PBX Adjunct Servers | Traditional PBX Systems

Most PBX systems have an adjunct server or two, providing voice messaging or call center functionality that isn’t part of the core PBX switching capabilities. The larger and more complex a network gets, the more demanding traffic becomes to the underlying hardware. Given the modularity of voice networks, we can offload some of this functionality to other hardware that can be set to handle a specific task, rather than attempt to do everything itself. Of course, this also complicates the overall security model, so make sure you know how this offloading impacts security.

Voice Messaging

It’s hard to remember that voicemail was once a completely optional capability for PBX systems, but it’s still implemented as a separate server by most vendors using analog, digital, or IP trunks to integrate with the PBX. Some settings on that voice messaging server can open the door to fraud and abuse, so be sure to follow manufacturer recommendations for security—especially when it comes to changing default administrator passwords! Are mailboxes using strong enough PINs? Are old mailboxes closed down? Make sure you can answer these questions.

Notes from the Underground…—Voice Messaging: Swiss Army Knife for Hackers?

Voice messaging is not without its share of security considerations, though. Many vendors ship voice mail systems with default passwords installed, which some users opt to never change. These passwords are often as simple as the number of the voice mailbox itself, or a simple string of numbers like 12345. Hackers love it when it’s this easy to get in. But that’s only the beginning when it comes to security attacks you may need to protect against within your voice messaging systems, Here are a few other scenarios:

• When attackers gain control over a compromised PBX system that supports DID and voice-mail, they might change the outbound greeting to something like “Hello? Yes, yes, that’s fine.” Or just “Yes (pause) yes (pause) yes…” They then call that number collect and the operator hears what appears to be someone more than willing to accept charges! Some PBX and voice-mail systems send a special tone when a line is forwarded to voice-mail that may discourage this tactic since a savvy operator would recognize the tone. Does your organization know what’s happening with old or unused mailboxes?
• Another security issue can arise when mobile phone providers offer voicemail to their subscribers, but don’t require a password to access messages when the voicemail server receives the subscriber ANI (indicating that subscriber is calling from the mobile phone associated with that extension). But by offering their users the “convenience” of quick access to their messages, these carriers may be opening the door to eavesdropping through ANI spoofing ] unless they have other means of verifying the origin of a given call.
• Eavesdropping on potentially confidential messages is certainly a threat, but an attacker may potentially hijack phone calls intended for a victim as well. This can be done by changing their outbound message greeting to say “Hi, this is Corey. Please call me at my new number at…” and leave a number that they control, performing a man-in-the-middle attack on the intended recipient.
• Another successful social engineering technique involves leaving messages within a voicemail system requesting passwords (for “testing” or “administrative purposes”) on another internal extension, lulling the victim into believing that the attacker is a legitimate employee at the target company.
• The latest voice-messaging systems can be used to read e-mail using text-to-speech. Attackers know that a PIN for the voice messaging system is easy to guess, and this may be the easiest way for them to get to an email system.
• And don’t forget toll fraud that can happen through out-dial capabilities on voicemail systems. Consider turning off this feature if it isn’t needed in your organization. Associated risks can also be mitigated through carefully crafted PBX dial policy.

Interactive Voice Response Servers

Perhaps you first can into an IVR when you noticed an incorrect charge on your phone bill, and you decide to speak with a customer service representative to clear things up. But when you dial the toll-free number on the bill, you’re greeted with a labyrinth of options allegedly to help you self-navigate to the appropriate agent. This maze of menus is brought to you through an Interactive Voice Response (IVR) system. An IVR is a series of recorded greetings and logic flows that provide a caller with a way to route through the phone system as a means of convenience. Personal feelings about speaking with a recorded voice aside, IVRs are actually a pretty clever way of providing a caller with speedy call placement, taking much of the burden away from agents or operators.

Today’s latest-generation IVR systems are built on VoiceXML interpreters, and may have sophisticated development environments. IVR security is a largely unexplored topic since each IVR system is like a unique application, but we occasionally hear about poorly written IVR applications that are insecure or not sufficiently robust.

PBX Features | Traditional PBX Systems

PBX systems provide a plethora of features typically offered by a telephone provider, such as call waiting, three-way calling, conference calling, voicemail, additional call appearances, and many other routing features. Some vendors count 600 or more separate features among their capabilities, far more than is offered by any carrier on a central office switch as subscriber services. But often overlooked in this list are those used for access control. The PBX is effectively the firewall to the PSTN and because voice access has per-minute and geographic costs associated with each call, this aspect of PBX capability should be a critical consideration for product selection, configuration, and ongoing operations. Yet at the same time, the data security community is rarely concerned with this characteristic because it’s not a ppure data security issue, yet even in a VoIP system there will be PSTN connectivity; why gamble with this?

