IP-PBX Security – Ring Ring!

Old 1 Comment on IP-PBX Security – Ring Ring! 25

If you have any interaction with telecommunications, then you know that IP-PBXs are quickly moving into every organization left, right and center. But, have you considered the security implications of IP-PBX systems ?

For those that don’t know, PBX stands for Private Branch Exchange, or an on-premise office telephone system. To explain it very briefly, PBXs allow internal extensions to share external phone lines. So while you may have, say, 20 internal extensions (physical phones on employee’s desks), you may only have 3 or 4 external phone lines where people outside the organization can call in or people inside the organization can call out. The reason for this is because it’s very rare in the typical office environment for everyone to be on the phone at the exact same time. This way, you can save money on your monthly phone line costs, yet everyone can still have a dedicated phone on their desk. There are also features like auto attendants (press 1 for sales, press 2 for support), and integrated voicemail boxes.

In the past, these PBXs were analog or digital. They travelled over 2 or 6 pair copper wires, and they interfaced only with the host system. In the modern day, we now have IP based PBX systems. The difference in features is astonishing. We can control phone calls from our computer workstations, we can get caller ID notifications on our workstations, we can get voicemails delivered right to our e-mail, we can take physical phones off our desks and plug them in anywhere in the world (with an internet connection) and connect to the PBX remotely. There are so many features out there that are available now, it has transformed how we think about doing business using our telephones.

Of course, these enhancements in telecommunications technology don’t come without increased risks. You see, IP-PBXs deliver their voice communications using VoIP, or Voice over IP technology. Data packets are sent back and forth between the phones and the system. These packets consist of RTP (Real-time Transport Protocol) and SIP (Session Initiation Protocol). Generally these packets are contained within a LAN, but in the scenarios of remote extensions (phones that are part of the system but are physically located somewhere else in the world), they are coming and going over the general internet. The same is true for VoIP telephone lines, but we’ll leave that for another discussion. Because these communications are happening over the IP network, they can be compromised.

Imagine for a minute, a malicious user breaks into your network. They’re at the base LAN level, and through some scanning they realize there’s an IP-PBX on the network. They break into the IP-PBX (or the web interface of one of the IP phones for that matter). Using the information they can now easily obtain, they could theoretically deploy an extension that they can access, either via a softphone (software based phone that sits on your computer as an installed program and uses a headset as your ‘telephone set receiver’) or a hardware IP phone if they have one. Now they can make calls using your phone lines, receive calls, etc. Using packet capturing techniques, they could even intercept and record the phone calls of other IP phone users within the network. All these things present a HUGE challenge for administrators.

More than ever, it is imperative that system administrators ensure that their networks are secure and protected by firewalls and other security measures. As more and more technologies start interacting with computer networks, and the internet at large, the more important it is to understand the implications of this, and prepare for it as best we can.


Martin Lehner

Martin Lehner is an technology professional working for an IT services firm in Whitehorse, Yukon (Canada). He has been working in the technology field for over a decade. With a degree in Business Admin and numerous industry certifications, Martin leads a team of IT professionals that provide third party support for clients. Originally starting a company to offer web development services, Martin quickly realized that clients wanted the entire spectrum of technology services. When Martin is not at work (which is not often, since his company offers 24/7 support), he is busy at home spending time with his family.

Related Articles

1 Comment

  1. Yurisbel Jimenez September 27, 2014 at 8:35 pm

    Within an IP based communication system; there are many options you can implement to avoid external user interference specially if some of your co-workers are in the other side of the world or just work in remote offices.

    I’m not going to say that you could. You have to implement an L2TP IPSec Virtual Private Network preferably not the PSK method between all the computers in the network to ensure that all the traffic stay inside the corporate network and only people allowed to pull information can be able to reach the same; that way you avoid the possible intrusion of an unauthorized party to the system in the case they could reach your LAN.

    At the same time you have to implement SRTP for the security of the RTP stream sessions and a TLS certificate between the peers and the PBX so all the packets stay secure. At that point even when you are in the other side of the world is going to be three layers protecting your information and I’m going to enumerate them even when I know most of you guys knows this if you read carefully this reply: VPN, TLS and finally the SRTP.

    I think implement all those security methods is going to steal a pretty good amount of your time IT people, but it works for you and your company that at the end is the one that provide the stability and the wellness of your loved family.

Leave a comment

Back to Top