The PBX today is just another IP based device sitting on the local network and connected to the rest of the world via a series of IP based connections. Yet PBX security is often overlooked, despite PBX hacking being a rather lucrative business – in effect, an easy way to illegally gain access to a corporate network. Last year telecoms regulator ComReg alerted businesses to an outbreak of cases in Europe, which had cost some organisations around €30,000 in calls.
There can be three parties involved in the IP enabled PBX deployment: the PBX resellers; the network maintainer/network manager; the SIP trunking provider.
If the PBX reseller doesn’t appreciate or understand the security requirements, and these are not requested of the network maintainer (who has no experience of VoIP security requirements), there is a risk of poor security being implemented.
When the PBX is hacked, or toll fraud occurs – who is at fault?
Is it the PBX reseller or the network maintainer?
Dealing with an experienced network provider who understands the end-to-end solution and its associated security requirements can prevent costly errors.
SIP Trunking and SIP Endpoints
In the case of SIP trunking, security must be applied to the edge firewall to restrict SIP traffic to and from the IP enabled PBX. Rules should be defined to permit SIP traffic from the source IP address(es) of the SIP trunking provider(s) to the PBX. All other SIP traffic to the PBX should be dropped.
IP addresses are constantly being scanned for open ports, so failure to restrict SIP traffic to the PBX from the Internet will inevitably result in the PBX being compromised. When bad practice occurs, the first a customer knows of this is when their SIP trunking provider contacts them to discuss their premium rate international calls, and asks them to pay a huge bill.
Many IP enabled PBXs now support mobile SIP clients, which need to connect to the PBX over the internet. As these clients don’t use fixed IP addresses, it’s no longer possible to restrict SIP traffic to the PBX to known source IP addresses. In this case more intelligence in the edge firewall is required. Deploying a SIP aware Intrusion Prevention System (IPS) is one solution. Another approach is to use either pre-defined, or more often customer defined, policies to look for suspicious or malicious traffic and to drop this traffic. Recommended policies include looking for failed authentication attempts, number of registrations per second, call setups per second and malformed SIP packets.
We have seen many DDoS attacks against IP enabled PBXs, with thousands of call setups or registration attempts per minute resulting in the PBX becoming unavailable. Without IPS in place it can be very challenging to prevent these attacks.
The other nuts and bolts
Remote management of the PBX is often enabled over the internet so that the PBX reseller can support the system off-site. It’s important to secure and limit access to the PBX from known source IP addresses.
Monitoring and reporting on SIP call usage can be used to get an early indication of something untoward. Monitoring registration attempts, failed calls and calls per second are all good indicators once a baseline is established. Many IP enabled PBXs support Simple Network Management Protocol (SNMP), and therefore thresholds and alerting for these indicators can be set.
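The indicators named above (failed authentication attempts, registrations per second, call setups per second and malformed SIP packets) can be checked per remote peer as in the following added example, which is not from the original article or any vendor's product. The event format, thresholds and finding names are assumptions for illustration, and the sample events are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events: (epoch second, remote peer IP, first line of the
# SIP message exchanged with that peer). Responses are those the PBX sent back.
# Addresses come from documentation ranges.
SAMPLE = (
    [(100, "198.51.100.7", "REGISTER sip:pbx.example.com SIP/2.0")] * 12
    + [(100, "198.51.100.7", "SIP/2.0 401 Unauthorized")] * 12
    + [(101, "203.0.113.9", "INVITE sip:0044@pbx.example.com SIP/2.0")] * 8
    + [(101, "192.0.2.20", "REGISTER sip:pbx.example.com SIP/2.0"),
       (102, "192.0.2.20", "SIP/2.0 200 OK"),
       (103, "192.0.2.44", "INVITE sip:100@pbx.example.com")]  # no SIP version
)

REQUEST = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")   # request line
STATUS = re.compile(r"^SIP/2\.0 (\d{3}) ")         # status line

LIMITS = {"REGISTER": 5, "INVITE": 5}  # per peer per second (assumed values)
MAX_AUTH_FAILURES = 10                 # per peer per batch (assumed value)

def evaluate(events):
    """Return {peer: [findings]} for peers that breach a policy."""
    per_second = Counter()
    auth_failures = Counter()
    findings = defaultdict(set)
    for second, peer, first_line in events:
        req, status = REQUEST.match(first_line), STATUS.match(first_line)
        if req:
            per_second[(peer, second, req.group(1))] += 1
        elif status:
            # One 401/407 is the normal digest challenge; only repeats count.
            if status.group(1) in ("401", "403", "407"):
                auth_failures[peer] += 1
        else:
            findings[peer].add("malformed-sip")
    for (peer, _second, method), count in per_second.items():
        if count > LIMITS.get(method, float("inf")):
            findings[peer].add(f"{method.lower()}-rate")
    for peer, count in auth_failures.items():
        if count > MAX_AUTH_FAILURES:
            findings[peer].add("auth-failures")
    return {peer: sorted(reasons) for peer, reasons in findings.items()}

if __name__ == "__main__":
    for peer, reasons in evaluate(SAMPLE).items():
        print(peer, reasons)
```

The thresholds should be set from the baseline measured on the PBX in question, not taken from this example.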
Internet security should be tested on a regular basis as well as when the system is installed and when changes/updates are made. Hackers use port scanning to identify and then attack open ports. With the correct security configurations, SIP ports should not be open. IPS should be tested to ensure that the policies work as expected and drop appropriate traffic.
At Node4, we fully support SIP and communications requirements and bring the necessary elements under one roof – managed by our expert in-house team and monitored 24/7 in one of our four state-of-the-art, fully secure data centres. For resellers and businesses looking to avoid the headaches involved in working with the multiple parties required to secure your IP network – we’re here to help!
Chris Pagel, Network Services Manager