If a firmware upgrade is impossible at this moment, what else can I do to avoid this vulnerability?

Zyxel_Emily Posts: 1,296  Zyxel Employee
edited June 2022 in Maintenance

1. If it is not absolutely necessary to manage the device from the WAN side, turn off the FTP/TELNET/SSH/HTTPS/HTTP/SNMPv3 services on the WAN. These services are disabled by default, so you only need to do this if you enabled them in the past.

Go to CONFIGURATION > Security Policy > Policy Control and check the services of the rule "WAN_to_Device".

Go to CONFIGURATION > Object > Service > Service group > Default_Allow_WAN_To_ZyWALL. If the service group "Default_Allow_WAN_To_ZyWALL" contains any of the services FTP/TELNET/SSH/HTTPS/HTTP/SNMPv3, remove them from the Member list.



2. If you still need to manage the device from the WAN side, enable Policy Control and add rules that only allow access from trusted source IP addresses. If you cannot compile a list of fixed source IP addresses, you can still perform remote management over a VPN and then access the device from the LAN side.

Go to CONFIGURATION > Object > Address/Geo IP > Address and click "Add" to create a trusted IP address manually. You can add as many trusted IP addresses as you need.

Go to CONFIGURATION > Object > Address/Geo IP > Address Group and click "Add" to create an address group for the trusted IPs. Move the trusted address objects to the Member list.


Go to CONFIGURATION > Security Policy > Policy Control and edit the rule "WAN_to_Device".

The original Source setting is any. Select the newly created address group “Trusted_IPs” as the Source.

Go to CONFIGURATION > Security Policy > Policy Control and make sure "Enable Policy Control" is enabled.


3. For better protection, also enable Policy Control on the LAN side and add rules that only allow trusted IP addresses.

Go to CONFIGURATION > Object > Address/Geo IP > Address and click "Add" to create a trusted LAN IP address manually. You can add as many trusted LAN IP addresses as you need.

Go to CONFIGURATION > Object > Address/Geo IP > Address Group and click "Add" to create an address group for the trusted LAN IPs. Move the trusted address objects to the Member list.


Go to CONFIGURATION > Security Policy > Policy Control and edit the rule "LAN1_to_Device".

The original Source setting is any. Select the newly created address group “Trusted_LAN_Group” as the Source.
Follow the same steps to edit the rule "LAN2_to_Device".
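As an added verification step for the WAN-side changes in steps 1 and 2 (constructed example, not from the original post or Zyxel's own tooling), the script below probes the device's WAN address for the management services the post tells you to block; the address 192.0.2.1 is a placeholder, and the default port numbers are an assumption about how the services are exposed.

```python
"""Constructed check (not Zyxel's tooling): probe the ZyWALL WAN address for
the management services the post tells you to block. Run from a host outside
Trusted_IPs, it should show every service filtered; from a trusted host, only
the services you deliberately kept should answer."""
import socket
import sys
from typing import Dict, List

# Services the post says to remove from Default_Allow_WAN_To_ZyWALL, with their
# default TCP ports. SNMPv3 (UDP 161) is omitted: a UDP port cannot be confirmed
# closed with a plain connect, so verify it in the service group instead.
MANAGEMENT_SERVICES: Dict[str, int] = {
    "FTP": 21, "SSH": 22, "TELNET": 23, "HTTP": 80, "HTTPS": 443,
}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes, i.e. the WAN_to_Device rule (or the
    default policy) let this source reach the service; refused or timed out
    means the device filtered it or is not listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_wan_management(host: str, services: Dict[str, int] = MANAGEMENT_SERVICES,
                         timeout: float = 2.0) -> Dict[str, bool]:
    """Probe each management service once; map service name -> reachable."""
    return {name: tcp_port_open(host, port, timeout) for name, port in services.items()}


def exposed_services(results: Dict[str, bool]) -> List[str]:
    """Sorted names of the services that answered (stable output for logs)."""
    return sorted(name for name, reachable in results.items() if reachable)


if __name__ == "__main__":
    wan_ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder address
    results = probe_wan_management(wan_ip)
    for name, reachable in results.items():
        print(f"{name:7s} {'REACHABLE' if reachable else 'filtered'}")
    # Exit non-zero when anything answered, so the check can run unattended.
    sys.exit(1 if exposed_services(results) else 0)
```

Run it once from an address that is not in Trusted_IPs and once from one that is; a service that answers from the untrusted host means the Source of WAN_to_Device is still any or the service is still in Default_Allow_WAN_To_ZyWALL.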