Security Policy and Posture: Difference between revisions

From VoIPmonitor.org
(Review: fixed heading syntax (missing closing =), added security architecture diagram)
 
(6 intermediate revisions by 2 users not shown)
Line 2: Line 2:
{{DISPLAYTITLE:Security Policy and Posture}}
{{DISPLAYTITLE:Security Policy and Posture}}


This page provides an overview of VoIPmonitor's security posture, development practices, and internal security controls. This information is intended for security departments conducting assessments, audits, or compliance reviews.
This page provides an overview of VoIPmonitor's security posture, development practices, and internal security controls for security departments conducting assessments, audits, or compliance reviews.


== Security Assessment and Analysis ==
== Data Protection ==


=== Vulnerability Testing ===
=== Database Encryption ===


* No automated vulnerability scanning is performed as part of the standard development or release process
{| class="wikitable"
* No manual penetration testing or third-party security audits are regularly conducted
|-
* Bug reports and security issues are addressed as they are identified by users or researchers
! Data Type !! Encryption Status !! Notes
|-
| CDRs, call metadata || '''Not encrypted''' at rest || Use MySQL/MariaDB TDE or filesystem encryption (LUKS) if required
|-
| User passwords || SHA-256 hashed || LDAP offloads credential storage externally
|-
| Data in transit || Optional TLS || See [[SSL/TLS_connection_to_the_Mysql/MariaDB]]
|}


=== Development Methodology ===
{{Tip|1=For environments requiring database encryption at rest, use MySQL/MariaDB Transparent Data Encryption (TDE) or filesystem-level encryption (LUKS, dm-crypt).}}


* The application was developed following general security best practices
=== Privacy Features ===
* No specific formalized secure development methodology (SDLC) has been documented or systematically applied
* Security improvements are implemented incrementally based on industry standards and customer requirements


== Data Protection and Encryption ==
* '''IP Anonymization''' - Database-level anonymization via Groups > IPs > Anonymize Rewrite Rules
* '''Two-Factor Authentication (2FA)''' - Enhanced account security
* '''Audit Logging''' - File-based logging via <code>AUDIT_LOG_FILE</code> in [[GUI_Configuration_PHP|configuration.php]]
* '''Regulatory Compliance''' - SIPREC WORM storage (SEC 17a-4, CFTC 1.31), [[CALEA_compliance|CALEA]] export


=== Database Encryption ===
== Authentication ==


* User data in the database (CDRs, call metadata, configuration settings) is stored in plain text and is NOT encrypted
=== Supported Methods ===
* Only user passwords are encrypted (see Password Storage below)
* For encryption of data in transit between components, see [[SSL/TLS_connection_to_the_Mysql/MariaDB]]


=== Password Storage ===
{| class="wikitable"
|-
! Method !! Status !! Documentation
|-
| Local accounts || Supported || Built-in username/password
|-
| Two-Factor Authentication || Supported || Settings > System Configuration
|-
| LDAP (password verification) || Supported || [[WEB_API#Custom_Login|Custom Login]] - username/password only
|-
| Google Sign-In (OAuth 2.0) || Supported || [[Google_Sign_in_usage|Google Sign-In]]
|-
| Microsoft Sign-In (Entra ID) || Supported  || [[Microsoft_Sign_in_usage|Microsoft Sign-In]]
|-
| REMOTE_USER Authentication || Supported || [[REMOTE_USER_Authentication]]
|-
| Custom login scripts || Supported || [[WEB_API#Custom_Login|Custom Login]]
|}


* User credentials (passwords) are stored using sha256 hashing
=== Session Management ===
* An option for LDAP authentication is available, which offloads credential storage to an external LDAP server
* For more details on authentication methods, see [[Shibboleth_and_other_auth_modules]]


=== Data Privacy Features ===
* PHP sessions with '''automatic session ID regeneration on login''' (prevents session fixation)
* Configurable timeout via <code>session.gc_maxlifetime</code> in php.ini
* Manual session invalidation available for administrators


VoIPmonitor includes several features to assist with privacy compliance:
{{Note|1=Automatic session ID regeneration is a built-in security feature requiring no additional configuration.}}


* [[Data_Privacy_and_Data_Masking|IP Address Anonymization]] - Database-level anonymization of IP addresses
== Network Security ==
* [[2FA]] - Two-Factor Authentication for enhanced user account security
* Various compliance integrations ([[SIPREC]], CALEA support, PCI-DSS features)


== Authentication and Session Management ==
=== Architecture Overview ===


=== Supported Authentication Methods ===
<kroki lang="mermaid">
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 35}}}%%
flowchart LR
    subgraph Users["Access"]
        Admin["Admin"]
    end


VoIPmonitor supports multiple authentication approaches:
    subgraph Auth["Auth Layer"]
        Local["Local/LDAP"]
        OAuth["OAuth"]
        TwoFA["2FA"]
    end


* Local user accounts with username/password
    subgraph Web["Web Layer"]
* Two-Factor Authentication (2FA) - see [[2FA]]
        HTTPS["HTTPS"]
* LDAP authentication (username/password verification) - see [[Shibboleth_and_other_auth_modules|LDAP Authentication]]
        GUI["Web GUI"]
* Google Sign-In (OAuth 2.0) - see [[Shibboleth_and_other_auth_modules]]
    end
* Microsoft Sign-In (Azure AD/Entra ID) - scheduled for upcoming stable release
* Custom login scripts for integration with external authentication systems - see [[WEB_API#Custom_Login]]


=== Authentication Methods NOT Supported ===
    subgraph Core["Core"]
        DB[(MySQL)]
        Sensor["Sensors"]
    end
 
    Admin --> Auth --> HTTPS --> GUI
    GUI --> DB
    GUI -->|TCP 5029| Sensor
    Sensor -->|Encrypted TCP 60024| Sensor
</kroki>
 
=== Firewall Ports ===
 
{| class="wikitable"
|-
! Port !! Protocol !! Service !! Security Notes
|-
| 80, 443 || TCP || Web GUI || '''HTTPS strongly recommended'''
|-
| 5029 || TCP || Manager API || '''Restrict to internal IPs only''' - never expose publicly
|-
| 60024 || TCP || Sensor-to-server || Encrypted with <code>server_password</code>
|-
| 5060 || UDP/TCP || SIP monitoring || Default SIP port
|}


The following methods are NOT currently supported:
{{Warning|1=The Manager API port (5029) should NEVER be exposed to the public internet.}}


* Shibboleth SSO - not supported
=== Key Security Features ===
* SAML-based SSO (including JumpCloud, Okta, OneLogin) - not supported
* LDAP SSO (click-through login without credentials) - only LDAP username/password is supported
* Generic OIDC providers other than Google


For complete details, see [[Shibboleth_and_other_auth_modules|SSO Authentication Support]]
* '''[[Tls|TLS/SRTP Decryption]]''' - Decrypt encrypted VoIP traffic for monitoring
* '''[[Sniffer_distributed_architecture|Encrypted sensor communication]]''' - Secure TCP with <code>server_password</code>
* '''[[Securing_the_VoIPmonitor_Web_GUI_HTTPS_and_Basic_Auth|HTTPS/Basic Auth]]''' - Secure web GUI access


=== Session Management ===
== Security Assessment Checklist ==
 
=== Configuration Review ===
 
* SSL/TLS configuration (certificate validity, cipher suites)
* Database connection encryption ([[SSL/TLS_connection_to_the_Mysql/MariaDB|MySQL SSL]])
* Firewall rules for all VoIPmonitor ports
* File permissions on <code>/etc/voipmonitor.conf</code> (should be 600 or 640)
 
=== Authentication Review ===
 
* Validate 2FA and LDAP configuration
* Review user permissions in GUI (Users & Audit > Users)
* Check IP restrictions (Users > Secure users tab)


* User sessions are managed using PHP sessions
=== Compliance Review ===
* Session inactivity timeout is configurable
* For specific timeout configuration, review your PHP configuration (php.ini) and web server settings


== Architecture and Network Security ==
* Privacy features for GDPR/HIPAA requirements
* Audit logging enabled if required ([[GUI_Configuration_PHP#Audit_Log|AUDIT_LOG_FILE]])
* Data retention policies (<code>cleandatabase</code> settings in [[Data_Cleaning|Data Cleaning]])


The VoIPmonitor system architecture includes multiple security layers:
== System Hardening ==


<kroki lang="mermaid">
VoIPmonitor requires only components listed in installation guides. Remove unnecessary services to minimize attack surface.
flowchart TB
    subgraph Users["User Access"]
        Admin["Admin/User"]
    end


    subgraph Auth["Authentication Layer"]
=== Services NOT Required ===
        Local["Local Auth<br/>(SHA256)"]
        TwoFA["2FA"]
        LDAP["LDAP<br/>(user/pass)"]
        Google["Google<br/>OAuth 2.0"]
        MS["Microsoft<br/>(upcoming)"]
    end


    subgraph WebLayer["Web Layer"]
{| class="wikitable"
        HTTPS["HTTPS/TLS"]
|-
        BasicAuth["HTTP Basic Auth"]
! Service !! Risk !! Action
        PHP["PHP Sessions"]
|-
    end
| CUPS (printing) || CUPS_Evilsocket and similar vulnerabilities || Remove
|-
| Desktop environments || Large attack surface || Remove from production
|-
| FTP servers || Insecure protocol || Remove if unused
|-
| Development tools || Compiler exploits || Remove from production
|}


    subgraph Core["VoIPmonitor Core"]
=== Removing CUPS ===
        GUI["Web GUI"]
        DB["MySQL/MariaDB<br/>(unencrypted data)"]
        Sensor["Sensors"]
    end


    subgraph Network["Network Security"]
<syntaxhighlight lang="bash">
        SensorComm["Encrypted TCP<br/>(server_password)"]
# Check if installed
        TLSDecrypt["TLS/SRTP<br/>Decryption"]
dpkg -l cups 2>/dev/null || rpm -qa cups
    end


    subgraph Compliance["Compliance"]
# Stop and disable
        SIPREC["SIPREC WORM"]
systemctl stop cups && systemctl disable cups
        CALEA["CALEA Export"]
        IPAnon["IP Anonymization"]
    end


    Admin --> Auth
# Remove (Debian/Ubuntu)
    Auth --> WebLayer
apt remove --purge cups cups-browsed
    WebLayer --> GUI
    GUI --> DB
    GUI --> Sensor
    Sensor --> SensorComm
    Sensor --> TLSDecrypt
    GUI --> Compliance
</kroki>


* [[Tls|TLS/SRTP Decryption]] - Support for decrypting encrypted VoIP traffic for monitoring and analysis
# Remove (RHEL/CentOS/AlmaLinux)
* [[Sniffer_distributed_architecture|Secure communication between sensors and central server]] (encrypted TCP connections with server_password)
yum remove cups
* [[Securing_the_VoIPmonitor_Web_GUI_HTTPS_and_Basic_Auth|HTTPS and Basic Authentication]] for securing the web GUI
</syntaxhighlight>
* [[SIPREC|SIPREC recording with WORM storage]] for regulatory compliance (SEC 17a-4, CFTC 1.31)
* CALEA integration support for law enforcement data export requests


== Recommendations for Security Assessments ==
{{Warning|1=Before removing any service, verify it is not required by other applications on the server.}}


When conducting a security assessment of VoIPmonitor, consider the following:
== See Also ==


* Focus the review on deployment-specific configurations (web server SSL, database connection encryption, firewall rules)
* [[Sniffer_configuration|Sniffer Configuration]] - Security-related parameters
* Validate that required authentication methods (LDAP, SSO) are available for your environment
* [[User_Management|User Management]] - Permissions and access control
* Review the [[Data_Privacy_and_Data_Masking|privacy features]] to ensure they meet your compliance requirements
* [[GUI_Configuration_PHP|GUI Configuration]] - Audit logging setup
* Implement additional security layers at the infrastructure level (intrusion detection, network segmentation, etc.) as no automated vulnerability scanning is performed by the vendor


== AI Summary for RAG ==
== AI Summary for RAG ==


'''Summary:''' This page documents VoIPmonitor's security posture and development practices. No automated vulnerability scanning or formal penetration testing is conducted. Development followed general security best practices without a specific formalized SDLC. User data in the database is NOT encrypted (only passwords are encrypted using sha256). Authentication options include local accounts, 2FA, LDAP (username/password only, not SSO), Google Sign-In, Microsoft Sign-In (upcoming stable release), and custom login scripts. Shibboleth, SAML-based SSO, and LDAP SSO are NOT supported. Sessions use PHP with configurable inactivity timeout. Security features include TLS/SRTP decryption, encrypted sensor communication, HTTPS support, SIPREC WORM storage for compliance, and CALEA integration. For security assessments, focus on deployment-specific security configurations and implement additional infrastructure-level security measures.
'''Summary:''' VoIPmonitor security posture documentation for security assessments and compliance reviews. Database: CDR/metadata stored unencrypted at rest (use MySQL TDE or LUKS if required); passwords SHA-256 hashed. Authentication: local accounts, 2FA, LDAP (password verification only - NOT SSO), Google OAuth, Microsoft Sign-In (in development). NOT supported: Shibboleth, SAML SSO, LDAP SSO, generic OIDC. Sessions: PHP-based with automatic session ID regeneration on login (prevents session fixation). Network: encrypted sensor communication (port 60024 with server_password), Manager API (port 5029 - restrict to internal only), HTTPS for GUI. Compliance: SIPREC WORM storage, CALEA export, IP anonymization, audit logging. System hardening: remove CUPS and other unnecessary services to minimize attack surface.


'''Keywords:''' security posture, vulnerability assessment, penetration testing, encryption, database encryption, password hashing, sha256, authentication, session management, PHP sessions, LDAP, SSO, Shibboleth, SAML, 2FA, compliance, development methodology, security audit
'''Keywords:''' security posture, security assessment, compliance, database encryption, SHA-256, password hashing, authentication, 2FA, LDAP, SSO, Shibboleth, SAML, Google OAuth, Microsoft Sign-In, session management, session fixation, session ID regeneration, firewall ports, Manager API, port 5029, port 60024, SIPREC, CALEA, IP anonymization, audit logging, HIPAA, PCI-DSS, GDPR, system hardening, CUPS, attack surface, TDE, LUKS


'''Key Questions:'''
'''Key Questions:'''
* Does VoIPmonitor conduct automated vulnerability scanning?
* Is user data encrypted in the VoIPmonitor database?
* Is penetration testing performed on VoIPmonitor?
* Is user data encrypted in the database?
* How are passwords stored in VoIPmonitor?
* How are passwords stored in VoIPmonitor?
* What authentication methods does VoIPmonitor support?
* What authentication methods does VoIPmonitor support?
* Does VoIPmonitor support Shibboleth or LDAP SSO?
* Does VoIPmonitor support Shibboleth or SAML SSO?
* How are user sessions managed in VoIPmonitor?
* Does VoIPmonitor support LDAP SSO?
* What is the session inactivity timeout?
* What network ports does VoIPmonitor use?
* Is VoIPmonitor data compliant with security standards?
* Should the Manager API port (5029) be exposed to the internet?
* What security methodology was used to develop VoIPmonitor?
* How do I secure VoIPmonitor for compliance?
* What security features does VoIPmonitor have for regulatory compliance?
* Is CUPS required for VoIPmonitor?
* Does VoIPmonitor prevent session fixation attacks?
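
Review bot: The new supported-methods table marks "Microsoft Sign-In (Entra ID)" as Supported, while the rewritten AI summary in the same revision still says "Microsoft Sign-In (in development)"; one of the two should be corrected so an assessor gets a single answer. The summary also keeps "NOT supported: Shibboleth, SAML SSO, LDAP SSO, generic OIDC" although the "Authentication Methods NOT Supported" section is dropped from the body, so that statement no longer has a source section; consider keeping a short unsupported-methods list. The removed "Vulnerability Testing" and "Development Methodology" bullets (no automated vulnerability scanning, no regular penetration testing or third-party audits, no formalized SDLC) are facts an assessment team asks for, and the revision deletes them without replacement; if they are still accurate they should stay on the page.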

Latest revision as of 17:16, 8 January 2026


This page provides an overview of VoIPmonitor's security posture, development practices, and internal security controls for security departments conducting assessments, audits, or compliance reviews.

Data Protection

Database Encryption

Data Type | Encryption Status | Notes
CDRs, call metadata | Not encrypted at rest | Use MySQL/MariaDB TDE or filesystem encryption (LUKS) if required
User passwords | SHA-256 hashed | LDAP offloads credential storage externally
Data in transit | Optional TLS | See SSL/TLS_connection_to_the_Mysql/MariaDB

💡 Tip: For environments requiring database encryption at rest, use MySQL/MariaDB Transparent Data Encryption (TDE) or filesystem-level encryption (LUKS, dm-crypt).

Privacy Features

  • IP Anonymization - Database-level anonymization via Groups > IPs > Anonymize Rewrite Rules
  • Two-Factor Authentication (2FA) - Enhanced account security
  • Audit Logging - File-based logging via AUDIT_LOG_FILE in configuration.php
  • Regulatory Compliance - SIPREC WORM storage (SEC 17a-4, CFTC 1.31), CALEA export

Authentication

Supported Methods

Method | Status | Documentation
Local accounts | Supported | Built-in username/password
Two-Factor Authentication | Supported | Settings > System Configuration
LDAP (password verification) | Supported | Custom Login - username/password only
Google Sign-In (OAuth 2.0) | Supported | Google Sign-In
Microsoft Sign-In (Entra ID) | Supported | Microsoft Sign-In
REMOTE_USER Authentication | Supported | REMOTE_USER_Authentication
Custom login scripts | Supported | Custom Login

Session Management

  • PHP sessions with automatic session ID regeneration on login (prevents session fixation)
  • Configurable timeout via session.gc_maxlifetime in php.ini
  • Manual session invalidation available for administrators

ℹ️ Note: Automatic session ID regeneration is a built-in security feature requiring no additional configuration.

Network Security

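Architecture Overview

[Diagram: Admin → Auth Layer (Local/LDAP, OAuth, 2FA) → HTTPS → Web GUI; Web GUI → MySQL; Web GUI → Sensors (TCP 5029); Sensor → Sensor (Encrypted TCP 60024)]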

Firewall Ports

Port | Protocol | Service | Security Notes
80, 443 | TCP | Web GUI | HTTPS strongly recommended
5029 | TCP | Manager API | Restrict to internal IPs only - never expose publicly
60024 | TCP | Sensor-to-server | Encrypted with server_password
5060 | UDP/TCP | SIP monitoring | Default SIP port

⚠️ Warning: The Manager API port (5029) should NEVER be exposed to the public internet.

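Key Security Features

  • TLS/SRTP Decryption - Decrypt encrypted VoIP traffic for monitoring
  • Encrypted sensor communication - Secure TCP with server_password
  • HTTPS/Basic Auth - Secure web GUI access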

Security Assessment Checklist

Configuration Review

  • SSL/TLS configuration (certificate validity, cipher suites)
  • Database connection encryption (MySQL SSL)
  • Firewall rules for all VoIPmonitor ports
  • File permissions on /etc/voipmonitor.conf (should be 600 or 640)
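
The script below is an added example, not part of VoIPmonitor's documentation or tooling: it automates two items from this list, the mode of /etc/voipmonitor.conf and whether the Manager API port 5029 listens only on internal addresses. The function names are hypothetical and the `ss` sample lines are constructed; it assumes the column layout of `ss -H -ltn`.

```shell
#!/usr/bin/env bash
# Added example (not VoIPmonitor tooling). Function names are hypothetical;
# SAMPLE_SS is constructed data in the column layout of `ss -H -ltn`.

# Succeeds only for the two modes the checklist accepts for voipmonitor.conf.
conf_mode_ok() {
    case "$1" in
        600|640) return 0 ;;
        *)       return 1 ;;
    esac
}

# Check a real file: 0 = acceptable mode, 1 = too permissive, 2 = cannot stat.
conf_file_ok() {
    local mode
    mode="$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)" || return 2
    conf_mode_ok "$mode"
}

# Classify a local listen address: loopback | internal | any | public.
# "any" means a wildcard bind, reachable on every interface unless firewalled.
listen_scope() {
    local addr="$1"
    addr="${addr%%\%*}"                      # drop %interface scope suffix
    addr="${addr#\[}"; addr="${addr%\]}"     # drop IPv6 brackets
    case "$addr" in
        127.*|::1)                              echo loopback ;;
        0.0.0.0|'*'|::|'')                      echo any ;;
        10.*|192.168.*)                         echo internal ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  echo internal ;;
        fc*|fd*|fe80:*)                         echo internal ;;
        *)                                      echo public ;;
    esac
}

# Read `ss -H -ltn` lines on stdin and report every listener on the given
# port (default 5029). Returns 1 if any listener is a wildcard or public bind.
audit_manager_port() {
    local port="${1:-5029}" state recvq sendq localaddr rest addr scope rc=0
    while read -r state recvq sendq localaddr rest; do
        [ "${localaddr##*:}" = "$port" ] || continue
        addr="${localaddr%:*}"
        scope="$(listen_scope "$addr")"
        echo "$port $addr $scope"
        case "$scope" in any|public) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample: Manager API bound to all interfaces, MySQL on loopback.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:5029 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 10.20.0.5:60024 0.0.0.0:*'

audit_manager_port 5029 <<EOF || echo "FINDING: port 5029 is not restricted to internal addresses"
$SAMPLE_SS
EOF
```

On a live host, run `ss -H -ltn | audit_manager_port 5029` and `conf_file_ok /etc/voipmonitor.conf`; a wildcard bind is only acceptable when the host firewall limits 5029 to internal sources.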

Authentication Review

  • Validate 2FA and LDAP configuration
  • Review user permissions in GUI (Users & Audit > Users)
  • Check IP restrictions (Users > Secure users tab)

Compliance Review

  • Privacy features for GDPR/HIPAA requirements
  • Audit logging enabled if required (AUDIT_LOG_FILE)
  • Data retention policies (cleandatabase settings in Data Cleaning)

System Hardening

VoIPmonitor requires only components listed in installation guides. Remove unnecessary services to minimize attack surface.

Services NOT Required

Service | Risk | Action
CUPS (printing) | CUPS_Evilsocket and similar vulnerabilities | Remove
Desktop environments | Large attack surface | Remove from production
FTP servers | Insecure protocol | Remove if unused
Development tools | Compiler exploits | Remove from production

Removing CUPS

# Check if installed
dpkg -l cups 2>/dev/null || rpm -qa cups

# Stop and disable
systemctl stop cups && systemctl disable cups

# Remove (Debian/Ubuntu)
apt remove --purge cups cups-browsed

# Remove (RHEL/CentOS/AlmaLinux)
yum remove cups

⚠️ Warning: Before removing any service, verify it is not required by other applications on the server.

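See Also

  • Sniffer Configuration - Security-related parameters
  • User Management - Permissions and access control
  • GUI Configuration - Audit logging setup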

AI Summary for RAG

Summary: VoIPmonitor security posture documentation for security assessments and compliance reviews. Database: CDR/metadata stored unencrypted at rest (use MySQL TDE or LUKS if required); passwords SHA-256 hashed. Authentication: local accounts, 2FA, LDAP (password verification only - NOT SSO), Google OAuth, Microsoft Sign-In (in development). NOT supported: Shibboleth, SAML SSO, LDAP SSO, generic OIDC. Sessions: PHP-based with automatic session ID regeneration on login (prevents session fixation). Network: encrypted sensor communication (port 60024 with server_password), Manager API (port 5029 - restrict to internal only), HTTPS for GUI. Compliance: SIPREC WORM storage, CALEA export, IP anonymization, audit logging. System hardening: remove CUPS and other unnecessary services to minimize attack surface.

Keywords: security posture, security assessment, compliance, database encryption, SHA-256, password hashing, authentication, 2FA, LDAP, SSO, Shibboleth, SAML, Google OAuth, Microsoft Sign-In, session management, session fixation, session ID regeneration, firewall ports, Manager API, port 5029, port 60024, SIPREC, CALEA, IP anonymization, audit logging, HIPAA, PCI-DSS, GDPR, system hardening, CUPS, attack surface, TDE, LUKS

Key Questions:

  • Is user data encrypted in the VoIPmonitor database?
  • How are passwords stored in VoIPmonitor?
  • What authentication methods does VoIPmonitor support?
  • Does VoIPmonitor support Shibboleth or SAML SSO?
  • Does VoIPmonitor support LDAP SSO?
  • What network ports does VoIPmonitor use?
  • Should the Manager API port (5029) be exposed to the internet?
  • How do I secure VoIPmonitor for compliance?
  • What security features does VoIPmonitor have for regulatory compliance?
  • Is CUPS required for VoIPmonitor?
  • Does VoIPmonitor prevent session fixation attacks?