Say a company has 200 employees, each with a phone on their desk. Without a PBX, each employee would require their own pair of copper wires from the CO, each with their own phone number that routes to their desk. However, it’s a safe bet that not all 200 employees will be on the phone all the time, and it’s likely that most of those calls will be to other employees. This is where a PBX really pays off. A business or campus will need many fewer lines from the Local Exchange Carrier (LEC); in the previous example, the company might require only 40 outside lines, routing those calls onto the PSTN trunk lines as necessary on a per call basis. They also could rent 200 Direct Inward Dial (DID) numbers from the LEC, which terminate though those trunk lines. The PBX will then route the inbound call based upon which DID number was dialed to reach it.

Tools & Traps…—Asterisk: The Open-Source PBXPBX servers were notoriously expensive to justify when an organization wasn’t ready for a major capital outlay, plus they tended to rely on closed or proprietary architecture, which made PBX systems more expensive than they might otherwise have been. Then along came Asterisk, from the mind of Mark Spencer. Asterisk is an open-source PBX software package that runs on many operating systems, including linux, BSD, Mac, and even Windows. Asterisk requires very little in the way of hardware, with old Pentium 100MHz boxes with 64MB of RAM still ample enough to power a small business. Aside from the relatively low hardware horsepower requirements, Asterisk doesn’t necessarily need any additional hardware, aside form what’s already in your computer, Utilizing the popular Session Initiation Protocol (SIP) and the Inter-Asterisk Exchange Protocol (IAX), two increasingly ubiquitous VoIP technologies, Asterisk can make and take calls completely over the Internet or operate with special hardware like PCI T1/E1 cards for PSTN connectivity. Users may purchase DIDs from the VoIP provider to dial in to their PBX from their normal phones, or they may dial in using a special software phone.

The appeal of a PBX system is obvious to not only businesses and campuses but also attackers, who have taken an increased interest in them as well, since most PBX systems can support trunk-to-trunk transfer (i.e., dial-out again from the PBX after coming in on another line). PBX security often is overlooked by enterprises until a big phone bill arrives, and oftentimes the hackers have no challenge at all when settings are never changed from the manufacturers default. Try a Google search for “default password” and a PBX vendor and you’ll see just how easy this information can be to obtain. It is important to note that because PBX vendors typically have provided detailed instructions on how to secure the PBX, the remaining security responsibility lies completely on the operator of the PBX system, and any toll charges that may be obtained by fraud are left to be paid by the PBX owner. Attackers who have compromised a PBX system may set up their own private conference room, a “party-line” where they may hang out and exchange illicit information on your dime.

Other features can be a double-edged sword as well. Many PBX systems also provide a call-monitoring feature for managers to supervise their agents (or to record calls). You know those recordings that go, “Your call may be monitored for quality assurance and training purposes”? Well, if you’re not careful, they might also be monitored for humorous or larcenous purposes. And it may not be just calls to your call center that get monitored; if your monitoring system wasn’t properly designed or an intruder gets access to PBX administration at a high enough level, any call can be monitored.

The bottom line when it comes to PBX features is that you need to read the associated security recommendations carefully. Some vendors have assembled detailed security guides for addressing toll fraud and feature access that are well over 100 pages, and you would be wise to find out what kind of documentation exists. And don’t forget to back up your PBX regularly so that you don’t lose the security policy you create! More critically, if a VoIP vendor does not have these kinds of capabilities, you would be wise to find out what can be done to reduce exposure to toll fraud. In some cases, the lack of feature-functionality in many VoIP solutions is a blessing because it reduces the opportunities for security-affecting misconfiguration. Yet at best this is a temporary benefit since VoIP solutions are becoming more sophisticated each and every year.

Notes from the Underground…—Toll Fraud

Attackers have discovered a myriad of ways to make all the long distance calls they want from your PBX system, leaving you with the hefty collect-call charges, Here are a few:

• Even with good security elsewhere, a caller can ask to transfer to extension to 9011 on a system where dialing 9 goes to an outside line and 011 is the international direct dial access code. Make sure your employees (particularly those that answer many external calls) know about this ruse and consider using your PBX’s trace feature to track down the source of such calls (you can even have the call transferred to your security department as part of the trace feature).
  
