GRANDSTREAM GCC6000 Series Umhlahlandlela Wokuvikela Wokuvikela Umhlahlandlela Womsebenzisi

Okuqukethwe fihla

1 GRANDSTREAM GCC6000 Series Security Defense

2 Imiyalo yokusetshenziswa komkhiqizo

3 Isingeniso

4 Ukuvikelwa kwe-ARP

5 Amadivayisi Asekelwe

6 Amadokhumenti / Izinsiza

6.1 Izithenjwa

GRANDSTREAM GCC6000 Series Security Defense

Imininingwane

Umkhiqizo: GCC6000 Series Security Defence Guide
Umkhiqizi: Grandstream Networks, Inc.
Izici: I-DoS Defense, Ukuvikelwa kwe-ARP

Imiyalo yokusetshenziswa komkhiqizo

I-DoS Defense
Isici Sokuvikela se-DoS sisiza ukuvikela inethiwekhi ekuhlaselweni kwezikhukhula ngokuvimbela izicelo ze-SYNC. Landela lezi zinyathelo ukuze uvimbele ukuhlaselwa kwe-DoS:

Nika amandla ukuvikela kokuhlasela kwezikhukhula ezimbobeni zesevisi yenethiwekhi njenge-port443 ne-port 80.
Lungiselela ukuvikela kokuhlasela kweZikhukhula kwezinye izivumelwano ezifana ne-UDP, ICMP, noma i-TCP Acknowledgements.

Nika amandla ukutholwa kwe-Port Scan ukuze waziswe uma umsingathi ezama ukuhlasela kwezikhukhula ze-SYN.

Ukuvikelwa kwe-ARP
Isici sokuvikela se-ARP sisiza ukuvimbela ukuhlaselwa kwe-ARP Spoofing. Nansi indlela yokumisa ukuvikelwa kwe-ARP:

Nika amandla i-Spoofing Defense ngaphansi kwe-Firewall Module Security Defense ARP Protection.
Setha isenzo ukuze Vimba ukuze uvimbele imizamo ye-ARP Spoofing.

Nika amandla i-ARP Spoofing Defense futhi ulungiselele izinketho ukuze uvimbele Izimpendulo ze-ARP ezinamakheli e-MAC angahambisani.

Uhlu lwe-ARP olumile
Ukuze udale Uhlu Lwe-ARP Olumile ukuze uthole ukuvikelwa okwengeziwe:

Qinisekisa ukuthi ukuvikela kwe-Spoofing kunikwe amandla ngaphansi kwe-Firewall Module Security Defense ARP Protection.
Engeza isimiso esisha sokuhlela ngekheli le-IP lendawo kanye nekheli le-MAC elihambisanayo.

Chaza uhlobo lwesixhumi esibonakalayo ngokusekelwe esimweni sakho sokusetha.

Imibuzo Evame Ukubuzwa (FAQ)

Q: Ngingakwenza kanjani view izingodo zokuphepha ngemva kokumisa izivikelo zokuphepha?
A: Ungakwazi view amalogi okuvikela abonisa ulwazi olumayelana nokuhlasela nezenzo ezithathwe esigabeni Serekhodi Lokuvikeleka lesixhumi esibonakalayo sedivayisi ye-GCC.

Q: Yini okufanele ngiyenze uma ngisola ukuhlasela kwe-ARP Spoofing?
A: Uma usola ukuhlasela kwe-ARP Spoofing, nika amandla i-Spoofing Defense futhi ulungiselele izinketho zokuvikela i-ARP Spoofing ukuze uvimbele Izimpendulo ze-ARP ezingaguquki.

Isingeniso

Ukuvikela Ezokuphepha kuyindlela esetshenziswa kudivayisi yokuhlangana ye-GCC, ukuvikela inethiwekhi ekuhlaselweni okuvamile ku-inthanethi, njengokuhlasela kwe-DoS, ukuhlasela kwe-Man-in-the-middle, i-ARP Spoofing...
Ithuluzi ngalinye lizoba nesethi yamapharamitha nezinto zokucushwa ezingavimba, zihlukanise noma zisuse isiphetho somthombo lapho kutholwa khona ukuhlasela.
Kulo mhlahlandlela, sizodlula kwezinye zezindlela zokuvikela ezisetshenziswa idivayisi ye-GCC ukuvikela inethiwekhi kusukela esikhathini esingase sibe khona noma ekubeni sengozini kwezokuvikela.
Umhlahlandlela uzohlanganisa ukucupha okulandelayo:

