3 Security Features

This section outlines specific SBC security mechanisms.

IKE Configuration

There are two ways to configure IKE security parameters. The first is to configure the security, ike, ike-interface configuration element directly. The second is to configure security, ike, ike-config, which defines IKE parameters globally for all ike-interface configuration elements. The following recommendations are the same for both configuration methods:
  • Use IKEv2 by setting ike-version to 2. IKEv2 is more secure than IKEv1.
  • Enable IKEv2 rekey by setting v2-rekey to enabled.
  • Ensure that the IKE SA rekey interval for IKEv2 is set: v2-ike-life-secs. The recommended value is 24 hours (86400 secs).
  • Ensure that the IPSec SA lifetime for IKEv2 is set: v2-ipsec-life-secs. The recommended value is one hour (3600 secs).
  • Use certificates for SBC authentication by setting sd-authentication-method to certificate. This is more secure than shared-password.

ike-config specific recommendations

The following recommendations apply only to the ike-config configuration element:
  • negotiation-timeout: Recommended value is 15 seconds or smaller
  • event-timeout: Recommended value is 60 seconds
  • anti-replay: Recommended value is enabled
  • overload-threshold: Recommended value is 85%
  • overload-interval: Recommended value is 30 seconds
  • overload-action: Recommended value is to drop new connections
  • overload-critical-threshold: Recommended value is 95%
  • overload-critical-interval: Recommended value is 30 seconds

ike-sainfo specific recommendations

The ike-sainfo configuration element is used for IPSec security associations negotiated by IKEv2. The following recommendations apply:
  • security-protocol: Recommended value is esp-auth
  • auth-algo: Recommended value is either sha2-256 or sha2-384
  • encryption-algo: Recommended value is aes-ctr
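The recommendations above for ike-interface, ike-config and ike-sainfo can be checked mechanically against an exported configuration. The following audit script is an added example and not Oracle's own tooling; it assumes the configuration has been parsed into a dict keyed by element and parameter name (a constructed layout, not the SBC's export format), treats rekey intervals shorter than the recommended lifetime as acceptable, and uses a placeholder token for the overload-action value.

```python
# Added example, not Oracle's own tooling: audit a parsed SBC IKE configuration
# against this section's recommendations. Dict layout is a constructed stand-in.
OVERLOAD_ACTION_DROP = "drop-new-connection"  # placeholder; use your SBC's own value
COMMON_RULES = [  # apply to ike-interface and to a global ike-config alike
    ("ike-version", lambda v: v == 2, "2 (IKEv2)"),
    ("v2-rekey", lambda v: v == "enabled", "enabled"),
    ("v2-ike-life-secs", lambda v: v is not None and 0 < v <= 86400, "<= 86400 s"),
    ("v2-ipsec-life-secs", lambda v: v is not None and 0 < v <= 3600, "<= 3600 s"),
    ("sd-authentication-method", lambda v: v == "certificate", "certificate"),
]
IKE_CONFIG_RULES = [
    ("negotiation-timeout", lambda v: v is not None and 0 < v <= 15, "<= 15 s"),
    ("event-timeout", lambda v: v == 60, "60 s"),
    ("anti-replay", lambda v: v == "enabled", "enabled"),
    ("overload-threshold", lambda v: v == 85, "85 %"),
    ("overload-interval", lambda v: v == 30, "30 s"),
    ("overload-action", lambda v: v == OVERLOAD_ACTION_DROP, OVERLOAD_ACTION_DROP),
    ("overload-critical-threshold", lambda v: v == 95, "95 %"),
    ("overload-critical-interval", lambda v: v == 30, "30 s"),
]
SAINFO_RULES = [
    ("security-protocol", lambda v: v == "esp-auth", "esp-auth"),
    ("auth-algo", lambda v: v in ("sha2-256", "sha2-384"), "sha2-256 or sha2-384"),
    ("encryption-algo", lambda v: v == "aes-ctr", "aes-ctr"),
]
RULES_BY_ELEMENT = {"ike-interface": COMMON_RULES,
                    "ike-config": COMMON_RULES + IKE_CONFIG_RULES, "ike-sainfo": SAINFO_RULES}

def audit_ike(cfg):
    """Return (element, parameter, observed, expected) for every deviation found."""
    findings = []
    for element, rules in RULES_BY_ELEMENT.items():
        if element not in cfg:  # element not configured on this SBC: nothing to check
            continue
        for param, ok, expected in rules:
            observed = cfg[element].get(param)  # None when the parameter is missing
            if not ok(observed):
                findings.append((element, param, observed, expected))
    return findings

# Constructed sample: IKEv1 with a shared secret, rekey off, SHA-1 integrity.
WEAK_CONFIG = {
    "ike-interface": {"ike-version": 1, "v2-rekey": "disabled", "v2-ike-life-secs": 86400,
                      "v2-ipsec-life-secs": 3600, "sd-authentication-method": "shared-password"},
    "ike-sainfo": {"security-protocol": "esp-auth", "auth-algo": "sha1", "encryption-algo": "aes-ctr"},
}
if __name__ == "__main__":
    for element, param, observed, expected in audit_ike(WEAK_CONFIG):
        print(f"{element}/{param}: got {observed!r}, expected {expected}")
```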