  
• Attackers can read the same manuals online that your systems administrators can, and the smart ones will figure out how to get around the obvious restrictions, For instance, if trunk access codes aren’t restricted, it really won’t matter how well you’ve locked out other dial restrictions. And just because you don’t use your local trunks for long distance doesn’t mean an attacker won’t.
  
  
• Adding support for IP softphones or WiFi phones to a PBX means that a softphone or wireless phone could be used by a remote attacker who can get onto your IP network (by wire or wireless) for toll fraud or other nefarious purposes, In this case, defense of your IP network overall is what will minimize exposure to the PBX, but it’s important that the PBX not weaken overall IP security (by allowing WEP-based security on wireless networks shared by voice and data, for instance).

PBX Trunks | Traditional PBX Systems

A trunk is a special kind of line that connects two telephone switches. If one of the two switches is the PBX, the other could be a local or long-distance switch for PSTN access, in which case we would call these local trunks or long-distance trunks, respectively (though it’s worth pointing out that even if you don’t have dedicated long-distance trunks you likely are able to get long distance services through local trunks). On the other hand, if the other end of the trunk is another privately owned PBX, we would call these private trunks or tie lines, even if they happen to be routed through the PSTN (since the telephone numbers they can reach can only be dialed from within the private network). There are also trunks that can act like both types through the use of Centrex or something called a Virtual Private Network (VPN—but it’s not the remote access VPN you may be familiar with from the data world— this VPN is created by a carrier to let you keep a private dial plan across many sites on the same trunks that you use for regular PSTN access).

Some say trunks are so named because in the old days, Ma Bell saw fit to use thick, lead-covered cables to connect the switches. These cables resembled an elephant’s trunk. Others claim the word’s origin is derived from the way the local loop network resembles the branches of a tree, with the trunks having similarity to…well, a tree trunk. Regardless, trunks are the main lines of the communications system, and the only case where a trunk is not connecting to a switch is when an adjunct server is involved (like a voice messaging server, an Automatic Call Distribution (ACD) server, an Interactive Voice Response (IVR) system, or similar system). In some cases, these servers may use station emulation instead of trunking, so you’ll need to verify what actually is being used.

Trunks can be analog, digital, or VoIP-based,just like station lines. Analog trunks can be as simple as a regular 2-wire POTS line to the local CO switch, or a 4-wire analog E&M trunk that provides improved signaling response (less glare). Channelized digital T1 trunks come in two main flavors. The first and oldest type of T1 can have 24 channels of 64 kilobit per second voice with robbed-bit signaling (signaling bits are stolen from the voice stream in a way that’s not noticeable to the ear). This type of T1 sends much less signaling data but cannot be used with 64 kbps switched data because of the robbed bits used for signaling, but can pass 56kbps switched data. ISDN T1 trunks have 23 channels of voice (bearer, or B channels) and a separate 64 kbps channel for signaling (the data, or D channel) that can support ISDN User Part (ISUP) messages, including Automatic Number Identification, which allows calling and called number information to be sent (although it can be spoofed. In Europe and internationally, the E1 is the typical digital interface, with an ISDN BRI carrying 30 bearer channels (30B+D) as opposed to the 23 channels supported by ISDN over T1 (23B+D).

VoIP trunks also come in various flavors, including H.323, SIP, and proprietary protocols like Inter-Asterisk eXchange (IAX). In some cases, IP-enabled PBX systems also use gateway control protocols with VoIP trunks, such as Simple Gateway Control Protocol (SGCP), H.248/Megaco/Media Gateway Control Protocol (MGCP), Skinny Gateway Control Protocol. One of the difficult problems with VoIP trunks, however, is feature transparency between vendors. ISUP/Q.931 or its private line equivalent (QSIG) has the most complete feature interworking capability, and standards for mapping these onto H.323 and SIP exist, but these are not evenly supported by PBX vendors at this point. Robust, reliable inter-working between different PBX vendors over VoIP is not easy to find today (and is still a challenge over private tie lines).

PBX Lines | Traditional PBX Systems

In telephony, a line (or station line) connects endpoint equipment (digital terminals, analog phones, fax machines, modems, or even an IP phone through an IP network) to the PBX (or central office) for switching. An analog line is the private equivalent of a local loop or loop transmission facility.

