Enterprise Security Documentation

This document provides comprehensive security documentation for VoIPmonitor, intended for Chief Information Security Officers (CISOs), security teams, and compliance auditors conducting security assessments.

Executive Summary

VoIPmonitor is an open-source network packet sniffer and call analyzer for SIP VoIP traffic. This document outlines security controls, architecture, compliance capabilities, and best practices for secure deployment.

Category	Summary
Deployment Model	On-premises software (self-hosted)
Data Location	Customer-controlled infrastructure
Encryption	TLS for web GUI, optional database encryption, encrypted sensor communication
Authentication	Local accounts, LDAP, OAuth 2.0 (Google/Microsoft), 2FA

Security Architecture

System Components

Network Ports

Port	Protocol	Component	Security Recommendation
80	TCP	Web GUI (HTTP)	Redirect to HTTPS
443	TCP	Web GUI (HTTPS)	Required - Use valid TLS certificate
3306	TCP	MySQL Database	Internal only - Never expose publicly
5029	TCP	Manager API	Internal only - Restrict via firewall
60024	TCP	Sensor-to-Server	Encrypted with shared secret
5060/5061	UDP/TCP	SIP Monitoring	Passive monitoring interface

⚠️ Warning: Ports 3306 (MySQL) and 5029 (Manager API) must NEVER be exposed to the public internet.

Authentication & Access Control

Supported Authentication Methods

Method	Description	Documentation
Local Accounts	Built-in username/password with SHA-256 hashing	Default method
Two-Factor Authentication (2FA)	TOTP-based second factor	Settings > System Configuration
LDAP Integration	Authenticate against Active Directory/LDAP	Custom Login
Google Sign-In (OAuth 2.0)	Google Workspace SSO	Google_Sign_in_usage
Microsoft Sign-In (Entra ID)	Microsoft 365/Azure AD SSO	Microsoft_Sign_in_usage
REMOTE_USER	External authentication (SSO, Kerberos)	REMOTE_USER_Authentication

Session Security

Session ID Regeneration - Automatic regeneration on login (prevents session fixation attacks)
Configurable Timeout - Set via PHP session.gc_maxlifetime
Session IP Validation - Optional binding to client IP address
Manual Invalidation - Administrators can terminate sessions

Role-Based Access Control

VoIPmonitor supports granular permissions:

User-level access restrictions
IP-based access restrictions (Users > Secure users tab)
Group-based permissions
Read-only vs. administrative access

Data Protection

Data Classification

Data Type	Sensitivity	Storage	Protection Options
Call metadata (CDRs)	Medium-High	MySQL database	TDE, filesystem encryption
User credentials	High	MySQL database	SHA-256 hashed (or LDAP offload)
Call recordings	High	Filesystem	Filesystem encryption (LUKS)
Configuration files	Medium	Filesystem (`/etc/voipmonitor.conf`)	File permissions (600)
Session data	Medium	PHP session storage	Secure session configuration

Encryption Capabilities

Data in Transit:

HTTPS/TLS for web GUI access
Optional TLS for MySQL connections (SSL/TLS_connection_to_the_Mysql/MariaDB)
Encrypted sensor-to-server communication (server_password)

Data at Rest:

Database: MySQL/MariaDB Transparent Data Encryption (TDE)
Filesystem: LUKS, dm-crypt, or hardware encryption
Note: VoIPmonitor does not encrypt data at rest natively - use infrastructure-level encryption

Privacy Features

Data Retention Policies - Automated cleanup via cleandatabase settings
Audit Logging - File-based logging via AUDIT_LOG_FILE in configuration.php

Compliance Framework

Audit Logging

Enable comprehensive audit logging:

// In /var/www/html/config/configuration.php
define('AUDIT_LOG_FILE', '/var/log/voipmonitor/audit.log');

Logged events include:

User logins/logouts
Configuration changes
Data access
Administrative actions

Vulnerability Management

Software Updates

Regular update schedule recommended

Security Hardening Checklist

Web Server:

[ ] HTTPS enabled with valid certificate
[ ] HTTP redirected to HTTPS
[ ] TLS 1.2+ only (disable older protocols)
[ ] Strong cipher suites configured
[ ] HTTP security headers (HSTS, X-Frame-Options, CSP)

Application:

[ ] 2FA enabled for administrative accounts
[ ] Strong password policy enforced
[ ] Unused accounts disabled/removed
[ ] IP restrictions configured where possible
[ ] Audit logging enabled

Infrastructure:

[ ] Firewall rules restricting access to management ports
[ ] Database not exposed to public internet
[ ] File permissions properly set (/etc/voipmonitor.conf = 600)
[ ] Unnecessary services disabled
[ ] Regular security updates applied

Monitoring:

[ ] Log aggregation configured
[ ] Alerting for failed login attempts
[ ] Regular access reviews

System Hardening

File Permissions

# Configuration file
chmod 600 /etc/voipmonitor.conf
chown root:root /etc/voipmonitor.conf

# Web files
chown -R www-data:www-data /var/www/html
find /var/www/html -type f -exec chmod 644 {} \;
find /var/www/html -type d -exec chmod 755 {} \;

# Recordings directory
chmod 750 /var/spool/voipmonitor

Incident Response

Log Locations

Log Type	Location
VoIPmonitor sniffer	`/var/log/voipmonitor.log`
Web server (Apache)	`/var/log/apache2/`
Web server (Nginx)	`/var/log/nginx/`
PHP errors	`/var/log/php*.log`
MySQL	`/var/log/mysql/`
Audit log	Configurable via `AUDIT_LOG_FILE`
System authentication	`/var/log/auth.log`

Security Event Investigation

# Check recent failed logins
grep "Failed" /var/log/auth.log | tail -50

# Check web access logs for suspicious activity
grep -E "(POST|401|403)" /var/log/apache2/access.log | tail -100

# Review audit log
tail -100 /var/log/voipmonitor/audit.log

Vendor Security Information

Security Contact

For security vulnerabilities, contact VoIPmonitor support through official channels.

Third-Party Components

VoIPmonitor uses standard open-source components:

Linux operating system
Apache/Nginx web server
PHP runtime
MySQL/MariaDB database
OpenSSL for encryption