[2023 June Security Monthly Express] 7 Easy Ways to Reduce Your Attack Surface

zyxel_Lin, Zyxel Employee


As securing your networks has always been Zyxel's top priority, our security experts constantly work on adding new features and collaborating with cybersecurity researchers to address and investigate potential security exploits that may affect our products. In this article, we share the 7 easy ways you can reduce your attack surface.

1. Block access to administrative WebGUI from outside the Internet-facing firewall

Do not access the administrative WebGUI from outside the security perimeter. Make sure a strict access control policy is properly configured on your Internet-facing firewall, and double-check your active access control policies. Block access to the Internet-facing firewall itself over HTTP, HTTPS, PING, SSH, SSL VPN, and TELNET. Alternatively, you can deploy a cloud-managed firewall, where there is no direct administrative access to the firewall appliance, thus keeping those holes closed.

2. If you’re not using VPN, disable it

Based on our investigation of the recent CVE-2023-33009 and CVE-2023-33010, the VPN service is the main target. In addition to upgrading to the latest firmware, we strongly advise disabling VPN services if you are not using any VPN features such as L2TP, Site-to-Site VPN, or Remote Access VPN. Here is the procedure to disable the VPN service.

Navigate to Object > Service > Service Group.

From the group "Default_Allow_WAN_To_ZyWALL", remove the services AH, ESP, IKE, and NATT.

If your usage is limited to a site-to-site VPN, we suggest permitting VPN services exclusively for specific source IP addresses.
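To make the two recommendations above checkable rather than just a checklist, here is an added example (not Zyxel's code, and the rule format is a constructed simplification, not the firewall's own configuration syntax) that audits WAN-to-ZyWALL allow rules: it flags management protocols reachable from the WAN, VPN services left open when VPN is not in use, and VPN services permitted from any source instead of specific peer addresses.

```python
"""Audit WAN-to-firewall allow rules against the recommendations above.

Constructed example: the Rule structure is a simplified stand-in for a
firewall policy entry, not Zyxel's configuration format.
"""
from dataclasses import dataclass

# Protocols that expose the administrative interface (section 1).
MANAGEMENT_SERVICES = {"HTTP", "HTTPS", "PING", "SSH", "SSLVPN", "TELNET"}
# Services carried by the IPsec VPN service group (section 2).
VPN_SERVICES = {"AH", "ESP", "IKE", "NATT"}


@dataclass
class Rule:
    name: str
    from_zone: str        # e.g. "WAN"
    to_zone: str          # "ZyWALL" means the firewall appliance itself
    source: str           # "any" or a specific IP/CIDR
    services: set
    action: str = "allow"


def audit(rules, vpn_in_use=False):
    """Return (rule name, finding) pairs for WAN-to-ZyWALL allow rules that
    expose the firewall more than the recommendations permit."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.from_zone != "WAN" or r.to_zone != "ZyWALL":
            continue
        mgmt = r.services & MANAGEMENT_SERVICES
        if mgmt:
            findings.append((r.name, f"management services reachable from WAN: {sorted(mgmt)}"))
        vpn = r.services & VPN_SERVICES
        if vpn and not vpn_in_use:
            findings.append((r.name, f"VPN not in use but services allowed from WAN: {sorted(vpn)}"))
        elif vpn and r.source == "any":
            findings.append((r.name, f"VPN services open to any source: {sorted(vpn)}; restrict to peer IPs"))
    return findings


# Constructed sample policy: an unrestricted default group, one rule limited to a
# site-to-site peer address, and a LAN-side admin rule that is out of scope.
SAMPLE_RULES = [
    Rule("Default_Allow_WAN_To_ZyWALL", "WAN", "ZyWALL", "any",
         {"AH", "ESP", "IKE", "NATT", "HTTPS", "SSH"}),
    Rule("S2S_peer_only", "WAN", "ZyWALL", "203.0.113.10", {"IKE", "ESP", "NATT"}),
    Rule("LAN_admin", "LAN", "ZyWALL", "any", {"HTTPS", "SSH"}),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES, vpn_in_use=True):
        print(f"[{name}] {finding}")
```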

Additionally, enforce a strict password policy for administrative accounts: a minimum of 12 characters, a combination of lower and upper case letters, numerals, and special characters, and a password change on a monthly basis. Passwords should not be reused. Always enforce two-factor authentication for administrative logins to your Internet-facing firewall.

3. Stop exposing office networks and resources to the Internet

It is risky to configure NAT/port forwarding on the Internet-facing firewall. Always deploy a VPN when your employees work from home or on the go and need to access internal network resources such as a NAS, webcam, or printer.

4. Businesses are strongly recommended to use an SSLVPN alternative

Many vulnerabilities have been discovered in SSL VPN products from top brands. There are better alternatives for securing remote access to the company network: IKEv2 with authentication (e.g. MSCHAPv2) is a better alternative to SSL VPN.

5. Deploy a multi-layered defense with an advanced security firewall

The objective is to break the cyber kill chain so that threat vectors are mitigated. Enable IP reputation and IPS: these technologies help detect port scans, Denial-of-Service, exploits, and brute-force attacks. Enable Threat Filter and Anti-malware: these technologies block the downloaders of backdoors and malware and stop phone-home connections, preventing the target from being compromised further. Proactively alert on, trace, and manage threat vectors by adopting Sandbox technology and security event analytic reports.

6. Backup configurations on a regular basis

Creating configuration backups enables you to restore a firewall configuration at any time when a network disaster strikes. To ensure high security, configuration backups should be encrypted before being saved into the database.

7. Pay attention to vendor's security advisory

Vendors usually provide customer organizations with recommendations to prepare for potential cyberattacks arising directly or indirectly from the current cyber threat crisis. It is important to stay informed and vigilant and to keep software up to date to mitigate security risks.