Useful Tips on IP PBX Security

Hosted VoIP is gradually becoming more widely accepted by many small to medium-sized businesses as an alternative to costly telephony infrastructures.  As PBX systems increase in popularity so do the concerns that surround VoIP security. When your PBX is hosted, these concerns are addressed with the help of your VoIP service provider. If, however, you opt for a premise based solution, you are going to be very much on your own. Most “big box” carriers will do little to nothing to help you secure your IP PBX.

If you decided not to go hosted and are thinking about implementing a premise-based VoIP solution or you already have a system in place, here are some of the methods which are used to secure PBX systems.

PBX System Monitoring

Monitoring network traffic during peak usage times helps to identify any unauthorized users or network attacks.  By becoming familiar with normal network usage at its busiest time, IT administrators are able to obtain information on network users and the applications being used.  Any network intrusion usually shows a surge in traffic which will send up red flags if you are familiar with activities during peak usage times. If your system offers monitoring of call volumes, CPU performance, memory utilization, lock activity and other items, carefully set your thresholds to trigger warnings to your support staff.

Deploy Dedicated Servers

Servers that have unrelated services running on them are more vulnerable to network intrusions.  For example, if you are using a PBX server which is also used for a web server, then the server may become open to attacks by hackers that use web applications to gain access to the PBX system.  By deploying a dedicated server, you can work around this concern while increasing the security for the PBX system.

Implement Network Intrusion Detection System

By implementing intrusion detection systems host administrators are able to discover a network security breach before it gets out of control. PBX systems typically use host-based intrusion detection systems which provide analysis logs and other information associated with network activity.

Tighten the Base Operating System

By disabling unnecessary services on the PBX system, this improves security for the base operating system.  This process is also known as hardening the operating system.  For example, if you are using Windows and have no need for backwards compatibility, you can disable this service to reduce the chances of an intrusion via an unused component on the PBX system.

Patch Management

Regardless of how secure you try to make a PBX system there are always unknown vulnerabilities once the hardware and software is released on the market.  For this reason, the manufacturers perform continual testing and release security patches and firmware updates periodically as vulnerabilities are discovered.  This requires PBX administrators to stay on top of patch management to ensure the PBX system stays secure and up to date.

Use Strong Passwords

Passwords that are hard to guess will improve the security for the PBX system administrator interface as well as the IP phones on the network.  Using strong passwords and changing them often will discourage brute force attacks by hackers who use password cracking software to steal passwords and gain access to the network.  This means avoiding passwords that are easy to guess such as the phone extension name or a word such as “pass.”  Instead, the password should contain upper and lower case letters, symbols, and numbers, which makes it difficult for the cracking software to identify. Reuse of passwords must be disallowed.

Employ Break-In Evasion

Some PBX systems support break-in evasion mechanism by locking out extension or user accounts when they fail authentication repeatedly. Break-In evasion algorithms generally vary from complex lockouts to simple ones. Break-In evasion is highly effective against password dictionary attacks.

Use Firewalls

Although VoIP stands for Voice over Internet Protocol, this does not mean that you are required to expose an IP phone directly to the Internet.  Instead, a secure PBX system will place IP phones behind a firewall and then implement safety controls to provide protection against networks that may not be trustworthy.  It also helps to prevent deliberate attacks that are designed for IP telephony and protects IP phones on the network against spam.

Disable Web Interface on VoIP Handsets

Web Interface of the IP handsets often gets exploited by perpetrators of toll fraud attacks. Modern VoIP handsets offer convenient HTML-based configuration interface. Unfortunately the drawback of such interface lies is that it allows easy access to your PBX extension login credentials. This opens a possibility for another SIP device log in to the PBX system with the same extension credentials posing as a legitimate device and place many calls to unauthorized sources.  This attack may cost you dearly as your business will be responsible for paying (international in most cases) toll charges. To best protect your phones – try using automatic provisioning or better yet, completely disable web interface once your handset has been manually provisioned.

Use Private IP Numbering Scheme for Handsets and IP PBX

Make your phones and PBX inaccessible from outside. Make use of IP tunneling without dealing with the Network Address Translation (NAT). This will allow you not to deal with the NAT traversal issues that commonly cripple SIP sessions and make your handsets and PBX inaccessible from the world of public Internet unless you utilize VPN or GRE tunneling.

Limit Number Of Active Sessions Per Extension

When your 4-line SIP phone opens 20 SIP sessions, you most likely have a security problem. The impact of that security breach on your phone bill, however, may be reduced and hackers (even successful ones) may be discouraged from using your extension to route 3-rd party calls if they can only open few concurrent sessions

Keep Your Voice Traffic Encrypted

Encrypting internal and external SIP trunks is the best way to defend against eavesdropping. Even if the network is compromised and voice traffic is captured – it will not be readable. Be sure to encrypt both: SIP signaling and RTP payload. Consider the negative performance impact of encryption resulting in increased latency and processor overhead applicable to every hop encrypted traffic takes. Remember, that when it comes to SIP trunking – a lot depends on your carrier’s ability to keep traffic encrypted, not to mention numerous interoperability concerns. There are several ways to keep your PBX sessions encrypted with either SRTP or handset VPN sessions. Your premise-based system may only support one of them.

Along with the benefits, VoIP technology brings many more security threats than traditional circuit-switched telephony. IP PBX systems could be exploited from thousands of miles away without the perpetrator actually physically tapping into your circuits. Because of that, many IP PBX systems offer a broad range of complex configurable PBX security features. PBX system security can be customized to suit the individual needs of a business. For this reason, the security should be designed and integrated with the specific telephony services you need to keep your business secure and productive.