Security Specific Feature Sets

This section details security-focused feature sets on the SBC.

IDS Reporting

The SBC supports a wide range of intrusion detection and protection capabilities covering the vulnerability and attack profiles identified to date. The IDS reporting feature adds more detailed reporting of the intrusions the system detects, which serves enterprise customers that must report on the intrusions and suspicious behavior the SBC monitors. This feature requires the IDS Reporting license, which is included in new purchases but was not in some older deployments; verify that “IDS Advanced” appears in the output of the show features command.

See Appendix F: Intrusion Detection System for a detailed description of the functionality enabled. Configuration is also detailed in Section 15 “Security” of the ACLI Configuration Guide.

FIPS Feature (Optional)

FIPS is supported on the enterprise software release ECZ80 on the Acme Packet 1100, VME, Acme Packet 3900, Acme Packet 4600 and Acme Packet 6300 platforms. See “Oracle Enterprise Session Border Controller FIPS Compliance Guide”.

Administrative Security Features (Optional)

See “Oracle Enterprise Session Border Controller Administrative Security Guide”.

This feature set includes support for: multiple administrative users, enhanced password strength, password usage policies, user roles, management of administrative users, and serial console port control.

CAVEATS
  • This feature set requires the Admin Security license.
  • This feature set is not intended for all customers. Consult your Oracle Systems Engineer to understand the security and restriction ramifications of enabling these features.
  • The following system features are disabled: ACP (affects acquiring new configs from the HA peer); telnet and FTP access; operating system access.
  • Passwords can only be reset to factory defaults by running the diags image.
  • Deleting the Admin Security license alone does not remove its features; once the license has been enabled, the equipment must be returned to manufacturing to remove them.

With the Admin Security feature, access to the SBC is much more restrictive. For example, cleartext telnet and FTP logins are disabled in favor of SSH and SFTP. The SBC can be configured to lock out an interface when a threshold of unsuccessful login attempts is exceeded, and for how long the lockout lasts. The new user model for administrative login is single-user, single-class. The three supported local user names are user, admin and li-admin.

Login parameters are changed in the login-config element. When RADIUS login is enabled, local logins are disabled. Furthermore, when a local or RADIUS user logs into the system over the console or an SSH connection, a banner appears and must be acknowledged. The banner informs the user when they last logged in and whether there have been unsuccessful login attempts. Customers can also create a custom banner by uploading a banner.txt file to /code/banners (custom banners are available without the Admin Security license). Banners can be disabled by the customer. No banner appears for SFTP connections.
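The lockout and banner behaviour described in the two paragraphs above, modelled as an added example (not Oracle's code and not the SBC's implementation): an interface is locked after a threshold of consecutive failures for a configured period, and a successful login reports the previous login time and the unsuccessful attempts seen since. The threshold, lockout duration, interface and user names, and the event sequence are assumptions or constructed sample data.

```python
"""Lockout-after-N-failures and login-banner bookkeeping for local logins.

Added example, not Oracle's code: models the behaviour the text describes.
Threshold, lockout duration, interface/user names and the event list are
assumptions or constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class LoginConfig:
    max_failures: int = 3                      # assumed threshold
    lockout: timedelta = timedelta(minutes=5)  # assumed lockout duration


@dataclass
class InterfaceState:
    failures: int = 0                          # consecutive failures on this interface
    locked_until: Optional[datetime] = None


@dataclass
class UserState:
    last_login: Optional[datetime] = None
    failures_since_login: int = 0              # what the banner reports


class LoginTracker:
    def __init__(self, cfg: LoginConfig):
        self.cfg = cfg
        self.ifaces: Dict[str, InterfaceState] = {}
        self.users: Dict[str, UserState] = {}

    def locked(self, iface: str, now: datetime) -> bool:
        """True while the interface's lockout is in force; clears it once expired."""
        st = self.ifaces.setdefault(iface, InterfaceState())
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        st.locked_until, st.failures = None, 0   # lockout expired
        return False

    def attempt(self, iface: str, user: str, credential_ok: bool,
                now: datetime) -> Tuple[bool, Optional[str]]:
        """Return (accepted, banner). A banner is produced only on a successful login."""
        st = self.ifaces.setdefault(iface, InterfaceState())
        us = self.users.setdefault(user, UserState())
        if self.locked(iface, now):
            us.failures_since_login += 1
            return False, None          # refused regardless of the credential
        if not credential_ok:
            st.failures += 1
            us.failures_since_login += 1
            if st.failures >= self.cfg.max_failures:
                st.locked_until = now + self.cfg.lockout
            return False, None
        last = us.last_login.isoformat() if us.last_login else "never"
        banner = (f"Last login for {user}: {last}; "
                  f"{us.failures_since_login} unsuccessful attempt(s) since then")
        us.last_login, us.failures_since_login, st.failures = now, 0, 0
        return True, banner


def run_sample():
    """Constructed sequence: three bad passwords, a correct one during lockout, one after."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    tr = LoginTracker(LoginConfig())
    events = [
        (t0, "ssh", "admin", False),
        (t0 + timedelta(seconds=5), "ssh", "admin", False),
        (t0 + timedelta(seconds=10), "ssh", "admin", False),   # third failure locks ssh
        (t0 + timedelta(seconds=30), "ssh", "admin", True),    # correct, but refused
        (t0 + timedelta(minutes=6), "ssh", "admin", True),     # lockout expired
    ]
    return [tr.attempt(iface, user, ok, t) for t, iface, user, ok in events]


if __name__ == "__main__":
    for accepted, banner in run_sample():
        print(accepted, banner)
```

Because the lockout is keyed on the interface rather than on the account, repeated bad attempts from anyone deny every login on that interface for the configured duration; set the threshold and duration with that in mind and keep a second management path available.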

Upon initial login, passwords must be changed from the factory defaults. Password strength and history rules are imposed only on local users. Password aging is measured from the date of the last password change. The password-policy element is used to change password properties. With RADIUS enabled, user passwords are stored on the remote RADIUS server, not on the SBC, so the password policy does not apply when RADIUS logins are enabled.

Optionally, SSH public keys can be imported into the SBC. Parameters governing SSH re-keying are set in the ssh-config element; key aging is measured from the date the configuration was activated.

SFTP file access privileges are granted through a new RADIUS authentication VSA called Acme-User-Privilege. Its values (matched case-insensitively) are:
  • sftpForAudit - allows audit log access.
  • sftpForAccounting - allows system logs to be accessed.
  • sftpForHDR - allows HDR to be accessed.
  • sftpForAll - allows all logs to be accessed.

Furthermore, a new RADIUS authorization class called SystemAdmin is added for Acme-User-Class. It has the same permissions as admin except that it cannot access security-related information or issue “show security” commands. The login prompt for this user is ACMEPACKET$.
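The following is an added example, not Oracle's code, illustrating the Acme-User-Privilege and Acme-User-Class attributes above from the consuming side: it parses the Vendor-Specific attributes of a RADIUS Access-Accept, verifies the Response Authenticator before trusting anything in the packet (RFC 2865 section 3), maps the privilege value case-insensitively to the log categories it opens (default deny for unknown values), and separates SystemAdmin from admin for “show security”. The vendor ID and the sub-attribute numbers are placeholders, not taken from Oracle's RADIUS dictionary, and the packet and shared secret are constructed sample data.

```python
"""Parse Acme VSAs from a RADIUS Access-Accept and derive SFTP log access.

Added example, not Oracle's code. The vendor ID and sub-attribute numbers
below are placeholders; take the real values from Oracle's RADIUS dictionary.
"""
import hashlib
import hmac
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ACME_VENDOR_ID = 9148          # assumption (placeholder)
ACME_USER_CLASS = 254          # assumption (placeholder)
ACME_USER_PRIVILEGE = 253      # assumption (placeholder)

# Acme-User-Privilege value -> log categories an SFTP session may read (matched lower-cased).
PRIVILEGE_GRANTS = {
    "sftpforaudit": {"audit"},
    "sftpforaccounting": {"system"},
    "sftpforhdr": {"hdr"},
    "sftpforall": {"audit", "system", "hdr"},
}


def parse_attributes(payload: bytes) -> list:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("attribute length out of range")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def acme_attributes(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Return the Acme VSAs from a verified Access-Accept; raise on anything untrusted."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code != RADIUS_ACCESS_ACCEPT:
        raise ValueError("not a well-formed Access-Accept")
    if not verify_response_authenticator(packet, request_auth, secret):
        raise ValueError("response authenticator mismatch")
    found = {}
    for atype, aval in parse_attributes(packet[20:]):
        if atype != ATTR_VENDOR_SPECIFIC or len(aval) < 4:
            continue
        if struct.unpack("!I", aval[:4])[0] != ACME_VENDOR_ID:
            continue
        for vtype, vval in parse_attributes(aval[4:]):   # vendor sub-attributes share the TLV layout
            if vtype == ACME_USER_CLASS:
                found["user_class"] = vval.decode("ascii")
            elif vtype == ACME_USER_PRIVILEGE:
                found["user_privilege"] = vval.decode("ascii")
    return found


def sftp_grants(privilege):
    """Log categories opened by an Acme-User-Privilege value; unknown or absent grants nothing."""
    return PRIVILEGE_GRANTS.get((privilege or "").lower(), set())


def may_show_security(user_class):
    """Only admin may run 'show security'; SystemAdmin otherwise shares admin's rights."""
    return (user_class or "").lower() == "admin"


def build_accept(ident: int, request_auth: bytes, secret: bytes, vsas) -> bytes:
    """Constructed Access-Accept carrying Acme VSAs with a valid Response Authenticator."""
    body = b""
    for vtype, text in vsas:
        vsa = struct.pack("!I", ACME_VENDOR_ID) + bytes([vtype, 2 + len(text)]) + text
        body += bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


# Constructed sample exchange (not captured traffic).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE = build_accept(7, REQUEST_AUTH, SECRET,
                      [(ACME_USER_CLASS, b"SystemAdmin"), (ACME_USER_PRIVILEGE, b"SFTPforHDR")])

if __name__ == "__main__":
    attrs = acme_attributes(SAMPLE, REQUEST_AUTH, SECRET)
    print(attrs, sftp_grants(attrs.get("user_privilege")), may_show_security(attrs.get("user_class")))
```

The authenticator check is the part that matters operationally: an Access-Accept whose VSAs are read before the Response Authenticator is verified can be forged by anyone who can reach the SBC's RADIUS port, and RFC 2865 RADIUS protects only that digest, not the attribute contents, so the shared secret and the network path to the RADIUS server still need to be protected.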

The Admin Security license enables audit logs, which record all user-driven system events such as changes to configuration and public keys. It is recommended to configure push servers so that audit logs are periodically pushed to remote servers over SFTP.

Configuration is detailed in the Administrative Essentials.