Cyber-attack — malicious users gaining unauthorized access to Internet-based systems — is not a new phenomenon. However, the rate that it is spreading, especially to the world of Internet Telephony (VoIP and SIP trunking), cannot be ignored. Check out this recent post which details some of the disturbing facts that face enterprises today.
What Can You Do to Avoid the Risk of Cyber-Attack on Your Phone System?
Xorcom’s CompletePBX™ maximum-security business telephony system can keep your communications network safe against all these types of cyber-attack. We believe that the best IP-PBX protection policy is the one in place from day one. As a result, CompletePBX comes preconfigured with multiple safeguards against abuse on four different levels:
- Camouflage – Our CompletePBX systems disguise themselves to avoid the attention of malicious users who know how to identify VoIP systems on the Internet.
- Vigilance – Our intrusion detection feature is constantly on the watch, recognizing potential threats and diverting them before they reach the PBX.
- Defense – If any unauthorized entity does manage to get to the PBX, our integrated session border controller software will block it before it can do any damage.
- Alert –Any attack in progress generates an immediate e-mail message directly to your system administrator.
CompletePBX Operates in Stealth Mode
Secure SIP Settings
By default, CompletePBX will reject unwanted SIP requests without disclosing the reason for rejection. This greatly hampers brute-force attackers from guessing the SIP username and passwords.
Intrusion Detection and Prevention
CompletePBX features built-in detection of unauthorized attempts to access the system based on permission parameters set up by the system administrator. A potential intrusion is defined as a user-defined number of unsuccessful attempts to access the system within a specific timeframe.
After a potential intruder has been detected, the intruder’s IP address will be blocked from further access to the system for the defined ban period, and an email alert will be sent to the administrator.
CompleteSBC™: Integrated Session Border Controller (SBC) Application
Carriers and customers alike will appreciate the ability of CompleteSBC, a software-based Session Border Controller (SBC) that effectively seals off the IP-PBX, to protect and defend the CompletePBX IP-PBX from misuse.
A sophisticated set of predefined yet customizable rules, supported by an intuitive GUI interface, enables easy configuration of its many features. CompleteSBC acts as a “SIP firewall” for access control.
A trial version of the CompleteSBC, supporting multiple calls with limited call duration, is integrated into every CompletePBX system. Purchasing an electronic license will activate additional channels, and remove the call duration limitation.
The point at which a system is opened up so it can be remotely administered is almost always the point of compromise in an intrusion. Our recommendation (and the system’s default configuration) is to lock down the system from the outside world, installing CompletePBX on a LAN protected by a firewall/NAT router. As an additional means of protection, CompletePBX features its own built-in firewall. The default rules in the built-in firewall can be modified to accommodate specific applications relevant to your business.
Initial Configuration Is Locked by Default
CompletePBX is preconfigured to use restrictive security policies. For example, in the default configuration CompletePBX does not accept SIP calls from endpoints not located on the LAN. Customers who want the PBX to be able to receive inbound calls from Internet sources must explicitly enable this behavior in the CompleteSBC/firewall configuration.
Password Strength Assessment
Setting strong passwords is imperative for SIP and IAX2 extensions, as well as for Direct Inward System Access (DISA) and call-back functions. In addition, defining passwords for all outbound routes used for international calls significantly deters intruders from making malicious calls. In CompletePBX, a special algorithm detects potentially problematic passwords and issues a warning to the administrator.
Secure Remote Access via Rapid Tunneling™
Allowing remote access to authorized users such as system administrators or technical support staff working offsite is a challenge met via Xorcom’s Rapid Tunneling feature. Secure Shell (SSH) tunneling is used to access the CompletePBX Web interface in a secure and controlled fashion.
Administrator Accounts for Employee Turnover Protection
CompletePBX features different levels of user-configurable administrator access; administrator accounts can have their access restricted to a specific extension range or a specific set of features in the PBX. By creating separate administrator accounts for all CompletePBX system administrators, staffing changes simply require user account removal to ensure they no longer have access.