I-DoS Defense
Ukuvikelwa kwe-ARP

I-DoS Defense
Ukuzivikela kokuhlasela kukaZamcolo, njengoba negama lisho, kusetshenziselwa ukuvimba izindawo zokugcina ezixhunyiwe ekukhukhuleni inethiwekhi ngezicelo ze-SYNC, lokhu kufinyelelwa ngokwenza ukuzivikela kwe-SYNC FLOOD ezimbobeni zesevisi yenethiwekhi (port 443, port 80…), futhi uma iqaphela. ukuthi izicelo eziningi kakhulu zithunyelwa kudivayisi eqondiwe, izovimba imilayezo yokuvumelanisa, noma yazise umlawuli wenethiwekhi, kuye ngendlela ecushwe ngayo.

Ezinye izinkomba zokuhlasela zokuqala yilezi: ukuskena kwechweba, lapho i-GCC izobonisa khona ukuzama ukuskena zonke izimbobo zesevisi yangaphakathi, futhi ibone ukuthi ingabe ikhona yini indawo ethile esetshenziswayo njengamanje, njengechweba elingu-21 le-FTP, imbobo 22 ukuze uthole ukufinyelela kwe-SSH…, lolu hlobo ulwazi lungabangela ubungozi kunethiwekhi uma lutholwa umuntu ongalungile, futhi lungamsiza kwezinye izimo agcwalise inethiwekhi futhi aqalise ukuhlasela kwe-Denial-of-Service, ukunciphisa ubungozi, singakwazi ukunika amandla isici sokutholwa kwe-port scan ukuze usazise, uma umsebenzisi ezama ukuskena kwembobo.

Ukuvimbela ukuhlasela kwe-DoS
Ukuze uvimbele ukuhlasela kwezikhukhula, singalandela izinyathelo ezingezansi kudivayisi ye-GCC:

Ngaphansi kwe-“Firewall Module → Security Defence → DoS Defense”, Nika amandla inketho ye-DoS Defense.
Setha isenzo sibe "Vimba", lokhu kuzokwazisa umsebenzisi ngokuzama kwe-SYN FLOOD, futhi ngesikhathi esifanayo, uvimbele umsebenzisi ekuthumeleni ukuhlasela kwe-SYN FLOOD, ukusetha isenzo kokuthi "Qapha" kuzokwazisa kuphela umsebenzisi ukuthi ukuhlasela wazama, ulwazi kungaba viewed kumalogi okuvikela edivayisi ye-GCC.

Setha i-TCP SYN Flood Packet Threshold (amaphakethe/s) kuya kumaphakethe angu-2000 ngomzuzwana, uma inani lidlula lokho, isistimu izoyibheka njenge-SYN Flood.
Ngendlela efanayo, unethuba lokuvumela ukuvikela kokuhlasela kweSikhukhula kwezinye izivumelwano ezifana ne-UDP, ICMP, noma i-TCP Acknowlegments.
Ukwengeza, sizovumela inketho yokuthola i-Port Scan, idivayisi ye-GCC izosazisa uma umsingathi oxhunyiwe ezama ukuqalisa ukuhlasela kwezikhukhula kwe-SYN, okungasisiza ukuthi sithathe izinyathelo zokuvimbela.

Chaza i-Port Scan Packet Threshold (amaphakethe/s) ukuthi ibe amaphakethe angu-50 ngomzuzwana, Uma amaphakethe embobo efika embundwini, ukutholwa kokuskena kwembobo kuzoqala ngokushesha. Ngemva kokusebenzisa ukucushwa okungenhla, ngemva kokuba umsebenzisi ezame ukugcwala inethiwekhi, izovinjelwa, futhi idivayisi ye-GCC ngeke ihlangabezane nanoma yisiphi isikhathi sokungasebenzi.
Ungakwazi view amalogi okuphepha abonisa ulwazi mayelana nesikhathi esiqondile sokuhlasela kanye nohlobo lwesenzo, esigadwayo kuphela, noma esivinjiwe

