Management Interfaces

Serial (Console) Interface

As with any industry standard serial interface to a network element, minimal security functions are available. The physical security of the installation location should be assured since console access cannot be blacklisted. However, the Admin Security license (discussed later) does allow for the console port to be disabled.

To avoid unauthorized access to the console interface the console-timeout should be configured to automatically disconnect the console session after an appropriate period of time (i.e. 300 seconds). Timeouts are disabled by default.

If the console port detects a cable disconnect it will also log out any logged in user to prevent unauthorized use.

The console interface should only be connected to a terminal server if the terminal server is deployed in a secure non-public network.

Configuration is detailed in Section 3 “System Configuration” of the ACLI Configuration Guide.

Management Port Configuration

The Wancom0 management interface MUST be connected to and configured on a management network or subnet separate from the service interfaces. If it is not, the SBC is subject to ARP overlap issues, and loss of system access when the network is down or under DDoS attack. Oracle does not support SBC configurations with management and media and service interfaces on the same subnet.

Configuration is detailed in Section 2 “Getting Started” and Section 3 “System Configuration” of the ACLI Configuration Guide.

Passwords

The SBC provides two levels of user accounts through the Acme Packet Command Line Interface (ACLI): User and Superuser (the “user” and “admin” accounts). SBC no longer supports default passwords and requires these to be changed on first login.

Alternatively, the SBC supports the management of passwords via external RADIUS and TACACS+ servers for finer grain access control. The SBC supports communications with up to six RADIUS servers for this function. At least two entries should be configured to prevent service interruption.

The SBC encrypts sensitive configuration data in the configuration file using a Protected Configuration Password (PCP). This administratively configured password provides security and convenience when migrating configurations to different SBCs. All user passwords should be changed; however, it is especially important to change the PCP (“config” user password) so passwords and keys stored in the config file are secure. TLS, IPsec, and HDR features are protected by the PCP:

CAUTION: Once the PCP password is changed the sensitive information (certificates, IPSec shared secrets, etc) in your configuration file will be re-encrypted using the new PCP the new encryption “salt.”. As a result, previously backed up configuration files cannot be restored unless the password is restored to the value that configuration file was encrypted with.

Configuration is detailed in Section 2 “Getting Started” of the ACLI Configuration Guide, and Section 4 “System Management” of the Maintenance and Troubleshooting Guide in the subsection entitled “Setting a Protected Configuration Password: Matching Configurations.”

The SBC provides a backup user for HDR file synchronization that must be changed. The backup user password can be set using the command “secret backup”. The “secret” command is detailed in Section 3 of the ACLI Reference Guide.

The SBC provides one user for administration of legal intercept functions when a Lawful Intercept (“LI”) license is installed – li-admin. The first time lawful interception is configured you will be prompted to change the password. However if you have installed the license, but never configured lawful interception, the default password may be active and usable via SSH. Procedures to change the password are detailed in the LI Documentation Set.

Boot Flags

Boot parameters specify what information the system uses at boot time when it prepares to run applications. The boot parameters allow definition of an IP on the management interface, set the system prompt, and determine the software load that will be used. In addition, there is a boot flag setting that may modify the file location to be used, but may also enable additional features. Administrator access to the command line interface is required to modify the bootflags.

There is seldom a reason to change the boot flag from its default value (0x08). Changes to the boot flags are usually only needed for hardware testing or recovery, debugging, etc.

A few boot flag values that are disabled by default have security implications. These should only be enabled at the direction of Oracle technical support.

0x01 – Turns off the hardened interface protection on the media interfaces, allowing all ingress traffic
0x10 – Enables a second sshd server that provides access to the linux system console. This server process is different from the ssh server used to access the ACLI for configuration.
0x80008 – enable source routing on the management port

For further information on boot flags refer to “Configuration Elements A-M” of the ACLI Reference Guide.

System ACLs

The Wancom0 Ethernet management interface should always be deployed in a secure non-public network.

The SBC provides static System Access Control List functionality (ACL) to protect the Wancom0 interface from other devices that can access the management LAN remotely. Only the management station(s) authorized for SBC access such as the Oracle Communications Session Element Manager should be permitted with ACLs. All system ACLs are considered “allow” ACLs, and include a specific IP source address / netmask and the IP protocol allowed. As the first ACL is created an implicit deny rule is inserted as the final ACL.

The “system-access-list” configuration is detailed in Section 3 “System Configuration” of the ACLI Configuration Guide.

Telnet/SSH

Telnet has been removed and only SSH is supported starting 8.0 release.

To avoid unauthorized access to the SSH interface, a timeout should be configured to automatically disconnect the terminal session after an appropriate period of time (i.e. 300 seconds). Timeouts are disabled by default.

The SBC supports viewing, importing, and deleting public ssh keys used for authentication of SSHv2 sessions.

You can select the algorithms which the Oracle Communications Session Border Controller offers during SSH session negotiation.

Oracle recommends:

ssh-config, encr-algorithms, do not use any *-cbc cipher
hash-algorithm = hmac-sha2-s56
host-key = ssh-rsa
keyex-algorithms = diffie-hellman-group-exchange-sha256

Configuration is detailed in “Getting Started” of the ACLI Configuration Guide, and “System Management” of the Maintenance and Troubleshooting Guide.

FTP/SFTP

Only SFTP is supported.

GUI Management

The SBC can be managed by the Oracle Communications Session Element Manager via ACP through the management interface over TCP ports 3000 and 3001.

By default these ports are enabled in system-config > remote-control. If the SBCs are not remotely controlled by a Session Element Manager then this feature should be disabled.

Oracle recommends protecting ACP communication is recommended to be protected by with TLS. Enable ACP over TLS by configuring acp-tls-profile in system-config.

CAUTION: Disabling the remote-control feature is incompatible with the SBC HA architecture. Hence this functionality is considered optional and should only be deployed where HA and EMS are not used. If the SBCs are deployed in HA configuration, then the remote-control parameter needs to be enabled for the acquire-config feature to function properly.

Configuration is detailed in “System Configuration” of the ACLI Configuration Guide.

Web Management

Depending on the release, a web based management interface may be accessible via the management network connected to wancom0. The web interface is disabled and not supported for Service Provider SBCs, but Enterprise SBCs include a full featured management and provisioning system.

By default the web interface is disabled. It can be accessed via the wancom0 IP address when enabled. Note that even if the web interface is disabled that the SBC will respond on port 80 by default. However, all new connection requests are immediately torn down with a TCP RST since there is no web server process running, and no kernel rule to forward the request to the web server.

Oracle recommends that only HTTPS be enabled on this interface so TLS will be used instead of the default HTTP. Care should be taken when defining the cipher list in the tls-profile so that administrative traffic cannot be compromised. The default cipher list is “ALL”, which includes some insecure ciphers for backwards compatibility. The cipher list should be set manually to remove insecure ciphers. The recommended cipher list in order of preference includes:

On 6000 series hardware:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_SHA256
TLS_DHE_RSA_WITH_AES_128_SHA256

On hardware other than the 6000 series

TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

Note that the DHE ciphers provide perfect forward secrecy, which prevents the session from being decrypted later even if the private key is discovered. Following is an example of system->web-server-config:

        state                   enabled
        inactivity-timeout      5
        http-state              disabled
        http-port               80
        https-state             enabled
        https-port              443
        tls-profile             strong-ciphers-tls-profile

Configuration is detailed in Section 2 “Getting Started” of the ACLI Configuration Guide.

REST API

The REST API method of configuring and managing the SBC can only be used over HTTPS.