Configuring IDS Policies

An IDS Policy is configured using two tables with a "parent-child" relationship:

IDS Policies table ("parent"): Defines a name and provides a description for the IDS Policy. You can configure up to 20 IDS Policies.
IDS Rules table ("child"): Defines the actual rules for the IDS Policy. Each IDS Policy can be configured with up to 20 rules.

A maximum of 100 IDS rules can be configured (regardless of how many rules are assigned to each policy).

The device provides the following pre-configured IDS Policies that can be used in your deployment (if they meet your requirements):

"DEFAULT_FEU": IDS Policy for far-end users in the WAN
"DEFAULT_PROXY": IDS Policy for proxy server
"DEFAULT_GLOBAL": IDS Policy with global thresholds
You can edit and delete the default IDS Policies.
If the IDS Policies table is empty (i.e., you have deleted all IDS Policies) and you want to restore the default IDS Policies, disable IDS and then enable it again.

The following procedure describes how to configure IDS Policies through the Web interface. You can also configure them through the ini file or CLI:

IDS Policy table: IDSPolicy (ini file) or configure voip > ids policy (CLI)
IDS Rules table: IDSRule (ini file) or configure voip > ids rule (CLI)
To configure an IDS Policy:
1. Open the IDS Policies table (Setup menu > Signaling & Media tab > Intrusion Detection folder > IDS Policies); the table displays the pre-configured IDS policies:

2. Click New; the following dialog box appears:

3. Configure an IDS Policy name according to the parameters described in the table below.
4. Click Apply.

IDS Policies Table Parameter Descriptions

Parameter (Web / CLI / ini file) | Description

'Index' / policy / [IDSPolicy_Index]
  Defines an index number for the new table row.
  Note: Each row must be configured with a unique index.

'Name' / rule / [IDSPolicy_Name]
  Defines a descriptive name, which is used when associating the row in other tables.
  The valid value is a string of up to 40 characters.
  Note: The parameter value cannot contain a forward slash (/).

'Description' / description / [IDSPolicy_Description]
  Defines a brief description for the IDS Policy.
  The valid value is a string of up to 100 characters.

5. In the IDS Policies table, select the required IDS Policy row, and then click the IDS Rule link located below the table; the IDS Rule table opens.
6. Click New; the following dialog box appears:

The figure above shows a configuration example: if 15 malformed SIP messages ('Reason') are received within a period of 30 seconds ('Threshold Window'), a minor alarm is sent ('Minor-Alarm Threshold'). Every 30 seconds, the rule's counters are cleared ('Threshold Window'). If more than 25 malformed SIP messages are received within this period, the device blacklists the remote IP host from which the messages were received for 60 seconds ('Deny Threshold').

7. Configure an IDS Rule according to the parameters described in the table below.
8. Click Apply, and then save your settings to flash memory.

IDS Rule Table Parameter Descriptions

Parameter (Web / CLI / ini file) | Description

General

'Index' / rule-id / [IDSRule_RuleID]
  Defines an index number for the new table record.

'Reason' / reason / [IDSRule_Reason]
  Defines the type of intrusion attack (malicious event).
  [0] Any = All events listed below are considered attacks and are counted together.
  [1] Connection abuse = (Default) Connection failures, which include the following:
    - Incoming TLS authentication (handshake) failure
    - Incoming WebSocket connection establishment failure
  [2] Malformed message = Malformed SIP messages, which include the following:
    - Message exceeds the user-defined maximum message length (50K)
    - Any SIP parser error
    - Message Policy match (see Configuring SIP Message Policy Rules)
    - Basic headers not present
    - Content-Length header not present (for TCP)
    - Header overflow
  [3] Authentication failure = SIP authentication failure, which includes the following:
    - Local authentication ("Bad digest" errors)
    - Remote authentication (SIP 401/407 is sent if the original message includes authentication)
  [4] Dialog establish failure = SIP dialog establishment (e.g., INVITE) failure, which includes the following:
    - Classification failure (see Configuring Classification Rules)
    - Call Admission Control (CAC) threshold exceeded (see Configuring Call Admission Control)
    - Routing failure (i.e., no routing rule was matched)
    - Local reject by the device (prior to a SIP 180 response): REGISTER not allowed due to the IP Group's 'RegistrationMode' parameter, or SIP requests rejected based on a registered-users policy (configured by the SRD_BlockUnRegUsers or SIPInterface_BlockUnRegUsers parameters)
    - No user found when routing to a User-type IP Group (similar to a SIP 404)
    - Remote rejects (prior to a SIP 18x response). To specify SIP response codes to exclude from the IDS count, see Configuring SIP Response Codes to Exclude from IDS.
    - Malicious signature pattern detected (see Configuring Malicious Signatures)
  [5] Abnormal flow = Abnormal SIP call flow, which includes the following:
    - Requests and responses without a matching transaction user (except ACK requests)
    - Requests and responses without a matching transaction (except ACK requests)

'Threshold Scope' / threshold-scope / [IDSRule_ThresholdScope]
  Defines the source of the attacker to consider in the device's detection count.
  [0] Global = All attacks, regardless of source, are counted together during the threshold window.
  [2] IP = Attacks from each specific IP address are counted separately during the threshold window.
  [3] IP+Port = Attacks from each specific IP address:port are counted separately during the threshold window. This option is useful for NAT servers, where numerous remote machines use the same IP address but different ports. However, it is not recommended to use this option as it may degrade detection capabilities.

'Threshold Window' / threshold-window / [IDSRule_ThresholdWindow]
  Defines the threshold interval (in seconds) during which the device counts the attacks to check whether a threshold is crossed. The counter is automatically reset at the end of the interval.
  The valid range is 1 to 1,000,000. The default is 1.

Alarms

'Minor-Alarm Threshold' / minor-alrm-thr / [IDSRule_MinorAlarmThreshold]
  Defines the threshold that, if crossed, causes a minor-severity alarm to be sent.
  The valid range is 1 to 1,000,000. A value of 0 or -1 means not defined.

'Major-Alarm Threshold' / major-alrm-thr / [IDSRule_MajorAlarmThreshold]
  Defines the threshold that, if crossed, causes a major-severity alarm to be sent.
  The valid range is 1 to 1,000,000. A value of 0 or -1 means not defined.

'Critical-Alarm Threshold' / critical-alrm-thr / [IDSRule_CriticalAlarmThreshold]
  Defines the threshold that, if crossed, causes a critical-severity alarm to be sent.
  The valid range is 1 to 1,000,000. A value of 0 or -1 means not defined.

Deny

'Deny Threshold' / deny-thr / [IDSRule_DenyThreshold]
  Defines the threshold that, if crossed, causes the device to block (blacklist) the remote host (attacker).
  The default is -1 (i.e., not configured).
  Note: The parameter is applicable only if the 'Threshold Scope' parameter is set to IP or IP+Port.

'Deny Period' / deny-period / [IDSRule_DenyPeriod]
  Defines the duration (in seconds) to keep the attacker on the blacklist, if configured using the 'Deny Threshold' parameter.
  The valid range is 0 to 1,000,000. The default is -1 (i.e., not configured).
  Note: The parameter is applicable only if the 'Threshold Scope' parameter is set to IP or IP+Port.
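The threshold mechanics described by the configuration example in the procedure and by the rule table above, as an added Python model (not the device's firmware or any AudioCodes code): events are counted per Threshold Scope, counters are cleared at the end of each Threshold Window, an alarm or blacklist action fires when a threshold is crossed, and a denied source is released after the Deny Period. The event streams fed to it are constructed, and reading "crossed" as "exceeded" is an assumption.

```python
from dataclasses import dataclass

@dataclass
class IdsRule:
    threshold_window: int        # seconds; counters are cleared at the end of each window
    threshold_scope: str = "IP"  # "Global", "IP" or "IP+Port"
    minor: int = -1              # alarm thresholds; 0 or -1 means not defined
    major: int = -1
    critical: int = -1
    deny_threshold: int = -1     # honoured only when the scope is IP or IP+Port
    deny_period: int = -1        # seconds the offending source stays blacklisted

class IdsRuleState:
    def __init__(self, rule):
        self.rule, self.counts, self.blacklist, self.window_start = rule, {}, {}, 0

    def _key(self, ip, port):    # what the device counts separately, per Threshold Scope
        s = self.rule.threshold_scope
        return "global" if s == "Global" else ip if s == "IP" else f"{ip}:{port}"

    def _tick(self, now):
        # Counters are reset at the end of every threshold window ...
        while now - self.window_start >= self.rule.threshold_window:
            self.window_start += self.rule.threshold_window
            self.counts.clear()
        # ... and a blacklisted source is released once its deny period ends.
        self.blacklist = {k: t for k, t in self.blacklist.items() if now < t}

    def event(self, now, ip, port):
        """Count one malicious event; return the action it triggers, or None."""
        self._tick(now)
        key = self._key(ip, port)
        if key in self.blacklist:
            return "dropped"     # source is currently denied
        n = self.counts[key] = self.counts.get(key, 0) + 1
        r = self.rule
        # "Crossed" is read here as exceeding the threshold (an assumption), so
        # each action fires once per window, on the (threshold + 1)th event.
        if r.threshold_scope != "Global" and r.deny_threshold > 0 and n == r.deny_threshold + 1:
            self.blacklist[key] = now + r.deny_period
            return "deny"
        for sev, thr in (("critical", r.critical), ("major", r.major), ("minor", r.minor)):
            if thr > 0 and n == thr + 1:
                return f"{sev}-alarm"
        return None

def simulate(rule, events):
    """events: iterable of (time_s, src_ip, src_port); returns one action per event."""
    state = IdsRuleState(rule)
    return [state.event(t, ip, port) for t, ip, port in events]
```

With the page's example rule (window 30, minor 15, deny 25 for 60 s, scope IP), 27 events from one source in one window yield a minor alarm on the 16th, a deny on the 26th and a dropped 27th, while the same 30 events split across two sources trigger nothing.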