World Class – Carrier Grade

Symmetry Networks Solution Architecture

Symmetry CloudPBX is a cloud-based, hosted infrastructure solution providing a fully managed, end-to-end service that enables customers to take advantage of a hosted telephony solution with a full suite of Unified Communications features and capabilities.

Symmetry CloudPBX is supported by equipment deployed in geographically redundant configurations across two physical Datacentres. The design of the network ensures that if connectivity to one Datacentre location is lost, the other location will automatically handle the traffic generated by the subscriber base. The Datacentres are fully redundant with regard to infrastructure and network connectivity.

Symmetry CloudPBX supports a variety of data interconnection methods for access to customer premises equipment (Network Access). The methods supported include Internet-based connectivity, connectivity via Managed Internet, and connectivity via Cellular 3G/4G Networks.

OUR INFRASTRUCTURE

The Symmetry CloudPBX platform is at the centre of the network and provides the sophisticated hosted telephony and Unified Communications services.

Session Border Controllers (SBCs) are deployed in each data centre in high availability mode, meaning there is full redundancy built into each deployed SBC cluster. On the Access side of the network, SBCs are used to provide security for the Symmetry CloudPBX platform and SIP connectivity to IP endpoints, including NAT traversal and VPN connectivity. SBCs are also used on the Network side for interconnection to partner carrier networks via SIP trunks.

The routing and switching infrastructure consists of IP routers and switches manufactured by Juniper Networks and IBM. There are multiple connections within each data switch to servers, SBCs, and other networking equipment to ensure that no single physical port failure will result in complete loss of connectivity to the network.

The supported IP endpoints rely on the resolution of DNS SRV records to locate the SBCs they signal to. The DNS SRV records control the preferred order of SBCs and the signalling ports the IP endpoints signal towards. If connectivity to the primary SBC fails, the phones are configured to fail over to the secondary address.
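The SRV-based selection described above, written out as an added example (this is not code from Symmetry or from any phone firmware): a parser for presentation-format SRV lines, the RFC 2782 try-order (lowest priority first, weighted random selection within equal priority), and the failover step that picks the next SBC once a target has been marked failed. The zone data and the example.invalid hostnames are constructed assumptions.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone-file style SRV answers for a hypothetical domain
# (example.invalid); not Symmetry's real DNS data.
SAMPLE_SRV_LINES = [
    "_sip._udp.example.invalid. 300 IN SRV 20 0 5060 sbc2.dc2.example.invalid.",
    "_sip._udp.example.invalid. 300 IN SRV 10 60 5060 sbc1a.dc1.example.invalid.",
    "_sip._udp.example.invalid. 300 IN SRV 10 40 5061 sbc1b.dc1.example.invalid.",
]


def parse_srv_line(line: str) -> SrvRecord:
    """Parse one presentation-format SRV line: owner [ttl] [class] SRV prio weight port target."""
    fields = line.split()
    idx = fields.index("SRV")
    prio, weight, port, target = fields[idx + 1: idx + 5]
    return SrvRecord(int(prio), int(weight), int(port), target)


def order_srv(records, seed=None):
    """Order records the way an RFC 2782 client tries them: lowest priority
    first; within one priority, weighted random selection without
    replacement, so a higher weight is more likely to be tried first.
    Weight-0 records are deferred until only weight-0 records remain
    (a slight simplification of the RFC's 'very small chance')."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = group[0]
            else:
                n = rng.randint(1, total)
                running = 0
                for r in group:
                    running += r.weight
                    if running >= n:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def next_sbc(ordered, failed):
    """First SBC in try-order whose target is not in `failed`; None when every target has failed."""
    for rec in ordered:
        if rec.target not in failed:
            return rec
    return None


if __name__ == "__main__":
    recs = [parse_srv_line(line) for line in SAMPLE_SRV_LINES]
    order = order_srv(recs, seed=1)
    for r in order:
        print(f"prio={r.priority:<3} weight={r.weight:<3} {r.target}:{r.port}")
    dc1 = {"sbc1a.dc1.example.invalid.", "sbc1b.dc1.example.invalid."}
    print("failover target when DC1 is unreachable:", next_sbc(order, failed=dc1).target)
```

With this data both DC1 SBCs share priority 10 and are always tried before the priority-20 SBC in DC2, which is the behaviour the phones depend on: the secondary Datacentre is only contacted after the primary addresses have failed.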


Survivability / Redundancy

Symmetry CloudPBX utilizes world-class Datacentre vendors to provide the space and power required for the network and services to function. All vendors are Tier 3 compliant, with the Datacentre SLA providing greater than 99.999% uptime and 24-hour Datacentre monitoring.

Security Considerations

Symmetry CloudPBX is dedicated to investigating and correcting security vulnerabilities and preventing fraud relating to the Symmetry CloudPBX services. There are multiple levels of security built into Symmetry CloudPBX. These can be broken down into the following areas:

  • Network Security
  • Intrusion Detection
  • Network Protection
  • Call Processing
  • Device Configuration

A number of security strategies are employed (see following sections) that work in tandem to minimize opportunities to intercept, spoof, or hijack VoIP services.

Network Security

The following Network Security measures are used to prevent unauthorized access to user media and control traffic, together with intrusion detection and prevention mechanisms.

  • Firewalls are configured in multiple zones for tiered security. All public access to SymmetryCloud applications and services traverses a demilitarized zone (DMZ) for added security.
  • Firewalls are configured to only allow traffic specific to SymmetryCloud applications and services. All other traffic is restricted.
  • Network protection from policy violations, vulnerability exploitations, and anomalous activity is achieved through detailed inspection of traffic in ISO Layers 2 through 7.

Intrusion Detection

Intrusion detection mechanisms include inline prevention technologies that take preventive action on a broad range of threats including Denial of Service (DoS), without dropping legitimate traffic.

Network Protection

Network protection from policy violations, vulnerability exploitations, and anomalous activity is achieved through detailed inspection of traffic in ISO Layers 2 through 7.

Call Processing

Call processing measures restrict communications to authorized end users only, and help prevent spoofing. SymmetryCloud provides the following measures:

  • SIP authentication for Registrations.
  • SBCs enforce source IP and port matching so that calls cannot be placed from any IP/port combination other than the one associated with the Registration.
  • Very long, device-specific alphanumeric SIP authentication passwords. This password is generated by the Rialto system at the time devices are assigned to users.
  • SIP authentication for Invites.
  • Security features configured in the SBCs that will block calls if the source IP and port don’t match the IP and port associated with the registration, or blacklist IP addresses that send too many failed attempts in a short period of time.
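The registration binding check and the failed-attempt blacklist from the list above, modelled as an added example (not Symmetry's SBC configuration or code): a guard that records the source IP and port of each authenticated REGISTER, rejects INVITEs whose source does not match that binding even when the credentials are valid, and temporarily bans a source IP after a burst of authentication failures. The event stream, addresses, thresholds and decision labels are constructed assumptions.

```python
from collections import defaultdict, deque


class RegistrationGuard:
    """Binding checks and per-source failed-authentication tracking in the
    style of an access-side SBC. Times are seconds as floats."""

    def __init__(self, max_failures=3, window_s=60.0, ban_s=600.0):
        self.max_failures = max_failures
        self.window_s = window_s
        self.ban_s = ban_s
        self.bindings = {}                  # AoR -> (ip, port) from the last good REGISTER
        self.failures = defaultdict(deque)  # ip -> timestamps of recent auth failures
        self.banned_until = {}              # ip -> time at which the ban lifts

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]       # ban expired
            return False
        return True

    def _note_failure(self, ip, now):
        """Record a failure; return True when this failure triggers a ban."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()                      # drop failures outside the window
        if len(q) >= self.max_failures:
            self.banned_until[ip] = now + self.ban_s
            q.clear()
            return True
        return False

    def on_register(self, aor, ip, port, now, auth_ok):
        if self.is_banned(ip, now):
            return "reject-banned"
        if not auth_ok:
            return "reject-auth-banned" if self._note_failure(ip, now) else "reject-auth"
        self.bindings[aor] = (ip, port)      # bind the AoR to this exact source
        return "allow"

    def on_invite(self, aor, ip, port, now, auth_ok):
        if self.is_banned(ip, now):
            return "reject-banned"
        if not auth_ok:
            return "reject-auth-banned" if self._note_failure(ip, now) else "reject-auth"
        binding = self.bindings.get(aor)
        if binding is None:
            return "reject-unregistered"
        if binding != (ip, port):
            return "reject-source-mismatch"  # valid credentials, wrong source
        return "allow"


# Constructed event stream: (time_s, method, AoR, source ip, source port, auth result).
SAMPLE_EVENTS = [
    (0.0, "REGISTER", "sip:1001@pbx.example.invalid", "198.51.100.10", 5060, True),
    (1.0, "INVITE",   "sip:1001@pbx.example.invalid", "198.51.100.10", 5060, True),
    (2.0, "INVITE",   "sip:1001@pbx.example.invalid", "203.0.113.7",   5060, True),   # wrong source
    (3.0, "REGISTER", "sip:1002@pbx.example.invalid", "203.0.113.7",   5060, False),
    (3.5, "REGISTER", "sip:1002@pbx.example.invalid", "203.0.113.7",   5060, False),
    (4.0, "REGISTER", "sip:1002@pbx.example.invalid", "203.0.113.7",   5060, False),  # third failure
    (4.5, "REGISTER", "sip:1002@pbx.example.invalid", "203.0.113.7",   5060, True),   # too late
]


def run_sample(events=SAMPLE_EVENTS):
    """Feed the sample events through one guard and return the decision per event."""
    guard = RegistrationGuard(max_failures=3, window_s=60.0, ban_s=600.0)
    decisions = []
    for t, method, aor, ip, port, auth_ok in events:
        if method == "REGISTER":
            decisions.append(guard.on_register(aor, ip, port, t, auth_ok))
        else:
            decisions.append(guard.on_invite(aor, ip, port, t, auth_ok))
    return decisions


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, run_sample()):
        print(f"t={event[0]:>4} {event[1]:<8} {event[3]}:{event[4]} -> {decision}")
```

The third event shows why the source check matters on its own: the INVITE carries acceptable credentials but comes from an address other than the one bound at registration, so it is rejected regardless of authentication. The ban is keyed on source IP and expires on its own, which keeps a mistyped password on one handset from locking out a site permanently.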

Privilege-based Account and Access Control

SymmetryCloud Account and Access Privileges are based on a hierarchical system with permission granularity ranging from Site Administrators through to End-Users.

Configuration and administration portals are restricted based on specific business functions and permissions assigned to each user, for example, end users can only access their own information.

Administrators are also limited to managing information for specific sites and data types for which they have been authorized.

Each account has distinct credentials, authentication vectors, and permission sets. Business directory information is made available to users that have been properly authenticated to a management or client portal.

Data Centre Security

Symmetry partners with Tier 3 Datacentre operators with years of experience in the design, implementation, and operation of large-scale, secure datacentres. These facilities provide physical, environmental and access security, protecting Symmetry Networks’ physical and virtual application environments.

Facility

  • 24×7 On-site security personnel
  • Nondescript and unmarked facilities with natural boundary protection
  • Silent alarm system with automatic notification to local law enforcement
  • Building code compliance to local governmental standards

Environmental Safeguards

  • Fully redundant HVAC facilities
  • Automatic fire suppression systems, dual alarmed (heat/smoke), dual interlock with cross-linked event management
  • N+1 redundant UPS power system supporting entire Datacentre capacity, with redundant backup generators
  • Where appropriate, localized disaster compliance (seismic, flood control)

Access

  • Biometric scanning and/or two-factor authentication for access
  • All ingress/egress through vestibules (man-traps)
  • Access requires valid government issued photo ID, and all access history is recorded for audit purposes
  • Authorisation is required prior to access and is only granted for legitimate business need
  • Shipping and receiving are walled off from co-location areas
  • For both ingress and egress, all material is inspected upon arrival by on-site security staff.

Fraud Prevention

SymmetryCloud solution specific fraud prevention and detection mechanisms include:

  • Detailed reporting mechanisms that can be used to track service and network utilization. This information is regularly analysed to identify suspect usage patterns for further investigation. For example, the CDR feed provided to the service provider could be used for offline fraud analysis.
  • Portals which limit access to information based on specific business functions and permissions assigned to each user.
  • Strengthened admin password policy management on all phones. This increases password strength and addresses a potential security vulnerability that could lead to user spoofing and ultimately to fraudulent call activity.
  • Disabling HTTP/HTTPS interfaces on the IP Phones to lock them down and prevent unauthorized access.
  • Additional security features configured in the SBCs that will block calls if the source IP and port don’t match the IP and port associated with the registration, or blacklist IP addresses that send too many failed attempts in a short period of time.
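The offline CDR analysis mentioned in the first bullet, as an added example that is not part of Symmetry's tooling: a small parser for a CSV call-detail feed and a detector that flags an extension when it places international calls outside business hours or in a burst within a short window, two of the usage patterns a fraud review would look at first. The CSV layout, the numbers, the business-hours range and the thresholds are constructed assumptions, not Symmetry's actual CDR format or policy.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed CDR sample in a simple CSV layout (not the real CDR feed format).
SAMPLE_CDR = """start,extension,dialled,duration_s
2024-03-04T02:01:10,1001,0044207946000,45
2024-03-04T02:02:05,1001,0044207946001,38
2024-03-04T02:03:15,1001,0044207946002,41
2024-03-04T02:04:30,1001,0044207946003,52
2024-03-04T09:15:00,1002,0296123456,180
2024-03-04T10:02:00,1003,0044207946010,600
2024-03-04T10:40:00,1003,0296123457,120
"""

BUSINESS_HOURS = range(8, 19)  # assumed 08:00 to 18:59 local time


def is_international(number):
    """Assumed dialling convention: international calls start with 00 or +."""
    return number.startswith("00") or number.startswith("+")


def parse_cdrs(text):
    """Parse the CSV feed into records with a datetime start and int duration."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        records.append({
            "start": datetime.fromisoformat(row["start"]),
            "extension": row["extension"],
            "dialled": row["dialled"],
            "duration_s": int(row["duration_s"]),
        })
    return records


def detect_suspect_usage(cdrs, max_intl_per_window=3, window=timedelta(minutes=10)):
    """Return (extension, reason, time) alerts for international calls placed
    outside business hours and for more than max_intl_per_window
    international calls from one extension inside `window`."""
    alerts = []
    recent = defaultdict(deque)  # extension -> start times of recent international calls
    for rec in sorted(cdrs, key=lambda r: r["start"]):
        if not is_international(rec["dialled"]):
            continue
        ext, t = rec["extension"], rec["start"]
        if t.hour not in BUSINESS_HOURS:
            alerts.append((ext, "international call outside business hours", t))
        q = recent[ext]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()  # forget calls older than the window
        if len(q) > max_intl_per_window:
            alerts.append((ext, "international call burst", t))
    return alerts


if __name__ == "__main__":
    for ext, reason, when in detect_suspect_usage(parse_cdrs(SAMPLE_CDR)):
        print(f"{when.isoformat()} ext {ext}: {reason}")
```

In the sample, extension 1001 trips both rules overnight while 1003's single daytime international call produces nothing, which is the distinction the review process needs: a pattern, not a single expensive call, is what gets escalated.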