not just a firewall

Just a couple of decades ago, most websites operated without SSL encryption, which made it easy for firewalls to look into passing traffic and catch malicious files and scripts. Now it is hard to find a website still served over plain HTTP at all. All traffic is encrypted, and this has greatly reduced the ability of hardware firewalls to detect malware.

System administrators face a difficult choice. On the one hand, you can catch malware on the end device by installing antivirus software and paying for a license for each workstation. On the other hand, it would be better to “shoot” it on the way in, but for that the device needs to see the unencrypted data. Today we will look at how the Zyxel USG Flex 200H resolves this dilemma and how it keeps various malware from penetrating the protected network.


Inspecting SSL

So, our task is to understand what exactly is happening inside the encrypted connection. For a device to do this, the connection must first be decrypted and then checked against the security policies. If nothing suspicious is found, the traffic is re-encrypted and sent on to the recipient. If a malicious file or script is detected, the connection is dropped so that it does not get into the local network.

The problem with this scheme is that the recipient will get a warning about an insecure connection, and the browser may even block the requested page. To avoid this, you need to export the certificate from the Zyxel USG Flex 200H and add it to the list of trusted root certification authorities on the recipient's computer. This way, the recipient's operating system will still consider the connection secure:

SSL inspection operation scheme

It sounds great, but you should bear in mind right away that this method can compromise the security of confidential and sensitive data, so you will need to create and maintain an up-to-date list of resources for which such “opening” of traffic is undesirable:

This will also reduce the resources spent on decryption and re-encryption. However, be prepared to review the list of resources excluded from inspection periodically and to work actively with users so that it is updated in a timely manner. And don't forget to keep logs in order to detect hacking attempts.
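The two points above (the client trusts the gateway's certificate, and an exclusion list keeps sensitive sites out of inspection) can be checked from a workstation behind the firewall. The script below is an added example, not Zyxel's code: it assumes the exported `default.crt` is at hand, that its subject CN is known (the value `GATEWAY_CA_CN` is a hypothetical placeholder), and it uses a constructed exclusion list. A connection whose server certificate was issued by the gateway CA is being decrypted; comparing that against the exclusion list reveals both sites that are wrongly “opened” and sites that inspection is missing.

```python
import fnmatch
import socket
import ssl

# Subject CN of the gateway's SSL-inspection certificate (the exported default.crt).
# Hypothetical placeholder: read the real value from System > Certificates.
GATEWAY_CA_CN = "USG-FLEX-200H-INSPECTION-CA"
# Constructed exclusion list: hosts whose traffic must NOT be decrypted.
EXCLUDED = ["*.bank.example", "mail.example"]

def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == key:
                return value
    return None

def is_excluded(host, patterns=EXCLUDED):
    """True when the host matches an entry of the SSL-inspection exclusion list."""
    host = host.lower()
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)

def inspected_by_gateway(peercert, ca_cn=GATEWAY_CA_CN):
    """True when the certificate the client saw was issued by the gateway's CA."""
    return _rdn_value(peercert.get("issuer", ()), "commonName") == ca_cn

def audit(host, peercert):
    """'ok'   : inspected and not excluded, or excluded and not inspected
       'leak' : an excluded host was decrypted anyway (exclusion list not applied)
       'blind': a host that should be inspected reached the client untouched"""
    inspected, excluded = inspected_by_gateway(peercert), is_excluded(host)
    if excluded and inspected:
        return "leak"
    if not excluded and not inspected:
        return "blind"
    return "ok"

def fetch_peercert(host, port=443, gateway_cafile="default.crt"):
    """Connect from a client behind the gateway and return the peer certificate.
    System CAs plus the exported gateway CA are trusted, so both inspected and
    exempted connections verify. Needs network access."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=gateway_cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:
        print(h, audit(h, fetch_peercert(h)))
```

Run it with a few hostnames from both sides of the exclusion list; every `leak` line is a site whose sensitive traffic the gateway is decrypting despite the policy, and every `blind` line is a site that bypasses inspection.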

Identifying threats

Example of a threat statistics page by URL per day

Now that the device has access to the traffic, it can protect users from malicious applications and phishing sites. For this purpose, the Zyxel USG Flex 200H has an Antivirus, a Content Filter, a Threat Filter and a Sandbox.

The antivirus works locally using a signature database that is periodically updated from Zyxel's servers. If the signature is not present locally but heuristics flag the file as suspicious, its hash is sent for verification to an extensive cloud database. Copies of suspicious executable files and scripts can also be sent to the Sandbox, where the file is placed inside an isolated virtual machine and run, and the security system analyzes its behavior.

If the Sandbox reports malicious activity, the original file is destroyed by default. The system works quite quickly, since the Sandbox is built on high-performance servers that check tens of thousands of files and scripts every second.

Of course, checking every downloaded file format will require a large amount of resources. Good practice is to first observe which threats the device encounters most often and then adjust the list of formats to be scanned accordingly:

Available file types for on-the-fly scanning

The scourge of our time is phishing sites masquerading as legitimate resources, such as online banking portals, social networks and email services. For an experienced and attentive user they rarely pose a threat, because the domain is always displayed in the address bar. But an ordinary user can simply take the bait and enter personal or financial data, which will instantly end up in the attackers' database.

The consequences are grim: large sums are debited from credit cards, social network accounts are hijacked and used to send spam, and captured email addresses can give access to many more services that do not have two-factor authentication enabled.

The Zyxel USG Flex 200H addresses this with the Threat Filter, which recognizes phishing URLs and shows the user a warning instead of the fake page:

Example of a blocking page when trying to navigate to a phishing site

The database of phishing URLs is constantly updated, and the system administrator can also maintain a manual “black list” of resources that users should not visit. To have a complete picture of what is happening, it is worth checking the logs regularly, especially since the device's logging system is very convenient and informative:

Log viewing page in the web interface

In addition, the device supports SecuReporter, a cloud-based analytics and reporting service with data collection and correlation functions. Once a week you receive a PDF with a detailed security report by email.

In addition to URL reputation checks, the device can detect and automatically block DNS requests for malicious domains. It can also match, on the fly, the IP addresses requested by users against a database of known malicious IP addresses and block traffic from (and to) them.

The Zyxel USG Flex 200H can also monitor mail server traffic in real time and identify dangerous emails, for example by tracking and destroying malicious attachments such as specially crafted PDF files. This is an excellent way to protect your network and employees from email-borne attacks.

Setup in 5 minutes

Export certificate

By default, the device has a factory certificate that can be used to set up SSL inspection. To see its parameters, go to the web interface and open the page System > Certificates. On the Gateway Certificates tab, the only installed certificate will be displayed. Check the box next to it and click Export:

Export default certificate

If desired, set a password and save default.crt to your computer. On the client machine, add this certificate to the Trusted Root Certification Authorities store. How this is done depends on the operating system, so we will not dwell on it here. From this moment on, any SSL connection terminated by the firewall will be perceived by the browser as legitimate.

Of course, you can also import any certificate of your own into the gateway's certificate list, for example your organization's certificate.

Creating a Profile

Open Security Services > SSL Inspection. On the Profiles tab, click the Add button. Provide a name and select a certificate from the list. In our case, this is the default device certificate. After that, click the Apply button:

Creating a new profile for SSL Inspection

Applying a profile

The system will warn you that the profile has been saved, but for it to work it needs to be linked to a security policy, and will offer to do this now. Agree by clicking OK. Now select the security policy you need. For the test, we will apply the profile to all available policies by highlighting them all and clicking OK:

Selecting a security policy

The setup is complete. The new profile will be saved, and you can see its statistics on the page Security Statistics > SSL Inspection:

Example of an SSL inspection statistics page

Conclusion

A defense strategy in which threats are neutralized at the external perimeter of the network is justified in most cases. Yes, modern browsers and operating systems are able to detect malicious files and block them in time, but this does not always work correctly. Besides, a user who ignores the warnings and downloads and opens an infected file may not be the only one to suffer the consequences.

Of course, we should not forget that the Zyxel USG Flex 200H is primarily a firewall, and its main task is to filter out potentially dangerous connections. But at the same time, it can protect the network better by using its additional services and making the most of its own system resources.