Ukuvikelwa kwe-ARP

I-Spoofing Defense iyindlela yokuvikela esetshenziselwa ukuvimbela abasebenzisi abaxhunyiwe, ukushintsha nokuguqula ulwazi lwenethiwekhi yabo, esimweni sethu, sizogxila ekuthatheni izinyathelo zokuvimbela ukuhlaselwa kwe-MAC spoofing.
Ukuhlasela okukhohlisayo kwe-MAC kuhilela ukushintsha ikheli le-MAC lesixhumi esibonakalayo senethiwekhi kudivayisi ukuze onge enye idivayisi kunethiwekhi. Lokhu kungasetshenziswa ukuze kudlule izilawuli zokufinyelela kunethiwekhi, njengokuqinisekisa kwe-802.1X, ukufihla idivayisi yomhlaseli, noma ukuvimbela ithrafikhi yenethiwekhi ehloselwe enye idivayisi.

Ukuvimbela i-ARP Spoofing
Idivayisi ye-GCC ivumela abasebenzisi bayo ukuthi bavimbele ukuhlasela okunjalo kokukhwabanisa kwe-ARP, ngokusebenzisa imithetho ethile ukuze uvimbele idivayisi ekuxhumekeni kabusha nokuthola ikheli le-MAC elilungisiwe, lokhu kungenziwa ngokulandela izinyathelo ezingezansi:

Ngaphansi kwe-“Firewall Module → Security Defence →ARP Protection”, Nika amandla inketho yokuvikela i-Spoofing.

Setha isenzo sibe "Vimba", lokhu kuzovimba idivayisi ekuhogeleni ithrafikhi phakathi kwedivayisi eyisisulu kanye nomzila, futhi kuzokwazisa umsebenzisi ukuthi kwenzeke umzamo wokukhwabanisa we-ARP, lokhu kungaba viewed kulogi yezokuphepha.
Nika amandla i-ARP Spoofing Defense, ngokunika amandla izinketho ezilandelayo, "Vimba Izimpendulo ze-ARP Ngamakheli E-MAC Omthombo Angahambisani” , kanye "Vimba Izimpendulo ze-ARP Ngamakheli E-MAC Angahambelani"

Ukwengeza ungakwazi ukunika amandla okuthi “Yenqaba I-VRRP MAC Kuthebula Le-ARP” ukuze wenqabe kuhlanganise nanoma yiliphi ikheli le-MAC elikhiqiziwe elikhiqiziwe kuthebula le-ARP.

Vimba Izimpendulo ze-ARP ezinamakheli e-MAC Omthombo Ongahambisani: Idivayisi ye-GCC izoqinisekisa ikheli le-MAC okuyiwa kulo lephakethe elithile, futhi uma impendulo itholwa idivayisi, izoqinisekisa ikheli lomthombo we-MAC futhi izokwenza isiqiniseko sokuthi ayahambelana. Uma kungenjalo, idivayisi ye-GCC ngeke idlulisele iphakethe.

Vimba Izimpendulo ze-ARP ezinamakheli e-MAC endawo okuyiwa kuyo Angahambisani: I-GCC601X(W) izoqinisekisa umthombo wekheli le-MAC lapho impendulo yamukelwe. Idivayisi izoqinisekisa ikheli le-MAC okuyiwa kulo futhi izoqinisekisa ukuthi ayafana. Uma kungenjalo, idivayisi ngeke idlulisele iphakethe.

Yenqaba i-VRRP MAC Kuthebula Le-ARP: I-Virtual Router Redundancy Protocol (VRRP) ivumela amarutha amaningi ukuthi aphathe ikheli elilodwa le-IP elibonakalayo ukuze libe khona kakhulu. Lokhu kuvikela kuqinisekisa ukuthi amakheli e-VRRP MAC awamukelwa etafuleni le-ARP, okungavimbela izinhlobo ezithile zokuhlasela ezihilela i-VRRP.

Uhlu lwe-ARP olumile
Ngaphezu kwamathuluzi ashiwo ngenhla kanye nezinketho ezisetshenzisiwe, enye indlela ewusizo kungaba ukwenza imephu ye-MAC iye ekhelini le-IP, lokhu kwenziwa ngokusho ku-firewall ye-GCC, uhlu lwamakheli e-IP kunethiwekhi yangakini, kanye namakheli awo ahambisanayo e-MAC avumelekile, lokhu kusho ukuthi uma umhlaseli, ku-LAN yakho ezama ukuzenza elinye lamakheli e-IP angeziwe kodwa ngekheli elihlukile le-MAC, lizotholwa njengomzamo wokukhwabanisa futhi lizovinjelwa, Lokhu kufinyelelwa ngesici. ebizwa ngokuthi Static ARP List.

