
Security Rules

Zenconsole (Centralized Cloud Management Portal) allows you to define Zenarmor Security Rules easily. Zenconsole streamlines the process of defining security rules, putting the power of customization at your fingertips. You can seamlessly establish, modify, or fine-tune your security protocols directly from this intuitive platform.

Overview

We designed Zenarmor so that you can easily configure almost every network security restriction yourself.

On the Security page of the policy, you can define general rules of how threat analysis will work.

info

The engine processes your request, queries Zenarmor Cloud and decides in real time whether it will be allowed or blocked. It checks against 300+ million websites under 120+ categories in milliseconds.

The Cloud Threat Intelligence data is queried in real time whenever any device on your network attempts to connect to anywhere on the internet. This allows us to respond to malware and wireless outbreaks in real time.

Zenarmor's robust security architecture leverages the combined strength of Zenarmor CTI DB and BrightCloud Threat Intelligence, providing an advanced defense mechanism against evolving threats. Here's a summary of their contributions:

  • Zenarmor CTI DB processes requests and queries the Zenarmor Cloud, deciding in real time whether to allow or block. It analyzes over 300 million websites across 120+ categories in mere milliseconds.
  • BrightCloud Threat Intelligence, with its expansive reach, finds threats across 4.39 billion+ IPv4 and in-use IPv6 addresses. It draws on insights from 1 billion+ domains for automated policy-based decisions. With real-time lookups against 38 billion+ records, it offers protection against malicious and whitelisted file behaviors. Furthermore, it actively prevents zero-day and polymorphic malware.

info

BrightCloud Threat Intelligence is only available in the Business Edition.

Together, these two powerhouses create a multi-dimensional shield for your network. Zenarmor CTI DB's rapid decision-making aligns seamlessly with BrightCloud's extensive threat detection and prevention capabilities. This collaboration equips Zenarmor to provide near-instantaneous, proactive, and comprehensive protection against an array of security challenges.

Figure 1. Zenarmor Security Rules on Zenconsole

The Free Edition provides only the Essential Security options. Advanced Security options are available through Zenarmor Premium subscriptions (Home, SOHO, Premium).

Advanced Security options provide Advanced Threat Protection against the latest viruses, malware and phishing attacks by blocking websites that are known to host viruses or malware or to launch phishing attacks. With Zenarmor's Advanced Threat Protection capabilities, you get near-real-time, commercial-grade threat protection and tracking.

Essential Security

Zenconsole provides three predefined Essential Security profiles:

  1. Permissive: There are no restrictions on this profile.
  2. Moderate Control: Only risky security categories such as Malware/Virus, Phishing, Hacking, Spam sites, and Potentially Dangerous are blocked in this profile.
  3. High Control: All essential security categories are blocked in this profile.

To enable Essential Security on your Zenarmor firewall via Zenconsole, you may follow these steps:

  1. In the Zenconsole UI, select the firewall on which you want to enable Essential Security rules.
  2. Navigate to the Security tab on the policy configuration page.
  3. Click the 3-dot (...) menu icon at the top right corner of the Essential Security pane. This opens a drop-down menu displaying the available profiles.
  4. Select the Essential Security profile that you want.

tip

Instead of choosing a predefined Essential Security profile, you may also block individual Security categories by turning on the corresponding toggle bar.

Figure 2. Selecting Zenarmor Essential Security Profiles

Zenarmor Essential Security options are outlined below.

DNS over HTTPS (DoH)

By enabling this option, you can block DoH traffic on your network.

DNS over HTTPS (DoH) is a protocol designed to encrypt DNS queries, bolstering network security by preventing eavesdropping and DNS-based attacks. Malicious actors also use DoH to hide their actions, making it difficult to identify and stop DNS-related threats. Zenarmor integrates DoH protection to fortify your network security.

Zenarmor actively monitors and blocks any attempts to use DoH to bypass traditional DNS security measures. By continuously monitoring and blocking DoH connections, Zenarmor helps you maintain control over DNS traffic on your network, in line with best practices recommended by security experts.

info

As of v1.18, DNS over HTTPS sessions, which were previously classified under a Security category, are classified under a Web category.

Malware/Virus

By enabling this option, you can block sites that are known to host malware.

Activate the Malware Activity option to fortify your network's defenses against a potent threat. By enabling this feature, Zenarmor effectively prevents access to sites that are confirmed hosts of malware. Malware-infected websites can quickly compromise devices and networks, leading to data breaches, system vulnerabilities, and unauthorized access.

Zenarmor's Malware Activity feature is your proactive defense against these insidious threats. By cutting off access to known malware-hosting sites, you minimize the risk of unwittingly exposing your network to malicious code. This robust protection contributes to maintaining the integrity and security of your digital ecosystem.

Phishing Servers

By enabling this option, you can block sites that are known to host malicious software used by phishing campaigns.

Enabling the Phishing Servers option empowers your network to repel phishing attacks with precision. Phishing campaigns often leverage malicious software hosted on specific servers. By activating this feature, Zenarmor thwarts access to sites known for harboring such malicious components.

The Block Phishing Servers feature is a strategic defense against falling victim to these deceptive tactics. It disrupts the attackers' infrastructure and prevents users from interacting with domains that could compromise sensitive data or credentials. By enhancing your network's defenses against phishing, Zenarmor contributes to a safer online experience for your users.

Hacking Sites

By enabling this option, you can block sites that distribute hacking-related content.

Safeguard your network's integrity and data by enabling the Block Hacking Sites option. This proactive measure prevents access to websites known for distributing hacking-related content. Such sites often provide resources and tools that facilitate cybercriminal activities.

Zenarmor's Hacking Sites feature fortifies your network against potential threats arising from engaging with hacking related content. By blocking access to these sites, you curtail the risk of users inadvertently obtaining tools or information that could be misused for malicious purposes. This proactive stance enhances your network's security posture and safeguards against unauthorized activities.

Spam Sites

By enabling this option, you can block sites that distribute spam.

Shield your network from the deluge of unwanted and potentially harmful content by activating the Block Spam Sites option. This feature prevents access to websites that distribute spam, which can lead to a cluttered inbox, wasted resources, and potential security risks.

Zenarmor's Spam Sites feature is your ally in maintaining a clean and secure digital environment. By filtering out spammy sites, you not only improve operational efficiency but also reduce the exposure to potential phishing attempts or malware.

Potentially Dangerous Sites

You can block potentially dangerous sites by enabling this option. We are not 100% sure that they are malicious, but they show suspicious activity that resembles a malicious site.

Elevate your network's security with the Potentially Dangerous Sites option. This feature empowers Zenarmor to pre-emptively thwart access to sites displaying suspicious activities that mirror the behavior of malicious websites. While these sites might not be definitively malicious, their resemblance to known threats necessitates a proactive response.

The Potentially Dangerous Sites feature is a key aspect of Zenarmor's proactive security strategy. By blocking access to sites showing suspicious traits, you reduce the risk of users stumbling upon sites that might compromise their security. This approach helps fortify your network's defenses against emerging threats.

Parked Domains

Safeguard your network from both inconveniences and potential dangers by activating the Parked Domains feature. Parked domains are often single-page websites crowded with ads, offering minimal value to users. Legitimate domain registrars may employ them to monetize visits.

On the other hand, parked domains can also host suspicious and/or malicious content, especially when used by an ad provider. Ad providers are known to be leveraged by cyber criminals to serve malvertisements.

What's more, landing pages of parked domains are known to serve malware on a large scale.

The Parked Domains feature takes a proactive stance against these multifaceted risks. By restricting access to parked domains, Zenarmor helps prevent users from inadvertently interacting with potentially harmful advertisements, malvertisements, or even malware-laden landing pages. This measure bolsters your network's security and ensures a safer online experience for your users.

Firstly Seen Sites

The Firstly Seen Sites option provides an additional layer of protection by addressing sites our Web Categorization engine has not encountered before. These sites, categorized as Firstly Seen, are previously unknown entities.

By activating this option, Zenarmor anticipates potential threats by preventing access to sites that have not yet been classified or categorized by our system. This proactive measure shields your network from engaging with sites that might harbor malicious content, enhancing your security posture against novel or evolving risks.

info

When we see a Firstly Seen site, it is immediately queued for processing by our AI-based classification system.

The AI-based classification system tries to classify it. If it succeeds, the web category is updated immediately and, within one hour, the new information is propagated to the entire Cloud Web Categorization & Threat Intelligence System.

If the AI-based classification cannot classify the website, it is marked as Unknown or Uncategorized and queued again for further processing.

Figure 3. Zenarmor: Essential Security Control Settings

Advanced Security

Zenarmor Premium subscription takes your network security to the next level by proactively blocking domains with suspicious activity. This includes domains that have been compromised, expired, and newly registered, all of which are favored by threat actors for launching malicious campaigns.

Research substantiates the risk associated with newly registered domains (NRDs) as they frequently serve as conduits for malware, phishing, and online scams. Zenarmor Premium recognizes this threat and takes preemptive action to block these domains, safeguarding your network and users.

Furthermore, Zenarmor Premium's protection extends to expired DynDNS sites, a breeding ground for potential threats. By proactively blocking these sites, we ensure that your network remains shielded from any latent dangers associated with expired domains.

Zenarmor Premium's advanced security features are designed to mitigate the evolving tactics of cybercriminals. Our commitment is to provide you with a comprehensive defense strategy that anticipates, detects, and neutralizes threats before they can inflict damage. With Zenarmor Premium, you can confidently navigate the digital landscape, knowing that your network is fortified against a multitude of risks.

Zenarmor provides three predefined Advanced Security profiles:

  1. Permissive: There are no restrictions on this profile.
  2. Moderate Control: Only highly risky security categories such as Recent Malware/Phishing/Virus Outbreaks, Botnet C&C, Botnet DGA Domains, DNS Tunneling, Compromised Website, Spyware and Adware, Keyloggers and Monitoring, and Malformed DNS are blocked in this profile.
  3. High Control: All security categories are blocked in this profile.

To enable Advanced Security on your Zenarmor firewall you may follow these steps:

  1. Navigate to the Security tab on the policy configuration page.
  2. Scroll down to the Advanced Security pane.
  3. Click the 3-dot (...) menu icon at the top right corner of the pane. This opens a drop-down menu displaying the Advanced Security profiles.
  4. Select the Advanced Security profile that you want.

tip

Instead of choosing a predefined Advanced Security profile, you may also block individual Security categories by turning on the corresponding toggle bar.

Figure 4. Selecting Zenarmor Advanced Security Profiles

Zenarmor Advanced Security options are outlined below:

Recent Malware/Phishing/Virus Outbreaks

Zenarmor's Block Recent Malware/Phishing/Virus Outbreaks feature empowers your network's defense against the most current threats. This functionality detects and prevents malicious software, phishing attempts, and virus campaigns that have been identified in the recent timeframe. Often, these attacks have not yet been added to signature and identification databases, leaving you vulnerable to these new and advanced threats. Zenarmor automatically identifies and blocks such threats, enhancing your network's security.

Many attackers exploit new threats by disseminating them rapidly, attempting to outpace security solutions. Zenarmor counteracts this by thwarting emergent outbreaks and bolstering your network's resilience against cyberattacks. This ensures that the latest and most potent security threats are effectively mitigated.

By enabling this option, you can block phishing, malware, and virus campaigns that are known to have come into existence very recently (within the last 0-2 weeks).

Botnet C&C

This option is used to block Botnet Command and Control Centers.

The Botnet Command and Control Centers (C&C) feature serves as a critical defense against botnet activities by preventing their communication with command and control servers.

Zenarmor's capability to block botnet C&C centers adds an essential layer of security to your network. Botnets are networks of compromised devices controlled by malicious actors through C&C servers. These servers dictate the actions of the compromised devices, often directing them to launch large-scale attacks, spread malware, or engage in other harmful activities.

By enabling this option, Zenarmor identifies and obstructs the communication between compromised devices on your network and the remote command and control servers. This impedes the botnet's ability to receive instructions or transmit stolen data, rendering the botnet ineffective. Botnets pose a significant threat to both individual devices and the overall internet ecosystem. They can be used to launch devastating Distributed Denial of Service (DDoS) attacks, facilitate data breaches, and distribute malware. Zenarmor's Block Botnet Command and Control Centers feature ensures that your network remains shielded from such threats, safeguarding your data, devices, and online operations.

Botnet URLs are typically IP addresses that have been determined to be part of a botnet and from which network attacks are launched. Such attacks may include spam messages, DoS, SQL injection, proxy jacking, and other unsolicited contacts.

Botnet DGA Domains

Botnet DGA Domains feature is designed to enhance your network's security by preemptively blocking attempts by Botnet agents to establish communication with their Command and Control (C&C) servers using Domain Generation Algorithm (DGA) mechanisms.

Zenarmor's future addition, the Block Botnet DGA Domains feature, serves as a crucial defense against advanced threat vectors. Botnets often utilize DGA to generate a multitude of domains, making it challenging to predict which domains they will use for communication. This allows Botnet agents to evade traditional domain-based detection methods.

By enabling this option, Zenarmor will proactively identify and block any communication attempts by Botnet agents leveraging DGA for domain generation. This measure ensures that your network remains resilient against these sophisticated attack strategies, thwarting their attempts to establish contact with C&C servers.

Botnet DGA domains pose a significant challenge to cybersecurity due to their dynamic nature. Zenarmor's Block Botnet DGA Domains feature is poised to overcome this challenge, providing your network with an advanced layer of protection against evolving threats.

DNS Tunneling

The DNS Tunneling feature is designed to fortify your network's security by proactively blocking attempts at DNS tunneling, a method frequently exploited to bypass network security filtering.

Zenarmor's addition, the Block DNS Tunneling feature, serves as a potent defense against a tactic employed by cybercriminals to evade detection. DNS tunneling involves using DNS requests and responses to transmit malicious data, often bypassing traditional network security measures.

By enabling this option, Zenarmor detects and prevents DNS tunneling attempts. This proactive approach ensures that your network remains resilient against these sophisticated evasion techniques, thwarting cybercriminals' attempts to circumvent security filtering through covert channels.

DNS tunneling poses a significant challenge to network security due to its covert nature. Zenarmor's Block DNS Tunneling feature is poised to address this challenge, enhancing your network's defense against emerging threats.
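As an added illustration of the name-level signals behind both the Botnet DGA Domains and the DNS Tunneling categories above (this is example code, not Zenarmor's own categorization logic), the following Python scores query names from a constructed DNS log: a registered label with high character entropy, few vowels and mixed digits is scored as DGA-like, and a client whose repeated TXT queries to one domain all carry long hex-only subdomains is flagged as tunneling-like. The log format, the thresholds and the single-label public-suffix assumption are mine.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log, one "<client> <qtype> <qname>" per line.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.7 A xkq3v9zt1p.com
10.0.0.7 A lmzp2rq8hw.net
10.0.0.7 A qq7t5r1ovb.org
10.0.0.9 TXT 7a3f0c9e2b1d4f60a8c5e3d1b2f4a6c8.c2.tunnel-test.example
10.0.0.9 TXT 19e4d2c7f0b3a5861e2c4d6f8a0b9c7d.c2.tunnel-test.example
10.0.0.9 TXT c3b1a9f7e5d3c1b9a7f5e3d1c9b7a5f3.c2.tunnel-test.example
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def split_name(qname):
    """Return (subdomain part, registered domain) for a query name.
    Assumption: a single-label public suffix; real filters use the PSL."""
    parts = qname.rstrip(".").lower().split(".")
    if len(parts) < 2:
        return "", parts[0]
    return ".".join(parts[:-2]), ".".join(parts[-2:])


def dga_score(qname):
    """Fraction of three DGA indicators met by the registered label:
    high character entropy, few vowels, and letters mixed with digits."""
    label = split_name(qname)[1].split(".")[0]
    if len(label) < 6:
        return 0.0
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    hits = (shannon_entropy(label) >= 3.0) + (vowels < 0.25) + (digits >= 0.2)
    return hits / 3


def tunnel_indicators(qtype, qname):
    """Count tunneling traits of one query: a long subdomain payload, a
    hex-only leftmost label, and a record type that carries bulk data."""
    sub = split_name(qname)[0]
    left = sub.split(".")[0]
    return (len(sub) >= 30) + bool(re.fullmatch(r"[0-9a-f]{20,}", left)) + (qtype in ("TXT", "NULL"))


def analyze(log_text, dga_threshold=1.0, tunnel_min_queries=3):
    """Return DGA-like query names and (client, domain) pairs whose repeated
    queries all show at least two tunneling traits."""
    dga, per_flow = [], defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qtype, qname = line.split()
        if dga_score(qname) >= dga_threshold:
            dga.append(qname)
        per_flow[(client, split_name(qname)[1])].append(tunnel_indicators(qtype, qname))
    tunnel = sorted(key for key, hits in per_flow.items()
                    if len(hits) >= tunnel_min_queries and min(hits) >= 2)
    return {"dga": dga, "tunnel": tunnel}
```

Heuristics like these produce false positives on legitimate high-entropy hostnames (CDN and cloud endpoints), which is why a production categorizer pairs them with reputation data and trained models such as the AI-based classification described above.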

Compromised Websites

By enabling this option, you can prevent your users from accessing compromised websites.

Compromised websites are websites that have been infiltrated or hacked by unauthorized entities with malicious intent. Compromised websites can serve as vectors for malware distribution, leading to potential data breaches and system compromises. Zenarmor's vigilant monitoring and blocking of compromised sites safeguard your network and user devices from these risks.

Zenarmor employs threat detection mechanisms to identify and block access to compromised websites. This proactive approach prevents users on your network from inadvertently visiting websites that have been infiltrated or hacked by malicious actors.

Spyware and Adware

This option is used to block Spyware and Adware activities on your network.

Zenarmor is your shield against spyware and adware, two types of malware that can compromise user privacy and disrupt network operations. Spyware is malicious software designed to collect information from a computer system without the user's knowledge or consent. Adware is software that automatically displays advertisements online, often without user consent.

Zenarmor actively identifies and blocks spyware and adware infections, preventing them from infiltrating your network and compromising user devices. This proactive approach ensures that your network remains free from these intrusive threats.

Keyloggers and Monitoring

By implementing Zenarmor's keylogger and monitoring protection, you can maintain control over your network's security posture. This protection extends to all devices and users, providing a comprehensive defense against these invasive threats.

Keyloggers and monitoring software are programs that covertly record user keystrokes or monitor web browsing habits, often without the user's knowledge or consent. Zenarmor provides comprehensive protection against keyloggers and monitoring threats, which can compromise user privacy and security.

Zenarmor actively detects and blocks keyloggers and monitoring software attempting to infiltrate your network. This proactive defense prevents unauthorized access to sensitive data, such as login credentials and private information.

Dead Sites

Enabling the Dead Sites option empowers your network to prevent access to sites whose domain registrations have expired. This proactive measure is essential as cybercriminals are known to exploit expired domains by re-registering them for malicious purposes.

Zenarmor's Dead Sites feature is a safeguard against a tactic frequently employed by malicious actors. After a domain's registration expires, cybercriminals can swiftly acquire it and use it to spread malware, launch phishing attacks, or engage in other harmful activities. Users who unwittingly visit these re-registered domains might be exposed to various security risks.

By activating this option, Zenarmor identifies expired domains and effectively blocks access to them, considering these dead sites as Uncategorized sites. This not only prevents users from inadvertently accessing potentially compromised sites but also thwarts cybercriminals' attempts to leverage abandoned domains for malicious intent. By staying ahead of this tactic, you ensure that your network remains secure and that your users are shielded from potential threats.

Expired domains can be repurposed by threat actors to deceive users, making it difficult to distinguish between legitimate and malicious websites. Zenarmor's Block Dead Sites feature eliminates this risk, contributing to a safer online experience for your network's users.

Dynamic DNS Sites

Enabling the Dynamic DNS Sites option fortifies your network against potential threats by preventing access to sites utilizing dynamic DNS services. This proactive measure is crucial, as malicious actors often exploit dynamic DNS to conceal their activities and launch attacks.

Zenarmor's Dynamic DNS Sites feature offers a robust defense against a well-known tactic employed by cybercriminals. Dynamic DNS services allow websites to maintain their online presence by associating changing IP addresses with domain names. Malicious entities can abuse this by frequently changing the IP address associated with a domain, making it difficult to track their activities.

By activating this option, Zenarmor identifies and blocks access to sites utilizing dynamic DNS services. This prevents users from accessing potentially malicious domains that might be used for phishing, malware distribution, or other harmful actions. Blocking dynamic DNS sites ensures that your network remains resilient against this evasive tactic, ultimately enhancing your overall security posture.

Dynamic DNS sites are particularly challenging to track and categorize due to their constantly changing IP addresses. Zenarmor's Block Dynamic DNS Sites feature eliminates this challenge, reducing the risk of exposing your network and users to malicious content.

Newly Registered Sites

By enabling this option you can block newly registered domains which are an effective tool for threat actors. From a security perspective, there are very few reasons someone would need to visit a domain that has just come online; likely, they were sent via a URL from a malicious campaign.

Activate the Newly Registered Sites feature to bolster your network's defenses against emerging threats. This proactive measure prevents access to domains that have recently been registered, which malicious actors often exploit as effective tools for their campaigns. From a security standpoint, there are typically very few legitimate reasons for someone to visit a domain that has just come online. In many cases, such domains are sent via URLs within malicious campaigns.

Zenarmor's Newly Registered Sites feature is a powerful deterrent against cybercriminal tactics. Attackers frequently rely on new domains to evade detection, making them harder to trace and categorize. By blocking access to these unestablished domains, you reduce the risk of inadvertently engaging with harmful content and falling victim to potential threats.

Enabling this option aligns with best practices in cybersecurity, as legitimate users rarely require access to newly registered domains. By doing so, you significantly diminish the chances of users being exposed to malicious campaigns that might direct them to these domains.

Newly Recovered Sites

Enable the Newly Recovered Sites feature to heighten your network's security by preventing access to domains that have recently re-emerged after a prolonged period of inactivity. This proactive measure is vital, as cybercriminals can exploit these sites, leveraging their prior good reputation history to evade reputation-based security mechanisms.

Similar to newly registered sites, domains that have been dormant for an extended period and have recently become active could be weaponized by threat actors. Attackers may utilize sites with established positive reputations to bypass security measures and carry out malicious campaigns undetected.

Zenarmor's Newly Recovered Sites feature serves as a critical line of defense against such tactics. By preventing access to recently revived domains, you reduce the risk of inadvertently engaging with potentially harmful content. This proactive approach is especially beneficial in thwarting phishing attacks where users might not exercise caution while clicking on URLs.

Enabling this option aligns with modern cybersecurity best practices. While reputable sites coming back online might seem harmless, they could pose hidden risks. By blocking access to these newly revived domains, Zenarmor enhances your network's resilience against emerging threats and contributes to a safer online experience for your users.

Malformed DNS

Enable the Malformed DNS option to increase the security of your network by blocking cyber threats targeting your DNS server. A vulnerability exploitation attack targeting the name server or resolver specified by the destination IP address could manifest as malformed DNS queries. Malformed queries might also indicate malfunctioning devices connected to your network; such issues may arise from the presence of malware or from unsuccessful attempts to remove malware.

Figure 5. Zenarmor: Advanced Security Control Settings

Here is a video about the Zenarmor Advanced Security Controls.