Published on January 27th, 2014 | by Alexis Argent1
VoIPon Discuss Network and IP PBX Security
The PBX today is no longer an island but another IP based device sitting on the local network and connected to the rest of the world via all manner of IP based connections.
Security for the PBX is often an overlooked issue for many resellers and users and we have to say that rarely do vendor put the topic anywhere near the top of their agendas. Yet PBX hacking is big business and the hard facts of life are that network operators do just not want to know when the big bill arrives following a ‘break in’ at the user premises – often by a third party located in some untraceable part of the world.
IP PBX security is indeed a very serious issue because an IP PBX can make a practically unlimited amount of chargeable calls in short space of time, and so is a valuable potential target for organised crime and professional hackers. Arguably, managing this issue is the resellers responsibility, especially if you’re selling to SMEs who often won’t be large enough businesses to warrant the hiring of a dedicated network administrator. This is an area resellers should know more about in any case, because VoIP hacking attempts have become more widespread and common, so the customer will expect resellers to leave them with a secure VoIP implementation and network. However, there are positives to this, after all – the broader a service you can provide, the more value you can add, and the wider range of services, such as IP PBX security consultation and maintenance, you can charge for.”
What should resellers be doing to protect their customers from being hacked?
The bottom line is that routers & switches, IP PBXs, IP gateways and IP phones should all be as locked down as possible. In practice, this means having as few ports open in your firewall as possible, and only the ones that are absolutely necessary. Your network is like a house: just as you need to open a port SIP traffic, so do you need a front door for getting in and out. Aside from that, you want to keep the windows and back door locked. This is a simplification, but the principle holds true. It’s essential to use strong passwords and install the latest security patches across your IP PBX, IP gateways and IP phones. These are the three main VoIP devices that can be hacked – and through which the credentials of your VoIP provider can be stolen. Other key issues to address, in order to ensure your IP PBX is VoIP Ready, include ‘hardening’ the server your IP PBX is deployed on, which means disabling unnecessary services and root access and changing all default ports. Resellers should also ensure the servers operating system and all associated software are up to date with the latest security patches, as well as making sure you’ve changed all default passwords and extension passwords. External access should be limited to known IPs only, and the maximum number of trunk calls, as well as the maximum number of calls per extension should also be limited – depending of course on what the customer’s requirements are. You can also ask your internet telephone services provider to limit the amount that can be spent in any given period.”
What products are on the market to maximise security and minimise financial risk?
The most essential part of your network security is your firewall. And there are lots of them available from a range of manufacturers, usually built in to the router. However, not many of these specialise in preventing VoIP intrusion. One that is designed to manage VoIP is the Pika µWARP Firewall which sits between the IP PBX and the router, and exemplifies many of the best-defence features currently available. For example, the Pika prevents the most common fraudulent activities before they happen, by analysing SIP packets through deep packet inspection, stopping abnormal SIP protocol usage based on parameters the reseller or end user can define. Thus preventing SIP denial-of-service attacks. Ultimately, resellers should approach the issue of security with the understanding that there are a lot of bases to cover, and it only takes one tiny vulnerability to render an entire network insecure. It’s also a rapidly evolving field with new vulnerabilities and threats discovered every day. So as with all network security, which extends to IP PBXs, resellers should commit to staying on the ball and up to date on the technology and methods available to keep customers’ networks as secure as possible.”
The IP PBX also represents one small step for man when it comes to hopping on to the company LAN and access to all that company data. How can reseller reduce this risk?
You should definitely separate data and voice using virtual LANs, otherwise known as VLANs. At present, this is the best way of restricting the damage that can be done in the event of unauthorised LAN access. All good quality contemporary routers and switches support VLANs, with higher tier Cisco products being an obvious example. More and more manufacturers are supporting VLANs on their higher-end equipment, so this should be a standard part of any secure configuration.
Has anyone got a practical checklist for resellers and their customers to secure the PBX?
VoIPon is a member of ITSPA, the Internet Telephony Services Providers’ Association, which published it’s ‘Recommendations for secure deployment of an IP-PBX, version 2’ paper in November 2013. I’d recommend people seek this out, as it’s a very thorough set of guidelines. If you’re interested you should contact the organisation via [email protected]
Share this story with your friends or work colleagues. If you want to stay up to date with our latest products, industry news and offers you can sign up to our monthly newsletters, keep up to date with us on Facebook or follow us on twitter @VoIPon.