Security scans against the StarLeaf platform
Last updated January 19, 2021
StarLeaf takes security very seriously. The StarLeaf platform architecture ensures the highest level of security. We continually work to improve the security of the StarLeaf platform. However, security scans can be confused by the way the StarLeaf platform uses port 443.
This article is about the StarLeaf Border Controllers that are present in the StarLeaf platform and provide the nodes for [your organization name].call.sl through which every StarLeaf endpoint connects to the StarLeaf platform. This article is not about the StarLeaf Session Border Controller (SBC 6350) product.
StarLeaf Border Controllers listen on port 443. However, they are not standard web servers. The only traffic allowed to that port is connections from StarLeaf endpoints. Every connection is verified using the StarLeaf certificate included in the software or hardware installation. Any other traffic is rejected.
StarLeaf Border Controllers use port 443 because this ensures our traffic can traverse most firewalls. However, this makes a StarLeaf Border Controller appear to be a web server.
StarLeaf Border Controllers are very different from standard web servers, which accept connections from any web browser with no trust relationship in place. With a standard web server, the client authenticates the remote server using the server's certificate and extracts the public key from the certificate to establish the secure connection. The client can trust that the server certificate belongs to the server only if it is signed by a mutually trusted third-party Certificate Authority. StarLeaf endpoints only accept server responses from a StarLeaf Border Controller that has a StarLeaf certificate; no mutually trusted third party is needed because both sides of the connection are produced by StarLeaf.
In the case of a public web server, it is possible for a client to choose a poor-quality cipher if one is advertised. Because StarLeaf controls both the client and the server sides of all connections to this port, we can guarantee a high-quality cipher is used, in this case AES256-SHA.
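The contrast drawn above between a browser-style client and a closed, single-vendor client, as an added Python example (not StarLeaf code). The cipher name comes from this article; the function names and the optional `vendor_ca_file` path are assumptions made for illustration.

```python
import ssl
from typing import Optional

PAGE_CIPHER = "AES256-SHA"  # the suite named in this article


def public_web_context() -> ssl.SSLContext:
    """Browser-style client: trusts any chain ending at a public CA and
    lets the server pick from a broad cipher list."""
    return ssl.create_default_context()


def private_trust_context(vendor_ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Closed-ecosystem client: no public CAs, one cipher.

    vendor_ca_file is a hypothetical path to the vendor's own CA bundle.
    Until it is loaded the trust store is empty, so every server is rejected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    # AES256-SHA is a pre-TLS 1.3 suite, so cap the protocol version;
    # otherwise a TLS 1.3 handshake would use a different suite.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PAGE_CIPHER)
    if vendor_ca_file:
        ctx.load_verify_locations(cafile=vendor_ca_file)
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the properties a scanner's findings hinge on."""
    # OpenSSL always lists TLS 1.3 suites (names start with "TLS_");
    # filter them out to see what set_ciphers() actually selected.
    suites = [c["name"] for c in ctx.get_ciphers()
              if not c["name"].startswith("TLS_")]
    return {
        "verify": ctx.verify_mode.name,
        "hostname_check": ctx.check_hostname,
        "trusted_cas": ctx.cert_store_stats()["x509_ca"],
        "tls12_suites": suites,
    }


if __name__ == "__main__":
    for name, ctx in (("public web", public_web_context()),
                      ("private trust", private_trust_context())):
        info = describe(ctx)
        print(f"{name:14} verify={info['verify']} "
              f"CAs loaded={info['trusted_cas']} "
              f"TLS<=1.2 suites={len(info['tls12_suites'])}")
```

A scanner behaves like the first context: it validates against public CAs and enumerates every suite the server will accept, so a server built for the second kind of client looks unusual to it.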
For more information about security and the StarLeaf platform, refer to the Security Whitepaper available at StarLeaf Resources.