IDS Reporting

The Oracle® Enterprise Session Border Controller supports a wide range of intrusion detection and protection capabilities for the vulnerability and attack profiles identified to date. The IDS reporting feature addresses the enterprise customer requirement to report on the intrusions and suspicious behavior that the system currently monitors.

Basic Endpoint Demotion Behavior

Each session agent or endpoint is promoted or demoted among the trusted, untrusted, and denied queues depending on the trust-level parameter of the session agent or realm to which it belongs. Users can also configure access control rules to further classify signaling traffic so it can be promoted or demoted among trust queues as necessary.

An endpoint can be demoted in two cases:

  1. The Oracle® Enterprise Session Border Controller receives too many signaling packets within the configured time window (the maximum signal threshold in the realm config or access control).
  2. The Oracle® Enterprise Session Border Controller receives too many invalid signaling packets within the configured time window (the invalid signal threshold in the realm config or access control).

Endpoint Demotion Reporting

The Oracle® Enterprise Session Border Controller counts the number of endpoint or session agent promotions and demotions. Further, the Oracle® Enterprise Session Border Controller counts when endpoints or session agents transition from trusted to untrusted and when endpoints transition from untrusted to denied queues. These counts are maintained for SIP signaling applications. They appear as the Trust->Untrust and Untrust->Deny rows in the show sipd acls command.

SNMP Reporting

These per-endpoint counters are available under APSYSMGMT-MIB -> acmepacketMgmt -> apSystemManagementModule -> apSysMgmtMIBObjects -> apSysMgmtMIBGeneralObjects.

MIB Name                        MIB OID                        Purpose
apSysSipEndptDemTrustToUntrust  .1.3.6.1.4.1.9148.3.2.1.1.19   Global counter for SIP endpoint demotions from trusted to untrusted.
apSysSipEndptDemUntrustToDeny   .1.3.6.1.4.1.9148.3.2.1.1.20   Global counter for SIP endpoint demotions from untrusted to denied.

HDR Reporting

The SIP (sip-ACL-oper) HDR ACL status collection groups include the following two metrics:

  • Demote Trust-Untrust (Global counter of endpoint demotion from trusted to untrusted queue)
  • Demote Untrust-Deny (Global counter of endpoint demotion from untrusted to denied queue)

Endpoint Demotion SNMP Traps

An SNMP trap can be sent when the Oracle® Enterprise Session Border Controller demotes an endpoint to the denied queue. This is controlled by the trap-on-demote-to-deny parameter in the media-manager-config configuration element.

When the trap-on-demote-to-deny parameter is enabled, the apSysMgmtInetAddrWithReasonDOSTrap trap is sent. This trap supersedes the apSysMgmtInetAddrDOSTrap trap.

When the trap-on-demote-to-deny parameter is disabled, the Oracle® Enterprise Session Border Controller does not send the apSysMgmtInetAddrWithReasonDOSTrap trap, even when an endpoint is demoted to the denied queue.

The apSysMgmtInetAddrWithReasonDOSTrap trap contains the following data:

  • apSysMgmtDOSInetAddressType—Blocked IP address family (IPv4 or IPv6)
  • apSysMgmtDOSInetAddress—Blocked IP address
  • apSysMgmtDOSRealmID—Blocked Realm ID
  • apSysMgmtDOSFromURI—The From header of the message that caused the block (if available)
  • apSysMgmtDOSReason—The reason for demoting the endpoint to the denied queue. This field reports one of the following three values:
    • Too many errors
    • Too many messages
    • Too many admission control failures

Note:

By default, the trap-on-demote-to-deny parameter is enabled for upgraded configurations, because the existing behavior is to send a trap for every endpoint that is demoted to deny. For a newly created configuration, the parameter defaults to disabled.

Trusted to Untrusted Reporting

Endpoints, however, transition to an intermediate state, untrusted, prior to being denied service. The Oracle® Enterprise Session Border Controller provides an ACLI parameter, trap-on-demote-to-untrusted, that generates an SNMP trap when a previously trusted endpoint transitions to the untrusted state. Trap generation is disabled by default.

SNMP Reporting

Endpoint state transitions continue to be tracked by two counters available under APSYSMGMT-MIB -> acmepacketMgmt -> apSystemManagementModule -> apSysMgmtMIBObjects -> apSysMgmtMIBGeneralObjects.

MIB Name                        MIB OID                        Purpose
apSysSipEndptDemTrustToUntrust  .1.3.6.1.4.1.9148.3.2.1.1.19   Global counter for SIP endpoint demotions from trusted to untrusted.
apSysSipEndptDemUntrustToDeny   .1.3.6.1.4.1.9148.3.2.1.1.20   Global counter for SIP endpoint demotions from untrusted to denied.

Endpoint Demotion Trusted-to-Untrusted SNMP Trap

The system can generate an SNMP trap when an endpoint transitions from the trusted to the untrusted state. The trap is structured as follows.

apSysMgmtInetAddrTrustedToUntrustedDOSTrap NOTIFICATION-TYPE
    OBJECTS { apSysMgmtDOSInetAddressType,
              apSysMgmtDOSInetAddress,
              apSysMgmtDOSRealmID,
              apSysMgmtDOSFromUri,
              apSysMgmtDOSReason }
    STATUS current
    DESCRIPTION
        "This trap is generated when an IP is placed on a untrusted list from trusted list, and provides the ip address that has been demoted, the realm-id of that IP, (if available) the URI portion of the SIP From header of the message that caused the demotion."
    ::= { apSysMgmtDOSNotifications 5 }

The trap OID is 1.3.6.1.4.1.9148.3.2.8.0.5.

Endpoint Demotion Syslog Message

A syslog message can be generated when an endpoint is demoted. Setting the media-manager-config parameter syslog-on-demote-to-deny to enabled writes an endpoint demotion warning to the syslog every time an endpoint is demoted to the denied queue. By default, this parameter is set to disabled. The syslog message has WARNING severity and looks like this:

Jan 15 12:22:48 172.30.60.12 ACMESYSTEM sipd[1c6e0b90] WARNING SigAddr[access:168.192.24.40:0=low:DENY] ttl=3632 guard=798 exp=30 Demoted to Black-List (Too many admission control failures)
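As an added example that is not part of the Oracle documentation, the following Python parses demotion warnings of the format shown above and rolls up denied endpoints per realm and reason, the kind of detection logic a SIEM rule would apply to this feed. The SigAddr field layout (realm:address:port=trust-level:queue) is an assumption inferred from the documented sample line; the second and third log lines are constructed.

```python
import re
from collections import Counter

# Matches the WARNING line written when syslog-on-demote-to-deny is enabled. The SigAddr
# layout realm:address:port=trust-level:queue is an assumption inferred from the documented
# sample; the address group is lazy so an IPv6 address containing colons still parses.
DEMOTION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+ sipd\[[0-9a-f]+\] WARNING "
    r"SigAddr\[(?P<realm>[^:\]]+):(?P<ip>\S+?):(?P<port>\d+)=(?P<trust>[^:\]]+):(?P<queue>[^\]]+)\] "
    r"ttl=(?P<ttl>\d+) guard=(?P<guard>\d+) exp=(?P<exp>\d+) "
    r"Demoted to Black-List \((?P<reason>[^)]+)\)$"
)
# The three reason strings the documentation lists for demotion to the denied queue.
KNOWN_REASONS = {"Too many errors", "Too many messages",
                 "Too many admission control failures"}

def parse_demotion(line):
    """Return the demotion fields as a dict, or None if the line is not a demotion warning."""
    m = DEMOTION_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("port", "ttl", "guard", "exp"):
        rec[key] = int(rec[key])
    # Flag reason strings outside the documented set so an unexpected format gets noticed.
    rec["known_reason"] = rec["reason"] in KNOWN_REASONS
    return rec

def summarize(lines):
    """Count denied endpoints per (realm, reason), the rollup a SIEM dashboard would show."""
    counts = Counter()
    for line in lines:
        rec = parse_demotion(line)
        if rec is not None and rec["queue"] == "DENY":
            counts[(rec["realm"], rec["reason"])] += 1
    return counts

# Constructed sample: the first line is the documented example, the others are made up.
SAMPLE_LOG = [
    "Jan 15 12:22:48 172.30.60.12 ACMESYSTEM sipd[1c6e0b90] WARNING SigAddr[access:168.192.24.40:0=low:DENY] "
    "ttl=3632 guard=798 exp=30 Demoted to Black-List (Too many admission control failures)",
    "Jan 15 12:23:01 172.30.60.12 ACMESYSTEM sipd[1c6e0b90] WARNING SigAddr[access:192.0.2.77:5060=low:DENY] "
    "ttl=3600 guard=800 exp=30 Demoted to Black-List (Too many messages)",
    "Jan 15 12:23:05 172.30.60.12 ACMESYSTEM sipd[1c6e0b90] INFO unrelated message",
]

if __name__ == "__main__":
    for (realm, reason), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{realm}: {n} endpoint(s) denied ({reason})")
```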

Event Log Notification Demotion from Trusted to Untrusted

You can enable your Oracle® Enterprise Session Border Controller to provide event log notification (a syslog message) any time it demotes an endpoint from trusted to untrusted. The log message contains this data: IP address of the demoted endpoint, the endpoint’s configured trust level, and the reason for demotion. This feature is enabled with the syslog-on-demote-to-untrusted parameter in the media manager.

Endpoint Demotion Configuration

To configure the Oracle® Enterprise Session Border Controller to send traps and/or write syslog messages on endpoint demotion:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type media-manager and press Enter to access the media-level configuration elements.
    ORACLE(configure)# media-manager
    ORACLE(media-manager)#
  3. Type media-manager and press Enter.
    ORACLE(media-manager)# media-manager
    ORACLE(media-manager-config)#
  4. trap-on-demote-to-deny—Set this parameter to enabled for the Oracle® Enterprise Session Border Controller to send the apSysMgmtInetAddrWithReasonDOSTrap trap when applicable.
  5. syslog-on-demote-to-deny—Set this parameter to enabled for the Oracle® Enterprise Session Border Controller to write an endpoint demotion warning message to the syslog.
  6. syslog-on-demote-to-untrusted—Change this parameter from disabled (default) to enabled so that the Oracle® Enterprise Session Border Controller generates event notifications (syslog messages) when an endpoint becomes untrusted. For this capability to work, the IDS license must be installed on your system.
  7. trap-on-demote-to-untrusted—Set this parameter to enabled for the Oracle® Enterprise Session Border Controller to send the apSysMgmtInetAddrTrustedToUntrustedDOSTrap when the endpoint identified within the trap transitions from the trusted to untrusted state.
  8. Save your work.

Endpoint Demotion due to CAC overage

The Oracle® Enterprise Session Border Controller can demote endpoints from the trusted to the untrusted queue when call admission control (CAC) failures exceed a configured threshold. It can also demote endpoints from the untrusted to the denied queue when CAC failures exceed another configured threshold.

The Oracle® Enterprise Session Border Controller maintains CAC failures per endpoint. The CAC failure counter is incremented upon certain admission control failures only if at least one of cac-failure-threshold or untrust-cac-failure-threshold is non-zero.

The cac-failure-threshold parameter is available in the access-control and realm-config configuration elements. Exceeding this threshold demotes an endpoint from the trusted queue to the untrusted queue. The untrust-cac-failure-threshold parameter is also available in the access-control and realm-config configuration elements. Exceeding this threshold demotes an endpoint from the untrusted queue to the denied queue.

If both cac-failure-threshold and untrust-cac-failure-threshold are configured to 0, then admission control failures are counted as invalid signaling messages when determining whether the invalid-signal-threshold parameter value has been exceeded.
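As an added example, not part of the Oracle documentation, the following Python models the demotion logic described above, including the fallback to invalid-signal-threshold when both CAC thresholds are 0. It assumes that "exceeding" means strictly greater than the threshold, that a threshold of 0 disables only that demotion step, that the CAC failure counter is not reset on demotion, that an invalid-signal demotion moves the endpoint one queue down, and that all counting happens within a single time window.

```python
TRUSTED, UNTRUSTED, DENIED = "trusted", "untrusted", "denied"

class EndpointDemotion:
    """Tracks one endpoint's queue using the documented CAC thresholds.
    Assumptions not stated in the documentation: "exceeding" means strictly greater
    than a threshold, a threshold of 0 disables only that step, the CAC failure counter
    is not reset on demotion, an invalid-signal demotion moves the endpoint one queue
    down, and a single time window is modelled (counts never expire).
    """

    def __init__(self, cac_failure_threshold, untrust_cac_failure_threshold,
                 invalid_signal_threshold):
        self.cac_threshold = cac_failure_threshold
        self.untrust_cac_threshold = untrust_cac_failure_threshold
        self.invalid_signal_threshold = invalid_signal_threshold
        self.queue = TRUSTED
        self.cac_failures = 0
        self.invalid_signals = 0
        self.transitions = []  # (from_queue, to_queue, reason), as a trap or syslog reports it

    def _demote(self, to_queue, reason):
        self.transitions.append((self.queue, to_queue, reason))
        self.queue = to_queue

    def record_invalid_signal(self):
        """Invalid signaling message; demotes one step once invalid-signal-threshold is exceeded."""
        self.invalid_signals += 1
        if self.invalid_signal_threshold and self.invalid_signals > self.invalid_signal_threshold:
            if self.queue == TRUSTED:
                self._demote(UNTRUSTED, "Too many errors")
            elif self.queue == UNTRUSTED:
                self._demote(DENIED, "Too many errors")
        return self.queue

    def record_cac_failure(self):
        """Admission control failure: counted against the CAC thresholds, or as an invalid
        signaling message when both CAC thresholds are 0 (the documented fallback)."""
        if self.cac_threshold == 0 and self.untrust_cac_threshold == 0:
            return self.record_invalid_signal()
        self.cac_failures += 1
        if self.queue == TRUSTED and self.cac_threshold and self.cac_failures > self.cac_threshold:
            self._demote(UNTRUSTED, "Too many admission control failures")
        elif (self.queue == UNTRUSTED and self.untrust_cac_threshold
              and self.cac_failures > self.untrust_cac_threshold):
            self._demote(DENIED, "Too many admission control failures")
        return self.queue

if __name__ == "__main__":
    ep = EndpointDemotion(2, 4, 10)
    print([ep.record_cac_failure() for _ in range(5)])  # trusted, trusted, untrusted, untrusted, denied
```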

CAC Attributes used for Endpoint Demotion

The Oracle® Enterprise Session Border Controller determines CAC failures only by considering the calling endpoint's signaling messages as they traverse the calling realm's configuration. If an endpoint exceeds any of the following CAC limits, the Oracle® Enterprise Session Border Controller demotes the endpoint, provided that the CAC failure thresholds are enabled.

  1. sip-interface user CAC sessions (realm-config, user-cac-sessions)
  2. sip-interface user CAC bandwidth (realm-config, user-cac-bandwidth)
  3. External policy server rejects a session

Authentication Failures used for Endpoint Demotion

An endpoint attempting authentication is demoted when the Oracle® Enterprise Session Border Controller receives a 401 or 407 response from the registrar under either of the following conditions:

  • the endpoint fails to authenticate with the Oracle® Enterprise Session Border Controller using SIP HTTP digest authentication
  • the endpoint fails to authenticate with the Oracle® Enterprise Session Border Controller using an INVITE message when registration-caching is disabled

Endpoint Demotion Configuration on CAC Failures

To configure endpoint demotion on CAC failures:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
    ORACLE(configure)#
  2. Type session-router and press Enter.
    ORACLE(configure)# session-router
    ORACLE(session-router)#
  3. Type access-control and press Enter.
    ORACLE(session-router)# access-control
    ORACLE(access-control)#

    If you are adding this feature to an existing configuration, then you will need to select the configuration you want to edit.

  4. cac-failure-threshold—Enter the number of CAC failures for any single endpoint that will demote it from the trusted queue to the untrusted queue.
  5. untrust-cac-failure-threshold—Enter the number of CAC failures for any single endpoint that will demote it from the untrusted queue to the denied queue.
  6. Save your work.