The flexibility offered by VoIP phone systems can be a security risk if they are not properly secured. We frequently read about businesses losing tens of thousands of dollars over a weekend due to toll fraud, where a hacker gains entry to their phone system and then makes multiple calls overseas.
So how can you minimise the risks and protect your phone system from potential external and internal threats? Here are the current best practices:
Use Strong Passwords
A weak password can leave a potential security gap which hackers can easily exploit. Strong passwords should be used for every password required in your phone system. In an Avaya IP Office 500v2 there are passwords for base extension, user, login if hot desking, voicemail, administration, root and security. There are also other internal passwords that can be changed for increased security. It’s recommended that strong passwords of at least 8 characters, including a mix of upper and lower case along with digits and special characters, be applied and changed periodically. In many cases we find that multiple items in a customer network still have the default password on them.
Keep Your PBX Updated
Regularly reviewing and updating your PBX firmware/software is a standard security practice to keep your phone system safe. The most recent version is typically the most secure, because bugs and other potential vulnerabilities have been found and fixed. As technology evolves, some critical security features or layers of protection are only supported by the latest version. Again using the Avaya IP 500v2 as an example, the current Release 11 introduced more security and higher default complexity, and for the newer phones passwords are mandatory on the base extensions.
Separate Voice and Data Traffic
Separating voice and data traffic is commonly recognised as an effective method to counter VoIP security risks. Some VSPs provide SIP trunks delivered over VLANed WAN connections. But if you are just running over the public Internet, internal VLANs can be used. The voice traffic and data traffic can be logically separated by a VLAN switch. If one VLAN is penetrated, the other will remain secured. Also, limiting the rate of traffic to IP telephony VLANs can slow down an outside attack. If using the public Internet, a Session Border Controller provides both improved security and easier traversal of firewalls by wanted SIP traffic.
Avoid Port Forwarding
In an attempt to offer remote access for mobile workers, some on-premises IP-PBX vendors recommend port forwarding. This is not a good idea, as it opens a hole in your firewall and exposes you to potential attacks. Instead, deploying a VPN device at both ends can be a smart choice. The connected devices at both ends form an encrypted, secure “tunnel” over the public internet, keeping all of your traffic safe.
Secure the Trunks on PBX
One of the most notable purposes of PBX hacking is to hijack the POTS lines or SIP trunks for expensive international calls. To prevent this, the most basic precaution is to restrict outbound calling from each vulnerable end-point and disallow anonymous incoming calls, which can be done in the following 3 ways.
• Set up outbound route permission: your employees perform different tasks in your company, and not all of them need to make long-distance or international calls. Consider setting different outbound routes for different trunks (local, long-distance and international), and assign outbound route permission only to the users that require it. Limited access makes for a more secure system.
• Disallow anonymous incoming calls: unknown calls may be charged to the bill of your trunks. Attackers can dial into a PBX system with anonymous numbers, then use the functionality of the PBX to generate an outbound call and incur call charges. To prevent such an attack in the first place, you can choose to disallow anonymous incoming calls through the advanced SIP setting options of your PBX.
• Configure outbound restriction: if your PBX allows you to limit how many times a user can make outbound calls during a certain time period, remember to configure the settings. This will help minimize the losses caused by toll fraud, if any occurs.
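The three controls above, modelled as one call-admission policy. This is an added example, not code from any PBX vendor; the extensions, dial prefixes, call cap and time period are assumed values chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed policy: call classes each (hypothetical) extension may dial.
ROUTE_PERMISSIONS = {
    "201": {"local"},
    "202": {"local", "long_distance"},
    "203": {"local", "long_distance", "international"},
}
MAX_OUTBOUND_CALLS = 3   # assumed cap per extension
WINDOW_SECONDS = 3600    # assumed time period the cap applies to


def classify(number):
    """Toy dial plan (assumed prefixes): 00 or + international, 0 long distance."""
    if number.startswith(("00", "+")):
        return "international"
    if number.startswith("0"):
        return "long_distance"
    return "local"


class TrunkPolicy:
    def __init__(self):
        # extension -> timestamps (seconds) of calls allowed in the current window
        self._recent = defaultdict(deque)

    def inbound(self, caller_id):
        """Disallow incoming calls that present no or an anonymous caller ID."""
        if not caller_id or caller_id.lower() in {"anonymous", "unknown", "restricted"}:
            return "reject: anonymous caller"
        return "allow"

    def outbound(self, extension, number, now):
        """Apply route permission first, then the per-extension call cap."""
        call_class = classify(number)
        if call_class not in ROUTE_PERMISSIONS.get(extension, set()):
            return f"reject: no {call_class} route permission"
        window = self._recent[extension]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()          # forget calls outside the time period
        if len(window) >= MAX_OUTBOUND_CALLS:
            return "reject: outbound call limit reached"
        window.append(now)
        return "allow"
```

Rejected attempts are not counted against the cap, so a user who mistypes a number is not locked out, while a hijacked extension still cannot exceed the configured number of completed calls per period.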
Block Unauthorized Access with Firewall
Firewall rules are pre-configured rules that control and filter traffic sent to the PBX. You can create firewall rules on your PBX to filter specific source IP addresses/domains, ports and MAC addresses, and block dangerous (or suspicious) access that might contribute to fraud or call loss. For example, you can manually add a rule to block untrusted web access from a specific range of IP addresses (IP blacklisting), or define a few Accept Rules, or Whitelists, and drop all packets and connections from other hosts to protect system access.
To prevent massive connection attempts or brute force attacks, you can also utilize the built-in anti-hacking auto-detection mechanism (IP Auto Defense) of your PBX system, which helps you identify attackers from the rate of packets sent within a specific time interval and automatically block them.
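A sketch of how accept rules with a default drop and a packet-rate auto defense combine. This is an added example, not the logic of any particular PBX; the address ranges are documentation ranges, and the threshold and interval are assumed values.

```python
import ipaddress
from collections import Counter

# Constructed rule set; the first matching rule wins.
RULES = [
    ("drop",   ipaddress.ip_network("198.51.100.0/24")),  # blacklisted range
    ("accept", ipaddress.ip_network("192.0.2.0/24")),     # assumed office LAN
    ("accept", ipaddress.ip_network("203.0.113.10/32")),  # assumed SIP provider
]
DEFAULT_ACTION = "drop"   # hosts matching no accept rule are dropped
MAX_PACKETS = 5           # assumed auto-defense threshold per interval
INTERVAL_SECONDS = 1      # assumed counting interval


class Firewall:
    def __init__(self):
        self._counts = Counter()  # (source, interval index) -> packets seen
        self.blocked = set()      # sources blocked by auto defense

    def static_action(self, source):
        """Evaluate the blacklist/whitelist rules for one source address."""
        addr = ipaddress.ip_address(source)
        for action, network in RULES:
            if addr in network:
                return action
        return DEFAULT_ACTION

    def handle(self, source, timestamp):
        """Return the action for one packet from source at timestamp (seconds)."""
        if source in self.blocked:
            return "drop"
        if self.static_action(source) == "drop":
            return "drop"
        bucket = (source, int(timestamp // INTERVAL_SECONDS))
        self._counts[bucket] += 1
        if self._counts[bucket] > MAX_PACKETS:
            self.blocked.add(source)  # auto defense: block from now on
            return "drop"
        return "accept"
```

Even a whitelisted host is blocked once it exceeds the rate threshold, which is the case that matters when a trusted phone or PC on the LAN has been compromised.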
Make a Contingency Plan
Though anti-hacking measures can be taken to best protect your phone system, there is no absolute safety. If an attacker successfully infiltrates your PBX or forces it to fail, you should have a contingency plan. Here are 3 tips you can follow.
• Firstly, if your PBX has an Event Notification feature, make sure to set it up properly so that you are informed in time of important events on your PBX system (e.g. a change of the administrator password).
• Secondly, schedule automatic backups on your PBX. If your PBX stops working, you can reset it and restore the configuration from the backup file to ensure fast recovery.
• Thirdly, consider implementing a redundancy solution, which will help keep your business’s phone system running as usual even when it encounters an unexpected server failure.