Page History

Purpose

This document provides a checklist to help with hardening 

...

1. Use latest versions of 

   Spacevars
   0 product

   software. When new security vulnerabilities are reported in operating systems and common third-party software,

   Spacevars
   0 company

   produces maintenance releases incorporating the fixes.
2. Configure Access Control Lists.
   • Configure access lists to prevent excessive amounts of unwanted traffic (Dos attacks) on the

     Spacevars
     0 product

     . 
   • Documentation Links:
     
     • Managing Access Control Lists
     • Creating and Modifying Rules for IPv4 Access Control Lists
3. Use TLS/SRTP for SIP/Media.
   • Use TLS for signaling and SRTP for media. Do not use UDP/RTP for signaling and media because they are not encrypted.
   • Some documentation links:
     • Managing TLS Profiles
     • SBC ISDN To SIP Routing for Dummies - TLS
     • Configuring SBC Edge for Standard and Mutual TLS Authentication
     • Managing SDES-SRTP Profiles
4. Only use Certificates from Trusted CA. Do not use self-signed certificates (unless the systems with self-signed certificates are within your trusted network).
   • Always use certificates from a trusted certificate authority, do not use self-signed certificates.
   • Documentation Links: 
     • Working with Certificates
     • Common Troubleshooting Issues with Certificates in SBC Edge
5. Enable enhanced password security for SBC operator accounts.
   • By default, when new SBC operator accounts are created, enhanced security such as complex passwords, limited account duration, limiting the number of login sessions, etc., are not enforced. This must be enabled by the administrator to limit the number of malicious/unauthorized login attacks on the system.
   • Documentation:
     • Managing Global Security Options
     • Monitoring User Activity
     • How do I find a logged in user's IP address
6. If Active Directory is used, use TLS with Active Directory.
   • Use TLS when configuring Active Directory services on

     Spacevars
     0 product

     .
   • Documentation: 
     • Configuring the SBC Edge for Active Directory
     • How User Authentication Works
7. Check if RADIUS is used for user authentication.
   • Passwords are encrypted during RADIUS authentication process. However, RADIUS works on UDP and fields other than the user's credentials are not encrypted. RADIUS servers and the

     Spacevars
     0 product

     are usually within the same trusted domain (inside corporate LAN protected by firewall or over VPN) and so this is not an issue at all. However, if confidentiality is important even inside the trusted domain, RADIUS should not be used.
   • Documentation links:
     • How User Authentication Works
     • Configuring the SBC Edge for RADIUS
     • RADIUS User Authentication Tips Using FreeRADIUS
8. Check if RADIUS CDR confidentiality is required
   • RADIUS CDR transport is based on UDP and this data is not encrypted. In all cases however, RADIUS servers and 

     Spacevars
     0 product

     are usually within the same trusted domain (inside corporate LAN protected by firewall or over VPN), consequently this is not an issue. However, if confidentiality is important inside the trusted domain, RADIUS should not be used.

   • Documentation link:

     • Configuring the SBC for CDR

9. If the ASM module is present, configure the ASM Firewall.
   • Documentation link:
     • Configuring the ASM Firewall
10. If the ASM module is present, configure the ASM security template
• • Documentation link:
    • Applying an SBA Security Template

...

Once the system is fully configured,the operator should periodically monitor the system. Many alarms supported by the system are triggered upon security events.

1. Review system security logs and user-login activity.
   
   • Monitoring User Activity
2. .Review web-access logs:
• Managing Local Logs
3. Review alarms.
• Viewing Alarms and Events

...