Network Computing, powered by InformationWeek Business Technology Network



Security Workshop
Hold the IP Phone

  July 22, 2002
  By Darrin Woods



Protecting a PBX used to mean locking it in a closet and controlling access to the keys and any attached modems. If you were really security-conscious, you might go so far as to make sure incoming lines couldn't be tapped short of using shovels and jackhammers. But times have changed: While concerns over physical security and toll bypass are still relevant, a whole new set of issues comes into play when your PBX is part of and accessible through your IP network.

Don't Be the Weakest Link

The relationship between the network people and the telecom group can be rocky enough without having your PBX be the route a cracker takes to get to the main corporate network. In some cases, the very reason you bought your IP PBX--to have a full feature set--can turn around and bite you. Turn off unneeded services, such as forwarding, call distribution and override, and grant administrative access carefully, with an eye toward physical security of maintenance and attendant consoles. The PBX should not let traffic pass through it. Many IP PBXs ship with two NICs; make sure traffic cannot travel from one NIC to the other. In addition, if your vendor performs updates and maintenance of your PBX remotely, closely watch external access control.


Many fundamentals of securing your IP PBX parallel the basics common to safeguarding your data networks:

• Password-protect everything. A password should be required for users to access their phones every morning, regardless of whether those phones are physical devices on desks or a software package on computers. Open access to an account could allow tampering with the user database. Some vendors, such as AltiGen Communications and Siemens, are looking to help here. AltiGen's IP PBX systems won't let common strings, like 123456, be used, and they don't accept extension numbers as part of passwords. With its HiPath line, Siemens goes a step beyond passwords for authentication, enabling the use of biometrics and smartcards (see w4.siemens.de/networks/hipath/index.htm). While biometric devices aren't invulnerable to attack, the technology is improving, whereas a password will always be a password.


Tough Love
Users should be forced to change their passwords often, and your IP PBX should be configured to deny access to a mailbox after a certain number of incorrect tries.

• Make sure users log off when they leave. Getting employees to comply is tough, but they must log off their desktop IP phones. For software-based IP phones, that's as simple as making sure computers are turned off every night. Remind users that if they don't log off and a member of the cleaning crew decides to make a long-distance call to South America, that call will be billed to the employee's departmental account. If, despite your best efforts, your users forget to log off their phones, outgoing call blocks can be set up from the PBX during evening hours or on weekends. Most vendors don't build systems to automatically log users out because, beyond being seen as a nuisance by workers, in case of an emergency you want employees to have easy access to outside assistance.

• Guard against DoS attacks. The denial-of-service attacks that have hit corporate data networks over the past few years can also affect your IP PBX. The first line of defense should be your corporate firewall, but you should also stay on top of vendor patches for the IP PBX's underlying OS.

• Virus protection is not just for the desktop. Any IP PBX that runs an off-the-shelf OS, such as Microsoft Windows NT and 2000, should be loaded with the virus protection software of your choice. Although some PBX vendors, such as AltiGen, ship complete turnkey systems, they often leave virus protection software to the users' discretion.
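
As an added example (not from the article and not any vendor's code), the password rules in the first bullet and the lockout in the "Tough Love" sidebar can be expressed in Python. The common-string list, the three-try threshold, the six-character minimum and every name below are assumptions chosen for illustration.

```python
import hmac

# Assumed values: the article names only "123456" and "a certain number" of tries.
COMMON_PINS = {"123456", "000000", "111111", "654321", "password"}
MAX_FAILURES = 3

def is_sequence(pin):
    """True for all-digit ascending or descending runs such as 234567 or 987654."""
    if not pin.isdigit() or len(pin) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

def check_pin(pin, extension, min_len=6):
    """Return the list of policy violations; an empty list means the PIN is accepted."""
    problems = []
    if len(pin) < min_len:
        problems.append("too short")
    if pin.lower() in COMMON_PINS or is_sequence(pin):
        problems.append("common string")
    if len(set(pin)) == 1:
        problems.append("single repeated character")
    # Reject the user's extension, forwards or reversed, anywhere in the PIN.
    if extension and (extension in pin or extension[::-1] in pin):
        problems.append("contains extension")
    return problems

class MailboxLockout:
    """Count consecutive failed logins per extension and lock at max_failures."""
    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = {}

    def is_locked(self, extension):
        return self.failures.get(extension, 0) >= self.max_failures

    def attempt(self, extension, supplied, stored):
        if self.is_locked(extension):
            return "locked"  # even a correct PIN is refused until an admin resets
        # Plaintext compare keeps this short; a real system compares salted hashes.
        if hmac.compare_digest(supplied, stored):
            self.failures[extension] = 0
            return "ok"
        self.failures[extension] = self.failures.get(extension, 0) + 1
        return "locked" if self.is_locked(extension) else "denied"

    def admin_reset(self, extension):
        self.failures.pop(extension, None)
```

Refusing a correct PIN once the mailbox is locked is what stops a guessing run from succeeding on a later try; the trade-off is that an administrator has to reset the counter.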


Copyright © 2009 United Business Media LLC