Note

A PBX is more likely than your phone company to support ground start phones and trunks on analog interfaces. Your phone at home seizes control of the line by using loop start, which involves shorting the two ends of the line together to activate the circuit. Ground start sends one of the leads to ground (typically ring) to seize the line, which is much less likely to cause glare (a condition that arises when both sides on a line or trunk simultaneously seize control of the line).

Typically, a PBX supports analog lines (and trunks) through a line card with 8, 12, 16, 24, or more lines per card, which are then wired to a patch panel for interconnection through a structured cabling system to the analog phone or device. Most of the security concerns around analog lines center on how well protected the equipment and cabling systems are from eavesdropping and tampering. Ground start loops will make theft of service less likely because a special phone is required, but otherwise the same basic rules for protecting a PSTN line from tampering apply.

Of course, line is also a generic term that may apply to power lines providing electricity to homes and businesses. But when we talk about an analog telephone line, we are talking specifically about the two wires involved: the tip (the first wire in a pair of phone wires, connected to the + side of the battery at the central office or PBX; it is named tip because it was the at the tip of an operator’s plug) and the ring (connected to the − side of the switch battery and named because it was connected to the slip ring around the jack). Any equipment that works with Plain Old Telephone Service (POTS) lines will work with a PBX analog line configured for loop start. From a PBX, an analog line will nearly always be 2-wire although 4-wire lines with Earth & Magnet (E&M, sometimes also called Ear and Mouth) interfaces are supported from the same card for analog trunks.

Tip

If you’ve ever taken a peek behind the phone jacks that litter the walls of your home, you are likely to see two (or three) pairs of wires, one Green/Red, the next Yellow /Black, then White/Blue, but for our purposes only the first pair is important. The Green wire, referred to as the Tip, is the positively charged terminal. The Red terminal, the Ring, is the neutral, which completes the circuit, enabling electrical signals to flow freely. Note that newer homes may use a more recent color scheme that is also used for Ethernet cabling. The first pair is White/Blue, then White/Orange, then White/Green and finally White/Brown. This scheme is what you’re most likely to see in structured cabling systems within buildings.

Analog PBX systems supported only analog lines, but with the introduction of digital switching, a new class of line was developed: the digital line. In most PBX systems, a proprietary format for digital line signaling (and media) was created that requires the use of digital phones manufactured by that vendor. Some vendors, however, also support Integrated Services Digital Network (ISDN) standard phones directly (or through the PSTN) via the ITU-standardized ISDN BRI. Most proprietary digital formats use a 2-wire system with 8wire plugs and jacks, although some are 4-wire systems. ISDN uses a 2-wire system from the CO switch, but is 8-wire to the interface used by a phone terminal, so the actual number of wires used will depend on several factors (such as whether the phone has a built-in NT-1 interface). Also, many proprietary switch features will not be supported on ISDN phones, particularly when the phone is manufactured by a different vendor. And even within a vendor product line, you may discover that newer features are supported only on newer phones or phone firmware. In any case, digital lines for proprietary digital terminals typically are supported by digital line cards with 8, 12, 16, 24, or more lines per card, and ISDN lines for ISDN phones are supported by either ISDN trunk cards or special ISDN BRI line cards, which may come in several flavors depending on the ISDN BRI type.

In the case of the modern hybrid PBX or IP-PBX, there is an equivalent concept for IP lines to IP phones, but unlike analog or digital lines the IP line isn’t necessarily tied down to a single electrical interface on the PBX. In fact, the PBX can use multiple Ethernet ports to support an IP line, and IP phones can fail over to multiple IP-enabled PBX systems. The first IP line support built into most PBX systems leveraged the H.323 suite of protocols or proprietary protocols like Cisco “skinny,” but almost all new development on PBX systems today uses Session Initiation Protocol (SIP). The bottom line is that the concept of an IP line exists in virtually every VoIP system out there, and understanding how the line concept is expressed in a specific VoIP system will give you an important handle with which to analyze its architecture and security.

This flexibility and versatility are a huge advantage to VoIP, but it does come at a price. Because the phones are now sharing infrastructure and bandwidth with other devices (and perhaps the entire data network), quality-of-service (QoS) guarantees for packet loss, latency (how long each packet takes to arrive from the phone to the PBX), and jitter (variability of latency across packets in a stream) now become the responsibility of the party providing the network infrastructure. Additional vectors for Denial-of-Service attacks on IP lines (either to the phone or the PBX) and Man-In-The-Middle (MITM) attacks must be considered. In my experience, the resulting loss of accountability from a single organization or vendor to multiple entities rarely is included in planning (or ROI calculations) for VoIP deployments.

