To submit recommendations for changes or comments, email Richard Travis, Ribbon Program Manager at rtravis@rbbn.com.
Revision History
Document | Date | Editor | Details |
---|---|---|---|
V1.1 | 15 October 2014 | Ribbon Federal | Initial |
V1.2 | 15 October 2014 | Ribbon Federal | Reformatted guide |
V1.3 | 2014 | Ribbon Federal | Edited Initial Config., step 4d. |
V2.0 | 12 January 2015 | Ribbon Tech Pubs | Replaced contact name in Intro section |
V3.0 | 1 September 2017 | Ribbon Tech Pubs | Updated for release 5.1 and to include SBC SWe in the list of SBC platforms |
V4.0 | 1 September 2017 | Ribbon Tech Pubs | Updated CONDITIONS of Fielding section. |
V5.0 | 20 October 2017 | Ribbon Tech Pubs | Updated published date and SW version per DTR 1 |
V6.0 | 31 August 2018 | Ribbon Tech Pubs | Updated company name, page title, published date, and Conditions of Fielding per DTR2. This guide is revised to support SBC SWe TN 163401 DTR2 and SBC 5x10 TN 1314804 DTR2 |
V7.0 | 10 September 2019 | Ribbon Tech Pubs | Updated 5.1.2 PDF filenames to 6.2.2 and 6.2.1. Also updated Installation, Initial Configuration, Procedure, and Conditions of Fielding section. |
V8.0 | 16 September 2019 | Ribbon Tech Pubs | Added step to the Initial Configuration procedure |
V9.0 | 20 December 2019 | Ribbon Tech Pubs | Republished guide to align with the latest test efforts. No material changes made. |
V10.0 | 26 May 2020 | Ribbon Tech Pubs | Republished guide to reflect updated publication date. No material changes made. |
V11.0 | 21 August 2020 | Ribbon Tech Pubs | Republished guide to reflect updated publication date and release update from 6.2.3 to 7.2.1. No material changes made. |
V12.0 |
| Ribbon Tech Pubs | Release update to 7.2.5R002. Added note regarding SBC SWe on VMware. |
V15.0 | Ribbon Tech Pubs | Added Related articles section. Added specific links to installation and configuration of the SBC (CLI and EMA methods). Added CLI configuration code blocks for reference. | |
V16.0 |
| Ribbon Tech Pubs | Updated the images and procedure. Provided links to the latest 7.2 version of the documents. |
V17.0 |
| Ribbon Tech Pubs | Updated the images and procedure. Provided links to the latest 10.01 version of the documents. |
V17.1 |
| Ribbon Tech Pubs | Added steps for command Zone - Block Direction - CLI. |
V02.01 |
| Ribbon Tech Pubs | Changed to new versioning schema: from V17.1 to V02.01 |
Conditions of Fielding
Users must reference and follow the Conditions of Fielding (COF) found in the Information Assurance Assessment Report/Cybersecurity Assessment Report (IAAR/CAR).
Links to Installation and Configuration
Installation
The links below are the starting points for all elements of installation and configuration of a Ribbon SBC. Follow the "First Steps" guidance for the platform you are installing. Each step has supporting documentation links that will take you from Network Planning to the start of configuration.
Items Unique to a U.S. Federal and DoD Deployment
Once the SBC hardware or virtual machine is up and running and the SBC application code is installed, configure the SBC application.
You can configure the SBC application through any of the following methods:
1.The Command Line Interface (CLI). For more information, refer to the CLI Reference Guide.
2.The GUI-based Embedded Management Application (EMA). For more information, refer to the EMA User Guide.
Any configuration accomplished in one format can also be accomplished in the other. For experienced individuals familiar with the system, the CLI is often faster but less intuitive. The following items have specific parameters and requirements for the US Federal and DoD configurations.
These specific parameters come from a variety of sources such as the DoD UCR, Security Technical Implementation Guides (STIGs), and Security Requirements Guides (SRGs).
For brevity, the examples are provided in the CLI format. However, you can also perform all the example commands through the EMA UI.
After the unit is commissioned and turned over to the customer, CLI is no longer available.
SWe Deployments
esxi Guest tags
The SWe is a VMware compatible and as such, relies on certain VM tags being configured within the ESXi environment.
