Zyxel USG 1000 - TLS 1.2

mm_bret Posts: 56  Ally Member
Our USG 1000 firewalls are no longer accessible using Firefox. It complains that the
router does not support TLS 1.2.
Before we get rid of the routers, is there an update to solve this?

We have several, and they work fine.

Bret


All Replies

  • mMontana
    mMontana Posts: 1,298  Guru Member
    mm_bret said:
    Our USG 1000 firewalls are no longer accessible using Firefox. Complains the
    router does not support TLS 1.2
    Before we get rid of the routers, is there an update to solve this?

    AFAIK no. In any case, you can force disabling of weak ciphers via an SSH command. Dig into the KB; currently I don't have the URL at hand. The commands should be the same as the ones for USG20, USG50, USG100 and so on.
    mm_bret said:
    We have several, and they work fine.

    Bret

    I'm glad that you have satisfaction using them. But AFAIK, they have been out of support for a long time. The latest firmware is seven years old (January 2015). If they are publicly exposed in any way, IMVHO your safety is considerably lower than with an updated device. Moreover, I think that the configuration cannot be migrated without intermediate steps to the latest 5.x firmware version. Also, maybe a newer device can be a lower tier if you're not using all the capabilities of the USG 1000.
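A way to see what the appliance's web GUI actually negotiates, added here as an example that is not part of the thread, of the Zyxel KB, or of any Zyxel tooling: this Python script pins a client to one TLS protocol version at a time and reports which versions the HTTPS management interface accepts, so the "does not support TLS 1.2" browser error can be confirmed before a firmware change and re-checked after it. The host, port and management address used are assumptions for illustration; nothing here depends on a Zyxel-specific command.

```python
"""Probe which TLS protocol versions an HTTPS management interface accepts.

Added example (not from the forum thread or from Zyxel): run it against the
firewall before and after a firmware or cipher change to see what the browser
sees, instead of trusting the GUI's own settings page.
"""
import socket
import ssl

# Oldest to newest. Firefox (like Chrome/Edge) refuses TLS 1.0/1.1 by default,
# so a GUI that only offers those yields a "does not support TLS 1.2" error.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, port, name, timeout=5.0):
    """Attempt one handshake pinned to exactly the protocol version `name`.

    Returns (True, negotiated_cipher) if the server accepts that version,
    (False, reason) otherwise. Certificate verification is disabled on
    purpose: this tests protocol support, not the appliance's self-signed
    certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = VERSIONS[name]
        ctx.maximum_version = VERSIONS[name]
        # Drop OpenSSL's security level so our own client does not refuse
        # TLS 1.0/1.1 before the server is even asked.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError) as exc:
        return False, "client cannot offer %s: %s" % (name, exc)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cipher = tls.cipher()
                return True, (cipher[0] if cipher else "unknown cipher")
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def summarize(results):
    """Classify a {version_name: supported} map into (code, message).

    code is one of 'none', 'legacy-only', 'mixed', 'modern-only'.
    """
    supported = [v for v in VERSIONS if results.get(v)]
    legacy = [v for v in supported if v in ("TLSv1.0", "TLSv1.1")]
    modern = [v for v in supported if v in ("TLSv1.2", "TLSv1.3")]
    if not supported:
        return "none", "no TLS version accepted: host down, wrong port, or plain HTTP"
    if not modern:
        return "legacy-only", ("only %s offered; current browsers will refuse the GUI "
                               "until the device offers TLS 1.2" % "/".join(legacy))
    if legacy:
        return "mixed", ("TLS 1.2+ available (%s) but %s still enabled; disable the "
                         "legacy versions" % ("/".join(modern), "/".join(legacy)))
    return "modern-only", "only %s offered" % "/".join(modern)


def probe_host(host, port=443, timeout=5.0):
    """Probe every version in VERSIONS, print a table and a one-line verdict."""
    results = {}
    for name in VERSIONS:
        ok, detail = probe_version(host, port, name, timeout)
        results[name] = ok
        print("%-8s %-3s %s" % (name, "yes" if ok else "no", detail))
    code, message = summarize(results)
    print("verdict: %s (%s)" % (code, message))
    return results


if __name__ == "__main__":
    import sys
    # Usage (address and port are assumptions): python tls_probe.py 192.168.40.1 443
    probe_host(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
```

A "legacy-only" verdict matches the symptom described in the first post; a "mixed" verdict after the update means the browser will connect but the older protocol versions are still reachable by anyone who can hit the management port.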
  • mm_bret
    mm_bret Posts: 56  Ally Member
    Not sure I understand. PeterUK, are you saying there is a firmware update?..seems as though you are

    ..mMontana
    We use advanced features and high numbers of VPNs, L2TP VPNs as allowed by this device.

    Unfortunate, since a new TLS protocol update is probably a small detail for a firmware update.

    We'll see...we have a new pfSense device we're playing with, but Zyxel has been rock solid.
  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    mm_bret said:
    Not sure I understand. PeterUK, are you saying there is a firmware update?..seems as though you are

    The link above shows the USG1000, and that all models support the TLS 1.2 protocol with that firmware, is what I'm seeing.


  • mMontana
    mMontana Posts: 1,298  Guru Member
    edited June 2022
    mm_bret said:
    ..mMontana
    We use advanced features and high numbers of VPNs, L2TP VPNs as allowed by this device.
    Unfortunate, since a new TLS protocol update is probably a small detail for a firmware update.
    @mm_bret TLS 1.2 is not "new" at all. https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.2 According to Wikipedia, the first public RFC was dated 2008, and it was refined in 2011. Therefore, a device which was supported until 2015 has to support it. And AFAIK up to the latest "official" firmware it does, but it's not used in some defaults. According to this KB article dated March 2015 it should be possible to disable some weak ciphers also on an old USG like your 1000... And my 20W.
    Consider that if your VPNs are using weak ciphers, they might encounter some issues after the change of setup. Currently I don't trust DES/3DES/MD5 tunnels at all.
    The current enforcement of TLS 1.2 and 1.3 is to cut the rope with older and insecure security layers like SSL v1, 2, 3 and madness.
    We'll see...we have a new pfSense device we're playing with, but Zyxel has been rock solid.
    I can't say anything different for the first USG group (20, 20W, 100 are the ones I played with... the 20W really sucks as far as wireless performance goes); they were rock solid and, until lightning or dead PSUs killed them, worked like a charm and without a lot of the issues and vulnerabilities found on newer devices (4.x most of all). And I'm still using one, with a lab firmware and with Firefox 101.0.1.
    The lab firmware is two years younger than the latest USG1000 official one, but both USG 20 and USG 20W were supported longer than USG100, 200, 300, 1000 and 2000, which arrived on the market before the 20 and 50. In some environments it is still safe to use them as VPN endpoints because they call the other endpoint from behind a carrier-grade NAT or a router.

    Anyway.
    IMVHO you're using great but old machines. IMVHO you should also take a look at the USG Flex 700 (and not the USG 1900, which is going to be EOL at the end of the year), at least to have something with more up-to-date vulnerability patches.
    A few specs compared:

    Spec                 USG 1000     USG Flex 700
    Throughput SPI       400 Mbps     5,400 Mbps
    Throughput VPN AES   180 Mbps     1,100 Mbps
    Max sessions         500,000      1,600,000
    Conc. IPSec          1000         500
    Power draw           200 W        46 W

    I can see the drawback of VPN tunnels. I don't know if you're using full capacity of this on your USG 1000 but...
  • mm_bret
    mm_bret Posts: 56  Ally Member
    mMontana,
    Great comments and info.

    These USG 1000 devices are all over our infrastructure. We recently added a Gb fiber
    connection, and I soon found out the old girl may not keep up. We can only get about 350 Mb
    out of ours.

    I'll probably run the update on a backup USG 1000 to see how it affects any services. Funny, I still have a few new in boxes. Time indeed flies.

    I'll investigate the Flex 700 as well.

    Many thanks for all the comments,
    BS
  • mMontana
    mMontana Posts: 1,298  Guru Member
    If you choose a replacement, I'd like to know.
  • Zyxel_James
    Zyxel_James Posts: 606  Zyxel Employee
    Hello @mm_bret,
    We have a patch firmware for USG1000 that supports TLS 1.2, as @PeterUK provided. However, USG1000 is an EoL product; I would also recommend the USG FLEX 700 as a replacement.
    Thank you.

    James
  • mm_bret
    mm_bret Posts: 56  Ally Member
    Update.
    I updated the firmware on one of my backup USG 1000 devices to: 330AQV7ITS-WK48-r74988.bin

    The device behaved great, and allowed me to connect to it from my Firefox browser without any TLS
    version issues.

    HOWEVER the following problem presents itself
    after updating I see the attached error dialog when saving (TrustedLan1) (P3)
    configuration.

    This message did not appear under the previous firmware: 330AQV7C0.bin

    What can I do to configure p3 and p4 to be part of a single TrustedLan?

    The CLI command show interface all displays:

    1   Comcast         1000M/Full          0.0.0.0    255.255.255.248 Static
    2   wan2            Down                0.0.0.0         0.0.0.0         DHCP client
    3   TrustedLan1     Port Group Up       192.168.40.1    255.255.255.0   Static
    4   TrustedLan2     Port Group Inactive 192.168.40.243  255.255.255.0   Static
    5   dmz             100M/Full           192.168.46.1    255.255.255.0   Static
    6   aux             Inactive            0.0.0.0         0.0.0.0         Dynamic


    Can I ask this question here, or start a new thread?
    Regards,
    Bret
  • mMontana
    mMontana Posts: 1,298  Guru Member
    mm_bret said:
    Update.
    HOWEVER the following problem presents itself
    after updating I see the attached error dialog when saving (TrustedLan1) (P3)
    configuration.

    This message did not appear under the previous firmware: 330AQV7C0.bin

    What can I do to configure p3 and p4 to be part of a single TrustedLan?

    In my personal opinion, it is correct that this message appears. Overlapping subnets among different interfaces is never a good thing, unless it is "part of something bigger" like HA, trunking, bridging, and so on. Is this arrangement working? According to your message... YES. Therefore, IMO this is only an informative message.

    Anyway, test thoroughly before making any changes.

    Problem is: you have TrustedLan1 (P3,P4) and TrustedLan2 (Unknown) with the same subnet. Why? What are you trying to achieve?
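A quick way to find the overlap the post-update warning is about, added here as an example that is not part of the thread or of Zyxel's firmware: this Python script parses the `show interface all` output pasted above, turns each addressed interface into an IPv4 network, and reports every pair whose subnets overlap. The column layout the parser assumes is taken from that paste and may differ on other firmware versions; the sample text is the thread's own table, embedded here so the script runs offline.

```python
"""Flag interfaces whose subnets overlap in a `show interface all` listing.

Added example (not from the forum thread or from Zyxel). The parser assumes
the column order seen in the thread's paste: index, name, free-text status,
IPv4 address, netmask, addressing mode.
"""
import ipaddress
import re

# Sample input: the interface table pasted in the thread.
SAMPLE = """\
1   Comcast         1000M/Full          0.0.0.0    255.255.255.248 Static
2   wan2            Down                0.0.0.0         0.0.0.0         DHCP client
3   TrustedLan1     Port Group Up       192.168.40.1    255.255.255.0   Static
4   TrustedLan2     Port Group Inactive 192.168.40.243  255.255.255.0   Static
5   dmz             100M/Full           192.168.46.1    255.255.255.0   Static
6   aux             Inactive            0.0.0.0         0.0.0.0         Dynamic
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# index, name, status (may contain spaces), address, mask, trailing mode text
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*?)\s+(%s)\s+(%s)\s+(.*)$" % (IPV4, IPV4))


def parse_interfaces(text):
    """Return [(name, status, IPv4Interface or None)] for each table row.

    Interfaces with address 0.0.0.0 (down, DHCP without lease, unused) yield
    None so they are never reported as overlapping each other.
    """
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _idx, name, status, addr, mask, _mode = m.groups()
        if addr == "0.0.0.0":
            rows.append((name, status.strip(), None))
            continue
        rows.append((name, status.strip(), ipaddress.IPv4Interface("%s/%s" % (addr, mask))))
    return rows


def find_overlaps(rows):
    """Return [(name_a, name_b, network_a, network_b)] for every pair of
    addressed interfaces whose subnets overlap (same /24, nested, etc.)."""
    addressed = [(name, iface) for name, _status, iface in rows if iface is not None]
    hits = []
    for i, (name_a, a) in enumerate(addressed):
        for name_b, b in addressed[i + 1:]:
            if a.network.overlaps(b.network):
                hits.append((name_a, name_b, str(a.network), str(b.network)))
    return hits


def report(text):
    """Print the parsed table plus one OVERLAP line per conflicting pair."""
    rows = parse_interfaces(text)
    for name, status, iface in rows:
        print("%-12s %-20s %s" % (name, status, iface if iface else "(no address)"))
    hits = find_overlaps(rows)
    for name_a, name_b, net_a, net_b in hits:
        print("OVERLAP: %s (%s) and %s (%s)" % (name_a, net_a, name_b, net_b))
    return hits


if __name__ == "__main__":
    report(SAMPLE)
```

On the pasted table the only hit is TrustedLan1 and TrustedLan2, both in 192.168.40.0/24, which is exactly the condition the new firmware now warns about; a pair that is intentionally bridged or part of an HA setup would still be flagged, so treat the output as a list to review rather than a verdict.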
