Security Policy and Posture: Difference between revisions

From VoIPmonitor.org
No edit summary
 
(5 intermediate revisions by 2 users not shown)
Line 2: Line 2:
{{DISPLAYTITLE:Security Policy and Posture}}
{{DISPLAYTITLE:Security Policy and Posture}}


This page provides an overview of VoIPmonitor's security posture, development practices, and internal security controls. This information is intended for security departments conducting assessments, audits, or compliance reviews.
This page provides an overview of VoIPmonitor's security posture, development practices, and internal security controls for security departments conducting assessments, audits, or compliance reviews.
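Review bot: The new intro still promises coverage of "development practices", but this revision removes the only statements on that topic: the old summary's "No automated vulnerability scanning or formal penetration testing is conducted" and the old recommendation to add infrastructure-level controls because "no automated vulnerability scanning is performed by the vendor". Either keep a short section that states the vendor's current scanning and testing practice, or drop "development practices" from the intro so assessors do not look for content that is no longer there.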


== Data Protection and Encryption ==
== Data Protection ==


=== Database Encryption ===
=== Database Encryption ===


* User data in the database (CDRs, call metadata, configuration settings) is stored in plain text and is NOT encrypted
{| class="wikitable"
* Only user passwords are encrypted (see Password Storage below)
|-
* For encryption of data in transit between components, see [[SSL/TLS_connection_to_the_Mysql/MariaDB]]
! Data Type !! Encryption Status !! Notes
|-
| CDRs, call metadata || '''Not encrypted''' at rest || Use MySQL/MariaDB TDE or filesystem encryption (LUKS) if required
|-
| User passwords || SHA-256 hashed || LDAP offloads credential storage externally
|-
| Data in transit || Optional TLS || See [[SSL/TLS_connection_to_the_Mysql/MariaDB]]
|}
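Review bot: The `User passwords` row says only `SHA-256 hashed`, under a column headed `Encryption Status`, so an assessor cannot tell whether the hash is salted or iterated; the old "Password Storage" section this table replaces did not say either. State the salting and iteration scheme in the Notes cell, and consider a column name that does not equate hashing with encryption. The Notes text "LDAP offloads credential storage externally" applies only when LDAP login is in use, which the cell should say.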


=== Password Storage ===
{{Tip|1=For environments requiring database encryption at rest, use MySQL/MariaDB Transparent Data Encryption (TDE) or filesystem-level encryption (LUKS, dm-crypt).}}


* User credentials (passwords) are stored using sha256 hashing
=== Privacy Features ===
* An option for LDAP authentication is available, which offloads credential storage to an external LDAP server
* For more details on authentication methods, see [[Shibboleth_and_other_auth_modules]]


=== Data Privacy Features ===
* '''IP Anonymization''' - Database-level anonymization via Groups > IPs > Anonymize Rewrite Rules
* '''Two-Factor Authentication (2FA)''' - Enhanced account security
* '''Audit Logging''' - File-based logging via <code>AUDIT_LOG_FILE</code> in [[GUI_Configuration_PHP|configuration.php]]
* '''Regulatory Compliance''' - SIPREC WORM storage (SEC 17a-4, CFTC 1.31), [[CALEA_compliance|CALEA]] export


VoIPmonitor includes several features to assist with privacy compliance:
== Authentication ==


* [[Data_Privacy_and_Data_Masking|IP Address Anonymization]] - Database-level anonymization of IP addresses
=== Supported Methods ===
* [[2FA]] - Two-Factor Authentication for enhanced user account security
* Various compliance integrations ([[SIPREC]], CALEA support, PCI-DSS features)


== Authentication and Session Management ==
{| class="wikitable"
|-
! Method !! Status !! Documentation
|-
| Local accounts || Supported || Built-in username/password
|-
| Two-Factor Authentication || Supported || Settings > System Configuration
|-
| LDAP (password verification) || Supported || [[WEB_API#Custom_Login|Custom Login]] - username/password only
|-
| Google Sign-In (OAuth 2.0) || Supported || [[Google_Sign_in_usage|Google Sign-In]]
|-
| Microsoft Sign-In (Entra ID) || Supported  || [[Microsoft_Sign_in_usage|Microsoft Sign-In]]
|-
| REMOTE_USER Authentication || Supported || [[REMOTE_USER_Authentication]]
|-
| Custom login scripts || Supported || [[WEB_API#Custom_Login|Custom Login]]
|}


=== Supported Authentication Methods ===
=== Session Management ===


VoIPmonitor supports multiple authentication approaches:
* PHP sessions with '''automatic session ID regeneration on login''' (prevents session fixation)
* Configurable timeout via <code>session.gc_maxlifetime</code> in php.ini
* Manual session invalidation available for administrators


* Local user accounts with username/password
{{Note|1=Automatic session ID regeneration is a built-in security feature requiring no additional configuration.}}
* Two-Factor Authentication (2FA) - see [[2FA]]
* LDAP authentication (username/password verification) - see [[Shibboleth_and_other_auth_modules|LDAP Authentication]]
* Google Sign-In (OAuth 2.0) - see [[Shibboleth_and_other_auth_modules]]
* Microsoft Sign-In (Azure AD/Entra ID) - scheduled for upcoming stable release
* Custom login scripts for integration with external authentication systems - see [[WEB_API#Custom_Login]]


=== Authentication Methods NOT Supported ===
== Network Security ==


The following methods are NOT currently supported:
=== Architecture Overview ===
 
* Shibboleth SSO - not supported
* SAML-based SSO (including JumpCloud, Okta, OneLogin) - not supported
* LDAP SSO (click-through login without credentials) - only LDAP username/password is supported
* Generic OIDC providers other than Google
 
For complete details, see [[Shibboleth_and_other_auth_modules|SSO Authentication Support]]
 
=== Session Management ===
 
* User sessions are managed using PHP sessions
* Session inactivity timeout is configurable
* For specific timeout configuration, review your PHP configuration (php.ini) and web server settings
 
== Architecture and Network Security ==
 
The VoIPmonitor system architecture includes multiple security layers:


<kroki lang="mermaid">
<kroki lang="mermaid">
flowchart TB
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 35}}}%%
     subgraph Users["User Access"]
flowchart LR
         Admin["Admin/User"]
     subgraph Users["Access"]
         Admin["Admin"]
     end
     end


     subgraph Auth["Authentication Layer"]
     subgraph Auth["Auth Layer"]
         Local["Local Auth<br/>(SHA256)"]
         Local["Local/LDAP"]
        OAuth["OAuth"]
         TwoFA["2FA"]
         TwoFA["2FA"]
        LDAP["LDAP<br/>(user/pass)"]
        Google["Google<br/>OAuth 2.0"]
        MS["Microsoft<br/>(upcoming)"]
     end
     end


     subgraph WebLayer["Web Layer"]
     subgraph Web["Web Layer"]
         HTTPS["HTTPS/TLS"]
         HTTPS["HTTPS"]
         BasicAuth["HTTP Basic Auth"]
         GUI["Web GUI"]
        PHP["PHP Sessions"]
     end
     end


     subgraph Core["VoIPmonitor Core"]
     subgraph Core["Core"]
        GUI["Web GUI"]
         DB[(MySQL)]
         DB["MySQL/MariaDB<br/>(unencrypted data)"]
         Sensor["Sensors"]
         Sensor["Sensors"]
     end
     end


     subgraph Network["Network Security"]
     Admin --> Auth --> HTTPS --> GUI
        SensorComm["Encrypted TCP<br/>(server_password)"]
    GUI --> DB
        TLSDecrypt["TLS/SRTP<br/>Decryption"]
    GUI -->|TCP 5029| Sensor
    end
    Sensor -->|Encrypted TCP 60024| Sensor
</kroki>
 
=== Firewall Ports ===
 
{| class="wikitable"
|-
! Port !! Protocol !! Service !! Security Notes
|-
| 80, 443 || TCP || Web GUI || '''HTTPS strongly recommended'''
|-
| 5029 || TCP || Manager API || '''Restrict to internal IPs only''' - never expose publicly
|-
| 60024 || TCP || Sensor-to-server || Encrypted with <code>server_password</code>
|-
| 5060 || UDP/TCP || SIP monitoring || Default SIP port
|}
 
{{Warning|1=The Manager API port (5029) should NEVER be exposed to the public internet.}}
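Review bot: In the new diagram the edge `Sensor -->|Encrypted TCP 60024| Sensor` starts and ends on the same node, while the Firewall Ports table describes 60024 as "Sensor-to-server". Add a node for the central server and point the edge at it so the diagram and the table agree. The `80, 443` row lists port 80 next to "HTTPS strongly recommended" without saying whether 80 should be closed or redirected; spell that out, since this table is what reviewers will turn into firewall rules.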
 
=== Key Security Features ===
 
* '''[[Tls|TLS/SRTP Decryption]]''' - Decrypt encrypted VoIP traffic for monitoring
* '''[[Sniffer_distributed_architecture|Encrypted sensor communication]]''' - Secure TCP with <code>server_password</code>
* '''[[Securing_the_VoIPmonitor_Web_GUI_HTTPS_and_Basic_Auth|HTTPS/Basic Auth]]''' - Secure web GUI access
 
== Security Assessment Checklist ==
 
=== Configuration Review ===
 
* SSL/TLS configuration (certificate validity, cipher suites)
* Database connection encryption ([[SSL/TLS_connection_to_the_Mysql/MariaDB|MySQL SSL]])
* Firewall rules for all VoIPmonitor ports
* File permissions on <code>/etc/voipmonitor.conf</code> (should be 600 or 640)
 
=== Authentication Review ===
 
* Validate 2FA and LDAP configuration
* Review user permissions in GUI (Users & Audit > Users)
* Check IP restrictions (Users > Secure users tab)
 
=== Compliance Review ===
 
* Privacy features for GDPR/HIPAA requirements
* Audit logging enabled if required ([[GUI_Configuration_PHP#Audit_Log|AUDIT_LOG_FILE]])
* Data retention policies (<code>cleandatabase</code> settings in [[Data_Cleaning|Data Cleaning]])
 
== System Hardening ==
 
VoIPmonitor requires only components listed in installation guides. Remove unnecessary services to minimize attack surface.
 
=== Services NOT Required ===
 
{| class="wikitable"
|-
! Service !! Risk !! Action
|-
| CUPS (printing) || CUPS_Evilsocket and similar vulnerabilities || Remove
|-
| Desktop environments || Large attack surface || Remove from production
|-
| FTP servers || Insecure protocol || Remove if unused
|-
| Development tools || Compiler exploits || Remove from production
|}
 
=== Removing CUPS ===
 
<syntaxhighlight lang="bash">
# Check if installed
dpkg -l cups 2>/dev/null || rpm -qa cups


    subgraph Compliance["Compliance"]
# Stop and disable
        SIPREC["SIPREC WORM"]
systemctl stop cups && systemctl disable cups
        CALEA["CALEA Export"]
        IPAnon["IP Anonymization"]
    end


    Admin --> Auth
# Remove (Debian/Ubuntu)
    Auth --> WebLayer
apt remove --purge cups cups-browsed
    WebLayer --> GUI
    GUI --> DB
    GUI --> Sensor
    Sensor --> SensorComm
    Sensor --> TLSDecrypt
    GUI --> Compliance
</kroki>


* [[Tls|TLS/SRTP Decryption]] - Support for decrypting encrypted VoIP traffic for monitoring and analysis
# Remove (RHEL/CentOS/AlmaLinux)
* [[Sniffer_distributed_architecture|Secure communication between sensors and central server]] (encrypted TCP connections with server_password)
yum remove cups
* [[Securing_the_VoIPmonitor_Web_GUI_HTTPS_and_Basic_Auth|HTTPS and Basic Authentication]] for securing the web GUI
</syntaxhighlight>
* [[SIPREC|SIPREC recording with WORM storage]] for regulatory compliance (SEC 17a-4, CFTC 1.31)
* CALEA integration support for law enforcement data export requests


== Recommendations for Security Assessments ==
{{Warning|1=Before removing any service, verify it is not required by other applications on the server.}}
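Review bot: The stop/disable step names only `cups`, but the Debian/Ubuntu line also purges `cups-browsed` and the RHEL line removes only `cups`. Stop and disable `cups-browsed` alongside `cups` before removal, and say explicitly how `cups-browsed` is handled on RHEL/CentOS/AlmaLinux so both branches leave the host in the same state. In the table above, "Compiler exploits" as the risk for development tools is too vague for an assessment document; name the concern in a few words.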


When conducting a security assessment of VoIPmonitor, consider the following:
== See Also ==


* Focus the review on deployment-specific configurations (web server SSL, database connection encryption, firewall rules)
* [[Sniffer_configuration|Sniffer Configuration]] - Security-related parameters
* Validate that required authentication methods (LDAP, SSO) are available for your environment
* [[User_Management|User Management]] - Permissions and access control
* Review the [[Data_Privacy_and_Data_Masking|privacy features]] to ensure they meet your compliance requirements
* [[GUI_Configuration_PHP|GUI Configuration]] - Audit logging setup
* Implement additional security layers at the infrastructure level (intrusion detection, network segmentation, etc.) as no automated vulnerability scanning is performed by the vendor


== AI Summary for RAG ==
== AI Summary for RAG ==


'''Summary:''' This page documents VoIPmonitor's security posture and development practices. No automated vulnerability scanning or formal penetration testing is conducted. Development followed general security best practices without a specific formalized SDLC. User data in the database is NOT encrypted (only passwords are encrypted using sha256). Authentication options include local accounts, 2FA, LDAP (username/password only, not SSO), Google Sign-In, Microsoft Sign-In (upcoming stable release), and custom login scripts. Shibboleth, SAML-based SSO, and LDAP SSO are NOT supported. Sessions use PHP with configurable inactivity timeout. Security features include TLS/SRTP decryption, encrypted sensor communication, HTTPS support, SIPREC WORM storage for compliance, and CALEA integration. For security assessments, focus on deployment-specific security configurations and implement additional infrastructure-level security measures.
'''Summary:''' VoIPmonitor security posture documentation for security assessments and compliance reviews. Database: CDR/metadata stored unencrypted at rest (use MySQL TDE or LUKS if required); passwords SHA-256 hashed. Authentication: local accounts, 2FA, LDAP (password verification only - NOT SSO), Google OAuth, Microsoft Sign-In (in development). NOT supported: Shibboleth, SAML SSO, LDAP SSO, generic OIDC. Sessions: PHP-based with automatic session ID regeneration on login (prevents session fixation). Network: encrypted sensor communication (port 60024 with server_password), Manager API (port 5029 - restrict to internal only), HTTPS for GUI. Compliance: SIPREC WORM storage, CALEA export, IP anonymization, audit logging. System hardening: remove CUPS and other unnecessary services to minimize attack surface.


'''Keywords:''' security posture, vulnerability assessment, penetration testing, encryption, database encryption, password hashing, sha256, authentication, session management, PHP sessions, LDAP, SSO, Shibboleth, SAML, 2FA, compliance, development methodology, security audit
'''Keywords:''' security posture, security assessment, compliance, database encryption, SHA-256, password hashing, authentication, 2FA, LDAP, SSO, Shibboleth, SAML, Google OAuth, Microsoft Sign-In, session management, session fixation, session ID regeneration, firewall ports, Manager API, port 5029, port 60024, SIPREC, CALEA, IP anonymization, audit logging, HIPAA, PCI-DSS, GDPR, system hardening, CUPS, attack surface, TDE, LUKS


'''Key Questions:'''
'''Key Questions:'''
* Does VoIPmonitor conduct automated vulnerability scanning?
* Is user data encrypted in the VoIPmonitor database?
* Is penetration testing performed on VoIPmonitor?
* Is user data encrypted in the database?
* How are passwords stored in VoIPmonitor?
* How are passwords stored in VoIPmonitor?
* What authentication methods does VoIPmonitor support?
* What authentication methods does VoIPmonitor support?
* Does VoIPmonitor support Shibboleth or LDAP SSO?
* Does VoIPmonitor support Shibboleth or SAML SSO?
* How are user sessions managed in VoIPmonitor?
* Does VoIPmonitor support LDAP SSO?
* What is the session inactivity timeout?
* What network ports does VoIPmonitor use?
* Is VoIPmonitor data compliant with security standards?
* Should the Manager API port (5029) be exposed to the internet?
* What security methodology was used to develop VoIPmonitor?
* How do I secure VoIPmonitor for compliance?
* What security features does VoIPmonitor have for regulatory compliance?
* Is CUPS required for VoIPmonitor?
* Does VoIPmonitor prevent session fixation attacks?
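Review bot: The new summary says `Microsoft Sign-In (in development)`, but the new Supported Methods table marks `Microsoft Sign-In (Entra ID)` as Supported; make the two agree. The summary also lists Shibboleth, SAML SSO, LDAP SSO and generic OIDC as not supported, and the Key Questions ask about them, yet this revision removes the "Authentication Methods NOT Supported" section, so the body no longer answers those questions. Restore a short unsupported-methods list or drop those items from the summary and questions, and add REMOTE_USER authentication to the summary since the table now lists it.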

Latest revision as of 17:16, 8 January 2026


This page provides an overview of VoIPmonitor's security posture, development practices, and internal security controls for security departments conducting assessments, audits, or compliance reviews.

Data Protection

Database Encryption

{| class="wikitable"
|-
! Data Type !! Encryption Status !! Notes
|-
| CDRs, call metadata || Not encrypted at rest || Use MySQL/MariaDB TDE or filesystem encryption (LUKS) if required
|-
| User passwords || SHA-256 hashed || LDAP offloads credential storage externally
|-
| Data in transit || Optional TLS || See SSL/TLS_connection_to_the_Mysql/MariaDB
|}

💡 Tip: For environments requiring database encryption at rest, use MySQL/MariaDB Transparent Data Encryption (TDE) or filesystem-level encryption (LUKS, dm-crypt).

Privacy Features

  • IP Anonymization - Database-level anonymization via Groups > IPs > Anonymize Rewrite Rules
  • Two-Factor Authentication (2FA) - Enhanced account security
  • Audit Logging - File-based logging via AUDIT_LOG_FILE in configuration.php
  • Regulatory Compliance - SIPREC WORM storage (SEC 17a-4, CFTC 1.31), CALEA export

Authentication

Supported Methods

{| class="wikitable"
|-
! Method !! Status !! Documentation
|-
| Local accounts || Supported || Built-in username/password
|-
| Two-Factor Authentication || Supported || Settings > System Configuration
|-
| LDAP (password verification) || Supported || Custom Login - username/password only
|-
| Google Sign-In (OAuth 2.0) || Supported || Google Sign-In
|-
| Microsoft Sign-In (Entra ID) || Supported || Microsoft Sign-In
|-
| REMOTE_USER Authentication || Supported || REMOTE_USER_Authentication
|-
| Custom login scripts || Supported || Custom Login
|}

Session Management

  • PHP sessions with automatic session ID regeneration on login (prevents session fixation)
  • Configurable timeout via session.gc_maxlifetime in php.ini
  • Manual session invalidation available for administrators

ℹ️ Note: Automatic session ID regeneration is a built-in security feature requiring no additional configuration.

Network Security

Architecture Overview

Firewall Ports

{| class="wikitable"
|-
! Port !! Protocol !! Service !! Security Notes
|-
| 80, 443 || TCP || Web GUI || HTTPS strongly recommended
|-
| 5029 || TCP || Manager API || Restrict to internal IPs only - never expose publicly
|-
| 60024 || TCP || Sensor-to-server || Encrypted with server_password
|-
| 5060 || UDP/TCP || SIP monitoring || Default SIP port
|}

⚠️ Warning: The Manager API port (5029) should NEVER be exposed to the public internet.

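Key Security Features

  • TLS/SRTP Decryption - Decrypt encrypted VoIP traffic for monitoring
  • Encrypted sensor communication - Secure TCP with server_password
  • HTTPS/Basic Auth - Secure web GUI access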

Security Assessment Checklist

Configuration Review

  • SSL/TLS configuration (certificate validity, cipher suites)
  • Database connection encryption (MySQL SSL)
  • Firewall rules for all VoIPmonitor ports
  • File permissions on /etc/voipmonitor.conf (should be 600 or 640)
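
Two of the items above can be checked mechanically. The script below is an added example, not part of the VoIPmonitor documentation or code base: it checks the mode of the configuration file and flags listeners on the Manager API and sensor ports that are not bound to loopback. The function names and the sample `ss -tln` lines are constructed for illustration, and it assumes GNU `stat` and iproute2 `ss` output.

```shell
#!/usr/bin/env bash
# Added example, not VoIPmonitor code. Function names and SAMPLE_SS are
# constructed for illustration; assumes GNU stat and iproute2 `ss` output.

# Returns 0 if the file mode is exactly 600 or 640, 1 if it is anything
# else, 2 if the file cannot be inspected.
conf_mode_ok() {
    cm_mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$cm_mode" in
        600|640) return 0 ;;
        *)       return 1 ;;
    esac
}

# Reads `ss -tln` lines on stdin and prints every listener on port $1 whose
# bind address is not loopback. A wildcard bind is a prompt to review the
# firewall rules for that port, not proof that the port is reachable.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")              # port is the last field
            if (parts[n] != port) next
            host = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "[::1]") next
            print $4
        }'
}

# Constructed sample of `ss -tln` output; on a real host use:
#   ss -tln | exposed_listeners 5029
SAMPLE_SS='LISTEN 0 128 0.0.0.0:443     0.0.0.0:*
LISTEN 0 128 127.0.0.1:5029  0.0.0.0:*
LISTEN 0 128 0.0.0.0:5029    0.0.0.0:*
LISTEN 0 128 [::]:60024      [::]:*'

CONF=${CONF:-/etc/voipmonitor.conf}
rc=0
conf_mode_ok "$CONF" || rc=$?
case "$rc" in
    0) echo "OK     $CONF mode is 600 or 640" ;;
    1) echo "FAIL   $CONF mode is not 600 or 640" ;;
    *) echo "SKIP   $CONF could not be inspected on this host" ;;
esac

for port in 5029 60024; do
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners "$port" |
        while read -r addr; do
            echo "REVIEW port $port listens on $addr"
        done
done
```
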

Authentication Review

  • Validate 2FA and LDAP configuration
  • Review user permissions in GUI (Users & Audit > Users)
  • Check IP restrictions (Users > Secure users tab)

Compliance Review

  • Privacy features for GDPR/HIPAA requirements
  • Audit logging enabled if required (AUDIT_LOG_FILE)
  • Data retention policies (cleandatabase settings in Data Cleaning)

System Hardening

VoIPmonitor requires only components listed in installation guides. Remove unnecessary services to minimize attack surface.

Services NOT Required

{| class="wikitable"
|-
! Service !! Risk !! Action
|-
| CUPS (printing) || CUPS_Evilsocket and similar vulnerabilities || Remove
|-
| Desktop environments || Large attack surface || Remove from production
|-
| FTP servers || Insecure protocol || Remove if unused
|-
| Development tools || Compiler exploits || Remove from production
|}

Removing CUPS

<syntaxhighlight lang="bash">
# Check if installed
dpkg -l cups 2>/dev/null || rpm -qa cups

# Stop and disable
systemctl stop cups && systemctl disable cups

# Remove (Debian/Ubuntu)
apt remove --purge cups cups-browsed

# Remove (RHEL/CentOS/AlmaLinux)
yum remove cups
</syntaxhighlight>

⚠️ Warning: Before removing any service, verify it is not required by other applications on the server.

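See Also

  • Sniffer Configuration - Security-related parameters
  • User Management - Permissions and access control
  • GUI Configuration - Audit logging setup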

AI Summary for RAG

Summary: VoIPmonitor security posture documentation for security assessments and compliance reviews. Database: CDR/metadata stored unencrypted at rest (use MySQL TDE or LUKS if required); passwords SHA-256 hashed. Authentication: local accounts, 2FA, LDAP (password verification only - NOT SSO), Google OAuth, Microsoft Sign-In (in development). NOT supported: Shibboleth, SAML SSO, LDAP SSO, generic OIDC. Sessions: PHP-based with automatic session ID regeneration on login (prevents session fixation). Network: encrypted sensor communication (port 60024 with server_password), Manager API (port 5029 - restrict to internal only), HTTPS for GUI. Compliance: SIPREC WORM storage, CALEA export, IP anonymization, audit logging. System hardening: remove CUPS and other unnecessary services to minimize attack surface.

Keywords: security posture, security assessment, compliance, database encryption, SHA-256, password hashing, authentication, 2FA, LDAP, SSO, Shibboleth, SAML, Google OAuth, Microsoft Sign-In, session management, session fixation, session ID regeneration, firewall ports, Manager API, port 5029, port 60024, SIPREC, CALEA, IP anonymization, audit logging, HIPAA, PCI-DSS, GDPR, system hardening, CUPS, attack surface, TDE, LUKS

Key Questions:

  • Is user data encrypted in the VoIPmonitor database?
  • How are passwords stored in VoIPmonitor?
  • What authentication methods does VoIPmonitor support?
  • Does VoIPmonitor support Shibboleth or SAML SSO?
  • Does VoIPmonitor support LDAP SSO?
  • What network ports does VoIPmonitor use?
  • Should the Manager API port (5029) be exposed to the internet?
  • How do I secure VoIPmonitor for compliance?
  • What security features does VoIPmonitor have for regulatory compliance?
  • Is CUPS required for VoIPmonitor?
  • Does VoIPmonitor prevent session fixation attacks?