Firewall, Static defense – Grandstream UCM6100 Security Manual User Manual

FIREWALL
The firewall functionality provided by the UCM6100 consists of Static Defense, Dynamic Defense and
Fail2ban. Users can manually configure each of the three options to block certain malicious attacks.
STATIC DEFENSE
Static Defense can be configured from Web UI->Settings->Firewall->Static Defense. One main purpose of
Static Defense is to filter traffic using pre-configured filtering rules. Three types of filtering rules are
supported: ACCEPT, REJECT, and DROP. The UCM6100 administrator can configure filtering rules based on
source/destination IP addresses and ports. For example, if a remote host that is allowed to connect to a
certain service on port X is known to have IP x.x.x.x, the administrator can create an ACCEPT rule to allow
traffic from IP x.x.x.x destined to port X on the UCM6100.
The options to configure static defense rule are as follows:
Rule Name: Created by user to identify this rule.
Action: Accept, Reject or Drop depending on how the user would like the rule to perform.
Type: In/out indicates the traffic direction.
Interface: Select the network interface that the traffic will go through.
Service: Users can select a pre-defined service (FTP/SSH/Telnet/TFTP/HTTP/LDAP) or “Custom”, which
allows a specific restriction. If “Custom” is selected, please define the source and destination IP
address + Port. Users need to select “Protocol” as TCP, UDP or Both.
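Added example (not from the Grandstream manual and not the UCM6100's own code): a small Python model of the rule fields above, showing that an ACCEPT rule for a known host only restricts access when a broader DROP or REJECT rule follows it. First-match ordering, the default-accept fallback, the rule names and the addresses (documentation ranges) are assumptions; the model covers Action, Type, Protocol, source IP and destination port only.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str        # Rule Name
    action: str      # "ACCEPT", "REJECT" or "DROP"
    direction: str   # Type: "in" or "out"
    protocol: str    # "TCP", "UDP" or "Both"
    src: str         # source IP or CIDR ("0.0.0.0/0" = any host)
    dport: int       # destination port on the UCM

    def matches(self, pkt: dict) -> bool:
        return (pkt["dir"] == self.direction
                and self.protocol in ("Both", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and pkt["dport"] == self.dport)

def evaluate(rules, pkt, default="ACCEPT"):
    """Return (action, rule name) for the first rule that matches.
    First-match order and the default action are assumptions of this model."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, None

# Constructed rule sets; 192.0.2.10 stands in for the known host x.x.x.x.
ACCEPT_ONLY = [Rule("ssh-admin", "ACCEPT", "in", "TCP", "192.0.2.10", 22)]
ALLOWLIST = ACCEPT_ONLY + [Rule("ssh-others", "DROP", "in", "Both", "0.0.0.0/0", 22)]

# Constructed packets: the known host and an unrelated host, both to port 22.
KNOWN = {"dir": "in", "proto": "TCP", "src": "192.0.2.10", "dport": 22}
OTHER = {"dir": "in", "proto": "TCP", "src": "198.51.100.7", "dport": 22}

if __name__ == "__main__":
    for label, rules in (("ACCEPT only", ACCEPT_ONLY), ("ACCEPT + DROP", ALLOWLIST)):
        for pkt in (KNOWN, OTHER):
            print(label, pkt["src"], evaluate(rules, pkt))
```

With only the ACCEPT rule, the unrelated host falls through to the model's default action; adding the broader DROP rule after it is what turns the ACCEPT rule into an allowlist.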
In addition, Static Defense also provides three pre-configured defense mechanisms:
1. Ping Defense
Once enabled, ICMP responses will not be sent for Ping requests. This is a predefined mechanism to
protect against Ping flood attacks.
2. SYN-Flood Defense
Once enabled, the UCM6100 can respond to SYN flood denial-of-service (DoS) attacks.
3. Ping-of-Death Defense
Once enabled, the UCM6100 can respond to Ping packets that are greater than 65,536 bytes.