StarBox® Voice Optimized SD-WAN Security FAQs

Edited: 11/12/2019
Access: Everyone
Supports: Business Voice+

Q: How does the StarBox® Voice Optimized SD-WAN authenticate with the call center or the remote station with which it communicates?

A: All administrative traffic from Star2Star's Constellation Network to the StarBox® Voice Optimized SD-WAN appliance is sent via Secure Shell (SSH) / SCP.

Q: Does it use mutual authentication, and is the authentication hardware-token or soft-cert based?

A: We use software certificates. When Star2Star provisions a site, we automatically generate a 2048-bit X.509 certificate for the site's StarBox® Voice Optimized SD-WAN appliance.

Q: Is the channel encrypted in some manner?

A: Administrative traffic, such as updates to underlying config files, is encrypted; voice communication, however, is not.

Q: I realize the StarBox® Voice Optimized SD-WAN pulls voice packets out of the data stream, but it is still connected to our network. Are there measures within the StarBox® Voice Optimized SD-WAN to prevent dual homing so that an attacker cannot gain access to the network?

A: Customers who run a converged LAN (i.e. with each workstation connecting to the PC port on the IP phone) have their traffic segregated with VLANs. Star2Star uses static VLAN assignments as opposed to CDP or LLDP, and all IP phones ship configured to use a voice VLAN of 41 and to get DHCP from the StarBox® Voice Optimized SD-WAN's sub-interface on that VLAN. That setup is adequate for most organizations; however, it's certainly true that a malicious user could configure their network card to run on that VLAN and follow the same path as the IP phones. That would require knowledge of the voice VLAN, a dot1q-enabled NIC, and admin rights on the workstation.

Most customers we work with are comfortable with VLAN segregation as being adequate, although we have some who, for regulatory or administrative reasons, run separate physical networks. We also have an enterprise customer with 802.1X authentication, where the organization's RADIUS server assigns a voice VLAN attribute based on the certificate presented by the phone. We could certainly discuss such a setup, but going down the dot1x rabbit hole is not exactly a trivial setup.
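One way to watch for the case described in this answer, a workstation tagging itself onto voice VLAN 41 and taking a DHCP lease there, is to audit the voice-VLAN lease table. This is an added example, not Star2Star code: the lease export format, the OUI allowlist and the vendor-class prefix are assumptions, and the sample rows are constructed.

```python
import csv
import io

VOICE_VLAN = 41  # voice VLAN named in the FAQ answer
# Assumptions (constructed, not Star2Star values): OUIs and DHCP option 60
# prefixes of the phone models actually deployed at the site.
PHONE_OUIS = {"02:00:5e", "02:00:5f"}
PHONE_VENDOR_PREFIXES = ("ExamplePhone",)

# Constructed sample in a hypothetical export format: vlan,mac,ip,vendor_class
SAMPLE_LEASES = """\
41,02:00:5e:10:00:01,10.41.0.10,ExamplePhone-T1
41,02:00:5e:10:00:02,10.41.0.11,ExamplePhone-T1
1,02:aa:bb:00:00:07,192.168.1.50,MSFT 5.0
41,02:aa:bb:00:00:07,10.41.0.77,MSFT 5.0
41,02:00:5f:10:00:09,10.41.0.12,
"""


def parse_leases(text):
    """Return lease dicts with an integer VLAN and a lower-cased MAC."""
    fields = ["vlan", "mac", "ip", "vendor_class"]
    leases = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        row["vlan"] = int(row["vlan"])
        row["mac"] = row["mac"].strip().lower()
        leases.append(row)
    return leases


def audit_voice_vlan(leases):
    """Map each suspicious voice-VLAN MAC to the reasons it was flagged."""
    other_vlan_macs = {l["mac"] for l in leases if l["vlan"] != VOICE_VLAN}
    findings = {}
    for lease in (l for l in leases if l["vlan"] == VOICE_VLAN):
        reasons = []
        if lease["mac"][:8] not in PHONE_OUIS:
            reasons.append("oui-not-allowlisted")
        if not (lease["vendor_class"] or "").startswith(PHONE_VENDOR_PREFIXES):
            reasons.append("vendor-class-not-phone")
        if lease["mac"] in other_vlan_macs:  # same NIC on data and voice VLANs
            reasons.append("mac-also-on-other-vlan")
        if reasons:
            findings[lease["mac"]] = reasons
    return findings


if __name__ == "__main__":
    print(audit_voice_vlan(parse_leases(SAMPLE_LEASES)))
```

A MAC that holds leases on both a data VLAN and the voice VLAN is the strongest of the three signals, since OUI and vendor-class values are supplied by the client and can be set to anything.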

Q: Regarding upgrades to the StarBox® Voice Optimized SD-WAN and phones (software, firmware, etc.), are the updates stored or loaded onto the StarBox® Voice Optimized SD-WAN and then installed or pushed to the handsets? If not, how do updates get installed on all hardware?

A: That's exactly how Star2Star manages endpoint firmware and configs. It's a push from our provisioning servers in Constellation to the StarBox® Voice Optimized SD-WAN, and a pull from the phones to the StarBox® Voice Optimized SD-WAN. We are also dabbling with cloud storage in some isolated firmware cases, but the majority of endpoint firmware files and config files are stored on the StarBox® Voice Optimized SD-WAN appliance and served from the StarBox® Voice Optimized SD-WAN via TFTP and HTTP over the voice VLAN.

Q: Can we expect to reach a point where the system or hardware reaches an end-of-life situation such that upgrades will be mandatory? If so, what happens then?

A: The StarBox® Voice Optimized SD-WAN appliance is both managed and supported by Star2Star. There's never a point where we would force a customer to upgrade, although a customer who eventually grows beyond the capacity of their current appliance would want to consider an upgrade. For reference, the device capacities are 45 extensions and 15 concurrent calls for our smallest device, 250/50 for our mid-range appliance, and 500/250 for our largest one. The hardware is specified to have a 7-year lifespan, but the majority of appliances we fielded seven years ago are still in service. Next-day hardware replacement is covered under maintenance for any type of failure including fire, electricity, acts of God etc., but there has never been a point where a StarBox® Voice Optimized SD-WAN has been RMA'd for an actual hardware failure on its own. We certainly have RMA'd devices to rule out a hardware problem, but when we've tested such devices we've found the hardware to be sound.
