
Oracle SBC Security Guide
Administrators are the only users with any form of system logon permission. The system provides
Role Based Access Control with dedicated user accounts that have pre-assigned privilege levels in the
Command Line Interface. These are discussed further in the section on management interfaces. RADIUS
and TACACS+ can also be enabled to provide an external authentication and authorization function. When
RADIUS is used, the minimum authorization class and command set required for the administrator's role
should be considered.
Monitor System Activity
Monitoring system activity is critical to determine whether someone is attempting to abuse system services
and to detect performance or availability issues. Useful monitoring information can be acquired
through SNMP, RADIUS accounting, Historical Data Recording (HDR), and Syslog. At a minimum,
SNMP should be configured, and use of an external syslog server should be considered.
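The monitoring principle above is easiest to see as detection logic run over exported syslog lines. The following is an added Python example written for this page, not part of the guide or of the SBC software. The log line format, rule patterns, thresholds and addresses are constructed for illustration; a real deployment would match on the SBC's own syslog message formats and tune the thresholds to its traffic. It flags two kinds of abuse the guide names: repeated failed administrator logins and registration floods from a single source.

```python
"""Sliding-window detection over exported syslog lines.

Added example. The line format below is constructed (RFC 3164 style) and is
NOT the SBC's actual log format; rules and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# <PRI>Mon DD HH:MM:SS host app: message   (constructed format)
LOG_LINE = re.compile(
    r"^<\d+>(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$"
)

# (rule name, pattern capturing the source address, count threshold, window in seconds)
RULES = [
    ("admin_login_failures",
     re.compile(r"Failed password for \S+ from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"), 3, 60),
    ("register_flood",
     re.compile(r"SIP REGISTER from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"), 5, 10),
]

# Constructed sample export: a password-guessing burst, one stray failure,
# a REGISTER flood, a slow legitimate registrar, and one unparsable line.
SAMPLE_SYSLOG = """\
<38>Mar 10 08:00:01 sbc1 sshd: Failed password for admin from 203.0.113.7
<38>Mar 10 08:00:05 sbc1 sshd: Failed password for admin from 203.0.113.7
<38>Mar 10 08:00:09 sbc1 sshd: Failed password for admin from 203.0.113.7
<38>Mar 10 08:00:12 sbc1 sshd: Failed password for admin from 203.0.113.8
<38>Mar 10 08:00:20 sbc1 sip: SIP REGISTER from 198.51.100.25 to sip:example.com
<38>Mar 10 08:00:21 sbc1 sip: SIP REGISTER from 203.0.113.9 to sip:example.com
<38>Mar 10 08:00:21 sbc1 sip: SIP REGISTER from 203.0.113.9 to sip:example.com
<38>Mar 10 08:00:22 sbc1 sip: SIP REGISTER from 203.0.113.9 to sip:example.com
<38>Mar 10 08:00:22 sbc1 sip: SIP REGISTER from 203.0.113.9 to sip:example.com
<38>Mar 10 08:00:23 sbc1 sip: SIP REGISTER from 203.0.113.9 to sip:example.com
<38>Mar 10 08:00:23 sbc1 sip: SIP REGISTER from 203.0.113.9 to sip:example.com
this line is not syslog and is skipped
<38>Mar 10 08:01:30 sbc1 sip: SIP REGISTER from 198.51.100.25 to sip:example.com
"""


def parse(line):
    """Split one syslog line into (timestamp, host, app, message) or None if malformed."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year defaults to 1900; only deltas matter
    return ts, m["host"], m["app"], m["msg"]


def detect(lines):
    """Return one alert per (rule, source) whose event count crosses the rule's threshold
    inside its sliding time window."""
    windows = defaultdict(deque)   # (rule, source) -> timestamps inside the window
    fired = set()
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, _app, msg = parsed
        for name, pattern, threshold, seconds in RULES:
            m = pattern.search(msg)
            if not m:
                continue
            key = (name, m["src"])
            window = windows[key]
            window.append(ts)
            while (ts - window[0]).total_seconds() > seconds:   # expire old events
                window.popleft()
            if len(window) >= threshold and key not in fired:
                fired.add(key)
                alerts.append({"rule": name, "source": m["src"], "count": len(window),
                               "host": host, "at": ts.strftime("%H:%M:%S")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_SYSLOG.splitlines()):
        print(alert)
```

Only the first crossing per source is reported so that a sustained flood does not itself flood the alert channel; the two legitimate registrations a minute apart from 198.51.100.25 and the single failure from 203.0.113.8 stay below threshold.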
Keep Up To Date on Latest Security Information
Security issues that require a software or configuration update will be communicated in quarterly Critical
Patch Updates (CPU). The latest CPUs as well as instructions to subscribe to them can be found at
http://www.oracle.com/technetwork/topics/security/alerts-086861.html. A free Oracle Technology
Network account is required to receive CPUs.
SBC Specific Security Principles
Security teams should consider the following guidelines when deploying a Unified Communications (UC)
system. These are some of the areas where the SBC family will provide value.
Create a demarcation and enforcement point for the UC network: The enforcement point provides
demarcation between zones of varying trust, such as the internal enterprise network, a BYOD
network, a guest network, a demilitarized zone, or the public Internet.
Hide topology: Hackers can plan attacks by ascertaining information about network equipment
(determining equipment types and software versions) or by detecting the IP addressing scheme a
company employs. A UC demarcation device should remove any protocol fields that may assist in
“fingerprinting” and should provide NAT (network address translation) at all protocol levels to
conceal internal addressing schemes.
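As an added illustration of the topology-hiding principle, here is Python code written for this page, not the SBC's own implementation, that does for one outbound SIP INVITE what a demarcation device does on its untrusted side: it drops headers that only identify the product and version, collapses the internal Via chain into a single hop naming the SBC, rewrites RFC 1918 addresses in routing headers and in the SDP body to the public address, and corrects Content-Length after the rewrite. The header list, the public address 198.51.100.10 and the sample message are assumptions.

```python
"""Topology hiding for a SIP message leaving the trusted zone.

Added example; header names, addresses and the sample INVITE below are
assumptions and are not taken from the Oracle SBC configuration.
"""
import ipaddress
import re
import secrets

PUBLIC_SBC_ADDR = "198.51.100.10"        # constructed: address presented on the untrusted side
FINGERPRINT_HEADERS = {"user-agent", "server", "organization"}   # identify vendor/version only
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample: an INVITE from an internal PBX that leaks two private hops,
# a private Contact, a product banner and private media addresses in the SDP.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKabc123\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bKdef456\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "User-Agent: ExamplePBX/4.2.1 (build 1234)\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 109\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def is_internal(addr: str) -> bool:
    """True when addr is an RFC 1918 address that must not leave the trusted zone."""
    try:
        return any(ipaddress.ip_address(addr) in net for net in RFC1918)
    except ValueError:
        return False


def _nat(text: str, public_addr: str) -> str:
    """Replace every internal IPv4 literal in text with the public SBC address."""
    return IPV4.sub(lambda m: public_addr if is_internal(m.group()) else m.group(), text)


def hide_topology(raw: str, public_addr: str = PUBLIC_SBC_ADDR, branch: str = "") -> str:
    """Return the message as it should appear on the untrusted side."""
    head, _, body = raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    branch = branch or "z9hG4bK" + secrets.token_hex(8)   # fresh branch for the SBC's own Via
    body = _nat(body, public_addr)                         # SDP o=/c= lines carry media addresses

    out_headers = []
    via_emitted = False
    for line in header_lines:
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        if key in FINGERPRINT_HEADERS:
            continue                                       # drop: reveals equipment and versions
        if key == "via":
            if not via_emitted:                            # collapse internal hops into one SBC hop
                out_headers.append(f"Via: SIP/2.0/TLS {public_addr}:5061;branch={branch}")
                via_emitted = True
            continue
        if key in ("contact", "record-route", "route", "path"):
            value = _nat(value, public_addr)               # routing must point back at the SBC
        if key == "content-length":
            value = str(len(body.encode()))                # body size changed after rewriting
        out_headers.append(f"{name.strip()}: {value}")
    # Call-ID and From/To tags are deliberately untouched: a B2BUA maps them per call leg.
    return "\r\n".join([start_line, *out_headers]) + "\r\n\r\n" + body


def leaks(raw: str) -> bool:
    """Audit helper: does the message still expose internal addresses or product headers?"""
    if any(is_internal(ip) for ip in IPV4.findall(raw)):
        return True
    return any(line.split(":")[0].strip().lower() in FINGERPRINT_HEADERS
               for line in raw.split("\r\n"))


if __name__ == "__main__":
    print(hide_topology(SAMPLE_INVITE))
```

The Content-Length recomputation is the detail most often missed: a private address such as 192.168.1.20 and the public address differ in length, so a rewritten SDP body with the old length header is a malformed message on the far side.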
Encrypt endpoint communications: Businesses should encrypt communications flows when transiting
public networks to prevent eavesdropping or impersonation. Encryption should also be considered on
private networks to verify identity and prevent eavesdropping on privileged communications.
Encryption can hinder lawful interception or other regulatory and corporate compliance requirements,
so be sure to understand any impacts in your environment. By establishing a UC demarcation point
and anchoring, unencrypting, and re-encrypting sessions at the network perimeter, security teams can
tap or replicate sessions in the clear for compliance purposes.
Normalize protocol differences on-demand: Because UC vendors implement SIP differently, using
devices from multiple vendors may cause interoperability problems. In extreme cases, the “normal”
messaging from one manufacturer might cause failures or outages for another. Rather than depending
on vendors to fix these interoperability issues, it is preferable to do so, in real time, using an SBC.
Prevent DoS attacks and overloads: DoS or Distributed DoS (DDoS) attacks and other non-malicious
events such as registration floods can impair IP communications infrastructure (border elements,
application servers, endpoints) and disturb critical applications and services. Attackers may try to
flood a network from one or more endpoints or may send malformed messages (protocol fuzzing) to