
Zenarmor Security Rules on OPNsense

Zenarmor is designed to put the controls in your hands, so we have made almost everything configurable. On the Security page of a policy, you set the general policy for how threat analysis works and configure the rest in the App Control and Web Control modules. You can easily define Zenarmor Security Rules in your policies according to your requirements.

info

The engine processes each request, queries Zenarmor Cloud in real time, and decides whether the request is blocked or allowed. It checks against 300+ million websites in 120+ categories within milliseconds.

The Cloud Threat Intelligence data is queried in real time whenever a connection attempt is made through your network. This allows us to respond to malware and wireless outbreaks very quickly.

Using the combined strengths of DNSsense and BrightCloud Threat Intelligence, Zenarmor's comprehensive security architecture provides an advanced defense mechanism against evolving threats. The following is a summary of their contributions:

  • Zenarmor CTI DB processes requests, queries the Zenarmor Cloud, and determines in real time whether they are permitted or blocked. In mere milliseconds, it analyzes more than 300 million websites across 120+ categories.
  • BrightCloud Threat Intelligence, with its broad scope, detects threats across more than 4.39 billion IPv4 and IPv6 addresses in use. It analyzes in-depth insights from over one billion domains in order to automate policy-based decisions. It offers protection against malicious and whitelisted file behaviors through real-time lookups of 38 billion+ records. In addition, it actively defends against zero-day and polymorphic malware.

Together, these two formidable assets form a multidimensional shield for your network. BrightCloud's extensive threat detection and prevention capabilities align perfectly with Zenarmor CTI DB's quick decision-making. This partnership enables Zenarmor to provide near-immediate, proactive, and comprehensive security against a variety of security threats.

info

BrightCloud Threat Intelligence is exclusive to the Business Edition.


Figure 1. Zenarmor Security Control Settings

Essential Security options are available in the Free Edition, whereas Advanced Security options, available through Zenarmor Premium subscriptions (Home, SOHO, Business), provide Advanced Threat Protection against the latest malware, viruses, and phishing attacks by blocking websites known to host malware and viruses or to launch phishing attacks. With Zenarmor's Advanced Threat Protection feed, users are provided with near-real-time, commercial-grade threat tracking and protection.

Essential Security

Zenarmor provides three predefined Essential Security profiles:

  1. Permissive: There are no restrictions on this profile.
  2. Moderate Control: Only risky security categories such as Malware/Virus, Phishing, Hacking, Spam Sites, and Potentially Dangerous are blocked in this profile.
  3. High Control: All essential security categories are blocked in this profile.

To enable Essential Security on your Zenarmor firewall, you may follow these steps:

  1. Navigate to the Security tab on the policy configuration page.
  2. Click the 3-dot (...) menu icon at the top right corner of the Essential Security pane. This opens a drop-down menu listing the available profiles.
  3. Select the Essential Security profile you want.

tip

Instead of choosing a predefined Essential Security profile, you may also block individual Security categories by turning on the corresponding toggle bar.

Figure 2. Selecting Zenarmor Essential Security Profiles

Zenarmor Essential Security options are outlined below:

DNS over HTTPS (DoH)

By enabling this option, you can block DoH traffic on your network.

DNS over HTTPS (DoH) is a protocol that encrypts DNS queries, strengthening network security by preventing eavesdropping and DNS-based attacks. However, malicious actors also use DoH to hide their activity, making DNS-related threats harder to identify and stop. Zenarmor integrates DoH protection to fortify your network security.

Zenarmor actively monitors and blocks any attempts to use DoH to bypass traditional DNS security measures. By continuously monitoring and blocking DoH connections, Zenarmor helps you maintain control over DNS traffic on your network, in line with best practices recommended by security experts.

info

As of v1.18, DNS over HTTPS sessions, which were previously classified under a Security category, are classified under a Web category.
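To make the DoH-blocking behaviour described above concrete, here is an added example in Python. It is not Zenarmor's engine or any of its code; it assumes that a flow record exposes the TLS SNI (or HTTP Host), the destination port and, when the HTTP layer is visible, the request Content-Type. It uses the RFC 8484 media type application/dns-message and a small, constructed list of well-known public DoH resolver hostnames; a real deployment would use a maintained cloud-fed list, and the v1.18 categorization change does not affect the logic.

```python
"""Added example (not Zenarmor code): classify outbound flows as DoH and apply
a block/allow policy. Flow fields and the resolver list are assumptions."""
from dataclasses import dataclass

DOH_MEDIA_TYPE = "application/dns-message"   # media type defined by RFC 8484

# Constructed sample of well-known public DoH resolver hostnames (assumption: a
# real deployment consults a maintained list rather than a literal).
KNOWN_DOH_RESOLVERS = frozenset({
    "dns.google",
    "cloudflare-dns.com",
    "dns.quad9.net",
})


@dataclass(frozen=True)
class Flow:
    src: str               # client address
    sni: str               # TLS SNI or HTTP Host header
    dst_port: int
    content_type: str = ""  # empty when the HTTP layer is not visible


def is_doh(flow: Flow) -> tuple:
    """Return (verdict, reason); verdict is True when the flow looks like DoH."""
    # Strip any media-type parameters before comparing (e.g. "; charset=...").
    media_type = flow.content_type.split(";", 1)[0].strip().lower()
    if media_type == DOH_MEDIA_TYPE:
        return True, "content-type"
    host = flow.sni.rstrip(".").lower()
    if host in KNOWN_DOH_RESOLVERS and flow.dst_port == 443:
        return True, "known-resolver"
    return False, ""


def apply_policy(flows, block_doh: bool) -> list:
    """Evaluate flows under the DoH toggle; returns (src, sni, action, reason)."""
    decisions = []
    for flow in flows:
        doh, reason = is_doh(flow)
        action = "block" if (doh and block_doh) else "allow"
        decisions.append((flow.src, flow.sni, action, reason))
    return decisions


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "dns.google", 443, "application/dns-message"),
    Flow("10.0.0.5", "www.example.com", 443),
    Flow("10.0.0.8", "cloudflare-dns.com", 443),
    Flow("10.0.0.9", "doh.internal.example", 443, "application/dns-message"),
]

if __name__ == "__main__":
    for src, sni, action, reason in apply_policy(SAMPLE_FLOWS, block_doh=True):
        print(f"{src:10} {sni:24} {action:5} {reason}")
```

The hostname signal only works when the SNI is visible (no Encrypted Client Hello) and the resolver is on the list, which is why the media-type check is kept as a second, list-independent signal for any HTTP traffic the firewall can inspect.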

Malware/Virus

By enabling this option you can block sites that are known to host malware.

Block Malware/Virus to strengthen your network's defenses against a formidable threat. By activating this feature, Zenarmor effectively blocks access to known malware-hosting websites. Websites contaminated with malware can rapidly compromise devices and networks, resulting in data breaches, system vulnerabilities, and illicit access.

The Malware/Virus feature of Zenarmor is your proactive defense against such attacks. By blocking access to known malware-hosting websites, you reduce the likelihood of inadvertently exposing your network to malware. This comprehensive protection aids in preserving the security and integrity of your digital ecosystem.

Phishing Servers

By enabling this option you can block sites that are known to host malicious software being used by phishing campaigns.

Blocking Phishing Servers enables your network to repel phishing attacks with pinpoint accuracy. Typically, phishing campaigns utilize malicious software hosted on particular servers. By activating this feature, Zenarmor prevents access to websites that are known to contain these malicious components.

The Phishing Servers feature is a preventative measure against falling prey to these deceptive methods. It disrupts the infrastructure of the perpetrators and prevents users from interacting with domains that may compromise sensitive information or credentials. By strengthening your network's defenses against phishing, Zenarmor contributes to the safety of your users' online experience.

Hacking Sites

By enabling this option you can block sites that distribute hacking-related content.

Protect the integrity of your network and its data by activating the Hacking Sites option. This proactive measure prevents access to websites that are known to distribute content related to cybercrime. These sites frequently provide resources and instruments that facilitate cybercrime.

The Hacking Sites feature of Zenarmor protects your network from potential hazards posed by hacking-related content. By restricting access to these websites, you reduce the possibility that users will obtain malicious tools or information by accident. This proactive stance strengthens the security posture of your network and prevents unauthorized activities.

Spam Sites

By enabling this option you can block sites that distribute spam.

By activating the Spam Sites option, you can protect your network from a flood of unsolicited and potentially hazardous content. This feature inhibits access to websites that distribute spam, which can clog inboxes, squander resources, and pose security risks.

The Spam Sites feature of Zenarmor is your ally in maintaining a secure and clean digital environment. Filtering out fraudulent websites not only improves operational efficiency but also reduces the risk of phishing or malware attacks.

Potentially Dangerous Sites

Block sites that are potentially dangerous. These are sites that we are not 100% sure are malicious, but that display suspicious activity resembling that of a malicious site.

Enhance the security of your network with the Potentially Dangerous Sites option. This feature enables Zenarmor to prevent access to websites that exhibit dubious activities that resemble the behavior of malicious websites. While it is possible that these websites are not malevolent, their similarity to known threats requires a proactive response.

Zenarmor's proactive security strategy relies heavily on the Potentially Dangerous Sites function. By barring access to suspicious websites, you reduce the likelihood that users will stumble upon sites that could compromise their security. This strategy strengthens your network's defenses against new attacks.

Parked Domains

By activating the Parked Domains feature, you can protect your network from annoyances and potential threats.

Frequently, parked domains are single-page websites cluttered with advertisements that provide little value to users. Although legitimate domain registrars may use them to monetize visits, parked domains can conceal dubious or malicious content, particularly when manipulated by malevolent ad providers.

Alternatively, parked domains may host suspicious and/or malevolent content, particularly when used by an ad provider. Cybercriminals are known to utilize ad providers to serve malvertisements. In addition, landing pages of parked domains are widely known to serve malware.

The Parked Domains feature is proactive against these numerous threats. By limiting access to parked domains, Zenarmor prevents users from inadvertently interacting with potentially harmful advertisements, malvertisements, or malware-infected landing pages. This measure strengthens the security of your network and provides your users with a safer online experience.

Firstly Seen Sites

The Block Firstly Seen Sites option provides an additional layer of security by blocking access to sites that our Web Categorization engine has not yet encountered. Websites that were previously unknown to the engine are categorized as First Seen.

By activating this option, Zenarmor prevents access to websites that have not yet been classified or categorized by our system in order to anticipate potential threats. This preventative measure prevents your network from interacting with websites that may contain nefarious content, thereby enhancing your security posture against novel or evolving threats.

info

When we see a Firstly Seen Site, it is immediately queued for processing by our AI-based classification system.

The AI-based classification system tries to classify it. If it succeeds, the web category is updated immediately, and within one hour the new information is propagated to the entire Cloud Web Categorization & Threat Intelligence System.

If the AI-based classification cannot classify the website, it is marked as Unknown or Uncategorized, and queued again for further processing.


Figure 3. Zenarmor Essential Security Control Settings

Advanced Security

The Zenarmor Premium subscription takes network security to the next level by blocking suspicious domains proactively. This includes compromised, expired, and newly registered domains, all of which are frequently used by threat actors to initiate malicious campaigns.

Newly registered domains (NRDs) are frequently used as entry points for malware, phishing, and online schemes, as supported by research. Zenarmor Premium recognizes this threat and blocks these domains in advance, protecting your network and users.

In addition, Zenarmor Premium extends its protection to expired DynDNS sites, which are breeding grounds for potential attacks. By barring these sites proactively, we ensure that your network is protected from any potential threats associated with expired domains.

The advanced security features of Zenarmor Premium are designed to counteract the evolving strategies of cybercriminals. Our goal is to provide you with a comprehensive defense strategy that anticipates, identifies, and neutralizes threats before they can cause damage. You can confidently navigate the digital landscape with Zenarmor Premium, knowing that your network is protected against a variety of threats.

Zenarmor provides three predefined Advanced Security profiles:

  1. Permissive: There are no restrictions on this profile.
  2. Moderate Control: Only highly risky security categories such as Recent Malware/Phishing/Virus Outbreaks, Botnet C&C, Botnet DGA Domains, DNS Tunneling, Compromised Website, Spyware and Adware, Keyloggers and Monitoring, and Malformed DNS are blocked in this profile.
  3. High Control: All security categories are blocked in this profile.

To enable Advanced Security on your Zenarmor firewall you may follow these steps:

  1. Navigate to the Security tab on the policy configuration page.
  2. Scroll down to the Advanced Security pane.
  3. Click the 3-dot (...) menu icon at the top right corner of the pane. This opens a drop-down menu listing the Advanced Security profiles.
  4. Select the Advanced Security profile you want.

tip

Instead of choosing a predefined Advanced Security profile, you may also block individual Security categories by turning on the corresponding toggle bar.

Figure 4. Selecting Zenarmor Advanced Security Profiles

Zenarmor Advanced Security options are outlined below:

Recent Malware/Phishing/Virus Outbreaks

Recent Malware/Phishing/Virus Outbreaks is a feature of Zenarmor that bolsters your network's defense against the most recent attacks. This feature detects and prevents recently identified malicious software, phishing attempts, and infection campaigns. Frequently, these attacks have not yet been added to signature and identification databases, leaving you vulnerable to these new and sophisticated threats. This capability of Zenarmor automatically identifies and inhibits such threats, enhancing the security of your network.

Many assailants attempt to outpace security solutions by swiftly disseminating newly discovered threats. The implementation of Zenarmor counteracts this by preventing emerging outbreaks and enhancing your network's resistance to intrusions. This guarantees that the most recent and dangerous security threats are effectively mitigated.

By activating this option, you can prevent phishing, malware, and virus campaigns that are known to have emerged within the last 0 to 2 weeks.

Botnet C&C

This option is used to block Botnet Command and Control Centers.

The Botnet C&C feature is a crucial defense against botnet activity because it prevents botnets from communicating with command and control servers.

The capability of Zenarmor to inhibit botnet C&C centers adds an essential layer of network security. Botnets are networks of compromised devices controlled by malicious actors via command and control (C&C) servers. These servers direct the compromised devices to initiate large-scale attacks, disseminate malware, or engage in other detrimental activities.

Enabling this option allows Zenarmor to detect and block communication between compromised devices on your network and remote command and control servers. This prevents the botnet from receiving instructions and transmitting stolen data, rendering it ineffective.

Botnets pose a substantial risk to both individual devices and the internet ecosystem as a whole. They can be utilized to initiate devastating Distributed Denial of Service (DDoS) attacks, facilitate data breaches, and spread malware. The Botnet C&C feature of Zenarmor safeguards your network against such attacks, thereby protecting your data, devices, and online operations.

Botnet URLs are typically IP addresses from which network attacks originate and which have been determined to be part of a botnet. The attacks may consist of spam messages, DoS, SQL injection, proxy theft, and other unsolicited communications.

Botnet DGA Domains

The Botnet DGA Domains feature is intended to increase the security of your network by barring Botnet agents' attempts to communicate with their Command and Control (C&C) servers using Domain Generation Algorithm (DGA) mechanisms.

The Botnet DGA Domains feature of Zenarmor provides a crucial defense against advanced threat vectors. Botnets frequently use DGA to generate a large number of domains, making it difficult to anticipate which domains they will employ for communication. This enables Botnet agents to circumvent domain-based detection techniques.

By enabling this option, Zenarmor will identify and block any communication attempts by Botnet agents utilizing DGA for domain generation. This measure guarantees the resilience of your network against these sophisticated attack techniques by thwarting their attempts to establish contact with C&C servers.

The dynamic character of botnet DGA domains poses a significant challenge to cybersecurity. This obstacle is addressed by the Botnet DGA Domains feature of Zenarmor, which provides your network with an advanced layer of protection against evolving threats.

DNS Tunneling

The DNS Tunneling feature is intended to strengthen the security of your network by proactively barring attempts to circumvent network security filtering via DNS tunneling.

The DNS Tunneling feature of Zenarmor is a potent defense against a technique used by cybercriminals to avoid detection. DNS tunneling utilizes DNS requests and responses to transmit malicious data, frequently circumventing conventional network security.

Enabling this option will allow Zenarmor to detect and thwart DNS tunneling attempts. This proactive approach guarantees the resilience of your network against these sophisticated evasion techniques, thwarting cybercriminals' attempts to circumvent security filtering via covert channels.

The covert nature of DNS tunneling poses a significant threat to network security. This challenge is addressed by the DNS Tunneling feature of Zenarmor, augmenting your network's defense against emergent threats.
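The two sections above (Botnet DGA Domains and DNS Tunneling) describe behaviours rather than a fixed list of bad names, so here is an added Python example that scores DNS query names for both. This is illustrative code, not Zenarmor's classifier or any of its code; the thresholds, the naive one-label public-suffix handling, and the sample query log are assumptions constructed for the example. The fan-out counter at the end goes beyond the per-name checks: a single client resolving many distinct subdomains of one domain is a classic tunneling signal that a per-query heuristic cannot see.

```python
"""Added example (not Zenarmor code): heuristic DGA and DNS-tunneling scoring
over DNS query names. Thresholds are assumptions chosen for illustration."""
import math
import re
from collections import Counter, defaultdict

VOWELS = frozenset("aeiou")
HEXLIKE = re.compile(r"^[0-9a-f]+$")
BASE32LIKE = re.compile(r"^[a-z2-7]+$")

# Constructed sample: a 50-character hex label as a tunneling client might emit.
TUNNEL_SAMPLE = "3f9a0c1e7b2d4f6a8c0e1b3d5f7a9c2e4b6d8f0a1c3e5b7d9f.t.example.net"


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def longest_consonant_run(label: str) -> int:
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def split_name(qname: str):
    """Return (subdomain_labels, registrable_label, suffix). Assumes a one-label
    public suffix such as .com; a real deployment uses the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    return labels[:-2], labels[-2], labels[-1]


def dga_indicators(qname: str) -> dict:
    """Registrable-label features typical of algorithmically generated names."""
    _, label, _ = split_name(qname)
    digits = sum(ch.isdigit() for ch in label)
    ind = {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "consonant_run": longest_consonant_run(label),
        "digit_ratio": round(digits / len(label), 3) if label else 0.0,
    }
    # Assumed thresholds: long label plus high entropy, unpronounceable run, or many digits.
    ind["dga_like"] = ind["length"] >= 10 and (
        ind["entropy"] >= 3.5 or ind["consonant_run"] >= 5 or ind["digit_ratio"] >= 0.3
    )
    return ind


def tunneling_indicators(qname: str) -> dict:
    """Subdomain features typical of data encoded into query names."""
    subs, _, _ = split_name(qname)
    longest = max((len(s) for s in subs), default=0)
    encoded = any(
        len(s) >= 30 and (HEXLIKE.match(s) or BASE32LIKE.match(s)) and shannon_entropy(s) >= 3.8
        for s in subs
    )
    ind = {"qname_length": len(qname.rstrip(".")), "label_count": len(subs),
           "longest_label": longest, "encoded_label": bool(encoded)}
    ind["tunnel_like"] = ind["qname_length"] >= 100 or ind["longest_label"] >= 40 or ind["encoded_label"]
    return ind


def classify_query(qname: str) -> set:
    """Map a query name to the Advanced Security categories it resembles."""
    cats = set()
    if dga_indicators(qname)["dga_like"]:
        cats.add("Botnet DGA Domains")
    if tunneling_indicators(qname)["tunnel_like"]:
        cats.add("DNS Tunneling")
    return cats


def subdomain_fanout(qnames) -> dict:
    """Distinct subdomains observed per registrable domain (tunneling fan-out)."""
    seen = defaultdict(set)
    for q in qnames:
        subs, label, suffix = split_name(q)
        if subs:
            seen[f"{label}.{suffix}"].add(".".join(subs))
    return {k: len(v) for k, v in seen.items()}


# Constructed sample query log (not real traffic); fields: client qtype qname
SAMPLE_LOG = f"""\
10.0.0.5 A www.example.com
10.0.0.5 A updates.example.org
10.0.0.7 A qzxkvbwjtrpmnh.net
10.0.0.9 TXT {TUNNEL_SAMPLE}
10.0.0.9 TXT 7c1d3e5f9a2b4c6d8e0f1a3b5c7d9e2f4a6b8c0d1e3f5a7b9c.t.example.net
"""


def scan_log(text: str = SAMPLE_LOG) -> list:
    """Return (client, qname, sorted categories) for each log line."""
    results = []
    for line in text.splitlines():
        client, _qtype, qname = line.split()
        results.append((client, qname, sorted(classify_query(qname))))
    return results


if __name__ == "__main__":
    for client, qname, cats in scan_log():
        print(f"{client:10} {cats or '-'} {qname}")
    print(subdomain_fanout(r[1] for r in scan_log()))
```

Heuristics like these trade false positives for coverage: legitimate CDN and tracking hostnames can be long and random-looking, so in practice a score is combined with reputation data and per-client fan-out before a block decision is made.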

Compromised Websites

By enabling this option, you can prevent your users from accessing compromised websites. Compromised websites are websites that have been infiltrated or hacked by unauthorized entities with malicious intent. Compromised websites can serve as vectors for malware distribution, leading to potential data breaches and system compromises. Zenarmor's vigilant monitoring and blocking of compromised sites safeguard your network and user devices from these risks.

Zenarmor employs threat detection mechanisms to identify and block access to compromised websites. This proactive approach prevents users on your network from inadvertently visiting websites that have been infiltrated or hacked by malicious actors.

Spyware and Adware

This option is used to block Spyware and Adware activities on your network.

Zenarmor is your shield against spyware and adware, two types of malware that can compromise user privacy and disrupt network operations. Spyware is malicious software designed to collect information from a computer system without the user's knowledge or consent. Adware is software that automatically displays advertisements online, often without user consent.

Zenarmor actively identifies and blocks spyware and adware infections, preventing them from infiltrating your network and compromising user devices. This proactive approach ensures that your network remains free from these intrusive threats.

Keyloggers and Monitoring

By implementing Zenarmor's keylogger and monitoring protection, you can maintain control over your network's security posture. This protection extends to all devices and users, providing a comprehensive defense against these invasive threats.

Keyloggers and monitoring software are programs that covertly record user keystrokes or monitor web browsing habits, often without the user's knowledge or consent. Zenarmor provides comprehensive protection against keyloggers and monitoring threats, which can compromise user privacy and security.

Zenarmor actively detects and blocks keyloggers and monitoring software attempting to infiltrate your network. This proactive defense prevents unauthorized access to sensitive data, such as login credentials and private information.

Dead Sites

Enabling the Dead Sites option allows your network to block access to websites whose domain registrations have expired. Cybercriminals are known to exploit expired domains by re-registering them for malicious purposes, making this preventative measure essential.

The Dead Sites feature of Zenarmor protects against a common tactic employed by malevolent actors. After a domain's registration expires, cybercriminals can quickly acquire it and use it for malware distribution, phishing attacks, and other malicious activities. Users who visit these re-registered domains inadvertently may be exposed to numerous security hazards.

By activating this option, Zenarmor identifies and effectively blocks access to expired domains, classifying them as Uncategorized websites. This not only prevents users from accidentally accessing potentially compromised sites, but also foils cybercriminals' attempts to exploit abandoned domains for malicious purposes. By remaining ahead of this tactic, you ensure the security of your network and protect your users from potential attacks.

Threat actors can repurpose expired domains to deceive users, making it difficult to distinguish between malicious and legitimate websites. This risk is eliminated by Zenarmor's Dead Sites feature, contributing to a safer online experience for your network's users.

Dynamic DNS Sites

Enabling the Dynamic DNS Sites option protects your network from potential hazards by blocking access to websites that employ dynamic DNS services. This preventative measure is essential, as malicious actors frequently utilize dynamic DNS to conceal their activities and initiate attacks.

The Dynamic DNS Sites feature of Zenarmor provides a robust defense against a common cybercriminal tactic. By associating varying IP addresses with domain names, dynamic DNS services enable websites to maintain an online presence. This can be abused by malicious entities to conceal their activities by frequently altering the IP address associated with a domain.

By activating this option, Zenarmor blocks access to websites that employ dynamic DNS services. This prevents users from accessing potentially malicious domains that could be used for phishing, the distribution of malware, or other harmful actions. Blocking dynamic DNS domains ensures your network's resilience against this evasion technique, thereby enhancing your network's overall security.

Due to their continuously shifting IP addresses, dynamic DNS sites are particularly difficult to monitor and categorize. This challenge is eliminated by Zenarmor's Dynamic DNS Sites feature, reducing the risk of exposing your network and users to malicious content.

Newly Registered Sites

Enable Newly Registered Sites to strengthen your network's defenses against new threats. This proactive measure prevents access to newly registered domains, which malicious actors frequently exploit as effective campaign tools. From a security perspective, there are typically very few valid reasons for someone to visit a newly launched domain. Such domains are frequently distributed via URLs in malicious campaigns.

The Newly Registered Sites feature of Zenarmor is an effective deterrent against cybercriminal techniques. Attackers frequently use new domains to elude detection, making it more difficult to track and classify them. By preventing access to these unrecognized domains, the risk of inadvertently engaging with detrimental content and falling victim to potential threats is decreased.

This option is consistent with cybersecurity best practices, as legitimate users rarely require access to newly registered domains. This substantially reduces the likelihood that users will be exposed to malicious campaigns that may direct them to these domains.

Newly Recovered Sites

Enable the Newly Recovered Sites option to increase the security of your network by blocking access to domains that have recently reemerged after an extended period of inactivity. Cybercriminals can exploit these sites by leveraging their prior good reputation history to circumvent reputation-based security mechanisms, making this proactive measure crucial.

Similar to newly registered websites, threat actors may weaponize dormant domains that have recently become active. Attackers are able to circumvent security measures and conduct malevolent campaigns undetected by utilizing websites with established positive reputations.

The Newly Recovered Sites function of Zenarmor is a crucial line of defense against such strategies. By restricting access to recently revived domains, you reduce the likelihood of inadvertently interacting with potentially harmful content. This proactive approach is especially useful for preventing phishing attacks against users who may not exercise caution when visiting URLs.

Enabling this option adheres to contemporary cybersecurity recommendations. While returning reputable websites may appear innocuous at first glance, they may pose hidden dangers. By preventing access to these newly revived domains, Zenarmor strengthens your network's resistance to emergent threats and contributes to a secure online environment for your users.
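The Dead Sites, Dynamic DNS Sites, Newly Registered Sites and Newly Recovered Sites options all reason about a domain's lifecycle rather than its content. The added Python example below, which is not Zenarmor's code, shows that reasoning end to end: a constructed domain record with registration, expiry and activity dates is mapped to those four categories, and the result is checked against the predefined Advanced Security profiles exactly as this page lists them. The reference date, the day thresholds, the DomainRecord fields and the sample domains are all assumptions made for the example.

```python
"""Added example (not Zenarmor code): domain-lifecycle categorization and
profile-based block/allow decisions. Dates and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2024, 6, 1)      # fixed reference date (assumption) for deterministic output
NRD_MAX_AGE_DAYS = 30         # assumption: "newly registered" means younger than 30 days
DORMANCY_MIN_DAYS = 180       # assumption: inactive at least six months before reviving
REVIVED_WINDOW_DAYS = 30      # assumption: revived within the last 30 days


@dataclass(frozen=True)
class DomainRecord:
    name: str
    registered: date
    expires: Optional[date] = None           # None when registry data is unknown
    last_active: Optional[date] = None       # most recent activity seen by the categorizer
    previous_active: Optional[date] = None   # last activity before the current active period
    dynamic_dns_zone: bool = False           # True when the name sits under a dynamic DNS provider


def categorize(rec: DomainRecord, today: date = TODAY) -> set:
    """Return the lifecycle-based Advanced Security categories for one record."""
    cats = set()
    if rec.expires is not None and rec.expires < today:
        cats.add("Dead Sites")
    if (today - rec.registered).days < NRD_MAX_AGE_DAYS:
        cats.add("Newly Registered Sites")
    if rec.last_active and rec.previous_active:
        dormant_for = (rec.last_active - rec.previous_active).days
        revived_ago = (today - rec.last_active).days
        if dormant_for >= DORMANCY_MIN_DAYS and revived_ago <= REVIVED_WINDOW_DAYS:
            cats.add("Newly Recovered Sites")
    if rec.dynamic_dns_zone:
        cats.add("Dynamic DNS Sites")
    return cats


# Category sets taken from the profile descriptions on this page.
MODERATE_CONTROL = {
    "Recent Malware/Phishing/Virus Outbreaks", "Botnet C&C", "Botnet DGA Domains",
    "DNS Tunneling", "Compromised Websites", "Spyware and Adware",
    "Keyloggers and Monitoring", "Malformed DNS",
}
HIGH_CONTROL = MODERATE_CONTROL | {
    "Dead Sites", "Dynamic DNS Sites", "Newly Registered Sites", "Newly Recovered Sites",
}
PROFILES = {"Permissive": set(), "Moderate Control": MODERATE_CONTROL, "High Control": HIGH_CONTROL}


def decide(rec: DomainRecord, profile: str, today: date = TODAY) -> tuple:
    """Return ("block", matched_categories) or ("allow", set()) under a profile."""
    hit = categorize(rec, today) & PROFILES[profile]
    return ("block", hit) if hit else ("allow", set())


# Constructed sample records (not real domains or registry data).
SAMPLES = [
    DomainRecord("shop.example", date(2010, 3, 4), date(2030, 3, 4), date(2024, 5, 30), date(2024, 5, 29)),
    DomainRecord("promo-deal.example", date(2024, 5, 20), date(2025, 5, 20), date(2024, 5, 31), date(2024, 5, 30)),
    DomainRecord("oldbrand.example", date(2012, 1, 1), date(2023, 1, 1)),
    DomainRecord("revived.example", date(2015, 6, 1), date(2026, 6, 1), date(2024, 5, 25), date(2023, 1, 1)),
    DomainRecord("host42.dyndns.example", date(2023, 1, 1), date(2025, 1, 1), dynamic_dns_zone=True),
]


def report(profile: str = "High Control") -> dict:
    """Decision per sample domain under the given profile."""
    return {rec.name: decide(rec, profile) for rec in SAMPLES}


if __name__ == "__main__":
    for profile in PROFILES:
        print(f"== {profile}")
        for name, (action, cats) in report(profile).items():
            print(f"  {name:24} {action:5} {sorted(cats)}")
```

Running it shows the practical difference between the profiles: under Moderate Control none of the sample domains is blocked, because the lifecycle categories are only part of High Control or of an individually toggled category.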

Malformed DNS

Enable the Malformed DNS option to increase the security of your network by blocking cyber threats targeting your DNS server. A vulnerability exploitation attack targeting the name server or resolver specified by the destination IP address could manifest as malformed DNS queries. Additionally, they might suggest the presence of malfunctioning devices connected to your network. These types of issues may arise due to the presence of malware or unsuccessful attempts to eliminate malware.
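Because the Malformed DNS option is about queries that break the wire format rather than about who sent them, an added Python example follows that parses the 12-octet DNS header and question section and reports the kinds of defects such an option would act on (truncated messages, impossible counts, reserved label types, a response flag on a query). This is illustrative code, not Zenarmor's parser or any of its code, and the sample messages are constructed in the block; which specific malformations Zenarmor's engine flags is not documented on this page.

```python
"""Added example (not Zenarmor code): minimal DNS query sanity checker.
check_query() returns a list of findings; an empty list means the header and
question section are well formed as far as these checks go."""
import struct

MAX_NAME_OCTETS = 255
VALID_OPCODES = {0, 1, 2, 4, 5}   # QUERY, IQUERY, STATUS, NOTIFY, UPDATE


def parse_name(buf: bytes, off: int):
    """Parse an uncompressed domain name at buf[off]; return (name, next_offset)."""
    labels, total = [], 0
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        ln = buf[off]
        if (ln & 0xC0) == 0xC0:
            raise ValueError("compression pointer in question name")
        if ln & 0xC0:
            raise ValueError("reserved label type")
        off += 1
        if ln == 0:
            break
        total += ln + 1
        if total > MAX_NAME_OCTETS:
            raise ValueError("name exceeds 255 octets")
        if off + ln > len(buf):
            raise ValueError("label runs past end of message")
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels) or ".", off


def check_query(msg: bytes) -> list:
    """Return malformation findings for a DNS message that arrived as a query."""
    if len(msg) < 12:
        return ["header shorter than 12 octets"]
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    problems = []
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    if qr:
        problems.append("QR bit set: response sent as a query")
    if opcode not in VALID_OPCODES:
        problems.append(f"unassigned opcode {opcode}")
    if opcode == 0 and qd != 1:
        problems.append(f"QDCOUNT {qd} in a standard query")
    if opcode == 0 and an:
        problems.append("ANCOUNT nonzero in a query")
    off = 12
    for _ in range(qd):
        try:
            _, off = parse_name(msg, off)
            if off + 4 > len(msg):
                raise ValueError("question truncated before QTYPE/QCLASS")
            off += 4                      # skip QTYPE and QCLASS
        except ValueError as err:
            problems.append(str(err))
            break
    return problems


def build_query(name: str, qtype: int = 1, flags: int = 0x0100, qd: int = 1) -> bytes:
    """Build a standard query (RD set by default); used only to construct samples."""
    out = bytearray(struct.pack("!HHHHHH", 0x1234, flags, qd, 0, 0, 0))
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out.append(len(raw))
        out += raw
    out.append(0)
    out += struct.pack("!HH", qtype, 1)   # QCLASS IN
    return bytes(out)


def sample_messages() -> dict:
    """Constructed samples: one well-formed query and several malformed ones."""
    good = build_query("www.example.com")
    qr_set = bytearray(good)
    qr_set[2] |= 0x80                      # flip the QR bit in the flags high byte
    return {
        "well-formed": good,
        "truncated": good[:20],
        "short-header": b"\x00" * 5,
        "qr-set": bytes(qr_set),
        "bad-opcode": build_query("www.example.com", flags=3 << 11),
        "reserved-label": good[:12] + b"\x40abc",
    }


def scan(samples: dict = None) -> dict:
    """Findings per sample name."""
    return {k: check_query(v) for k, v in (samples or sample_messages()).items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(f"{name:15} {findings or 'ok'}")
```

Note the second sentence of the option text: the same findings, seen repeatedly from one internal client, point at a broken or infected device rather than an external attack, so the client address is worth recording alongside the finding.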


Figure 5. Zenarmor Advanced Security Control Settings

Activating the rules

When you have completed the changes, click the Apply Changes button in the top right corner of the screen to activate the rules.

Here is a video about the Zenarmor Advanced Security Controls.