Monday

Limitations of PBX Control and Reporting

Virtually all large-scale PBXs come equipped with the capability to report and control traffic to some degree. This capability is needed for capacity planning, day-to-day operations, and security (toll fraud prevention). Some voice network controls over unauthorized use of modems can be established with existing capabilities:

  • Report origination and termination of calls. Using a call accounting package, calls can be summarized in various ways (by specific number, area code, country, etc.). Call details must be collected for this reporting to be available.
  • Set the class of service on selected analog lines to outbound only.
  • Block all calls to and from specific area codes (e.g., 900) or countries.
  • Identify calls of long duration, such as those more than three hours.
  • Identify calls under ten seconds, an indicator of possible war-dialing activity.
  • Consolidate all dial-up lines to use a centrally controlled modem bank or RAS server.
  • Enforce physical security (wiring closets, demarc, etc.).
  • Assign dial-up lines to numbers that are outside the range of normal business activity for the location. For example, if the published business voice numbers range from 281-345-1000 to 281-345-2999, then analog circuits might be in a range such as 281-654-2500 to 281-654-3500.
  • Disable banner information that provides a hacker with useful information.
  • Perform a self-audit using war-dialing software. Independent consultants and audit staff are best used for this effort.
  • Use dial-back systems, such as the CLI identification feature of a Shiva device.
  • Strengthen procedures for provisioning analog lines and charging for their use. Perform periodic inventories.
  • Use two-factor authentication systems where practical. Exhibit 1 shows Aladdin's eToken Pro smart card, which has on-board RSA 1024-bit key operations, enabling integration into public-key infrastructure (PKI) architectures.

EXHIBIT 1: Smart card for two-factor authentication. (Courtesy of Aladdin, Arlington Heights, IL.)

According to an Intel support Web site (http://support.intel.com/support/si/library/bi0706.htm), "If the Shiva device is configured for general CLI Authentication (AuthFor DialbackOnly=False), and the remote client's phone number is not in an authorized list of numbers, the call is rejected. As the call never gets answered, unauthorized users are never presented with a username and password prompt".
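The reporting controls above (summarizing calls by area code or country, flagging calls longer than three hours, flagging calls under ten seconds as a possible war-dialing indicator, and blocking destinations such as the 900 area code) can be applied to a call accounting export once call details are being collected. The script below is an added example, not code from the article or from any PBX vendor: the comma-separated CDR format, the sample call records, and the blocked-country policy are all constructed for illustration, and real call accounting exports differ by vendor. It goes one step beyond the single-call rule in the list by correlating short inbound calls per calling number, since one source sweeping many distinct extensions with sub-ten-second calls is a stronger signal than any single short call.

```python
"""Detection rules over PBX call detail records (CDRs).

Added example, not from the original article. The CDR layout is a
constructed, simplified one: start time, direction relative to the PBX,
calling number, called number, duration in seconds.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample CDR export; one call per line. The 281-654-25xx range is
# the dial-up range from the article's example; the 512 caller sweeps it.
SAMPLE_CDR = """\
2001-03-12T08:15:02,OUT,281-345-1412,713-555-0100,184
2001-03-12T08:16:40,OUT,281-345-1412,900-555-0199,61
2001-03-12T09:02:11,IN,512-555-0123,281-654-2507,5
2001-03-12T09:02:19,IN,512-555-0123,281-654-2508,4
2001-03-12T09:02:27,IN,512-555-0123,281-654-2509,6
2001-03-12T09:02:35,IN,512-555-0123,281-654-2510,3
2001-03-12T09:02:43,IN,512-555-0123,281-654-2511,5
2001-03-12T10:00:00,OUT,281-345-2001,281-654-2600,12000
2001-03-12T11:30:00,OUT,281-345-2002,011-44-20-7946-0000,120
"""

# Thresholds taken from the article's list; the blocked sets are a constructed policy.
LONG_CALL_SECONDS = 3 * 3600
SHORT_CALL_SECONDS = 10
BLOCKED_AREA_CODES = {"900"}
BLOCKED_COUNTRY_CODES = {"44"}
WAR_DIAL_MIN_TARGETS = 5


@dataclass(frozen=True)
class CallRecord:
    start: datetime
    direction: str   # "IN" or "OUT" relative to the PBX
    calling: str
    called: str
    duration_s: int


def parse_cdr(text: str) -> list[CallRecord]:
    """Parse the constructed CDR format, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, direction, calling, called, dur = line.split(",")
        records.append(CallRecord(datetime.fromisoformat(ts), direction, calling, called, int(dur)))
    return records


def is_international(number: str) -> bool:
    """Constructed convention: international calls are dialed with the 011 prefix."""
    return number.startswith("011-")


def area_code(number: str) -> str:
    return number.split("-")[0]


def country_code(number: str) -> str:
    return number.split("-")[1]


def find_long_calls(records: list[CallRecord], max_seconds: int = LONG_CALL_SECONDS) -> list[CallRecord]:
    """Calls of long duration (more than three hours by default)."""
    return [r for r in records if r.duration_s > max_seconds]


def find_short_calls(records: list[CallRecord], max_seconds: int = SHORT_CALL_SECONDS) -> list[CallRecord]:
    """Calls under ten seconds by default: each one is a weak war-dialing indicator."""
    return [r for r in records if r.duration_s < max_seconds]


def find_blocked_destinations(records, blocked_area_codes=BLOCKED_AREA_CODES,
                              blocked_country_codes=BLOCKED_COUNTRY_CODES) -> list[CallRecord]:
    """Outbound calls that reached a destination the class-of-service should have blocked."""
    hits = []
    for r in records:
        if r.direction != "OUT":
            continue
        if is_international(r.called):
            if country_code(r.called) in blocked_country_codes:
                hits.append(r)
        elif area_code(r.called) in blocked_area_codes:
            hits.append(r)
    return hits


def find_war_dialing_sources(records, min_targets: int = WAR_DIAL_MIN_TARGETS,
                             max_seconds: int = SHORT_CALL_SECONDS) -> dict[str, list[str]]:
    """Correlate short inbound calls by calling number and report sources that
    hit at least min_targets distinct extensions."""
    by_source: dict[str, set[str]] = defaultdict(set)
    for r in find_short_calls(records, max_seconds):
        if r.direction == "IN":
            by_source[r.calling].add(r.called)
    return {src: sorted(dst) for src, dst in by_source.items() if len(dst) >= min_targets}


def summarize_outbound_by_destination(records) -> dict[str, int]:
    """Call-accounting style summary: outbound call count per area code or country."""
    counts: dict[str, int] = defaultdict(int)
    for r in records:
        if r.direction == "OUT":
            key = "INTL-" + country_code(r.called) if is_international(r.called) else area_code(r.called)
            counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    print("outbound by destination:", summarize_outbound_by_destination(recs))
    print("long calls:", [(r.calling, r.called, r.duration_s) for r in find_long_calls(recs)])
    print("blocked destinations:", [(r.calling, r.called) for r in find_blocked_destinations(recs)])
    print("possible war-dialing sources:", find_war_dialing_sources(recs))
```

Run as-is and the sample data yields one long call, two calls to blocked destinations, and one calling number flagged as a possible war-dialing source. In practice the thresholds belong in a configuration file, and the per-source correlation should be run over a time window so that a legitimate caller who redials a busy extension over a week is not confused with a sweep that completes in minutes.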