Centrex

For companies that do not want to invest in their own communications infrastructure and get bogged down with management complexities, Centrex can provide a viable alternative to obtaining telephone services and advanced calling features. This service is intended as an alternative to buying a PBX—in fact, Centrex can be considered a remote PBX. Not only does Centrex free up a company’s scarce capital for other purchases, it puts responsibility for maintenance and management on the telephone company. Today’s Centrex services boast 100 percent feature parity with the most advanced digital PBXs currently available—including support for wireless communications and LANs.

The switches that implement Centrex services use computer-controlled time-division switching and have distributed architectures consisting of a host module and multiple microprocessor-controlled switching modules. These switches can directly interface with T-carrier systems to provide 24 digitized voice channels over twisted-pair wire at 1.544 Mbps. These capabilities enable Centrex offerings to include interfaces to the Digital Access and Cross-Connect System (DACS), thereby providing gateways to a variety of services over the public telephone network.

Centrex services offer a wealth of call processing and management features. Many Centrex offices routinely offer automatic route selection, local area networking, facilities management and control, message center services, and voice mail capabilities. In addition to basic rate Integrated Services Digital Network (ISDN), Centrex exchanges are in the process of being upgraded to provide primary rate ISDN service.

Centrex offers a variety of options to help communications managers monitor usage and control costs. Among these cost-management features is Station Message Detail Recording to Premises (SMDR-P), which transmits call records directly to the customer premises from the central office. SMDR-P arrangements provide virtually immediate access to call record data.

Centrex also provides on-line management features. With an on-premises terminal and an interactive software program, users can control the numbers, features, services, and billing codes assigned to each line within their systems. Not only can users review the status of their current Centrex configurations; they can also plan ahead to meet future communications demands by determining what changes need to be made and controlling the date of implementation. All such changes are input to a central management system on the carrier’s network; individual Centrex exchanges poll the system daily for any customer changes and automatically update the telephone company’s internal records.

Wireless communications is supported by some Centrex systems. The service enables employees in a building to send and receive telephone calls on low-power wireless telephones while moving around their offices. The system is based on a network of small, low-power transmission cells distributed strategically around the building and linked to a local exchange carrier by a central controller. This controller coordinates the handoff of calls from one cell to the next as the user moves about the workplace.

Despite the many advantages of subscribing to Centrex services, it does have its share of liabilities. In addition to being dependent on the local phone company for service and support, the contracts usually run from 5 to 10 years—the longer the commitment, the better the pricing. However, this can lock you, as a network manager, out of any new technologies that may come along and prevent your company from taking advantage of efficiencies and economies they may offer.

Operations | PBX Firewalls

Capacity planning for the voice network is demanding. For the data network, packet congestion slows but does not stop traffic. In contrast, when the voice trunks get full, the user gets a busy signal. There is little forgiveness when the voice network does not work perfectly. Hence, telecom managers—the ones who stay employed—become conservative, tending to maintain excess capacity. There is some justification for this wariness because of the exponential increase in blockage when capacity has been reached.

PBX reports can provide indications of trunking blockage (percent busy) for local and longdistance trunks; however, some effort is required to monitor the trunks and communications links. Typically, line commands such as "list all trunks busy" are used on an ad hoc basis if problems arise. Some telecom groups use both call accounting packages and manual methods to identify trends and capacity bottlenecks. Also, unusual patterns of usage may indicate toll fraud or hacking.

Although there is overlap between the reporting offered by traditional call accounting/line commands on the PBX, the firewall provides a more convenient source of real-time and summarized information. Some functions include:

• Real-time notification of availability. Line errors, 100 percent busy trunks, frame slippage, D channel problems, and other potential disruptive events can be sent to pagers or to a console.
  
  
• Monitoring of trunk spans over multiple locations. If the PBX firewalls are linked via a management system, the entire telecommunications enterprise can be viewed from a central console. Security rules can be administered centrally as well.
  
  
• History of usage. Usage of all trunks can be recorded over time and plotted. This is a convenient method of identifying excess capacity.

The real-time capability of the firewall also provides some unique security capabilities. For example, in organizations where security requirements are high, calls can be monitored in real time and suspect calls can be manually terminated. Obviously, all the legal issues must be addressed for such a practice to be implemented.