7.3.3 System_Config_Options Table
This table is used to configure various options that customize countermeasure behavior.
Table 7-6 System_Config_Options Fields
Field | Description |
---|---|
MCC or VPLMN-ID | Indicates whether the source and destination node IDs configured in the TimeDistChk_Country_Config Table are MCCs or VPLMN-IDs. If MCC_Or_VPLMNID is configured as MCC_Based, then the source and destination node IDs are treated as MCC values. If MCC_Or_VPLMNID is configured as VPLMNID_Based, then the source and destination node IDs are treated as VPLMN-ID values. |
Vulnerable If Time Distance entry Not Configured | Defines the behavior when no matching source and destination node ID is configured while executing business logic. If Vulnerable_If_TimeNotConfigured is configured as Yes, then the message is considered vulnerable when no matching source and destination node is configured. If Vulnerable_If_TimeNotConfigured is configured as No, then the message is not considered vulnerable when no matching source and destination node is configured. The message is processed further by other countermeasures (if provisioned). |
Ingress Message Validation For Origin-Realm Screening | Defines whether the Origin-Realm AVP of the ingress Diameter message is screened for vulnerability by Origin Realm and Destination Realm Whitelist Screening (RealmWLScr). If Ingress_Msg_Chk_For_OR_Scr is configured as Yes, then the Origin-Realm AVP of the ingress Diameter message is checked for vulnerability. If Ingress_Msg_Chk_For_OR_Scr is configured as No, then the Origin-Realm AVP of the ingress Diameter message is not checked for vulnerability. |
Ingress Message Validation For Destination-Realm Screening | Defines whether the Destination-Realm AVP of the ingress Diameter message is screened for vulnerability by Origin Realm and Destination Realm Whitelist Screening (RealmWLScr). If Ingress_Msg_Chk_For_DR_Scr is configured as Yes, then the Destination-Realm AVP of the ingress Diameter message is checked for vulnerability. If Ingress_Msg_Chk_For_DR_Scr is configured as No, then the Destination-Realm AVP of the ingress Diameter message is not checked for vulnerability. |
Egress Message Validation For Destination-Realm Screening | Defines whether the Destination-Realm AVP of the egress Diameter message is screened for vulnerability by Origin Realm and Destination Realm Whitelist Screening (RealmWLScr). If Egress_Msg_Chk_For_DR_Scr is configured as Yes, then the Destination-Realm AVP of the egress Diameter message is checked for vulnerability. If Egress_Msg_Chk_For_DR_Scr is configured as No, then the Destination-Realm AVP of the egress Diameter message is not checked for vulnerability. |
Exception Realms For OhOrCstChk | Exception_Realms_For_OhOrCstChk holds the list of Whitelist Realms. If one of these realms is received as the Origin-Realm in the ingress Diameter message, then the message is not screened for vulnerability by the Origin Host and Origin Realm Consistency Check (OhOrCstChk) countermeasure. |
Error Action if UDR Failure | Defines the action performed if a UDR failure occurs while executing the business logic of a Stateful countermeasure. If Error_Action_for_UDR_Failure is configured as Continue_Processing, then the message is treated as non-vulnerable by the countermeasure under process and is passed to the next countermeasure (if provisioned) to process further. If Error_Action_for_UDR_Failure is configured as Drop, then the message is discarded at DSR and is not processed/relayed any further. |
Error Action if countermeasure’s business logic execution failure | Defines the action performed if any logical error occurs while executing the countermeasure’s business logic. If Error_Action_for_CmExec_Failure is configured as Continue_Processing, then the message is treated as non-vulnerable by the countermeasure under process and is passed to the next countermeasure (if provisioned) to process further. If Error_Action_for_CmExec_Failure is configured as Drop, then the message is discarded at DSR and is not processed/relayed any further. |
Enable Tracing | Defines DSA tracing status. If Enable_Tracing is configured as Yes, then vulnerable message details are added to the DSA log file. If Enable_Tracing is configured as No, then vulnerable message details are not added to the DSA log file. |
Process_Foreign_RSR_Msg | If checked, the DSA Application will process the ingress RSR message from a foreign node. If not checked, the DSA Application will ignore the ingress RSR message from a foreign node. |
TDC_Chk_For_First_ULR_AIR_Msg | If checked, the DSA Application will screen the first ULR/AIR message for vulnerability by the Time Distance Check Countermeasure. |
Error_Action_For_CASM_Failure | Defines the action performed if a CreateAndSendMsg request failure occurs while executing the business logic of a Stateful countermeasure. If Error_Action_for_CASM_Failure is configured as Continue_Processing, then the message is treated as non-vulnerable by the countermeasure under process and is passed to the next countermeasure (if provisioned) to process further. If Error_Action_for_UDR_Failure is configured as Drop, then the message is discarded at DSR and is not processed/relayed any further. |
Avg_Flight_Velocity | Defines the average flight speed considered when calculating the distance between two points using latitude and longitude for the Time Distance Check CM. [Velocity in km]. |
TDC_Chk_For_Neighbour_Country | To decide whether the Time Distance Check CM should be exempted for neighboring countries. |
Max_Tuple_For_SrcHostValHss | (Bug#30133341) Defines the maximum number of tuples to be stored in the UDR DB for the Source Host Validation HSS CM for each subscriber. When either 'Maximum Size of Application State' or 'Max_Tuple_For_SrcHostValHss' reaches its limit, the oldest tuple in the UDR State Data is popped off to store the latest tuple. |
CounterMeasure_Exception_Chk | To decide whether to enable or disable the Security Exception function for the countermeasure. |
MCCMNC_AVP | To decide from which AVP the MCCMNC value is to be fetched for the Session Integrity Validation Check [SesIntValChk] countermeasure. |
This table describes the field details for the System_Config_Options Table.
Note:
While the failure of a UDR is rare, loss of connectivity to a remote UDR can sometimes occur due to network fluctuations. Loss of connectivity is also treated by the DSA as a UDR failure, and it is therefore desirable to set the value for the Error Action if UDR Failure parameter (in the System_Config_Options table) as Continue Processing. This ensures the requests are not dropped and roaming subscribers continue to receive service. In the rare case of a UDR failure that results in loss of a significant amount of data in the database, Oracle recommends switching the Operating mode for any enabled stateful countermeasures (in the Security_Countermeasure_Config table) to Detection_Only for 24 hours. The setting can be reverted to its original setting after 24 hours.
Table 7-7 Field Details for System_Config_Options
Field Name | Unique | Mandatory | Data Type, Range, and Default Value | Description |
---|---|---|---|---|
MCC_Or_VPLMNID | Yes | Yes | Enumerated. Range: MCC_Based: 1, VPLMNID_Based: 2. Default: MCC_Based | To check the mode of configuration for TimeDistChk_Config Table. MCC_Based: Source and Destination ID configuration is MCC based. VPLMNID_Based: Source and Destination ID configuration is VPLMNID based. |
Vulnerable_If_TimeNotConfigured | N/A | N/A | Boolean. Range: Yes/No. Default: No | To decide whether to mark the message as vulnerable by the countermeasure if no matching Source and Destination ID is configured in TimeDistChk_Config Table. Yes: Mark vulnerable. No: Ignore the message. |
Ingress_Msg_Chk_For_OR_Scr | N/A | N/A | Boolean. Range: Yes/No. Default: Yes | To decide whether to screen Origin-Realm for ingress Diameter Request messages for vulnerability by Origin Realm and Destination Realm Whitelist Screening (RealmWLScr). Yes: Check for vulnerability. No: Do not check for vulnerability. |
Ingress_Msg_Chk_For_DR_Scr | N/A | N/A | Boolean. Range: Yes/No. Default: Yes | To decide whether to screen Destination-Realm for ingress Diameter Request messages for vulnerability by Origin Realm and Destination Realm Whitelist Screening (RealmWLScr). Yes: Check for vulnerability. No: Do not check for vulnerability. |
Egress_Msg_Chk_For_DR_Scr | N/A | N/A | Boolean. Range: Yes/No. Default: No | To decide whether to screen Destination-Realm for egress Diameter Request messages for vulnerability by Origin Realm and Destination Realm Whitelist Screening (RealmWLScr). Yes: Check for vulnerability. No: Do not check for vulnerability. |
Exception_Realms_For_OhOrCstChk | Yes | No | UTF8String. Range: 1–2048 characters. Default: N/A | List of Whitelist Realms (in valid format), separated by semicolon “;”, for which Origin Host and Origin Realm consistency is not checked. |
Error_Action_for_UDR_Failure | Yes | Yes | Enumerated. Range: Continue_Processing: 1, Drop: 2. Default: Continue_Processing | Error action performed if UDR failure occurs. Continue_Processing: The message is treated as non-vulnerable and is processed further. Drop: The message is treated as vulnerable and is dropped. |
Error_Action_for_CmExec_Failure | Yes | Yes | Enumerated. Range: Continue_Processing: 1, Drop: 2. Default: Continue_Processing | Error action performed if countermeasure execution failed. Continue_Processing: The message is treated as non-vulnerable and is processed further. Drop: The message is treated as vulnerable and is dropped. |
Enable_Tracing | N/A | N/A | Boolean. Range: Yes/No. Default: No | Log the message details if found vulnerable by a countermeasure. Yes: Log the message details. No: Do not log the message details. |
Process_Foreign_RSR_Msg | N/A | N/A | Boolean. Range: Yes/No. Default: No | To decide whether to process an RSR message received from a Foreign Network. Yes: Process RSR message. No: Don't process RSR message. |
TDC_Chk_For_First_ULR_AIR_Msg | N/A | N/A | Boolean. Range: Yes/No. Default: No | To decide whether to screen the first ULR/AIR for vulnerability by Time Distance Check CM. Yes: Check first ULR/AIR for vulnerability. |
Error_Action_For_CASM_Failure | Yes | Yes | Enumerated. Range: Continue_Processing: 1, Drop: 2. Default: Continue_Processing | Error action performed when CreateAndSendMsg (CASM) fails. Continue_Processing: The message is treated as non-vulnerable and is processed further. Drop: The message is treated as vulnerable and is dropped. |
TDC_Chk_For_Continent | N/A | N/A | Boolean. Range: Yes/No. Default: Yes | To decide whether to screen ULR/AIR messages for Continent check by Time Distance Check CM. Yes: Apply Continent check on AIR/ULR message for vulnerability. No: Don't apply Continent check on AIR/ULR message for vulnerability. |
MCCMNC_AVP | N/A | N/A | Enumerated. Range: 3GPP_SGSN_MCC_MNC: 1, 3GPP_User_Location_Info: 2 | To decide from which AVP the MCCMNC value is to be fetched for the Session Integrity Validation Check [SesIntValChk] countermeasure. |
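
The error-action and fallback options in Tables 7-6 and 7-7, modelled as an added example (not Oracle DSA code): it shows how Continue_Processing passes a message on to the next countermeasure while Drop discards it, and how Vulnerable_If_TimeNotConfigured decides an unconfigured node pair. The option names, values and defaults come from Table 7-7; the failure classes, message keys, sample time table, realm whitelist and the logic inside each check are assumptions made for illustration.

```python
# Added illustration: a simplified model of the Table 7-7 semantics, not Oracle DSA code.
class UdrFailure(Exception): pass
class CmExecFailure(Exception): pass
class CasmFailure(Exception): pass

# Failure type -> System_Config_Options field that selects the error action.
ERROR_ACTION_FIELD = {
    UdrFailure: "Error_Action_for_UDR_Failure",
    CmExecFailure: "Error_Action_for_CmExec_Failure",
    CasmFailure: "Error_Action_For_CASM_Failure",
}
# Defaults as listed in Table 7-7.
DEFAULTS = {f: "Continue_Processing" for f in ERROR_ACTION_FIELD.values()}
DEFAULTS.update(Vulnerable_If_TimeNotConfigured="No", Ingress_Msg_Chk_For_OR_Scr="Yes")

# Constructed sample data (assumptions): minimum minutes between MCC pairs, realm whitelist.
TIME_TABLE = {("310", "404"): 600}
REALM_WHITELIST = {"epc.mnc001.mcc310.3gppnetwork.org"}

def time_dist_chk(msg, cfg):
    """Stateful check (hypothetical logic): needs the UDR and a configured node pair."""
    if msg.get("udr_down"):
        raise UdrFailure("no connectivity to UDR")
    pair = (msg["prev_mcc"], msg["curr_mcc"])
    if pair not in TIME_TABLE:
        return cfg["Vulnerable_If_TimeNotConfigured"] == "Yes"
    return msg["elapsed_min"] < TIME_TABLE[pair]

def realm_wl_scr(msg, cfg):
    """Stateless check (hypothetical logic): screens Origin-Realm only when enabled."""
    if cfg["Ingress_Msg_Chk_For_OR_Scr"] != "Yes":
        return False
    return msg["origin_realm"] not in REALM_WHITELIST

CHAIN = [("TimeDistChk", time_dist_chk), ("RealmWLScr", realm_wl_scr)]

def screen(msg, cfg=DEFAULTS, chain=CHAIN):
    """Run countermeasures in order; return (verdict, name of deciding countermeasure)."""
    for name, cm in chain:
        try:
            vulnerable = cm(msg, cfg)
        except tuple(ERROR_ACTION_FIELD) as exc:
            if cfg[ERROR_ACTION_FIELD[type(exc)]] == "Drop":
                return ("dropped", name)   # discarded at DSR, no further processing
            continue                       # treated as non-vulnerable by this countermeasure
        if vulnerable:
            return ("vulnerable", name)
    return ("forwarded", None)
```

With the default Continue_Processing, a UDR outage skips only the stateful check, so a later stateless countermeasure can still flag the same message.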