2.3.8 Security
Oracle addresses Product Security with a comprehensive strategy that covers the design, deployment, and support phases of the product life-cycle. Drawing from industry standards and security references, Oracle hardens the platform and application to minimize security risks. Security hardening includes minimizing the attack surface by removing or disabling unnecessary software modules and processes, restricting port usage, consistent use of secure protocols, and enforcement of strong authentication policies. Vulnerability management ensures that new application releases include recent security updates. In addition, a continuous tracking and assessment process identifies emerging vulnerabilities that may impact fielded systems. Security updates are delivered to the field as fully tested Maintenance Releases.
Networking topologies separate signaling traffic from administrative traffic to provide additional security. Firewalls can be established at each server with iptables rules to implement White List and/or Black List access control. The DSR supports transporting Diameter messages over IPSec, thereby ensuring the confidentiality and integrity of Diameter messages traversing the DSR.
Oracle realizes the importance of having distinct interfaces at the Network-Network Interface layer. To maintain the separation of traffic between internal and external Diameter elements, the DSR supports separate network interfaces for internal and external traffic. The routing tables in the DSR support the implementation of a Diameter Access Control List, which makes it possible to reject requests arriving from certain origin-hosts or origin-realms, or carrying certain command codes.
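To make the Diameter Access Control List concrete, the following added example (illustrative code, not the DSR's own implementation) parses the RFC 6733 message header and the Origin-Host and Origin-Realm AVPs of a raw message and applies a deny-list keyed on origin-host, origin-realm and command code, rejecting anything that does not parse cleanly. The ACL contents, hostnames and messages are constructed for the example.

```python
import struct
ORIGIN_HOST, ORIGIN_REALM = 264, 296  # standard AVP codes from RFC 6733
# Constructed deny-list with hypothetical values, not a DSR configuration
SAMPLE_ACL = {"origin_hosts": {"rogue.example.net"},
              "origin_realms": {"untrusted.example"}, "command_codes": {275}}

def build_avp(code, data, flags=0x40):
    # AVP header (no vendor id); the length field excludes the 4-byte padding
    return (struct.pack("!IB", code, flags) + (8 + len(data)).to_bytes(3, "big")
            + data + b"\x00" * (-len(data) % 4))

def build_message(command_code, avps, app_id=0, flags=0x80):
    # 20-byte Diameter header (version 1) followed by the AVPs
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command_code.to_bytes(3, "big")
            + struct.pack("!III", app_id, 1, 1) + body)  # app id, hop-by-hop, end-to-end ids

def parse_message(raw):
    """Return (command_code, {avp_code: data}); raise ValueError on bad framing."""
    if len(raw) < 20 or raw[0] != 1 or int.from_bytes(raw[1:4], "big") != len(raw):
        raise ValueError("bad header or length")
    avps, pos = {}, 20
    while pos < len(raw):
        if pos + 8 > len(raw):
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack("!IB", raw[pos:pos + 5])
        alen = int.from_bytes(raw[pos + 5:pos + 8], "big")
        hdr = 12 if aflags & 0x80 else 8  # V flag adds a 4-byte vendor id
        if alen < hdr or pos + alen > len(raw):
            raise ValueError("bad AVP length")
        avps[code] = raw[pos + hdr:pos + alen]
        pos += alen + (-alen % 4)  # step over padding
    return int.from_bytes(raw[5:8], "big"), avps

def acl_decision(raw, acl):
    """Apply the deny-list to one message; returns (allowed, reason)."""
    try:
        command_code, avps = parse_message(raw)
    except ValueError as err:
        return False, f"malformed: {err}"  # never route what cannot be parsed
    host = avps.get(ORIGIN_HOST, b"").decode("ascii", "replace").lower()
    realm = avps.get(ORIGIN_REALM, b"").decode("ascii", "replace").lower()
    if command_code in acl["command_codes"]:
        return False, f"command code {command_code} denied"
    if host in acl["origin_hosts"]:
        return False, f"origin-host {host} denied"
    if realm in acl["origin_realms"]:
        return False, f"origin-realm {realm} denied"
    return True, "permitted"
```

DiameterIdentity values are compared case-insensitively here; a production filter would also want to log each rejection to the security log described later in this section.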
Oracle recommends that Layer 2 and Layer 3 ACLs be implemented at the Border Gateway. However, Professional Services available from the Oracle Consulting team can implement Layer 2 and Layer 3 ACLs at the aggregation switch which serves as the demarcation point or at the individual MPs that serve the Diameter traffic.
In addition to supporting security at the transport and network layers, Oracle’s solution provides Access Control Lists based on IP addresses to restrict user access to the database on IP interfaces used for querying the database. These interfaces support SSL.
DSR maintains a record of all system users’ interactions in its Security Logs. Security Logs are maintained on OAM servers. Each OAM server is capable of storing up to seven days’ worth of Security Logs. Log files can be exported to an external network device for long term storage. The security logs include:
- Successful logins
- Failed login attempts
- User actions (for example, configure a new OAM, initiate a backup, view alarm log).
Please see the Diameter Signaling Router (DSR) 8.6.0.0.0 Security Guide, available at Oracle.com.
IPSec
The DSR optionally supports IPSec encryption per Diameter connection or association. Use of IPSec reduces MPS throughput by up to 40%. IPSec is supported for SCTP over IPv6 connections. The DSR IPSec implementation is based on 3GPP TS 33.210 version 9.0.0 and supports the following:
- Encapsulating Security Payload (ESP).
- Internet Key Exchange (IKE) v1 and v2.
- Tunnel Mode (entire IP packet is encrypted and/or authenticated).
- Up to 100 tunnels.
- Encryption transforms/ciphers supported: ESP_3DES (default) and AES-CBC (128 bit key length).
- Authentication transform supported: ESP_HMAC_SHA-1.
- Configurable Security Policy Database with backup and restore capability.