Oracle SBC Security Guide
report on intrusions and suspicious behavior that it currently monitors. This feature requires the IDS
Reporting license, which is included in new purchases but was not in some older deployments. The “IDS
Advanced” feature should be present in the output of the show features command.
See Appendix F: Intrusion Detection System for a detailed description of the functionality enabled.
Configuration is also detailed in Section 15 “Security” of the ACLI Configuration Guide.
Administrative Security Features (Optional)
The Administrative Security features were first available in S-C6.2.0. This feature set includes support
for: multiple administrative users, enhanced password strength, password usage policies, user roles,
management of administrative users, and serial console port control.
CAVEATS
This feature set requires the Admin Security license.
This feature set is only supported on the NN3800 and NN4500 SBC hardware platform.
This feature set is not intended for all customer use. The customer should consult their Oracle Systems Engineer to understand the security and restriction ramifications of enabling these features.
The following system features are disabled: ACP (affects acquiring new configs from the HA peer); telnet and FTP access; operating system access.
Passwords can only be reset to factory defaults by running the diags image.
Deletion of the Admin Security license alone does not remove its features. Equipment must be returned to manufacturing once the license is enabled.
With the Admin Security feature, access to the SBC is much more restrictive. For example, telnet and
FTP cleartext login is disabled in favor of SSH and SFTP secure logins. The SBC can be configured to
lock out an interface when the threshold of unsuccessful login attempts is exceeded, and to set how long
the lockout lasts. The new user model for administrative login is single-user, single-class. The 3
supported local user names are user, admin and li-admin.
Login parameters are changed with the login-config. When RADIUS login is enabled, local logins are
disabled. Furthermore, when a local or RADIUS user logs into the system via console or SSH connection,
a banner appears and must be acknowledged. The banner informs the user when they last logged in and
whether there have been unsuccessful login attempts. Customers can also create a custom banner by
uploading a banner.txt file in /code/banners. (Custom banners are available without the Admin Security
license.) Banners can be disabled by the customer. No banner appears for SFTP connections.
Upon initial login, passwords must be changed from the factory defaults. Password strength and history
are imposed only on local users. Password aging is applied from the date of the last password change.
Password-policy can be configured to change password properties. With RADIUS enabled, user
passwords are stored on the remote RADIUS server, not on the SBC. Password policy doesn’t apply
when RADIUS logins are enabled.
Optionally, SSH public keys can be imported into the SBC. Parameters surrounding SSH re-keying are
set in the ssh-config. Key aging will be applied from the date of activating the config.
There are new SFTP file access privileges via a new RADIUS authentication VSA called
Acme-User-Privilege. Its values, which are not case-sensitive, are:
sftpForAudit - allows audit log access.
sftpForAccounting - allows system logs to be accessed.