Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Add_workflow_for_techpubs
AUTH2UserResourceIdentifier{userKey=8a00a0c85b2726c2015b58aa779d0003, userName='null'}
AUTH1UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26cb41059c, userName='null'}
REV5UserResourceIdentifier{userKey=8a00a0c85b2726c2015b58aa779d0003, userName='null'}
REV6UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26cd5909df, userName='null'}
REV3UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26c99e02c0, userName='null'}
REV4UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26c91d01f9, userName='null'}
REV1UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26ce5f0b8d, userName='null'}

Section
Column
width400px

...

Panel

In this section:

Table of Contents
maxLevel3

Purpose

This document provides a checklist to help with hardening 

Spacevars
0product
against malicious network-based attacks.

Security Hardening Checklist

The following

...

table provides a

...

checklist for security hardening.

StepComponent(s)More Information
  1. Configure the 
    Spacevars
    0product
     to meet network user needs and to comply with enterprise security guidelines. You can deploy the
    Spacevars
    0product
    either on the network edge using the built-in firewall, or in a DMZ behind an enterprise firewall. Take the appropriate actions to allow signaling and protocol/service traffic based on the SBC placement.
     

     
Firewall and DMZ

2. Address port, protocol, and service needs of all call flows when using the SBC Edge with Microsoft Teams on-premises.

Note: This step does not apply to SfB deployments.

Teams
3. Address port, protocol, and service needs of all call flows when running Microsoft Teams and SBC SWe Lite hosted in Azure.Teams

4. Use the latest versions of 

Spacevars
0product

...

 software; maintenance releases include fixes for known vulnerabilities in operating systems and common third-party software

...

Spacevars
0company

...

...

to prevent excessive

...

unwanted traffic

...

, such as Denial of Service (DoS) attacks on the 

Spacevars
0product
.

...

...

SBC ACLs

6. Use TLS/SRTP for SIP/Media.

    • Use TLS for signaling and SRTP for media.
    • Do not use UDP/RTP for signaling and media because they are not encrypted.

...

...

a trusted Certificate Authority (CA).

    • Always use certificates from a trusted CA.
    • Do not use self-signed certificates

...

    • , or limit self-signed certificate use to scenarios for which the systems with the self-signed certificates are within

...

    • a trusted network

...

 Certificates

...

...

8. Enable enhanced password security for SBC operator accounts.

    ...

      • When new SBC operator accounts are created, enhanced security measures such as complex passwords, limited account duration, limiting the number of login sessions, etc., are not

    ...

      • implemented by default.
      • Administrators must enable security measures supported on the SBC to deter malicious/unauthorized login attacks on the system.

    ...

    ...

    9. When configuring Active Directory services

    ...

    on 

    Spacevars
    0product
    , use TLS with Active Directory.

    ...

    ...

    10. Check whether RADIUS is used for user authentication and/or for Call Detail Records (CDRs). The RADIUS use applies to select employments where the customers send CDRs for protection, billing, and such.

      • Passwords are encrypted during RADIUS authentication process. However, RADIUS works on UDP and fields other than the user's credentials are not encrypted. Because RADIUS servers and

    ...

      • the 
        Spacevars
        0product

    ...

      •  are usually within the same trusted domain (inside corporate LAN protected by firewall or over VPN)

    ...

      • , this is not normally an issue

    ...

      • .
      • If confidentiality is

    ...

      • critical even inside the trusted domain,

    ...

      • consider other options for user authentication.
    RADIUS

    ...

    ...

    whether RADIUS CDR confidentiality is required.
      • RADIUS CDR transport is based on UDP and this data is not encrypted.

    ...

      • However, RADIUS servers and 
        Spacevars
        0product

    ...

      •  are usually within the same trusted domain (inside corporate LAN protected by firewall or over VPN), consequently this is not an issue.

    ...

      • If confidentiality is important inside the trusted domain, RADIUS should not be used.

    ...

     CDRs
    12. For CCE deployments, configure firewall settings as recommended. CCE

     

    13. If the ASM module is present, configure the ASM Firewall.

    ...

    ASM

    14. If the ASM module is present, configure the ASM security template.

    ...

     

    Monitoring Security

    Once the system is fully configured,the operator should periodically monitor the system. Many alarms supported by the system are triggered upon security events.

    1. Review system security logs and user-login activity.
    2. .Review web-access logs:
    3. Review alarms.

    Pagebreak