RedMax EXtreme EX-LRT Troubleshooting Guide, page 63
Oracle SBC Security Guide
Not all endpoints support installation of third-party certificates or TLS encryption, and it may be difficult
for an organization to issue and manage individual client certificates. TLS (and optionally SRTP) may
also require additional hardware for encryption acceleration.
Endpoint Whitelisting: If an organization manages the endpoints in use, it can fingerprint them the same
way we fingerprint attack tools. Endpoints advertise a SIP User-Agent value, or may carry proprietary
SIP headers that provide identifying values. Messages from endpoints that lack these
characteristics can be rejected using a Header Manipulation Rule. Section 3 of this Tech Note describes
the Header Manipulation Rules required to perform User-Agent whitelisting.
Threat Identification Alternative 1: sipShield SPL plug-in
The Session Plug-in Language (SPL) is an Oracle API library that exposes core functions to an embedded
Lua processor via callbacks. A plug-in is an additional piece of software, written using SPL, that runs on
the SBC to implement a custom feature. It is supported via Oracle Consulting Services.
sipShield enables the SBC to drop SIP messages containing the identifying characteristics of known
malicious tools with absolutely no response to the attacker. The sipShield plug-in examines multiple
characteristics of each message and is superior to our second option, "Header Manipulation Rules for
Scanner Mitigation", described below. It is recommended that sipShield be used wherever possible.
Since sipShield requires a specific SPL API version, it is not available for all software releases. Only
recent releases of software support sipShield at this time. To determine whether sipShield is supported, issue the
"show spl" command in the ACLI. If the SPL version found is 2.0.1 or greater, then sipShield is
supported. If the command is not found, then SPL is not included in the software release.
ACMEPACKET# show spl
SPL Version: C2.0.1
Threat Identification Alternative 2: Header Manipulation Rules for Scanner Mitigation
If sipShield is not appropriate for your environment, the second alternative is to use SIP header
manipulation rules (HMR) to drop messages received from known fraudulent User-Agent(s). The HMR
rule processes each inbound message and, if a match is found, marks the message as invalid or
"Rogue". Subsequent responses back to the attacker are dropped. Unfortunately, the SBC's B2BUA will
usually send an initial response ("100 Trying" or a 4xx error) before the HMR is evaluated
(the specific response depends on realm settings). This tells the attacker that a SIP
process is running (even though the INVITE response is dropped). As they continue their attack, INVITE
and REGISTER messages will be dropped without reaching the core, and the source will eventually be demoted
or blacklisted depending on your DoS settings.
Header Manipulation Rules for Scanner Mitigation are covered below.
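The decision logic behind both User-Agent whitelisting (above) and scanner mitigation, as an added example that is not Oracle code and not the SBC's HMR or SPL syntax: a small Python model that parses an inbound SIP request, drops it when the User-Agent matches a known scanner fingerprint, marks it "rogue" when it does not carry the characteristics of a managed endpoint, and shows what the sender observes under each enforcement mode. The scanner patterns, the managed-endpoint User-Agent, the proprietary X-Acme-Serial header and the sample messages are constructed for this example ("friendly-scanner" is the default User-Agent of the SIPVicious tool set); the attacker_view() function is a simplification of the leak described above, modelling only the "100 Trying" case.

```python
import re

# Constructed scanner fingerprints for this example (the guide lists none here).
# "friendly-scanner" is the default User-Agent sent by SIPVicious.
SCANNER_UA_PATTERNS = [
    re.compile(r"friendly-scanner", re.I),
    re.compile(r"sipvicious", re.I),
    re.compile(r"^sipcli/", re.I),
]

# Constructed allow-list of managed endpoints: a User-Agent pattern plus a
# hypothetical proprietary header (X-Acme-Serial) the phones are assumed to send.
MANAGED_ENDPOINTS = [
    {"ua": re.compile(r"^AcmePhone/\d+\.\d+(\.\d+)?$"),
     "header": "x-acme-serial",
     "value": re.compile(r"^[0-9A-F]{12}$")},
]


def parse_sip(raw: str) -> dict:
    """Parse a SIP request into its method and a lower-cased header map.
    Only the first value of a repeated header is kept; the body is ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line]
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return {"method": method, "headers": headers}


def is_known_scanner(msg: dict) -> bool:
    """Scanner mitigation: the User-Agent matches a known attack-tool fingerprint."""
    ua = msg["headers"].get("user-agent", "")
    return any(p.search(ua) for p in SCANNER_UA_PATTERNS)


def is_managed_endpoint(msg: dict) -> bool:
    """User-Agent whitelisting: the message carries the fingerprint of a managed phone."""
    h = msg["headers"]
    ua = h.get("user-agent", "")
    return any(ep["ua"].match(ua) and ep["value"].match(h.get(ep["header"], ""))
               for ep in MANAGED_ENDPOINTS)


def classify(raw: str) -> str:
    """Return 'drop' (known scanner), 'rogue' (not a managed endpoint) or 'accept'."""
    msg = parse_sip(raw)
    if is_known_scanner(msg):
        return "drop"
    if not is_managed_endpoint(msg):
        return "rogue"
    return "accept"


def attacker_view(raw: str, mode: str) -> list:
    """Responses the sender observes. sipShield answers nothing at all; with HMR the
    B2BUA's provisional response to an INVITE is sent before the rule is evaluated
    (simplified here to '100 Trying'; realm settings may yield a 4xx instead)."""
    if classify(raw) == "accept":
        return ["<normal processing>"]
    if mode == "sipshield":
        return []
    if mode == "hmr":
        return ["100 Trying"] if parse_sip(raw)["method"] == "INVITE" else []
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample traffic (documentation addresses, not real hosts).
SCAN_INVITE = (
    "INVITE sip:100@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1\r\n"
    "From: \"100\" <sip:100@203.0.113.10>;tag=1\r\n"
    "To: <sip:100@203.0.113.10>\r\n"
    "Call-ID: a1@198.51.100.7\r\n"
    "CSeq: 1 INVITE\r\n"
    "User-Agent: friendly-scanner\r\n"
    "Content-Length: 0\r\n\r\n"
)
PHONE_REGISTER = (
    "REGISTER sip:203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.25:5060;branch=z9hG4bK-2\r\n"
    "From: <sip:2001@203.0.113.10>;tag=2\r\n"
    "To: <sip:2001@203.0.113.10>\r\n"
    "Call-ID: b2@192.0.2.25\r\n"
    "CSeq: 1 REGISTER\r\n"
    "User-Agent: AcmePhone/3.2.1\r\n"
    "X-Acme-Serial: 0012ABCDEF34\r\n"
    "Content-Length: 0\r\n\r\n"
)
UNKNOWN_INVITE = SCAN_INVITE.replace("User-Agent: friendly-scanner",
                                     "User-Agent: Generic SoftPhone 1.0")

if __name__ == "__main__":
    for name, msg in [("scanner", SCAN_INVITE), ("phone", PHONE_REGISTER),
                      ("unknown", UNKNOWN_INVITE)]:
        print(name, classify(msg), "sipShield:", attacker_view(msg, "sipshield"),
              "HMR:", attacker_view(msg, "hmr"))
```

The point of attacker_view() is the difference the guide draws between the two alternatives: a known scanner gets no packet back at all from sipShield, while the HMR path still leaks a provisional response that confirms a SIP stack is listening, even though everything after it is dropped.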
Enforcement: Implement DoS Prevention
Some scanning tools will not match a known pattern, either because they are new or because a skilled attacker has
changed SIP fields to make them less detectable. DoS/DDoS prevention settings can protect against
attacks that cannot be identified by their SIP messaging. Endpoint actions can be limited by requiring
endpoints to register first and by enforcing defined message thresholds. The administrator determines what
happens when the thresholds are exceeded: either a 'demotion' to a queue with less bandwidth, or
blacklisting for a configurable period.