General


This document describes ways to improve security and to protect your system from certain kinds of fraud.


Below is an overview of Sippy's current security features:


  • Complicated passwords - the default password template is a minimum of 7 alphanumeric characters. Password templates are customized on a per-account basis by our support team.
  • Password Strength indicator - Password strength is shown to users when user passwords expire or are created for the first time. (Starting in 5.2)
  • Encrypted passwords - passwords are encrypted when saved, with no ability to retrieve saved passwords from the DB.
  • Separate VoIP credentials for Digest Authentication - Accounts have different credentials for web and SIP traffic, for accessibility and user security.
  • Sophisticated VoIP traffic Authentication - Combined Remote IP, Incoming CLI and Incoming CLD authentication to authenticate traffic to an Account.
  • Account session limits - Total session limits (inbound/outbound combined) protect an Account from traffic flooding resulting from a hacked Account.
  • Account CPS limits - CPS limits protect an Account from traffic flooding resulting from a hacked Account.
  • Account Balance token system - real-time Account Balances apply logic to incoming call attempts, referencing the remaining Balance/Credit, call cost/rate, and calls in progress, to decide whether additional calls may pass.
  • Built-in Firewall for additional network security layer - Web, SSH, DB, and SIP traffic firewall rules.
  • Web Access Control restriction - restrict staff web login to specified IP addresses/location.
  • User Audit logs - Monitor changes made by staff.
  • Connection channel and CPS limits - restrictive routing and capping of calls to specified upstream locations.
  • Adjust the default password_policy template - ask the support team to provide you with the default parameters that your system uses and adjust them if needed.
  • In-house framework (Sippy B2BUA & RTPproxy) ensures Sippy is not remotely vulnerable to industry-wide security and fraud attacks.
  • Proper ACD value set in the tariff - with ACD = Max session time the system will never drain an account's/customer's balance below zero, but some calls could be dropped as a result.
  • A transparent external firewall is recommended for handling complicated rules and for protecting the network card from being overloaded by fraudulent traffic/packets or a DDoS attack.
  • Use PINs for vouchers if they are used.
  • Use PINs for accounts if calling cards are used.
  • Avoid using authentication rules with only CLI/CLD specified; the IP adds extra security to the authentication.
  • Use authentication by Vendor/Connection in the DID authentication rules if DIDs are used in the scenario.
  • Mask the topology of your network using the media relay feature, which proxies the RTP and hides the original IP of a device.
  • Use your own VPN server if your staff are on dynamic IPs. Such an approach makes the connection to the Sippy server more secure and allows you to configure a web firewall and restrict any suspicious attempts to access the web/db/ssh from all unknown IPs.
    Steps to take to secure your Sippy Softswitch:



| # | Feature | Location | Note | Document |
|---|---------|----------|------|----------|
| 1 | Complicated passwords | My Preferences > Web Password; My Staff > Users > User's parameters | User password leaking is the number 1 cause of fraud on a Sippy Softswitch. Set significantly complicated passwords for your users to prevent unauthorized access. | |
| 2 | IP Firewall | System Management > Tools > Ip Firewall | Prevent unwanted traffic or hacking attempts through SSH, SIP, Web, and DB firewall configuration. | See below for simple configuration guidelines. |
| 3 | External Firewall (if required) | External service. | Configure an external firewall in front of Sippy to help prevent DDoS attacks, port scanning etc. This is a network application. | External Firewall setup for use with Sippy Softswitch |
| 4 | Web Access Control | Profile > My Preferences; My Staff > Users > User's parameters | Restrict access to the Sippy Softswitch through User accounts by configuring your IP's into the web access control field. Only operators from the specified IP will gain access to your switch. | See below for simple configuration guidelines. |
| 5 | Overdraft protection | Billing > Tariff > Average Call Duration | Sippy passes calls based on a balance token system that is governed by the Average Call Duration on Tariff. Longer Average call Duration will result in fewer calls passing when an Account's balance is low. | |
| 6 | SNMP monitoring traffic flagging. | External service. | Configure an SNMP application as an external service to monitor and alert to traffic spikes and unwanted access attempts. | Using SNMP to monitor Sippy Softswitch statistics |
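
The effect of the Average Call Duration setting on overdraft protection (step 5, and the ACD = Max session time point in the feature list) can be seen in a simplified model. This is an added example, not Sippy's code: the reservation rule (each call in progress holds rate x ACD of the balance) and all names and figures are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Account:
    balance: float        # remaining balance/credit
    rate_per_min: float   # call cost per minute (from the tariff)
    acd_min: float        # Average Call Duration on the tariff, in minutes
    calls_in_progress: int = 0

    def __post_init__(self):
        if self.rate_per_min <= 0 or self.acd_min <= 0:
            raise ValueError("rate and ACD must be positive")

    def token_cost(self) -> float:
        # Assumption: one token reserves rate * ACD of the balance per call.
        return self.rate_per_min * self.acd_min

    def admit(self) -> bool:
        """Pass a new call only if the unreserved balance covers one more token."""
        reserved = self.calls_in_progress * self.token_cost()
        if self.balance - reserved >= self.token_cost():
            self.calls_in_progress += 1
            return True
        return False


def max_concurrent(balance, rate_per_min, acd_min) -> int:
    """Offer calls until one is refused; return how many passed."""
    acct = Account(balance, rate_per_min, acd_min)
    while acct.admit():
        pass
    return acct.calls_in_progress


def worst_case_balance(balance, rate_per_min, acd_min, max_session_min) -> float:
    """Balance left if every passed call runs for the maximum session time."""
    calls = max_concurrent(balance, rate_per_min, acd_min)
    return balance - calls * rate_per_min * max_session_min


if __name__ == "__main__":
    # Constructed figures: balance 100, rate 0.5 per minute, max session 60 minutes.
    for acd in (2, 60):
        print(acd, max_concurrent(100, 0.5, acd), worst_case_balance(100, 0.5, acd, 60))
```

With a short ACD many calls pass and a compromised account can run far below zero; with ACD equal to the maximum session time the balance stays non-negative at the cost of fewer calls passing.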


    The Sippy Softswitch has been developed with security features that are in line with our goal of producing the most


    Web access control


    The Web access control feature allows the Sippy Softswitch owner to specify the exact list of IPs allowed web access for a particular web user. The list is set in the "My Preferences" menu of the customer/web user, so only the listed IPs are able to log in to the web interface with that user's credentials.
    By default the owner will see the value "Any" in the "Allowed Hosts" field. "Any" means that anyone can access the web interface with the proper login and password. You can instead specify a comma-separated list of IPs, and with such a configuration only clients from that list of IPs will be able to log in to the web interface with the proper login and password:



    IP Firewall tool

    The IP firewall tool allows you to restrict database, web interface, SSH or SIP access by static IP address. You can add a rule to the firewall list in the following menu: "Tools" > "IP Firewall" (see screen-shot for your reference).


    The IP firewall can be configured only for static IP addresses. Please also note that the netmask should be 255.255.255.255 if you want to block/allow only one particular IP address. For dynamic IPs, we suggest using a trusted VPN server for access to the switch web interface.
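
A review of "Allowed Hosts" values and firewall rules along the lines described above can be scripted. This is an added example, not part of Sippy: the record layout, function names and addresses are constructed for illustration, and exact-IP matching of "Allowed Hosts" entries is an assumption.

```python
import ipaddress


def allowed_hosts_permits(allowed_hosts: str, client_ip: str) -> bool:
    """Evaluate an "Allowed Hosts" value: "Any" or a comma-separated IP list."""
    value = allowed_hosts.strip()
    if value.lower() == "any":
        return True
    client = ipaddress.ip_address(client_ip)
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return any(client == ipaddress.ip_address(e) for e in entries)


def rule_size(address: str, netmask: str) -> int:
    """Number of addresses covered by an address/netmask firewall rule."""
    net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    return net.num_addresses


def audit(users: dict, rules: list) -> list:
    """Flag users left on "Any" and allow rules wider than a single host."""
    findings = []
    for name, hosts in users.items():
        if hosts.strip().lower() == "any":
            findings.append(f"user {name}: Allowed Hosts is Any")
    for service, address, netmask, action in rules:
        size = rule_size(address, netmask)
        if action == "allow" and size > 1:
            findings.append(
                f"{service}: allow {address}/{netmask} covers {size} addresses")
    return findings


# Constructed sample data (documentation address ranges, hypothetical users).
USERS = {"admin": "Any", "noc": "198.51.100.7, 198.51.100.8"}
RULES = [
    ("ssh", "198.51.100.7", "255.255.255.255", "allow"),  # exactly one host
    ("web", "198.51.100.0", "255.255.255.0", "allow"),    # a whole /24
]

if __name__ == "__main__":
    for line in audit(USERS, RULES):
        print(line)
```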

In version 5.1 (or greater) of our software we have added a feature that presents warnings to Switch operators with permission to edit the firewall rules, reminding them to allow access to the switch from known IP addresses and to deny access from any unknown IP address. The warnings are controlled from the Security Alerts section in the IP Firewall Tool, based on the type of firewall (DB, SIP, SSH or Web). If an external firewall is used, the warning can be disabled by clearing the checkbox:



Audit log tool
The Audit log feature is available only to a root customer user.

How to set up an external firewall with Sippy Software:

External Firewall setup for use with Sippy Softswitch