RedMax EXtreme EX-LRT Troubleshooting Guide Page 1

Browse online or download the Troubleshooting Guide for RedMax EXtreme EX-LRT grass trimmers. RedMax EXtreme EX-LRT Troubleshooting guide User manual


Content summary

Page 1 - SECURITY GUIDE

Oracle SBC Security Guide ORACLE® ACME PACKET SBC FAMILY SECURITY GUIDE July 2014

Page 2

Oracle SBC Security Guide • Per-device signaling and media overload control, with deep packet inspection and call rate control to prevent DoS attack

Page 3 - Contents

Oracle SBC Security Guide Description Raw message Transfer of an HDR file failed because the key used for authentication is incorrect May 3 17:20:11

Page 4

Oracle SBC Security Guide Error reading an internal temperature sensor. There may be a motherboard issue. Error reading LM75 Device! Error reading an

Page 5

Oracle SBC Security Guide Minor session usage threshold session usage xx percent is over minor threshold of xx percent. Critical deny ACL allocation

Page 6

Oracle SBC Security Guide o Party that disconnects the call o 0 = unknown, 1 = calling party, 2 = called party, 3 = internal

Page 7 - Related Documentation

Oracle SBC Security Guide Appendix J: Historical Data Records (HDR) HDR refers to a management feature that collects statistics about SBC system ope

Page 8 - Part 1: Overview

Oracle SBC Security Guide 1369336364,404 Not Found ,0,0 1369336364,405 Not Allowed ,0,0 1369336364,406 Not Acceptable ,0,0 1369336364,407

Page 9 - Figure 1: Net-SAFE Framework

Oracle SBC Security Guide Appendix K: ACLI Commands for Monitoring Data available via HDR, SNMP, CDR, or Syslog is usually sufficient for analysis a

Page 10 - General Security Principles

Oracle SBC Security Guide • show sipd errors o Error count related to SIP Media • show mbcd realms o Displays media (RTP) related information pre

Page 11 - Monitor System Activity

Oracle SBC Security Guide Appendix L: SRTP Configuration and Troubleshooting Introduction The Secure Real-time Transport Protocol (SRTP) provides en

Page 12

Oracle SBC Security Guide If SRTP is enabled for the inbound realm/interface, the SBC will handle the request according to the capabilities defined

Page 13 - Session Border Controller

Oracle SBC Security Guide Administrators are the only ones who have any sort of system logon permissions. The system provides Role Based Access Contr

Page 14 - Unified Session Manager

Oracle SBC Security Guide If the configuration specifies “pass-through” mode, the SBC will not intercept the crypto attribute exchange between the c

Page 15 - Core Session Manager

Oracle SBC Security Guide Software Requirements S-CX6.2.0 software image or higher is required to support SRTP termination on the SD. It is always re

Page 16 - Realm Design Considerations

Oracle SBC Security Guide srtp-encrypt enabled srtcp-encrypt enabled egress-offer-format same-as-ingress use-ing

Page 17 - Management Interfaces

Oracle SBC Security Guide There is a warning in the verify-config when a security-policy has the remote-ip-addr-match set to 0.0.0.0, which we can sa

Page 18 - Boot Flags

Oracle SBC Security Guide The main aspects treated here focused on which traffic is desired under a realm, so each design needs to consider the follo

Page 19 - GUI Management

Oracle SBC Security Guide (media-sec-policy)# show media-sec-policy name removeCrypto pass-through

Page 20 - Resiliency

Oracle SBC Security Guide Where “sdes1” is the configured sdes-profile used for this implementation. In the same way, mikey-profile could be used if

Page 21 - Physical Link Redundancy

Oracle SBC Security Guide Note that in the case where the SIP traffic runs on a different IP/Subnet from media, then this second security-policy for

Page 22 - Part 3: Security Features

Oracle SBC Security Guide The “mode” under the media-sec-policy should be set to ANY. Also, the profile should be configured with the sdes/mikey-prof

