Security_Countermeasure_Config Table

This table is used to configure the supported countermeasures. The following options let you customize the behavior of each countermeasure.

Table 7-2 Security_Countermeasure_Config Fields

Field Description
Countermeasure Type

CounterMeasure_Type lists the countermeasure names (each suffixed with its short name).
Admin Status

Admin_Status defines the current Admin State of the countermeasure. The countermeasure business logic is executed only if Admin_Status is configured as Enable. If Admin_Status is configured as Disable, the countermeasure business logic is not executed.
Operating Mode

Defines the action taken if a message is found to be vulnerable by the countermeasure.

If the Operating_Mode is configured as Detection_Only, then the countermeasure works in monitoring mode. The vulnerable message is only reported to the user. DSA further processes the message (depending on the Continue If Vulnerable configuration) by executing the next available countermeasure.

If the Operating_Mode is configured as Detection_And_Correction_By_Drop, then the vulnerable Diameter message is rejected at DSR and is not processed or relayed any further.

If the Operating_Mode is configured as Detection_And_Correction_By_Send_Answer, then the vulnerable Diameter message is discarded by DSR, which sends an Error Answer, and is not processed or relayed any further.
Result Code

Result_Code defines the Result Code that is added to the DSA-generated Error Answer message when the Operating_Mode is configured as Detection_And_Correction_By_Send_Answer and the message is found to be vulnerable by the countermeasure.
Error Message

Defines the error text added to the DSA-generated Error Answer message when the Operating_Mode is configured as Detection_And_Correction_By_Send_Answer and the message is found to be vulnerable by the countermeasure.

If Error_Message is configured, the Error-Message AVP is added with the specified error text; otherwise, no Error-Message AVP is added.
Vendor ID

Indicates whether the configured Result_Code is added to the Result-Code AVP or to the Experimental-Result AVP.

If Vendor_ID is configured, then the Result_Code is added to the Experimental-Result AVP with the configured Vendor_ID; otherwise, the Result_Code is added to the Result-Code AVP.
Continue If Vulnerable

Defines whether a message that is found to be vulnerable while the Operating_Mode is Detection_Only is processed further by the remaining countermeasures.

If Continue_If_Vulnerable is configured as Yes, then the vulnerable message is processed by the remaining countermeasures to check for further vulnerabilities.

If Continue_If_Vulnerable is configured as No, then the vulnerable message is not processed further by DSA.
Foreign WL Peer Cfg Set

Foreign_WL_Peer_Cfg_Set defines the Foreign Whitelist Peer Configuration Set name (configured in the Foreign_WL_Peers_Cfg_Sets Table). This configuration lists the foreign peers for which the countermeasure is executed to check for vulnerability.

Note:

Upon enabling a new countermeasure, ensure that the associated configuration table is configured properly for the countermeasure to take effect. Any misconfiguration will lead to the countermeasure not working properly.

For both stateless and stateful countermeasures, Oracle recommends setting the Operating Mode parameter in the Security_Countermeasure_Config table as Detection_Only first to analyze and validate the configurations. This helps avoid traffic loss due to misconfiguration. Once configuration is validated, the Operating Mode parameter in the Security_Countermeasure_Config table can be changed as desired.

For stateful countermeasures, Oracle recommends setting the Operating Mode parameter in the Security_Countermeasure_Config table as Detection_Only for at least the first 24 hours. This allows the security application to learn about any subscribers who are already roaming in partner networks without impacting their service. The operating mode can be changed to Detection and Correction after that period, if desired by the operator.
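
The decision flow that Table 7-2 describes, modeled in Python as an added example (not Oracle DSR/DSA code). Evaluation in list order, the dict row layout, the peer name, and the reading that a Detection_Only hit with Continue_If_Vulnerable set to No ends checking without rejecting the message are assumptions.

```python
# Added illustration of the Table 7-2 behaviour; not Oracle DSR/DSA code.
# Assumed: rows are evaluated in list order; dict keys mirror the field names.
SEND_ANSWER = "Detection_And_Correction_By_Send_Answer"

def build_error_answer(cm):
    """AVPs of the Error Answer, from Result_Code, Vendor_ID and Error_Message."""
    if cm.get("Vendor_ID") is not None:
        avps = {"Experimental-Result": {"Vendor-Id": cm["Vendor_ID"],
                                        "Experimental-Result-Code": cm["Result_Code"]}}
    else:
        avps = {"Result-Code": cm["Result_Code"]}
    if cm.get("Error_Message"):
        avps["Error-Message"] = cm["Error_Message"]
    return avps

def process_message(ingress_peer, rows, peer_sets, flagged_by):
    """Return (outcome, answer_avps, reported) for one Diameter message.
    flagged_by: countermeasure types whose check finds the message vulnerable
    (a stand-in for the real check logic)."""
    reported = []
    for cm in rows:
        if cm["Admin_Status"] != "Enable":
            continue    # business logic is not executed
        if ingress_peer not in peer_sets.get(cm["Foreign_WL_Peer_Cfg_Set"], ()):
            continue    # executed only for peers in the configured set
        if cm["countermeasure_Type"] not in flagged_by:
            continue    # message passed this check
        reported.append(cm["countermeasure_Type"])
        if cm["Operating_Mode"] == "Detection_And_Correction_By_Drop":
            return "dropped", None, reported
        if cm["Operating_Mode"] == SEND_ANSWER:
            return "answered", build_error_answer(cm), reported
        if cm["Continue_If_Vulnerable"] != "Yes":    # Detection_Only: report only
            break    # assumed: checking stops, the message is not rejected
    return "relayed", None, reported

# Constructed sample configuration; peer name and values are made up.
PEER_SETS = {"RoamingPartners": {"mme1.partner.example"}}
APPCMD = "Application_ID_and_Command_Code_consistency_check_AppCmdCst"
REALMWL = "Origin_Realm_and_Destination_Realm_whitelist_screening_RealmWLScr"
SPECAVP = "Specific_AVP_screening_SpecAVPScr"
def row(ctype, mode, cont="No", **extra):
    return {"countermeasure_Type": ctype, "Admin_Status": "Enable",
            "Operating_Mode": mode, "Continue_If_Vulnerable": cont,
            "Foreign_WL_Peer_Cfg_Set": "RoamingPartners", **extra}

ROWS = [row(APPCMD, "Detection_Only", cont="Yes"),
        row(REALMWL, "Detection_Only", cont="No"),
        row(SPECAVP, SEND_ANSWER, Result_Code=5012, Error_Message="Rejected by screening")]
```

Under these assumptions, a Detection_Only row with Continue_If_Vulnerable set to No that sits ahead of an enforcing row ends the chain, so a message it flags never reaches the later Drop or Send_Answer countermeasure.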

Table 7-3 Field Details for Security_Countermeasure_Config

Field Name Unique Mandatory Data type, Range, and Default Value Description
countermeasure_Type
Unique: Yes
Mandatory: Yes
Data type: Enumerated
Range:
Application_ID_and_Command_Code_consistency_check_AppCmdCst: 1
Origin_Realm_and_Destination_Realm_whitelist_screening_RealmWLScr: 2
Subscriber_Identity_validation_SubsIdenValid: 3
Specific_AVP_screening_SpecAVPScr: 4
Origin_host_and_Origin_Realm_consistency_check_OhOrCstChk: 5
Visited_PLMN_ID_and_Origin_Realm_consistency_check_VplmnORCst: 6
Realm_and_IMSI_consistency_check_RealmIMSICst: 7
Destination_Realm_and_Origin_Realm_match_check_DrOrMatch: 8
AVP_Multiple_Instance_check_AVPInstChk: 9
Application_Id_whitelist_screening_AppIdWL: 10
Previous_Location_Check_PreLocChk: 11
Time_Distance_Check_TimeDistChk: 12
Source_Host_validation_MME_SrcHostValMme: 13
Message_rate_monitoring_MsgRateMon: 14
Source_Host_validation_HSS_SrcHostValHss: 15
Session_Integrity_Validation_Check_SesIntValChk: 16
Default: N/A
Description: List of the supported countermeasures.

Admin_Status
Unique: No
Mandatory: Yes
Data type: Enumerated
Range:
Disable: 1
Enable: 2
Default: Disable
Description: Countermeasure's Admin Status. If enabled, the countermeasure is applied to the message; otherwise, it is skipped.

Operating_Mode
Unique: No
Mandatory: Yes
Data type: Enumerated
Range:
Detection_Only: 1
Detection_And_Correction_By_Drop: 2
Detection_And_Correction_By_Send_Answer: 3
Default: Detection_Only
Description: Countermeasure's Mode of Operation. Detection_Only: Monitor Diameter Traffic and report Diameter Vulnerabilities. Detection_And_Correction_By_Drop: Drop messages if vulnerable. Detection_And_Correction_By_Send_Answer: Send Answer if vulnerable.

Result_Code
Unique: No
Mandatory: No
Data type: Integer
Range: 1000–5999
Default: N/A
Description: This configuration is applicable when the countermeasure's Operating_Mode is set to Detection_And_Correction_By_Send_Answer. This value is used to set the Result-Code AVP of the Answer Message.

Error_Message
Unique: No
Mandatory: No
Data type: UTF8String
Range: 1–64 characters
Default: N/A
Description: This configuration is applicable when the countermeasure's Operating_Mode is set to Detection_And_Correction_By_Send_Answer. If specified, the Error-Message AVP with the specified text is added to the Answer Message.

Vendor_ID
Unique: No
Mandatory: No
Data type: Integer
Range: 1–4294967295
Default: N/A
Description: This configuration is applicable when the Operating_Mode is set to Detection_And_Correction_By_Send_Answer. If the value is specified, the Answer Message contains the Experimental-Result grouped AVP with the specified Vendor-ID.

Continue_If_Vulnerable
Unique: No
Mandatory: Yes
Data type: Enumerated
Range:
No: 1
Yes: 2
Default: No
Description: This configuration is applicable when the Operating_Mode is set to Detection_Only. Specifies whether subsequent countermeasures are executed for the same Diameter Message after it has been tagged as vulnerable by this countermeasure.

Foreign_WL_Peer_Cfg_Set
Unique: No
Mandatory: Yes
Data type: UTF8String
Range: 1–64 characters
Default: N/A
Description: The Whitelist Foreign Peer configuration set name (configured in the Foreign_WL_Peers_Cfg_Sets Table) applicable for this countermeasure.
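
A pre-flight check of one row against the constraints in Table 7-3, added here as an example (not Oracle tooling). The dict-based row format, the sample values and the warning about a missing Result_Code are assumptions; the page does not say what DSR does when Send_Answer is configured without a Result_Code.

```python
# Added example: pre-flight lint of one Security_Countermeasure_Config row
# against Table 7-3. Not Oracle tooling; the dict row format is an assumption.
SEND_ANSWER = "Detection_And_Correction_By_Send_Answer"
ENUMS = {
    "Admin_Status": {"Disable", "Enable"},
    "Operating_Mode": {"Detection_Only", "Detection_And_Correction_By_Drop", SEND_ANSWER},
    "Continue_If_Vulnerable": {"No", "Yes"},
}
DEFAULTS = {"Admin_Status": "Disable", "Operating_Mode": "Detection_Only",
            "Continue_If_Vulnerable": "No"}
INT_RANGES = {"Result_Code": (1000, 5999), "Vendor_ID": (1, 4294967295)}
STR_FIELDS = ("Error_Message", "Foreign_WL_Peer_Cfg_Set")   # 1-64 characters

def lint_row(row):
    """Return (errors, warnings): errors violate Table 7-3, warnings flag
    settings that do not apply in the configured Operating_Mode."""
    cfg = {**DEFAULTS, **{k: v for k, v in row.items() if v is not None}}
    errors, warnings = [], []
    for name in ("countermeasure_Type", "Foreign_WL_Peer_Cfg_Set"):
        if name not in cfg:
            errors.append(f"{name}: mandatory, no default")
    for name, allowed in ENUMS.items():
        if cfg[name] not in allowed:
            errors.append(f"{name}: {cfg[name]!r} not in {sorted(allowed)}")
    for name, (lo, hi) in INT_RANGES.items():
        if name in cfg and not (isinstance(cfg[name], int) and lo <= cfg[name] <= hi):
            errors.append(f"{name}: must be an integer in {lo}-{hi}")
    for name in STR_FIELDS:
        if name in cfg and not (isinstance(cfg[name], str) and 1 <= len(cfg[name]) <= 64):
            errors.append(f"{name}: must be 1-64 characters")
    mode = cfg["Operating_Mode"]
    for name in ("Result_Code", "Error_Message", "Vendor_ID"):
        if name in cfg and mode != SEND_ANSWER:
            warnings.append(f"{name}: only applies when Operating_Mode is {SEND_ANSWER}")
    if mode == SEND_ANSWER and "Result_Code" not in cfg:   # lint choice, not a DSR rule
        warnings.append("Result_Code: not set although an Error Answer will be generated")
    if cfg["Continue_If_Vulnerable"] == "Yes" and mode != "Detection_Only":
        warnings.append("Continue_If_Vulnerable: only applies in Detection_Only")
    return errors, warnings

# Constructed sample row: a Drop-mode row carrying Send_Answer-only settings.
SAMPLE = {"countermeasure_Type": "Specific_AVP_screening_SpecAVPScr",
          "Admin_Status": "Enable", "Operating_Mode": "Detection_And_Correction_By_Drop",
          "Result_Code": 6000, "Error_Message": "blocked", "Continue_If_Vulnerable": "Yes",
          "Foreign_WL_Peer_Cfg_Set": "RoamingPartners"}
```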