Is your VoIP phone system secure? Due to recent attacks on prominent IT systems, we are aware that we should protect our servers, computers, laptops, smartphones and tablets. However, if not protected, VoIP phone systems may also be vulnerable to online attacks that could allow them to be ‘hacked’ and used by somebody else, at your expense!

Hackers use automated tools (bots) that cruise the Internet scanning for VoIP phone systems that react to queries on SIP communications port 5060. When they find an Internet address that responds, they will bombard that address with other tools designed to look like the valid registration of a VoIP phone extension. If an extension or SIP Trunk registration can be hacked, then it can be used to create a call route using the trunk lines of that phone system to connect calls to anywhere in the world. If your system gets hacked, it’s you that gets the phone bill!
This is how we secure your 3CX and Yeastar phone systems:

Firewalls

Foxhall Solutions install DrayTek routers to connect 3CX systems to SIP Trunk services provided by different ‘Telephony Internet Service Providers’ (TISPs). We create a firewall filter rule that blocks port 5060 enquiries from any Internet address other than our TISP partners (and valid extensions at remote home or branch offices). This helps make your phone system ‘invisible’ to those scanning bots and puts an effective barrier in place to stop most attacks. Without filtering, the hackers are still bashing at the door and trying to pick the lock; with the filtering in place, they just can’t find the door!

Passwords

3CX & Yeastar extensions are created with registration passwords and voicemail PINs that are, by default, randomly generated alphanumeric characters. Both can be manually replaced by longer and more complex passwords if necessary. This means any hacking tool must make a lot of registration attempts to get anywhere near a valid registration password, making it easy to block after e.g. 5 failed attempts.

International call-block

Part of a 3CX install is to determine which countries you need to call internationally. Those ISD country codes can be white-listed and allowed, while calls to any non-selected countries will be blocked.

Network address

We also determine which local and public network IP addresses calls will come from, and white-list those. For this reason, we recommend that remote extensions are on broadband services with static public IP addresses (or connect in via Virtual Private Networks). 3CX will automatically black-list and prevent access from public Internet IP addresses that meet the criteria set up in the Security module.

Anti-hacking

Anti-hacking timeouts are configured: we specify the number of failed authentication attempts allowed before the offending Internet address is locked out (and specify how long that lock-out is maintained). This module also includes protection against Denial of Service type attacks (excessive packets of data per second), and has timers to ensure lock-out after a minimal amount of fraudulent traffic is detected.
It’s also notable that our carrier partners do some basic traffic ‘quantity’ and ‘routing’ monitoring to detect unusual usage. It’s possible to have SIP Trunk channels blocked for outbound calls, based on detection of excessive or unusual usage.
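
The lock-out behaviour described above, as an added example (not 3CX, Yeastar or Foxhall code): it counts failed SIP registrations per source address, locks an address out after 5 failures, skips white-listed sources and releases the lock when it expires. The log format, the 60-second window, the one-hour lock-out and every address are constructed assumptions.

```python
import re
from collections import defaultdict, deque

MAX_FAILURES = 5         # the page's "e.g. 5 failed attempts"
WINDOW_SECONDS = 60      # assumed counting window
LOCKOUT_SECONDS = 3600   # assumed lock-out duration
ALLOW_LIST = {"203.0.113.10"}  # constructed address standing in for a SIP trunk provider

# Constructed log format, not real 3CX or Yeastar output:
#   <epoch seconds> REGISTER <extension> from <ip> OK|FAILED
LINE_RE = re.compile(r"^(\d+) REGISTER (\S+) from (\S+) (OK|FAILED)$")

def process(lines):
    """Return (time, ip, action) tuples, action being 'lock', 'drop' or 'unlock'."""
    failures = defaultdict(deque)  # ip -> times of recent failed registrations
    locked_until = {}              # ip -> time the lock-out expires
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                              # skip unparseable lines
        ts, ip, result = int(m.group(1)), m.group(3), m.group(4)
        if ip in ALLOW_LIST:
            continue                              # white-listed sources are never locked out
        if ip in locked_until:
            if ts < locked_until[ip]:
                events.append((ts, ip, "drop"))   # still locked: refuse the request
                continue
            del locked_until[ip]                  # lock-out has run its course
            events.append((ts, ip, "unlock"))
        if result != "FAILED":
            continue                              # a success does not clear earlier failures
        recent = failures[ip]
        recent.append(ts)
        while recent[0] <= ts - WINDOW_SECONDS:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            locked_until[ip] = ts + LOCKOUT_SECONDS
            recent.clear()
            events.append((ts, ip, "lock"))
    return events

SAMPLE_LOG = (  # constructed sample input, in time order
    [f"{1000 + i} REGISTER 101 from 198.51.100.7 FAILED" for i in range(5)]       # burst: locked at 1004
    + ["1010 REGISTER 102 from 198.51.100.7 FAILED"]                              # dropped while locked
    + [f"{2000 + 30 * i} REGISTER 103 from 192.0.2.55 FAILED" for i in range(6)]  # slow: never 5 in 60 s
    + [f"{3000 + i} REGISTER 200 from 203.0.113.10 FAILED" for i in range(6)]     # white-listed source
    + ["4700 REGISTER 101 from 198.51.100.7 FAILED"]                              # after expiry at 4604
)
```

The slow source at 192.0.2.55 is never locked out, which is why a per-address failure counter is paired with the firewall filtering and strong registration passwords described earlier.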

It’s also important to have a comprehensive error message library that can push e-mail alerts out to system administration and support. These messages will provide information if hacking attempts are made, and if calls to unauthorised numbers or countries are attempted from an extension.

In the past, we have seen ‘phantom calls’ arriving on remote extensions due to the phones themselves reacting to scanning on port 5060. Our phone-set partners, Yealink and Fanvil, have removed this problem with a feature that allows us to instruct the phone to react to SIP protocol from your phone server only. And, if you are really worried about calls to remote extensions (e.g. in another country) being intercepted and monitored, we can apply Secure SIP (TLS encryption) to and from those extensions.

As a final layer of protection, even though it is not exposed to web-browsing and e-mail, we also install an anti-malware product (e.g. Avast!) on your 3CX server.

Due to their nature, VoIP phone systems must have access to the Internet. However, there are a lot of security facilities that can be built into these systems by responsible software developers. When choosing a new phone system, or if you’re already using VoIP, you shouldn’t hesitate to ask your system supplier how your phone system is being protected so that you won’t experience outage – or even ‘outrage!’ – due to hackers attacking it and creating an eye-watering call bill! With 3CX & Yeastar, we have you covered …

Contact Foxhall Solutions – 01787 228 402 – to find out more about securing your telephone systems.