Page 23

Oracle SBC Security Guide name SRTP1 pass-through disabled inbound

Page 24 - Security Specific Licenses

Oracle SBC Security Guide overwhelm network devices. A UC demarcation device can ensure continued service availability by identifying DoS and DDoS at

Page 25

Oracle SBC Security Guide trans-protocol-match UDP direction both local-ip-mask

Page 26 - Features

Oracle SBC Security Guide To simplify the use of this BCP, no other elements are configured in this case, so no redundancy or DDoS prevention are con

Page 27 - Configuring AAA Integration

Oracle SBC Security Guide Secured-network parameter is set to ENABLED under the access sip-interface and ENABLED on the core sip-interface. Only one

Page 28 - SIP Interface Security

Oracle SBC Security Guide To troubleshoot SRTP on the Session Border Controller, following commands can be used: • Log.secured provides logs of the

Page 29 - Service ACLs

Oracle SBC Security Guide encr-algo : aes-128-ctr auth-algo : hmac-sha1 auth-tag-length : 80 flags - ms: 5

Page 30

Oracle SBC Security Guide 04 00000000 00000000 00000001 Enhanced Traffic Controller (ETC) NIU support Hardware and software support

Page 31 - TLS for SIP

Oracle SBC Security Guide bad-param : 0 alloc-fail : 0 dealloc-fail : 0 t

Page 32

Oracle SBC Security Guide write-failed : 0 parse-err : 0 encode-err : 0 p

Page 33 - IPsec for SIP

Oracle SBC Security Guide Collapsed : false SRTCP Only : true Crypto In ------------------ de

Page 34 - Call Admission Control (CAC)

Oracle SBC Security Guide ARP Wait Errors 0 0 0 Exp CAM Not Found 0 0 0 Drop Unknown Exp Flow

Page 35 - DoS/DDoS Prevention

Oracle SBC Security Guide Part 2: Secure Installation and Configuration Recommended Deployment Topologies This section outlines the planning process

Page 36 - Lawful Interception

Oracle SBC Security Guide 22:29:44-172 MBCD Status -- Period -- -------- Lifetime -------- Active High Total

Page 37 - Part 4: Appendices

Oracle SBC Security Guide Exp Flow Events 1 1 1 Exp Flow Not Found 0 0 0 Transaction Timeouts

Page 38 - Appendix B: Port Matrix

Oracle SBC Security Guide Requests sent 1 1 1 Req retransmissions 0 0 0 Replies received

Page 39

Oracle SBC Security Guide VLAN_flow_key : 980 Protocol_flow_key : 17 Ingress_flow_key : 1 Ingress Slot : 1 Ingress Port : 0 NAT IP Flo

Page 40 - Configuration Parameters

Oracle SBC Security Guide IFD 0x00000005: acceptCount = 0x00001f35 ---------------------------------------------- dump-etc-stats This command

Page 41 - SIP Interface

Oracle SBC Security Guide Mgt_Cfg : addr(0xd8010b40): 0x00000000 Uni_Addr_Word0 : addr(0xd8010b80): 0x00000000 Uni_Addr_Word1 : addr(0xd8010b8

Page 42

Oracle SBC Security Guide PHY Stats on ch7: PHY Stats on ch7: Ctl_Reg : addr(0xd801f000): 0x00001140 Status_Reg : addr(0xd801f004): 0x000001e8 P

Page 43

Oracle SBC Security Guide PPMs: ppmid_debug[2]: 33 ppmid_debug[3]: 23 ppmid_errors[4]: 30036 ppmid_debug[5]: 2737 Exceptions

Page 44

Oracle SBC Security Guide ------------------- Octeon PPM Statistics---------------------------- --------------- SRTP_E stats ------------------- all

Page 45

Oracle SBC Security Guide Memory Details: Memory Size: 4010 MB FW Init Size: 1187 MB PPMs Init Size: 192 MB Memory Avail: 2631 MB (26947

