Intrusion Detection System; Enabling Ids - AudioCodes E-SBC User Manual
Hide thumbs
Also See for E-SBC:
- User manual (1482 pages) ,
- Hardware installation manual (39 pages) ,
- User manual (887 pages)
Table of Contents
Advertisement
CHAPTER 14 Security
Intrusion Detection System
The device's Intrusion Detection System (IDS) feature detects malicious attacks on the device and
reacts accordingly. A remote host is considered malicious if it has reached or exceeded a user-
defined threshold (counter) of specified malicious attacks.
If malicious activity is detected, the device can do the following:
■
Block (blacklist) remote hosts (IP addresses / ports) considered by the device as malicious.
The device automatically blacklists the malicious source for a user-defined period after which it
is removed from the blacklist.
■
Send SNMP traps to notify of malicious activity and/or whether an attacker has been added to
or removed from the blacklist. For more information, see
The Intrusion Detection System (IDS) is an important feature as it ensures legitimate calls are not
being adversely affected by attacks and to prevent Theft of Service and unauthorized access.
There are many types of malicious attacks, the most common being:
■
Denial of service: This can be Denial of Service (DoS) where an attacker wishing to prevent a
server from functioning correctly directs a large amount of requests – sometimes meaningless
and sometimes legitimate, or it can be Distributed Denial of Service (DDoS) where the attacker
controls a large group of systems to coordinate a large scale DoS attack against a system:
●
Message payload tampering: Attacker may inject harmful content into a message, e.g., by
entering meaningless or wrong information, with the goal of exploiting a buffer overflow at
the target. Such messages can be used to probe for vulnerabilities at the target.
●
Message flow tampering: This is a special case of DoS attacks. These attacks disturb the
ongoing communication between users. An attacker can then target the connection by
injecting fake signaling messages into the communication channel (such as CANCEL
messages).
●
Message Flooding: The most common DoS attack is where an attacker sends a huge
amount of messages (e.g., INVITEs) to a target. The goal is to overwhelm the target's
processing capabilities, thereby rendering the target inoperable.
■
SPAM over Internet Telephony (SPIT): VoIP spam is unwanted, automatically dialed, pre-
recorded phone calls using VoIP. It is similar to e-mail spam.
■
Theft of Service (ToS): Service theft can be exemplified by phreaking, which is a type of
hacking that steals service (i.e., free calls) from a service provider, or uses a service while
passing the cost to another person.
The IDS configuration is based on IDS Policies, where each policy can be configured with a set of
IDS rules. Each rule defines a type of malicious attack to detect and the number of attacks during
an interval (threshold) before an SNMP trap is sent. Each policy is then applied to a target under
attack (SIP interface) and/or source of attack (Proxy Set and/or subnet address).
Enabling IDS
By default, IDS is disabled. You can enable it, as described below.
➢
To enable IDS:
1.
Open the IDS General Settings page (Setup menu > Signaling & Media tab > Intrusion
Detection folder >IDS General Settings).
2.
From the 'Intrusion Detection System' drop-down list, select Enable.
Mediant 1000 Gateway & E-SBC | User's Manual
Viewing IDS
- 144 -
Alarms.
- Quick Links:
- Default Ip Address
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
