
Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON

Secure your USG - quick how-to

A few tips on securing the ZyWALL USG (not in any particular order and not comprehensive)

1) Segregate users. Don't use admin for everything. Even if you're the sole user of the box, have a separate admin account for managing the box and a regular user account for your VPN (SSL, L2TP and/or regular monitoring). Don't grant admin rights to your non-admin account.

2) Make sure your default firewall rule (the last one) is set to 'deny'. Firewall rules are evaluated from top to bottom; when a matching rule is found no other rules are applied. To make sure you don't lock yourself out, ensure the first rule is 'LAN1-to-ZyWALL allow', at least for the testing period; you can change this later. If you lock yourself out you can ALWAYS access the USG via the serial console and modify your firewall rules from the CLI.

3) Use secure services whenever you can. Use HTTPS instead of HTTP, use SSH instead of TELNET, use FTP with TLS, change SNMP community strings to non-default.

4) Disable unsecured services if you don't use them, e.g. Telnet, FTP, HTTP, SNMP.

5) Restrict access to the USG web management pages. This is particularly important when having HTTPS/443 exposed to the internet for SSL VPN access. Using the example configuration below will allow SSL VPN users to get to the login page over the internet (assuming the firewall is open) but won't allow any admin-type users to log in (those will be silently denied, i.e. admin can log in from LAN1 and IPSec VPN only).




6) If using SNMP, restrict it by source IP. SNMP is typically used by monitoring server(s); nobody else typically needs access ... and SNMP reveals too much information that's nobody's business.

7) Use remote syslog server for logging. If not using remote syslog server get a big USB stick and send logs to it. Make sure you log rather more than less. You'll thank yourself later.

8) Un-check "Allow Asymmetrical Route" in the firewall. Most of the time there's no need for this and it's a potential security risk. If you need it you most likely know why and don't need to read this. If you're curious check the on-line help for an explanation.
quote:
If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or “triangle” route. This causes the ZyWALL to reset the connection, as the connection has not been acknowledged.
Select this check box to have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection).
Note:
Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets.

9) Firewall, only allow services you need. Check your default groups and remove service members you don't need, better yet don't use default service groups.

10) IPSec VPN, use certificates whenever you can instead of Pre-shared keys. Don't use DES, 3DES, NULL or MD5 unless you have to or you know what you're doing. AES/SHA should be compatible with most devices out there.

11) If you need to have admin access to the USG from the internet and VPN is not an option, then the most secure way (IMO) is HTTPS with client certificates. You can create a CA-signed or self-signed certificate on the USG and export it to the browser used for management (you can import the certificate into multiple browsers if you need).
This can be used for SSL VPN access too ... just create a certificate, one for everybody or one for each person.
Caution: If you use remote admin access and SSL VPN for regular users, everybody will have to have a valid client certificate - this is a global option. See example pictures below.
Caution 2: If you don't have the right cert in your browser and you turn this on, then you lock yourself out from HTTPS access (have another access method, e.g. HTTP, enabled while testing this!!!)


After you have enabled the client certificate check and imported your cert into a browser, when you try to access the USG you'll get a prompt similar to this (varies by browser).



12) If you care about an internal audit trail / logs, avoid using 'NAT Loopback' for your servers. Rather use DNS to point to the server's internal IP. The problem is that when accessing your LAN server A from LAN PC B using A's public IP via loopback, the source IP of A is going to show in the logs as the USG LAN IP ... in other words you lose the source IP of the original server A in the logs.
quote:
Enable NAT loopback to allow users connected to any interface (instead of just the specified Incoming Interface) to use the NAT rule's specified Original IP address to access the Mapped IP device. For users connected to the same interface as the Mapped IP device, the ZyWALL uses that interface's IP address as the source address for the traffic it sends from the users to the Mapped IP device.


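A small model of the first-match semantics in point 2 and of the lockout that happens later in this thread, as an added example (not code from the original post or from ZyXEL): rules are tried top to bottom, the first match wins, and the very same table with the deny moved to priority 1 denies everything below it. It also includes the check a practitioner wants to run before hitting Apply: does the proposed table still allow the management flows? Zone names follow the post; the Rule and Packet fields, the service names and the sample tables are assumptions of this model, and nothing here is the USG's own config syntax.

```python
"""First-match firewall evaluation plus a lockout pre-check.

Added example, not from the original post or from ZyXEL. Zone names
(LAN1, WAN, ZyWALL) follow the post; the rule fields, service names
and sample tables are assumptions of this model.
"""
from dataclasses import dataclass
from typing import List

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src_zone: str          # "LAN1", "WAN" or ANY
    dst_zone: str          # "ZyWALL" (the box itself), "LAN1", "WAN" or ANY
    service: str           # "HTTPS", "SSH" or ANY
    action: str            # "allow" or "deny"
    name: str = ""


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    service: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule field matches when it is ANY or equals the packet's field."""
    return all(
        r == ANY or r == p
        for r, p in ((rule.src_zone, pkt.src_zone),
                     (rule.dst_zone, pkt.dst_zone),
                     (rule.service, pkt.service))
    )


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Top to bottom, first match wins. A table with no match at all is
    treated as deny here; the post's advice is to make the last rule an
    explicit deny so this fallback never matters."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def lockout_check(rules: List[Rule], mgmt: List[Packet]) -> List[str]:
    """Pre-apply sanity check: the management flows the proposed table
    would deny. Apply the table only if this list is empty."""
    return [f"{p.src_zone}->{p.dst_zone} {p.service}" for p in mgmt
            if evaluate(rules, p) != "allow"]


# Flows the admin must keep after Apply (constructed sample).
MGMT_FLOWS = [
    Packet("LAN1", "ZyWALL", "HTTPS"),
    Packet("LAN1", "ZyWALL", "SSH"),
]

# Table laid out as the post recommends: management allow first,
# default deny last (constructed sample).
GOOD_TABLE = [
    Rule("LAN1", "ZyWALL", ANY, "allow", "LAN1-to-ZyWALL"),
    Rule("LAN1", "WAN", ANY, "allow", "LAN1-to-WAN"),
    Rule("WAN", "ZyWALL", "HTTPS", "allow", "SSL VPN login page"),
    Rule(ANY, ANY, ANY, "deny", "default"),
]

# Same rules, but the deny landed at priority 1 (the lockout in the
# thread): first match wins, so nothing below it is ever reached.
BAD_TABLE = [GOOD_TABLE[-1]] + GOOD_TABLE[:-1]


if __name__ == "__main__":
    for label, table in (("good", GOOD_TABLE), ("bad", BAD_TABLE)):
        denied = lockout_check(table, MGMT_FLOWS)
        verdict = "OK to apply" if not denied else "would lock you out: " + ", ".join(denied)
        print(f"{label}: {verdict}")
```

Running it reports the first table as safe and the second as one that would lock the admin out of both HTTPS and SSH from LAN1, which is exactly why the post wants the 'LAN1-to-ZyWALL allow' rule at the top during testing.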

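For point 7, the receiving end of "use a remote syslog server", as an added example (not code from the original post or from ZyXEL): a minimal UDP collector that decodes the RFC 3164 <PRI> header so severity is available for filtering, accepts datagrams only from the USG's own address so other LAN hosts cannot pollute the audit trail, and refuses to crash on a malformed datagram from the network. The sample message in the test is constructed; the body format of real USG log lines is not shown on this page and is not assumed here.

```python
"""Minimal remote syslog collector (added example, not the original
post's or ZyXEL's code). Parses the RFC 3164 <PRI> header and appends
each message to a file. The USG's own log body format is not assumed.
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass(frozen=True)
class SyslogMsg:
    facility: int
    severity: str
    body: str


def parse_syslog(raw: bytes) -> Optional[SyslogMsg]:
    """Decode one datagram. Returns None for a missing or out-of-range
    PRI header instead of raising: a collector must survive junk
    arriving on UDP/514."""
    m = _PRI.match(raw.decode("utf-8", errors="replace"))
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 24 facilities * 8 severities - 1
        return None
    return SyslogMsg(pri // 8, SEVERITIES[pri % 8], m.group(2).strip())


def serve(bind_addr: str, log_path: str, allowed_src: str, port: int = 514) -> None:
    """Receive and append forever. Binding to 514 needs root; pick a high
    port if you prefer. allowed_src is the USG address configured as the
    syslog sender, e.g. its LAN IP (assumption: one sender)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(log_path, "a", buffering=1) as out:   # line-buffered
        while True:
            data, (src, _) = sock.recvfrom(4096)
            if src != allowed_src:                   # drop spoofed/other hosts
                continue
            msg = parse_syslog(data)
            if msg is None:
                continue
            out.write(f"{src} fac={msg.facility} sev={msg.severity} {msg.body}\n")


if __name__ == "__main__":
    # Constructed usage: listen on all interfaces, accept only 192.168.1.1.
    serve("0.0.0.0", "usg.log", "192.168.1.1")
```

Keeping the severity as a parsed field rather than a raw number is what makes "log rather more than less" manageable later: you can grep for `sev=warning` or worse without re-deriving the PRI arithmetic each time.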
Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS

Thanks for that Brano.


hardly
Premium
join:2004-02-10
USA


reply to Brano

This post should be a sticky in this forum.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS

Not unless he figures out how to spell comprehensive. ;-P

Edit, ignore my comment its been fixed LOL.



Hank
Searching for a new Frontier
Premium
join:2002-05-21
Burlington, WV

I think he has it.

I do agree, it is a good choice to be a sticky.


hyde1

join:2012-11-16

reply to Brano

said by Brano:

2) Make sure your default firewall rule (the last one) is set to 'deny'. Firewall rules are evaluated from top to bottom; when a matching rule is found no other rules are applied. To make sure you don't lock yourself out, ensure the first rule is 'LAN1-to-ZyWALL allow', at least for the testing period; you can change this later. If you lock yourself out you can ALWAYS access the USG via the serial console and modify your firewall rules from the CLI.

Hi Brano,
I locked myself out. I was trying to follow your VPN instructions and for some reason when I created the rule for deny, it was placed as priority 1 in the settings. I tried to move it to 14 and when I hit Enter (not realizing Apply was highlighted) it just applied the rules. I was connected via remote management, so I am not sure if this will apply to LAN as well or only WAN.
If it includes LAN, would you please give me the CLI command to simply disable the firewall so I can access it again and adjust the priority?
The FTP links in other posts are dead.

Does ZyWall USG50 support Serial to RJ-45 connection so I can use my laptop? I may have some cables somewhere in the office.. Or I will have to hunt for some old PC.


Hank
Searching for a new Frontier
Premium
join:2002-05-21
Burlington, WV

Doesn't the back panel have a serial port? Hopefully you can still access the GUI when local.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON

reply to hyde1

The USG50 has an RS-232 port on the back panel.
You need:
1) The RS-232 cable that came with the USG (or any other null modem cable you may have)
2) If your PC/laptop does not have a serial port you need a USB-to-serial dongle. You can get these pretty much anywhere for less than $5
3) The CLI manual from here »ftp://ftp2.zyxel.com/ZyWALL_USG_50/cli···50_4.pdf
4) A terminal emulator program such as HyperTerm on Windows or minicom on Linux
5) Login as admin, fix your default rule to allow, continue from web gui.


hyde1

join:2012-11-16


Thanks, firewall commands are on page 139.
I was trying to move the rules and I am not sure if it moved before saving or if deny is still in position 1. Can I just use "[no] Firewall Activate" to disable the firewall? Otherwise I will try "firewall delete 1" because I am pretty sure that rule would still be 1.

I don't have HyperTerminal; is PuTTY OK with the ZyWALL?



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON

HyperTerm is a default Windows app, look in Accessories. But PuTTY is going to do the same job.

no firewall activate should do the trick



Hank
Searching for a new Frontier
Premium
join:2002-05-21
Burlington, WV

HyperTerm was not included in the Vista and Windows7 release.


hyde1

join:2012-11-16
reply to Brano

said by Brano:

HyperTerm is a default Windows app, look in Accessories. But PuTTY is going to do the same job.

Like Hank said, there is no HT in 7, not even in the Pro edition. They are pushing people to simply use modems.

You would have to copy it off another XP or older Windows, but then in some cases it limits the connection to USB only.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON

Yeah OK, I'm using Linux, so I actually have no idea and am guessing when it comes to Windows ... don't tell anybody


hyde1

join:2012-11-16


said by Brano:

Yeah OK, I'm using Linux, so I actually have no idea and am guessing when it comes to Windows ... don't tell anybody

Thank you so much for your help, got back in finally!