Page 46

Oracle SBC Security Guide Access In an access model the SBC is contacted by a SIP endpoint to relay endpoint signaling information. The IP address o

Page 47

Oracle SBC Security Guide Octeon Command Tx Packets: 22 Octeon Command Tx Failed: 0 Octeon Tx MsgQ Tx Failed: 0 Octeon Tx MsgQ Rx Fa

Page 48

Oracle SBC Security Guide number of mbufs: 5000 number of times failed to find space: 0 number of times waited for space: 0 number of times drained p

Page 49 - Observations/Limitations

Oracle SBC Security Guide dump-etc-stats ipt show all show ip connection show mbcd all show security ipsec debug References [1] Oracle, “Net-Net 4000

Page 50

Oracle SBC Security Guide Core Session Manager The Core Session Manager, which should never be positioned at a network edge, is used as a core sessi

Page 51

Oracle SBC Security Guide Session Router The Session Router is a “pure” SIP session router that can be positioned in either a core network or at netw

Page 52

Oracle SBC Security Guide A few of the general rules for Realm design include: • Separate endpoints into realms based on trust level (high, medium,

Page 53

Oracle SBC Security Guide Passwords The SBC provides two levels of user accounts through the Acme Packet Command Line Interface (ACLI): User and Supe

Page 54

Oracle SBC Security Guide • 0x10 – Enables a second sshd server that provides access to the linux system console. This server process is different f

Page 55

Oracle SBC Security Guide Copyright ©2014, 2012, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provi

Page 56

Oracle SBC Security Guide are not used. If the SBCs are deployed in HA configuration, then the remote-control parameter needs to be enabled for the a

Page 57

Oracle SBC Security Guide VPN should be implemented for session replication, and thorough testing should be conducted to understand impacts to sessio

Page 58

Oracle SBC Security Guide Part 3: Security Features This section outlines specific SBC security mechanisms. The Security Model The Oracle Communic

Page 59

Oracle SBC Security Guide • Multi-queue access fairness for unknown traffic • Automatic behaviorally driven promotion/demotion/denial of devices •

Page 60

Oracle SBC Security Guide • cache-challenges and reg-overload-protect: The SBC will temporarily promote the endpoint to trusted level after the regi

Page 61 - Deployment Archetypes

Oracle SBC Security Guide report on intrusions and suspicious behavior that it currently monitors. This feature requires the IDS Reporting license, w

Page 62

Oracle SBC Security Guide • sftpForHDR - allows HDR to be accessed. • sftpForAll - allows all logs to be accessed. Furthermore, a new RADIUS author

Page 63 - Scanner Mitigation

Oracle SBC Security Guide naming policies. All management stations used for accounting monitoring services should have a permit ACL configured. Confi

Page 64

Oracle SBC Security Guide authorization response. If TACACS+ grants authorization, the pending command is executed; if authorization is not granted,

Page 65

Oracle SBC Security Guide Session constraints should be applied to the sip-interface to limit the max-sessions, max-burst-rate, max-sustain-rate, and

Page 66

Oracle SBC Security Guide Contents Part 1: Overview ...

Page 67

Oracle SBC Security Guide Figure 2: ACL and Realm scenario Table 1: IP .111 permitted in ACL Realm Trust Level ACL Trust Level src:100 src:111 none

Page 68 - Peering Environments

Oracle SBC Security Guide low medium Permit Deny low high Permit Deny medium none Permit Deny medium low Permit Deny medium medium Permit Deny medium

Page 69

Oracle SBC Security Guide • A Signaling Security Module (SSM) daughter card is required for cryptographic acceleration when using TLS (with the exce

Page 70 - Dependencies

Oracle SBC Security Guide The protocol specifies the data exchanged between an OCSP client (such as the Net-Net SBC) and an OCSP responder, the Certi

