USG FLEX H Series - New Algorithm Kyber768 Supported

Zyxel_Claudia (Zyxel Employee), edited August 7 in Other Topics

The latest uOS update introduces support for the Kyber768 algorithm, which is gaining traction due to its adoption by major browsers like Google Chrome and Microsoft Edge. However, this new algorithm has also introduced an unexpected issue related to content filtering.

Background

With the adoption of Kyber768, browsers such as Google Chrome (version 134 and above) and Microsoft Edge (version 134 and above) have started sending Client Hello messages in jumbo frames: the hybrid key share is much larger than a classical one, so the Client Hello no longer fits in a single packet and is split across several. A firewall that needs to inspect the payload for the Server Name Indication (SNI) in order to apply content filtering rules can fail to find it when it sees only the first piece.

Previous Behavior (uOS Version 1.20)

  • If the firewall could not determine the SNI from a fragmented Client Hello, it would bypass the content filter.
  • This meant that regardless of the content filtering rules, the traffic would be allowed through, potentially exposing the network to unwanted or harmful content.

New Behavior (uOS Version 1.21)

  • The firewall can now inspect and reassemble fragmented traffic caused by the excessive length of the Client Hello message.
  • This allows the firewall to extract the SNI from the reassembled packet and apply the appropriate content filtering rules.
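As an added illustration (not Zyxel's code and not uOS's actual implementation), the Python below builds a constructed ClientHello whose key_share extension has the size of an X25519+Kyber768 hybrid share, splits it into TCP-segment-sized pieces, and compares a parser that only sees the first segment (the 1.20 fail-open case) with one that reassembles the stream first (the 1.21 behaviour). The segment size, the extension order and the filler extension length are assumptions chosen for the demonstration.

```python
from __future__ import annotations
import struct

MSS = 1460                 # assumption: TCP payload per segment on a 1500-byte MTU path
KYBER768_SHARE_LEN = 1216  # X25519 (32 bytes) + Kyber768 public key (1184 bytes) in the hybrid key_share

def build_client_hello(sni: str, key_share_len: int, filler_len: int = 400) -> bytes:
    """Constructed TLS record carrying a minimal ClientHello (not a complete, valid handshake).
    key_share is placed first and server_name last so the SNI bytes land in a later segment;
    a padding extension (type 21) stands in for the other extensions a browser sends."""
    name = sni.encode()
    server_name = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 51, key_share_len) + b"\x00" * key_share_len  # key_share (51)
    exts += struct.pack("!HH", 21, filler_len) + b"\x00" * filler_len        # padding (21)
    exts += struct.pack("!HH", 0, len(server_name)) + server_name            # server_name (0)
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"            # version, random, empty session_id
    body += b"\x00\x02\x13\x01" + b"\x01\x00"               # one cipher suite, null compression
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # Handshake message: ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # TLSPlaintext record

def segment(payload: bytes, mss: int = MSS) -> list[bytes]:
    """Split a TCP stream payload into MSS-sized segments (constructed stand-in for the wire)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]

def extract_sni(buf: bytes) -> str | None:
    """Return the SNI hostname, or None when the buffer does not hold the whole ClientHello."""
    if len(buf) < 9 or buf[0] != 0x16 or buf[5] != 0x01:
        return None
    rec_len = struct.unpack("!H", buf[3:5])[0]
    hs_len = int.from_bytes(buf[6:9], "big")
    if len(buf) < 5 + rec_len or rec_len < 4 + hs_len:
        return None                                   # truncated: only part of the message seen
    p = 9 + 2 + 32                                    # skip client version and random
    p += 1 + buf[p]                                   # session_id
    p += 2 + struct.unpack("!H", buf[p:p + 2])[0]     # cipher_suites
    p += 1 + buf[p]                                   # compression_methods
    ext_end = p + 2 + struct.unpack("!H", buf[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", buf[p:p + 4])
        if ext_type == 0:                             # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", buf[p + 7:p + 9])[0]
            return buf[p + 9:p + 9 + name_len].decode()
        p += 4 + ext_len
    return None

def sni_first_segment_only(segments: list[bytes]) -> str | None:
    """Model of the 1.20 behaviour: decide on the first segment alone; None means the filter is bypassed."""
    return extract_sni(segments[0])

def sni_after_reassembly(segments: list[bytes]) -> str | None:
    """Model of the 1.21 behaviour: reassemble the stream before parsing the ClientHello."""
    return extract_sni(b"".join(segments))
```

With the hybrid key share the constructed record is about 1.7 KB, so it spans two segments and the first-segment parser returns None; without it the same ClientHello fits in one segment and both parsers agree.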

Conclusion

The support for the Kyber768 algorithm and the ability to handle jumbo frames in uOS version 1.21 significantly enhances the security and effectiveness of the Zyxel firewall's content filtering capabilities. This update ensures that all traffic, including fragmented packets, is subject to rigorous inspection and policy enforcement, maintaining the integrity and security of the network.
