2 EAGLE Security Overview
This chapter describes basic security considerations and provides an overview of EAGLE security.
2.1 Basic Security Considerations
The following principles are fundamental to using any application securely:
- Keep software up to date. This includes the latest product release and any patches that apply to it.
- Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements.
- Monitor system activity. Establish who should access which system components, and how often, and monitor the security log.
- Install software securely. For example, use firewalls, secure protocols using TLS (SSL), and strong passwords. See Performing a Secure EAGLE Installation for more information.
- Learn about and use the EAGLE security features. See Implementing EAGLE Security for more information.
- Keep up to date on security information. Oracle regularly issues security-related patch updates and security alerts. You must install all security patches as soon as possible. See the "Critical Patch Updates and Security Alerts" Web site: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
When planning your EAGLE implementation, consider the following questions:
- Which resources need to be protected?
  - You need to protect customer data, such as routing data and network traffic.
  - You need to protect internal data, such as proprietary source code.
  - You need to protect system components from being disabled by external attacks or intentional system overloads.
- Who are you protecting data from?
For example, you need to protect your subscribers' data from other subscribers, but someone in your organization might need to access that data to manage it. You can analyze your work flows to determine who needs access to the data; for example, it is possible that a system administrator can manage your system components without needing to access the system data.
- What happens if protections on strategic resources fail?
In some cases, a fault in your security scheme is nothing more than an inconvenience. In other cases, a fault might cause great damage to you or your customers. Understanding the security ramifications of each resource will help you protect it properly.
2.2 Overview of EAGLE Security
EAGLE is a secure and reliable signaling platform that provides SS7-focused signal transfer point (STP) and signaling gateway (SG) services that help manage intelligent routing, screening services, number portability (NP), equipment identity register, and integrated performance/service management.
Secure Database Access Credentials
Only authorized personnel are allowed to access the database/admin commands, and a user ID and password are required. Provide minimum database access privileges to the operators so that unauthorized modifications can be avoided. For more information, see Implementing EAGLE Security.
SSH and SFTP
The Secure Shell (SSH) protocol and SSH File Transfer Protocol (SFTP) are used by default for all IP connections, providing secure data transmission through encryption. These secure protocols can be disabled, but this is not recommended. Turning the OA&M IP Security feature ON or OFF does not itself enable or disable SSH or SFTP.
For Release 46.5 and later, the EAGLE OA&M IP Security feature is enabled by default, and the feature entry is used only to control alarming when the SSH for terminals setting or the Security setting of an FTP server entry is OFF. SSH for terminals and Security of FTP server entries are controlled via the SECU-DFLT: SSH parameter and the SECURITY parameter of the FTP server entries, respectively. The following is expected after upgrade to release 46.5 or later from release 46.4 or earlier:
- If the OA&M IP Security feature is currently (R46.4 or earlier) OFF, then it will remain OFF after the upgrade to R46.5.
- If the OA&M IP Security feature is currently (R46.4 or earlier) ON, and all the FTP Servers have Security ON and the Telnet terminals are using SSH, then it will remain ON after the upgrade to R46.5.
- If the OA&M IP Security feature is currently (R46.4 or earlier) ON, and one or more FTP server or Telnet terminal entries are not using SSH, then it will be turned OFF after the upgrade to R46.5, so that no new alarms will be generated after the upgrade.
- If the OA&M IP Security feature is currently (R46.4 or earlier) OFF and SECU-DFLT-SSH parameter is ON, then the SECU-DFLT-SSH parameter will be turned OFF after the upgrade to R46.5, so that the access protocol used will not be changed after the upgrade.
- If the OA&M IP Security feature is currently (R46.4 or earlier) OFF and the SECURITY parameter is ON for the FTP server entry in the FTP server table, then the SECURITY parameter for the FTP server entry (except for the SFLOG FTP server entry) will be turned OFF after the upgrade to R46.5, so that the file transfer protocol used will not be changed after the upgrade.
Use the SS7 Firewall Feature
The SS7 Firewall feature provides an additional set of capabilities to monitor, throttle, and validate messages:
- Logging capability on the SCCP card
The logging engine logs events from an SCCP card, primarily containing the MTP, SCCP, TCAP, and MAP portions of a message. The SCCP card transfers all log events for the MSUs that trigger the SFLOG GTT action. Two IPS cards act as the primary and secondary logging cards.
- Egress throttling
For each SFTHROT GTT action, a threshold can be provisioned to limit the number of MSUs triggering the GTT action in a 30 second period, throttling such messages if the number of messages crosses the provisioned threshold.
- Map-Based Routing
Map-based routing provides enhancements to the existing FLOBR/TOBR/GTT Actions framework to allow additional MAP components to be used in the selection process.
- MAP SCCP validation
In certain MAP operations, some MAP parameters are expected to be the same as either the SCCP CdPA or CgPA. With SS7 Firewall, GTT Action SCPVAL will be used for this validation. This validation will be done only on MO-FSM and MT-FSM messages coming to the EAGLE.
- SS7 Firewall Stateless Enhancement
This enhancement is comprised of a combination of SS7 Firewall Enhancement features, including Support for MAPv1 in MAP Based Routing, Support for Additional MAP Opcodes, Support for IMSI in MO-FSM, Support for Segmented XUDT, TCAP Decoding, GTTSET Measurements, and others.
- Support for CAT2 SS7 Security
The CAT2 SS7 Security functionality allows EAGLE to detect anomalies on inbound packets through bulk upload of customer IR.21 documents using the CAT2 Utility. The CAT2 Utility runs outside EAGLE and can be downloaded from Oracle Software Delivery Cloud along with the other components. This is supported through the EAGLE Category 2 security feature.
Note:
The IR.21 document contains operator-wise network information such as MCC-MNC, Node GT (HLR/VLR/MSC), and CC-NDC. RAEX IR.21 provides the means of exchanging the IR.21 using a pre-defined data format and according to a standardized business process.
The CAT2 functionality is divided into three parts:
- Conversion of IR.21 XML file: The IR.21 XML file data is parsed on a Linux machine and extracted into specific database tables.
- Bulk upload after conversion: The data from the tables is uploaded to EAGLE along with the Network card, supporting SCCP functionality.
- Data Validation: Based on the data available in the tables, the SCPVAL GTT action validates that the CgPA and IMSI of an MSU belong to the same operator. For more details, refer to Database Administration - GTT User's Guide.
For more information on the SS7 Firewall feature, see Database Administration - GTT User's Guide.
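The SFTHROT egress throttling and SCPVAL validation actions described above, modelled as an added example that is not EAGLE code: the operator table (in the shape the IR.21 conversion step produces), the MSU records and the threshold are constructed, and the prefix-matching rules are a simplification of the validation the guide describes.

```python
"""Stateless model of two SS7 Firewall GTT actions: SFTHROT (egress
throttling per 30 second period) and SCPVAL (CgPA / IMSI operator match)."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 30  # SFTHROT counts triggering MSUs per 30 second period

# Constructed operator table: operator -> MCC-MNC and the CC-NDC prefixes
# of its Node GTs (HLR/VLR/MSC). All values are made up for this example.
OPERATORS = {
    "OP_A": {"mccmnc": "26201", "cc_ndc": ("49170", "49171")},
    "OP_B": {"mccmnc": "20810", "cc_ndc": ("33607",)},
}

@dataclass
class Msu:
    opcode: str    # MAP operation, e.g. "MO-FSM" or "MT-FSM"
    cgpa_gt: str   # SCCP Calling Party Address global title digits
    imsi: str      # IMSI carried in the MAP part of the message
    ts: float      # arrival time in seconds

def operator_of_gt(gt):
    """Resolve a global title to an operator by CC-NDC prefix (None if unknown)."""
    for name, op in OPERATORS.items():
        if gt.startswith(op["cc_ndc"]):
            return name
    return None

def operator_of_imsi(imsi):
    """Resolve an IMSI to an operator by its MCC-MNC prefix (None if unknown)."""
    for name, op in OPERATORS.items():
        if imsi.startswith(op["mccmnc"]):
            return name
    return None

def scpval(msu):
    """SCPVAL-style check: CgPA and IMSI must belong to the same operator.
    Only MO-FSM and MT-FSM messages are validated, as the guide states."""
    if msu.opcode not in ("MO-FSM", "MT-FSM"):
        return "skip"
    gt_op, imsi_op = operator_of_gt(msu.cgpa_gt), operator_of_imsi(msu.imsi)
    return "pass" if gt_op is not None and gt_op == imsi_op else "fail"

class Throttle:
    """SFTHROT-style counter: MSUs beyond the provisioned threshold within
    the same 30 second period are throttled (allow() returns False)."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.counts = defaultdict(int)  # window index -> MSUs seen

    def allow(self, msu):
        window = int(msu.ts // WINDOW_SECONDS)
        self.counts[window] += 1
        return self.counts[window] <= self.threshold
```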
It is possible to use EAGLE Visualization with the SS7 security features for data visualization purposes. Visualized data allows understanding the current state of the network, which provides important insights for taking the security measures required to secure the network. For more information on the EAGLE Visualization feature, see Logging and Visualization Feature User's Guide.
Do Not Use Default Community Strings for SNMP Agent Implementation
SNMP is an industry-wide standard protocol used for network management. SNMP agents interact with Network Management Systems (NMSs) that are used to monitor and control the network. Community Names are used to validate commands sent from an NMS and traps sent to an NMS. You should not use the well-known default community strings, and instead use unique community strings (for example, for requests and traps). Unique community strings lessen the impact if a community string is compromised.