Please ensure these tags are applied to your Guests vmx file to be compliant with the ESXi VMGuest STiG.
vmci0.unrestricted = "FALSE" isolation.monitor.control.disable = "TRUE" isolation.bios.bbs.disable = "TRUE" isolation.ghi.host.shellAction.disable = "TRUE" log.rotateSize = "100000" log.keepOld = "10" isolation.device.connectable.disable = "TRUE" isolation.device.edit.disable = "TRUE“ RemoteDisplay.maxConnection = "1" vmsafe.enable = "FALSE" isolation.tools.autoInstall.disable = "TRUE" isolation.tools.copy.disable = "TRUE" isolation.tools.dnd.disable = "TRUE" isolation.tools.setGUIOptions.enable = "FALSE" isolation.tools.paste.disable = "TRUE” isolation.tools.diskShrink.disable = "TRUE" isolation.tools.diskWiper.disable = "TRUE" isolation.tools.hgfsServerSet.disable = "TRUE" isolation.tools.getCreds.disable = "TRUE" isolation.tools.memSchedFakeSampleStats.disable = "TRUE" isolation.tools.ghi.protocolhandler.info.disable = "TRUE“ isolation.tools.dispTopoRequest.disable = "TRUE” isolation.tools.trashFolderState.disable = "TRUE” isolation.tools.ghi.trayicon.disable = “TRUE” isolation.tools.unity.disable = "TRUE“ isolation.tools.unityInterlockOperation.disable = "TRUE" isolation.tools.unity.push.update.disable = "TRUE“ isolation.tools.unity.taskbar.disable = "TRUE" isolation.tools.unityActive.disable = "TRUE" isolation.tools.unity.windowContents.disable = "TRUE" isolation.tools.vmxDnDVersionGet.disable = "TRUE" isolation.tools.guestDnDVersionSet.disable = "TRUE" isolation.tools.vixMessage.disable = "TRUE" tools.setinfo.sizeLimit = "1048576" tools.guestlib.enableHostInfo = "FALSE“ isolation.tools.ghi.autologon.disable = "TRUE" isolation.tools.ghi.launchmenu.change = "TRUE" floppy0.present = “FALSE” logging = “FALSE isolation.ghi.host.shellAction.disable = “TRUE”
Login Banner
The Federal Government requires a user warning and acknowledgement prior to logging into any security controlled system. The following
instructions accomplish this task:
- Modify Pre-Login Banner to DoD Warning
- Require Banner acknowledgment prior to login
From the EMA
Application Management is a new tool that provides the capability to manage many security-related system settings.
On SBC main screen, navigate to Administration > Users and Application Management > Application Management.
The "Application Management" window displays.
- Enable Show Login Banner option to display all fields.
- Enable Require User to Acknowledge Banner before Logging in option to receive acknowledgement from the users every time they try to login.
- Enter your text that should be displayed as Banner in the text box next to Banner Text option.
Once the changes are saved, the Banner text will displays on the login screen.
From the CLI
config set system admin USNASMSWe01 banner bannerText "<DoD Login Warning>" set system admin USNASMSWe01 banner ackBanner enable commit
CAC/RADIUS
From the CLI
1. Configure the SBC EMA for local Password Authentication and/or Remote (RADIUS).
Login as admin and enter the following:
#config #set oam ema clientAuthMethod usernamePasswordOrPkiCert #commit
2. Configure the OAM administrative User(s) ‘Access Type’ for password or PKI/CAC authentication:
[can this be done cli?]
3. Configure the SBC for RADIUS Server access and connectivity:
set oam radiusAuthentication radiusServer <Server Name> priority <Value> set oam radiusAuthentication radiusServer <Server Name> state <enabled/Disabled> set oam radiusAuthentication radiusServer <Server Name> radiusServerIp <IP addr> set oam radiusAuthentication radiusServer <Server Name> radiusServerPort <Port> set oam radiusAuthentication radiusServer <Server Name> radiusNasIp <Source IP> set oam radiusAuthentication radiusServer <Server Name> radiusSharedSecret <Password> set oam radiusAuthentication radiusServer <Server Name> mgmtInterfaceGroup <Interface Name> set oam radiusAuthentication radiusServer <Server Name> authenticationMethod <pap|peapmschapv2>
From the EMA
1. Configure the SBC EMA for local Password Authentication and/or Remote (RADIUS):
a. On the SBC main screen, navigate to administration > Users and Application Management > EMA
b. Click the Client Auth Method dropdown list and then select username or PKI cert and click Save.
