PBX systems provide a plethora of features typically offered by a telephone provider, such as call waiting, three-way calling, conference calling, voicemail, additional call appearances, and many other routing features. Some vendors count 600 or more separate features among their capabilities, far more than any carrier offers as subscriber services on a central office switch. But often overlooked in this list are the features used for access control. The PBX is effectively the firewall to the PSTN, and because voice access carries per-minute and geographic costs with each call, this aspect of PBX capability should be a critical consideration for product selection, configuration, and ongoing operations. At the same time, the data security community is rarely concerned with this characteristic because it is not a pure data security issue; yet even a VoIP system will have PSTN connectivity, so why gamble with this?
Say a company has 200 employees, each with a phone on their desk. Without a PBX, each employee would require their own pair of copper wires from the CO, each with their own phone number that routes to their desk. However, it’s a safe bet that not all 200 employees will be on the phone all the time, and it’s likely that most of those calls will be to other employees. This is where a PBX really pays off. A business or campus will need many fewer lines from the Local Exchange Carrier (LEC); in the previous example, the company might require only 40 outside lines, routing calls onto the PSTN trunk lines as necessary on a per-call basis. They could also rent 200 Direct Inward Dial (DID) numbers from the LEC, which terminate through those trunk lines. The PBX then routes each inbound call based upon which DID number was dialed to reach it.
The appeal of a PBX system is obvious not only to businesses and campuses but also to attackers, who have taken an increased interest in them as well, since most PBX systems can support trunk-to-trunk transfer (i.e., dialing out again from the PBX after coming in on another line). PBX security is often overlooked by enterprises until a big phone bill arrives, and oftentimes the hackers face no challenge at all when settings are never changed from the manufacturer’s defaults. Try a Google search for “default password” and a PBX vendor and you’ll see just how easy this information can be to obtain. It is important to note that because PBX vendors typically provide detailed instructions on how to secure the PBX, the remaining security responsibility lies completely with the operator of the PBX system, and any toll charges incurred through fraud are left to be paid by the PBX owner. Attackers who have compromised a PBX system may set up their own private conference room, a “party line” where they can hang out and exchange illicit information on your dime.
Other features can be a double-edged sword as well. Many PBX systems also provide a call-monitoring feature for managers to supervise their agents (or to record calls). You know those recordings that go, “Your call may be monitored for quality assurance and training purposes”? Well, if you’re not careful, they might also be monitored for humorous or larcenous purposes. And it may not be just calls to your call center that get monitored; if your monitoring system wasn’t properly designed or an intruder gets access to PBX administration at a high enough level, any call can be monitored.
The bottom line when it comes to PBX features is that you need to read the associated security recommendations carefully. Some vendors have assembled detailed security guides for addressing toll fraud and feature access that are well over 100 pages, and you would be wise to find out what kind of documentation exists. And don’t forget to back up your PBX regularly so that you don’t lose the security policy you create! More critically, if a VoIP vendor does not have these kinds of capabilities, you would be wise to find out what can be done to reduce exposure to toll fraud. In some cases, the lack of feature-functionality in many VoIP solutions is a blessing because it reduces the opportunities for security-affecting misconfiguration. Yet at best this is a temporary benefit since VoIP solutions are becoming more sophisticated each and every year.
Notes from the Underground…—Toll Fraud
Attackers have discovered a myriad of ways to make all the long distance calls they want from your PBX system, leaving you with the hefty collect-call charges. Here are a few:
- Even with good security elsewhere, a caller can ask to be transferred to extension 9011 on a system where dialing 9 goes to an outside line and 011 is the international direct dial access code. Make sure your employees (particularly those that answer many external calls) know about this ruse, and consider using your PBX’s trace feature to track down the source of such calls (you can even have the call transferred to your security department as part of the trace feature).
- Attackers can read the same manuals online that your systems administrators can, and the smart ones will figure out how to get around the obvious restrictions. For instance, if trunk access codes aren’t restricted, it really won’t matter how well you’ve locked down other dial restrictions. And just because you don’t use your local trunks for long distance doesn’t mean an attacker won’t.
- Adding support for IP softphones or WiFi phones to a PBX means that a softphone or wireless phone could be used by a remote attacker who can get onto your IP network (by wire or wireless) for toll fraud or other nefarious purposes. In this case, defense of your IP network overall is what will minimize exposure to the PBX, but it’s important that the PBX not weaken overall IP security (by allowing WEP-based security on wireless networks shared by voice and data, for instance).
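The three patterns above (the 9011 transfer ruse, trunk-to-trunk dial-out, and off-hours international calling) all leave traces in the PBX’s call detail records, so a small CDR review job is the cheapest detective control an operator can add before the big phone bill arrives. The following is an added example, not code from the original text or from any PBX vendor. It assumes a CSV CDR export with the fields timestamp, caller, dialed, trunk_in, trunk_out and kind (all assumed field names), that 9 is the outside-line access code and 011 the international prefix as in the ruse described above, and uses constructed sample records rather than real traffic.

```python
"""Toll-fraud heuristics over PBX call detail records (CDRs).

Added example; not the original post's or any vendor's code. The CSV layout,
field names, access codes, business-hours window and threshold below are all
assumptions chosen for illustration.
"""
import csv
import io
from collections import Counter
from datetime import datetime

OUTSIDE_LINE_CODE = "9"        # "dial 9 for an outside line" (assumed convention)
INTL_PREFIX = "011"            # international direct-dial prefix, as in the 9011 ruse
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local; outside this is flagged (assumption)
TRANSFER_THRESHOLD = 3         # trunk-to-trunk transfers per source per day before alerting

# Constructed sample CDRs for the example; not real call records.
SAMPLE_CDRS = """\
timestamp,caller,dialed,trunk_in,trunk_out,kind
2024-03-04 09:12:00,2214,2231,,,internal
2024-03-04 09:15:31,2214,95551234567,,T01,outbound
2024-03-04 10:02:10,+15550001111,9011442071234567,T02,T03,transfer
2024-03-04 10:04:45,+15550001111,9011442071234568,T02,T03,transfer
2024-03-04 10:06:12,+15550001111,9011442071234569,T02,T03,transfer
2024-03-05 02:41:07,2240,901133123456789,,T01,outbound
2024-03-04 11:00:00,2250,2251,,,internal
"""


def parse_cdrs(text):
    """Parse CSV CDR text into dicts, converting the timestamp to a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def is_international(dialed):
    """True when the dialed digits reach an outside line and then the intl prefix."""
    return dialed.startswith(OUTSIDE_LINE_CODE + INTL_PREFIX)


def is_trunk_to_trunk(row):
    """A transfer that arrived on one trunk and left on another (dial-out after dial-in)."""
    return row["kind"] == "transfer" and bool(row["trunk_in"]) and bool(row["trunk_out"])


def find_suspicious(rows):
    """Return a list of (reason, detail) findings from the rules below."""
    findings = []
    per_source_day = Counter()
    for row in rows:
        detail = f"{row['timestamp']} {row['caller']} -> {row['dialed']}"
        # Rule 1: any trunk-to-trunk transfer is worth a look on a PBX that never needs it.
        if is_trunk_to_trunk(row):
            findings.append(("trunk-to-trunk transfer", detail))
            per_source_day[(row["caller"], row["timestamp"].date())] += 1
        # Rule 2: the 9011 ruse: a transfer whose "extension" is really an international number.
        if row["kind"] == "transfer" and is_international(row["dialed"]):
            findings.append(("transfer to international number", detail))
        # Rule 3: international outbound calls placed when nobody should be at a desk.
        if (row["kind"] == "outbound" and is_international(row["dialed"])
                and row["timestamp"].hour not in BUSINESS_HOURS):
            findings.append(("after-hours international call", detail))
    # Rule 4: the same external source repeatedly bouncing back out through the PBX.
    for (caller, day), n in per_source_day.items():
        if n >= TRANSFER_THRESHOLD:
            findings.append(("repeated trunk-to-trunk transfers from one source",
                             f"{caller} made {n} on {day}"))
    return findings


def summarize(findings):
    """Count findings by reason, for a quick daily report."""
    return Counter(reason for reason, _ in findings)


if __name__ == "__main__":
    results = find_suspicious(parse_cdrs(SAMPLE_CDRS))
    for reason, detail in results:
        print(f"{reason}: {detail}")
    print(dict(summarize(results)))
```

Run against a real export, the rules that matter most are the ones tied to features your site never legitimately uses; if trunk-to-trunk transfer is disabled in the PBX, any hit on Rule 1 means the configuration has drifted, which is exactly the kind of thing a regular backup and a diff against it would also catch.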
1 comment:
Today many companies have multiple office locations in their surroundings or around the world. So, companies install their own PBX systems and employees do intra- and inter-office calls through these PBX extensions.