The StarBox has multiple levels of security, including packet filtering on all available interfaces. In addition to only allowing specific traffic to specific services, the StarBox only allows inbound traffic from Star2Star's range of IP addresses.
If the packets are destined for the telephony network, we verify that they are in-fact telephony packets. Also, since the phones are not given a publicly reachable ip address (being behind our StarBox), they are protected. Without having a world-reachable ip address, they are protected from attacks originating off the customers network.
If the packets are destined for the data network, the StarBox allows the traffic to pass untouched to the customer defined DMZ host. The customer must configure a firewall or similar device to apply security measures to inbound data traffic.
If the customer has not defined a DMZ host in the StarBox configuration, the StarBox will simply drop any packets that are not of the voice classification or Star2Star administration classification.
All of the administration services running on a StarBox are encrypted. The connection between the StarBox and the Datacenter is encrypted and protected by 2048 bit public/private key exchange.
The StarBox software image is read only on disk and is cryptographically signed using SHA1. On every startup, this signature is verified before the image is booted. If the verification fails the bootloader can attempt to download a new image. If this also fails the StarBox will refuse to boot. In the event of any boot errors, there are multiple rescue options available from the bootloader.
The StarSystem VLAN architecture separates the voice and data networks, thereby providing another buffer between the "untrusted" internet link and the customers data network.
Click below image to access the StarBox Security Features guide.