RedMax EXtreme EX-LRT Anleitung zur Fehlerbehebung PDF herunterladen (Seite 29)

Oracle SBC Security Guide

Session constraints should be applied to the sip-interface to limit the max-sessions, max-burst-rate, max-

sustain-rate, and rate constraints for individual method types. Further information is found in Section 5.3

“Constraint Limiting” of “520-0013-05 TECH NOTE Theory of the Session-agent.”

The SBC's default SIP routing behavior is to comply with Route headers as received. Thus there is a

security "hole" wherein a trusted device could construct a Route header and use the SBC as a reflector for

signaling to another known device. Furthermore, the SBC will also use the Request-URI to route traffic

even if there's no matching local-policy. This is mitigated by using techniques such as stripping Route

headers on ingress (proceed with caution) and configuring "null routes" with 0.0.0.0 as the next-hop.

Configuration is detailed in Section 5 “SIP Signaling Services” and Section 10 “Session Routing and

Load Balancing” of the ACLI Configuration Guide.

Service ACLs

ACLs on service ports provide more functions than the basic permit and deny operations that are provided

by the ACLs on management ports. Service ACLs have effects on traffic management through average

rate limitations, trust level, and signaling thresholds similar to those specified on a realm.

To prevent misunderstanding these traffic management settings, keep in mind these general rules:

 Define an ACL for all peering partners and all core systems to which traffic will be routed. The

ACL is used to permit trusted hosts, deny untrusted hosts, and guarantee bandwidth in peak

periods.

 The minimum-reserved-bandwidth setting does not permanently reserve bandwidth. It will only

be used in peak periods to prioritize traffic. Set the minimum-reserved-bandwidth to the

maximum signaling bandwidth capable for the system. If more than one core device is used,

divide the bandwidth number equally. The number here is not really bandwidth but a priority

metric.

 Hosts with a trust levels of high will never be demoted or blacklisted. However, if an invalid-

signal-threshold of one is configured on the ACL, a syslog event will be written which might help

detect attempted abuse.

 The trust level specified on the ACL should match the trust level on the realm from which it will

communicate. Trust level mismatches can have unintended consequences such as permitting

traffic that is intended to be denied. Refer to the scenario below that illustrates how this can be

problematic.

In this scenario there is a trusted core PBX on a private network, and two PBXs on an external public

network. The trust level on the ACL applied to the external interface and the trust level on the external

realm are depicted in the tables below, along with what will happen to traffic sent from a source IP of

“.100” or “.111”. In Table 1: IP .111 permitted in ACL the effects of having the 192.168.1.111 address

permitted are depicted. Table 2 shows the opposite, when the 192.168.1.111 address is denied. Note what

access the 192.168.1.100 address has based on the trust level of the realm and ACL.

1 2 ... 24 25 26 27 28 29 30 31 32 33 34 ... 141 142

Keine Kommentare

RedMax EXtreme EX-LRT Anleitung zur Fehlerbehebung Seite 29