15 R226 Security Recommendation Compliance
The Oracle Communications Session Border Controller (SBC) provides functionality designed to comply with the R226 recommendations, a set of information technology security standards developed by the National Cybersecurity Agency of France (ANSSI).
This chapter presents the following features, which align with R226 recommendations to harden the operational security of the SBC. The features presented here require that you enable the ANSSI R226 Compliance entitlement.
- Bootparameter Security
- SIPREC Licensing—SIPREC cannot be used on a system without a license. The purpose of this is to present a barrier that requires external approval before an SBC user can configure and use SIPREC.
- SFTP Access Restrictions
Bootparam Security
An Oracle Communications Session Border Controller ignores attempts to modify security-related boot flags from the ACLI. The SBC still supports changing security-related boot flags through the bootloader.
Table 15-1 Security-Related Boot Flags

| Boot flag | Description |
|---|---|
| 0x00000001 | Disable all security filtering on all network interfaces |
| 0x00000010 | Enable direct Linux login on port 2200 via SSH for debugging |
| 0x00000020 | Enable the debug console |
| 0x01000000 | Enable SFTP access to protected files and directories |
| 0x20000000 | Enter failsafe mode |
| 0x40000000 | Boot directly to the Linux shell |
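The following is an added audit helper, not Oracle's code, that decodes a bootparam flag value against the security-related bits in Table 15-1 so an operator can see which protections a given value would bypass. The bit-to-description mapping is taken from the table; the function names, the "unlisted bits" check and the sample values are assumptions constructed for illustration.

```python
# Added example (not Oracle's code): decode an SBC bootparam flag value against the
# security-related bits listed in Table 15-1 and flag any bits the table does not
# describe, so the full effect of a proposed value is visible before it is applied.

# Bit -> description, taken from Table 15-1.
SECURITY_BOOT_FLAGS = {
    0x00000001: "Disable all security filtering on all network interfaces",
    0x00000010: "Enable direct Linux login on port 2200 via SSH for debugging",
    0x00000020: "Enable the debug console",
    0x01000000: "Enable SFTP access to protected files and directories",
    0x20000000: "Enter failsafe mode",
    0x40000000: "Boot directly to the Linux shell",
}


def parse_flag_value(text: str) -> int:
    """Accept the hex form used in the table ("0x01000020") or a plain decimal string."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def decode_boot_flags(value: int) -> list:
    """Return the descriptions of every security-related flag set in `value`, in table order."""
    return [desc for bit, desc in SECURITY_BOOT_FLAGS.items() if value & bit]


def unlisted_bits(value: int) -> int:
    """Bits set in `value` that Table 15-1 does not describe; not necessarily harmful, but worth a look."""
    known = 0
    for bit in SECURITY_BOOT_FLAGS:
        known |= bit
    return value & ~known


def audit_boot_flags(text: str) -> dict:
    """Summarise a flag value: which security bypasses it enables and whether it keeps the hardened posture."""
    value = parse_flag_value(text)
    enabled = decode_boot_flags(value)
    return {
        "value": value,
        "enabled": enabled,
        "unlisted_bits": unlisted_bits(value),
        # Hardened posture: none of the security-bypass flags from the table are set.
        "hardened": not enabled,
    }


if __name__ == "__main__":
    # Constructed sample values: clean, SFTP access + debug console, and shell boot + filtering off.
    for sample in ("0x00000000", "0x01000020", "0x40000001"):
        result = audit_boot_flags(sample)
        state = "hardened" if result["hardened"] else "NOT hardened"
        print(sample, state, result["enabled"], hex(result["unlisted_bits"]))
```

Because the page says ACLI changes to these flags are ignored once the entitlement is on, the realistic use is reviewing a value before a bootloader change during a planned reboot, or comparing a recorded value against the expected all-zero posture.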
R226 and SIPREC License Management
Enabling the R226 Certification self-entitlement disables the ability to enable SIPREC through the self-entitlement mechanism.
- The R226 entitlement cannot be disabled through the self-entitlement mechanism.
- Any previously installed SIPREC entitlement is flushed from the system.
- SIPREC is no longer an option under the setup entitlements command.
- SIPREC can only be enabled with a license key.
To disable the R226 self-entitlement, contact Oracle Support and follow the factory reset instructions in the Admin Security Guide.
SFTP Access Restrictions
In the default restricted mode, the user and admin factory accounts are restricted from adding, deleting, renaming, modifying, viewing, or listing sensitive system files when accessing the file system with SFTP. Set the boot flag to 0x01000000 to allow access to sensitive files. If the ANSSI R226 Compliance entitlement is enabled, boot flags can only be set through the bootloader during a reboot.
SHA-2 Authentication-Password Hashing
The Oracle Communications Session Border Controller supports SHA-2 hashing of user login passwords. The SBC hashes passwords using a randomly generated salt with 65532 iterations of the SHA-512 algorithm.
Enabling SHA-2 Password Hashing
Passwords are changed with the secret login command. All newly set passwords are hashed with SHA-2, the SHA-1 hash is removed, and thereafter the SBC uses SHA-2 to validate the password for that user. Oracle recommends that all users change their passwords after upgrading the system.
WARNING:
Regarding upgrades to this software, versions of Session Delivery Manager prior to SDM 8.1 do not support managing SHA-2 enabled SBCs. To manage an SBC, you must use SDM 8.1 with basic authentication.
WARNING:
If you downgrade to a release that only supports SHA-1 hashing after a user login password has been SHA-2 hashed, users will be locked out until all passwords are cleared. To clear passwords, contact Oracle Support.
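The following is an added illustration, not Oracle's code, of the scheme the section describes: a per-user random salt, 65532 iterations of SHA-512, constant-time verification, and a check for records still in an older format that should be rehashed on the next successful login. The record layout ("sha512$<iterations>$<salt-hex>$<digest-hex>"), the way the salt is chained into each iteration, and the function names are assumptions made for this example; the SBC's actual on-disk format is not documented on this page.

```python
# Added example (not Oracle's code): salted, iterated SHA-512 password hashing with
# constant-time verification, modelled on the description in this section. The
# record format and the chaining of salt into each round are assumptions.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 65532  # iteration count stated on the page
SALT_BYTES = 16     # assumed salt length; the page only says the salt is random
SCHEME = "sha512"


def _iterate_sha512(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hash salt||password, then feed each digest (with the salt) back into SHA-512."""
    digest = hashlib.sha512(salt + password).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512(digest + salt).digest()
    return digest


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Create a storable record; a fresh random salt is drawn unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = _iterate_sha512(password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the record's own salt and iteration count; compare in constant time."""
    try:
        scheme, iterations_text, salt_hex, digest_hex = record.split("$")
        if scheme != SCHEME:
            return False  # e.g. a legacy record this code does not understand
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_text)
    except ValueError:
        return False  # malformed record: wrong field count, bad hex or bad integer
    actual = _iterate_sha512(candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True for records not yet in the current scheme/iteration count, mirroring the
    page's upgrade behaviour where the old SHA-1 hash is replaced once a password is set."""
    parts = record.split("$")
    return not (len(parts) == 4 and parts[0] == SCHEME and parts[1] == str(ITERATIONS))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record)
    print("verify ok:", verify_password(record, "correct horse battery staple"))
    print("verify wrong:", verify_password(record, "wrong password"))
    print("needs rehash:", needs_rehash(record))
```

The downgrade warning above follows directly from `verify_password`: a release that only understands the older format sees every new-style record as unparseable and rejects all logins, which is why the page says such users stay locked out until the passwords are cleared.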