Versions Compared

Old Version 12

changes.mady.by.user Ksenia Babych

Saved on

compared with

New Version 13

changes.mady.by.user Ksenia Babych

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.



Html
<div id="fb-root"></div>
<script>(function(d, s, id) {
  var js, fjs = d.getElementsByTagName(s)[0];
  if (d.getElementById(id)) return;
  js = d.createElement(s); js.id = id;
  js.src = 'https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.11';
  fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>

...

Info

This document provides information on built-in security features of the Wildix system, ISO compliance and GDPR.

Updated: April 2018October  2020

Permalink: https://confluence.wildix.com/x/QgBuAQ

Security is a top priority for Wildix and all the security features are built-in inside the product, which means the Wildix System is Secure By Design and security is not delegated to third party devices.

...

  • the system is running with valid certificates (this means that all the customers are communicating without the risk of their communications being intercepted)
  • the system has not been duplicated (this prevents the risk of a man-in-the-middle attack)
  • the software version running on the system is not known for security issues, otherwise an alert informs the system administrator that the system must be upgraded (failing to do so can lead to the system to disable certain features that were detected as the ones that could expose the system to risk)
  • the system is running within acceptable performance parameters (memory and CPU), otherwise an alert informs the system administrator that the underlying HW or Virtual environment must be improved.

Technical details:

  • The check is executed daily at a random time, this can be modified to run at a regular time or day of the week.
  • The connection is made to the server api.wildix.com; optionally via an http proxy (to the server wmp.wildix.com, in case WMS version is lower than 3.86)
  • The protocol used is based on HTTPS with high level encryption, no incoming connection is needed for the system check to work; the protocol can also work through a customer’s web proxy
  • The average data size exchanged on the connection is 2 Kb daily
  • The system ignores a failed connection attempt for up to 14 days; it is possible to keep the system offline and reconnect it to the Internet at least once every two weeks.
  • After 14 days offline the system limits available features to guarantee the customer safety. An alert is given to the users of the system. To restore a full operational system it is sufficient to permit the outbound connection and sync licenses in WMS (Refresh via Internet option on the page Activation / Licenses).

WebRTC Security

Wildix Wizyconf videoconference, same as Wildix WebRTC phone in Collaboration use WebRTC for audio and video communications. WebRTC was born as open source project and is still under active development, however security measures were in place from the very beginning. WebRTC offers security "out-of-the-box" and in fact, this is one of the reasons why Wildix opted for WebRTC back in 2012 when we launched the Kite project and then, in 2015, we made it our technological choice, when we released the first WebRTC phone available directly in Collaboration web interface.

...

Vulnerabilities and questions about privacy must be communicated using the following email security@wildix.com, we have a Vulnerability Reward Program in place. The reward will depend on the importance of the problem found.

Reasons to contact us at security@wildix.com:

  • I’m experiencing a security problem with my Wildix account

  • I want to report a technical security bug in a Wildix product (WMS, Collaboration, WMP, Kite, Wizyconf, WP, iOS / Android Wildix apps)

  • I have a privacy doubt or a privacy-related question about Wildix products and services.

Wildix Cloud and ISO 27001

...

compliance 
Anchor
ISO27001
ISO27001

Wildix Cloud services are located in data centers that undergo ISO 27001 audits. These data centers share hosted facilities space with the world’s largest Internet companies. The geographic diversity of these locations act as an additional safeguard which minimizes the risk of service interruption due to natural disasters.

...

  • Added an option to auto-delete CDR, chats / Kite chats, voicemails and call recordings in WMS Settings -> PBX -> Call and chat history after a period of time (WMS-4090; WMS-4084)

    • GDPR - Right to be forgotten

  • Added the possibility to delete all contacts from the phonebook in WMS -> Users -> Phonebooks (WMS-3901)

    • GDPR - Right to be forgotten

...

  • Added CSRF attack protection via domain whitelist added in WMS Settings - PBX - Security: any WebAPI / PBX API integration will stop working if the domain is not added to the list (WMS-3985)

Frequently Asked Questions

High-level details

QuestionsAnswers

What are the information flows within the system and between it and other services?

  • Data flows from a PBX to remote customer sites and flows to the operator if you have a SIP trunk.
  • Interconnection with other services: Ports used by Wildix services

What are the principle methods of transporting information? 

