Purpose

This document provides a checklist to help with hardening SBC Edge against malicious network-based attacks.

Security Hardening Checklist

The following table provides a checklist for security hardening.

Step / Component(s)

1. Configure the SBC Edge to meet network user needs and to comply with enterprise security guidelines. You can deploy the SBC Edge either on the network edge using the built-in firewall, or in a DMZ behind an enterprise firewall. Take the appropriate actions to allow signaling and protocol/service traffic based on the SBC placement.
   Component(s): Firewall and DMZ

2. Address port, protocol, and service needs of all call flows when using the SBC Edge with Microsoft Teams on-premises.
   Note: This step does not apply to SfB deployments.
   Component(s): Teams

3. Address port, protocol, and service needs of all call flows when running Microsoft Teams and SBC SWe Lite hosted in Azure.
   Component(s): Teams

4. Use the latest versions of SBC Edge software; maintenance releases include fixes for known vulnerabilities in operating systems and common third-party software.
   Component(s): Software updates

5. Configure Access Control Lists to prevent excessive unwanted traffic, such as Denial of Service (DoS) attacks on the SBC Edge.
   Component(s): SBC ACLs

6. Use TLS/SRTP for SIP/Media.
    • Use TLS for signaling and SRTP for media.
    • Do not use UDP/RTP for signaling and media because they are not encrypted.
   Component(s): Protocols

7. Only use certificates from a trusted Certificate Authority (CA).
    • Always use certificates from a trusted CA.
    • Do not use self-signed certificates, or limit self-signed certificate use to scenarios in which the systems holding the self-signed certificates are within a trusted network.
   Component(s): Certificates

8. Enable enhanced password security for SBC operator accounts.
    • When new SBC operator accounts are created, enhanced security measures such as complex passwords, limited account duration, limiting the number of login sessions, etc., are not implemented by default.
    • Administrators must enable the security measures supported on the SBC to deter malicious/unauthorized login attacks on the system.
   Component(s): Accounts and Passwords

9. When configuring Active Directory services on SBC Edge, use TLS with Active Directory.
   Component(s): Active Directory

10. Check whether RADIUS is used for user authentication and/or for Call Detail Records (CDRs). RADIUS use applies to select deployments where the customers send CDRs for protection, billing, and similar purposes.
    • Passwords are encrypted during the RADIUS authentication process. However, RADIUS runs over UDP, and fields other than the user's credentials are not encrypted. Because RADIUS servers and the SBC Edge are usually within the same trusted domain (inside a corporate LAN protected by a firewall, or over VPN), this is not normally an issue.
    • If confidentiality is critical even inside the trusted domain, consider other options for user authentication.
   Component(s): RADIUS

11. Check whether RADIUS CDR confidentiality is required.
    • RADIUS CDR transport is based on UDP, and this data is not encrypted. However, RADIUS servers and the SBC Edge are usually within the same trusted domain (inside a corporate LAN protected by a firewall, or over VPN), so this is normally not an issue.
    • If confidentiality is important inside the trusted domain, RADIUS should not be used.
   Component(s): CDRs
12. For CCE deployments, configure firewall settings as recommended.
   Component(s): CCE

13. If the ASM module is present, configure the ASM Firewall.
   Component(s): ASM

14. If the ASM module is present, configure the ASM security template.
   Component(s): ASM


Monitoring Security

Once the system is fully configured, the operator should periodically monitor the system. Many alarms supported by the system are triggered by security events.

  1. Review system security logs and user-login activity.
  2. Review web-access logs.
  3. Review alarms.