7 Best Practices for Securing VoIP PBX Phone System

VoIP PBX systems offer a number of business benefits including cost reduction, system flexibility and advanced features that can support your business as it grows. But they aren’t without risk. VoIP hacking and attacks can come from the internet or telephone lines, trying to exploit any number of different vulnerabilities, and eventually expose your organizations to toll fraud, theft of confidential information, and loss of revenue. PBX and VoIP security are without doubts under the core concern.

So how can you secure VoIP network and protect your business-crucial VoIP phone system from potential net threats and internal malfeasance? Here are some basic practices that you can perform.

PBX and VoIP Security Checklist

1. Use Strong Passwords

A weak password can leave a potential security gap which hackers can easily exploit. To that end, strong passwords should be used for every password required in your PBX. In general, a typical system will have passwords for: extension registrations, administration web interface, user web interfaces, and voicemails. It’s recommended that strong passwords of at least 8 characters, including a mix of the upper and lower case along with digits, be applied to wherever possible, and be changed periodically every 2-3 months at most.

2. Keep Your PBX Updated

A regular review and updating of your PBX firmware/software should be kept at the first line of your PBX security checklist. Typically, the most recent version is often the most secure with bugs and other potential vulnerabilities being found and fixed. In addition, certain critical security features or layers of protection are sometimes only supported by the latest version with technology evolving over time.

3. Separate Voice and Data Traffic

Separating voice and data traffic is commonly recognized as an effective method to counter VoIP security risks. For some VoIP ISPs, they provide dedicated SIP trunks that support NGN ports (Next Generation Network), which can separate data networks, voice networks and video networks or any combination of the three to form a converged network. But in case you lack the access of it, setting up VLAN (Virtual Local Networks) on your PBX system can be an alternative.

The voice traffic and data traffic can be logically separated by a VLAN switch. If one VLAN is penetrated, the other will remain secure. Also, limiting the rate of traffic to IP telephony, VLANs can slow down an outside attack.

4. Avoid Port Forwarding

In an attempt to offer remote access for mobile workers, some on-premises IP-PBX vendors will recommend doing port forwarding. But this is not a good idea at all. Port forwarding/port mapping risks potential attacks by opening a hole in your firewall. To do instead, deploying a VPN device at both ends or utilizing a secure cloud service can be a smart choice. The connected devices from both ends can form an encrypted secure “tunnel” over the public internet, keeping all of your traffic safe.

5. Secure the Trunks on PBX

One of the most noticeable purposes of PBX hacking is to kidnap the POTS lines or SIP trunks for expensive international calls. To prevent this, the easiest VoIP security practice is to restrict the use of outbound call from each vulnerable end-point and disallow anonymous incoming calls. This can be performed in the following 3 ways.

• Set up outbound route permission: your employees perform different tasks in your company, and not all of them need to make long-distance or international calls. Considering setting different outbound routes for different trunks: local, long-distance and international, and assign outbound route permission only to the users that require the use of it. Limited access would bring a securer system.
• Disallow anonymous incoming calls: the unknown calls may be charged to the bill of your trunks. Attackers can dial into a PBX system with anonymous numbers, then use the functionality of the PBX to generate an outbound call, and incur call charge. To prevent such attack in the first place, you can choose to disallow anonymous incoming calls through advanced SIP setting options of your PBX phone system.
• Configure outbound restriction: if your PBX allows you to limit how many times a user can make outbound calls during a certain time period, remember to configure the settings. This will help minimize the losses caused by toll fraud if there is any.

6. Block Unauthorized Access with Firewall

Firewall rules are pre-configured rules to control and filter traffic that is sent to the PBX. You can create firewall rules on your PBX to filter specific source IP address/domain, ports, MAC address, and block dangerous (or suspicious) access that might contribute to attack fraud or calls loss. For example, you can manually add a rule to block untrusted web access with a specific range of IP addresses (IP Blocklisting), or define a few Accept Rules, or Allowlists, and drop all the packets and connections from other hosts to ensure system access.

To prevent massive connection attempts or brute force attacks, you can also utilize the incorporated anti-hacking auto-detection mechanisms (IP Auto Defense) of your PBX system. It can help you identify attackers per second, based on the packets sent within a specific time interval, and automatically block them.

7. Make Contingency Plan

Though anti-hacking measures can be taken to best protected your phone system, there is no absolute safety. If an attacker successfully infiltrated your PBX or forced your PBX to fail, you should have a contingency plan. Here are 3 tips you can perform.

• Firstly, if your PBX has Event Notification feature, make sure to set it up properly to get informed of important happenings on your PBX system (i.e. the change of administrator password) just in time.
• Secondly, schedule auto backup on your PBX. If your PBX cannot work, you can reset it and restore configurations from the backup file to ensure a fast recovery.
• Thirdly, consider implementing a redundancy solution, which will help to keep your business’s phone system running as usual even when encountered with unexpected server failure.

Yeastar PBX: Revamped Security to Safeguard Your Phone System

Yeastar P-Series PBX System, S-Series VoIP PBX and Cloud PBX have strong built-in anti-hacking mechanisms and are kept revamped with new firmware releases. The robust incorporated firewall and IP Auto Defense system can block untrusted network access. Also, the advanced PBX setting options, for instance, SRTP, outbound call restriction, and event notification, provide ways to double layer your system and VoIP security.

Important: to upgrade your PBX security to next level, we recommend that you update your PBX firmware to the latest version where some system-critical potential vulnerabilities are found and fixed. You can download the latest firmware here or check for the update on your PBX web interface.

For more specific operations on how to secure your Yeastar PBX, please refer to our PBX security guide for P-Series PBX System here, S-Series VoIP PBX here, or for Yeastar Cloud PBX here.