Page 71 - SNMP MIB OIDS

Oracle SBC Security Guide The following IKEv1 functionality is supported: • IKE pre-shared secret support • IKE/ISAKMP Main Mode support • IKE/ISA

Page 72 - SNMP Traps

Oracle SBC Security Guide The session-agent's max-burst-rate and max-sustain-rate are used to throttle the calls per second (CPS) of traffic sen

Page 73

Oracle SBC Security Guide Attacks can be prevented through configuration of Access Control Lists, appropriately sized traffic queues, and trust level

Page 74

Oracle SBC Security Guide Part 4: Appendices Appendix A: Secure Deployment Checklist The following security checklist includes guidelines that help

Page 75 - Session-Constraints

Oracle SBC Security Guide Appendix B: Port Matrix Ethernet Ports Protocol Service Optional Configurable Port Default Port State Server or Client De

Page 76 - Rate constraints

Oracle SBC Security Guide Ethernet Ports Protocol Service Optional Configurable Port Default Port State Server or Client Description Services Ports 8

Page 77

Oracle SBC Security Guide Part 3: Security Features ...

Page 78 - Message Rejections

Oracle SBC Security Guide Appendix C: DDoS Prevention for Peering Environments Configuration Models: The settings outlined in this appendix apply to

Page 79 - Log Action

Oracle SBC Security Guide The recommended values for these media-manager parameters for each test scenario are listed later by system model. Paramet

Page 80

Oracle SBC Security Guide The following sip-interface->sip-ports parameter SHOULD be used for Peering environments. Setting “allow-anonymous” to

Page 81

Oracle SBC Security Guide Define a number to set the maximum rate of call (per second) this session agent will allow. Once the rate limit is reached,

Page 82

Oracle SBC Security Guide NN 4250 64k CAM 1G memory w/single copper GigE Platform NN 4250 CAM 64K Memory 1G Software Release 6.2.0m4 Configuration

Page 83

Oracle SBC Security Guide NN 4250 256k CAM 2G memory w/single copper GigE Platform NN 4250 CAM 256K Memory 2G Software Release 6.2.0m4 Configurati

Page 84

Oracle SBC Security Guide NN 4500 CPU-1 256k CAM 3G memory w/copper GigE Platform NN 4500 CPU-1 CAM 256K Memory 3G Software Release 6.2.0m4 Config

Page 85

Oracle SBC Security Guide NN 4500 CPU-2 256k CAM 3G memory w/copper GigE Platform NN 4500 CPU-2 CAM 256K Memory 3G Software Release 6.2.0m4 Config

Page 86 - Blacklist Table Maintenance

Oracle SBC Security Guide NN 3820 128k CAM 3G memory – copper single GigE Platform NN 3820 CAM 128K Memory 3G Software Release 6.2.0m4 Configurati

Page 87

Oracle SBC Security Guide NN 6300 724k CAM 16G memory – copper single GigE Platform NN 6300 CAM 724K Memory 16G Software Release 7.1.2 Configurati

Page 88 - System Management Statistics

Oracle SBC Security Guide Realm Configuration ...

Page 89 - Realm Statistics

Oracle SBC Security Guide from one customer to the next. Please contact your Sales Representative for more information on Professional Services avail

Page 90 - Enterprise SNMP Traps

Oracle SBC Security Guide Appendix D: DDoS Prevention for Access or Hybrid Environments Configuration Models: The settings outlined in this appendix

Page 91

Oracle SBC Security Guide The following are Media Manager parameters that have platform specific defaults. For this appendix, these defaults will be

Page 92

Oracle SBC Security Guide show acl info Access Control List Statistics: | # of entries | % utilization | Reserved Entry Co

Page 93 - SNMP Traps in HA environment

Oracle SBC Security Guide NN 4250 64k CAM 1Gb memory w/single copper GigE Platform NN 4250 CAM 64K Memory 1Gb Software Release S-C6.2.0m4 Configura

