1 General Security Principles

The following principles are fundamental to using any application securely.

Keep Software Up To Date

One of the principles of good security practice is to keep all software versions up to date. Oracle maintains multiple SBC streams or versions that are updated with applicable security patches. Always review the Critical Patch Updates and Release Notes relevant to the stream installed to determine whether an update should be applied.

Restrict Network Access to Critical Services

By design, the SBC family defaults to a closed state. No signaling or media can pass through the system unless it is explicitly configured.

Only services required for initial configuration of the system are available on a dedicated management Ethernet port (wancom0), which should be connected to a management network. Insecure services such as telnet and FTP should be disabled. Access to management services should be protected through the use of system-level Access Control Lists (ACLs) specifying allowed IP address ranges.

Signaling and media are only available on a separate set of Ethernet ports designated for services. ACLs should also be used on services ports for SIP peering deployments where possible. Some management capabilities can be enabled on these services ports by an administrator, so care should be taken to determine the risk of doing so in individual cases. In general, it is not recommended to enable services other than perhaps ICMP.

Services should also be protected from DoS abuse through configuration of call admission controls, signaling thresholds, blacklisting, and attack tool detection, all of which are covered as part of this guide.

Follow the Principle of Least Privilege

The SBC family provides some implicit least privilege because direct user access is usually not provided. In most cases, the system acts as a proxy device so there is no direct user interaction. In other cases the system may provide a registrar function. However, providing the registrar function does not give the user access to any system level commands.

Administrators are the only ones who have any sort of system logon permissions. The system provides Role-Based Access Control with dedicated user accounts that have pre-assigned privilege levels in the Command Line Interface. These are discussed further in the section on management interfaces. RADIUS and TACACS+ can also be enabled to provide an outside authentication and authorization function. The minimum authorization class for RADIUS and command set should be considered for the administrator’s role.

Monitor System Activity

Monitoring system activity is critical to determine if someone is attempting to abuse system services and to detect if there are performance or availability issues. Useful monitoring information can be acquired through SNMP, RADIUS accounting, Historical Data Recording (HDR), and Syslog. At a minimum, SNMP should be configured, and use of an external syslog server should be considered.

Keep Up To Date on Latest Security Information

Security issues that require a software or configuration update will be communicated in quarterly Critical Patch Updates (CPU). The latest CPUs as well as instructions to subscribe to them can be found at http://www.oracle.com/technetwork/topics/security/alerts-086861.html. A free Oracle Technology Network account is required to receive CPUs.