Sizothatha i-ex engezansiample ukuze uthole ukuqonda okungcono:
Ukuze uthole iseva yangaphakathi exhunyiwe enekheli le-IP lendawo elimile elithi 192.168.3.230, sizokwenza okulandelayo:

Iya ku-Firewall Module → Ukuvikela Kokuvikela → Ukuvikelwa kwe-ARP → Uhlu lwe-ARP olumile, ngaphambi kwalokho qiniseka ukuthi ukuvikela i-Spoofing kunikwe amandla ngaphansi kweMojula ye-Firewall → Ukuvikela Ukuphepha → Ukuvikelwa kwe-ARP → Ukuvikela Okuyi-Spoofing
Chofoza ukuze Ungeze umthetho omusha Wokwenza Imephu.
Chaza ikheli le-IP lendawo lendawo yokugcina, kithina ithi “192.168.3.230”.
Unenketho yokufaka mathupha ikheli le-MAC leyunithi exhunyiwe, noma uchofoze okuthi “Ukutholwa Okuzenzakalelayo” ukuze ukwazi ukubuyisa ikheli le-MAC ledivayisi ngokuzenzakalelayo ohlwini lwamadivayisi axhunyiwe. lokhu kuzomepha ikheli le-MAC nekheli le-IP lendawo
Ukuchaza uhlobo lwesixhumi esibonakalayo kuncike esimweni sakho sokusetha, kithi sizokhetha i-LAN:
- I-LAN: Ukukhetha isixhumi esibonakalayo se-LAN kusetshenziswa uma ufuna ukuvikela izisetshenziswa zakho zangaphakathi emizamweni yokuphamba yangaphakathi, ngokwenza imephu idivayisi ngayinye ku-LAN iye ekhelini layo le-IP elihambisanayo, kubalulekile ukuqaphela ukuthi ikheli le-IP kumele limiswe ngokwezibalo ukuze ugweme ukuze ubuyekeze umthetho wokwenza imephu isikhathi ngasinye ngekheli elisha lasesizindeni se-inthanethi.
- I-WAN: Isixhumi esibonakalayo se-WAN sizokhethwa uma sifuna ukuvikela inethiwekhi yethu yangaphakathi ngokuchaza ku-Firewall ikheli le-IP lomphakathi lesango le-ISP elinikeziwe , kanye nekheli lalo le-MAC elihambisanayo, okuyikheli le-MAC ledivayisi yesango elisetshenzisiwe, leli yi. iwusizo uma uneseva esingethwe kunethiwekhi yakho futhi evezwe ku-inthanethi, futhi ufuna ukuqinisekisa ukuthi ithrafikhi kuphela evela esangweni evunyelwe ukuxhumana nayo.
Chaza incazelo efana nedivayisi.

Imiphumela
Ngokusetshenziswa kwendlela yokuvikela ekhohlisayo ye-ARP, idivayisi ye-GCC ingakusiza ukuvimbela izinsongo eziningi zokuphepha, ezifana nokuhlasela kwe-Man-in the middle, kanye nokushintsha ikheli le-MAC ukuze udlule ukuqinisekiswa kwe-NAC.
Amalogi okuvikela azobonisa ulwazi mayelana nomzamo wokukhwabanisa we-ARP ovinjelwe, qiniseka ukuthi usetha uhlobo lokuhlasela ku-DoS & Spoofing ukuze view izingodo, njengoba kuboniswe ngezansi:

Amadivayisi Asekelwe

Imodeli Yedivayisi	I-Firmware iyadingeka
I-GCC6010W	1.0.1.7+
I-GCC6010	1.0.1.7+
I-GCC6011	1.0.1.7+

Udinga Usekelo?
Awuyitholi impendulo oyifunayo? Ungakhathazeki sikhona ukuze sikusize!

Amadokhumenti / Izinsiza

GRANDSTREAM GCC6000 Series Umhlahlandlela Wokuvikela Wokuvikela [pdf] Umhlahlandlela Womsebenzisi
GCC6000, GCC6000 Series Security Defence Guide, GCC6000 Series, Security Defence Guide, Defence Guide, Guide

Izithenjwa

Imaniwali yosebenzisayo