RedMax EXtreme EX-LRT Troubleshooting Guide Page 20

Oracle SBC Security Guide
are not used. If the SBCs are deployed in HA configuration, then the remote-control parameter
needs to be enabled for the acquire-config feature to function properly.
Configuration is detailed in Section 3 “System Configuration” of the ACLI Configuration Guide.
Web Management
Depending on the release of code in use, a web based management interface may be accessible via the
management network connected to wancom0. Service Provider SBCs only use the web interface for SIP
Monitoring and Tracing, but Enterprise SBCs include a full featured management and provisioning
system.
By default the web interface is disabled. It can be accessed via the wancom0 IP address when enabled.
Note that even if the web interface is disabled, the SBC will still respond on port 80 by default. However,
all new connection requests are immediately torn down with a TCP RST, since there is no web server
process running and no kernel rule to forward the request to a web server.
Oracle recommends that HTTPS be enabled on this interface so TLS will be used instead of the default
HTTP. Care should be taken when defining the cipher list in the tls-profile so that administrative traffic
cannot be compromised. The default cipher list is “ALL”, which includes some insecure ciphers for
backwards compatibility. The cipher list should be set manually to remove insecure ciphers. The
recommended cipher list in order of preference includes:
For release SC7.2 and above on 6000 series hardware:
o TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384
o TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
o TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
o TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256
For releases below SC7.2 or on hardware other than the 6000 series:
o TLS_DHE_RSA_WITH_AES_256_CBC_SHA
o TLS_DHE_RSA_WITH_AES_128_CBC_SHA
o TLS_RSA_WITH_AES_256_CBC_SHA
o TLS_RSA_WITH_AES_128_CBC_SHA
Note that the DHE ciphers provide perfect forward secrecy, which prevents the session from being
decrypted later even if the private key is discovered.
Configuration is detailed in Section 2 “Getting Started” of the ACLI Configuration Guide.
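The following is an added audit script, not part of the Oracle guide, that checks a tls-profile cipher-list value against the two recommended lists above: it flags the default "ALL", suites containing insecure primitives (RC4, DES, MD5, NULL, export or anonymous suites), suites outside the recommended list, RSA key-exchange suites that lack forward secrecy, and lists that depart from the guide's preference order. The platform keys and the accepted separators (whitespace, ':' or ',') are assumptions, since the exact ACLI list syntax is not covered on this page.

```python
import re

# Recommended lists from the guide (in preference order), keyed by platform.
# The key names are this script's own labels, not SBC identifiers.
RECOMMENDED = {
    "sc7.2-6000": [
        "TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256",
        "TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256",
    ],
    "other": [
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ],
}

# Name fragments that mark a suite as unfit for administrative traffic.
WEAK_TOKENS = {"NULL", "EXPORT", "EXP", "RC4", "DES", "3DES", "MD5", "ANON", "ADH", "AECDH"}


def classify(suite):
    """Return (forward_secrecy, weak) for one IANA/OpenSSL-style suite name."""
    tokens = set(re.split(r"[_-]", suite.upper()))
    return bool(tokens & {"DHE", "ECDHE"}), bool(tokens & WEAK_TOKENS)


def audit_cipher_list(cipher_list, platform):
    """Audit a cipher-list value; returns (suite, problem) pairs, empty if clean.

    Separators: whitespace, ':' or ',' are all accepted (assumption; the ACLI
    list syntax is not shown on this page)."""
    if cipher_list.strip().upper() == "ALL":
        return [("ALL", "default list; includes insecure ciphers, set it explicitly")]
    recommended = RECOMMENDED[platform]
    suites = [s for s in re.split(r"[\s:,]+", cipher_list.strip()) if s]
    findings = []
    for s in suites:
        pfs, weak = classify(s)
        if weak:
            findings.append((s, "insecure cipher, remove"))
        elif s not in recommended:
            findings.append((s, "not in the recommended list for this platform"))
        elif not pfs:
            findings.append((s, "no forward secrecy; keep DHE suites ahead of it"))
    # The guide lists suites in preference order; flag any reordering.
    positions = [recommended.index(s) for s in suites if s in recommended]
    if positions != sorted(positions):
        findings.append(("*", "suites are not in the guide's preference order"))
    return findings
```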
Resiliency
Several features enable availability, a key component of a secure deployment.
High Availability
It is strongly recommended that the SBC be deployed in a High Availability (HA) architecture with a
Primary node and a Secondary node connected over both Wancom1 and Wancom2 interfaces for
resiliency. It is also recommended that the two units in an HA pair be directly cabled together. While they
can be separated and connected via an Ethernet switch or layer 2 VPN, this introduces latency and can
significantly impact capacity. Since session replication is performed over a clear text connection, it may
also expose call or configuration data sent in the replication process. In short, a geographically redundant
pair of SBCs is not recommended. If geo-redundancy is an absolute requirement, a secure site-to-site