2. Configure OAM administrative User(s) ‘Access Type’ for password or PKI/CAC authentication:
a. On the SBC main screen, navigate to Administration > Users and Application Management > User and Session Management.
b. Select your user and scroll down to Account type and then select Password or Public Key/CAC Card Only and Save.
c. Navigate to Administration > User and Application Management > User and then Session Management > Public Key Authentication.
d. Complete the page with your public key information.
The RSA public key must be at least 2048 bit strength in one of the following formats: PEM, PKCS8, RFC4716, OpenSSH
3. Configure the SBC for RADIUS Server access and connectivity.
a. From the SBC main screen, go to administration > Users and Application Management > Radius Authentication > Radius server
b. Select a new server and configure for your RADIUS server.
You can configure up to three RADIUS servers per SBC. The new Radius server option is not available once three servers are configured.
FIPS Mode
The SBC deployments in the US Federal Government require Federally complied encryption methods. FIPS-140-3 is the most current version and devices complied by the National Institute of Standards and Technology (NIST) are referred to as “FIPS Complied.” When FIPS Mode is enabled on the system it means that any protocol or encrypted data within a system will use the FIPS complied Encryption Module. FIPS mode is a requirement for the SBC to connect to any DoD network. The "FIPS Mode" will force certain parameter requirements in order to be compliant. For example, when TLS and SRTP are selected, TLS version 1.2 is only allowed. 1.0, and 1.1 are no longer available. Only a sub-set of SRTP cipher suites is available under FIPS Mode.
For more details on FIPS and the processes to enable: Users and Application Management - Fips-140-2.
- If SNMPv3 was configured prior to switching to FIPS mode, you must disable it prior to switching to FIPS mode and then reconfigure it again after enabling the FIPS mode.
- SBC Core 10.1.x supports FIPS 140-2.
From the CLI
Enter the following command:
set system admin <systemName> fips-140-3 mode <Disable | Enable>
From the EMA
- From the SBC home screen, go to All> System > Admin > fips-140-3.
- Choose the state of FIPS on your SBC.
Disabling FIPS will default the unit, erasing configuration information as well as certificates.
SNMPv3
2.1 Disable SNMPv2:
set oam snmp trapTarget emaTarget ipAddress 127.0.0.1 set oam snmp trapTarget emaTarget port 8162 set oam snmp trapTarget emaTarget trapType v2 set oam snmp trapTarget emaTarget targetUsername admin set oam snmp trapTarget emaTarget targetSecurityLevel noAuthNoPriv set oam snmp trapTarget emaTarget state disable commit
2.2 Reconfigure SNMP v3:
set oam snmp communityString admin snmpCommunityName admin set oam snmp communityString guest snmpCommunityName guest set oam snmp communityString operator snmpCommunityName operator set oam snmp version v3 set oam snmp localEngineId 80:00:0b:3f:03:00:0c:29:16:f8:9a set oam snmp securityLevel authPriv set oam snmp users admin group admin set oam snmp users admin authProtocol hmacsha set oam snmp users admin authKey 00:00:00:00:00:00:00:00 set oam snmp users admin privProtocol aes128 set oam snmp users admin privKey 00:00:00:00:00:00:00:00 set oam snmp users guest group guest set oam snmp users guest authProtocol hmacsha set oam snmp users guest authKey 00:00:00:00:00:00:00:00 set oam snmp users guest privProtocol aes128 set oam snmp users guest privKey 00:00:00:00:00:00:00:00 set oam snmp users operator group operator set oam snmp users operator authProtocol hmacsha set oam snmp users operator authKey 00:00:00:00:00:00:00:00 set oam snmp users operator privProtocol aes128 set oam snmp users operator privKey 00:00:00:00:00:00:00:00 commit
DoD Mode
DoD mode increases the security posture of the system by disabling certain accessibilities to the system, namely the CLI command access and Platform Manager on the Active system. Platform Manager is still available on the standby component of an HA pair. For troubleshooting purposes, you can enable CLI and PM from within the EMA, but as noted above and within the documentation, this reduces the security posture of the system.
