Planning VoIP deployments

By Barrie Dempster, WindowsNetworking.com | Operating Systems

This article discusses management of the VoIP PBX and proposes that it be treated as just another service, one that the network administrator should manage comprehensively. It will demonstrate how voice connectivity relates to data networks and how to implement a PBX effectively and securely within the context of a network infrastructure.


Convergence



Network administrators now have multiple, varied methods of communication running on their networks. Whilst services such as email and the web, and the protocols behind them (SMTP and HTTP), are well understood, and the techniques for securing them are widely known and discussed, understanding of VoIP is often lacking. With the convergence of voice and data networks comes the convergence of roles within an organisation. IT and telecoms staff are no longer distinctly separate and there can be an overlap in roles. This can often lead to misunderstandings by staff who make assumptions about systems they are not familiar with, in environments they are not used to.



This does not, however, mean that handling voice and data communications needs to be complex and hard to understand. In fact, because VoIP necessarily uses IP, which is also the basis of our data network, we need not treat VoIP infrastructure any differently from our data infrastructure. By looking at common network setups we will see how easy it is to design a secure and stable VoIP infrastructure using the same principles employed in the design of data networks. The principal example we will discuss here is that of front-end and back-end servers, common in the deployment of e-mail amongst many other applications.



The entry points


When discussing the security and accessibility of a service within a network, a lot of our focus is on the entry points. Questions we should be asking ourselves include:



Where are our users?

- They are on the Internet, PSTN, Internal Voice and Internal Data networks



Where are our threats?

- Every connection point could pose a threat to the others



What connectivity between servers and services are there?

- Incoming and outgoing VoIP over the Internet from/to the PBX (SIP, H.323, IAX, RTP, etc.)

- Incoming and outgoing calls over the PSTN, via ISDN/T1/E1/POTS

- VoIP clients on the internal data network using the VoIP protocols listed above

- Analogue and digital telephones on the internal voice network



There are other points to consider, but generally we are worried about connectivity: the ways in and out of our network and who might be using them. The ideas and techniques employed in the pursuit of data security on IP networks relate directly to a VoIP PBX. Our major added complexity is the fact that the PBX may be the terminating equipment on a telephone line. The consequence of this is that we must treat this device as we would any other device exposed to a public network (such as our border router). Therefore, we must not trust traffic at this point, and we would want a firewall and/or intrusion detection system between the device and the rest of our network.


The PBX placement problem

It's very common for a PBX system to be installed directly on the corporate LAN and plugged into the PSTN, and when IP communications are set up these are often allowed directly to the PBX. See Figure 1.


Figure 1: Common (bad) PBX placement




This presents a significant threat to the internal network: the network is not protected against a compromise of the PBX by someone accessing it over the PSTN, and it has only limited protection from the Internet. A vulnerability in our front-end (or indeed only) PBX gives attackers free rein over our internal network, with the only obstacle being the single gateway and firewall/IDS system at the Internet interface.



Facing a similar topology involving mail servers exposed directly to the Internet and also connected to our corporate LAN, we would likely be very concerned about the lack of layered protection. We have to ask, therefore, how we can add layers to protect a VoIP PBX, which has connections not only to the Internet but also to the various PSTN providers.
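To make the layered alternative concrete, the following added example (not part of the original article) models the entry points listed above as network segments and evaluates which flows an inner and outer firewall should pass once the front-end PBX sits in its own zone. Segment addresses, the RTP port range and the management rule are assumptions chosen for illustration; it also answers the question this section raises by showing which flows from a compromised front-end PBX the layered design blocks that the Figure 1 layout would not.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing for the segments of a layered design (not from the article).
SEGMENTS = {
    "voip_dmz":   ip_network("192.0.2.0/24"),   # front-end PBX: Internet/PSTN facing
    "voice_core": ip_network("10.10.0.0/24"),   # back-end PBX behind the inner firewall
    "lan":        ip_network("10.0.0.0/16"),    # data LAN, IP handsets, servers
}
RTP_PORTS = range(10000, 20001)                 # assumed media range; set per PBX

def segment_of(ip):
    """Longest-prefix match over SEGMENTS; unmatched addresses count as 'internet'."""
    addr, best = ip_address(ip), ("internet", -1)
    for name, net in SEGMENTS.items():
        if addr in net and net.prefixlen > best[1]:
            best = (name, net.prefixlen)
    return best[0]

# Service predicates: SIP 5060 tcp/udp, IAX2 4569 udp, RTP media, SSH for admin.
def sip(proto, port): return proto in ("udp", "tcp") and port == 5060
def iax(proto, port): return proto == "udp" and port == 4569
def rtp(proto, port): return proto == "udp" and port in RTP_PORTS
def ssh(proto, port): return proto == "tcp" and port == 22

# Inter-segment policy; anything not listed is denied (default deny on both firewalls).
POLICY = {
    ("internet", "voip_dmz"):   [sip, iax, rtp],  # outside callers stop at the front end
    ("voip_dmz", "internet"):   [sip, iax, rtp],
    ("voip_dmz", "voice_core"): [sip, iax, rtp],  # front end relays to the back end only
    ("voice_core", "voip_dmz"): [sip, iax, rtp],
    ("lan", "voice_core"):      [sip, rtp],       # handsets register with the back end
    ("voice_core", "lan"):      [sip, rtp],
    ("lan", "voip_dmz"):        [ssh],            # management is initiated from inside
}

def permitted(src_ip, dst_ip, proto, port):
    """True if the layered policy lets this flow through."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    return src == dst or any(rule(proto, port) for rule in POLICY.get((src, dst), []))

def audit(flows):
    """Flows the layered design blocks. With the PBX on the LAN (Figure 1) every
    one of these would have reached the internal network unchecked."""
    return [f for f in flows if not permitted(*f)]

# Constructed sample flows, including what a compromised front-end PBX might attempt.
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.10", "udp", 5060),   # inbound SIP to the front end
    ("192.0.2.10", "10.10.0.5", "udp", 5060),     # front end -> back end signalling
    ("192.0.2.10", "10.0.5.20", "tcp", 445),      # front end -> LAN file server: blocked
    ("192.0.2.10", "10.10.0.5", "tcp", 22),       # front end -> back end SSH: blocked
    ("10.0.5.20", "10.10.0.5", "udp", 12000),     # handset media to the back end
]
```

Running `audit(SAMPLE_FLOWS)` lists the two flows that only the layered placement stops; the same table can be translated line for line into rules on the outer and inner firewalls.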



A solution which works with other services
