Oracle SBC Security Guide
(Table continued from the preceding page; its column headings are not on this page. Each row gives two trust levels followed by the Permit and Deny columns.)

low     | medium | Permit | Deny
low     | high   | Permit | Deny
medium  | none   | Permit | Deny
medium  | low    | Permit | Deny
medium  | medium | Permit | Deny
medium  | high   | Permit | Deny
high    | none   | Permit | Deny
high    | low    | Permit | Deny
high    | medium | Permit | Deny
high    | high   | Permit | Deny
TLS for SIP
Transport Layer Security (TLS) provides end-to-end authentication and encryption of SIP signaling. TLS protects against eavesdropping, tampering, forgery, and potential theft of service. For this reason, TLS should be used wherever possible.

The SBC supports mutual authentication within a TLS profile. Although disabled by default, it should be enabled when endpoints support it.

All supported products have TLSv1 capabilities, and newer releases (SC7.2 and above with SSM3 cards) also support TLSv1.2. However, it should be noted that very few SIP clients or servers actually support anything greater than TLSv1.
The SBC supports three TLS exchange / authentication models:

Basic: The client authenticates the SBC certificate by using the CA public key, and checks expiration, common name, and ciphers supported. This provides confidentiality and integrity through encryption but does not establish the identity of the endpoint. Credential cracking is still possible, and the move to TLS (based on TCP) may make port exhaustion DoS a bit easier for an attacker.

Mutual: A step is added in which the client certificate is sent to the SBC for verification. A single shared certificate or individual client certificates can be used. This model has the same characteristics as the basic model, with the advantage of verifying that the client is likely trusted, since an issued certificate is present. If a single certificate is used for all clients, then theft or compromise of one endpoint may allow access to an attacker. Individual certificates are more secure but require more administrative effort to issue and manage.

Mutual with certificate revocation: Certificate revocation for individual clients is possible, which ensures that clients whose certificates have expired or been revoked are refused access. An external Online Certificate Status Protocol (OCSP) server is required to check against the Certificate Revocation List.

Note: The SBC does not support local CRLs due to onboard storage limitations.
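The three models above, as an added example that is not from the Oracle guide and does not use any SBC code: a Go program (standard library only) that builds a constructed test CA, an SBC server certificate and three client certificates (valid, revoked, expired), then shows the check each model adds. verifyChain is the chain, validity-period and name check of the Basic model (run by the client against the SBC certificate) and of the Mutual model (run by the SBC against the client certificate); sbcConfig builds the server-side tls.Config for each model, and for the third model installs a VerifyPeerCertificate hook whose constructed revoked-serial set stands in for the answer an OCSP responder would return. All names (Example Lab CA, sbc.example.test, phone-00x.example.test) are made up, and the TLS 1.2 floor is this example's choice, not an SBC setting.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert mints an ECDSA P-256 certificate for cn, valid until notAfter;
// parent == nil yields a self-signed CA, otherwise parent/parentKey sign it.
func issueCert(cn string, serial int64, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // what the Basic model's name check matches
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// pki is a constructed hierarchy: one CA, the SBC certificate, and valid, revoked and
// expired client certificates; revoked holds the serials an OCSP responder would report.
type pki struct {
	roots                                  *x509.CertPool
	server, client, revokedClient, expired *x509.Certificate
	serverKey                              *ecdsa.PrivateKey
	revoked                                map[string]bool
}

func newPKI() *pki {
	day := time.Now().Add(24 * time.Hour)
	ca, caKey := issueCert("Example Lab CA", 1, day, nil, nil)
	p := &pki{roots: x509.NewCertPool(), revoked: map[string]bool{}}
	p.roots.AddCert(ca)
	p.server, p.serverKey = issueCert("sbc.example.test", 2, day, ca, caKey)
	p.client, _ = issueCert("phone-001.example.test", 3, day, ca, caKey)
	p.revokedClient, _ = issueCert("phone-002.example.test", 4, day, ca, caKey)
	p.expired, _ = issueCert("phone-003.example.test", 5, time.Now().Add(-30*time.Minute), ca, caKey)
	p.revoked[p.revokedClient.SerialNumber.String()] = true
	return p
}

// verifyChain is the check the Basic and Mutual models share: a chain to a trusted CA
// and a validity period containing "now"; a non-empty name adds the server-name match.
func verifyChain(cert *x509.Certificate, roots *x509.CertPool, name string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

// sbcConfig builds the SBC-side tls.Config for "basic", "mutual" or "mutual+revocation".
func sbcConfig(model string, p *pki) *tls.Config {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{p.server.Raw}, PrivateKey: p.serverKey}},
		ClientCAs:    p.roots,
		MinVersion:   tls.VersionTLS12,
		ClientAuth:   tls.NoClientCert, // Basic: only the SBC is authenticated
	}
	if model != "basic" {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert // Mutual: client cert must chain to ClientCAs
	}
	if model == "mutual+revocation" {
		// Third model: Go calls this only after the chain validated (a missing client
		// certificate is already rejected by RequireAndVerifyClientCert); leaf comes first.
		cfg.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			if p.revoked[leaf.SerialNumber.String()] {
				return fmt.Errorf("%s: serial %s is revoked", leaf.Subject.CommonName, leaf.SerialNumber)
			}
			return nil
		}
	}
	return cfg
}
```

The revocation hook only ever runs after Go has already walked the chain to ClientCAs, which mirrors the order in the text: the third model is the second model plus a status check, not a replacement for it. A real deployment would replace the map lookup with an OCSP query to the external responder the guide mentions.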
Some other key information regarding TLS includes:

Certificates installed on the SBC must be derived from a local Certificate Signing Request in PKCS-10 PEM/Base64 format. Certificates cannot be installed without a CSR.