Building an extended anti-virus protection system for a small enterprise. Part 3


In this part, we continue the description of the multi-stage protection solution based on the USG Performance Series gateways, in particular the Zyxel USG40W. Previous parts: first and second. But first it is worth recalling the reasons that lead system administrators and IT security specialists to use such devices.

Next, we move on to the description of the Zyxel USG40W, covering both versions of the web interface: “Simple Mode” and “Expert Mode”.

Why do you need multi-stage protection?


One sometimes hears the opinion that multi-stage protection is a luxury rather than a necessity.

"Our office is small, there is a corporate antivirus (the Enterprise version, by the way), and it seems to be enough for now..."

Various arguments are put forward in support of this position. For example, it is repeated from all sides that encrypted traffic cannot be inspected in-line (which is natural: it is encrypted precisely so that it cannot be read on intermediate nodes).

NOTE. Modern devices carry a whole range of tools for raising the level of security, which may include antivirus, antispam, content filtering and an intrusion protection system.

Another argument sometimes made is that an anti-virus gateway appliance cannot use a behavioral analyzer, whereas a local antivirus uses this method widely.

Let's face it: it would be strange to introduce such a mechanism on an Internet gateway. Roughly speaking, imagine that every executable file, every image, in short every object, is first stored on an intermediate device, checked in a test environment on a dedicated machine, and only then, after some time, say two days, is handed to the user. A kind of "tetris by correspondence".

The off-line method described is still used, but for quite different tasks: rolling out new software, testing updates and so on. A sandbox in a closed test environment on a separate server is also one of the components of multi-stage protection. For Internet gateways, however, this kind of testing is not suitable.

NOTE. To reduce risks on the Internet, you can use a content filtering system that restricts access to pornographic sites, pirated resources and other likely malware habitats.

It is very important to understand that multi-stage protection means exactly TWO OR MORE (!) stages of protection. An anti-virus Internet gateway is in no way a replacement for the antivirus on the end device. The main task of the anti-virus gateway is to take load off the local antivirus.

For example, a large number of malicious and phishing attachments still arrive via email spam. If the local antivirus on the user's computer has to check all of the unfiltered mail, it will have a hard time, to put it mildly. An antispam gateway spares the security software on the individual computer from having to check most of these emails, and the anti-virus on the gateway can cut off a significant share of the messages carrying "surprises". Not much work is left for the local antivirus.

It is important to note that danger can arise on any computer on the network. It makes no difference that hundreds of users have everything checked perfectly if a single antivirus did not receive its updates on time and missed the malicious code. In the end, it does not matter where the trouble came from: from a single computer where the user opened a message with a trojan, or from all of them at once. Centralized cut-off of such “gifts” by the anti-spam and antivirus on the gateway protects all users covered by the protection policy.

NOTE. Use multi-stage protection to unload the local antivirus. This is especially relevant when there are many triggers for simple threats. Installing a security gateway takes over part of the work of analyzing simple cases, which has a positive effect on the speed of the system as a whole.

To understand once and for all the difference between a solution built on a single corporate antivirus and multi-stage protection, you can compare the IT infrastructure with a residential building.

Modern apartment buildings everywhere have an electronic lock with an intercom at the entrance. It is there to keep all sorts of "dubious characters" out of the stairwell, and this method of cutting off unwanted visitors justifies itself.

Yes, any method of protection is imperfect. In the case of the intercom, an intruder can slip through the open door behind a tenant, learn the intercom code, or obtain a key. So a good strong door and a reliable lock are still needed to protect the apartment. But assessing the situation as a whole, life with intercoms is much more comfortable than where the entrance doors stand open and every resident has to take care of security alone.

It is precisely such "super-intercoms" for the IT infrastructure, made by Zyxel, that will be discussed below.

USG Performance Series USG40 / USG40W / USG60 / USG40W Gateways - Interface and Features


In the previous part, we reviewed logging in to the web interface, its division into the main modes, and the firmware upgrade.

The main purpose of this article is to help you find your way around the management and configuration of such gateways.

