60~7ZYX90PQ.htm
     
  2. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226
    Seems like a few of you are using Zyxel USGs and another UTM in bridge mode like me. Here's a picture of my home setup, pictured with my old USG 100. I now have a USG60. I am running Sophos UTM on an 8-core Rangeley Intel Atom with 16 GB RAM in bridge. I ditched Untangle because their IDS is worthless and they don't have country blocking. Plus, who can argue about having Sophos and Avira gateway AV with 6 million definitions EACH to filter through.

    http://www.walleyecentral.com/forums/attachment.php?attachmentid=61338&d=1388078833


    http://www.walleyecentral.com/forums/attachment.php?attachmentid=61346&d=1388078833

     
    Last edited: Nov 22, 2014
  3. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Thanks for the lead. The USG110 I ordered comes with a 1 year bundle, I will keep ProAdvantage marked for future reference.

    My adventure with the USG110 should begin shortly. I've got some pretty heavy system admin experience, but I was never one of the "network guys" and so we will see how this goes.
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Bingo! I am with you on that. Although well thought out system hardening goes a long ways with that as well.
     
  5. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    This device is very impressive, your guidelines above helped tremendously in my setup process, thank you. I was able, after some dithering around, to get everything working but I could not find the area to change remote admin access or any of the underlined areas above. Also, for some reason the app patrol does not seem to have any applications to choose from. My wireless router connected seamlessly and all the devices register on the USG110. Altogether a very nice setup process, and I feel much more secure behind this device.
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I set up Brocke's from a remote session in about 5 minutes. There are a lot of areas to configure, so you may want me to do the same. He's been blocking some significant trojans and exploits with his so far from what I heard. It's an amazing appliance for the price.

    Admin settings are under 'System' then WWW on down. Turn off everything but WWW, disable HTTP access, enable HTTPS on port 10005, then disable redirect to HTTPS. Then put in policies to deny everything NOT from your LAN subnet.
     
  7. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    Mayahana set it up fast, and it has caught a lot of really nasty stuff.
     
  8. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Thanks Mayahana,

    I had to laugh a bit when I saw this post. As I was searching around to find the method to block remote access I found the WWW screen and disabled both HTTPS and HTTP access, thinking that "of course I would be able to log on hardwired". Haha, I had to do a reset and set things up again. But it was a learning experience, and going through the motions of setup again gave me more confidence with the interface, and now your attachment explains it perfectly. I really appreciate your offer to do a remote setup, but then I would not learn how to do it myself, which I think is important with such an important piece of my network. So if you could give me hints, like the above post(s), it would be invaluable to me, and possibly others.

    Now for a couple of questions. In App Control, I have set up a profile but when I enter the profile and try to add an application there is nothing there. It's like there should be a population there to select from but I do not have it. Next, my SSL Inspection module does not seem to have a certificate base, I keep getting certificate errors when I go to common sites like Amazon or Newegg. I can add these sites to the exclude list but it seems like there should be a basis of certificates that I do not have. I can see down at Object -> Certificate that I can import certificates but are these provided by ZyXel or do I need to get them from somewhere else? Last, the Anti-Spam module does not seem to be scanning email, at least the UTM stats show 0 Total Mails scanned. Any help on these little problems would be appreciated.

    This device is really impressive. The AV module has stopped 82 viruses since my reset. The other UTM modules are working (well except for anti-Spam) protecting my network as a whole. My computers are protected by Eset, Sandboxie and other things but the USG 110 gives me a whole new level of confidence in my network security and privacy.

    A little later: I had to disable SSL Inspection for now, almost every HTTPS site was having a certificate error.
     
    Last edited: Nov 23, 2014
  9. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Application control pulldown will be empty because you've not assigned applications to the group under Objects/Applications. Remember, enterprise devices require action in 2-3 places on average. Firewall, for example, requires policies and firewall rules. Actionable targets require the object, then the action taken on the object. Parental controls are the same way: you set up the IP address to control, then the action for the IP address.

    Certificate errors will be resolved when you load the ZyXEL root CA onto each system as trusted. Right now the default browsers are catching the SSL inspection from ZyXEL supplicating the certificate, therefore you need to add the ROOT CA from ZyXEL to trusted CA on each browser to authenticate SSL inspection without certificate errors.

    Antispam module will only inspect SMTP traffic; if you are not running a mail server, just leave it off.
     
  10. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    The reason I supplant the device admin access rules is because ZyXEL defaults admin access to an insecure all/all/allow. Your first rule should be allow on LAN ONLY, the second rule all/all/DENY; therefore anything coming from anything other than your LAN subnet will be denied straight away. I tend to do these types of things to enhance security over the default or common configurations. Also, by disabling HTTP to HTTPS failover you restrict access to pure HTTPS only, and don't reveal your port. If you use failover, you reveal your port to anyone hitting the device in HTTP - another security flaw. Finally, port 10005 is good because it's generally unused, and unknown, and adds another layer to your security.

    Disabling all unused services reduces the attack surface significantly, and closes those ports. Another ZyXEL engineer I know always laughs when he sees devices I set up because he says I am one of the only ones to go to extremes to lock them down beyond what the defaults, or common practices, are.
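    The admin-access hardening described in the two posts above, modelled as a first-match rule evaluator with a lint pass (an added example, not code from the thread or from ZyXEL; the 192.168.1.0/24 LAN, the 203.0.113.7 off-subnet source and the allow-all fallback are constructed to mirror the described default, and ZyXEL's own UI/CLI syntax is not reproduced):

```python
"""Model of the USG admin-access hardening from the thread.

Rules are evaluated top-down, first match wins (common firewall semantics;
this is an illustration, not ZyXEL's own rule syntax or API).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR string, or "any"
    action: str   # "allow" or "deny"


@dataclass
class WwwService:
    http_enabled: bool
    https_enabled: bool
    https_port: int
    redirect_http_to_https: bool
    rules: list


def decide(rules, src_ip, default="allow"):
    """First-match evaluation; the fallback models the all/all/allow default."""
    ip = ip_address(src_ip)
    for r in rules:
        if r.src == "any" or ip in ip_network(r.src):
            return r.action
    return default


def lint(svc, lan):
    """Findings a defender would raise against this WWW service config."""
    findings = []
    if svc.http_enabled:
        findings.append("HTTP admin enabled: credentials cross the wire in clear")
    if not svc.https_enabled:
        findings.append("HTTPS admin disabled: you lock yourself out (hardwired too)")
    if svc.redirect_http_to_https:
        findings.append("HTTP->HTTPS redirect on: the Location header reveals the HTTPS port")
    if svc.https_port == 443:
        findings.append("HTTPS on the default port: trivially found by scanners")
    if decide(svc.rules, "203.0.113.7") != "deny":   # constructed off-subnet source
        findings.append("a non-LAN source reaches the admin interface: add a final any/deny")
    if decide(svc.rules, str(next(ip_network(lan).hosts()))) != "allow":
        findings.append("LAN hosts cannot reach admin: lockout")
    return findings


# Constructed values: a 192.168.1.0/24 LAN, the default config and the hardened one.
LAN = "192.168.1.0/24"
DEFAULT = WwwService(True, True, 443, True, [Rule("any", "allow")])
HARDENED = WwwService(False, True, 10005, False, [Rule(LAN, "allow"), Rule("any", "deny")])
```

    The lint also catches the lockout a later post describes: disabling both HTTP and HTTPS leaves no path to the admin interface, even from the LAN.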
     
  11. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Thanks again Mayahana, this is very helpful. Too bad about the anti-spam module, but my ISP checks and segregates spam and I use Mailwasher to preview email so not a great loss. Now, how do I get the Root CA from ZyXel? I left a phone msg at Zyxel, a question about the warranty and I need to register to get 90 days of free tech support (if I need it).
     
  12. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    When I get home I will send you the information, and a direct email contact at ZyXEL to bypass the ticket/queue system.
     
  13. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    I like being locked down :) I have always disabled any sort of remote support functions on systems that I have set up. They can always be turned on if needed.
     
  14. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Ok, thanks.
     
  15. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    One of the ways we lock down companies is to disable all non-subnet connectivity to admin, then RDP into the server, and access the UTM from the server within the subnet. Leaving remote access on can be a fairly substantial security risk, unless it's done carefully and the attack surface is reduced dramatically. Protocol is changing to an obscure port, disabling failover, disabling everything but HTTPS. Also you can specify specific IP ranges to allow connectivity, so for example if you know your work IP ranges, you can allow remote access (with caveat) to those ranges. The nice part about a good UTM like this is you have an incredible array of options.

    It's difficult, if not impossible to go back to consumer grade trash after this.
     
  16. pwreeves

    pwreeves Registered Member

    Joined:
    Nov 25, 2014
    Posts:
    1
    Hi Mayahana
    I stumbled across this post looking for info on the USG 110 I bought at the weekend.
    Could I trouble you to point me in the direction of any setup guides you may know of.
    I used the wizard to setup PPPoE but I have 5 static ip's assigned to me and can't get them to work or my mail server up and running.
    Thanks in advance,
    Paul
     
  17. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    I am, slowly, working my way through the user's guide. A lot of sections do not apply to my situation, but it is interesting reading. Quite a powerful device for the $$.

    As of this morning 528 viruses stopped by the USG!
     
  18. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Sorry, but these statistics seem quite panicky to me. Home users go on without UTMs and stay uninfected for years, and at the moment of installation it starts to stop hundreds of viruses every day. One thing these statistics inspire for sure is a sense of need for this kind of protection.
     
  19. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    True... I am confused, are we here talking about honeypot type of setups?
     
  20. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    This isn't uncommon with UTMs, and reinforces the fact that the internet is very, very dirty these days. When I checked a client's Fortigate this morning I saw 2,398 attacks blocked overnight - as one example. Granted, many of these attacks are automated; it doesn't mean those attacks aren't happening if you don't have a device blocking them, it means the attacks are reaching past the device, and potentially finding code to execute. Not always, and in some cases unlikely - right? But at least the UTM is stopping them from progressing deeper into your network.

    UTMs block an array of things far beyond what a normal AV or router is capable of; that's why they are called NGFWs. For example, in my case I block thousands of exploits a day related to Tivo. Tivo is very slow to patch and fix issues, and as a result they are vulnerable. The very second the Tivo reaches out, it broadcasts this fact, and is subject to potential exploit. The UTM blocks this aspect of Tivo inbound/outbound, and as a result generates logs showing this activity - which can look pretty daunting.

    Kaspersky UTM is extremely potent, and will generate quite a lot of blocks using flow-through methodology targeting extremely advanced, and very new, malware or injections. Often hitting 5-6 websites will generate a dozen errors because those websites are compromised in some cases, and feeding compromised packets to your network. Without a UTM those compromised packets DO arrive into your network; however, whether or not they find a vector for operation is an entirely different discussion. Taking a large keyring filled with keys, and trying them on various door locks, doesn't always get you through the lock. But if you can rip the keyring out of the person's hand, why not?
     
  21. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    OK, so you need to have open ports towards the internet for these threats to penetrate the network... if you do not have open services facing the internet then I wonder what's the value added of this for home use.... a firewall ensuring unsolicited calls are rejected would be enough... I don't really need to know that a rejected call was due to malware X or Y.
     
    Last edited: Nov 25, 2014
  22. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    NAT router provides protection from unsolicited inbound events, so what? It blocks port scans, pings, and random sweeps, but that's about it; a NAT router won't protect you against the majority of network attacks. SPI is better, but these days largely considered to not be enough. They examine the headers and potentially the content of each network packet in the context of its connection to check for validity, while an NGFW like the ZyXEL takes this to an entirely different level. LAN segregation, VLANs, even multiple cascading NATs can increase security quite substantially, but this can get complex. These days we pair a strong NGFW with VLANs and thin clients, and isolated subnets with statics, to add some fairly strong security layers. Your browser connects to a site, opens port 80 up, accepts bi-directional communication to this IP; the NAT doesn't do anything at this point, but the NGFW is picking apart what is going back and forth, and examining the packet flow for detailed signs of exploits, injections, and compromises. It is sometimes said that NAT masks the internal hosts, i.e., a server on the Internet does not know how many devices reside behind the NAT device, nor can the server distinguish between them. However, this is not true, since servers, Internet trackers, applications etc. count their users on more relevant information than simply the incoming IPv4 addresses.
     
  23. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    How is this relevant in any way? We're not talking about compromised computers, we are talking about a compromised internet. I would bet some real money that the majority of viruses and exploits these ZyXELs (or any UTM) are picking up are externally generated, targeting specific IPs on the network. Nothing to do with infected machines in general.
     
  24. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Unless they are .Gen, these are real signature hits from packet inspection. IPS and AV work together on that device, so for example if the AV detects Eicar, then it informs the IPS to block any domain where Eicar would originate that is in its database. So you will see IPS hits from potential infection sites widespread across a variety of IP ranges 'out there'. I will dig up some documentation on this, but Kaspersky UTM is focused on blocking extremely new, extremely serious threats in realtime at the packet level. While I love Fortinet appliances, I feel ZyXELs are more potent, mostly because of their work with Kaspersky.

    It's pretty well known in the industry that Kaspersky UTM blocks NSA packet injections - by the way. (Not talking desktop, the UTM Flow Through)
     
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Indeed, NAT is out of the picture. I was talking more of a decent SPI firewall in front of your home DSL line that provides a good filter already. And, yes.. on active connections like the typical browsing activity I see what you mean... though the risk is marginal with good endpoint protection on the systems, a strict update policy and users on the LAN that are not too happy clickers :)
     