RedMax EXtreme EX-LRT Instrukcja Naprawy Pobierz pdf (Strona 75)

Oracle SBC Security Guide

 Whether the assigned trust level is denying more than one endpoint (e.g. issues with NAT)

 CAC or session count thresholds, and whether they are impacting service

Once this knowledge base is built and properly document for future reference, threshold values for

reasonable variations in these counters should be defined and implemented in the monitoring platforms

handling the SNMP Traps, HDR data, Sys-logs provided by the Session Border Controller.

It’s strongly recommended to parse and evaluate the information provided in any

apSysMgmtInetAddrWithReasonDOSTrap SNMP traps received. Using this information it should be

possible to identify SIP UAs and accounts involved, and understand whether legitimate traffic is being

denied. Further actions may be required after this analysis; for example: configuration improvements to

avoid illegitimate traffic from reaching the Host CPU may be needed, or, if the traffic is expected,

adjustment of the appropriate constraints to allow the legitimate traffic to flow properly.

This process is an iterative loop where the fine-tuning and documenting illegal behavior flows can be

continuously improved. This is especially true if the Session Border Controller is exposed to the Internet

in an Access Scenario. When connected to the Internet, different trends and attempted illegal behaviors

may be seen as the complexity of SIP attacks and trends evolve.

Constraints Limiting

The Session Border Controller provides two distinct mechanisms to throttle any SIP method: session

constraints and rate-constraints. While session constraints are responsible for throttling both INVITE and

constraints and rate constraints can be configured in either Session-Agent or SIP-interface config objects

(via session-constraints). NOTE: Make sure to enable the sip-config > extra-method-stats option before

configuring any constraints since this enables the constraint counters.

Session-Constraints

The session-constraints configuration element defines session layer constraints for session measurements

such as maximum concurrent sessions, maximum outbound concurrent sessions, maximum session burst

rate, and maximum session sustained rate.

The SIP interface configuration’s constraint-name parameter applies a pre-defined session-constraint

configuration. Using the constraints defined, the SBC checks and limits traffic according to those settings

for the SIP interface. If session constraints are not configured or applied on the SIP interface, the SIP

interface will be unconstrained. If a single session-constraint element is applied to multiple SIP interfaces,

each SIP interface will maintain its own copy of the session-constraint statistics.

 name – name of the session-constraint, this must be an unique identifier

 max-sessions - maximum sessions allowed for this constraint

 max-inbound-sessions— maximum inbound sessions allowed for this constraint

 max-outbound-sessions— maximum outbound sessions allowed for this constraint

 max-burst-rate—maximum burst rate (invites per second) allowed for this constraint

 max-inbound-burst-rate—maximum inbound burst rate (number of session invitations per

second) for this constraint

 max-inbound-sustain-rate—maximum inbound sustain rate (of session invitations allowed

within the current window) for this constraint

 max-outbound-burst-rate—maximum outbound burst rate (number of session invitations per

second) for this constraint

1 2 ... 70 71 72 73 74 75 76 77 78 79 80 ... 141 142

Brak uwag

RedMax EXtreme EX-LRT Instrukcja Naprawy Strona 75