Collaborative Detection and Response (CDR) for H Series Firewalls

Zyxel_Lynn, Zyxel Employee
edited May 20 in Other Topics

H Series Automated Security: Collaborative Detection and Response (CDR)

The Zyxel H Series now supports Collaborative Detection and Response (CDR), an automated system that extends security beyond simple packet filtering to actively contain compromised hosts at the network edge.

CDR vs. Traditional UTM

While standard Unified Threat Management (UTM) signatures block specific malicious packets, they do not stop a compromised host from communicating with other local devices or from sending traffic that looks legitimate. CDR bridges this gap by monitoring how frequently a host triggers security services such as anti-malware, IDP/IPS, and IP reputation, and by taking action against the host identity (IP and MAC) itself rather than against individual packets.

The Containment Workflow

When a client exceeds a user-defined threshold, such as 4 security hits within 3 minutes, the firewall adds that client to a "containment list". Nebula Control Center (NCC) queries this list every 5 minutes and pushes the information to all cloud-managed Access Points (APs). This ensures that once a client is flagged, it is restricted across both the wired and wireless segments of the network.

Defensive Actions

  • Alert: Sends an email notification to the administrator without restricting the user.
  • Block: Redirects the client to a customized block page on the firewall, effectively cutting off internet access.
  • Quarantine: Specifically for wireless clients, this disconnects the user and dynamically assigns them to a restricted "Quarantine VLAN".

Implementation Best Practices

A critical configuration requirement is managing DHCP lease times. Zyxel recommends that the DHCP lease time be at least twice as long as the CDR containment duration. This prevents a new, clean device from being assigned a "blocked" IP address that previously belonged to a compromised host while that host is still on the containment list.

This feature requires a Gold Security Pack license.