GCC6000 Series - Intrusion Detection and Prevention Guide - Documentation Center
Grandstream Networks, Inc.
GCC6000 Series - Intrusion Detection and Prevention Guide

Introduction

The GCC convergence device ships with two complementary security features, an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). Both inspect traffic against a signature library to identify threats of various types and severities in real time; they differ in what happens on a match:

Intrusion Detection System (IDS): passively monitors traffic and alerts administrators to potential threats without intervening.
Intrusion Prevention System (IPS): intercepts and blocks harmful activity immediately.

[Figure: IDS vs IPS Diagram]

In this guide we configure detection and prevention against one common class of web attack, SQL injection.

Preventing attacks using IDS/IPS

A SQL injection attack places attacker-controlled input into an application's SQL statements so that the database executes it as part of the query. The goal is usually to retrieve information the attacker is not authorized to see, to bypass authentication, or to corrupt or destroy the database with a harmful command. Blocking such requests at the GCC is a compensating control in front of the web application; it does not remove the underlying defect, which is fixed in the application by binding input as parameters rather than concatenating it into SQL. Follow the steps below to detect and block injection attempts at the device:

1. Navigate to Firewall Module > Intrusion Prevention > Signature Library.
2. Click the update icon to make sure the Signature Library Information is up to date.

[Figure: Update Library]

Note: The threat database is updated regularly and automatically by the GCC, depending on the purchased plan. The update can be scheduled to run weekly or at an absolute date and time. Signatures only match what the library knows about, so an out-of-date library means missed detections; verify the library version before relying on the IPS.

3. Navigate to Firewall Module > Intrusion Prevention > IDS/IPS.
4. Set the mode to Notify & Block. In this mode the device monitors for suspicious activity, records each match in the security log, and blocks the source of the attack.
5. Select the Security Protection Level. The following levels are supported:

   1. Low: the following attack types are monitored and/or blocked: Injection, Brute Force, Path Traversal, DoS, Trojan, Webshell.
   2. Medium: the following attack types are monitored and/or blocked: Injection, Brute Force, Path Traversal, DoS, Trojan, Webshell, Vulnerability Exploit, File Upload, Hacking Tools, Phishing.
   3. High: the following attack types are monitored and/or blocked: Injection, Brute Force, Path Traversal, DoS, Trojan, Webshell, Vulnerability Exploit, File Upload, Hacking Tools, Phishing.
   4. Extremely High: all attack types are blocked.
   5. Custom: lets you select only specific attack types to be detected and blocked by the GCC device; refer to the Attack Types Definitions section below for what each type covers.

   Note that this guide lists the same attack types for Medium and High; confirm the effective set on the device's IDS/IPS page before relying on the distinction. In this guide we set the Security Protection Level to Custom. When using Custom, the Injection type must be among the selected types, or the SQL injection attempt below will pass through undetected.

[Figure: Configure Security Protection Level]

Once the configuration is set, if an attacker attempts a SQL injection, the attempt is detected and blocked by the GCC device, and the corresponding entry is displayed in the security logs:

[Figure: IDS/IPS Security Logs Examples]

To view more information on a log entry, click the details icon for that entry:

[Figures: IPS Block Monitor, IDS]

Attack Types Definitions

The IDS/IPS can protect against the following attack types. Each entry gives the attack type, a description and an example:

Injection
Description: Injection attacks occur when untrusted data is sent to an interpreter as part of a command or query, tricking the interpreter into executing unintended commands or accessing unauthorized data.
Example: SQL injection in a login form can allow an attacker to bypass authentication.
Brute Force
Description: Brute force attacks try many passwords or passphrases, systematically checking candidates until one is correct.
Example: Attempting multiple password combinations on a login page.

Unserialize
Description: Deserialization attacks occur when untrusted data is deserialized, leading to arbitrary code execution or other exploitation.
Example: An attacker supplying malicious serialized objects.

Information
Description: Information disclosure attacks gather information about the target system to facilitate further attacks.
Example: Exploiting a vulnerability to read sensitive configuration files.

Path Traversal
Description: Path traversal attacks access files and directories stored outside the web root folder by manipulating variables that reference files with "../" sequences.
Example: Reading /etc/passwd on a Unix system by traversing directories.

Exploitation of Vulnerabilities
Description: Exploitation takes advantage of software vulnerabilities to cause unintended behaviour or gain unauthorized access.
Example: Exploiting a buffer overflow vulnerability to execute arbitrary code.

File Upload
Description: File upload attacks upload malicious files to a server in order to execute arbitrary code or commands.
Example: Uploading a web shell script to gain control over the server.

Network Protocol
Description: Monitoring and detecting anomalies in network protocols to identify potentially malicious traffic.
Example: Unusual use of protocols such as ICMP or ARP.

DoS (Denial of Service)
Description: DoS attacks make a machine or network resource unavailable to its intended users by overwhelming it with a flood of traffic.
Example: Sending a high volume of requests to a web server to exhaust its resources.

Phishing
Description: Phishing tricks individuals into divulging confidential information through deceptive emails or websites.
Example: A fake email that appears to come from a trusted source and prompts users to enter their credentials.

Tunnel
Description: Tunneling attacks encapsulate one type of network traffic within another to bypass security controls or firewalls.
Example: Using HTTP tunneling to send non-HTTP traffic through an HTTP connection.

IoT (Internet of Things)
Description: Monitoring and detecting anomalies in IoT devices to prevent attacks targeting those devices.
Example: Unusual communication patterns from IoT devices indicating a possible compromise.

Trojan
Description: Trojan horses are malicious programs that mislead users about their true intent, often providing a backdoor to the attacker.
Example: A seemingly harmless program that gives an attacker access to the system when executed.

CoinMiner
Description: CoinMiners are malicious software designed to mine cryptocurrency using the infected machine's resources.
Example: A hidden mining script that uses CPU/GPU power to mine cryptocurrency.

Worm
Description: Worms are self-replicating malware that spread across networks without human intervention.
Example: A worm that spreads through network shares to infect multiple machines.

Ransomware
Description: Ransomware encrypts a victim's files and demands a ransom payment to restore access to the data.
Example: A program that encrypts files and displays a ransom note demanding payment in cryptocurrency.

APT (Advanced Persistent Threat)
Description: APTs are prolonged, targeted attacks in which an intruder gains access to a network and remains undetected for an extended period.
Example: A sophisticated attack targeting the sensitive data of a specific organization.

Webshell
Description: Web shells are scripts that provide a web-based interface for attackers to execute commands on a compromised web server.
Example: A PHP script uploaded to a web server that allows the attacker to run shell commands.

Hacking Tools
Description: Hacking tools are software designed to facilitate unauthorized access to systems.
Example: Tools like Metasploit or Mimikatz used for penetration testing or malicious hacking.

Supported Devices

Device Model    Firmware Required
GCC6010W        1.0.1.7+
GCC6010         1.0.1.7+
GCC6011         1.0.1.7+
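The following is an added example and is not part of Grandstream's guide or the GCC firmware. It is a small Python model of the behaviour the configuration steps above describe (a signature match produces a security-log entry, and in Notify & Block mode the source is blocked) placed in front of a login backend with the SQL injection defect named in the Injection entry. It also shows the two caveats a practitioner cares about: a Custom level that omits Injection lets the attack reach the backend, and a parameterised query resists the attack even when the gateway only notifies. The signatures, request bodies, account, the "Notify" notify-only mode and the log fields are assumptions constructed for the example; the GCC's real signature library, mode names and log format are not reproduced.

```python
"""Added example, not Grandstream code: toy IDS/IPS gateway in front of a
login backend vulnerable to SQL injection. Signatures, requests, account,
the 'Notify' mode and log fields are constructed for this demonstration."""
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed signature library keyed by the guide's attack-type names.
# A real library is far larger; these patterns only illustrate the mechanism.
SIGNATURES = {
    "Injection": [
        re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),   # ' OR '1'='1
        re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    ],
    "Path Traversal": [re.compile(r"\.\./|%2e%2e%2f", re.I)],
    "Webshell": [re.compile(r"\b(?:cmd|exec)=\S*(?:whoami|uname)", re.I)],
}
ALL_CATEGORIES = frozenset(SIGNATURES)


def inspect(request, mode="Notify & Block", enabled=ALL_CATEGORIES):
    """Match one request body against the enabled attack types.

    mode is the guide's 'Notify & Block'; 'Notify' is an assumed notify-only
    mode standing in for the IDS behaviour in the introduction. enabled plays
    the role of a Custom protection level. Returns (action, log_entry) with
    action one of 'allow', 'notify', 'block'."""
    payload = unquote_plus(request["body"])
    for category in enabled:
        for sig in SIGNATURES.get(category, []):
            m = sig.search(payload)
            if m:
                action = "block" if mode == "Notify & Block" else "notify"
                entry = {"source": request["src"], "category": category,
                         "action": action, "matched": m.group(0)}
                return action, entry
    return "allow", None


def make_db():
    """Constructed backend: one account in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: a quote in the input ends the literal and the rest
    is parsed as SQL. This is the defect the gateway IPS is compensating for."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: input is bound as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def parse_form(body):
    """Decode a urlencoded login body into (username, password)."""
    fields = dict(pair.split("=", 1) for pair in body.split("&"))
    return unquote_plus(fields["user"]), unquote_plus(fields["pass"])


def handle(conn, request, mode="Notify & Block", enabled=ALL_CATEGORIES,
           login=login_vulnerable):
    """Gateway, then backend. Returns (gateway_action, authenticated, entry);
    authenticated is None when the gateway blocked the request."""
    action, entry = inspect(request, mode, enabled)
    if action == "block":
        return action, None, entry
    user, pw = parse_form(request["body"])
    return action, login(conn, user, pw), entry


# Constructed traffic: a legitimate login, a tautology injection and a
# traversal attempt, each from a different source address.
REQUESTS = [
    {"src": "10.0.0.5", "body": "user=admin&pass=correct-horse-battery"},
    {"src": "203.0.113.9",
     "body": "user=%27+OR+%271%27%3D%271&pass=%27+OR+%271%27%3D%271"},
    {"src": "203.0.113.7", "body": "user=..%2F..%2Fetc%2Fpasswd&pass=x"},
]


def run(mode="Notify & Block", enabled=ALL_CATEGORIES, login=login_vulnerable):
    """Push REQUESTS through gateway and backend; map source -> (action, auth)."""
    conn = make_db()
    return {r["src"]: handle(conn, r, mode, enabled, login)[:2] for r in REQUESTS}


if __name__ == "__main__":
    for mode in ("Notify & Block", "Notify"):
        print(mode, run(mode))
    print("Custom without Injection:", run(enabled={"Path Traversal"}))
    print("Parameterised backend, Notify only:", run("Notify", login=login_safe))
```

In Notify & Block mode the injection source 203.0.113.9 is blocked before the backend sees it; in the notify-only variant the same request is logged but the string-built query still authenticates the attacker, which is the IDS-versus-IPS difference from the introduction. Dropping Injection from the Custom set lets the attack through with no log entry at all, and swapping in the parameterised login shows the application-side fix holding regardless of gateway mode.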