Appliance Security Overview

Fonolo is compatible with all major call center platform vendors and can connect to your call center through a hybrid SIP connection that includes placing virtual appliances within your network or your cloud hosting environment.

The Fonolo Appliances are fully managed, monitored, and secured remotely by Fonolo and, once installed, do not require any attention from the customer.

Monitoring / Security Updates

Appliances are remotely monitored in real time by the Fonolo SIEM platform, and triggered events are handled by the Fonolo Engineering teams. Monitoring includes general system stats (CPU, memory, etc.), as well as real-time audit logs and application logs.

Fonolo also performs monthly penetration testing against all customer appliances, as well as daily software audits to identify any known software vulnerabilities (CVEs, etc.). Software updates are done at least quarterly, depending on any identified software vulnerabilities and their severity.

Remote Access

Fonolo requires remote access via SSH (TCP/22) to all Fonolo Appliances for maintenance, monitoring, and troubleshooting. Access from Fonolo is limited to a small IP range owned by Fonolo.

More information about remote access requirements and which network ports are used is available in the Fonolo Virtual Appliance Deployment Configuration Guide.

Access to Fonolo Appliances is limited to the Fonolo Engineering team and requires multi-factor authentication, including both an individual private key and an individual password. Elevated (root) access on the Appliances is limited (via PAM wheel group) to a handful of individuals and requires an additional password.

Firewalls

A firewall is in place on the Fonolo appliances to ensure only expected network traffic is allowed to pass through the appliance devices, and to reduce the attack surface area by limiting unnecessary ICMP and other network traffic.

Encryption / Authentication

All services between the Fonolo data center and the Fonolo Appliances, including SIPS (secure SIP), HTTPS, and SSH, are encrypted and use high security standards and ciphers. Since Fonolo controls both sides of the connection, compatibility with older standards and ciphers is not required.

All HTTPS and SIPS communication uses TLS 1.2 or higher, and requires an individually signed certificate, signed by an internal Fonolo CA. Both inbound and outbound communication channels over HTTPS and SIPS will fail if the certificate does not validate against the Fonolo CA, or if the certificate is identified in our internally managed Certificate Revocation List.

In addition to dedicated certificates, each appliance is automatically assigned a security token, which is validated on each request, along with its IP address, to ensure it’s a well-known device.
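
A minimal sketch of the checks described above (TLS 1.2 floor, client certificate required from a private CA, CRL checking, then per-request token and source-IP validation), added here as an illustration and not Fonolo's own code. The function names, the registry layout, and the sample token and addresses are assumptions constructed for the example.

```python
import hmac
import ipaddress
import ssl

# Constructed sample registry (hypothetical layout): appliance id -> (token, allowed source network).
REGISTRY = {
    "appliance-01": ("tok-constructed-aaaa", ipaddress.ip_network("203.0.113.10/32")),
}


def build_server_context(cert_file=None, key_file=None, ca_file=None, crl_file=None):
    """Server-side TLS context that demands a client certificate from a private CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse anything older than TLS 1.2
    ctx.verify_mode = ssl.CERT_REQUIRED             # handshake fails without a valid client cert
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)    # this endpoint's own certificate
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # trust only the private CA
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)  # PEM CRL published by that CA
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF  # reject revoked peer certificates
    return ctx


def validate_request(appliance_id, token, peer_ip):
    """Per-request check, run after the handshake: token and source IP must both match."""
    entry = REGISTRY.get(appliance_id)
    if entry is None:
        return False
    expected_token, network = entry
    # Constant-time comparison avoids leaking how much of the token matched.
    token_ok = hmac.compare_digest(token.encode(), expected_token.encode())
    try:
        ip_ok = ipaddress.ip_address(peer_ip) in network
    except ValueError:  # malformed address: fail closed
        ip_ok = False
    return token_ok and ip_ok


if __name__ == "__main__":
    ctx = build_server_context()
    print(ctx.minimum_version, ctx.verify_mode)
    print(validate_request("appliance-01", "tok-constructed-aaaa", "203.0.113.10"))
    print(validate_request("appliance-01", "tok-constructed-aaaa", "198.51.100.7"))
```

Setting `VERIFY_CRL_CHECK_LEAF` without loading a current CRL makes every handshake fail, so the CRL file has to be refreshed before it expires.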

Applications

The Fonolo Appliance runs a combination of open-source and custom software on top of AlmaLinux 9.x, an Enterprise Linux distribution that is downstream of and binary compatible with Red Hat Linux.

All open-source applications used are well-known, well-supported applications, such as Nginx, PostgreSQL, etc. All applications are configured to run as their own dedicated unprivileged user, to avoid any possible cross-contamination in the unlikely event an application is compromised.
