Collaborative Detection & Response
Overview
Collaborative Detection & Response (CDR) allows you to detect wired and WiFi clients that are sending malicious traffic in your network and then block or quarantine traffic coming from them. In this way, malicious traffic is not spread throughout the network. Security policies can block malicious traffic for specific traffic flows, but CDR can block all traffic from the sender. Malicious traffic is identified using a combination of Web Filtering, Anti-Malware and IPS (IDP) signatures.
In the following example scenario, clients C1 to C6 are connected to the network. Intrusion Prevention (IPS) or Anti-Malware signatures have identified malicious traffic coming from clients C1, C2, C4 and C5.
You have configured CDR to take the following actions.
CDR Example Settings
Key CDR Setting | Result
Block wireless client is selected in Configuration > Security Service > CDR > Collaborative Detection & Response. | Traffic from WiFi client C1 is blocked at the AP.
Block wireless client is not selected in Configuration > Security Service > CDR > Collaborative Detection & Response. | Traffic from WiFi client C2 is blocked at the Zyxel Device.
Block wireless client is not selected in Configuration > Security Service > CDR > Collaborative Detection & Response. | Traffic from wired client C5 is blocked at the Zyxel Device. This traffic can still be broadcast to other clients in the same subnet, such as C6.
Quarantine VLAN ID is selected in Configuration > Security Service > CDR > Collaborative Detection & Response. | Traffic from WiFi client C4 is isolated from the network through a quarantine VLAN. Quarantined traffic in a VLAN isolates traffic from other clients in the same subnet, and only broadcasts to other clients in that same VLAN.
This is the graphic key.
Label | Definition
C1 to C4 | WiFi clients
C5 to C6 | Wired clients
AP | Access Point
S | VLAN-aware Switch
ZD | Zyxel Device
R | Router giving access to the Internet
VLAN | VLAN configured to isolate traffic from a quarantined client
Before You Begin
You must have active and up-to-date Web Filtering, Anti-Malware, IPS (Intrusion Prevention System), and CDR (Collaborative Detection & Response) licenses.
Malicious traffic is detected in two phases.
Web Filtering (URL Threat Filtering), Anti-Malware (Anti-Virus) and IPS (IDP) signatures first identify malicious traffic and inform the CDR daemon. If these licenses have expired or are not active, then no checking for malicious traffic is done.
CDR signatures are a subset of the above license signatures. If a specific number of signature matches is detected within a defined time period, then the CDR containment policy is triggered. These are the signatures that apply to CDR at the time of writing:
Security Signatures Applied to CDR
Security Signatures | Signatures applied to CDR
Web Filtering | URL Threat Filter Categories: Browser Exploits, Malicious Downloads, Malicious Sites, Phishing
IPS | IDP Signatures: CVE-2019-0708 (117760, 130797, 130801); CVE-2020-0796 (130822, 130823, 130824, 130825); 117723, 117724, 117726
Anti-Malware | All signatures
Blocking traffic from an infected client causes the Zyxel Device to drop all traffic received from the client. This traffic can still be broadcast to other clients in the same subnet as the infected client.
Blocking traffic from an infected WiFi client causes the AP it is connected with to drop all traffic received from the client if Block wireless client is selected in Configuration > Security Service > CDR > Collaborative Detection & Response.
The Zyxel Device can only block traffic from Nebula-managed APs in your network using CDR.
Quarantining traffic from an infected WiFi client blocks traffic at the Zyxel Device or AP and also isolates traffic from other clients in the same subnet. Traffic from the infected WiFi client is only broadcast to other clients in the quarantine VLAN. You must configure the quarantine VLAN on the Zyxel Device and on any switches or routers in your network through which you want to route the VLAN traffic.
There are two requirements to block or quarantine WiFi clients:
The AP must be managed by the Zyxel Device.
The AP must be in the Zyxel Device's supported list. At the time of writing, there are 5 supported AP models:
Zyxel Device Managed APs
Managed AP models | WAX650S, WAX610D, WAX510D, WAC500, WAC500H
* Please see your AP product page at the Zyxel web site to see if it can be managed by the Zyxel Device.
You must decide how long to contain (block or quarantine) a suspect client, before allowing traffic to be sent from it again. This will depend on how quickly you can contact the owner of the suspect client and how long they need to remove the malicious software from their device.
You must also decide if there are trusted clients in your network that are exempt from CDR and never have their traffic blocked or quarantined.
You can use the Monitor > CDR > Containment List screen to prematurely release a blocked or quarantined client, or add a client to a list exempted from CDR checking.
If you disable CDR or your CDR license expires, then all blocked and quarantined clients are released.
If you restart the Zyxel Device or restart an AP connected to the Zyxel Device, blocked and quarantined clients are still blocked until the Containment Period expires.
Wired clients are blocked based on IP address by default. You can change that to blocking based on MAC address using the cdr blocked-by mac command in configuration mode in the Command Line Interface (CLI). Note that if you have a switch between the client and the Zyxel Device, then blocking by MAC address could block all traffic from the switch if the client MAC address is not forwarded through the switch.
WiFi clients are blocked or quarantined based on MAC address by default.
The Collaborative Detection & Response Screen
Use this screen to turn CDR on or off, manage CDR policies, and select the containment action the Zyxel Device takes when an event occurs more than the threshold within a defined duration.
The following table describes the labels in this screen.
Collaborative Detection & Response 
Label
Description
General Settings
Enable
Select this check box to activate Collaborative Detection & Response. Make sure you have active Web Filtering, Anti-Malware, IPS (Intrusion Prevention System), and CDR (Collaborative Detection & Response) licenses.
Policy
Select a heading to order entries by the heading type.
Edit
Select a policy and then click this button to change the Occurrence, Duration or Containment settings.
Category
Category refers to the signature type that identified the malicious traffic: Web Threat (URL Threat Filtering), Malware (Anti-Malware, Anti-Virus) and IDP (IPS).
Event Type
This displays some details on the category of malicious traffic detected.
Occurrence (1-100)
Type the number of security events that need to occur within the defined Duration to trigger a CDR Containment action.
Duration (1-1440)
Type the length of time, in minutes, within which the event must occur from a client the Occurrence number of times to trigger a CDR Containment action.
For example, Occurrence is set to 10, and Duration is set to 100. If the Zyxel Device detects 10 or more occurrences of malicious traffic in less than 100 minutes, then CDR Containment is triggered.
Containment
Select the action to be taken when the number of security events exceeds the threshold within the defined duration.
Alert: Select this if you just want to send an email to the suspect client owner or Zyxel Device admin.
Block: Select this if you want to block traffic from a suspect client at the Zyxel Device, or from a suspect WiFi client at the AP connected to the Zyxel Device. Traffic is still broadcast to other clients in the same subnet. A ‘notification’ web page is displayed when this action is triggered.
Quarantine: Select this if you want to isolate traffic from a suspect client at the Zyxel Device in a quarantine VLAN. Traffic is not broadcast to other clients in the same subnet. A ‘notification’ web page is displayed to the client when this action is triggered.
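The Occurrence and Duration rows describe a sliding-window threshold per client and signature category. The following is an added model of that logic, written for this page and not Zyxel's own code: it counts matches per (client, category), triggers the policy's containment action when Occurrence matches fall within Duration minutes, keeps a contained client contained until the Containment Period expires (0 meaning until released by hand), and skips clients on the exempt list. Class and method names (CdrPolicy, CdrEngine, observe, release) and the event data are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class CdrPolicy:
    """One CDR policy row (constructed model): trigger the containment action when
    `occurrence` matches from the same client fall within `duration_min` minutes."""

    def __init__(self, category, occurrence, duration_min, containment):
        if not 1 <= occurrence <= 100:
            raise ValueError("Occurrence must be 1-100")
        if not 1 <= duration_min <= 1440:
            raise ValueError("Duration must be 1-1440 minutes")
        if containment not in ("alert", "block", "quarantine"):
            raise ValueError("Containment must be alert, block or quarantine")
        self.category = category
        self.occurrence = occurrence
        self.window = timedelta(minutes=duration_min)
        self.containment = containment


class CdrEngine:
    """Tracks signature matches per client and decides containment (constructed model).
    A client is identified by a string: in practice an IP address for wired clients
    or a MAC address for WiFi clients."""

    def __init__(self, policies, containment_period_min, exempt=()):
        if not 0 <= containment_period_min <= 1440:
            raise ValueError("Containment Period must be 0 (until released) or 1-1440 minutes")
        self.policies = {p.category: p for p in policies}
        # 0 means the client stays contained until released in Monitor > CDR > Containment List
        self.period = None if containment_period_min == 0 else timedelta(minutes=containment_period_min)
        self.exempt = set(exempt)                # trusted clients never contained
        self.events = defaultdict(deque)         # (client, category) -> match timestamps
        self.contained = {}                      # client -> (action, release time or None)

    def observe(self, client, category, when):
        """Feed one signature match at time `when`; return the containment action
        now in force for the client, or None if traffic is still allowed."""
        if client in self.exempt:
            return None
        policy = self.policies.get(category)
        if policy is None:
            return None
        if client in self.contained:
            action, until = self.contained[client]
            if until is None or when < until:
                return action                    # still inside the Containment Period
            del self.contained[client]           # period expired: traffic allowed again
        window = self.events[(client, category)]
        window.append(when)
        while window and when - window[0] >= policy.window:
            window.popleft()                     # drop matches older than Duration
        if len(window) >= policy.occurrence:
            until = None if self.period is None else when + self.period
            self.contained[client] = (policy.containment, until)
            window.clear()
            return policy.containment
        return None

    def release(self, client):
        """Manual release, as done from the Containment List screen."""
        self.contained.pop(client, None)


def demo():
    """Occurrence 10 within Duration 100 minutes, one match every 5 minutes from client C1."""
    t0 = datetime(2024, 1, 1, 9, 0)
    engine = CdrEngine([CdrPolicy("IDP", 10, 100, "block")], containment_period_min=30, exempt={"C6"})
    return [engine.observe("C1", "IDP", t0 + timedelta(minutes=5 * i)) for i in range(10)]


if __name__ == "__main__":
    print(demo())   # the tenth match (45 minutes in) triggers "block"
```

The window check uses "older than Duration" so that exactly Occurrence matches in less than Duration minutes trigger, matching the worked example in the Duration row. A real deployment would key wired clients by IP or MAC depending on the cdr blocked-by setting, which this model leaves to the caller.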
Containment
Use this section to configure the selected containment action.
Alert
Email
Type a valid email address in the user@domain.com format of the owner of the suspect client or another person who should be informed that CDR was triggered.
Block & Quarantine
Notification Page
This is the notification web page that is displayed when a Block or Quarantine action is triggered.
Denied access message: Type the message that is displayed on the default Zyxel Device notification page. The client is redirected here when a Block or Quarantine action is triggered. For example, “Malicious traffic is coming from your device so traffic is temporarily stopped. Please contact the network administrator.”
Redirect external URL: Type a URL in “http://domain” or “https://domain” format to an external notification page. The client is redirected here when a Block or Quarantine action is triggered. Make sure the external notification page is accessible from the Zyxel Device.
Containment Period
Enter how long the client should be blocked or quarantined. This should be at least twice the DHCP server lease time in order to prevent false positives.
Block
Type how long a suspect client should be blocked or quarantined. You can type from 1 minute to 1 day (1,440 minutes). 0 means the suspect is blocked forever until released in Monitor > CDR > Containment List.
Block wireless client
Select this to have traffic from the suspect client blocked at the AP. Clear this to have traffic from the suspect client blocked at the Zyxel Device.
Quarantine
Quarantine VLAN ID
Select a previously configured VLAN that was created to isolate traffic from suspect clients. Traffic from a suspect client is broadcast to all members in the VLAN.
Add VLAN
Click this to create a quarantine VLAN to specifically isolate traffic from suspect clients.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Add VLAN
Click Add VLAN to create a new entry. The following screen appears.
Note: Only IPv4 addresses can be used in quarantine VLANs.
Configuration > Security Service > CDR > Add VLAN 
Label
Description
Show Advanced Settings / Hide Advanced Settings
Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface
Select this to turn this interface on. Clear this to disable this interface.
Interface Properties
Interface Type
Select one of the following options depending on the type of network to which the Zyxel Device is connected.
internal is for connecting to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The Zyxel Device automatically adds default SNAT settings for traffic flowing from this interface to an external interface.
external is for connecting to an external network (like the Internet). The Zyxel Device automatically adds this interface to the default WAN trunk.
For general, the rest of the screen’s options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface.
Interface Name
This field is read-only if you are editing an existing VLAN interface. Enter the number of the VLAN interface. You can use a number from 0~4094. For example, use vlan0, vlan8, and so on. The total number of VLANs you can configure on the Zyxel Device depends on the model.
Zone
Select the zone to which the VLAN interface belongs.
Base Port
Select the Ethernet interface on which the VLAN interface runs.
VLAN ID
Enter the VLAN ID. This 12-bit number uniquely identifies each VLAN. Allowed values are 1 - 4094. (0 and 4095 are reserved.)
Priority Code
This is a 3-bit field within an 802.1Q VLAN tag that is used to prioritize associated outgoing VLAN traffic. The setting configured in Configuration > BWM overwrites the priority setting here.
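To make the VLAN ID and Priority Code fields concrete, here is an added example (not from this guide or Zyxel) that packs and unpacks the 16-bit 802.1Q Tag Control Information, enforcing the ranges stated above: a 12-bit VLAN ID of 1-4094 (0 and 4095 reserved) and a 3-bit priority of 0-7. It also tags and inspects a constructed Ethernet frame so the position of the tag in a frame is visible. Function names and the sample frame are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def build_tci(vlan_id, priority_code=0, dei=0):
    """Pack Tag Control Information: PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094 (0 and 4095 are reserved)")
    if not 0 <= priority_code <= 7:
        raise ValueError("Priority Code is a 3-bit field (0-7)")
    if dei not in (0, 1):
        raise ValueError("DEI is a single bit")
    return (priority_code << 13) | (dei << 12) | vlan_id


def parse_tci(tci):
    """Split a 16-bit TCI into (priority_code, dei, vlan_id)."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def tag_frame(frame, vlan_id, priority_code=0):
    """Insert an 802.1Q tag after the destination and source MAC addresses of an
    untagged Ethernet frame (the tag sits at bytes 12-15)."""
    if len(frame) < 14:
        raise ValueError("not an Ethernet frame")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(vlan_id, priority_code))
    return frame[:12] + tag + frame[12:]


def vlan_of_frame(frame):
    """Return the VLAN ID of a tagged frame, or None if the frame carries no 802.1Q tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return parse_tci(struct.unpack("!H", frame[14:16])[0])[2]
    return None


# constructed sample: broadcast destination, a made-up source MAC, IPv4 EtherType, empty payload
SAMPLE_FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x00" * 20

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, vlan_id=100, priority_code=5)
    print(hex(build_tci(100, 5)), vlan_of_frame(tagged))
```

A quarantine VLAN ID chosen on the CDR screen must pass the same 1-4094 check; the VLAN-aware switch between the AP and the Zyxel Device only isolates the quarantined client if it forwards frames carrying that tag.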
Description
Enter a description of this interface. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. Spaces are allowed, but the string can’t start with a space.
IP Address Assignment
Get Automatically
Select this if this interface is a DHCP client. In this case, the DHCP server configures the IP address, subnet mask, and gateway automatically.
You should not select this if the interface is assigned to a VRRP group.
DHCP Option 60
DHCP Option 60 is used by the Zyxel Device for identification to the DHCP server using the VCI (Vendor Class Identifier) on the DHCP server. The Zyxel Device adds it in the initial DHCP discovery message that a DHCP client broadcasts in search of an IP address. The DHCP server can assign different IP addresses or options to clients with the specific VCI or reject the request from clients without the specific VCI.
Type a string using up to 63 of these characters [a-zA-Z0-9!"#$%&'()*+,-./:;<=>?@[\]^_`{}] to identify this Zyxel Device to the DHCP server. For example, Zyxel-TW.
Use Fixed IP Address
Select this if you want to specify the IP address, subnet mask, and gateway manually.
IP Address
This field is enabled if you select Use Fixed IP Address.
Enter the IP address for this interface.
Subnet Mask
This field is enabled if you select Use Fixed IP Address.
Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers on the network.
Gateway
This field is enabled if you select Use Fixed IP Address.
Enter the IP address of the gateway. The Zyxel Device sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
Metric
Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first.
Enable IGMP Support
Select this to allow the Zyxel Device to act as an IGMP proxy for hosts connected on the IGMP downstream interface.
IGMP Upstream
Enable IGMP Upstream on the interface which connects to a router running IGMP that is closer to the multicast server.
IGMP Downstream
Enable IGMP Downstream on the interface which connects to the multicast hosts.
Interface Parameters
Egress Bandwidth
Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can send through the interface to the network. Allowed values are 0 - 1048576.
Ingress Bandwidth
This is reserved for future use.
Enter the maximum amount of traffic, in kilobits per second, the Zyxel Device can receive from the network through the interface. Allowed values are 0 - 1048576.
MTU
Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the Zyxel Device divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
Connectivity Check
The Zyxel Device can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often to check the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the Zyxel Device stops routing to the gateway. The Zyxel Device resumes routing to the gateway the first time the gateway passes the connectivity check.
Enable Connectivity Check
Select this to turn on the connection check.
Check Method
Select the method that the gateway allows.
Select icmp to have the Zyxel Device regularly ping the gateway you specify to make sure it is still available.
Select tcp to have the Zyxel Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available.
Check Period
Enter the number of seconds between connection check attempts.
Check Timeout
Enter the number of seconds to wait for a response before the attempt is a failure.
Check Fail Tolerance
Enter the number of consecutive failures before the Zyxel Device stops routing through the gateway.
Check Default Gateway
Select this to use the default gateway for the connectivity check.
Check these addresses
Select this to specify one or two domain names or IP addresses for the connectivity check. Enter that domain name or IP address in the field next to it.
Check Port
This field is only displayed when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.
Probe Succeeds When
This field applies when you specify two domain names or IP addresses for the connectivity check.
Select any one if you want the check to pass if at least one of the domain names or IP addresses responds.
Select all if you want the check to pass only if both domain names or IP addresses respond.
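The Connectivity Check fields above describe a small state machine: consecutive failed probes up to Check Fail Tolerance stop routing through the gateway, and the first passing probe resumes it, with "any one" or "all" deciding how two targets are combined. The following is an added example written for this page, not Zyxel code; probe results are injected as booleans (True meaning a reply arrived within Check Timeout) so it runs offline, and the class and method names are constructed.

```python
from dataclasses import dataclass


@dataclass
class ConnectivityCheck:
    """Gateway health tracker modelling Check Fail Tolerance and Probe Succeeds When
    (constructed model). Each probe_round() call is one Check Period."""

    fail_tolerance: int            # Check Fail Tolerance
    succeed_when: str = "any"      # Probe Succeeds When: "any" (any one) or "all"
    consecutive_failures: int = 0
    routing_enabled: bool = True

    def __post_init__(self):
        if self.fail_tolerance < 1:
            raise ValueError("Check Fail Tolerance must be at least 1")
        if self.succeed_when not in ("any", "all"):
            raise ValueError('succeed_when must be "any" or "all"')

    def probe_round(self, responses):
        """responses maps each check target to whether it answered in time.
        Returns True if routing through the gateway is enabled after this round."""
        if not responses:
            raise ValueError("at least one check target is required")
        if len(responses) > 2:
            raise ValueError("the screen allows one or two check targets")
        results = responses.values()
        passed = any(results) if self.succeed_when == "any" else all(results)
        if passed:
            self.consecutive_failures = 0
            self.routing_enabled = True      # resumes on the first passing check
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.fail_tolerance:
                self.routing_enabled = False  # tolerance reached: stop routing via gateway
        return self.routing_enabled


def demo():
    """Three failures with tolerance 3 disable routing; one success restores it.
    Target addresses are from the TEST-NET range and are constructed for the example."""
    check = ConnectivityCheck(fail_tolerance=3)
    rounds = [{"192.0.2.1": False}] * 3 + [{"192.0.2.1": True}]
    return [check.probe_round(r) for r in rounds]


if __name__ == "__main__":
    print(demo())
```

With two targets, "all" is the stricter setting: a gateway that can only reach one of them is treated as down, which avoids routing toward a link that is partially broken but also makes the check more sensitive to a single failing target.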
DHCP Setting
The DHCP settings are available for the OPT, LAN and DMZ interfaces.
DHCP
Select what type of DHCP service the Zyxel Device provides to the network. Choices are:
None - the Zyxel Device does not provide any DHCP services. There is already a DHCP server on the network.
DHCP Relay - the Zyxel Device routes DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network.
DHCP Server - the Zyxel Device assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The Zyxel Device is the DHCP server for the network.
These fields appear if the Zyxel Device is a DHCP Relay.
Relay Server 1
Enter the IP address of a DHCP server for the network.
Relay Server 2
This field is optional. Enter the IP address of another DHCP server for the network.
These fields appear if the Zyxel Device is a DHCP Server.
IP Pool Start Address
Enter the IP address from which the Zyxel Device begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP.
If this field is blank, the Pool Size must also be blank. In this case, the Zyxel Device can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.
Pool Size
Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the Zyxel Device can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.
If this field is blank, the IP Pool Start Address must also be blank. In this case, the Zyxel Device can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.
First DNS Server
Second DNS Server
Third DNS Server
Specify the IP addresses of up to three DNS servers for the DHCP clients to use. Use one of the following ways to specify these IP addresses.
Custom Defined - enter a static IP address.
From ISP - select the DNS server that another interface received from its DHCP server.
Zyxel Device - the DHCP clients use the IP address of this interface and the Zyxel Device works as a DNS relay.
First WINS Server, Second WINS Server
Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
Default Router
If you set this interface to DHCP Server, you can select to use either the interface’s IP address or another IP address as the default router. This default router will become the DHCP clients’ default gateway.
To use another IP address as the default router, select Custom Defined and enter the IP address.
Lease time
Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are:
infinite - select this if IP addresses never expire
days, hours, and minutes - select this to enter how long IP addresses are valid. The default is 2 days.
Extended Options
This table is available if you selected DHCP server.
Configure this table if you want to send more information to DHCP clients through DHCP packets.
Add
Click this to create an entry in this table. See Add/Edit DHCP Extended Options.
Edit
Select an entry in this table and click this to modify it.
Remove
Select an entry in this table and click this to delete it.
#
This field is a sequential value, and it is not associated with any entry.
Name
This is the option’s name.
Code
This is the option’s code number.
Type
This is the option’s type.
Value
This is the option’s value.
PXE Server
PXE (Preboot eXecution Environment) allows a client computer to use the network to boot up and install an operating system via a PXE-capable Network Interface Card (NIC).
PXE is available for computers on internal interfaces to allow them to boot up using boot software on a PXE server. The Zyxel Device acts as an intermediary between the PXE server and the computers that need boot software.
The PXE server must have a public IPv4 address. You must enable DHCP Server on the Zyxel Device so that it can receive information from the PXE server.
PXE Boot Loader File
A boot loader is a computer program that loads the operating system for the computer. Type the exact file name of the boot loader software file, including filename extension, that is on the PXE server. If the wrong filename is typed, then the client computers cannot boot.
Enable IP/MAC Binding
Select this option to have the Zyxel Device enforce links between specific IP addresses and specific MAC addresses for this VLAN. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make sure only the intended users get to use specific IP addresses.
Enable Logs for IP/MAC Binding Violation
Select this option to have the Zyxel Device generate a log if a device connected to this VLAN attempts to use an IP address that is bound to another device’s MAC address.
Static DHCP Table
Configure a list of static IP addresses the Zyxel Device assigns to computers connected to the interface. Otherwise, the Zyxel Device assigns an IP address dynamically using the interface’s IP Pool Start Address and Pool Size.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This field is a sequential value, and it is not associated with a specific entry.
IP Address
Enter the IP address to assign to a device with this entry’s MAC address.
MAC Address
Enter the MAC address to which to assign this entry’s IP address.
Description
Enter a description to help identify this static DHCP entry. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
RIP Setting
Enable RIP
Select this to enable RIP on this interface.
Direction
This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box.
BiDir - This interface sends and receives routing information.
In-Only - This interface receives routing information.
Out-Only - This interface sends routing information.
Send Version
This field is effective when RIP is enabled. Select the RIP version(s) used for sending RIP packets. Choices are 1, 2, and 1 and 2.
Receive Version
This field is effective when RIP is enabled. Select the RIP version(s) used for receiving RIP packets. Choices are 1, 2, and 1 and 2.
V2-Broadcast
This field is effective when RIP is enabled. Select this to send RIP-2 packets using subnet broadcasting; otherwise, the Zyxel Device uses multicasting.
OSPF Setting
Area
Select the area in which this interface belongs. Select None to disable OSPF in this interface.
Priority
Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR). The highest-priority interface identifies the DR, and the second-highest-priority interface identifies the BDR. Set the priority to zero if the interface cannot be the DR or BDR.
Link Cost
Enter the cost (between 1 and 65,535) to route packets through this interface.
Passive Interface
Select this to stop forwarding OSPF routing information from the selected interface. As a result, this interface only receives routing information.
Authentication
Select an authentication method, or disable authentication. To exchange OSPF routing information with peer border routers, you must use the same authentication method that they use. Choices are:
Same-as-Area - use the default authentication method in the area
None - disable authentication
Text - authenticate OSPF routing information using a plain-text password
MD5 - authenticate OSPF routing information using an MD5 keyed digest
Text Authentication Key
This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
MD5 Authentication ID
This field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and 255.
MD5 Authentication Key
This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
MAC Address Setting
This section appears when the Interface Type is external or general. Have the interface use either the factory assigned default MAC address, a manually specified MAC address, or clone the MAC address of another device or computer.
Use Default MAC Address
Select this option to have the interface use the factory assigned default MAC address. By default, the Zyxel Device uses the factory assigned MAC address to identify itself.
Overwrite Default MAC Address
Select this option to have the interface use a different MAC address. Enter the MAC address in the field. Once it is successfully configured, the address is copied to the configuration file. It will not change unless you change the setting or upload a different configuration file.
Proxy ARP
Proxy ARP is available for external or general interfaces on the Zyxel Device. See Proxy ARP for more information on Proxy ARP.
Enable Proxy ARP
Select this to allow the Zyxel Device to answer external interface ARP requests on behalf of a device on its internal interface. Interfaces supported are:
Ethernet
VLAN
Bridge
See Proxy ARP for more information.
Add
Click Add to create an IPv4 Address, an IPv4 CIDR (for example, 192.168.1.1/24) or an IPv4 Range (for example, 192.168.1.2-192.168.1.100) as the target IP address. The Zyxel Device answers external ARP requests only if they match one of these entered target IP addresses. For example, if the IPv4 Address is 192.168.1.5, then the Zyxel Device will answer ARP requests coming from the WAN only if they contain 192.168.1.5 as the target IP address.
Select an existing entry and click Remove to delete that entry.
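The Proxy ARP target list accepts three forms of entry, and the device answers only when the target protocol address in an incoming ARP request matches one of them. The following added example (written for this page; not Zyxel code) parses the three entry forms, extracts the target address from a raw ARP request payload, and makes the answer decision. The ARP payload is constructed with a helper in the block, and the addresses and function names are constructed for the example.

```python
import ipaddress
import struct


def parse_target(spec):
    """Turn one Proxy ARP target entry into a matchable object.
    Accepts a single IPv4 address, a CIDR block, or a 'first-last' range."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes range start: {spec}")
        return (first, last)
    if "/" in spec:
        # 192.168.1.1/24 is accepted and normalised to 192.168.1.0/24
        return ipaddress.IPv4Network(spec, strict=False)
    return ipaddress.IPv4Address(spec)


def matches(target, ip):
    """True if `ip` falls inside one parsed target entry."""
    if isinstance(target, tuple):
        return target[0] <= ip <= target[1]
    if isinstance(target, ipaddress.IPv4Network):
        return ip in target
    return ip == target


def should_answer(targets, target_ip):
    """Decide whether an ARP request for target_ip seen on the external interface is answered."""
    ip = ipaddress.IPv4Address(target_ip)
    return any(matches(t, ip) for t in targets)


# ARP payload layout: hw type, proto type, hw len, proto len, opcode, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"


def arp_request_target(payload):
    """Return the target protocol address of an Ethernet/IPv4 ARP request, or None
    if the payload is too short or is not such a request (e.g. an ARP reply)."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, op, _sha, _spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, 1):
        return None
    return str(ipaddress.IPv4Address(tpa))


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Construct a sample ARP request payload (used here only to produce test input)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, sender_mac,
                       ipaddress.IPv4Address(sender_ip).packed, b"\x00" * 6,
                       ipaddress.IPv4Address(target_ip).packed)


if __name__ == "__main__":
    targets = [parse_target(s) for s in ("192.168.1.5", "10.0.0.1/24", "172.16.0.2-172.16.0.100")]
    request = build_arp_request(b"\x00\x11\x22\x33\x44\x55", "203.0.113.9", "192.168.1.5")
    print(should_answer(targets, arp_request_target(request)))   # True
```

Keeping the target list tight matters: a CIDR entry makes the device claim every address in that block on the external segment, so entries should cover only the internal hosts that must be reachable from that side.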
Related Setting
Configure WAN TRUNK
Click WAN TRUNK to go to a screen where you can set this VLAN to be part of a WAN trunk for load balancing.
Configure Policy Route
Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this VLAN.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving.
The Exempt List Screen
Click to display IPv4 and/or MAC addresses of devices that are exempt from CDR checking.
Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
The following table describes the labels in this screen.
Configuration > Security Service >  
Label
Description
Exempt List
This is a list of trusted clients in your network that are exempt from CDR checking and never have their traffic blocked or isolated.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This is the entry’s index number in the list.
IP/MAC
Click Add to create a new entry or select an existing entry, and then click Edit to modify it. Type a valid IPv4 Address, such as 192.168.1.5, or a valid MAC address of an IPv4 client, such as
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.