ZLD4.65 for ZyWALL USG Series/ZyWALL 110/310/1100
ZLD5.02 for ZyWALL ATP Series/USG FLEX Series/VPN Series
You can run a cloud auto-upgrade by clicking the cloud icon.
Alternatively, download the firmware from the myZyxel.com server and upload it from your local PC.
Password change notification and a security policy check are implemented in this release. Follow the steps below to get the best protection for your device.
Password change notification
After upgrading the firmware to 4.65/5.02, your first login attempt will pop up a password change notification page that includes:
a. All admin-type user accounts
b. Date of the last password change
c. Password expiration date
We strongly recommend changing all admin-type passwords again and removing any unwanted admin accounts.
Security Policy Check
If any HTTPS/SSL VPN service port is open from the WAN to the ZyWALL without a restriction on the source address, a Security Check Notification page will pop up.
Follow the wizard to change the HTTPS/SSL VPN service port, restrict access to trusted hosts, and change the 2FA authentication service port.
When the wizard finishes, the system automatically creates the corresponding policy control rules.
Note: If you changed the web management service port, you must enter the new service port in your browser to log back in.
We also strongly recommend running a thorough configuration examination to see whether your device has been compromised. From our field observation, a compromised device will have unwanted accounts added and Policy/Firewall rules added to allow undesired traffic into your network.
- Delete the unknown accounts
- Remove the unknown firewall rules
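As an added example (not Zyxel's code and not the device's configuration format), the script below models the post-upgrade review described above on a constructed snapshot: admin accounts missing from your own inventory, passwords older than an assumed 90-day limit, HTTPS/SSL VPN rules open from WAN to the device with an unrestricted source (what the Security Policy Check flags), and policy rules you did not create yourself. The Admin/Rule data model, zone and object names, and the 90-day threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MGMT_SERVICES = {"HTTPS", "SSLVPN"}  # services the Security Policy Check covers

@dataclass(frozen=True)
class Admin:
    name: str
    last_password_change: date
@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    source: str   # "any" or the name of an address / geo-IP object
    service: str
    action: str   # "allow" or "deny"
def unknown_admins(admins, known):
    """Admin-type accounts missing from your own inventory of accounts."""
    return sorted(a.name for a in admins if a.name not in known)
def stale_passwords(admins, today, max_age_days=90):
    """Accounts whose password is older than a (constructed) 90-day limit."""
    return sorted(a.name for a in admins
                  if today - a.last_password_change > timedelta(days=max_age_days))
def exposed_mgmt_rules(rules):
    """HTTPS/SSL VPN allowed from WAN to the device with an unrestricted source."""
    return [r.name for r in rules
            if r.src_zone == "WAN" and r.dst_zone == "ZyWALL" and r.action == "allow"
            and r.service in MGMT_SERVICES and r.source.lower() == "any"]
def unknown_rules(rules, known):
    """Policy rules you did not create yourself (a common sign of compromise)."""
    return sorted(r.name for r in rules if r.name not in known)

# Constructed sample snapshot of one firewall; not taken from any real device.
TODAY = date(2021, 7, 6)
ADMINS = [Admin("admin", date(2020, 11, 2)), Admin("helpdesk", date(2021, 6, 1)),
          Admin("svc_backup", date(2021, 6, 20))]       # constructed unknown account
RULES = [Rule("LAN_Mgmt", "LAN1", "ZyWALL", "LAN1_SUBNET", "HTTPS", "allow"),
         Rule("SSLVPN_Any", "WAN", "ZyWALL", "any", "SSLVPN", "allow"),
         Rule("SSLVPN_Trusted", "WAN", "ZyWALL", "Branch_IP", "SSLVPN", "allow"),
         Rule("Allow_Inbound", "WAN", "LAN1", "any", "any", "allow")]  # constructed unknown rule
KNOWN_ADMINS = {"admin", "helpdesk"}
KNOWN_RULES = {"LAN_Mgmt", "SSLVPN_Any", "SSLVPN_Trusted"}

def audit(admins=ADMINS, rules=RULES, today=TODAY):
    # Every non-empty list is something to review before the device goes back online.
    return {"unknown_admins": unknown_admins(admins, KNOWN_ADMINS),
            "stale_passwords": stale_passwords(admins, today),
            "exposed_mgmt_rules": exposed_mgmt_rules(rules),
            "unknown_rules": unknown_rules(rules, KNOWN_RULES)}
```

On the constructed snapshot, `audit()` flags the `svc_backup` account, the stale `admin` password, the unrestricted `SSLVPN_Any` rule and the unknown `Allow_Inbound` rule, while the trusted-source SSL VPN rule passes.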
If you are unable to immediately upgrade to the latest available firmware, please follow the Mitigation Steps to minimize the risk. However, the best solution is still to upgrade to the latest available firmware.
Zyxel has been tracking the recent activity of threat actors targeting Zyxel security appliances and has released firmware patches to defend against it. The patches also include additional security enhancements based on users' feedback and security researchers' advice, which we strongly recommend users install immediately. Guidance to help you identify, remediate, and defend against the incident is available on the Zyxel forum.
The new features include:
- Vulnerability fix for the web-based management interface of the Zyxel USG/ZyWALL, USG FLEX, ATP and VPN series
- Two-Factor Authentication Enhancement
  Supports a configurable 2FA service port
- Security Check Enhancement
  Disables the HTTP port automatically while allowing WAN management in the security check wizard
- Password Change Reminder
- Log Enhancement
  Raises admin-type user change logs to alert level
Release Date: July 6th, 2021
Firmware ZLD V4.65: ZyWALL USG Series/ZyWALL 110/310/1100
Firmware ZLD V5.02: ZyWALL ATP Series/ZyWALL USG FLEX Series/ZyWALL VPN Series
We recently became aware of a sophisticated threat actor targeting a small subset of Zyxel security appliances that have remote management or SSL VPN enabled. This mitigation firmware will actively guide users to follow general security best practices to reduce the attack surface. The new features include:
- Initial Setup Wizard Enhancements
  Helps users enforce security policies against access to the web management interface and SSL VPN service from the Internet.
- Security Policy Check
  Shows misconfiguration of security policies through a pop-up notification, along with firmware update and change password reminders.
- Configurable SSL VPN and WAN Access
  Separates the access options for the SSL VPN and WAN Access services.
- Log Enhancement
  Provides a log history when a user object has been changed.
- GeoIP Now a Complimentary Feature
  Built-in GeoIP feature to strengthen access security, now available free of charge for the entire firewall range.
Release Date: June 28th, 2021
Firmware ZLD4.64: ZyWALL USG Series/ZyWALL 110/310/1100
Firmware ZLD5.01: ZyWALL ATP Series/USG FLEX Series/VPN Series
Is Let's Encrypt SSL certificate support planned on the USG40 (and higher)?
With which version is this activated?
Best Practices to Secure a Distributed Network Infrastructure
In the post-pandemic era, more and more employees are required to work primarily from home, so the way people connect and the way they access corporate resources has changed forever. Now that the network perimeter is no longer fixed in the office, securing a distributed network infrastructure to support a more fluid way of working has become a challenge for IT professionals.
1. Reduce the attack surface
- Change account passwords regularly. Zyxel firewalls support periodic password-change notifications and stronger complexity requirements.
- Any Internet-facing service carries a risk of a security breach. Start by investigating which services or applications must be open for remote access. Because of the new WFH culture, many SMBs need remote administrative login to network equipment, as well as employee access to the office network via SSL VPN or L2TP VPN.
- Configure your perimeter firewall correctly, based on the least privilege principle. For example, if remote admin access/SSL VPN is required, implement a geo-IP restriction list while explicitly allowing access only from a set of source IPs or countries. If you are using a Zyxel firewall, here is a link to the how-to.
- Configuring 2FA authentication for your administrative login adds an extra layer of security. Zyxel firewalls support 2FA for VPN connections and admin access. Here are the tutorials on how to implement the 2FA feature: Case 1: 2FA for SSL VPN connections; Case 2: 2FA for admin access.
- If you want to completely lock your network from WAN access, and no WebGUI/SSL VPN tunnel is required, you can move the default rule (WAN_to_Device) to the first position and keep the last rule as "deny".
2. Patch! Patch! Patch!
The vast majority of cyberattacks take advantage of known software and hardware vulnerabilities (not to mention unsuspecting users!). The 2015 edition of the Verizon Data Breach Investigations Report revealed that 70% of successful cyberattacks exploited known vulnerabilities in software with available patches. This means that many victims could have prevented a data breach if they had only updated their OS and apps. Think of a software patch as armor that repels attacks and protects against various exploits. However, with the sheer number of vulnerabilities being exposed all the time (hundreds of millions of new pieces of malware are released each year), many IT professionals struggle to keep pace in the arms race between the hackers discovering security holes and the "good guys" releasing patches to cover them up.
Though it is difficult, bear in mind that unpatched software can be a magnet for malware and viruses, especially in widely used apps like Adobe Flash or Microsoft Office. A classic example is the global wave of cyberattacks and data breaches that began in January 2021. After four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, attackers gained full access to user emails and passwords, administrator privileges, and access to connected devices on the same network.
There are plenty of network inventory tools that can help IT professionals spot unpatched endpoints or servers, and even make life easier by automating the patching process!
3. Be wary of phishing
Cyber attackers use phishing techniques such as spam emails and phone calls to find out information about employees, obtain their credentials, or infect systems with malware.
The basic defense can be simple and consists of only two steps:
- Get a properly configured spam filter and ensure that the most obvious spam is always blocked.
- Educate your employees about popular phishing techniques and the best ways to deal with them.
Luckily, education and awareness training do work, and people are now much more aware of cyber threats. Verizon's 2018 Data Breach Investigations Report, which highlights that 73% of people did not click on a single malicious email in 2017, is a good example.
4. Use two-factor authentication
Two-factor authentication (2FA, also known as 2-step verification) is an additional layer of security that ensures only authenticated users gain access to an online account. Initially, a user enters their username and password as usual. Then, rather than gaining access straight away, they are required to provide an additional credential.
This second factor could be one of the following:
- Something you own: a code from an authenticator app on your mobile phone, or a code sent by SMS to your phone.
- Something you are: a biometric indicator, like your fingerprint (Touch ID) or facial recognition (Face ID).
With 2FA, a compromise of the password alone does not compromise the account. As a result, even if your password is stolen or your mobile phone goes astray, it is unlikely that someone else will have access to both factors.
5. Back up your data
Backing up data is one of the best practices of information security that has gained increased relevance in recent years. With the advent of ransomware, having a full and current backup of all your data can save your business when bad things happen.
Handle backups by making sure that they are well protected, encrypted, and frequently updated. It is also important to divide backup duties among several people to mitigate insider threats. The United States Computer Emergency Readiness Team (US-CERT) provides a document detailing different data backup options.
6. Raise employee awareness
Leaving the office network means missing out on some basic security protections provided by the company's security products that run on corporate networks, many of which are invisible to the employee. We would like to share best practice advice for all employees on how to keep devices and data secure when working from a location other than the office network.
First off, employees must consider the environment they are working in. For many, "home" means working from a location where they will not be overlooked and are at no immediate risk of having a device stolen or tampered with. But the unfortunate reality is that your home may not be as safe and secure as you think it is.
Ten tips that will greatly improve your security level:
- Those working in shared or public locations should lock their screens when not in use and always have physical possession of the device.
- A VPN should always be used when working from home.
- Do not allow family members or friends to access work devices for non-work tasks.
- Create and maintain strong passwords. Do not write down the password on a post-it.
- Always apply new security updates to operating systems and applications immediately!
- Update the security of other devices on the home network, such as the home router, with the latest firmware and always change the default password.
- Do not connect non-work USB drives to your work device.
- Do not transfer data from personal devices to work devices or vice versa.
- Use a headset to avoid having calls overheard.
- Know how to contact the company IT for advice in the case of suspicious
4 steps to enjoy advanced ZYXEL services!
1. Where can I purchase the licenses?
Buy online directly. Already a ZYXEL Partner?
✓ Yes: go to Circle
✕ No: just visit Zyxel Marketplace
P.S. You may also find the above links in the upper right corner of any ZYXEL portal.
Find a Store near you Here!
2. Where can I register the licenses?
For a Nebula service, register it in Nebula Control Center.
Navigate to Organization-wide > Configure > License & Inventory and click on Action.
Picture 1. Device related service in Nebula
For an MSP license, navigate to My device & services and click on Register.
Picture 2. For MSP license in Nebula
Register other services in myZyxel.
Picture 3. License registration in myZyxel
3. Link/Associate the license to the device
The following license(s) can skip this step:
- Nebula MSP license
Other licenses are device-based; they need to be linked/associated to the device in myZyxel or Nebula, as the following pictures show:
Picture 4. Link license in myZyxel
For Nebula, navigate to Organization-wide > Configure > License & Inventory > License, select the licenses and click on Action.
Picture 5. Link/Associate license in Nebula
A wizard helps you assign the licenses to the devices.
Picture 6. Assign licenses wizard in Nebula
4. How to activate the license?
The license must be activated before you can start using the service. Some licenses are activated automatically once payment is successful. If not:
A. A Nebula service can only be activated in Nebula Control Center.
- For an NCC service, if all devices in the organization have enough licenses (every device needs at least one NCC license), you will see the "Upgrade now" button. Once the organization is upgraded successfully, all licenses are activated automatically.
Navigate to Organization-wide > Configure > License & Inventory and click on Upgrade now.
Picture 7. Activate license in Nebula
- For a UTM/Secure WiFi service, a UTM license registered from NCC is activated automatically in most cases. If not, you can activate it from NCC as follows:
Navigate to Organization-wide > Configure > License & Inventory, click on the Device tab and hover over the License info of the device.
Picture 8. Activate UTM/Secure WiFi license in Nebula
- An MSP license must be activated manually.
Navigate to My device & services for the MSP license and click on Activate for the license.
Picture 9. Activate MSP license in Nebula
B. Activate in the device web GUI (only for on-premises mode of a security gateway)
Log in to your device's Web GUI, go to Configuration > Licensing > Registration > Service, and click the Activate button to activate the license.
Picture 10. Activate license in Device
After the service has been activated, click the Service License Refresh button to update the Status.
Picture 11. Refresh service after activating license in Device
C. Activate in myZyxel
- Navigate to Device Management > My Device and click on the MAC Address hyperlink of your device.
- In the Linked Services tab, click on the Details button of the license.
- Click the Activate button to activate the service license.
Picture 12. Activate license in myZyxel