[2023 Mar. Security Monthly Express] Every Network Professional thinks “this security” is a must-have

zyxel_Lin, Zyxel Employee

70% of Threats Can Be Stopped by Reputation Filter Service

While running a daily business, it is possible to become a victim of a well-known cyberattack such as WannaCry, botnets, cryptojacking, and many more. Cyberattacks never stop, and the risk spikes when your network isn’t patched. IP Reputation technology inspects a connection as it is being established to determine whether it is related to threat activity. 70% of threats can be stopped by the Reputation Filter Service, and it requires only a little computing power.

When it comes to the Zyxel Reputation Filter, we are talking about 3 services: IP Reputation, DNS Threat Filter, and URL Threat Filter. In this article, we're going to show you how the Reputation Filter services work and how they are used.

IP Reputation - Keep Networks Secure

The IP Reputation service provides a database of known malicious public IP addresses, which enables the gateway to take action when it sees traffic to or from an IP address on the list.

Note! IP Reputation only supports IPv4 addresses.

URL Threat Filter - Keeps Malicious Sites Away

URL Threat Filter helps mitigate malware and phishing attacks by blocking malicious webpages, filtering traffic based on URL category. It compares each requested URL against a database of blocked or allowed sites. Both the USG FLEX and ATP series support URL Threat Filter.

Note! URL Threat Filter only checks HTTP (port 80) and HTTPS (port 443) traffic.

DNS Threat Filter - Completes the Reputation Services

DNS Threat Filter blocks domain names based on categorization and databases that are known on the internet. If a domain is known to have been used for, e.g., phishing, the firewall automatically blocks that domain once a user tries to access it. DNS Threat Filter is effective against any IP protocol.

Difference between URL Threat Filter and DNS Threat Filter

In the packet flow, DNS Threat Filter has higher priority than URL Threat Filter. When both URL Threat Filter and DNS Threat Filter are enabled, the traffic is checked by DNS Threat Filter first. If the access is blocked by DNS Threat Filter, it is not sent to URL Threat Filter for checking.

Using URL Threat Filter, we can block access to a malicious webpage, http://example.com/malicious, but allow access to a safe webpage, http://example.com/pictures. With DNS Threat Filter, we can only block access to all web pages under http://example.com.
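The check order and the difference in granularity described above can be modelled in a few lines. This is an added example, not Zyxel firmware code; the blocklist entries, the function names, and the parent-domain and path-prefix matching rules are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample lists (illustrative values, not real threat data).
DNS_BLOCKED_DOMAINS = {"phish.example.net"}
URL_BLOCKED = {("example.com", "/malicious")}
URL_FILTER_PORTS = {80, 443}   # per the note above: only HTTP/HTTPS is checked
DEFAULT_PORTS = {"http": 80, "https": 443}


def domain_blocked(host, blocked):
    """True if host or a parent domain is listed (assumed matching rule)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def url_blocked(host, path, blocked):
    """True if (host, path) is at or under a listed URL (assumed prefix rule)."""
    for b_host, b_path in blocked:
        prefix = b_path.rstrip("/") + "/"
        if host.lower() == b_host and (path == b_path or path.startswith(prefix)):
            return True
    return False


def evaluate(url, dns_blocked=DNS_BLOCKED_DOMAINS, url_list=URL_BLOCKED):
    """Return (verdict, stage) for one request, in the order the text gives."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    # Stage 1: DNS Threat Filter sees only the domain name and runs first.
    if domain_blocked(host, dns_blocked):
        return ("block", "dns")           # never reaches URL Threat Filter
    # Stage 2: URL Threat Filter sees the full URL, but only on ports 80/443.
    if port not in URL_FILTER_PORTS:
        return ("allow", "url-skipped")   # coverage gap: URL not inspected
    if url_blocked(host, parts.path or "/", url_list):
        return ("block", "url")
    return ("allow", "url")


if __name__ == "__main__":
    for u in ("http://example.com/malicious", "http://example.com/pictures",
              "http://example.com:8080/malicious", "https://login.phish.example.net/x"):
        print(u, evaluate(u))
```

The `url-skipped` result marks the coverage gap an administrator should keep in mind: a web server on a non-standard port is outside URL Threat Filter's scope, so only the DNS and IP reputation checks apply to it.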

What can we do about DoH?

Modern browsers and the latest operating systems use new encryption technologies – DNS over TLS (DoT) and DNS over HTTPS (DoH) – to combat unauthorized DNS services. These can be a great tool for privacy protection, but they can also expose your organization and IT professionals to potential threats. To provide precise visibility of internal network traffic, Zyxel is working to fully integrate the DNS over HTTPS (DoH) protocol with the ATP/USG FLEX series in a secure way that will help every organization enhance its cybersecurity. Once the firewall detects DNS over HTTPS queries from clients to known DoH servers, it blocks these DNS queries to prevent users from bypassing internet restriction policies.

The USG FLEX/ATP Gold Security Pack now supports the Reputation Filter service, consisting of IP Reputation, DNS Threat Filter, and URL Threat Filter, providing granular protection against ever-evolving cyber threats.