7 Access Control Lists

Oracle® Communications Security Shield Cloud Service (Security Shield) Access Control Lists allow you to configure rules and enforcement actions for inbound and outbound calling numbers and called numbers.

Access Control Lists Controls and Actions

The Oracle® Communications Security Shield Cloud Service (Security Shield) Access Control Lists page displays lists of phone numbers and rules you create to control call traffic in and out of your telecommunications network. You can create lists for enterprise-wide control as well as for controlling calls to specific individuals or destinations.

The Access Control List page displays the system-generated All Rules List along with any lists you create in the left pane and the details of the lists in the right pane. The All Rules List is a summary view of all your access controlled phone numbers and rules.

When you add, edit, or delete rules on any of your user-created lists, the All Rules List updates accordingly. Likewise, when you add, edit, or delete a phone number on the All Rules List, Security Shield updates the user-created list that contains the rule and number. The Activity Log reports such changes.

Note:

You cannot rename or delete the All Rules List.

The following screen capture shows an example of the Access Control List page with the system-named All Rules List, and some user-created lists in the left pane and the details of the highlighted list in the right pane.

This screen capture shows the Access Control List landing page, as described in the preceding and following paragraphs.

Use the Add New ACL button to add an Access Control list. You can add up to ten lists. When you reach the limit, the system deactivates the Add New ACL button. Each user-created list displays the edit and delete icons when you hover over the list name. For new customers, the Access Control List interface displays only the All Rules List, which is empty until you add lists. For upgrading customers, the system imports your preexisting access control lists and populates the All Rules List with the numbers from the imported lists.

The right pane displays the Add Rule button for adding new rules to user-created lists. Each rule on a list displays the edit and delete icons.
  • When working with the All Rules List, the right pane displays the Search field and the Simulate Lookup button.
  • When working with a user-created list, the right pane displays the Search field but not the Simulate Lookup button.

Note:

You may find that Search on the All Rules List is especially useful when you don't know which access control list contains a number you want to find, because the search results identify the list.

When no user-created Access Control lists exist, for example, when you first install Security Shield or when you delete all your user-created lists, Security Shield displays the message shown in the following screen capture. (Click Add ACL List to add a list.)

This screen capture shows the message that the GUI displays when there are no user-created access lists. The message says: Set up lists to control call traffic in and out of your telecommunications network. The GUI also displays the Add button below the message.

When a user-created Access Control list contains no rules, for example, when you first create the list or when you delete all the rules on the list, Security Shield displays the message shown in the following screen capture. (Click Add ACL Rule to add a phone number.)

This screen capture shows the message that the GUI displays when the selected list contains no phone numbers. The message says: Set up rules to control traffic in and out of your telecommunications network. The GUI also displays the Add ACL Rule button below the message.

When you create access control lists, Security Shield reports their cumulative enforcement actions on the Access Control List Enforcement Actions tile on the Dashboard. The tile shows the total number of inbound and outbound enforcement actions taken and displays a pie chart with the percent of actions taken per enforcement type. When you hover over a section of the pie chart, the tile shows the action taken and the number of call actions for the type.

This screen capture shows the Access Control List Enforcement Actions tile on the Dashboard, as described in the preceding paragraph.

Security Shield processes Access Control Lists (ACL) independently from regular threat processing, and an action taken due to an ACL match overrides decisions made due to threat analysis. Calls that match an ACL rule are also fully analyzed for threat status. The threat status is reported as part of the Security Shield Dashboard statistics and is also available in the analytics reports environment. The system reports both the ACL status and the threat status of the call.

About Access Control Lists and Upgrades

When Oracle upgrades Oracle® Communications Security Shield Cloud Service (Security Shield), the system migrates your preexisting access control lists with their preexisting names and rules.

In the upgrade process, Security Shield migrates your preexisting numbers configured for inbound to the Calling Number list and numbers configured for outbound to the Called Number list.

Access Control List Enforcement Actions

When you create an access control list rule, you must specify the enforcement action that you want Oracle® Communications Security Shield Cloud Service (Security Shield) to apply.

You can choose from the following enforcement actions for an access control list rule.

Allow—Allows inbound calls, but evaluates the inbound call against Traffic Pumping, Spoofing, and Toll Fraud threat detection. Allow ignores the risk assessment and classifies the call as "Good". The Allow action does not evaluate the call against Fraud, Spam, and Call Center detection.

Block—Blocks calls from the selected calling and called numbers on the list from proceeding in the specified direction.

Exclude—Allows inbound calls while still evaluating against Traffic Pumping, Spoofing, and Toll Fraud threat detection. Exclude ignores the risk assessment and classifies excluded calls as "Good". The Exclude action does not evaluate against Fraud Risk, Spam Risk, and Call Center call detection.

Redirect—Sends inbound calls from the selected calling and called numbers on the list to the destination that you specify. For example, you can route specific numbers with a history of fraudulent activity associated with them, or that come from specific international destinations, to a security desk for additional screening. All calls to a specific phone number go to the same specified redirect destination because Security Shield does not support redirecting to multiple locations per phone number. You can specify a redirect number per inbound phone number.

Throttle—Limits the number of calls from the selected calling and called numbers on the list by allowing only the configured percentage of calls. For example, you might want to throttle international calls to limit such expensive calls beyond the threshold you set. You can configure the percentage of outbound calls to throttle for each number on the list through the Add Number and Edit Number Attributes dialogs. When Security Shield throttles a particular phone number, the system chooses the calls to block to that number in a random manner such that the overall percentage of calls allowed matches the configured percentage.

Note:

You might see some fluctuation where the actual value sometimes differs from the configured value.

Access Control List Number Sorting Behavior on Phone Number Searches

The following information explains how Oracle® Communications Security Shield Cloud Service (Security Shield) sorts phone numbers when you perform a phone number search on an access control list. Security Shield uses the longest matched pattern, whether from a regular entry or from a wild card entry, to return search results. A regular entry will return an exact match and the wild card entry will return the phone number with the fewest wild card characters.

The scenarios used for the explanation assume that the database contains two tables. One table contains regular phone numbers, which contain no wild card characters, and the other table contains phone numbers that contain wild card characters.

The following table contains the list of regular phone numbers used for the subsequent explanation in this topic.

Table 7-1 Regular Entries

ID   List ID   Phone Number   Action   Direction
1    101       9871562313     Allow    Inbound
3    101       +9871562313    Block    Inbound
5    101       1234567890     Block    Outbound
7    101       3276458901     Allow    Inbound
9    101       774436712      Block    Outbound

The following table contains the list of phone numbers with wild cards used for the subsequent explanation in this topic.

Table 7-2 Wild card Entries

ID   List ID   Phone Number   Action   Direction
2    101       98715623XX     Allow    Inbound
4    101       +9871XXXXXX    Block    Inbound
6    101       1XXXXXXXXX     Block    Outbound
8    101       8373XXXXXX     Allow    Inbound
10   101       77442671X      Allow    Outbound
12   101       12XXXXXXXX     Allow    Outbound
14   101       123XXXXXXX     Block    Outbound
16   101       1234XXXXXX     Allow    Outbound
18   101       12345XXXXX     Block    Outbound
20   101       123456XXXX     Allow    Outbound
22   101       1234567XXX     Block    Outbound
24   101       12345678XX     Allow    Outbound
26   101       123456789X     Block    Outbound
28   101       123456782X     Block    Inbound

Longest Match Scenarios

The following scenarios explain how the Security Shield bases its search results on the longest pattern match.
  • Regular Entries—Assume that Security Shield receives a lookup request for 1234567890, which is an Outbound call. Our example database includes ten numbers that match this pattern. The first match is a direct match, which is the regular entry ID 5. Other matches come from the wild card table with IDs 6, 12, 14, 16, 18, 20, 22, 24 and 26, as X can represent any number from 0-9. Because the regular entry 1234567890 is a direct match, Security Shield discards other entries and displays only 1234567890 as the response.
  • Wild card Entries—Assume that Security Shield receives a lookup request for 1234567891. The Regular Entries table contains no matching number, but the Wild card Entries table contains potential matches in IDs 6, 12, 14, 16, 18, 20, 22, 24 and 26. Security Shield seeks the longest match among those IDs, which comes from the wild card pattern with the fewest wild card characters (X). ID 26 satisfies the criteria and Security Shield displays 123456789X as the response.
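The two scenarios above can be reproduced with a short script over the rows of Table 7-1 and Table 7-2. This is an added example, not Oracle code; it assumes that only entries with the same call direction are candidates, that a leading + is compared literally, and that each X stands for exactly one digit. The names Entry, matches, candidates and lookup are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    id: int
    list_id: int
    pattern: str    # digits, optional leading "+", optional trailing X wild cards
    action: str
    direction: str


# Rows copied from Table 7-1 (regular) and Table 7-2 (wild card) on this page.
_ROWS = """
1 9871562313 Allow Inbound
3 +9871562313 Block Inbound
5 1234567890 Block Outbound
7 3276458901 Allow Inbound
9 774436712 Block Outbound
2 98715623XX Allow Inbound
4 +9871XXXXXX Block Inbound
6 1XXXXXXXXX Block Outbound
8 8373XXXXXX Allow Inbound
10 77442671X Allow Outbound
12 12XXXXXXXX Allow Outbound
14 123XXXXXXX Block Outbound
16 1234XXXXXX Allow Outbound
18 12345XXXXX Block Outbound
20 123456XXXX Allow Outbound
22 1234567XXX Block Outbound
24 12345678XX Allow Outbound
26 123456789X Block Outbound
28 123456782X Block Inbound
"""
ENTRIES = [Entry(int(i), 101, p, a, d)
           for i, p, a, d in (row.split() for row in _ROWS.strip().splitlines())]


def wildcard_count(pattern: str) -> int:
    """Number of trailing X/x characters; 0 for a regular entry."""
    return len(pattern) - len(pattern.rstrip("Xx"))


def matches(pattern: str, number: str) -> bool:
    """Literal prefix must match; each trailing X consumes exactly one digit 0-9."""
    if len(pattern) != len(number):
        return False
    prefix = pattern.rstrip("Xx")
    tail = number[len(prefix):]
    return number.startswith(prefix) and (tail == "" or (tail.isascii() and tail.isdigit()))


def candidates(number: str, direction: str, entries=ENTRIES) -> List[Entry]:
    """All entries that could apply. Assumption: direction must be equal."""
    return [e for e in entries if e.direction == direction and matches(e.pattern, number)]


def lookup(number: str, direction: str, entries=ENTRIES) -> Optional[Entry]:
    """Longest match: the candidate with the fewest wild cards (a regular entry has none)."""
    found = candidates(number, direction, entries)
    return min(found, key=lambda e: wildcard_count(e.pattern)) if found else None


if __name__ == "__main__":
    for number in ("1234567890", "1234567891"):
        hit = lookup(number, "Outbound")
        ids = [e.id for e in candidates(number, "Outbound")]
        print(number, "candidates", ids, "->", hit.id, hit.pattern, hit.action)
```

Running the same lookup over an exported copy of your own rules shows which broad wild card entries are shadowed by more specific ones before you rely on them for blocking.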

Sorting Order Rules

Security Shield bases the sort order on the following rules:
  • Security Shield sorts the results by the length of the number. For example, the Regular Entry with ID 9 and the Wild card Entry with ID 10 both have a length of nine characters or digits. Therefore, these phone numbers come before numbers with a length greater than nine characters or digits in ascending order, and after them in descending order.
  • If a number contains the plus character (+), it earns lower priority in ascending order than the same number without the plus character, and higher priority in descending order. For example, for the Regular Entries with ID 1 (9871562313) and ID 3 (+9871562313), the correct ascending order is 9871562313 > +9871562313 and the correct descending order is +9871562313 > 9871562313.
  • Wild cards always earn lower priority than regular numbers after some of the digits have been directly matched, and the opposite in descending order. For example, the regular number 1234567890 always comes before 123456789X in ascending order and after it in descending order.

Descending Order

The following list shows the descending sort order for the results of the preceding example entries.

+9871XXXXXX

98715623XX

+9871562313

9871562313

8373XXXXXX

3276458901

1XXXXXXXXX

12XXXXXXXX

123XXXXXXX

1234XXXXXX

12345XXXXX

123456XXXX

1234567XXX

12345678XX

123456789X

1234567890

123456782X

774436712

77442671X

Ascending Order

The following list shows the ascending sort order for the results of the preceding example.

77442671X

774436712

123456782X

1234567890

123456789X

12345678XX

1234567XXX

123456XXXX

12345XXXXX

1234XXXXXX

123XXXXXXX

12XXXXXXXX

1XXXXXXXXX

3276458901

8373XXXXXX

9871562313

+9871562313

98715623XX

+9871XXXXXX

The All Numbers List

On the Access Control List page, the Oracle® Communications Security Shield Cloud Service (Security Shield) displays the system-named All Numbers List. The All Numbers list is a summary view of all your access control lists. You can edit and delete phone numbers on the All Numbers List and add new numbers. You cannot rename or delete the All Numbers list.

The Access Control List page always displays the All Numbers List as the first list in the left pane. In the right pane, the All Numbers List displays the Search field, the Simulate Lookup button, and the Add Rule button. The display lists the phone numbers and their attributes under the Calling Numbers, Called Numbers, Call Direction, Enforcement Action, Access Control List headings and the Actions icons. The pane also includes a description of the list, when one exists. (You can write a description for any user-created list.) If you do not know which list contains the phone number you want to edit, use Search on the All Numbers List. The search results identify the list.

This screen capture shows the All Numbers list at the top of the left pane. When highlighted, as shown in this screen capture, the right pane displays the contents of the list. The contents are displayed in a page format with the headings from left to right as Calling Numbers, Called Numbers, Call Direction, Enforcement Action, Access Control List, and Action. Each row below the headings represents one rule.

Note:

When you add phone numbers, edit phone number attributes, and delete phone numbers on one of your user-created access control lists, the All Numbers List reflects the same information.

Search Field

At the top-left of the right pane, the All Numbers List displays the Search field. Use Search when looking for an exact match to a phone number.

Search supports searching for phone numbers that include wild card characters in the suffix. For example, 1615410x. Any number matching this search criteria from left to right (exact match) is a match. The following are matches: +1615410x, +1615410xx, and +1615410xxx.

You can also perform partial-number search by typing as much of the first part of a phone number as you want and omit the trailing numbers. For example, suppose you want to see all phone numbers that begin with +1 615 410 because you are looking for +1 615 410 0001 or you want to see all numbers with the +1 615 410 prefix. Enter +1 615 410 in Search and the system will display all phone numbers that begin with +1 615 410. For each phone number found on the All Numbers List, the results also show the specified call direction, the specified enforcement action, and the name of the user-created list that contains the phone number, as shown in the following screen capture.

This screen capture shows an example of the All Numbers list.

  • Match found—The Access Control Lists page displays the Calling Numbers, Called Numbers, Call Direction, Enforcement Action, and name of the list that contains the number, as shown in the following screen capture. This screen capture shows an example of a simulated number look up.
  • No match found—The Access Control Lists page displays a message that says "No Data Available". If you want to add the number to the list, click + Add Rule. When you save the rule, the system adds it to the All Numbers List and to the user-created list that you specified (if you specified one). This screen capture shows the number lookup response when Security Shield cannot find the number.

Note:

Search can display up to 1,000 results, which you can scroll through. The results display in ascending order only.

Simulate Lookup Button

Near the top-right of the right pane, the All Numbers List page displays the Simulate Lookup button. Use Simulate Lookup when you want to know how the Security Shield will enforce access control on a phone number on your list. The results show the Call Direction, the Enforcement Action that the session border controller will apply, and the name of the list that contains the phone number, as shown in the following screen capture.

This screen capture shows a partial phone number entered in the Search field and the resulting list of numbers.

When Simulate Lookup does not find a match to the number you entered, the GUI allows the call because the phone number does not exist on any of your access control lists. The Simulate Phone Number Lookup Results page displays the "We couldn't find any match" message as shown in the following screen capture.

This screen capture shows an example of the message that the system displays when it does not find a match to the phone number you entered. The message says, Your simulated lookup did not match any numbers. If the call were a real, Security Shield would allow the call.

Add a New Access Control List

You can create your own access control lists to organize phone numbers and rules for how you want to control inbound and outbound calls. Oracle® Communications Security Shield Cloud Service (Security Shield) supports up to ten user-created access control lists.

Procedure
  1. Access the Access Control Lists page.
  2. On the Access Control Lists page, click Add New ACL.
    Security Shield opens the Add Access Control List drawer.
  3. In the Name field, enter a unique name for the list. 100 characters, maximum.
  4. Optional—In the Description field, enter a description of the list. 256 characters, maximum.
  5. Do one of the following:
    • To add only one list, click Add. Security Shield closes the dialog and saves the list.
    • To add another list, click Add Another. Security Shield re-displays the Add Access Control List drawer. After you create the last rule you want, click Add to close the drawer and save the lists.

Delete an Access Control List

When you want to delete an Oracle® Communications Security Shield Cloud Service (Security Shield) access control list, you can do so at any time from the Access Control List page.

  1. Access the Access Control Lists page.
  2. On the Access Control Lists page, hover over the list that you want to delete, and click the delete icon.
    The system displays a confirmation dialog.
  3. Click Delete.
    Security Shield saves the change.

Edit the Name of an Access Control List

When you want to edit the name of an Oracle® Communications Security Shield Cloud Service (Security Shield) access control list, you can do so at any time from the Access Control List page.

Procedure
  1. Access the Access Control Lists page.
  2. On the Access Control Lists page, hover over the list that you want to edit, and click the edit icon.
    Security Shield displays the Edit Access Control List drawer.
  3. In the Name field, edit the name of the list.
  4. Optional—Edit the Description field.
  5. Click Save.
    Security Shield saves the change.

Add a New Rule to an Access Control List

When you want to add one or more rules to an Oracle® Communications Security Shield Cloud Service (Security Shield) access control list, you can do so at any time from the Access Control Lists page.

Procedure

In the following procedure, you can specify one or more Calling Numbers, Called Numbers, or both for the rule to use as criteria for matching calls to the enforcement action. You can select only one call direction per rule.

Phone numbers must be from 1-25 digits or in E.164 international format. You can use the x character as a wild card for number ranges, but only as a suffix. For example, to specify an 11-digit number in the range +1 603-555-0000 to +1 603-555-9999, enter +1 603-555-xxxx.

Note:

If you try to add the same phone number with the same attributes to two access control lists, the system displays an error message.
  1. Access the Access Control Lists page.
  2. In the left pane, select the list you want to edit.
  3. In the right pane, click + Add Rule.
  4. In the Add ACL Rule drawer, do the following:
    1. Calling Numbers—Specify one or more Calling Numbers for this rule by entering the number and clicking the + button. You can add up to 100 Calling Numbers per rule.
    2. Called Numbers—Specify one or more Called Numbers for this rule by entering the number and clicking the + button. You can add up to 100 Called Numbers per rule.
    3. Call Directions—Select either Inbound or Outbound for this rule. Default: Inbound. Valid values: Inbound | Outbound.
    4. Enforcement Action—Select an enforcement action for this rule from the drop-down list. Default: Allow. Valid values: Allow | Block | Throttle | Exclude | Redirect (Not supported for Outbound calls).
    5. (Conditional)—If you selected Redirect for the enforcement action, enter a number in the Redirect To Number field. Enter 1-15 digits or a number in E.164 international format. Redirect does not support wild cards or the Outbound call direction.
    6. (Conditional)—If you selected Throttle for the enforcement action, set a number in the Percentage Allowed field. Default: 50%. Valid values: 1%-99%.
  5. Do one of the following:
    • To add only one rule, click Add. Security Shield closes the drawer and saves the rule.
    • To add another rule, click Add Another. Security Shield re-displays the Add ACL Rule drawer. After you enter the last rule you want to create, click Add to close the drawer and save the rules.
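The field constraints in this procedure can be checked before rules are entered, for example when reviewing a spreadsheet of planned rules. The following is an added example, not Oracle code or a Security Shield API. The dictionary keys and function names are hypothetical, and it assumes that spaces and hyphens are presentation only, that a pattern needs at least one digit before any wild card, and that a number with a leading + is held to the E.164 limit of 15 digits.

```python
import re

ACTIONS = {"Allow", "Block", "Throttle", "Exclude", "Redirect"}
DIRECTIONS = {"Inbound", "Outbound"}
MAX_NUMBERS_PER_FIELD = 100          # "up to 100 ... per rule"
_NUMBER = re.compile(r"^(\+?)(\d+)([xX]*)$")   # wild cards only as a suffix


def check_number(number, max_len=25, allow_wildcard=True):
    """Return an error string for one phone number, or None when it is acceptable."""
    compact = re.sub(r"[ \-]", "", number)     # assumption: "+1 603-555-xxxx" style input
    m = _NUMBER.match(compact)
    if not m:
        return f"{number!r}: only digits, an optional leading +, and trailing x wild cards"
    plus, digits, wild = m.groups()
    if wild and not allow_wildcard:
        return f"{number!r}: wild cards are not supported here"
    limit = 15 if plus else max_len            # assumption: + means E.164, max 15 digits
    if len(digits) + len(wild) > limit:
        return f"{number!r}: longer than {limit} digits"
    return None


def validate_rule(rule):
    """Return a list of problems for one rule dict; an empty list means it passes."""
    errors = []
    calling = rule.get("calling_numbers", [])
    called = rule.get("called_numbers", [])
    if not calling and not called:
        errors.append("rule needs at least one Calling Number or Called Number")
    for field, numbers in (("calling_numbers", calling), ("called_numbers", called)):
        if len(numbers) > MAX_NUMBERS_PER_FIELD:
            errors.append(f"{field}: more than {MAX_NUMBERS_PER_FIELD} numbers")
        for n in numbers:
            err = check_number(n)
            if err:
                errors.append(f"{field}: {err}")

    direction = rule.get("direction", "Inbound")      # page default: Inbound
    action = rule.get("action", "Allow")              # page default: Allow
    if direction not in DIRECTIONS:
        errors.append(f"direction {direction!r} is not Inbound or Outbound")
    if action not in ACTIONS:
        errors.append(f"action {action!r} is not a valid enforcement action")

    if action == "Redirect":
        if direction == "Outbound":
            errors.append("Redirect is not supported for Outbound calls")
        target = rule.get("redirect_to")
        if not target:
            errors.append("Redirect requires a Redirect To Number")
        else:
            err = check_number(target, max_len=15, allow_wildcard=False)
            if err:
                errors.append(f"redirect_to: {err}")
    if action == "Throttle":
        pct = rule.get("percentage_allowed", 50)      # page default: 50%
        if not isinstance(pct, int) or not 1 <= pct <= 99:
            errors.append("Percentage Allowed must be from 1 to 99")
    return errors


if __name__ == "__main__":
    # Constructed sample rules, not taken from a real deployment.
    samples = [
        {"calling_numbers": ["+1 603-555-xxxx"], "direction": "Inbound", "action": "Block"},
        {"called_numbers": ["16035550100"], "direction": "Outbound",
         "action": "Redirect", "redirect_to": "16035550199"},
    ]
    for rule in samples:
        print(rule.get("action"), validate_rule(rule) or "OK")
```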

Delete a Rule from an Access Control List

When you want to delete one or more rules from an Oracle® Communications Security Shield Cloud Service (Security Shield) access control list, you can do so at any time from the Access Control List page.

Procedure

Note:

If you do not know which list contains the rule you want to delete, use Search on the All Rules List. The search results will identify the list.
  1. Access the Access Control Lists page.
  2. On the All Numbers List page, go to the list that contains the rule you want to delete and click the delete icon.
    Security Shield displays a confirmation dialog.
  3. Click Delete.
    Security Shield deletes the rule.

Edit a Phone Number on an Access Control List Rule

When you want to edit a phone number in an Oracle® Communications Security Shield Cloud Service (Security Shield) Access Control List, you can do so at any time from the Access Control List page.

Procedure

Note:

If you do not know which list contains the phone number you want to edit, use Search on the All Rules List. The search results identify the list that contains the number.
  1. Access the Access Control Lists page.
  2. On the Access Control Lists page, locate the list that contains the number you want to edit and click the corresponding edit icon.
    Security Shield opens the Edit ACL Rule drawer.
  3. In the Edit ACL Rule drawer, edit any of the fields or parameters that you want to change.

    Note:

    The rule and call direction must be unique among all your access control lists.
  4. Click Save.
    Security Shield saves the change.

Change the Call Direction for an Access Control List Rule

When you want to change the call direction on an Oracle® Communications Security Shield Cloud Service (Security Shield) access control list rule, you can do so at any time from the Access Control Lists page.

Procedure

Note:

If you do not know which list contains the rule you want to edit, use Search on the All Rules List. The search results will identify the list that contains the number.
  1. Access the Access Control Lists page.
  2. On the Access Control Lists page, locate the list that contains the number you want to edit and click the corresponding edit icon.
    Security Shield opens the Edit ACL Rule drawer.
  3. In the Edit ACL Rule drawer, go to Call Direction, and change the call direction. Default: Inbound. Valid values: Inbound | Outbound.

    Note:

    The rule and call direction must be unique among all your access control lists.
  4. Click Save.
    Security Shield saves the change.

Change the Enforcement Action on an Access Control List Rule

When you want to change the enforcement action on an Oracle® Communications Security Shield Cloud Service (Security Shield) Access Control List Rule, you can do so at any time from the Access Control List page.

Procedure

Because Security Shield allows you to change the enforcement action on a particular rule, be aware that the purpose of the access control list might start to lose meaning or become confusing when you change the enforcement action on a rule.

For example, suppose an access control list is named "Allow Inbound Calls" and you change the enforcement action on a rule in that list to "Block". The block rule still belongs to the "Allow Inbound Calls" list, which can cause confusion because the enforcement action does not correspond to the list name. Oracle recommends either renaming the list or moving the changed number to a list of blocked numbers. If you do not have one, you can create one.

Note:

If you do not know which list contains the rule you want to edit, use Search on the All Rules List. The search results will identify the list that contains the number.
  1. Access the Access Control Lists page.
  2. On the Access Control Lists page, locate the list that contains the number you want to edit and click the corresponding edit icon.
    Security Shield opens the Edit ACL drawer.
  3. In the Edit ACL Rule drawer, go to Enforcement Action and change the action. Default: Allow. Valid values: Allow | Block | Throttle | Exclude | Redirect (Not valid for Outbound calls).
  4. Conditional—If you select Redirect, enter the Redirect To Number.
  5. Conditional—If you select Throttle, set the Percentage Allowed.
  6. Click Save.
    Security Shield saves the change.

Simulate a Phone Number Lookup

When you want to know what enforcement action your Session Border Controller will apply to a phone number, or which of your Oracle® Communications Security Shield Cloud Service (Security Shield) Access Control lists contains a phone number, use the Simulate Lookup function.

Procedure

In the following procedure, you must enter both the Called Number and the Calling Number. Simulate Lookup cannot return a result with only one or the other. Simulate Phone Number Lookup does not accept wild cards.

  1. Access the Access Control Lists page and select the All Rules List.
  2. On the All Numbers List, click Simulate Lookup.
  3. In the Simulate Phone Number Lookup dialog, do the following:
    • Calling Number—Enter the complete Calling Number.
    • Called Number—Enter the complete Called Number.
    • Call Direction—Set the call direction. Default: Inbound. Valid values: Inbound | Outbound.
  4. Click Lookup.
    Security Shield displays the result, which includes the Enforcement Action and name of the Access Control List that contains the phone number.