Page 94 - Appendix I: Syslog

Oracle SBC Security Guide NN 4250 256k CAM 2Gb memory w/single copper GigE Platform NN 4250 CAM 256K Memory 2Gb Software Release S-C6.2.0m4 Configu

Page 95

Oracle SBC Security Guide NN 4500 CPU-1 256k CAM 3Gb memory w/copper GigE Platform NN 4500 CPU-1 CAM 256K Memory 3Gb Software Release S-CX6.2.0m4 and

Page 96

Oracle SBC Security Guide NN 4500 CPU-2 256k CAM 3Gb memory w/copper GigE Platform NN 4500 CPU-2 CAM 256K Memory 3Gb Software Release S-CX6.2.0m4 and

Page 97

Oracle SBC Security Guide Configuration Model PBRB SSNHTN SNB media-manager max-signaling-bandwidth 1041040 options/s 3080 bytes/option 338 max-untru

Page 98

Oracle SBC Security Guide NN 6300 724k CAM 16G memory – copper single GigE Platform NN 6300 CAM 724K Memory 16G Software Release 7.1.2 Configurati

Page 99

Oracle SBC Security Guide Thresholds and Trending Analysis ...

Page 100

Oracle SBC Security Guide avalanche from untrusted sources, temporary promotion based on the initial REGISTER request sent from a specific source hel

Page 101

Oracle SBC Security Guide Appendix E: Mitigating SIP Attacks Goals The goal of this appendix is to provide configuration recommendations to be imple

Page 102 - Call Detail Records (CDR)

Oracle SBC Security Guide peering does happen over an untrusted network, such as OTT, the ACL entry drops incoming requests from unknown sources. It

Page 103 - Oracle SBC Security Guide

Oracle SBC Security Guide Not all endpoints support installation of third party certificates or TLS encryption, and it may be difficult for an organi

Page 104

Oracle SBC Security Guide Basic DDoS configuration settings are outlined in the other appendices. However, for the best DDoS protection, the configur

Page 105

Oracle SBC Security Guide Some customers have asked about using the “reject” action in HMRs to send a “677 Rogue” response rather than routing to a d

Page 106 - Application Statistics

Oracle SBC Security Guide action add comparison-type boolean msg-type

Page 107

Oracle SBC Security Guide . in-translationid out-translationid in-manipulationid addRouteHeader Session Agent:

Page 108 - SRTP Topologies

Oracle SBC Security Guide become trusted through SIP registration. The untrusted-signal-threshold value should be confirmed by collecting and analyzi

Page 109

Oracle SBC Security Guide access-control realm-id peer description source-address

Page 110 - Requirements

Oracle SBC Security Guide Related Documentation The following table lists related documentation. Document Name Document Description ACLI Configuratio

Page 111 - Design Aspects

Oracle SBC Security Guide Appendix F: Intrusion Detection System The SBC supports intrusion detection and protection capabilities using anomaly base

Page 112

Oracle SBC Security Guide 3. It receives too many signaling messages from an untrusted source within the configured time window (untrusted-signal-th

Page 113

Oracle SBC Security Guide SNMP Traps Enabling the trap-on-demote-to-deny parameter located in the media-manager-config configuration element enables

Page 114 - Secured/Unsecured Network

Oracle SBC Security Guide Jan 15 12:22:48 172.30.60.12 ACMESYSTEM sipd[1c6e0b90] WARNING SigAddr[access:192.168.24.40:0=low:DENY] ttl=3632 guard=798

Page 115

Oracle SBC Security Guide Per-endpoint Call Admission Control The SBC can demote endpoints from trusted to untrusted, or untrusted to denied queues w

Page 116

Oracle SBC Security Guide • Whether the assigned trust level is denying more than one endpoint (e.g. issues with NAT) • CAC or session count thresh

