Firewall for VoIP PBX

The Importance of Securing Your Network and Your PBX

The term firewall refers to a security system for networks. It controls and filters traffic between two or more networks in order to protect private data and access. For safe IP telecommunication, securing the network is not enough; you should also pay attention to the security of the IP PBX itself. While analog and ISDN phones were not in danger of cyber-attacks, simply because they were not connected to the Internet, VoIP systems are. Since all the parts of the IP telephone system and the network are interconnected, security threats can easily affect every device linked to the system.

Why use a Firewall?

For most people the term “cyber-attack” or “hacking” sounds very abstract. They can’t really picture what an attack would look like and often underestimate the consequences. However, attacks on your networks are neither carried out by some genius masterminds with access to high-end equipment, nor are they rare. For someone who knows how, it is quite easy to find weaknesses in networks, especially if they are not well protected. There are a variety of dangers that users of a network should be aware of.
One of them is the brute-force attack, where attackers (bots) find out passwords through automated trial-and-error and take control of your server. In DDoS attacks, botnets flood a system with requests, rendering it inoperative. The communication protocol SIP, which is used for telecommunication, is not itself encrypted, which means that anyone acting as a “man-in-the-middle” can potentially listen in on your conversations, up to the point of extracting the audio itself. Of course, this is only possible if the network administrator was inattentive to network security.

Consequences of Cyber-Attacks against IP PBXs

  • High phone bills, because others use your system and let you pay for their calls
  • System gets “taken over”
  • Passwords get sold (for example for provider & e-mail accounts)
  • Call-through and fax devices are used for spam
  • System is used as a spam distributor
  • Calls get recorded as a method of espionage
  • Trojans/Viruses are installed
  • Additional IT systems get infected (for example the internal network)
  • Negative impact on your customer relations

What You Can Do for Your Network Security

One of the most important conditions for preventing your systems from getting hacked is picking safe passwords. Of course, this is no substitute for a firewall, but it is one of the basic steps you can take. Pick a password that contains letters, numbers and special characters. For example, AskoziaPBX automatically generates secure passwords for each account that is created. It is also advisable to use a VPN (Virtual Private Network) to connect external devices to the network. This avoids the need for port forwarding and hosting on home routers, both of which pose serious security threats.
Firewalls are the first line of defense for your network, protecting it from incoming traffic from outside networks (usually the Internet). However, a firewall with a packet filter does not just restrict incoming data traffic, but also outgoing traffic. That is important to prevent your network devices from becoming part of a botnet. Naturally, there are different varieties of firewalls, depending on individual requirements and likelihood of threats.

Internal iptables Firewall

IP phone systems that run on Asterisk usually have a built-in iptables firewall, since that is included in most Linux distributions (and Asterisk runs on Linux). The general function of this type of firewall is to compare the network traffic to a set of rules and carry out actions depending on the result. The decision about what to do with a packet can depend on different criteria, such as its source or destination address, its protocol type or how it relates to previous packets (state tracking). Each packet is checked against each rule until one matches. If no rule matches, a default policy is applied.
Using this process is simplified by Askozia’s web interface, which gives a comprehensive overview of all functions and offers a range of templates that have proven to be useful. It distinguishes between three different networks: first, the PBX’s local subnet; second, an optionally definable intranet; and third, the Internet (basically everything else). Traffic can be blocked individually for a variety of services like SSH (allowing remote shell access to the PBX), RTP (used for transmitting voice and video), SIP (which establishes connections between VoIP phones) and many more.
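
An added sketch of the first-match evaluation described above, not Askozia's or iptables' own code: a small Python model of an ordered rule chain with a default policy. The three zones follow the text; the addresses, the provider range, the RTP port range and all class and function names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed networks and ports (assumptions, not Askozia defaults).
LOCAL = ipaddress.ip_network("192.168.10.0/24")     # PBX's local subnet
INTRANET = ipaddress.ip_network("10.0.0.0/8")       # optional intranet
PROVIDER = ipaddress.ip_network("198.51.100.0/24")  # SIP provider's range
ANY = ipaddress.ip_network("0.0.0.0/0")             # the Internet
SSH, SIP, RTP = range(22, 23), range(5060, 5061), range(10000, 20001)

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                  # "tcp" or "udp"
    dport: int
    established: bool = False   # state tracking: part of a known connection

@dataclass(frozen=True)
class Rule:
    action: str                            # "ACCEPT" or "DROP"
    src: ipaddress.IPv4Network = ANY
    proto: Optional[str] = None            # None matches any protocol
    dports: Optional[range] = None         # None matches any port
    established: bool = False              # True: only tracked connections

    def matches(self, p: Packet) -> bool:
        return ((p.established or not self.established)
                and ipaddress.ip_address(p.src) in self.src
                and self.proto in (None, p.proto)
                and (self.dports is None or p.dport in self.dports))

# Ordered chain: replies first, SSH from the local subnet only, then SIP
# signalling and RTP media from each trusted network.
RULES = [Rule("ACCEPT", established=True), Rule("ACCEPT", LOCAL, "tcp", SSH)]
for net in (LOCAL, INTRANET, PROVIDER):
    RULES += [Rule("ACCEPT", net, "udp", SIP), Rule("ACCEPT", net, "udp", RTP)]

def decide(p: Packet, rules=RULES, policy: str = "DROP") -> str:
    """Return the first matching rule's action, else the default policy."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return policy
```

Placing a DROP rule for a single intranet host ahead of the chain blocks that host, while appending the same rule after the chain has no effect, because the earlier ACCEPT matches first.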

“We’ve been running Askozia for the last year, and I have to say that this software rocks! I am genuinely impressed with features, ease of use, and most important stability. Your entire team should be commended for an outstanding product.”

Jim McKenna, Redzonewireless, USA

Security Measures Built into AskoziaPBX

We at Askozia take the security of our phone systems very seriously. Our PBX has an internal firewall, which can be activated to support our customers in securing their telecommunication. However, it is no substitute for a network firewall. While changing Asterisk’s default port 5060 is definitely a good idea, it does not really increase security, as the changed SIP port will be found eventually. It is much more effective to ensure that only the server and address range of the ISP can communicate with the PBX through the Internet.
Another part of AskoziaPBX’s firewall is the Fail2Ban feature, which automatically blocks IP addresses after a certain number of unsuccessful log-in attempts. This is a useful security measure to keep outsiders from guessing internal numbers. Our PBX also allows its users to define restrictive dial patterns, basically limiting and controlling calls that go to countries which are unlikely to be called, as well as numbers that charge high fees.
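
The blocking behaviour described above, as an added example that is neither Fail2Ban's nor Askozia's code: a sliding-window counter run over constructed log lines modelled on Asterisk's chan_sip registration failures. The parameter names echo Fail2Ban's maxretry and findtime; the thresholds, addresses and function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines, modelled on Asterisk chan_sip registration failures.
LINE_FMT = ("[2024-03-01 {}] NOTICE[1201] chan_sip.c: Registration from "
            "'<sip:{}@pbx.example>' failed for '{}:5060' - {}")
EVENTS = [
    ("02:14:01", "100", "203.0.113.50", "No matching peer found"),
    ("02:14:02", "101", "203.0.113.50", "No matching peer found"),
    ("02:14:03", "102", "203.0.113.50", "Wrong password"),
    ("08:30:10", "23", "192.168.10.23", "Wrong password"),  # single typo
    ("09:00:00", "100", "192.0.2.9", "Wrong password"),     # 20 min apart
    ("09:20:00", "100", "192.0.2.9", "Wrong password"),
    ("09:40:00", "100", "192.0.2.9", "Wrong password"),
]
SAMPLE_LOG = "\n".join(LINE_FMT.format(*e) for e in EVENTS)

FAILED = re.compile(r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE.*Registration from .*"
                    r" failed for '(?P<ip>[\d.]+):\d+'")

def find_bans(log, max_retry=3, find_time=timedelta(minutes=10)):
    """Map each source IP to the time it reached max_retry failed
    registrations within find_time; later lines from it are ignored."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    bans = {}
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m or m["ip"] in bans:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:   # expire failures older than window
            window.popleft()
        if len(window) >= max_retry:
            bans[m["ip"]] = ts
    return bans
```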