Yeastar Blog | How to Secure Your VoIP PBX System

VoIP PBX systems offer a number of business benefits including cost reduction, system flexibility and advanced features that can support your business as it grows. But they aren’t without risk. Hacking and attacks can come from the internet or telephone lines, trying to exploit any number of different vulnerabilities, and eventually expose your organizations to toll fraud, theft of confidential information, and loss of revenue.

So how can you minimize the risks and protect your business-crucial VoIP PBX system from potential net threats and internal malfeasance? Here are some basic practices that you can perform.

Use Strong Passwords

A weak password can leave a potential security gap which hackers can easily exploit. To that end, strong passwords should be used for every password required in your PBX. In general, a typical system will have passwords for: extension registrations, administration web interface, user web interfaces and voicemails. It’s recommended that strong passwords of at least 8 characters, including a mix of upper and lower case along with digits, be applied to wherever possible, and be changed periodically every 2-3 months at most.

Keep Your PBX Updated

A regular review and updating of your PBX firmware/software is a standard security practice to keep your phone system safe. Typically, the most recent version is often the most secure with bugs and other potential vulnerabilities are found and fixed. And sometimes some critical security features or layers of protection are only supported by the latest version with technology evolving over time.

Separate Voice and Data Traffic

Separating voice and data traffic is commonly recognized as an effective method to counter VoIP security risks. For some VoIP ISPs, they provide dedicated SIP trunks that support NGN ports (Next Generation Network), which can separate data, voice and video networks or any combination of the three to form a converged network. But in case you lack the access of it, setting up VLAN (Virtual Local Networks) on the PBX can be an alternative. The voice traffic and data traffic can be logically separated by a VLAN switch. If one VLAN is penetrated, the other will remain secured. Also, limiting the rate of traffic to IP telephony VLANs can slow down an outside attack.

Avoid Port Forwarding

In an attempt to offer remote access for mobile workers, some on-premises IP-PBX vendors will recommend to do port forwarding. But this is not a good idea at all, as it risks potential attacks by opening a hole in your firewall. To do instead, deploying a VPN device at both ends can be a smart choice. The connected devices from both ends can form an encrypted secure “tunnel” over the public internet, keeping all of your traffic safe.

Secure the Trunks on PBX

One of the most noticeable purposes of PBX hacking is to kidnap the POTS lines or SIP trunks for expensive international calls. To prevent this, the most basic precautionary practice you can do is to restrict the use of outbound call from each vulnerable end-point and disallow anonymous incoming calls, which can be performed in the following 3 ways.

  • Set up outbound route permission: your employees perform different tasks in your company, and not all of them need to make long-distance or international calls. Considering setting different outbound routes for different trunks: local, long-distance and international, and assign outbound route permission only to the users that require the use of it. A limited access would bring a securer system.
  • Disallow anonymous incoming calls: the unknown calls may be charged to the bill of your trunks. Attackers can dial into a PBX system with anonymous numbers, then use the functionality of the PBX to generate an outbound call, and incur call charge. To prevent such attack in the first place, you can choose to disallow anonymous incoming calls through advanced SIP setting options of your PBX.
  • Configure outbound restriction: if your PBX allows you to limit how many times a user can make outbound calls during a certain time period, remember to configure the settings. This will help minimize the losses caused by toll fraud if there is any.

Block Unauthorized Access with Firewall

Firewall rules are pre-configured rules to control and filter traffic that are sent to the PBX. You can create firewall rules on your PBX to filter specific source IP address/domain, ports, MAC address, and block dangerous (or suspicious) access that might contribute to attack fraud or calls loss. For example, you can manually add a rule to block untrusted web access with a specific range of IP addresses (IP blacklisting), or define a few Accept Rules, or Whitelists, and drop all the packets and connections from other hosts to ensure system access.

To prevent massive connection attempts or brute force attacks, you can also utilize the incorporated anti-hacking auto-detection mechanisms (IP Auto Defense) of your PBX system, which helps you to identify attackers per second based on the packets sent within a specific time interval and automatically block them.

Make Contingency Plan

Though anti-hacking measures can be taken to best protected your phone system, there is no absolute safety. If an attacker successfully infiltrated your PBX or forced your PBX to fail, you should have a contingency plan. Here are 3 tips you can perform.

  • Firstly, if your PBX has Event Notification feature, make sure to set it up properly to get informed of important happenings on your PBX system (i.e. the change of administrator password) just in time.
  • Secondly, schedule auto backup on your PBX. If your PBX cannot work, you can reset it and restore configurations from the backup file to ensure fast recovery.
  • Thirdly, consider implementing a redundancy solution, which will help to keep your business’s phone system running as usual even when encountered with unexpected server failure.

Yeastar PBX: Revamped Security to Safeguard Your Phone System

Yeastar S-Series VoIP PBX and Cloud PBX have strong built-in anti-hacking mechanisms and are kept revamped with new firmware releases. The robust incorporated firewall and IP Auto Defense system can block untrusted network access. Also, the advanced PBX setting options, for instance, SRTP, outbound call restriction and event notification, provide ways to double layer your system security.

Important: to upgrade your PBX security to next level, we recommend that you update your PBX firmware to the latest version where some system-critical potential vulnerabilities are found and fixed.

For more specific operations on how to your secure your Yeastar PBX, please refer to our PBX security guide for S-Series VoIP PBX here, or for Yeastar Cloud PBX here.