USG FLEX H Series - Self Protection

Zyxel_Richard Posts: 254  Zyxel Employee
edited May 17 in Other Topics


Overview

The Self Protection feature reduces the exposure of the USG FLEX H Series by limiting when the IKE service on UDP port 500 is reachable. An IKE listener that is always open on the WAN is a common target for denial of service (DoS) and other attacks against the daemon behind it. Starting with version 1.20, the firewall keeps UDP port 500 closed unless a VPN service actually needs it.

Key Features

IKE Port (UDP 500) Disabled by Default:

  • The firewall now keeps UDP port 500 closed by default, so there is nothing listening for attackers to target. The port stays closed unless a VPN service is actively enabled.

Dynamic Enabling of IKE Port:

  • When a VPN rule or VPN profile is created and active, the IKE service on UDP port 500 is enabled automatically. The port is therefore open only while VPN functionality requires it.

IP Reputation for System Protection:

  • The IP reputation service now protects the firewall itself, in addition to clients accessing the internet. Traffic to or from the firewall that involves an address with a bad reputation is blocked based on the IP reputation database, so known-malicious sources cannot use the firewall's own services for unauthorized access.

Detailed Explanation

IKE Port (UDP 500) Management

  • Disabled by Default: UDP port 500 stays in a disabled state while no VPN services are active. With no listener exposed, the attack surface for denial of service (DoS) and other exploitation attempts against the IKE daemon is greatly reduced.
  • Enabling on Demand: When a VPN tunnel or profile is configured and activated, the IKE port is enabled automatically to carry the VPN negotiation. Disabling or removing the last active VPN configuration returns the port to its closed state.
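The practical check for the behaviour above is to confirm, from a host outside the firewall, that nothing answers IKE on the WAN address while no VPN is configured, and that an IKE daemon does answer once a VPN profile is active. The script below is an added example, not Zyxel's code or part of the original post: it builds a benign IKEv2 IKE_SA_INIT request laid out per RFC 7296 (one proposal of AES-CBC-256, HMAC-SHA2-256 and DH group 14, with a random nonce and a random 256-byte KE value that is enough to elicit a reply or an error notify) and reports whether the target answered, returned ICMP port unreachable, or dropped the packet. The post only mentions UDP 500; IKE with NAT traversal also uses UDP 4500 with a four-zero-byte non-ESP marker in front of the IKE header (RFC 3948), so the script probes both ports. The firewall address on the command line is an assumption you supply.

```python
# Added example (not Zyxel's code): send a benign IKEv2 IKE_SA_INIT to UDP 500
# (and UDP 4500 with the NAT-T marker) and report whether an IKE daemon answers.
# Packet layout follows RFC 7296; the target address is supplied by the caller.
import os
import socket
import struct
import sys

IKE_PORT = 500
NAT_T_PORT = 4500
IKEV2_VERSION = 0x20                  # major version 2, minor 0
IKE_SA_INIT = 34                      # exchange type (RFC 7296 section 3.1)
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix for IKE carried on UDP 4500 (RFC 3948)

# Payload type numbers, RFC 7296 section 3.2
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE = 0, 33, 34, 40
DH_GROUP_14 = 14                      # 2048-bit MODP: public value is 256 bytes


def _transform(ttype, tid, last, attrs=b""):
    """Transform substructure: last/more flag, reserved, length, type, reserved, ID, attributes."""
    body = struct.pack("!BBH", ttype, 0, tid) + attrs
    return struct.pack("!BBH", 0 if last else 3, 0, 4 + len(body)) + body


def build_sa_payload(next_payload):
    """SA payload with one proposal: AES-CBC-256 / HMAC-SHA2-256 / DH group 14."""
    key_len = struct.pack("!HH", 0x8000 | 14, 256)   # TV attribute: Key Length = 256
    transforms = (
        _transform(1, 12, False, key_len)   # ENCR: AES-CBC
        + _transform(2, 5, False)           # PRF: HMAC-SHA2-256
        + _transform(3, 12, False)          # INTEG: HMAC-SHA2-256-128
        + _transform(4, DH_GROUP_14, True)  # D-H: group 14
    )
    # last proposal, reserved, length, proposal #1, protocol IKE (1), SPI size 0, 4 transforms
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transforms), 1, 1, 0, 4) + transforms
    return struct.pack("!BBH", next_payload, 0, 4 + len(proposal)) + proposal


def build_ke_payload(next_payload, ke_data):
    body = struct.pack("!HH", DH_GROUP_14, 0) + ke_data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_nonce_payload(next_payload, nonce):
    return struct.pack("!BBH", next_payload, 0, 4 + len(nonce)) + nonce


def build_ike_sa_init(spi_i, ke_data=None, nonce=None):
    """Complete IKE_SA_INIT request: header + SA + KE + Nonce, responder SPI zero."""
    ke_data = ke_data if ke_data is not None else os.urandom(256)
    nonce = nonce if nonce is not None else os.urandom(32)
    payloads = (
        build_sa_payload(PAYLOAD_KE)
        + build_ke_payload(PAYLOAD_NONCE, ke_data)
        + build_nonce_payload(PAYLOAD_NONE, nonce)
    )
    header = struct.pack("!8s8sBBBBII", spi_i, bytes(8), PAYLOAD_SA, IKEV2_VERSION,
                         IKE_SA_INIT, FLAG_INITIATOR, 0, 28 + len(payloads))
    return header + payloads


def parse_ike_header(data):
    """Decode the fixed 28-byte IKE header of a datagram."""
    if len(data) < 28:
        raise ValueError("short IKE header")
    spi_i, spi_r, np_, ver, xchg, flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:28])
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": np_, "version": ver,
            "exchange": xchg, "flags": flags, "message_id": msg_id, "length": length,
            "is_response": bool(flags & FLAG_RESPONSE)}


def probe(host, port=IKE_PORT, timeout=3.0):
    """Return 'ike-responding', 'closed' (ICMP unreachable), 'no-response' or 'unexpected'."""
    spi_i = os.urandom(8)
    marker = NON_ESP_MARKER if port == NAT_T_PORT else b""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))          # connected UDP so ICMP unreachable surfaces as an error
        s.send(marker + build_ike_sa_init(spi_i))
        try:
            data = s.recv(4096)
        except socket.timeout:
            return "no-response"         # silently dropped: consistent with IKE being disabled
        except ConnectionRefusedError:
            return "closed"              # ICMP port unreachable came back
    if marker and data.startswith(marker):
        data = data[len(marker):]
    try:
        hdr = parse_ike_header(data)
    except ValueError:
        return "unexpected"
    # Any response echoing our initiator SPI (a real IKE_SA_INIT reply or an error
    # notify) proves an IKE daemon is reachable on that port.
    if hdr["spi_i"] == spi_i and hdr["is_response"]:
        return "ike-responding"
    return "unexpected"


if __name__ == "__main__":
    target = sys.argv[1]   # assumption: the firewall's WAN address, given on the command line
    for p in (IKE_PORT, NAT_T_PORT):
        print(f"{target}:{p}/udp -> {probe(target, p)}")
```

Run it twice from the WAN side: with no VPN configured every port should report "no-response" or "closed"; after activating a VPN profile, UDP 500 should report "ike-responding" (and UDP 4500 as well if NAT traversal is in use). A standard `nmap -sU -p 500,4500 <wan-address>` gives a coarser open/filtered view but cannot distinguish a real IKE reply from any other datagram, which is why the script checks the echoed SPI and the Response flag.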

IP Reputation for Firewall Protection

  • Protection of the Firewall Itself: Previously, IP reputation was used mainly to keep clients on the network from reaching malicious sites. Now it also covers the firewall's own traffic: connections originating from the firewall's processes, and attempts from bad-reputation addresses to reach the firewall, are checked against the IP reputation database.
  • Mitigating Misuse of the Firewall: If an attacker gains partial access to the firewall and tries to use it as a proxy or to reach malicious sites from it, those connections are blocked when the destination has a poor IP reputation score.

Licensing Requirements

  • IP Reputation License: An active security service license is required for the firewall to use the IP reputation feature, including for protecting the firewall itself. Confirmation from the internal team is still pending, so until then make sure the necessary licenses are activated if you rely on this protection.

Conclusion

The Self Protection feature in the USG FLEX H Series adds an important layer of security by opening the IKE port only while a VPN needs it and by extending IP reputation checks to the firewall's own traffic. These changes shrink the exposed attack surface and help ensure that the firewall is not only a protector of the network but also protected itself. Make sure the required licenses are active and review the logs regularly so that blocked connection attempts and IKE port state changes do not go unnoticed.