5 The OCSS Access Control Lists Tab

The Oracle® Communications Security Shield (OCSS) Access Control Lists tab displays lists of rules and phone numbers that you create to enforce actions on inbound and outbound calling numbers and called numbers.

The OCSS Access Control Lists Tab Display and Operations

The Oracle® Communications Security Shield (OCSS) Access Control Lists tab displays lists of phone numbers and rules you create to control call traffic in and out of your telecommunications network. You can create lists for enterprise-wide control as well as for controlling calls to specific individuals or destinations.

The Access Control List tab displays the system-generated All Rules List along with any lists you create in the left pane and the details of the lists in the right pane. The All Rules List is a summary view of all your access controlled phone numbers and rules.

When you add, edit, or delete rules on any of your user-created lists, the All Rules List updates accordingly. Likewise, when you add, edit, or delete a phone number on the All Rules List, OCSS updates the user-created list that contains the rule and number. The Activity Log reports such changes.

Note:

You cannot rename or delete the All Rules List.

The following screen capture shows an example of the Access Control List tab with the system-named All Rules List, and some user-created lists in the left pane and the details of the highlighted list in the right pane.

This screen capture shows the Access Control List landing page, as described in the preceding and following paragraphs.

The left pane displays the Add button for adding more lists. You can add up to ten lists. When you reach the limit, the system deactivates the Add button. Each user-created list displays the edit and delete icons when you hover over the list name. For new customers, the Access Control List tab displays only the All Rules List, which is empty until you add lists. For upgrading customers, the system imports your preexisting access control lists and populates the All Rules List with the numbers from the imported lists.

The right pane displays the Add button for adding rules to user-created lists. Each rule on a list displays the edit and delete icons, when you hover over the row in the table.
  • When working with the All Rules List, the right pane displays the Search field and the Simulate Lookup button.
  • When working with a user-created list, the right pane displays the Search field but not the Simulate Lookup button.

Note:

You may find that Search on the All Rules List is especially useful when you don't know which access control list contains a number you want to find, because the search results identify the list.

When no user-created Access Control lists exist, for example, when you first install OCSS or when you delete all your user-created lists, OCSS displays the message shown in the following screen capture. (Click Add to add a list.)

This screen capture shows the message that the GUI displays when there are no user-created access lists. The message says: There are no Access Control list. Click to add one. The GUI also displays the Add button below the message.

When a user-created Access Control list contains no rules, for example, when you first create the list or when you delete all the rules on the list, OCSS displays the message shown in the following screen capture. (Click Add to add a phone number.)

This screen capture shows the message that the GUI displays when the selected list contains no phone numbers. The message says: There are no numbers in this Access Control list. Click to add one. The GUI also displays the Add button below the message.

When you create access control lists, OCSS reports their cumulative enforcement actions on the Access Control List Enforcement Actions tile on the Dashboard. The tile shows the total number of inbound and outbound enforcement actions taken and displays a pie chart with the percent of actions taken per enforcement type. When you hover over a section of the pie chart, the tile shows the action taken and the number of call actions for the type.

This screen capture shows the Access Control List Enforcement Actions tile on the Dashboard, as described in the preceding paragraph.

OCSS processes Access Control Lists (ACL) independently from regular threat processing, and an action taken due to an ACL match overrides decisions made due to threat analysis. Calls that match an ACL rule are also fully analyzed for threat status. The threat status is reported as part of the OCSS Dashboard statistics and is also available in the analytics reports environment. The system reports both the ACL status and the threat status of the call.

About Access Control Lists and Upgrades

When Oracle upgrades Oracle® Communications Security Shield (OCSS), the system migrates your preexisting access control lists with their preexisting names and rules.

In the upgrade process, OCSS migrates your preexisting numbers configured for inbound to the Calling Number list and numbers configured for outbound to the Called Number list.

Access Control List Rule Enforcement Actions

When you create an access control list rule, you must specify the enforcement action that you want Oracle® Communications Security Shield (OCSS) to apply.

You can choose from the following enforcement actions for an access control list rule.

Allow—Allows calls from the selected calling and called numbers on the list to proceed in the specified direction.

Block—Blocks calls from the selected calling and called numbers on the list from proceeding in the specified direction.

Redirect—Sends inbound calls from the selected calling and called numbers on the list to the destination that you specify. For example, you can route specific numbers with a history of fraudulent activity associated with them, or that come from specific international destinations, to a security desk for additional screening. All calls to a specific phone number go to the same specified redirect destination because OCSS does not support redirecting to multiple locations per phone number. You can specify a redirect number per inbound phone number.

Throttle—Limits the number of calls from the selected calling and called numbers on the list by allowing only the configured percentage of calls. For example, you might want to throttle international calls to limit such expensive calls beyond the threshold you set. You can configure the percentage of outbound calls to throttle for each number on the list through the Add Number and Edit Number Attributes dialogs. When OCSS throttles a particular phone number, the system chooses the calls to block to that number in a random manner such that the overall percentage of calls allowed matches the configured percentage.

Note:

You might see some fluctuation where the actual value sometimes differs from the configured value.

Access Control List Number Sorting Behavior on Phone Number Searches

The following information explains how Oracle® Communications Security Shield (OCSS) sorts phone numbers when you perform a phone number search on an access control list. OCSS uses the longest matched pattern, whether from a regular entry or from a wild card entry, to return search results. A regular entry will return an exact match and the wild card entry will return the phone number with the fewest wild card characters.

The scenarios used for the explanation assume that the database contains two tables. One table contains regular phone numbers, which contain no wild card characters, and the other table contains phone numbers that contain wild card characters.

The following table contains the list of regular phone numbers used for the subsequent explanation in this topic.

Table 5-1 Regular Entries

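| ID | List ID | Phone Number | Action | Direction |
|----|---------|--------------|--------|-----------|
| 1 | 101 | 9871562313 | Allow | Inbound |
| 3 | 101 | +9871562313 | Block | Inbound |
| 5 | 101 | 1234567890 | Block | Outbound |
| 7 | 101 | 3276458901 | Allow | Inbound |
| 9 | 101 | 774436712 | Block | Outbound |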

The following table contains the list of phone numbers with wild cards used for the subsequent explanation in this topic.

Table 5-2 Wild card Entries

| ID | List ID | Phone Number | Action | Direction |
|----|---------|--------------|--------|-----------|
| 2 | 101 | 98715623XX | Allow | Inbound |
| 4 | 101 | +9871XXXXXX | Block | Inbound |
| 6 | 101 | 1XXXXXXXXX | Block | Outbound |
| 8 | 101 | 8373XXXXXX | Allow | Inbound |
| 10 | 101 | 77442671X | Allow | Outbound |
| 12 | 101 | 12XXXXXXXX | Allow | Outbound |
| 14 | 101 | 123XXXXXXX | Block | Outbound |
| 16 | 101 | 1234XXXXXX | Allow | Outbound |
| 18 | 101 | 12345XXXXX | Block | Outbound |
| 20 | 101 | 123456XXXX | Allow | Outbound |
| 22 | 101 | 1234567XXX | Block | Outbound |
| 24 | 101 | 12345678XX | Allow | Outbound |
| 26 | 101 | 123456789X | Block | Outbound |
| 28 | 101 | 123456782X | Block | Inbound |

Longest Match Scenarios

The following scenarios explain how the OCSS bases its search results on the longest pattern match.
  • Regular Entries—Assume that OCSS receives a lookup request for 1234567890, which is an Outbound call. Our example database includes ten numbers that match this pattern. The first match is a direct match, which is the regular entry ID 5. Other matches come from the wild card table with IDs 6, 12, 14, 16, 18, 20, 22, 24 and 26, as X can represent any number from 0-9. Because the regular entry 1234567890 is a direct match, OCSS discards other entries and displays only 1234567890 as the response.
  • Wild card Entries—Assume that OCSS receives a lookup request for 1234567891. The Regular Entries table contains no matching number, but the Wild card Entries table contains potential matches in IDs 6, 12, 14, 16, 18, 20, 22, 24 and 26. OCSS seeks the longest match among those IDs, which comes from the wild card pattern with the fewest wild card characters (X). ID 26 satisfies the criteria and OCSS displays 123456789X as the response.

Sorting Order Rules

OCSS bases the sort order on the following rules:
  • OCSS sorts the results by the length of the number. For example, the Regular Entry with ID 9 and the Wild card Entry with ID 10 both have a length equal to nine characters or digits, therefore these phone numbers come before numbers with a length greater than nine characters or digits in ascending order and the opposite in descending order.
  • If a number contains the plus character (+), it earns lower priority in ascending order than the same number without the plus character, and higher priority in descending order. For example, for the Regular Entries with ID 1 (9871562313) and ID 3 (+9871562313), the correct ascending order is 9871562313 > +9871562313 and the correct descending order is +9871562313 > 9871562313.
  • Wild cards always earn lower priority than regular numbers after some of the digits have been directly matched, and the opposite in descending order. For example, the regular number 1234567890 always comes before 123456789X in ascending order and after it in descending order.

Descending Order

The following list shows the descending sort order for the results of the preceding example entries.

+9871XXXXXX

98715623XX

+9871562313

9871562313

8373XXXXXX

3276458901

1XXXXXXXXX

12XXXXXXXX

123XXXXXXX

1234XXXXXX

12345XXXXX

123456XXXX

1234567XXX

12345678XX

123456789X

1234567890

123456782X

774436712

77442671X

Ascending Order

The following list shows the ascending sort order for the results of the preceding example.

77442671X

774436712

123456782X

1234567890

123456789X

12345678XX

1234567XXX

123456XXXX

12345XXXXX

1234XXXXXX

123XXXXXXX

12XXXXXXXX

1XXXXXXXXX

3276458901

8373XXXXXX

9871562313

+9871562313

98715623XX

+9871XXXXXX
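The longest-match scenarios and the sorting rules above can be reproduced with a short model. This is an added example, not Oracle's implementation: it loads Tables 5-1 and 5-2, picks the matching entry with the most literal characters, and uses a sort key inferred from the rules and the two lists above. It assumes that a leading + is matched literally and that call direction is part of the match; the function names are hypothetical.

```python
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    id: int
    number: str      # optional leading '+', digits, optional trailing X wild cards
    action: str
    direction: str

# Tables 5-1 and 5-2 from the page, merged (every entry is on List ID 101).
ENTRIES = [
    Entry(1, "9871562313", "Allow", "Inbound"),
    Entry(2, "98715623XX", "Allow", "Inbound"),
    Entry(3, "+9871562313", "Block", "Inbound"),
    Entry(4, "+9871XXXXXX", "Block", "Inbound"),
    Entry(5, "1234567890", "Block", "Outbound"),
    Entry(6, "1XXXXXXXXX", "Block", "Outbound"),
    Entry(7, "3276458901", "Allow", "Inbound"),
    Entry(8, "8373XXXXXX", "Allow", "Inbound"),
    Entry(9, "774436712", "Block", "Outbound"),
    Entry(10, "77442671X", "Allow", "Outbound"),
    Entry(12, "12XXXXXXXX", "Allow", "Outbound"),
    Entry(14, "123XXXXXXX", "Block", "Outbound"),
    Entry(16, "1234XXXXXX", "Allow", "Outbound"),
    Entry(18, "12345XXXXX", "Block", "Outbound"),
    Entry(20, "123456XXXX", "Allow", "Outbound"),
    Entry(22, "1234567XXX", "Block", "Outbound"),
    Entry(24, "12345678XX", "Allow", "Outbound"),
    Entry(26, "123456789X", "Block", "Outbound"),
    Entry(28, "123456782X", "Block", "Inbound"),
]

def literal_part(pattern: str) -> str:
    """The pattern without its trailing wild cards (X is valid only as a suffix)."""
    return pattern.upper().rstrip("X")

def matches(pattern: str, number: str) -> bool:
    """True if `number` fits `pattern`; each X stands for exactly one digit 0-9."""
    if len(pattern) != len(number):
        return False
    literal = literal_part(pattern)
    tail = number[len(literal):]
    return number.startswith(literal) and all(c.isdigit() for c in tail)

def candidates(number: str, direction: str) -> list:
    """Every entry, regular or wild card, that matches the number and direction."""
    return [e for e in ENTRIES
            if e.direction == direction and matches(e.number, number)]

def lookup(number: str, direction: str) -> Optional[Entry]:
    """Longest match: most literal characters, so an exact entry always wins.
    Returns None when nothing matches (the page says such a call is allowed)."""
    hits = candidates(number, direction)
    return max(hits, key=lambda e: len(literal_part(e.number))) if hits else None

def sort_key(number: str):
    """Inferred ascending key: length without '+', then the characters
    (X sorts after 9), then '+' after the same number without it."""
    bare = number.lstrip("+").upper()
    return (len(bare), bare, number.startswith("+"))

def sort_numbers(numbers, descending: bool = False) -> list:
    return sorted(numbers, key=sort_key, reverse=descending)

if __name__ == "__main__":
    for probe in ("1234567890", "1234567891"):
        ids = [e.id for e in candidates(probe, "Outbound")]
        print(probe, "candidates", ids, "->", lookup(probe, "Outbound"))
    print(sort_numbers(e.number for e in ENTRIES))
```

Running it prints the candidate IDs for both scenarios and the ascending list, which can be compared line by line with the lists above.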

OCSS Phone Number Format Requirements

Oracle® Communications Security Shield (OCSS) requires the following conventions for phone numbers for inbound and outbound calls.

Note:

If your Session Border Controller does not use phone numbers in the E.164 format, Oracle may need to work with you before deploying OCSS to determine how to normalize your phone numbers to work effectively with OCSS.
  • The general number format convention is country code followed by the subscriber phone number <country code><subscriber phone number>. The country code can be up to three digits long. The subscriber phone number may include an area code and is typically seven to eleven digits long, depending on the national number conventions. For international formatting, you may format the number with a + character (+<country code><subscriber phone number>, for example, +15551234567) or without the + character. For outbound calls to international destinations you can use either the + character or the international dialing prefix for your country. Check with your SIP trunk provider for the number format convention it supports.
  • You can use wild cards at the end of the phone number to indicate a range. For example: To specify a seven digit phone number that begins with 91920, enter 91920xx.
  • If you choose to configure the Presentation Number, you must use only the number format convention supported by the SIP trunk provider. When you use multiple SIP trunk providers, you must use a Presentation Number format that each SIP Trunk provider can support. For example, in the United States you use [country code][area code][local phone number] or the more commonly used [area code][local phone number]. In the European Union and United Kingdom you use [+][country code][area code][local phone number].

The All Rules List

On the Access Control List tab, the GUI displays the system-named All Rules List. The All Rules list is a summary view of all your access control lists. You can edit and delete phone numbers on the All Rules List and add new numbers. You cannot rename or delete the list.

The Access Control List tab always displays the All Rules List as the first list in the left pane. In the right pane, the All Rules List displays the Search field, the Simulate Lookup button, and the Add button. The display lists the phone numbers and their attributes under the Calling Number, Called Number, Call Direction, Enforcement Action, and Access Control List headings. The pane also includes a description of the list, when one exists. (You can write a description for any user-created list.) If you do not know which list contains the phone number you want to edit, use Search on the All Rules List. The search results identify the list.

This screen capture shows the All Numbers list at the top of the left pane. When highlighted, as shown in this screen capture, the right pane displays the contents of the list. The contents are displayed in a table format with the headings from left to right as Calling Number, Called Number, Call Direction, Enforcement Action, and Access Control List. Each row below the headings represents one rule.

Note:

When you add phone numbers, edit phone number attributes, and delete phone numbers on one of your user-created access control lists, the All Numbers List reflects the same information.

Add Buttons

Left pane—Use to add lists.

Right pane—Use to add rules.

Search Field and Button

At the top-left of the right pane, the All Rules list displays the Search field and the Search button. Use Search when looking for an exact match to a phone number.

  • Match found—The GUI displays the Calling Number, Called Number, Call Direction, Enforcement Action, and name of the list that contains the number, as shown in the following screen capture. This screen capture shows the results of a successful phone number search, as described in the preceding paragraph.
  • No match found—The GUI displays a message that says "No matches found" and displays the "Add rule for this number?" link below the Search field, as shown in the following screen capture. Click the link and the GUI displays the Add number dialog pre-populated with the number. You can then specify the Access Control List and the attributes that you want for the rule. When you save the rule, the system adds it to the All Rules List and to the user-created list that you specified (if you specified one). This screen capture shows the result of searching for a phone number that does not exist on the list and the result of clicking the Add this number link, as described in the preceding paragraph.

Search supports searching for phone numbers that include wild card characters in the suffix, for example, 1615410x. Any number that matches these search criteria from left to right (exact match) is a match. The following are matches: +1615410x, +1615410xx, and +1615410xxx.

You can also perform partial number search by typing as much of the first part of a phone number as you want and omit the trailing numbers. For example, suppose you want to see all phone numbers that begin with +1 615 410 because you are looking for +1 615 410 0001 or you want to see all numbers with the +1 615 410 prefix. Enter +1 615 410 in Search and the system will display all phone numbers that begin with +1 615 410. For each phone number found on the All Numbers List, the results also show the specified call direction, the specified enforcement action, and the name of the user-created list that contains the phone number, as shown in the following screen capture.

This screen capture shows a partial phone number entered in the Search field and the resulting list of numbers.

Note:

Search can display up to 1,000 results, which you can scroll through. The results display in ascending order only.

Simulate Lookup Button

At the top-right of the right pane, the All Numbers List tab displays the Simulate Lookup button. Use Simulate Lookup when you want to know how the OCSS will enforce access control on a phone number on your list. The results show the call direction, the enforcement action that the session border controller will apply, and the name of the list that contains the phone number, as shown in the following screen capture.

This screen capture shows an example of a simulated phone number look-up that resulted in a match. The screen displays the number you searched for, its specified call direction, the enforcement action the Session Border Controller will apply, and the name of the access control list that contains the phone number.

When Simulate Look-up does not find a match to the number you entered, the GUI allows the call because the phone number does not exist on any of your access control lists, and displays the message shown in the following screen capture.

This screen capture shows an example of the message that the system displays when it does not find a match to the phone number you entered. The message says, Your simulated look-up did not match any numbers. If the call were a real, the OCSS would allow the call.

User-Created Access Control Lists

On the Access Control Lists tab, the Web GUI displays user-created access control lists. You can create such lists to organize phone numbers and rules for how you want to control inbound and outbound calls.

You can add up to ten access control lists, on which you can add, edit, and delete phone numbers, change attributes, and add and delete rules.

The Access Control Lists tab always displays the All Numbers List as the first list in the left pane. User-created lists follow in alphabetical order.

Search Field and Button

At the top-left of the right pane, the user-created list displays the Search field and the Search button. Use Search when looking for an exact match to a phone number.

When found—the GUI displays the Calling Number, Called Number, Call Direction and Enforcement Action, as shown in the following screen capture.

This screen capture shows the results of a successful phone number search, as described in the preceding paragraph.

When not found—the GUI displays a message that says "No matches found" and displays the "Add rule for this number?" link below the Search field, as shown in the following screen capture. Click the link and the GUI displays the Add ACL Rule dialog pre-populated with the number. You can set the attributes that you want for the rule.

This screen capture shows the result of searching for a phone number that does not exist on the list and the result of clicking the Add this number link, as described in the preceding paragraph.

You can also perform partial number search by typing as much of the first part of a phone number as you want and omit the trailing numbers. For example, suppose you want to see all phone numbers that begin with 555 because you are looking for 555-111-2222 or you want to see all numbers with the 555 prefix. Enter 555 in Search and the system will display all phone numbers that begin with 555. For each phone number found on the All Numbers List, the results show the Calling Number, Called Number, Call Direction, and Enforcement action, as shown in the following screen capture.

This screen capture shows a partial phone number entered in the Search field and the resulting list of numbers.

Note:

The GUI can display up to 1,000 search results.

Add an Access Control List

When you want to allow, block, redirect, or throttle calls, you can create lists of phone numbers to affect with those actions. Oracle® Communications Security Shield (OCSS) supports up to ten user-created access control lists.

  1. Access the Access Control Lists tab.
  2. On the Access Control Lists tab, click Add at the top of the left pane.
    The Web GUI displays the Add Access Control List dialog.
  3. In the Name field, enter a unique name for the list. 100 characters, maximum.
  4. Optional—In the Description field, enter a description of the list. 256 characters, maximum.
  5. Do one of the following:
    • To add only one list, click Add. OCSS closes the dialog and saves the list.
    • To add another list, click Add Another. OCSS re-displays the Add Access Control List dialog. After you create the last rule you want, click Add to close the dialog and save the lists.

Delete an Access Control List

When you want to delete an access control list, you can do so at any time from the Access Control List tab.

  1. Access the Access Control Lists tab.
  2. On the Access Control Lists tab, hover over the list that you want to delete, and click the delete icon.
    The system displays a confirmation dialog.
  3. Click Delete.
    OCSS saves the change.

Edit the Name of an Access Control List

When you want to edit the name of an access control list, you can do so at any time from the Access Control List tab.

  1. Access the Access Control List tab.
  2. On the Access Control List tab, hover over the list that you want to edit, and click the edit icon.
    The GUI displays the Edit Access Control List dialog.
  3. In the Name field, edit the name of the list.
  4. Optional—Edit the Description field.
  5. Click Save.
    OCSS saves the change.

Add a Rule to an Access Control List

When you want to add one or more rules to an access control list, you can do so at any time from the Access Control List tab.

In the following procedure, you can specify one or more Calling Numbers, Called Numbers, or both for the rule to use as criteria for matching calls to the enforcement action. You can select only one call direction per rule.

Phone numbers must be from 1-25 digits or in E.164 international format. You can use the x character as a wild card for number ranges, but only as a suffix. For example, to specify an 11-digit number in the range +1 603-555-0000 to +1 603-555-9999, enter +1 603-555-xxxx.

Note:

If you try to add the same phone number with the same attributes to two access control lists, the system displays an error message.
  1. Access the Access Control Lists tab.
  2. In the left pane, select the list you want to edit.
  3. In the right pane, click Add (at the top of the right pane).
  4. In the Add ACL Rule dialog, do the following:
    1. New Calling Number to Add—Specify one or more Calling Numbers for this rule by entering the number and clicking the + button. You can add up to 100 Calling Numbers per rule.
    2. New Called Number to Add—Specify one or more Called Numbers for this rule by entering the number and clicking the + button. You can add up to 100 Called Numbers per rule.
    3. Call Direction—Select either Inbound or Outbound for this rule. Default: Inbound. Valid values: Inbound | Outbound.
    4. Enforcement Action—Select an enforcement action for this rule from the drop-down list. Default: Allow. Valid values: Allow | Block | Redirect (Not valid for Outbound calls) | Throttle.
    5. (Conditional)—If you selected Redirect for the enforcement action, enter a number in the Redirect To Number field. Enter 1-15 digits or a number in E.164 international format. Redirect does not support wild cards or the Outbound call direction.
    6. (Conditional)—If you selected Throttle for the enforcement action, set a number in the Throttle % field. Default: 50%. Valid values: 1%-99%.
  5. Do one of the following:
    • To add only one rule, click Add. OCSS closes the dialog and saves the rule.
    • To add another rule, click Add Another. OCSS re-displays the Add ACL Rule dialog. After you enter the last rule you want to create, click Add to close the dialog and save the rules.
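The limits stated in this procedure can be checked before rules are entered, for example when reviewing a planned rule set. This is an added example, not part of OCSS: the rule dictionary keys and function names are hypothetical, spaces and hyphens are assumed to be ignored, and at least one literal digit is assumed to be required before any wild cards.

```python
import re

ACTIONS = {"Allow", "Block", "Redirect", "Throttle"}
DIRECTIONS = {"Inbound", "Outbound"}
# Optional '+', at least one digit (assumption), then wild cards only as a suffix.
NUMBER_RE = re.compile(r"^(\+?)(\d+)([xX]*)$")

def normalize(number):
    """Drop the spaces and hyphens used for readability (assumed to be ignored)."""
    return re.sub(r"[ \-]", "", number)

def number_error(number, max_len=25, allow_wildcard=True):
    """Return a problem description for one phone number, or None if it is valid."""
    m = NUMBER_RE.match(normalize(number))
    if not m:
        return f"{number!r}: use digits, an optional leading +, and x only as a suffix"
    plus, digits, wild = m.groups()
    if wild and not allow_wildcard:
        return f"{number!r}: wild cards are not supported here"
    limit = 15 if plus else max_len   # E.164 allows at most 15 digits after '+'
    if len(digits) + len(wild) > limit:
        return f"{number!r}: longer than {limit} digits"
    return None

def validate_rule(rule, existing=()):
    """Return a list of problems; an empty list means the rule fits the limits.
    `existing` holds (number, direction) pairs already present on any list."""
    errors = []
    calling = list(rule.get("calling", []))
    called = list(rule.get("called", []))
    direction = rule.get("direction", "Inbound")   # documented default
    action = rule.get("action", "Allow")           # documented default
    if not calling and not called:
        errors.append("specify at least one Calling Number or Called Number")
    for label, numbers in (("Calling", calling), ("Called", called)):
        if len(numbers) > 100:
            errors.append(f"more than 100 {label} Numbers in one rule")
        errors += [e for e in map(number_error, numbers) if e]
    if direction not in DIRECTIONS:
        errors.append(f"unknown call direction {direction!r}")
    if action not in ACTIONS:
        errors.append(f"unknown enforcement action {action!r}")
    if action == "Redirect":
        if direction == "Outbound":
            errors.append("Redirect is not valid for Outbound calls")
        target = rule.get("redirect_to")
        if not target:
            errors.append("Redirect needs a Redirect To Number")
        else:
            problem = number_error(target, max_len=15, allow_wildcard=False)
            if problem:
                errors.append(problem)
    if action == "Throttle":
        pct = rule.get("throttle_pct", 50)         # documented default
        if not (isinstance(pct, int) and 1 <= pct <= 99):
            errors.append("Throttle % must be from 1 to 99")
    # The same number and call direction may appear only once across all lists.
    seen = {(normalize(n).lower(), d) for n, d in existing}
    for n in calling + called:
        if (normalize(n).lower(), direction) in seen:
            errors.append(f"{n!r} {direction} already exists on an access control list")
    return errors

if __name__ == "__main__":
    # Constructed sample rules.
    print(validate_rule({"calling": ["+1 603-555-xxxx"], "action": "Block"}))
    print(validate_rule({"called": ["1603x55"], "direction": "Outbound",
                         "action": "Redirect", "redirect_to": "16035550100"}))
```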

Delete a Rule from an Access Control List

When you want to delete one or more rules from an access control list, you can do so at any time from the Access Control List tab.

Note:

If you do not know which list contains the rule you want to delete, use Search on the All Rules List. The search results identify the list.
  1. Access the Access Control Lists tab.
  2. In the Access Control Lists tab, go to the list that contains the rule you want to delete and hover over the rule.
  3. Click Delete.
    OCSS displays a confirmation dialog.
  4. Click Delete.
    OCSS deletes the rule.

Edit a Phone Number on an Access Control List Rule

When you want to edit a phone number in an Access Control List rule, you can do so at any time from the Access Control List tab.

Note:

If you do not know which list contains the phone number you want to edit, use Search on the All Rules List. The search results identify the list.
  1. Access the Access Control Lists tab.
  2. On the Access Control Lists tab, go to the list that contains the number you want to edit and hover over the rule that contains the number.
  3. Click the edit icon.
  4. In the Edit ACL Rule dialog, hover over the phone number you want to edit, and click the edit icon (near the right end of the field).
    OCSS activates the selected phone number field.
  5. Edit the number and click the check mark icon.

    Note:

    The phone number and call direction must be unique among all your access control lists.
  6. Click Save.
    OCSS saves the change.

Change the Call Direction for an Access Control List Rule

When you want to change the call direction on an access control list rule, you can do so at any time from the Access Control List tab.

Note:

If you do not know which list contains the rule you want to edit, use Search on the All Rules List. The search results identify the list.
  1. Access the Access Control Lists tab.
  2. On the Access Control Lists tab, go to the list that contains the rule you want to change and hover over the rule.
  3. Click the edit icon.
  4. In the Edit ACL Rule dialog, go to Call Direction, and change the call direction. Default: Inbound. Valid values: Inbound | Outbound.

    Note:

    The rule and call direction must be unique among all your access control lists.
  5. Click Save.
    OCSS saves the change.

Change the Enforcement Action on an Access Control List Rule

When you want to change the enforcement action on an Access Control List Rule, you can do so at any time from the Access Control List tab.

Because OCSS allows you to change the enforcement action on a particular rule, be aware that the name of the access control list might start to lose meaning or become confusing when you change the enforcement action on a rule.

For example, suppose an access control list is named "Allow Inbound Calls" and you change the enforcement action on a rule in that list to "Block". The block rule still belongs to the "Allow Inbound Calls" list, which can cause confusion because the enforcement action does not correspond to the list name. Oracle recommends either renaming the list or moving the changed number to a list of blocked numbers. If you do not have one, you can create one.

Note:

If you do not know which list contains the rule you want to edit, use Search on the All Rules List. The search results identify the list.
  1. Access the Access Control Lists tab.
  2. On the Access Control Lists tab, go to the list that contains the rule you want to change and hover over the rule.
  3. On the selected rule, click the edit icon.
  4. In the Edit ACL Rule dialog, go to Enforcement Action and change the action. Default: Allow. Valid values: Allow | Block | Redirect | Throttle.
  5. Conditional—If you select Redirect, enter the Redirect To Number.
  6. Conditional—If you select Throttle, set the Percentage Allowed.
  7. Click Save.
    OCSS saves the change.

Simulate a Phone Number Lookup

When you want to know what enforcement action your Session Border Controller will apply to a phone number, or which of your Oracle® Communications Security Shield (OCSS) Access Control lists contains a phone number, use the Simulate Lookup function.

In the following procedure, you must enter both the Called Number and the Calling Number. Simulate Lookup cannot return a result with only one or the other. Simulate Phone Number Lookup does not accept wild cards.
  1. Access the Access Control Lists tab and select the All Rules List.
  2. On the All Rules List page, click Simulate Lookup.
  3. In the Simulate Phone Number Lookup dialog, do the following:
    • Calling Number—Enter the complete Calling Number.
    • Called Number—Enter the complete Called Number.
    • Call Direction—Set the call direction. Default: Inbound. Valid values: Inbound | Outbound.
  4. Click Lookup.
    OCSS displays the result, which includes the Enforcement Action and name of the Access Control List that contains the phone number.