User Guide for GRANDSTREAM models including: GCC6000, GCC6000 Series Security Defense Guide, GCC6000 Series, Security Defense Guide, Defense Guide, Guide

GCC6000 Series - Security Defense Guide - ation Center

• Google Docs
• Google Drive
• Download [pdf]
• Download Optimized
• Document:
  • References

File Info : application/pdf, 7 Pages, 987.27KB

Grandstream Networks, Inc.
GCC6000 Series Security Defense Guide

GCC6000 Series - Security Defense Guide
Introduction
Security Defense is a mechanism implemented in the GCC convergence device, to protect the network from common cyber attacks, such as DoS attacks, Man-in-the-middle attack, ARP Spoofing... Each tool will have a set of parameters and configuration items to either block, isolate or delete the source endpoint from where the attack is detected. In this guide, we will go through some of the defense methods used by the GCC device to protect the network from potential down time or security vulnerabilities. The guide will cover the following configurations:
DoS Defense ARP Protection
DoS Defense
The Flood attack defense, as the name implies, is used to block connected endpoints from flooding the network with SYNC requests, this is achieved by performing a SYNC FLOOD defense on network service ports (port 443, port 80...), and if it notices that too many requests are being sent to a targeted device, it will block sync messages, or inform the network administrator, depending on the way it is configured.
DoS Attack Diagram Some initial attack indications are: port scanning, where the GCC would signal an attempted scan for all internal service ports, and sees if any specific port is currently used, such as port 21 for FTP, port 22 for SSH access..., these kind of information can cause a vulnerability in the network if obtained by the wrong person, and can help him in some cases flood the network and launch a Denial-of-Service attack, to minimize the risks, we can enable the port scan detection feature to let us know, when a user is attempting a port scan.
Preventing the DoS attack
To prevent a flooding attack, we can follow the below steps on the GCC device: 1. Under "Firewall Module  Security Defense  DoS Defense", Enable the DoS Defense option. 2. Set the action to "Block", this will notify the user of an attempted SYN FLOOD, and at the same time, block the user from sending SYN FLOOD attacks, setting the action to "Monitor" will only inform the user that an attack is attempted, the information can be viewed on the security logs of the GCC device. 3. Set the TCP SYN Flood Packet Threshold (packets/s) to 2000 packets per second, if the amount exceeds that, the system will consider it as a SYN Flood.
In the same manner, you have the possibility to enable Flood attack defense for other protocols such as UDP, ICMP, or for the TCP Acknowlegments.

Preventing Flood Attack 4. Additionally, we will enable the Port Scan detection option, the GCC device will notify us when a connected host is trying to launch a SYN flood attack, which can help us take preventive measures. 5. Define the Port Scan Packet Threshold (packets/s) to be 50 packets per second, If the port packets reach the threshold, port scanning detection will start immediately.
Port Scan detection After applying the above configuration, after a user attempts to flood the network, it will be blocked, and the GCC device will not experience any downtime. You can view security logs displaying information about the exact time of the attack and the type of action, monitored only, or blocked
Security Log

Details about the TCP SYN FLOOD log
Details about the Port Scan log
ARP Protection
Spoofing Defense is a security mechanism used to prevent connected users, to alter and modify their network information, in our case, we will focus on taking preventive measures against MAC spoofing attacks. A MAC spoofing attack involves changing the MAC address of a network interface on a device to impersonate another device on the network. This can be used to bypass network access controls, such as the 802.1X authentication, disguise the attacker's device, or intercept network traffic intended for another device.
ARP Spoofing Attack

