Wish there was a dedicated GE port just for Admin stuff for the GUI.

kunz
kunz Posts: 14  Freshman Member
edited July 20 in Security Ideas
I wish there was a dedicated “Admin” GE port, besides having the DB9 Console port for the CLI.

The Console port is ok, but  I think that would be really nice to have a dedicated GE port just for the Admin GUI that It would be isolated from all internet traffic and lan traffic to the dedicated Admin Laptop/Desktop. Although updating the firmware and subscription to security service updates through the said dedicated port would maybe inspire more confidence and ease with the peace of mind that the dedicated Laptop/Desktop will not connect all over the place, since it will be isolated. Configure to your hearts content.

The recent “sophisticated threat actor” is really very worry some. 

Plus the “Help” feature I wish was just in the Zyxel device and not having to connect to the internet all the time while configuring the device. I think the old USG50 that we had before, had the “Help” feature already in there together when ever the firmware was upgraded, the help was also updated together with the release notes. It was a long time ago, but I think it was. Now you have to connect to the internet just for the “Help” while configuring. 

Well I guess it’s just a wish.
1 votes

Active · Last Updated

Comments

  • EricNepean2
    EricNepean2 Posts: 6
    edited July 3
    Port 5 on my USG40W is not being used for anything. I have designated this as my rescue port. Could also be dsignated as the "admin" port. I gave this port its own zone; the DHCP pool for this port has a unique range. My security policies are such that this zone is not connected to the WAN, nor to other LAN Ports, and there are no barriers between this port and the Zywall. Haven't checked but I think its possible to restrict a user (e.g. admin) to connecting only from one IP range or one zone.
  • dpipro
    dpipro Posts: 54  ZCNE Certified
    Hi @EricNepean2

    yes you can restrict by Zone and IP Address at System -> WWW-> Admin Service Control

    Best regards
  • kunz
    kunz Posts: 14  Freshman Member
    edited July 3
    EricNepean2

    I did something similar with my ATP500, using Port 4. Created it’s own zone. I did not follow the default LAN and created my own zones for all ports.  Originally, I created a specific object ip address for each the ATP500 and the Admin device in a restrictive net mask 255.255.255.252. But after a couple of resets, I decided to go with Configuration>Object>IPv4 Address Configuration with object name “admin-subnet-ge-4” type “interface subnet” interface “ge4”.

    In the IPv4 Address Configuration output for “Name” admin-subnet-ge-4 , “Type” interface subnet , “IPv4 Address” ge-4 172…/30

    then a service object using TCP 8443 (Remote-Assitance_HTTPS)…then made a rule in Security Policy>Policy Control>

    named it admin-to-atp500, “from” zone-ge-4-admin, “to” ZyWALL, “source” admin-subnet-ge-4 (your admin device), “destination” atp500-ip-address (the atp500 address in port 4), “service” Remote-Assistance_HTTPS (TCP 8443) , “user” any, “schedule” none, “action” allow, “log matched traffic” log

    For “Profile” DNS Content Filter “admin-to-atp500” ( made one where all is checked except for “Private IP Address”, there was no option to add the specific private ip address ).

    The rule after that, is the “Default”, set to “deny” and “alert log”…quite frankly I did get locked out a couple of times in while creating this…did a couple of resets…

    Further up the rule set, I did a rule to “ssh-to-deny-any”,actually my first rule. Will up date that in a later time with a rule against Remote Terminal access, I don’t do any remote management from the WAN side and or even within the network. Not a large network at all. It’s just easier to just physically go to the client device to troubleshoot them there, then just check atp500 logs and adjust policy any rules accordingly if there any issues really. Vice versa, if need be. 

    If I really needed to do any console stuff, I guess i would use the dedicated console port for that. Basically I don’t allow any terminal access within the network, may that be SSH, Telnet, etc. 

    With the earlier firmware, quite a while back the….Configuration>System>FTP>General Settings>check box for “Enable” kept on being enabled once in a while, no matter how much I kept on unchecking the box…after a period of time…it would would have a check again???

    But with the recent past two or three firmware release, it seemed to no longer happen…unfortunately, now it’s the SSH page…the ”Enable” check box, seems to enable itself from time to time, even when you constantly disable the service check box…it’s annoying actually…not sure if it’s a bug…In the “Service Control” part of the SSH page, I added ALL>ALL>Deny…together with the Policy Control of deny SSH…I suppose that should work.

    Anyway i hope this helps, just sharing.


    Thanks

    Kunz