Recall that there are two control modes: “Simple Mode” and “Expert Mode”.

Simple Mode


Control in Simple Mode is mostly based on wizards that walk you through configuration step by step. In this way you can configure the connection to the external network (WAN interface), VPN, Wi-Fi and so on.


Figure 1. General view of the “Simple Mode” interface.

The advantage of this control method is the simplicity of the initial setup, "without further ado", as they say. At the same time this is also its limitation: some parameters remain “behind the scenes”, and to change them you have to switch to “Expert Mode”.


Figure 2. A fragment of the initial setup wizard.

NOTE. If you find it difficult to quickly locate a particular setting in “Expert Mode”, try switching to “Simple Mode” and performing the action through the wizard. The settings it creates can then serve as a template for finer tuning.

Expert Mode


As mentioned above, this mode is designed for the most complete adaptation of the device to your needs.

There really are a lot of settings, so it is highly recommended to read the documentation before starting work.

The USG Performance Series line has a very rich feature set, and a short article cannot go deeply into this area. We confine ourselves to general principles that make it easier to navigate the web interface, and to a few actions that should be performed, as they say, "right after the introductions".

The web interface of USG Performance Series devices consists of 4 main sections. Switching between them is done with the active elements on the left side of the screen.

It should be noted that the division of functions into these sections is rather arbitrary. Below is a brief description of each.

1. System Monitor


This is the very first thing a user sees after logging into the system in “Expert Mode”.

This section is intended for quick control and for information about events that have occurred. Its English name is Dashboard: a window for quick access to the most used functions and important information.


Figure 3. The System Monitor section. The red outline additionally highlights the "on-screen buttons" for switching between sections.

In principle, everything presented here is duplicated in other sections. System Monitor speeds up access to the necessary functions but does not replace the standard ways of viewing settings. A dashboard is a dashboard, wherever you are.

2. Monitoring


This extensive area of the interface is used to obtain operational information about the state of the system and events that have occurred.

This section consists of several subsections:


Each of these items in turn contains further sub-items. In general, the Monitoring section holds a large amount of information on a wide range of events.


Figure 4. The Monitoring section.

For a more detailed description, refer to the documentation.

3. Configuration


Its main purpose is fine tuning of the security system, VPN access, firewall filtering rules and many other useful things.

The "Configuration" section includes the subsections:



Figure 5. Section "Configuration".

We will return to this section when we consider the necessary actions.

4. Service


Designed for the work of keeping the system in operating condition.

Contains subsections:


As I wrote above, the assignment of a particular function to one section or another is arbitrary. But on the whole, such a breakdown into sections systematizes the numerous functions of these devices and helps you find your way faster.


Figure 6. Service Section.

Initial actions

The first thing to do with a new device is to register it. This can be done from the web interface by going to the “Configuration” section, the “Licensing” subsection, and then the “Registration” item.


Figure 7. “Configuration” section - Device registration.

After registration, you must install the licenses for the required services: antivirus, antispam, intrusion protection and content filtering.

To do this, in the same window ("Configuration" section, "Licensing" subsection, "Registration") select "Service" and activate the required services one by one using the "Activate" link.


Figure 8. “Configuration” section - Antivirus activation.

Now, having become familiar with the interface and registered the product, you can proceed to setting up the gateway for your infrastructure.

At the administrator's service: detailed documentation, the Knowledge Base and Zyxel's advanced technical support.

Conclusion


Zyxel USG Performance Series gateways can be compared to a multi-purpose warship capable of solving a wide range of security tasks in a given region.

However, managing such a combat unit requires stocking up on the necessary knowledge and skills, so the stage of familiarization with the documentation will not be superfluous.
At the same time, the well-developed, user-friendly web interface and the command line interface (CLI) make adaptation easy both for specialists with experience of other vendors' network equipment and for complete newcomers.

Sources:


  1. USG Performance Series Page on Zyxel.ru
  2. User Guides for USG Performance Series Products
  3. USG Performance Series License Information

Source: https://habr.com/ru/post/413977/
