Security
Server
Components used
The backend part of UCS is programmed in Python3. Communication with the frontend part is strictly separated by an XML-RPC API interface that is accessible via NGINX reverse proxy. Asterisk is used to connect calls, which communicates protocol SIP (signaling) and RTP (voice streams).
| Component | Purpose |
|---|---|
| asterisk | Call processing, SIP signaling, RTP streams |
| isc-dhcp-server | Providing IP addresses to phones |
| nginx | Input reverse proxy for UCS components |
| ntp | Time synchronization |
| openssl | Encryption |
| openvpn | VPN for remote user access and IP phones |
| postgresql | Database (configuration, calls, statistics, etc. |
| python3-bleach | Sanitization of incoming emails to UCS |
| python3-cryptography | Internal UCS Certification Authority |
| python3-gnupg | Licensing |
| python3-gssapi | SSO for Microsoft Active Directory |
| python3-ldap | SSO for MSAD and contact lookup for calls |
| python3-messaging | Processing of SMS messages |
| python3-mysqldb | Driver for MySQL database |
| python3-openpyxl | Creating XLSX reports |
| python3-pygresql | Driver for PostgreSQL satabase |
| python3-pymssql | Driver for MSSQL database |
| python3-serial | Communication with SMS gateway |
| python3-watchdog | Internal monitoring of log files |
| sox | Mixing recordings and converting to MP3 |
| stuntman-server | STUN/ICE for Web Softphones |
| tftpd-hpa | Providing configuration for IP phones |
SIP
The PBX contains a Session Border Controller (SBC). Calls from trunks (public telephone networks) are terminated at the SIP level and into the private network, in where IP phones are located, a new SIP dialog is established. SIP messages from public networks are therefore terminated at the PBX and cannot reach the IP phones. The internal topology is not visible from external networks.
Trunk security between the ITSP and the PBX is based on resource constraints and destination IP addresses and/or SIP registration and authentication using the SIP algorithm Digest authentication (RFC-2617).
Only the listed audio codecs and na The PBX performs an RTP integrity check. Repackaging is done, it is only preserved voice payload.
All IP phones are registered to the PBX using a unique name and password. Names do not contain a line number, passwords are strong, randomly generated, and users they don't know them. Authentication is required for both registration and call setup SIP Digest authentication algorithm.