From the CLI
set system admin <SYSTEM NAME> dod mode <disabled | enabled> set system admin <SYSTEM NAME> cliAccess <disabled | enabled> set system admin <SYSTEM NAME> pmAccess <disabled | enabled> commit
From the EMA
On the SBC main screen, navigate to All > System > Admin > Dod.
From here you can enable dod mode, pm access and CLI access as desired.
DoD PKI Certificates
DoD has its own global Certificate Authority and therefore is the only issuer of certificates for all DoD PKI enabled devices. You can use most of the devices that support PKI certs to generate Certificate Requests (CSRs), but you must submit all CSRs to the DoD CA for certificate issue. The DoD CA will issue the certificates in base-64 encoding. Since most devices use a PEM format and a private key, the certificates will need to be converted to either PEM, DER or P12 (with embedded private key). There are a number of tools for doing the conversion. The most common tool is openssl and the x509 commands. DoD mode can affect how certs are applied. For additional details on importing certificates into the SBC, refer to Generating PKI Certificates.
DISA SIP Trunk
There are three primary areas of SIP Trunking configuration for connecting to a DISA SIP Trunk. These areas are Policy, Signaling, and Media.
There are additional Packet Service Profile elements for Media handling and IP Signaling Profiles.
From the CLI
The following CLI commands are for the non-Default values for SIP Trunking to DISA.
set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME>sipTrunkGroup <SITE SPEC TG NAME>state enabled set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME>sipTrunkGroup <SITE SPEC TG NAME>mode inService set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME>sipTrunkGroup <SITE SPEC TG NAME>policy sipDomain UC.MIL set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME>sipTrunkGroup <SITE SPEC TG NAME>policy callRouting elementRoutingPriority Default_IP set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME>sipTrunkGroup <SITE SPEC TG NAME>policy media packetServiceProfile BLK_PSP set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME>sipTrunkGroup <SITE SPEC TG NAME>policy signaling ipSignalingProfile <Site Specific IPSP> set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME>sipTrunkGroup <SITE SPEC TG NAME>signaling messageManipulation outputAdapterProfile <Site Specific SMM> set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME>sipTrunkGroup <SITE SPEC TG NAME>media lateMediaSupport passthru set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME>sipTrunkGroup <SITE SPEC TG NAME>media mediaIpInterfaceGroupName <Site specific Interface Group Name> set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME>sipTrunkGroup <SITE SPEC TG NAME>media mediaPortRange baseUdpPort 16384 set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME>sipTrunkGroup <SITE SPEC TG NAME>media mediaPortRange maxUdpPort 32764 set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME>sipTrunkGroup <SITE SPEC TG NAME>ingressIpPrefix <DISA SBC Peer IP> set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME>sipTrunkGroup <SITE SPEC TG NAME>ingressIpPrefix <Alt DISA SBC Peer IP>
From the EMA
- Navigate to Configuration > System Provisioning > Trunk Group > Sip Trunk Group.
- Select or create your site specific trunk group, both enabled and in service.
- Navigate to Configuration > System Provisioning > Trunk Group > Sip Trunk Group > Policy.
- Complete the sip domain field and then click Save.
- Navigate to Call Routing and then select Default_ip and Save.
- Within the Policy subfolder, navigate to Media, select your site specific Packet Service Profile and then click Save.
- Under Media is Signaling, assign your site specific IPSP.
- From the home screen, navigate to Configuration > System Provisioning >Trunk Group > Sip Trunk Group > Signaling > Message Manipulation.
- Assign your site specific SMM profiles.
- Navigate to Configuration > System Provisioning > Trunk Group > Sip Trunk Group > Media.
- Set late media support to passthru.
- Assign a media ip interface group name.
- Navigate to Configuration > System Provisioning > Trunk Group > Sip Trunk Group > Media > Media Port Range.
- Assign base UDP port to 16384, and max UDP port to 32764.
- Navigate to Configuration > System Provisioning > Trunk Group > Sip Trunk Group > Ingress ip prefix.
- Assign a DISA SBC ip peer address, and an alt DIS SBC peer IP.
Packet Service Profile (PSP)
The Ribbon SBC Packet Service Profile is used to adjust the commonly known media and media policy elements that vary between the SIP
protocol vendors.