Page 117

Oracle SBC Security Guide • max-sustain-rate—maximum rate of session invitations allowed within the current window for this constraint • max-inboun

Page 118

Oracle SBC Security Guide Oracle recommends configuration of INVITE and REGISTER method rate constraints on session agents. For SIP access deployment

Page 119

Oracle SBC Security Guide Session Agent 192.168.60.10() [In Service] -- Period -- -------- Lifetime --------

Page 120

Oracle SBC Security Guide Reject actions may also indirectly generate SNMP traps. Two parameters in the session-router-config define how many message

Page 121

Oracle SBC Security Guide Part 1: Overview Product Overview The Oracle Session Border Controller (SBC) family of products are designed to increase s

Page 122 - Troubleshooting

Oracle SBC Security Guide This feature can be used to log important details from specific suspicious users, such as well-known SIP User-Agents, call

Page 123

Oracle SBC Security Guide Appendix G: Blacklisting with Local Routing Tables Several industry groups such as the GSMA Fraud Forum and the Communicat

Page 124

Oracle SBC Security Guide policy-attribute next-hop lrt:blacklist;key=$FROM realm

Page 125

Oracle SBC Security Guide media-profiles lookup single next-key

Page 126

Oracle SBC Security Guide <next type="regex">!(^.*$)!sip:\[email protected]!</next> </route> </localRoutes> Once

Page 127

Oracle SBC Security Guide element-rule name logstatus parameter-name type

Page 128

Oracle SBC Security Guide inside a 30 second window. This is an indicator that the administrator should examine the matched.log file to determine the

Page 129

Oracle SBC Security Guide After applying a new LRT, verify it by running the same command as above “show lrt route-entry blacklist 3712900” at the A

Page 130

Oracle SBC Security Guide Appendix H: Simple Network Management Protocol (SNMP) SNMP OIDs Simple Network Management Protocol (SNMP) polling (GET and

Page 131

Oracle SBC Security Guide o Number of messages rejected by the SBC due to matching criteria apSysStorageSpaceTable (1.3.6.1.4.1.9148.3.2.1.1.23) apS

Page 132

Oracle SBC Security Guide Figure 1: Net-SAFE Framework The Net-SAFE Framework spans seven general functions: 1. Denial of Service (DoS) protection

Page 133

Oracle SBC Security Guide • apSigRealmStatsPeriodASR (1.3.6.1.4.1.9148.3.2.1.2.4.1.18) o The answer-to-seizure ratio expressed as a percentage duri

Page 134

Oracle SBC Security Guide • enable-snmp-syslog-notify – enable syslog conversion to SNMP • enable-snmp-monitor-traps – enable unique trap-IDs for e

Page 135

Oracle SBC Security Guide o Generated if the system temperature falls below the monitoring level. • apSysMgmtFanTrap (1.3.6.1.4.1.9148.3.2.6.0.3) o

Page 136

Oracle SBC Security Guide • apLicenseApproachingCapacityNotification (1.3.6.1.4.1.9148.3.5.3.0.1) o Generated when the total number of active sessi

Page 137

Oracle SBC Security Guide Appendix I: Syslog The SBC can be configured to send system event logs to logging servers [1]. It is recommended to config

Page 138

Oracle SBC Security Guide Description Raw message An endpoint exceeded a defined constraint and was blacklisted. This is the result of DoS configurat

Page 139

Oracle SBC Security Guide Description Raw message The sipShield SPL plug-in (v1.3) detected a message from a known SIP scanner and dropped it Mar 28

Page 140

Oracle SBC Security Guide Description Raw message A message was rejected by the SD. The status code and reason given in parenthesis will change based

Page 141

Oracle SBC Security Guide Description Raw message A user entered enable mode (administrator level). This is not necessarily an issue, but may be an i

Page 142 - References

Oracle SBC Security Guide Description Raw message The SIP protocol stack is now active. This may be an indication that a power failure occurred or th
