This document describes ways of security improvement and how to protect your system from some kind of fraud.
Listed is an overview of Sippy's current security features:
- Complicated passwords - default password template is a minimum of 7 alphanumeric digits. Password templates are customized by on a per-account basis by our support team.
- Password Strength indicator - Password strength is shown to users when user passwords expire or are created for the first time.
- Encrypted passwords - passwords are encrypted from save, without an ability to retrieve saved passwords from DB.
- Separate VoIP credentials for Digest Authentication - different web and SIP traffic credentials Accounts for accessibility and user security.
- Sophisticated VoIP traffic Authentication - Combined Remote IP, Incoming CLI and Incoming CLD authentication to authenticate traffic to an Account.
- Account session limits - Total session limits (inbound/outbound combined) protect an Account from traffic flooding resulting from hacked Account.
- Account CPS limits - CPS limits protect an Account from traffic flooding resulting from hacked Account.
- Account Balance token system - Real-time Account's Balances apply logic to incoming call attempts referencing remaining Balance/Credit, calls cost/rate, and calls in progress to allow additional calls to pass.
- Built-in Firewall for additional network security layer - Web, SSH, DB, and SIP traffic firewall rules.
- Web Access Control restriction - restrict staff web login to specified IP addresses/location.
- User Audit logs - Monitor changes made by staff.
- Connection channel and CPS limits - restrictive routing and capping of calls to specified upstream locations.
- Adjust a default password_policy template - ask support team to provide you the default parameters that your system use and adjust them if needed.
- In-house framework (Sippy B2BUA & RTPproxy) ensures Sippy is not remotely vulnerable to industry-wide security and fraud attacks.
- Proper ACD value set in tariff, with the ACD=Max session time system will never drain account's/customer's balance below zero, but it could result in some calls being dropped as a result.
- Transparent external firewall is recommended for handling complicated rules and to protect an overload of network card from any fraud traffic/packets or any DDOS attack.
- Use PINs for vouchers if they are used.
- Use PINs for accounts if the calling cards are used.
- Avoid using authentication rules with only CLI/CLD mentioned, the IP adds extra security to the authentication
- Use authentication by Vendor/Connection in the DID authentication rules if DIDs are used in the scenario.
- Mask topology of your network using the media relay feature that proxies the rtp and hiding the original IP of a device.
- Use your own VPN server if your staff is seating on a dynamic IPs. Such an approach would make the connection to the Sippy server more secure and would allow you to configure a web firewall and restrict any suspicious attempts to access to the web/db/ssh from all unknown IPs.
framework (Sippy B2BUA & RTPproxy) ensures Sippy is not remotely
vulnerable to industry-wide security and fraud attack
Steps to take to secure your Sippy switch:
Web access control
Web access control feature allows Sippy switch owner to specify the exact list of IPs for web access for particular web-user, that could be specified in the "My Preferences" menu of the customer/web user. Thus only mentioned IPs would be able to login to the web with credentials of that user.
By default owner will see value "Any" in the "Allowed Hosts" field. Any means that anyone can access to the web interface with proper login and password. Also you can specify the comma separated list of IPs instead of value "Any" and with such configuration only clients from that list of IPs would be able to login to the web interface with proper login and password: