[2024 June Spotlight] The solution you must know: Collaborative Detection & Response (CDR)

Zyxel_JudyH Posts: 13  Zyxel Employee
First Anniversary First Comment Zyxel Certified Sales Associate
edited June 4 in Security Highlight

How do Zyxel firewalls collaborate with access points to isolate threats at the network edge?

Network administrators may wish to prevent clients from engaging in malicious activities. Collaborative Detection & Response (CDR) is always our popular solution. If you're not familiar with it yet, this article demonstrates how CDR can accomplish this task.

What’s Collaborative Detection & Response (CDR)?

Collaborative Detection & Response (CDR) is used to identify threats and risks posed in the more complex organization workforce, workload, and workplace. On-premise firewalls or Nebula firewalls, providing network admins with a rule-based security policy.

The firewalls detect a threat on any of the connected clients and will sync with the Nebula control center, then automatically respond to cyber threats and contain the device(s) at the edge (Wireless Access Point) of your network.

When a client's traffic reaches its threshold in CDR, the device will block the client's traffic. It is a perfect fit for IT to address the requirements of a decentralized network infrastructure and provide automatic protection.

*Note: CDR is only supported by USG FLEX/ ATP series.

How to configure CDR?

[On-premise Firewall]

Please visit the following link to see the configuration process.

[On-cloud Firewall]

1. Go to Site-wide > Configure > Collaborative detection & response, and click on “Enable” to activate CDR feature.

Figure 1. Collaborative detection & response

2. Here is the policy table where you can configure the criteria and the actions, as the figure below:

Figure 2. Collaborative detection & response

Terms explanations:

Occurrence: How many times of threat hit [HW1] by a client. Duration: Within the time duration, CDR detects a threat. Containment: The action when both criteria have been triggered. Alert: NCC sends an alert email to administrators when triggered. Security service functions will block illegal traffic. Block: NCC sends an alert email to administrators. Gateway or AP will block the traffic and redirect it to the block page. *Block wireless client is only supported on AP. The client cannot connect to the WiFi during the block duration. Quarantine: NCC sends an alert email to administrators. AP will disconnect the client’s WiFi connection and then when the client connects to the WiFi again, it will get the quarantine VLAN IP. *Quarantine function only works on AP.

4. Block is to prevent the malicious client from accessing the wireless network, while
Quarantine is for AP (that supports CDR), which isolates clients using dynamic VLAN assignment.

5. Exempt list is a whitelist where you can input the IP or MAC of the device that you don’t want to be blocked by CDR.

 Figure 3. Exempt list

Example of a client blocked by CDR

When a client had surfed a malicious website and the act triggered the CDR criteria, the client browser will pop-out a warning message as the figure shown below:

Figure 4. CDR warning message

How can the administrator release the client?

Go to Site-wide > Monitor > Containment list, you may choose “Release” or “Add to Exempt list”.

Figure 5. Containment list