  • HTTP:80
  • HTTPS:443

Note: 80 and 443 ports can be changed.

Are the data shared with any other third parties?

No.

What firewalls or network control  measures are used to  protect thesystem/data?

SIP firewall in PBX and high  security by design withpasswords and 2factors protection. Data  firewall remains important on  remotesite.

Is the system ISO 27001 compliant?

Yes. See this chapter.


Access Control

QuestionsAnswers

Which access methods are available to access the system?

  • One super admin access
  • One strong password by user

Note: Details can be found in WMS Start Guide.

What system enforced password settings are active for users?  

  • Password Minimum length/ Complexity 
  • Password Change Interval
  • Lockout (after incorrect password entries)
  • Encrypted passwords
  • Recommended 12 characters, at least one capital letter, one special character, one number. Change every 6 months.
  • For the lockout, 3 attempts banned for 1 hour to start over. There is two-factor authentication on top of that


What additional measures are in place to secure administrator accounts. (e.g. stronger passwords or crypto keys required to access systems)

  • 1 unique access
  • Recommended 12 characters, at least one capital letter, one special character, one number

Is two-factor auth mandatory?

It can be mandatory, managed by ACL rules.

How are security incidents managed and reported?

Wildix NOC Engineers perform continuous system monitoring 24/7, investigate crash reports, and intervene in case a problem with any client PBX has been revealed by the monitoring system. In case a problem has been revealed, the following actions are undertaken:

  • Identify the CoS of the issue; issues which have been identified as Critical are immediately taken into analysis, even if revealed outside Support Hours
  • Find all the information related to the PBX, including Serial, Country, Partner, information about the issue
  • Partner is contacted by creating a ticket or by phone

How does the system hand out the necessary privileges for users to gain the correct access to information? How does it prevent access to the wrong material?

Admin can limit/ allow access to certain PBX services and features by ACL rules.

How can unauthorised access be detected?

  • Visible in logs
  • Protection by automatic backups
  • Protection by ACL groups

What logs are kept of successful/ unsuccessful usage attempts?


System logs (including all attempts).


Disaster recovery, backups and data erasure

QuestionsAnswers

What method is used to secure archive historic material and data?

Automatic backups configuration.

Note: Consult WMS Start Guide for details.

How the system is restored (either from backup or a rebuild  from scratch) to a known working  state?

  • Possible restoration in other system with backup file
  • Possible failover 

How do you secureagainst:

  • Poweroutage
  • Single points offailure
  • Unavailability ofcritical staff
  • Unsatisfactory maintenance ofequipment
  • Failure ofequipment/  software

Wildix advices to activate 5 years  warranty.

Details: https://www.wildix.com/warranty-activation/.

How the data is destroyed when no longer needed and what data retention periods areobserved?

  • Data can be destroyed whenneeded
  • Possible to remove data every months...  

System Web Security

QuestionsAnswers

What data does the system store?

Chat history and calls stats inCDR-View.

What User Generated Content does the system collect and/ or host?

  • Chat and calls history
  • Possibility for user to add contacts in phonebooks

Note: Chat, calls or phonebooksmodification can be forbidden by ACLrules.

Are users required to login? Is this login over a secure link?

Yes, users are required to login, login via HTTPS.

What are other data transfers/ connections between users' browsers and the system?

Check the doc Ports used by Wildix services.

What Collaboration solution stack ?

Check the doc Legal Notice PBX.

What is your approach for identifying applicable security patches and applying the system? 

Full security package with recurrent licences: Wildix Technical Support - Service Level Agreement.

What processes do you have in place to minimise the risk of these issues according tOWASP list:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

The processes are present in Wildix Technical Support - Service Level Agreement.

Are any vulnerability scanning or penetration testing carried out?

Penetration tests are performed yearly and security reports summaries are released on request after signing an NDA to existing customers.

How have you ensured the data links to the web server are adequate for traffic volumes anticipated? Have you tested under anticipated load?

  • Test with 5000 users / 600 concurrent calls
  • Wildix recommend 100 kb symmetric per call


Html
<div class="fb-like" data-href="https://confluence.wildix.com/x/QgBuAQ" data-layout="button_count" data-action="recommend" data-size="large" data-show-faces="true" data-share="true"></div>

...