ConnexCS considers Security its top priority. We incorporate industry best practices into all our policies and procedures.
We use proven technology and the latest ideas to keep your systems safe from external and internal threats.
Below, we've compiled a top-level, abstract list of how we secure our systems.
The document is brief on limiting exposure to our underlying systems in a public forum.
Feel free to contact us with specific questions.
Secure Sockets Layer Certificates¶
Our HTTPS traffic uses short-lived SHA256bit certificates with 2048bit keys. It rejects downgrade attacks like SSL2,3.
We use HSTS (HTTP Strict Transport Security), Perfect Forward Secrecy, and OCSP Stapling (Online Certificate Status Protocol).
You can see our server's SSL test results here.
All internal traffic travelling between zones traverses our mesh Virtual private network (VPN). It's protected by 4096-bit keys and managed by internal CA Servers.
Our system uses an exponentially increasing delay on failed attempts and centralised reporting.
Our system hashes every password. Argon2 encrypts the ones needed for HTTP login. It's the winner of the Password Hashing Competition (PHC).
On every hash we use:
- Random Per Password Salt (With email hashed seasoning).
- Off-database site-pepper.
- High Time, Memory Cost, Parallelism Cost.
All admins must use two-factor authentication (2FA / TFA) when signing into the system.
Two-Factor Authentication is also available for any user accounts using RFC 6238-style TOTP (Time Based One-time Passwords).
Using applications such as Google Authenticator or Microsoft Authenticator.
Using SSH Keys is necessary for any user with direct access to any servers.
In all systems where keys aren't possible, you must use long, multi-symbol passwords.
We don't consider the following items insecure.
We understand the consequences of enabling these systems. But we believe their benefits outweigh the security implications.
This doesn't mean we don't observe activity on either of these. Also, we've automatically reactive systems to ensure uptime in the event of an attack.
Internet Control Message Protocol Pings¶
ICMP (Internet Control Message Protocol) pings messages (for example, ping www.connexcs.com).
ICMP Ping attacks were once common (packet size versus available bandwidth). They still happen, but it's more useful to enable ICMP replies to efficiently establish the status of a server.
Session Initiation Protocol / Real-time Transport Protocol Firewall Block on Default¶
Our Session Initiation Protocol (SIP) Servers only run SIP and nothing else.
Our Real-time Transport Protocol (RTP) Servers run RTP and nothing else.
5060 isn't fire-walled, nor are any of our RTP Ports on our RTP Servers.
This means that you will most likely see unauthorized traffic hitting your switch. Also, you will observe unauthorized calls getting blocked for failing authentication. This is normal, as it's still important to see failed traffic. It's done to make sure the authentication isn't blocking authorized callers.
Intrusion Detection System / Intrusion Prevention System¶
We've application-level logic that identifies malicious activity.
It helps escalate issues with our Intrusion Detection System (IDS) systems.
It will further enforce feedback firewall rules in return.
Connex Carrier Services Worldwide, LTD is an independent company.
ConnexCS servers retain All data and are never passed on third parties.
All employees must adhere to non-disclosure agreements that protect user data.
Also, it's made clear that we would take any data breach with severity.
Secure Sockets Layer Certificates Deployment¶
One-click is all it takes to put the SSL certificates on your customer portal.
- Click Setup Integrations.
- Click Domains.
- Click Deploy Certificate.
User Enhanced Security¶
Besides the above ConnexCS security, we also recommend the following practices to protect your ConnexCS account.
Passwords (we recommend following the NIST guidelines):
- 8 character minimum when a human sets it.
- 6 character minimum when set by a system/service.
- Support at least 64 characters maximum length.
- It should support All the ASCII characters (including space).
- When processing, it's not recommended to truncate the secret (password).
- Check the chosen password with known password dictionaries.
- Allow at least 10 password attempts before the lockout.
- No complexity requirements.
- No password expiration period.
- No password hints.
- No knowledge-based authentication (for example: who was your best friend in high school?).
- No SMS for 2FA (use a one-time password from an app like Google Authenticator).
Hardware Security Tokens: Yubikey is an example of a hardware security token. It can never be digitally stolen or used for logins to ConnexCS.
Duo Security or Google / Microsoft Authenticator: According to the NIST recommendations, you shouldn't trust the above SMS for second-factor authentication.
We apply both Duo Security and TOTP; specified in RFC 6238.You can use them by Google Authenticator or Microsoft Authenticator.