Unified communications creates unique security issues as it brings together various technologies, including VoIP, video, chat and presence. While it provides productivity gains it also increases security risks. Securing a voice network is different than the process of securing a data network. This piece explains best practices for securing the modern PBX.
PBX Security Practices
Managing security for a small business offers unique challenges when compared to larger enterprises. While large businesses can often dedicate substantial resources toward securing their communications, those in the SMB space need security solutions that are both cost-effective and simple. This actually works in favor of the SMBs since security and simplicity can work hand-in-hand. Implementing an expensive and complex solution to secure your network can work against you. Complex equipment heightens the risk of configuration errors that can effect your call quality and potentially stop your PBX system from operating correctly.
Most data traffic is over TCP, so security in networking devices such as routers and firewalls are built around TCP data-centric transport. VoIP is UDP-based and is very time sensitive. Dropping a few packets while downloading an email attachment or browsing the web is no big deal – the packets are simply re-transmitted. However, voice streams are more sensitive to network issues. Dropping too many UPD packets in a voice stream can cause major call quality issues. As such, securing your unified communications requires a balanced approach. You must mitigate security threats but also maintain quality of service for the end-user.
Six Suggestions for establishing good PBX Security
Implement a quality current firewall that was designed to be “voice aware”.
Use VPN for remote users
Update your PBX software on a regular basis
Turn off any unused features and services (why have them on if you don’t use them?)
Use the built-in security features in your PBX.
Your PBX should unconditionally be sequestered behind your firewall. Crazy enough, many small, and even medium-sized businesses do not deploy a firewall. Or, they deploy a firewall, but then open ports to all networks to allow remote users. This is almost the same as having no firewall at all.
Although some PBXes like our Digium Switchvox, have built-in attack mitigation mechanisms, these should not be solely relied upon. Your firewall is designed to filter traffic, your PBX is not. Using each device for its intended purpose will keep your network the most secure.
Best practices are to block all unknown traffic into your network and then only allow traffic from trusted sources. In most cases, you should only allow internet traffic from your SIP trunk provider. Allow access only on the ports necessary and only to the IP or block of IPs that your SIP trunk provider uses.
Some firewalls have the SIP ALG (Application Level Gateway) feature. Although SIP ALG is described as a security feature for VoIP, there are many instances where it creates problems. ALG’s have a tendency to mangle SIP packets or change headers. The best practice is to do extensive testing prior to deployment to confirm that SIP ALG works as advertised in your environment.
Utilize a VPN for remote users
For remote users, the simplest option is to deploy a VPN device at both ends. Today, many small business routers and firewalls come with built-in VPN capability at affordable prices. The connected devices form an encrypted secure “tunnel” over the public internet, keeping all of your traffic safe.
VPN’s have the following features:
1. In addition to VoIP, remote users can also access the company’s data network.
2. The traffic is encrypted to maintain privacy.
3. NAT issues are eliminated or diminished.
Use Strong PBX Passwords
Using strong passwords is an extremely effective and simple security measure. Strong passwords should be used for every password required in your PBX, both users, and administrators. Phones also need to be protected with unique strong SIP passwords. Do not re-use passwords. If a hacker gets authenticated with a SIP account, they can make calls as though they were using that phone – including international calls that could result in huge phone bills.
If your PBX requires a user login, then you will want to require strong passwords for this application also.
Update Software Regularly
A standard security best practice is to keep your PBX, software up to date. As well as providing bug fixes, keeping your software updated helps improve security. As potential exploits are found, security patches are then released as software updates. The most recent version of software is typically the most secure. It’s a matter of staying one step ahead of the bad guys.
Whenever you update your PBX you will want to follow the best practices for updating. First, do a complete backup of your system. Perform the software update during a scheduled maintenance window, notifying end users of the expected PBX downtime. If you wish, this is something we can complete for you as a TeleDynamic customer.
Turn Off Unused PBX Services
Another standard security hardening practice is to shut off any unused features. This lessens the potential PBX attack points. Not only does this improve security, but this will also improve network and PBX performance as you will have less protocol traffic on the network, and your PBX will be less taxed.
Use built-in PBX security tools
The best way to secure your PBX is to use the proper security equipment. Such as VPNs, firewalls, and routers. However, don’t stop there. You should take advantage of any built-in PBX security tools to add yet another level of protection. For example, the Digium Switchvox has security tools such as Access Control Rules and automatic IP blocking. Access Control Rules only allow recognized devices to connect to the PBX. The block IP tool will block IP addresses that fail multiple registration attempts. In theory, a properly configured firewall should prevent hackers from being able to reach your PBX, but again, it’s best to have the extra layer of security.
Your PBX is another device on your data network. You need to set up security on this device as well as account for it in your overall security planning and implementation. It is impacted by your firewall, router, and VPN settings. If you are a TeleDynamic customer please contact us, and we’ll be glad to talk security!