Security Policy and Posture: Difference between revisions

From VoIPmonitor.org
(Add documentation about automatic session ID regeneration on login to prevent session fixation attacks)
 
(2 intermediate revisions by 2 users not shown)
Line 2: Line 2:
{{DISPLAYTITLE:Security Policy and Posture}}
{{DISPLAYTITLE:Security Policy and Posture}}


This page provides an overview of VoIPmonitor's security posture, development practices, and internal security controls. This information is intended for security departments conducting assessments, audits, or compliance reviews.
This page provides an overview of VoIPmonitor's security posture, development practices, and internal security controls for security departments conducting assessments, audits, or compliance reviews.


== Data Protection and Encryption ==
== Data Protection ==


=== Database Encryption ===
=== Database Encryption ===


* User data in the database (CDRs, call metadata, configuration settings) is stored in plain text and is NOT encrypted at rest
{| class="wikitable"
* Only user passwords are hashed (see Password Storage below)
|-
* For encryption of data in transit between components, see [[SSL/TLS_connection_to_the_Mysql/MariaDB]]
! Data Type !! Encryption Status !! Notes
|-
| CDRs, call metadata || '''Not encrypted''' at rest || Use MySQL/MariaDB TDE or filesystem encryption (LUKS) if required
|-
| User passwords || SHA-256 hashed || LDAP offloads credential storage externally
|-
| Data in transit || Optional TLS || See [[SSL/TLS_connection_to_the_Mysql/MariaDB]]
|}


{{Tip|1=For environments requiring database encryption at rest, use MySQL/MariaDB Transparent Data Encryption (TDE) or filesystem-level encryption (LUKS, dm-crypt).}}
{{Tip|1=For environments requiring database encryption at rest, use MySQL/MariaDB Transparent Data Encryption (TDE) or filesystem-level encryption (LUKS, dm-crypt).}}


=== Password Storage ===
=== Privacy Features ===


* User credentials (passwords) are stored using SHA-256 hashing
* '''IP Anonymization''' - Database-level anonymization via Groups > IPs > Anonymize Rewrite Rules
* LDAP authentication is available, which offloads credential storage to an external LDAP server
* '''Two-Factor Authentication (2FA)''' - Enhanced account security
* For more details on authentication methods, see [[WEB_API#Custom_Login|Custom Login]] documentation
* '''Audit Logging''' - File-based logging via <code>AUDIT_LOG_FILE</code> in [[GUI_Configuration_PHP|configuration.php]]
* '''Regulatory Compliance''' - SIPREC WORM storage (SEC 17a-4, CFTC 1.31), [[CALEA_compliance|CALEA]] export


=== Data Privacy Features ===
== Authentication ==


VoIPmonitor includes several features to assist with privacy compliance:
=== Supported Methods ===


* [[Data_Privacy_and_Data_Masking|IP Address Anonymization]] - Database-level anonymization of IP addresses
{| class="wikitable"
* Two-Factor Authentication (2FA) for enhanced user account security
|-
* Various compliance integrations (SIPREC, [[CALEA_compliance|CALEA]] support, PCI-DSS features)
! Method !! Status !! Documentation
 
|-
== Authentication and Session Management ==
| Local accounts || Supported || Built-in username/password
 
|-
=== Supported Authentication Methods ===
| Two-Factor Authentication || Supported || Settings > System Configuration
 
|-
VoIPmonitor supports multiple authentication approaches:
| LDAP (password verification) || Supported || [[WEB_API#Custom_Login|Custom Login]] - username/password only
 
|-
* Local user accounts with username/password
| Google Sign-In (OAuth 2.0) || Supported || [[Google_Sign_in_usage|Google Sign-In]]
* Two-Factor Authentication (2FA)
|-
* LDAP authentication (username/password verification) - see [[WEB_API#Custom_Login|Custom Login]]
| Microsoft Sign-In (Entra ID) || Supported  || [[Microsoft_Sign_in_usage|Microsoft Sign-In]]
* Google Sign-In (OAuth 2.0)
|-
* [[Microsoft_Sign_in_usage|Microsoft Sign-In]] (Azure AD/Entra ID) - scheduled for upcoming stable release
| REMOTE_USER Authentication || Supported || [[REMOTE_USER_Authentication]]
* Custom login scripts for integration with external authentication systems - see [[WEB_API#Custom_Login|Custom Login]]
|-
 
| Custom login scripts || Supported || [[WEB_API#Custom_Login|Custom Login]]
=== Authentication Methods NOT Supported ===
|}
 
The following methods are NOT currently supported:
 
* Shibboleth SSO - not supported
* SAML-based SSO (including JumpCloud, Okta, OneLogin) - not supported
* LDAP SSO (click-through login without credentials) - only LDAP username/password verification is supported
* Generic OIDC providers other than Google


=== Session Management ===
=== Session Management ===


* User sessions are managed using PHP sessions
* PHP sessions with '''automatic session ID regeneration on login''' (prevents session fixation)
* '''The VoIPmonitor GUI automatically changes the session ID on every user login''' - This built-in behavior prevents session fixation attacks and does not require manual configuration
* Configurable timeout via <code>session.gc_maxlifetime</code> in php.ini
* Session inactivity timeout is configurable via PHP configuration (<code>session.gc_maxlifetime</code> in php.ini)
* Manual session invalidation available for administrators
* Sessions can be invalidated manually by administrators


{{Note|1=The automatic session ID regeneration on login is a built-in security feature of the VoIPmonitor GUI that mitigates session fixation vulnerabilities. No additional PHP configuration changes are required for this protection.}}
{{Note|1=Automatic session ID regeneration is a built-in security feature requiring no additional configuration.}}


== Architecture and Network Security ==
== Network Security ==


The VoIPmonitor system architecture includes multiple security layers:
=== Architecture Overview ===


<kroki lang="mermaid">
<kroki lang="mermaid">
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 35, 'curve': 'basis'}}}%%
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 35}}}%%
flowchart TB
flowchart LR
     subgraph Users["User Access"]
     subgraph Users["Access"]
         Admin["Admin/User"]
         Admin["Admin"]
     end
     end


     subgraph Auth["Authentication Layer"]
     subgraph Auth["Auth Layer"]
         Local["Local Auth"]
         Local["Local/LDAP"]
        OAuth["OAuth"]
         TwoFA["2FA"]
         TwoFA["2FA"]
        LDAP["LDAP"]
        Google["Google OAuth"]
     end
     end


     subgraph WebLayer["Web Layer"]
     subgraph Web["Web Layer"]
         HTTPS["HTTPS/TLS"]
         HTTPS["HTTPS"]
         BasicAuth["Basic Auth"]
         GUI["Web GUI"]
        PHP["PHP Sessions"]
     end
     end


     subgraph Core["VoIPmonitor Core"]
     subgraph Core["Core"]
        GUI["Web GUI"]
         DB[(MySQL)]
         DB["MySQL/MariaDB"]
         Sensor["Sensors"]
         Sensor["Sensors"]
     end
     end


    subgraph Network["Network Security"]
     Admin --> Auth --> HTTPS --> GUI
        SensorComm["Encrypted TCP"]
        TLSDecrypt["TLS/SRTP Decryption"]
    end
 
     Admin --> Auth
    Auth --> WebLayer
    WebLayer --> GUI
     GUI --> DB
     GUI --> DB
     GUI --> Sensor
     GUI -->|TCP 5029| Sensor
     Sensor --> SensorComm
     Sensor -->|Encrypted TCP 60024| Sensor
    Sensor --> TLSDecrypt
</kroki>
</kroki>


=== Key Security Features ===
=== Firewall Ports ===
 
* [[Tls|TLS/SRTP Decryption]] - Support for decrypting encrypted VoIP traffic for monitoring and analysis
* [[Sniffer_distributed_architecture|Secure sensor communication]] - Encrypted TCP connections using <code>server_password</code>
* [[Securing_the_VoIPmonitor_Web_GUI_HTTPS_and_Basic_Auth|HTTPS and Basic Authentication]] for securing the web GUI
* SIPREC recording with WORM storage for regulatory compliance (SEC 17a-4, CFTC 1.31)
* [[CALEA_compliance|CALEA integration]] support for law enforcement data export requests
 
=== Network Ports and Firewall ===
 
The following ports should be considered when configuring firewalls:


{| class="wikitable"
{| class="wikitable"
|-
|-
! Port !! Protocol !! Service !! Notes
! Port !! Protocol !! Service !! Security Notes
|-
|-
| 80, 443 || TCP || Web GUI || HTTPS strongly recommended
| 80, 443 || TCP || Web GUI || '''HTTPS strongly recommended'''
|-
|-
| 5029 || TCP || Manager API || Restrict to trusted internal IPs only
| 5029 || TCP || Manager API || '''Restrict to internal IPs only''' - never expose publicly
|-
|-
| 60024 || TCP || Sensor communication || Used for distributed architecture
| 60024 || TCP || Sensor-to-server || Encrypted with <code>server_password</code>
|-
|-
| 5060 || UDP/TCP || SIP monitoring || Default SIP port
| 5060 || UDP/TCP || SIP monitoring || Default SIP port
|}
|}


{{Warning|1=The Manager API port (5029) should NEVER be exposed to the public internet. Restrict access to trusted internal networks only.}}
{{Warning|1=The Manager API port (5029) should NEVER be exposed to the public internet.}}
 
=== Key Security Features ===


== Recommendations for Security Assessments ==
* '''[[Tls|TLS/SRTP Decryption]]''' - Decrypt encrypted VoIP traffic for monitoring
* '''[[Sniffer_distributed_architecture|Encrypted sensor communication]]''' - Secure TCP with <code>server_password</code>
* '''[[Securing_the_VoIPmonitor_Web_GUI_HTTPS_and_Basic_Auth|HTTPS/Basic Auth]]''' - Secure web GUI access


When conducting a security assessment of VoIPmonitor, consider the following:
== Security Assessment Checklist ==


=== Configuration Review ===
=== Configuration Review ===


* Web server SSL/TLS configuration (certificate validity, cipher suites)
* SSL/TLS configuration (certificate validity, cipher suites)
* Database connection encryption ([[SSL/TLS_connection_to_the_Mysql/MariaDB|MySQL/MariaDB SSL]])
* Database connection encryption ([[SSL/TLS_connection_to_the_Mysql/MariaDB|MySQL SSL]])
* Firewall rules for all VoIPmonitor ports
* Firewall rules for all VoIPmonitor ports
* File permissions on configuration files (<code>/etc/voipmonitor.conf</code>)
* File permissions on <code>/etc/voipmonitor.conf</code> (should be 600 or 640)


=== Authentication Assessment ===
=== Authentication Review ===


* Validate that required authentication methods (LDAP, 2FA) are properly configured
* Validate 2FA and LDAP configuration
* Review user permissions and role assignments in GUI
* Review user permissions in GUI (Users & Audit > Users)
* Check IP restriction settings (Settings > Users & Audit > Users > Secure users)
* Check IP restrictions (Users > Secure users tab)


=== Compliance Review ===
=== Compliance Review ===


* Review [[Data_Privacy_and_Data_Masking|privacy features]] to ensure they meet your compliance requirements
* Privacy features for GDPR/HIPAA requirements
* Verify audit logging is enabled if required ([[GUI_Configuration_PHP#Audit_Log|AUDIT_LOG_FILE]])
* Audit logging enabled if required ([[GUI_Configuration_PHP#Audit_Log|AUDIT_LOG_FILE]])
* Check data retention policies (<code>cleandatabase</code> settings)
* Data retention policies (<code>cleandatabase</code> settings in [[Data_Cleaning|Data Cleaning]])


=== Infrastructure Security ===
== System Hardening ==


* Implement additional security layers (intrusion detection, network segmentation)
VoIPmonitor requires only components listed in installation guides. Remove unnecessary services to minimize attack surface.
* Consider deploying VoIPmonitor in an isolated network segment
* Regular backup verification and disaster recovery testing


=== System Hardening and Service Minimization ===
=== Services NOT Required ===


{{Tip|A fundamental security practice is to minimize the attack surface by removing unnecessary services and software that are not required for VoIPmonitor operation.}}
{| class="wikitable"
 
|-
VoIPmonitor requires only the software components explicitly listed in the installation guides:
! Service !! Risk !! Action
 
|-
* '''Sniffer dependencies''': See [[Sniffer_installation|Sniffer Installation]]
| CUPS (printing) || CUPS_Evilsocket and similar vulnerabilities || Remove
* '''GUI dependencies''': Database (MySQL/MariaDB), web server, PHP, tshark - see [[GUI_installation|GUI Installation]]
|-
* '''Optional utilities''': libpcap, netmap, DPDK, napatech drivers (for specific capture modes)
| Desktop environments || Large attack surface || Remove from production
 
|-
The following services are NOT required and should be removed if present:
| FTP servers || Insecure protocol || Remove if unused
|-
| Development tools || Compiler exploits || Remove from production
|}


* '''CUPS (Common Unix Printing System)''' - Not used by VoIPmonitor and presents a security risk if vulnerable (e.g., CUPS_Evilsocket vulnerability)
=== Removing CUPS ===
* Unnecessary desktop environments (GNOME, KDE) on production servers
* Unused network services (FTP, SMTP servers not used for monitoring)
* Development tools and compilers on production systems


{{Warning|Before removing any service, ensure it is not required by other applications running on the server or by your organizational policies.}}
To check for and remove CUPS:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
# Check if CUPS is installed
# Check if installed
dpkg -l cups 2>/dev/null || rpm -qa cups
dpkg -l cups 2>/dev/null || rpm -qa cups


# Stop CUPS service
# Stop and disable
systemctl stop cups
systemctl stop cups && systemctl disable cups
 
# Disable CUPS from starting on boot
systemctl disable cups


# Remove CUPS (Debian/Ubuntu)
# Remove (Debian/Ubuntu)
apt remove --purge cups cups-browsed
apt remove --purge cups cups-browsed


# Remove CUPS (RHEL/CentOS/AlmaLinux)
# Remove (RHEL/CentOS/AlmaLinux)
yum remove cups
yum remove cups
</syntaxhighlight>
</syntaxhighlight>


This principle applies broadly: security vulnerabilities in any unnecessary software can compromise the overall security posture, even if the vulnerable software is not directly related to VoIPmonitor functionality.
{{Warning|1=Before removing any service, verify it is not required by other applications on the server.}}
 
== See Also ==
 
* [[Sniffer_configuration|Sniffer Configuration]] - Security-related parameters
* [[User_Management|User Management]] - Permissions and access control
* [[GUI_Configuration_PHP|GUI Configuration]] - Audit logging setup


== AI Summary for RAG ==
== AI Summary for RAG ==


'''Summary:''' VoIPmonitor security posture documentation for security assessments and compliance reviews. Database: CDR and call metadata stored unencrypted at rest; passwords hashed with SHA-256. Authentication: local accounts, 2FA, LDAP (username/password only - NOT SSO), Google OAuth, Microsoft Sign-In (upcoming). NOT supported: Shibboleth, SAML SSO, LDAP SSO, generic OIDC. Sessions: PHP-based with automatic session ID regeneration on login (built-in feature prevents session fixation), configurable timeout. Network security: encrypted sensor communication (server_password on port 60024), TLS/SRTP decryption support, HTTPS for GUI. Critical ports: 80/443 (GUI), 5029 (Manager API - restrict to internal), 60024 (sensors), 5060 (SIP). Compliance features: SIPREC WORM storage, CALEA export, IP anonymization. Security assessment recommendations: review SSL/TLS config, database encryption, firewall rules, authentication setup, audit logging, data retention policies.
'''Summary:''' VoIPmonitor security posture documentation for security assessments and compliance reviews. Database: CDR/metadata stored unencrypted at rest (use MySQL TDE or LUKS if required); passwords SHA-256 hashed. Authentication: local accounts, 2FA, LDAP (password verification only - NOT SSO), Google OAuth, Microsoft Sign-In (in development). NOT supported: Shibboleth, SAML SSO, LDAP SSO, generic OIDC. Sessions: PHP-based with automatic session ID regeneration on login (prevents session fixation). Network: encrypted sensor communication (port 60024 with server_password), Manager API (port 5029 - restrict to internal only), HTTPS for GUI. Compliance: SIPREC WORM storage, CALEA export, IP anonymization, audit logging. System hardening: remove CUPS and other unnecessary services to minimize attack surface.
 
System hardening: Remove unnecessary services to minimize attack surface. CUPS (printing system) is NOT required by VoIPmonitor and should be removed due to security risks. Unnecessary services include CUPS, desktop environments, unused network services, development tools. Always verify other applications do not depend on a service before removal. Check and remove CUPS with: dpkg -l cups or rpm -qa cups; systemctl stop/disable cups; apt remove cups or yum remove cups. Security vulnerabilities in any unnecessary software compromise overall security posture even if unrelated to VoIPmonitor functionality.


'''Keywords:''' security posture, security assessment, compliance, encryption, database encryption, SHA-256, password hashing, authentication, 2FA, LDAP, SSO, Shibboleth, SAML, Google OAuth, Microsoft Sign-In, session management, session fixation, session ID regeneration, firewall ports, Manager API, port 5029, port 60024, SIPREC, CALEA, IP anonymization, audit logging, HIPAA, PCI-DSS, GDPR, system hardening, unnecessary services, CUPS, CUPS_Evilsocket, remove CUPS, security best practice, attack surface
'''Keywords:''' security posture, security assessment, compliance, database encryption, SHA-256, password hashing, authentication, 2FA, LDAP, SSO, Shibboleth, SAML, Google OAuth, Microsoft Sign-In, session management, session fixation, session ID regeneration, firewall ports, Manager API, port 5029, port 60024, SIPREC, CALEA, IP anonymization, audit logging, HIPAA, PCI-DSS, GDPR, system hardening, CUPS, attack surface, TDE, LUKS


'''Key Questions:'''
'''Key Questions:'''
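
Review bot: the new revision drops the "Authentication Methods NOT Supported" subsection (Shibboleth SSO, SAML-based SSO, LDAP click-through SSO, generic OIDC) while the rewritten AI Summary still asserts "NOT supported: Shibboleth, SAML SSO, LDAP SSO, generic OIDC" and the Key Questions still ask about Shibboleth, SAML and LDAP SSO; either keep a short "Not supported" note under Supported Methods or drop the claim from the summary, so the summary does not state something the body no longer documents. The Microsoft Sign-In row is also inconsistent within the same revision: the table marks it "Supported" while the new summary says "(in development)" and the replaced text said "scheduled for upcoming stable release"; pick one status and use it in both places.
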
Line 216: Line 195:
* How do I secure VoIPmonitor for compliance?
* How do I secure VoIPmonitor for compliance?
* What security features does VoIPmonitor have for regulatory compliance?
* What security features does VoIPmonitor have for regulatory compliance?
* How do I enable audit logging in VoIPmonitor?
* Is CUPS required for VoIPmonitor?
* Is CUPS required for VoIPmonitor?
* Should I remove CUPS from VoIPmonitor servers?
* Does VoIPmonitor prevent session fixation attacks?
* What unnecessary services should be removed for system hardening?
* How do I remove CUPS from Linux for security?
* What security risk does CUPS_Evilsocket pose to VoIPmonitor?
* Does VoIPmonitor session ID change on login?
* Is VoIPmonitor vulnerable to session fixation attacks?
* How does VoIPmonitor prevent session fixation?

Latest revision as of 17:16, 8 January 2026


This page provides an overview of VoIPmonitor's security posture, development practices, and internal security controls for security departments conducting assessments, audits, or compliance reviews.

Data Protection

Database Encryption

Data Type            | Encryption Status      | Notes
CDRs, call metadata  | Not encrypted at rest  | Use MySQL/MariaDB TDE or filesystem encryption (LUKS) if required
User passwords       | SHA-256 hashed         | LDAP offloads credential storage externally
Data in transit      | Optional TLS           | See SSL/TLS_connection_to_the_Mysql/MariaDB

💡 Tip: For environments requiring database encryption at rest, use MySQL/MariaDB Transparent Data Encryption (TDE) or filesystem-level encryption (LUKS, dm-crypt).

Privacy Features

  • IP Anonymization - Database-level anonymization via Groups > IPs > Anonymize Rewrite Rules
  • Two-Factor Authentication (2FA) - Enhanced account security
  • Audit Logging - File-based logging via AUDIT_LOG_FILE in configuration.php
  • Regulatory Compliance - SIPREC WORM storage (SEC 17a-4, CFTC 1.31), CALEA export

Authentication

Supported Methods

Method                        | Status    | Documentation
Local accounts                | Supported | Built-in username/password
Two-Factor Authentication     | Supported | Settings > System Configuration
LDAP (password verification)  | Supported | Custom Login - username/password only
Google Sign-In (OAuth 2.0)    | Supported | Google Sign-In
Microsoft Sign-In (Entra ID)  | Supported | Microsoft Sign-In
REMOTE_USER Authentication    | Supported | REMOTE_USER_Authentication
Custom login scripts          | Supported | Custom Login

Session Management

  • PHP sessions with automatic session ID regeneration on login (prevents session fixation)
  • Configurable timeout via session.gc_maxlifetime in php.ini
  • Manual session invalidation available for administrators

ℹ️ Note: Automatic session ID regeneration is a built-in security feature requiring no additional configuration.
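
A way to verify the session-fixation defence described above during an assessment, added here as an example and not taken from the VoIPmonitor GUI code: it extracts the PHPSESSID value from HTTP response headers and confirms that the ID issued after login differs from the one issued before. The login path LOGIN_PATH_PLACEHOLDER and the form field names username/password in check_live are placeholders for your deployment's actual login endpoint, not the GUI's documented interface; the headers inside demo() are constructed.

```shell
#!/bin/sh
# Added example (not VoIPmonitor GUI code): confirm that the session ID issued
# after login differs from the one issued before login.

# Print the PHPSESSID value from raw HTTP response headers read on stdin.
# Handles upper/lower-case header names; prints nothing when no cookie is set.
extract_sid() {
    tr -d '\r' | sed -n 's/^[Ss]et-[Cc]ookie:[[:space:]]*PHPSESSID=\([^;]*\).*/\1/p' | head -n 1
}

# Succeed (exit 0) only when both IDs are present and the post-login ID differs.
session_rotated() {
    sr_pre="$1"
    sr_post="$2"
    [ -n "$sr_pre" ] && [ -n "$sr_post" ] && [ "$sr_pre" != "$sr_post" ]
}

# Live check against a running GUI. LOGIN_PATH_PLACEHOLDER and the field names
# username/password are placeholders: replace them with your deployment's
# login endpoint and form fields. Requires curl.
check_live() {
    cl_base="$1"   # e.g. https://gui.example.internal (placeholder host)
    cl_user="$2"
    cl_pass="$3"
    # 1. Anonymous request: the server hands out a pre-authentication session ID.
    cl_pre=$(curl -s -i "$cl_base/" | extract_sid)
    # 2. Log in while presenting that same pre-authentication ID.
    cl_post=$(curl -s -i -b "PHPSESSID=$cl_pre" \
        --data-urlencode "username=$cl_user" \
        --data-urlencode "password=$cl_pass" \
        "$cl_base/LOGIN_PATH_PLACEHOLDER" | extract_sid)
    # 3. A GUI that regenerates the ID answers the login with a new Set-Cookie.
    if session_rotated "$cl_pre" "$cl_post"; then
        echo "OK: session ID regenerated on login"
    else
        echo "FAIL: session ID not regenerated (pre='$cl_pre' post='$cl_post')" >&2
        return 1
    fi
}

# Offline demonstration on constructed headers; no server is contacted.
demo() {
    d_pre=$(printf 'HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=pre0123456789; path=/; HttpOnly\r\n\r\n' | extract_sid)
    d_post=$(printf 'HTTP/1.1 302 Found\r\nset-cookie: PHPSESSID=post9876543210; path=/; HttpOnly\r\n\r\n' | extract_sid)
    if session_rotated "$d_pre" "$d_post"; then
        echo "constructed sample: rotated ($d_pre -> $d_post)"
    else
        echo "constructed sample: not rotated"
    fi
}

demo
```

Run check_live with the base URL and a test account to exercise the real GUI; the expected result is a Set-Cookie header on the login response whose PHPSESSID differs from the pre-login value.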

Network Security

Architecture Overview

The architecture diagram (not reproduced in this rendering) shows an Admin reaching the Auth Layer (Local/LDAP, OAuth, 2FA), then HTTPS, then the Web GUI; the Web GUI connects to MySQL/MariaDB and to the sensors over TCP 5029, and sensor traffic runs over encrypted TCP 60024.

Firewall Ports

Port    | Protocol | Service           | Security Notes
80, 443 | TCP      | Web GUI           | HTTPS strongly recommended
5029    | TCP      | Manager API       | Restrict to internal IPs only - never expose publicly
60024   | TCP      | Sensor-to-server  | Encrypted with server_password
5060    | UDP/TCP  | SIP monitoring    | Default SIP port

⚠️ Warning: The Manager API port (5029) should NEVER be exposed to the public internet.
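
The port table and the warning above expressed as an nftables policy, added here as an example rather than a ruleset shipped with VoIPmonitor: default drop, the GUI ports open to an administrative range, 5029 and 60024 reachable only from a trusted internal range, and a guard that refuses a "trusted" range that would in fact admit the whole Internet. The table name voipmonitor, the sample CIDR ranges and the environment variables TRUSTED_CIDR/ADMIN_CIDR are this example's own choices.

```shell
#!/bin/sh
# Added example (not a VoIPmonitor-supplied ruleset): print an nftables policy
# for the ports in the table above. Nothing is applied; review the output, then
# load it with `nft -f <file>` on the VoIPmonitor host.

# Reject ranges that would re-create public exposure: bad syntax, a /0 prefix,
# or anything starting at 0.0.0.0. (IPv4 only; a simple heuristic, not a full
# CIDR validator.)
validate_cidr() {
    vc="$1"
    printf '%s\n' "$vc" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    case "$vc" in
        0.0.0.0/*) return 1 ;;
    esac
    [ "${vc#*/}" -ne 0 ]
}

# gen_ruleset TRUSTED_CIDR [ADMIN_CIDR]
#   TRUSTED_CIDR  internal range allowed to reach 5029 (Manager API) and 60024 (sensors)
#   ADMIN_CIDR    range allowed to reach the web GUI; defaults to TRUSTED_CIDR
gen_ruleset() {
    gr_trusted="$1"
    gr_admin="${2:-$1}"
    validate_cidr "$gr_trusted" || { echo "refusing trusted range '$gr_trusted'" >&2; return 1; }
    validate_cidr "$gr_admin"   || { echo "refusing admin range '$gr_admin'" >&2; return 1; }
    cat <<EOF
table inet voipmonitor {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # Web GUI: HTTPS strongly recommended; 80 kept only to redirect to 443
        ip saddr $gr_admin tcp dport { 80, 443 } accept
        # Manager API: internal IPs only, never exposed publicly
        ip saddr $gr_trusted tcp dport 5029 accept
        # Sensor-to-server traffic (encrypted with server_password)
        ip saddr $gr_trusted tcp dport 60024 accept
        # 5060 is the SIP port the sensor monitors; a passively capturing
        # sensor does not listen on it, so open it only if a SIP service
        # actually runs on this host:
        # udp dport 5060 accept
        # tcp dport 5060 accept
        counter log prefix "voipmonitor-drop " drop
    }
}
EOF
}

# Print a ruleset for the ranges given in the environment (example values).
gen_ruleset "${TRUSTED_CIDR:-10.0.0.0/8}" "${ADMIN_CIDR:-}"
```

Run as TRUSTED_CIDR=10.20.0.0/16 ADMIN_CIDR=192.168.50.0/24 sh ruleset.sh > voipmonitor.nft and inspect the file before loading it; the script exits non-zero instead of printing a policy when either range fails validate_cidr.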

Key Security Features

  • TLS/SRTP Decryption - Decrypt encrypted VoIP traffic for monitoring
  • Encrypted sensor communication - Secure TCP with server_password
  • HTTPS/Basic Auth - Secure web GUI access

Security Assessment Checklist

Configuration Review

  • SSL/TLS configuration (certificate validity, cipher suites)
  • Database connection encryption (MySQL SSL)
  • Firewall rules for all VoIPmonitor ports
  • File permissions on /etc/voipmonitor.conf (should be 600 or 640)
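
Two of the checks above in runnable form, added here as an example and not part of the VoIPmonitor project: the permission check for /etc/voipmonitor.conf, accepting only 600 or 640 as the checklist states, and a scan of `ss -ltn` output for a Manager API listener bound to a wildcard address, which is the case where the host firewall is the only control keeping port 5029 off the public Internet. The listener table inside demo() is constructed.

```shell
#!/bin/sh
# Added example (not VoIPmonitor project code): two checks from the
# configuration review list, usable on the host or on captured command output.

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# conf_mode_ok PATH: exit 0 only when PATH exists and is mode 600 or 640,
# the two values the checklist accepts for /etc/voipmonitor.conf.
conf_mode_ok() {
    cm_path="$1"
    if [ ! -f "$cm_path" ]; then
        echo "MISSING: $cm_path" >&2
        return 1
    fi
    cm_mode=$(file_mode "$cm_path")
    case "$cm_mode" in
        600|640) return 0 ;;
        *) echo "WEAK: $cm_path is mode $cm_mode (expected 600 or 640)" >&2; return 1 ;;
    esac
}

# manager_api_binds: read `ss -ltn` output on stdin and print the local
# address:port of every listener on TCP 5029 (the Manager API).
manager_api_binds() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == "5029") print $4 }'
}

# manager_api_wildcard_bind: exit 0 when a 5029 listener is bound to all
# interfaces (0.0.0.0, * or [::]); then the host firewall is the only thing
# keeping the Manager API off the public Internet.
manager_api_wildcard_bind() {
    manager_api_binds | grep -Eq '^(0\.0\.0\.0|\*|\[::\]):5029$'
}

# Offline demonstration on a constructed listener table and a temporary file.
demo() {
    d_ss='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:5029        0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      511    *:443               *:*'
    if printf '%s\n' "$d_ss" | manager_api_wildcard_bind; then
        echo "constructed sample: Manager API bound to a wildcard address"
    else
        echo "constructed sample: Manager API not on a wildcard address"
    fi
    d_tmp=$(mktemp) && chmod 644 "$d_tmp"
    conf_mode_ok "$d_tmp" || echo "constructed sample: mode 644 correctly rejected"
    chmod 640 "$d_tmp" && conf_mode_ok "$d_tmp" && echo "constructed sample: mode 640 accepted"
    rm -f "$d_tmp"
}

demo
# On a real host: conf_mode_ok /etc/voipmonitor.conf; ss -ltn | manager_api_wildcard_bind
```

A wildcard bind is not a finding by itself; pair it with the firewall review so that the 5029 rule set, not the bind address, is what you sign off on.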

Authentication Review

  • Validate 2FA and LDAP configuration
  • Review user permissions in GUI (Users & Audit > Users)
  • Check IP restrictions (Users > Secure users tab)

Compliance Review

  • Privacy features for GDPR/HIPAA requirements
  • Audit logging enabled if required (AUDIT_LOG_FILE)
  • Data retention policies (cleandatabase settings in Data Cleaning)

System Hardening

VoIPmonitor requires only components listed in installation guides. Remove unnecessary services to minimize attack surface.

Services NOT Required

Service               | Risk                                         | Action
CUPS (printing)       | CUPS_Evilsocket and similar vulnerabilities  | Remove
Desktop environments  | Large attack surface                         | Remove from production
FTP servers           | Insecure protocol                            | Remove if unused
Development tools     | Compiler exploits                            | Remove from production

Removing CUPS

# Check if installed
dpkg -l cups 2>/dev/null || rpm -qa cups

# Stop and disable
systemctl stop cups && systemctl disable cups

# Remove (Debian/Ubuntu)
apt remove --purge cups cups-browsed

# Remove (RHEL/CentOS/AlmaLinux)
yum remove cups

⚠️ Warning: Before removing any service, verify it is not required by other applications on the server.
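
The CUPS check above generalised to the whole "Services NOT Required" table, added here as an example and not part of the wiki's own commands: it reads `systemctl list-unit-files --state=enabled` output and reports every enabled unit belonging to CUPS, a desktop display manager or an FTP daemon. The unit-name list NOT_REQUIRED is this example's assumption about which packages implement those services; the unit listing inside demo() is constructed.

```shell
#!/bin/sh
# Added example (not part of the wiki's own commands): list enabled systemd
# units that implement services the "Services NOT Required" table says to
# remove. Reads `systemctl list-unit-files --state=enabled` output on stdin,
# so it also works on output collected from another host.

# Unit names for the table's rows: CUPS, desktop display managers, FTP daemons.
# This mapping from service category to package names is this example's own
# assumption; extend it for your distribution.
NOT_REQUIRED='cups|cups-browsed|gdm|gdm3|sddm|lightdm|vsftpd|proftpd|pure-ftpd'

# Print enabled unit names matching NOT_REQUIRED, one per line (empty if none).
flag_unneeded_units() {
    # $2 == "enabled" skips the header line ("UNIT FILE STATE ...") and the
    # "N unit files listed." footer; the grep keeps only units from the list.
    awk 'NF >= 2 && $2 == "enabled" { print $1 }' \
        | grep -E "^(${NOT_REQUIRED})\.(service|socket|path)$" || true
}

# Exit 0 when nothing unneeded is enabled, 1 otherwise; prints the findings.
hardening_check() {
    hc_found=$(flag_unneeded_units)
    if [ -z "$hc_found" ]; then
        echo "no enabled units from the not-required list"
        return 0
    fi
    echo "enabled units to review for removal:"
    printf '  %s\n' $hc_found
    return 1
}

# Live run on this host (systemctl's --no-legend drops header and footer).
scan_live() {
    systemctl list-unit-files --state=enabled --no-legend 2>/dev/null | hardening_check
}

# Offline demonstration on a constructed unit listing.
demo() {
    d_units='UNIT FILE            STATE    PRESET
cups.service         enabled  enabled
cups.socket          enabled  enabled
cups.path            enabled  enabled
gdm.service          enabled  enabled
sshd.service         enabled  enabled
vsftpd.service       disabled enabled
voipmonitor.service  enabled  enabled

7 unit files listed.'
    printf '%s\n' "$d_units" | hardening_check || true
}

demo
```

Call scan_live on a production host; a non-zero exit gives a list to take through the "verify it is not required by other applications" step before any package is removed.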

See Also

  • Sniffer Configuration - Security-related parameters
  • User Management - Permissions and access control
  • GUI Configuration - Audit logging setup

AI Summary for RAG

Summary: VoIPmonitor security posture documentation for security assessments and compliance reviews. Database: CDR/metadata stored unencrypted at rest (use MySQL TDE or LUKS if required); passwords SHA-256 hashed. Authentication: local accounts, 2FA, LDAP (password verification only - NOT SSO), Google OAuth, Microsoft Sign-In (in development). NOT supported: Shibboleth, SAML SSO, LDAP SSO, generic OIDC. Sessions: PHP-based with automatic session ID regeneration on login (prevents session fixation). Network: encrypted sensor communication (port 60024 with server_password), Manager API (port 5029 - restrict to internal only), HTTPS for GUI. Compliance: SIPREC WORM storage, CALEA export, IP anonymization, audit logging. System hardening: remove CUPS and other unnecessary services to minimize attack surface.

Keywords: security posture, security assessment, compliance, database encryption, SHA-256, password hashing, authentication, 2FA, LDAP, SSO, Shibboleth, SAML, Google OAuth, Microsoft Sign-In, session management, session fixation, session ID regeneration, firewall ports, Manager API, port 5029, port 60024, SIPREC, CALEA, IP anonymization, audit logging, HIPAA, PCI-DSS, GDPR, system hardening, CUPS, attack surface, TDE, LUKS

Key Questions:

  • Is user data encrypted in the VoIPmonitor database?
  • How are passwords stored in VoIPmonitor?
  • What authentication methods does VoIPmonitor support?
  • Does VoIPmonitor support Shibboleth or SAML SSO?
  • Does VoIPmonitor support LDAP SSO?
  • What network ports does VoIPmonitor use?
  • Should the Manager API port (5029) be exposed to the internet?
  • How do I secure VoIPmonitor for compliance?
  • What security features does VoIPmonitor have for regulatory compliance?
  • Is CUPS required for VoIPmonitor?
  • Does VoIPmonitor prevent session fixation attacks?