15 R226 Security Recommendation Compliance

The Oracle Communications Session Border Controller (SBC) provides functionality designed to comply with the R226 recommendations, a set of Information Technology Security Standard developed by the National Cybersecurity Agency of France (ANSSI)

This chapter presents the following features, which align with R226 recommendations to harden the operational security of the SBC. The features presented here require that you enable the ANSSI R226 Compliance entitlement.

• Bootparameter Security
• SIPREC Licensing—SIPREC cannot be used on a system without a license. The purpose of this is to present a barrier that requires external approval before an SBC user can configure and use SIPREC.
• SFTP Access Restrictions

SBC features associated with R226 compliance, but not requiring the ANSSI R226 Compliance entitlement are listed below with pointers to their description and configuration documentation:

• Restricting Logon to TACACS
• TACACS+ over IPsec for wancom0
• SHA-2 Authentication-Password Hashing
• Manage SSH Keys
• Securing Communications Between the SBC and SDM with TLS
• The set-boot-loader, backup-boot-loader, and delete-boot-file command

Bootparam Security

An Oracle Communications Session Border Controller ignores attempts to modify security related boot flags from the ACLI. The SBC still supports changing security related boot flags through the bootloader.

Table 15-1 Security Related Boot flags

Boot flag	Description
0x00000001	Disable all security filtering on all network interfaces
0x00000010	Enable direct Linux login on port 2200 via SSH for debugging
0x00000020	Enable the debug console
0x01000000	Enable SFTP access to protected files and directories
0x20000000	Enter failsafe mode
0x40000000	Boot directly to the Linux shell

R226 and SIPREC License Management

Enabling the R226 Certification self-entitlement disables the ability to enable SIPREC through the self-entitlement mechanism.

Once the R226 entitlement is enabled:

• The R226 entitlement cannot be disabled through the self-entitlement mechanism.
• Any previously installed SIPREC entitlement is flushed from the system.
• SIPREC is no longer an option under the setup entitlements command.
• SIPREC can only be enabled with a license key.

To disable the R226 self-entitlement, contact Oracle Support and follow the factory reset instructions in the Admin Security Guide.

SFTP Access Restrictions

In the default restricted mode, the user and admin factory accounts are restricted from adding, deleting, renaming, modifying, viewing, or listing sensitive system files when accessing the file system with SFTP. Set the boot flag to 0x01000000 to allow access to sensitive files. If the ANSSI R226 Compliance entitlement is enabled, boot flags can only be set through the bootloader during a reboot.

SHA-2 Authentication-Password Hashing

The Oracle Communications Session Border Controller supports SHA-2 hashing of user login passwords. The SBC hashes passwords using a randomly generated salt with 65532 iterations of the SHA-512 algorithm.

Enabling SHA-2 Password Hashing

Passwords are changed with the secret login command. All newly set passwords are hashed with SHA-2, the SHA-1 hash is removed, and thereafter the SBC uses SHA-2 to validate the password for that user. Oracle recommends that all users change their passwords after upgrading the system.

WARNING:

Regarding upgrades to this software, versions of Session Deliver Manager prior to SDM 8.1 do not support managing SHA-2 enabled SBCs. To manage an SBC, you must use SDM 8.1 with basic authentication.

WARNING:

If you downgrade to a release that only supports SHA-1 hashing after a user login password has been SHA-2 hashed, users will be locked out until all passwords are cleared. To clear passwords, contact Oracle Support.