Security Enhancements in Switch Firmware Version 4.80/4.90

Zyxel_Claudia (Zyxel Employee)
edited August 20 in Other Topics

In this section, we discuss the security enhancements introduced in firmware version 4.80/4.90 for Zyxel switches. These updates are crucial to meet modern cybersecurity standards and improve the overall security of our networking devices. Here are the four main security enhancements included in this update:

Security Enhancement 1: PSTI Compliance

Background: The Product Security and Telecommunications Infrastructure (PSTI) regulation in the UK mandates stringent cybersecurity measures for computer products, including secure default password policies.

Solution:

  1. Mandatory Password Change on First Login:
    • Users are required to change the default admin password on their first login, both via Web GUI and CLI.
  2. Modify Default Admin Username:
    • Users can now change the default admin username, adding an additional layer of security by preventing attackers from knowing the admin username.

Security Enhancement 2: Disable Telnet by Default

Background: Telnet transmits data, including credentials, in plain text, making it vulnerable to interception and eavesdropping.

Solution:

  • Telnet is disabled by default in firmware version 4.80/4.90.
  • Users who still require Telnet can enable it manually.

Security Enhancement 3: Update SSH Algorithms

Background: OpenSSH version 8.7 and newer have deprecated the default SSH-RSA algorithm due to security vulnerabilities.

Solution:

  • The default SSH algorithm is updated to ECDSA (Elliptic Curve Digital Signature Algorithm), which is more secure and supported by modern systems.

Security Enhancement 4: Increase RSA Key Length

Background: Modern computational power and cryptographic techniques have made 1024-bit RSA keys insecure. The new standard is 2048-bit keys.

Solution:

  • The RSA host key length is increased from 1024 bits to 2048 bits.

Implementation:

  • For existing switches, users need to regenerate the RSA key through the maintenance page: SSH host keys > RSA > Regenerate key.
  • For new switch models, the 2048-bit RSA key length will be hardcoded.

Conclusion

The security enhancements in firmware version 4.80/4.90 are designed to meet modern cybersecurity standards and improve the protection of our networking devices. By implementing mandatory password changes, disabling insecure protocols by default, updating cryptographic algorithms, and increasing key lengths, Zyxel ensures a more secure and robust network infrastructure for its users.
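
Because existing switches keep their old RSA host key until it is regenerated (Enhancement 4), it is worth auditing what each switch presents after the upgrade. The following is an added example, not Zyxel code: it parses lines in the `host keytype base64` format printed by `ssh-keyscan`, reads the RSA modulus size from the key blob, and flags keys below 2048 bits. The addresses and key material are constructed samples, and the function names are hypothetical.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # RSA host key length the post gives for firmware 4.80/4.90


def read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def audit_host_key(line):
    """Classify one 'host keytype base64' line as printed by ssh-keyscan."""
    host, _declared, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    name, off = read_string(blob, 0)
    key_type = name.decode("ascii")  # trust the type inside the blob
    if key_type == "ssh-rsa":
        _e, off = read_string(blob, off)  # public exponent, not needed here
        n, off = read_string(blob, off)   # modulus as an mpint
        bits = int.from_bytes(n, "big").bit_length()
        verdict = "OK" if bits >= MIN_RSA_BITS else "FAIL: regenerate RSA host key"
        return host, key_type, bits, verdict
    if key_type.startswith("ecdsa-sha2-"):
        return host, key_type, None, "OK"
    return host, key_type, None, "REVIEW: unexpected key type"


def constructed_rsa_line(host, bits):
    """Build a sample line with a dummy modulus of the given size (not a real key)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00: positive mpint
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


# Constructed sample input using documentation addresses (RFC 5737).
SAMPLE = [
    constructed_rsa_line("192.0.2.10", 1024),  # upgraded, key not regenerated
    constructed_rsa_line("192.0.2.11", 2048),  # key regenerated
]
if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit_host_key(entry))
```

To use it against real devices, feed it the lines that `ssh-keyscan -t rsa,ecdsa <switch address>` writes to standard output.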