Oracle SBC Security Guide
cache-challenges and reg-overload-protect: The SBC temporarily promotes the endpoint to the trusted level after the registrar challenges its REGISTER with a 401/407 response, so that the retried REGISTER carrying credentials is not subject to the untrusted-path limits.
max-register-forward: Limits the rate of REGISTERs forwarded to the registrar. Set this to 75% of the maximum REGISTERs/sec the registrar can handle.
max-register-refresh: Limits the rate of REGISTER refreshes accepted from endpoints. Set this to 150% of the number of endpoints divided by the refresh interval (in seconds).
register-grace-timer: Grace period, in seconds, before a cached registration is deleted from the SBC after it expires. The recommended value is 32.
reject-register=refresh: Lets a REGISTER refresh in, but applies the load limit to it only when there is no cached registration the SBC can answer it from.
For the session-agent representing the core Registrar, max-register-burst-rate should be configured to throttle REGISTER messages sent to it. In addition, session-constraints should be enabled with rate-constraints configured to limit the rate of REGISTER messages coming into the core network. Session-constraints are applied on the Access sip-interface or realm. In the sip-config parameter, extra-method-stats must be enabled for rate-constraints to take effect.
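The following is an added example, not code from the Oracle guide or from the SBC itself: a small Python model of how the registration parameters above interact, with the two sizing rules written as functions so they can be tried against a planned endpoint count and registrar rating before the values go into the ACLI. The enforcement mechanics (both limits counted per one-second window, an over-limit REGISTER simply rejected, the registrar accepting every forwarded REGISTER) are assumptions made for the model, not behaviour the guide documents.

```python
"""Added example (not Oracle SBC code): a model of the REGISTER overload
controls, so the sizing rules can be exercised against a traffic pattern.
Assumptions, not from the guide: both limits are enforced per one-second
window, the registrar accepts every forwarded REGISTER, and an over-limit
REGISTER is simply rejected."""
import math
from dataclasses import dataclass, field

REGISTER_GRACE_TIMER = 32  # seconds; the value the guide recommends


def max_register_forward(registrar_regs_per_sec: float) -> int:
    """Guide rule: 75% of the REGISTER/sec the core registrar can handle."""
    return math.floor(0.75 * registrar_regs_per_sec)


def max_register_refresh(endpoints: int, refresh_interval_sec: int) -> int:
    """Guide rule: 150% of (endpoints / refresh interval). Rounded up so the
    limit never sits below the steady-state refresh rate (rounding is my choice)."""
    return math.ceil(1.5 * endpoints / refresh_interval_sec)


@dataclass
class RegisterThrottle:
    forward_limit: int                  # max-register-forward, per second
    refresh_limit: int                  # max-register-refresh, per second
    grace: int = REGISTER_GRACE_TIMER   # register-grace-timer
    cache: dict = field(default_factory=dict)   # AoR -> absolute expiry (s)
    window_start: float = 0.0
    forwarded: int = 0
    refreshed: int = 0

    def _roll_window(self, now: float) -> None:
        # Assumed one-second fixed window for both counters.
        if now - self.window_start >= 1.0:
            self.window_start, self.forwarded, self.refreshed = now, 0, 0

    def on_register(self, aor: str, now: float, expires: int) -> str:
        """Decide what happens to one REGISTER for address-of-record `aor`."""
        self._roll_window(now)
        expiry = self.cache.get(aor)
        if expiry is not None and now >= expiry + self.grace:
            # Expired and past register-grace-timer: the cached entry is gone.
            del self.cache[aor]
            expiry = None
        if expiry is not None:
            # A cached registration (possibly expired but still inside the grace
            # period) can answer this refresh locally, so with
            # reject-register=refresh it is let in, subject to max-register-refresh.
            if self.refreshed >= self.refresh_limit:
                return "reject: refresh limit"
            self.refreshed += 1
            self.cache[aor] = now + expires
            return "200 from cache"
        # No usable cached registration: it has to reach the registrar, subject
        # to max-register-forward.
        if self.forwarded >= self.forward_limit:
            return "reject: forward limit"
        self.forwarded += 1
        self.cache[aor] = now + expires   # registrar assumed to answer 200
        return "forwarded"


if __name__ == "__main__":
    # Sizing for a registrar rated at 1000 REGISTER/s serving 50,000 endpoints
    # that refresh every 3600 s (constructed numbers).
    print("max-register-forward:", max_register_forward(1000))         # 750
    print("max-register-refresh:", max_register_refresh(50000, 3600))  # 21
    t = RegisterThrottle(forward_limit=2, refresh_limit=1)
    for aor, now in [("alice", 0.0), ("bob", 0.1), ("carol", 0.2),
                     ("alice", 0.5), ("bob", 0.6), ("bob", 1.5)]:
        print(f"{now:5.1f} {aor:6} {t.on_register(aor, now, 60)}")
```

The point the model makes visible is that max-register-forward only protects the registrar from first-time or post-grace registrations; refreshes from endpoints the SBC already knows never reach the registrar at all, which is why max-register-refresh is sized from the endpoint population and max-register-forward from the registrar's capacity.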
Please contact your Oracle Systems Engineer to discuss planning for DDoS protection configuration and
deployment. Basic DDoS configuration is found in Appendix C: DDoS Prevention for Peering
Environments and Appendix D: DDoS Prevention for Access or Hybrid Environments. Configuration is
detailed in Section 5 “SIP Signaling Services” and Section 15 “Security” of the ACLI Configuration
Guide.
Net-SAFE Architecture: Topology Hiding & SIP Manipulation
Topology hiding is primarily performed by the SBC's Back-to-Back User Agent (B2BUA) function. The SIP-NAT configuration object or the more flexible SIP Manipulation feature provides the means to dynamically alter any identifying information about the customer's core network in signaling messages.
SIP Manipulation rules allow the customer to check for a value in any element of any SIP message and
take action if a rule matches. Actions include changing a value, deleting an element or parameter,
completing a header, or adding a completely new header to the message. As of software image S-C6.2.0,
requests can be rejected, and MIME types and bodies can also be manipulated. To provide further
topology hiding in the SDP portion of a SIP message, the customer should enable SDP anonymization.
An example of the SIP-NAT feature used for topology hiding is available in the document “520-0005-04
BCP - SIP Access Configuration.” An example of the SIP Manipulation feature used for topology hiding
is presented in Section 7 “HMR Bridging” of “520-0038-01 BCP SIP Peering Configuration”.
Configuration of SIP HMR (Header Manipulation Rules) is detailed in Section 5 “SIP Signaling
Services” of the ACLI Configuration Guide. Configuration of SDP anonymization is detailed in Section
15 “Security” of the ACLI Configuration Guide.
Security Specific Licenses
IDS Reporting
The SBC supports a wide range of intrusion detection and protection capabilities for vulnerability and
attack profiles identified to date. In software release S-C6.2.0, the IDS reporting feature provides more
detailed reporting of intrusions the system detects. It is useful for enterprise customers’ requirement to