Preventing the ARP Spoofing
The GCC device allows its users to prevent such ARP spoofing attacks, by implementing specific rules to block the device from reconnecting and obtaining the modified MAC address, this can be done by following the below steps:
1. Under "Firewall Module  Security Defense ARP Protection", Enable the Spoofing Defense option. 2. Set the action to "Block", this will block the device from sniffing the traffic between the victim device and the router, it will
also notify the user that an ARP spoofing attempt happened, this can be viewed in the security log. 3. Enable the ARP Spoofing Defense, by enabling the following options, "Block ARP Replies with Inconsistent Source
MAC Addresses" , and "Block ARP Replies with Inconsistent Destination MAC Addresses" 4. Additionally you can enable "Decline VRRP MAC Into ARP Table" to decline including any generated virtual MAC address in the ARP table.
Block ARP Replies with Inconsistent Source MAC Addresses: The GCC device will verify the destination MAC address of a specific packet, and when the response is received by the device, it will verify the source MAC address and it will make sure that they match. Otherwise, the GCC device will not forward the packet. Block ARP Replies with Inconsistent Destination MAC Addresses: The GCC601X(W) will verify the source MAC address when the response is received. The device will verify the destination MAC address and it will make sure that they match. Otherwise, the device will not forward the packet. Decline VRRP MAC Into ARP Table: Virtual Router Redundancy Protocol (VRRP) allows multiple routers to manage a single virtual IP address for high availability. This defense ensures that VRRP MAC addresses are not accepted into the ARP table, which can prevent certain types of attacks that involve VRRP.
Preventing ARP Spoofing
Static ARP List
In addition to the above mentioned tools and options used, another useful approach would be to map MAC to IP address, this is done by stating to the GCC firewall, a list of IP addresses in your local network, and their corresponding allowed MAC addresses, this means that if an attacker, within your LAN tries to impersonate one of the IP addresses added but with a different MAC address, it will be detected as a spoofing attempt and will be blocked, This is achieved through the feature called Static ARP List. We will take the below example for better understanding: For a connected internal server with the local static IP address 192.168.3.230, we will do the following:

1. Go to Firewall Module  Security Defense ARP Protection Static ARP List, before that make sure Spoofing defense is enabled under Firewall Module  Security Defense ARP Protection Spoofing Defense

2. Click

to Add a new Mapping rule.

3. Define the local IP address of the endpoint, in our case it is "192.168.3.230".

4. You have the option to either manually enter the MAC address of the connected unit, or click on "Automatic Acquisition" to be able to retrieve the MAC address of the device automatically from the list of connected devices. this will map the MAC address with the local IP address

5. Defining the Interface type depends on your set up scenario, in our case we will select LAN: LAN: Selecting the LAN interface is used when you want to protect your internal devices against internal spoofing attempts, by mapping each device in the LAN to its corresponding IP address, it is important to note that the IP address must be set statically to avoid having to update the mapping rule each time with the new IP address.

WAN: The WAN interface will be selected when we want to protect our Internal network by defining to the Firewall the public IP address of the ISP gateway provided , and its corresponding MAC address, which is the MAC address of the gateway device used, this is useful if you have a server hosted on your network and that is exposed to the internet, and you want to ensure that only traffic coming from the gateway is allowed to communicate with it.

6. Define a description that matches the device.

Static ARP List
Results
With the ARP spoofing defense mechanism applied, the GCC device can help you prevent many security threats, such as Manin the middle attack, and altering MAC address to bypass the NAC authentication.
The security logs will display the information about the blocked ARP spoofing attempt, make sure to set the type of attack to DoS & Spoofing to view the logs, as shown below:

ARP Spoofing Security Log

Supported Devices
Device Model GCC6010W GCC6010 GCC6011

Detailed Spoofing Log
Firmware Required 1.0.1.7+ 1.0.1.7+ 1.0.1.7+

Need Support? Can't find the answer you're looking for? Don't worry we're here to help!
CONTACT SUPPORT



References

• documentation.grandstream.com/knowledge-base/gcc6000-series-security-defense-guide/?hkb-redirect&nonce=04f52c5a7f&check=2nufl&redirect=helpdesk.grandstream.com&otype=ht_kb_article&oid=89724&source=widget
• documentation.grandstream.com/wp-content/uploads/2024/07/ARP-Spoofing.png
• documentation.grandstream.com/wp-content/uploads/2024/07/DoS-Diagram-2.png
• documentation.grandstream.com/wp-content/uploads/2024/11/Local-Server-ARP-LIST.png
• documentation.grandstream.com/wp-content/uploads/2024/11/Port-Scan-Detection.png
• documentation.grandstream.com/wp-content/uploads/2024/11/Preventing-ARP-Spoofing.png
• documentation.grandstream.com/wp-content/uploads/2024/11/Preventing-Flood-Attack.png
• documentation.grandstream.com/wp-content/uploads/2024/11/Security-Log-1.png
• documentation.grandstream.com/wp-content/uploads/2024/12/ARP-Spoofing-Security-Log.png
• documentation.grandstream.com/wp-content/uploads/2024/12/Detailed-Spoofing-Log.png
• documentation.grandstream.com/wp-content/uploads/2024/12/Details-about-the-log-for-TCP-SYN-Flood.png
• documentation.grandstream.com/wp-content/uploads/2024/12/Details-about-the-port-scan-log.png