EMA | Packet Service Profile - Video Calls |
CLI: Packet Service Profile - CLI | |
Packet Service Profile Video Calls - CLI | set profiles media packetServiceProfile <unique_profile_name> videoCalls audioOnlyIfVideoIsPrevented <disable | enable> Default = Enable |
codecListProfile <name> Default = Blank | |
ieee8021QVLanCos <0-7> Default = 0 | |
ipv4Tos <0-255> Default = 0 | |
ipv6TrafficClass <0-255> Default = 0 | |
maxVideoBandwith <0-50000 kbps> Default = 0 | recommend 6000 |
videoBandwidthReductionFactor <0-100> Default = 0 | Recommend 10 |
From the EMA
Navigate to All> Profiles > Media > Packet Service Profile > Video Calls.
All of the fields in the above commands are present and configurable here.
IP Access Control/Access Control List(ACL) Implementation
The purpose of the ACL Feature is to first, Deny and then Allow users and Services(NTP, Radius, syslog, ect) to secure the Management ports of the SBCs via IP Address. This is done by first, assigning the Allow address/protocols/ports then locking down the overall system by assigning the DENY action to the system. In this manner, we DENY anything not in the ALLOW list.
From the EMA
1. Navigating the SBC EMA for IP Access Control:
a. Login to the SBC EMA screen and navigate to Configuration > Security Configuration and IP Access Control List(open pulldown) > Rule
b. Select the correct Address Context from the system.
The screen will show existing rules and from here New Rules can be added.
2. Adding a New Access Rule:
a. Navigate to the IP Access Control List(open pulldown) > Rule section of the EMA,
b. Select the correct Address Context from the system.
c. Click on the + New Rule button.
f. Scroll down to the Create New Rule
g. Proceed to configure the New Rule
d. Scroll down to the Create New Rule
Example of New Rule Screen:
2b. Access Rule fields
a. Name (up to 23 characters)
b. The characters #%^&(){}<>,/\;`[]=!$"*?|~ and SPACE are not allowed.
c. Precedence*(1 - 65535)
d. The precedence of this access control list rule.
e. Protocol (icmp or tcp or udp or icmpv6 or ospf or any or 0 - 255)
f. The IP protocol type.
b. IP Interface Group
c. The name of a IP interface group(IPIG) to match.
d. IP Interface
e. The name of an IP interface to match
f. Mgmt IP Interface Group (Normally used: Covers all Mgmt interfaces)
g. The name of a MGMT IP interface group to match.
b. Mgmt IP Interface (can be used for individual Mgmt interfaces)
c. The name of a MGMT IP interface to match.
d. Source IP Address
e. The source IP address to match.
f. Source Address Prefix Length(0 - 128)
g. The length of source IP address prefix which must match.
b. Destination IP Address
c. The destination IP address prefix to match.
d. Destination Address Prefix Length (0 - 128)
e. The length of destination IP address prefix which must match.
f. Source Port(any or 0 - 65535)
g. The source port to match.
b. Destination Port(any or 0 - 65535)
c. The destination port to match.
d. Action
e. Accept/Discard/Unconditional Deny
f. The action to take when this rule is matched.
g. Fill Rate
b. (unlimited or 1 - 32000)
c. The policing fill rate (in pkts/sec) set to 50 pkt/sec as default value
d. Bucket Size
e. (unlimited or 1 - 255)
f. The policing bucket size (in pkts). Set to 50 pkt if not specified by operator.
g. State
b. Disabled/Enabled
c. Administrative state of the IP access control list rule.
d. Aggregate Policer
e. name of aggregate policer associated with.
f. Min TTL
g. (0 - 255)
b. The minimum TTL for BFD Support
Example of completed 'Allow' rule
Example of Deny-All rule (required)
Zone Block Direction
The blocking function restricts sending out SIP requests outside an existing dialog from your network to an opposite network, but does not restrict sending in-dialog requests to the opposite network. Incoming SIP requests are not restricted, and test calls are sent to the opposite network even when the blocking state is OUTGOING.
Command Syntax
Use this command to block incoming /outgoing calls based on the selected direction.
Unless annotated otherwise, the parameter values in this section apply to the SBC Core.
% set addressContext <adddress context name> zone <zone name> ipPeer <ippeer name> blockDirection <bothways | incoming | none | outgoing>
Command Parameters
Parameter | Description |
---|---|
| The Block Direction options include:
|