History: Tiki Suite Security
Notes about security.
Beyond making sure each component is secure and updated, we need to make sure the integrations between them are secure. Some groups may also be interested in SIP over TLS and SRTP/ZRTP for securing VoIP communications (FreeSWITCH, Jitsi, QuteCom, Blink and SFLphone support this). Likewise, LDAPS will definitely be needed when VPNs or NAT aren't possible between servers. One challenge may be managing keys and certificates for the organisation; ClearOS, for example, provides a management interface for this.
User training
Physical security
Data loss
- https://securityinabox.org/en/chapter-5
- See also the "Backup-FileSync" section on Tiki Suite brainstorming
Passwords
Encryption
Brute-force attacks
- http://tracyreed.org/blog/2010/12/26/sip-brute-force-attacks
- http://code.google.com/p/sipvicious/
- http://www.clearcenter.com/support/documentation/user_guide/intrusion_protection_updates/ssh_brute_force_attack
- http://www.clearcenter.com/Services/clearsdn-intrusion-protection-4.html
SMS
https://securityinabox.org/en/textsecure_main
Or just use CyanogenMod:
http://www.cyanogenmod.org/blog/whisperpush-secure-messaging-integration
Security of the components
ClearOS
- http://www.clearcenter.com/support/documentation/user_guide/incoming_firewall
- http://www.clearcenter.com/support/documentation/user_guide/openvpn
- http://www.clearcenter.com/support/documentation/user_guide/mail_antivirus
- http://www.clearcenter.com/support/documentation/user_guide/gateway_antiphishing
- http://www.clearcenter.com/support/documentation/security_metrics
- http://www.clearcenter.com/Services/clearsdn-remote-security-audit-5.html
- ClearOS supports encrypting the filesystem. If your ClearOS system is not in a secure location and you are concerned about protecting the data should the system be physically stolen, you may want to consider this option. Keep in mind that encrypting the filesystem also means that a decryption password is required on every reboot. In other words, unattended reboots and headless operation are not supported.
- http://www.clearcenter.com/support/documentation/user_guide/start#intrusion_protection
- http://www.clearcenter.com/support/documentation/user_guide/certificate_manager
- http://www.clearcenter.com/marketplace/system/User_Certificates_Plugin.html
- http://www.clearcenter.com/support/documentation/user_guide/mail_antispam
Zarafa
- http://www.zarafa.com/blog/post/2013/05/smime-z-push-signing-and-en-decrypting-emails-mobile-devices
- http://www.zarafa.com/integrations/zarafa-webaccess-smime-plugin
Thunderbird
Jitsi
Tiki
Related links
- https://www.dnssec-tools.org/
- http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec
- http://www.internetsociety.org/deploy360/blog/2013/12/want-to-quickly-create-a-tlsa-record-for-dane-dnssec/
- http://www.dwheeler.com/essays/easy-email-sec.html
- https://www.mailpile.is
- https://leap.se/en/home