Best Practices to Secure a Distributed Network Infrastructure

Zyxel_Jerry Posts: 457  Zyxel Employee
edited July 28 in Security


In the post-pandemic era, more and more employees are forced to work primarily from home; thus the way people get connected and the way they access corporate resources have changed forever. Now that the network perimeter is no longer fixed in the office, securing a distributed network infrastructure to support a more fluid type of working has become a challenge for IT professionals.



1.   Reduce the attack surface

  • It's recommended to change account passwords regularly. Zyxel firewalls support a notification to change the password regularly, together with stronger password complexity.

  • Whenever you provide Internet-facing services, there is always a risk of a security breach. Start by investigating which services or applications must be opened for remote access. Because of the new WFH culture, many SMBs need remote access for administrative login to network equipment, as well as employee access to the office network via SSL VPN or L2TP VPN.

  • Configure your perimeter firewall correctly, based on the least-privilege principle. For example, if remote admin access or SSL VPN is required, you can restrict access by geo-IP while explicitly allowing access from a set of source IPs or countries. If you are using a Zyxel firewall, here is a link about how to do it.

  • Configuring 2FA for your administrative login adds an extra layer of security. Zyxel firewalls support 2FA for VPN connections and admin access. Here are the tutorials on how to implement the 2FA feature: Case 1: 2FA for SSL VPN connection; Case 2: 2FA for admin access.

  • If you are determined to completely lock your network from WAN access, and no WebGUI/SSL VPN tunnel is required, you can move the default rule (WAN_to_Device) to be the first rule and keep the last rule as “deny”.
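The ordering advice above (and the question it raised in the replies) comes down to how a first-match policy table is evaluated: an allow rule placed first only reduces the attack surface if its service group is narrow, and the final deny catches everything else. The following is an added example, not Zyxel's code and not a model of any specific firmware; the geo-IP table, zone names, service names and rule names are all constructed for illustration. It evaluates a small WAN-to-Device policy in first-match order, applies a geo-IP allowlist to the HTTPS admin rule, and includes an audit function that reports which services an unrestricted allow rule exposes from WAN, which is exactly what goes wrong if HTTP/HTTPS creeps into the VPN service group.

```python
import ipaddress
from dataclasses import dataclass

# Constructed geo-IP table for the example (sample data, not a real GeoIP database).
GEOIP = {
    "203.0.113.0/24": "TW",   # pretend: the company's home country
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "BR",
}


def country_of(ip: str) -> str:
    """Map a source address to a (constructed) country code; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return "??"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    services: frozenset                 # service names; "ANY" matches every service
    action: str                         # "allow" or "deny"
    countries: frozenset = frozenset()  # empty = no geo-IP restriction
    sources: tuple = ()                 # CIDR strings; empty = any source address

    def matches(self, from_zone: str, to_zone: str, service: str, src_ip: str) -> bool:
        if (self.from_zone, self.to_zone) != (from_zone, to_zone):
            return False
        if "ANY" not in self.services and service not in self.services:
            return False
        if self.countries and country_of(src_ip) not in self.countries:
            return False
        if self.sources and not any(
            ipaddress.ip_address(src_ip) in ipaddress.ip_network(n) for n in self.sources
        ):
            return False
        return True


def evaluate(policy, from_zone, to_zone, service, src_ip):
    """First-match evaluation: the first rule that matches decides. Traffic that
    reaches the end of the list hits the implicit deny."""
    for rule in policy:
        if rule.matches(from_zone, to_zone, service, src_ip):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def wan_admin_exposure(policy):
    """Audit check: which services can reach the device from WAN through an allow
    rule that carries no geo-IP or source restriction? Only VPN services should appear."""
    exposed = []
    for rule in policy:
        if (rule.action == "allow" and (rule.from_zone, rule.to_zone) == ("WAN", "Device")
                and not rule.countries and not rule.sources):
            exposed.extend(sorted(rule.services))
    return exposed


# The built-in VPN services are the only thing the first rule should allow from WAN.
VPN_SERVICES = frozenset({"IKE", "NATT", "L2TP"})

GOOD_POLICY = [
    Rule("Default_Allow_VPN_From_WAN_To_ZyWALL", "WAN", "Device", VPN_SERVICES, "allow"),
    Rule("Admin_HTTPS_From_Home_Country", "WAN", "Device", frozenset({"HTTPS"}), "allow",
         countries=frozenset({"TW"})),
    Rule("WAN_to_Device_Deny", "WAN", "Device", frozenset({"ANY"}), "deny"),
]

# Same policy, but HTTPS has been added to the service group of the first rule.
BAD_POLICY = [
    Rule("Default_Allow_VPN_From_WAN_To_ZyWALL", "WAN", "Device",
         VPN_SERVICES | {"HTTPS"}, "allow"),
] + GOOD_POLICY[1:]

if __name__ == "__main__":
    for label, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, "HTTPS from 198.51.100.7 ->",
              evaluate(pol, "WAN", "Device", "HTTPS", "198.51.100.7"))
        print(label, "exposed from WAN without restriction:", wan_admin_exposure(pol))
```

Running it shows the difference the reply thread describes: with the narrow service group, HTTPS from an address outside the allowed country falls through to the deny rule, while the same request is allowed by the first rule once HTTPS is part of its service group. The `wan_admin_exposure` check is the kind of review worth repeating whenever a service group object is edited.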

2.   Patch! Patch! Patch!

The vast majority of cyberattacks take advantage of known software and hardware vulnerabilities (not to mention unsuspecting users!). The 2015 edition of the Verizon Data Breach Investigations Report revealed 70% of successful cyberattacks exploited known vulnerabilities from software with available patches. This means that many victims could have prevented a data breach if they’d only updated their OS and apps. Think of a software patch as an armor that repels attacks and protects against various exploits. However, with the sheer number of vulnerabilities being exposed all the time (hundreds of millions of new pieces of malware released each year), many IT professionals struggle to keep pace in the arms race between the hackers discovering security holes and the “good guys” releasing patches to cover them up.

Though it’s difficult, bear in mind that unpatched software can be a magnet for malware and viruses, especially widely used apps like Adobe Flash or Microsoft Office. A classic example of this is the global wave of cyberattacks and data breaches that began in January 2021. After four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, attackers gained full access to user emails and passwords, administrator privileges, and access to connected devices on the same network.

There are tons of network inventory tools that can help IT professionals spot unpatched endpoints or servers, and even make life easier by automating the patching process!
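The core of any such inventory check is comparing each device's running version against the minimum version that carries the fix, and the classic mistake is comparing version strings as text. The following is an added example, not the code of any particular inventory product; the CSV export, product names and minimum-version table are constructed sample data. It compares versions numerically (so 5.10 is newer than 5.9 and 3.4 equals 3.4.0), refuses to silently skip products it has no baseline for, and shows beside it what a naive string comparison would report on the same data.

```python
import csv
import io
import re


def parse_version(v: str) -> tuple:
    """Turn a version string such as '5.10' or '15.2.1' into a tuple of ints."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b. Missing components count as 0, so 3.4 == 3.4.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


# Constructed inventory export (hostname, product, running version): sample data only.
INVENTORY_CSV = """hostname,product,version
fw-hq,firewall,5.9
fw-branch1,firewall,5.10
srv-mail,mailserver,15.2.1
srv-files,fileserver,3.4
"""

# Constructed "minimum patched version" table; in practice this comes from vendor advisories.
MIN_PATCHED = {"firewall": "5.10", "mailserver": "15.2.3", "fileserver": "3.4.0"}


def find_unpatched(csv_text: str, minimums: dict) -> list:
    """Return [(hostname, running, required)] for every host below its minimum patched version.
    Hosts whose product has no baseline are reported too, never silently skipped."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        required = minimums.get(row["product"])
        if required is None:
            out.append((row["hostname"], row["version"], "NO-BASELINE"))
            continue
        if version_lt(row["version"], required):
            out.append((row["hostname"], row["version"], required))
    return out


def find_unpatched_naive(csv_text: str, minimums: dict) -> list:
    """The same check with plain string comparison, kept only to show why it is wrong."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        required = minimums.get(row["product"])
        if required is not None and row["version"] < required:
            out.append(row["hostname"])
    return out


if __name__ == "__main__":
    print("numeric:", find_unpatched(INVENTORY_CSV, MIN_PATCHED))
    print("naive  :", find_unpatched_naive(INVENTORY_CSV, MIN_PATCHED))
```

On the sample data the numeric check flags fw-hq (5.9 < 5.10) and srv-mail (15.2.1 < 15.2.3). The string comparison misses fw-hq entirely because "5.9" sorts after "5.10" as text, and wrongly flags srv-files because "3.4" is a prefix of "3.4.0"; an unpatched perimeter firewall hidden behind a false negative is the worst outcome an inventory tool can produce.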


3.   Be wary of phishing

Cyber attackers use phishing techniques such as spam emails and phone calls to find out information about employees, obtain their credentials, or infect systems with malware.

The basic defense can be simple and consists of only two steps:

-    Get a properly configured spam filter and ensure that the most obvious spam is always blocked.

-    Educate your employees about popular phishing techniques and the best ways to deal with them.

Luckily, education and awareness training do work, and people now are much more aware of cyber threats. Verizon’s 2018 Data Breach Investigations Report, which highlights that 73% of people didn’t click on a single malicious email in 2017, is a good example.


4.   Use two-factor authentication

Two-factor authentication (2FA, aka 2-step verification) is an additional layer of security to ensure only authenticated users gain access to an online account. Initially, a user will enter their username and password, as usual. Then, rather than gaining access straight away, they will be required to provide an additional credential.

This second factor could be one of the following: 

- Something you own: a code from an authenticator app on your mobile phone, or a code sent by SMS to your phone. 

- Something you are: a biometric indicator, like your fingerprint (Touch ID) or facial recognition (Face ID)


With 2FA, a potential compromise of the password will not compromise the account itself. As a result, even if your password is stolen or your mobile phone goes astray, the chances of someone else having access to both factors are slim.

Here is how the Zyxel solution can help you enforce 2FA.


5.   Back up your data

Backing up data is one of the best practices of information security that has gained increased relevance in recent years. With the advent of ransomware, having a full and current backup of all your data can save your business when bad things happen.

You can handle backups by making sure that they’re well protected, encrypted, and frequently updated. It’s also important to divide backup duty among several people to mitigate insider threats. The United States Computer Emergency Readiness Team (US-CERT) provides a document detailing different data backup options.
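A backup that has never been verified is a hope, not a control: ransomware and silent corruption both tend to be discovered at restore time. The following is an added example, not from the post or from US-CERT's document, of the two checks a practitioner wants automated: a SHA-256 manifest recorded when the backup is taken, and a verification pass that reports missing or altered files and whether the backup is older than the allowed age. All files and contents are constructed inside a temporary directory so it runs offline; the "damage" step simulates what an unprotected copy looks like after tampering.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root, plus when the manifest was taken."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"taken_at": int(time.time()), "files": files}


def verify_backup(manifest: dict, root: Path) -> dict:
    """Compare a backup copy against the manifest recorded when it was made."""
    missing, modified, ok = [], [], 0
    for rel, digest in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            modified.append(rel)
        else:
            ok += 1
    return {"ok": ok, "missing": missing, "modified": modified}


def is_stale(manifest: dict, max_age_s: int, now: Optional[int] = None) -> bool:
    """'Frequently updated' as a check: is the newest backup older than the allowed age?"""
    now = int(time.time()) if now is None else now
    return now - manifest["taken_at"] > max_age_s


def demo() -> dict:
    """Create constructed sample data, back it up, verify, then damage the copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "live"), Path(tmp, "backup")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "plan.txt").write_text("constructed sample content\n")
        (src / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        shutil.copytree(src, dst)

        manifest = build_manifest(dst)
        # Store the manifest separately from the backup media, or it can be rewritten with the data.
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest))
        clean = verify_backup(manifest, dst)

        # Simulate what ransomware or bit rot does to an unprotected copy.
        (dst / "ledger.csv").write_bytes(b"\x00" * 32)
        (dst / "docs" / "plan.txt").unlink()
        damaged = verify_backup(manifest, dst)

        two_days_later = manifest["taken_at"] + 2 * 86400
        return {"clean": clean, "damaged": damaged,
                "stale_after_2d_with_1d_limit": is_stale(manifest, 86400, two_days_later)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself is worth protecting (a signed copy kept off the backup media is the usual approach), and the same `verify_backup` routine run against a test restore, rather than against the backup volume, is what actually proves the data can come back.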



6.   Raise employee awareness

Leaving an office network means missing out on some basic security protections provided by the company's security products that run on corporate networks, many of which are invisible to the employee. We would like to share best practice advice for all employees on how to keep devices and data secure when working from a location other than the office network.

First off, employees must consider the environment they are working in. For many, "home" means working from a location where they will not be overlooked and are at no immediate risk of having a device stolen or tampered with. But the unfortunate reality is that your home may not be as safe and secure as you think it is.

Ten tips that will greatly help you improve your security level:

- Those working in shared or public locations should lock their screens when not in use and always have physical possession of the device.

- A VPN should always be used when working from home.

- Do not allow family members or friends to access work devices for non-work tasks.

- Create and maintain strong passwords. Do not write down the password on a post-it.

- Always apply new security updates to operating systems and applications immediately!

- Update the security of other devices on the home network, such as the home router, with the latest firmware and always change the default password.

- Do not connect non-work USB drives to your work device.

- Do not transfer data from personal devices to work devices or vice versa.

- Use a headset to avoid having calls overheard.

- Know how to contact the company IT for advice in the case of suspicious activities. 



All Replies

  • rookierunner
    rookierunner Posts: 13  Freshman Member
    @Zyxel_Jerry - can you explain why moving the policy to be the first rule will limit the attack surface?  The policy still allows traffic from WAN to ZyWALL because the policy is to allow traffic, not deny.
  • kunz
    kunz Posts: 14  Freshman Member
    edited July 5
    Yup, I think the WAN to ZyWALL, maybe that should be deny…all
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 894  Zyxel Employee
    edited July 5
    Hi @rookierunner
    The first rule is for the built-in VPN services (e.g. IPSec VPN, L2TP VPN).
    You can also make sure the group objects do not include HTTP/HTTPS in allow rules.
    Then HTTP/HTTPS request traffic from WAN to ZyWALL will be blocked by the default rule.
  • rookierunner
    rookierunner Posts: 13  Freshman Member
    Thanks @Zyxel_Stanley!  That makes sense.  I think I am going to update the name of the service to “Default_Allow_VPN_From_WAN_To_ZyWALL” to make it more clear about what that service allows.

    Also, if I only use the L2TP VPN, can I disable the default “SSL_VPN_to_Device” rule (#12 in your picture above) and the default “TUNNEL_to_Device” rule (#13 in your picture above)?

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 894  Zyxel Employee

    Hi @rookierunner

    “SSL_VPN_to_Device” and “TUNNEL_to_Device” are configurations for SSL VPN and VPN tunnel traffic.

    After creating VPN rules, the system will join the VPN tunnels as zone members automatically.

    You can move your mouse over the zone and check whether any member exists in the drop-down list.

    If not, you can inactivate the rule from your policy control rule.
