Securing your VoIP telephone system

Is your VoIP phone system secure? Due to recent attacks on prominent IT systems, we are aware that we should protect our servers, computers, laptops, smartphones and tablets. However, if not protected, VoIP phone systems may also be vulnerable to online attack that could allow them to be ‘hacked’ and used by somebody else, at your expense!

Hackers use automated tools (bots) that cruise the Internet ‘fishing’ for VoIP phone systems that react to queries on SIP communications port 5060. When they find an Internet address that responds, they will bombard that address with other tools designed to look like the registration of a VoIP extension. If an extension or SIP Trunk registration can be hacked, then it can be used to create a call route using the trunk-lines of that phone system to connect calls to anywhere in the world. If your system gets hacked, it’s you that gets the phone bill!

This is how we secure your 3CX phone system:

Foxhall Solutions install Draytek routers to connect 3CX systems to SIP Trunk services provided by different ‘Telephony Internet Service Providers’ [TISPs]. We create a Firewall filter rule that blocks port 5060 enquiries from any Internet address other than our TISP partners (and from valid extensions at remote home or branch offices). This helps make your 3CX system ‘invisible’ to those ‘fishing’ bots and puts an effective barrier in place to stop most attacks. Without filtering, the hackers are still bashing at the door and trying to pick the lock; with the filtering in place, they just can’t find the door!

3CX extensions are created with registration passwords and voicemail PINs that are, by default, randomly generated alphanumeric characters. Both can be manually replaced by longer and more complex passwords if necessary. This means any hacking tool must make a lot of registration attempts to get anywhere near a valid registration password – making it easy to block after e.g. 5 failed attempts.

Part of a 3CX install is to determine which international countries you need to call. Those ISD country codes can be white-listed and allowed, while calls to any non-selected countries will be blocked.
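The country white-list described above can be expressed as a prefix check on the normalised dialled number. This is an added example, not 3CX code: the UK dialling rules, the allowed codes and the blocked prefixes are constructed assumptions, and it goes one step beyond the text by letting a longer blocked prefix carve a destination out of an allowed country code such as +1.

```python
# Constructed policy for a UK site; codes and prefixes are illustrative choices.
HOME_CODE = "44"
INTERNATIONAL_PREFIX = "00"
ALLOWED_CODES = {"44", "33", "1"}     # UK, France, North American plan
BLOCKED_PREFIXES = {"1876", "1809"}   # carve-outs inside +1 (Jamaica, Dominican Rep.)


def to_e164_digits(dialled):
    """Normalise what the user dialled to country code + number, digits only."""
    dialled = dialled.strip()
    digits = "".join(ch for ch in dialled if ch.isdigit())
    if dialled.startswith("+"):
        return digits
    if digits.startswith(INTERNATIONAL_PREFIX):
        return digits[len(INTERNATIONAL_PREFIX):]
    if digits.startswith("0"):
        return HOME_CODE + digits[1:]   # national format: drop the trunk '0'
    return HOME_CODE + digits           # local number dialled without '0'


def call_allowed(dialled):
    """Return True only if the destination matches the white-list policy."""
    number = to_e164_digits(dialled)
    matches = [(len(p), False) for p in BLOCKED_PREFIXES if number.startswith(p)]
    matches += [(len(c), True) for c in ALLOWED_CODES if number.startswith(c)]
    # Longest matching prefix wins; no match at all means the call is blocked.
    return max(matches)[1] if matches else False
```

Normalising first matters: the same destination can be dialled as `+33…`, `0033…` or in national format, and the check must treat them identically.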

We also determine which local and public network IP addresses calls will come from, and white-list those. For this reason, we recommend that remote extensions are on broadband services with static Public IP addresses (or connect in via Virtual Private Networks). 3CX will automatically black-list and prevent access from Public Internet IP addresses that meet the criteria set up in the Security module.

Anti-hacking timeouts are configured: we specify the number of failed Authentication attempts allowed before the offending Internet address is locked out (and specify how long that lock-out is maintained). This module also includes protection against Denial of Service type attacks (excessive packets of data per second), and has timers to ensure lockout after a minimal amount of fraudulent traffic is detected.
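The lock-out behaviour described above (a failure threshold, a lock-out duration and a white-list of known addresses) can be sketched as follows. This is an added example, not 3CX code: the window and lock-out lengths, the class and function names, the choice to exempt white-listed addresses from lock-out, and the sample addresses and events are all constructed assumptions.

```python
import ipaddress

# Assumed policy values; the page only gives "e.g. 5 failed attempts".
MAX_FAILURES = 5
WINDOW_SECONDS = 60       # failures are counted inside this sliding window
LOCKOUT_SECONDS = 3600    # how long an offending address stays locked out
# Constructed white-list: office LAN plus one static remote-extension address.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("192.168.10.0/24", "203.0.113.10/32")]

class AuthGuard:
    def __init__(self):
        self.failures = {}       # source IP -> timestamps of recent failures
        self.blocked_until = {}  # source IP -> time the lock-out ends

    def is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in TRUSTED_NETS)

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now >= until:
            del self.blocked_until[ip]   # lock-out has expired
            until = None
        return until is not None

    def record(self, ip, now, success):
        """Handle one registration attempt: 'accept', 'reject' or 'blocked'."""
        if self.is_blocked(ip, now):
            return "blocked"             # even a correct password is refused
        if success:
            self.failures.pop(ip, None)
            return "accept"
        recent = [t for t in self.failures.get(ip, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES and not self.is_trusted(ip):
            self.blocked_until[ip] = now + LOCKOUT_SECONDS
            del self.failures[ip]
            return "blocked"
        return "reject"

# Constructed events: (time in seconds, source IP, registration succeeded?)
EVENTS = [(t, "198.51.100.7", False) for t in range(0, 12, 2)] + [
    (20, "192.168.10.15", False),
    (30, "198.51.100.7", True),
    (3700, "198.51.100.7", True),
]

def replay(events):
    """Run the events through a fresh guard and return each verdict in order."""
    guard = AuthGuard()
    return [guard.record(ip, t, ok) for t, ip, ok in events]
```

In the replay, the fifth failure from the unknown address triggers the lock-out, a later attempt with the correct password is still refused while the lock-out lasts, and access returns only after it expires.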

It’s also notable that our carrier partners do some basic traffic ‘quantity’ and ‘routing’ monitoring to detect unusual usage. It’s possible to have SIP Trunk channels blocked for outbound calls, based on detection of excessive or unusual usage.

It’s also important to have a comprehensive error message library that can push e-mail alerts out to system administration and support. These messages will provide information if hacking attempts are made, and if calls to unauthorised numbers or countries are attempted from an extension.

In the past, we have seen ‘phantom calls’ arriving on remote extensions due to the phones themselves reacting to ‘fishing’ on port 5060. Our phone-set partner – Yealink – has removed this problem with a feature to allow us to instruct the phone to react to SIP protocol from your 3CX server only. And, if you are really worried about calls to remote extensions (e.g. in another country) being intercepted and monitored, we can apply Secure SIP (TLS encryption) to and from those extensions.

As a final layer of protection, even though it is not exposed to web-browsing and e-mail, we also install an anti-malware product (e.g. Avast!) on your 3CX server.

Due to their nature, VoIP phone systems must be open to the Internet. However, there are a lot of security facilities that can be built into these systems by responsible software developers. When choosing a new phone system, or, if you’re already using VoIP – you shouldn’t hesitate to ask your system supplier how your phone system is being protected so that you won’t experience outage – or even ‘outrage!’ due to hackers attacking it and creating an eye-watering call bill! With 3CX, we have you covered …

Contact Foxhall Solutions – 01787 228 402 – to find out more about securing your telephone systems.

Case Study: ICT for Lindacre Land Rover Service Centre


Greg Rashbrook, Managing Director of the Lindacre Land Rover Service Centre, was faced with a challenge that has caused problems for many businesses. He needed to move his entire operation from the Farthing Road Industrial Estate to a new home at 1a Olympus Close, IP1 5LJ. And he was very well aware of the potential difficulties.

‘I’ve had experience with this with previous companies,’ said Greg. ‘You worry most about maintaining contact with customers and ensuring they can get hold of you without changing numbers – so the most important thing is continuity.’

Lindacre’s day-to-day operation is totally reliant on its internet-based management and accounting systems, so it was vital to ensure a smooth transfer between the two premises. ‘We needed immediate broadband access at the new address – and we had to be sure the various different access programs were set up on individual computers.’

Why choose Foxhall?

In Greg’s words: ‘I’ve worked with Graham in the past and built up a good and trusting relationship where his advice has been very helpful. I wanted to make sure that whoever handled this process sat down with me and discussed it in detail, well in advance of the move.’

‘There were two things we had to consider. Obviously we wanted to keep the budget as tight as possible, but we had to be sure we had robust equipment that could do the job, and keep on doing it. Graham understood the business, our level of usage, and the capacity we required – so he put together a package at what we saw as a reasonable and affordable price. It gives us what we need now, but with the capacity to expand both our phone and our IT systems if we want to.’

How were the new systems chosen?

At their old premises Lindacre had kept a number of computers on the Windows XP operating system, mainly because that was necessary for connection to some of their cloud-based systems. Since XP is no longer supported by Microsoft, an upgrade was essential – but there were some challenges to delivering it. ‘Most of the companies we tend to do business with use software that was originally set up on an XP base. That includes Land Rover, Car Care (who deal with our registered warranties), our Dealer Management System and our Parts system. And most of them have only just caught up with Windows 7!’

Even so, many of the team were using Windows Vista, which Foxhall had set up for them in 2009. On Graham’s advice Greg took the opportunity to upgrade from Windows Vista and Windows XP (which is no longer supported by Microsoft) to Windows 7. The choice was carefully considered, as he felt Windows 8 was not a suitable operating system for his team and there were issues around connecting it to the internet-based dealer management system. ‘We had mainly new hardware, with the exception of one or two people who were using laptops, but we needed to replace a lot of POS terminals and desktop computers so we thought it best to start with everything new.’

What was in the package?

The package agreed with Foxhall included the provision of three phone lines and three broadband services to carry both voice and data to and from Lindacre’s new offices. One broadband service would be reserved and isolated for exclusive use by the workshop. ‘This line isn’t just for normal business use – many vehicles have on-board modules that need software upgrades, which we take directly from Land Rover via broadband. And our diagnostic systems are updated regularly overnight via wireless upgrades, so that broadband line must be exclusive to our system-driven diagnostics.’

Using the remaining two broadband services Foxhall would provide SIP trunk channels, creating virtual telephone lines at a fraction of the cost of ISDN services and allowing Lindacre to have several new contact numbers. The existing telephone numbers would simply be ported across to the new premises, ensuring complete continuity of service for Lindacre’s growing customer base.

Much of the new equipment would be housed in a central cabinet. It was designed to accommodate the ICT cabling, routing and switching equipment providing the hub for Lindacre’s phone and computer systems, with a 4TB data server providing safe storage for Lindacre’s common-access company data. This cabinet would also incorporate an Uninterruptible Power Supply (UPS) which would keep the company’s phones and WiFi systems up and running during short mains power outages.

Before the move

The ‘new’ premises were, in fact, in an 8-year-old building which needed complete re-cabling. However, the offices had been built, so Foxhall were able to come in ahead of time to get everything set up. The cabling runs had already been pulled in by the electrical contractor, so Foxhall were able to terminate some 50 cat.5e cabling runs at the users’ desks and at the cabinet, ready to support computers, printers, wireless access points and telephones.

At the heart of the new system was a Draytek V2820 IPPBX, a multi-role unit that provides a fully featured VoIP telephone system and broadband routing for e-mail and web-browsing services. The IPPBX component supports 15 Yealink T41P desk phones and W52H DECT cordless phones, catering for both fixed and roaming needs on the site.

An important element in preparing for the move was to decide how incoming calls would be routed. As configured, when ‘reception’ phones are busy incoming calls are allowed to ‘overflow’ to secondary groups of extensions. As the business grows it will be possible to set up new direct dial numbers for particular departments and individuals, as required.

In the offices, Foxhall supplied and installed ten new core-i5 PCs running Windows 7 and Office 2013. The PCs were then configured to access existing e-mail accounts. Foxhall transferred all necessary email and company data from the old Windows XP and Vista computers used by each member of staff.

The team also installed WiFi services for the service bays, making sure that a separate WiFi connection was available to staff and visitors in every part of the site.

The plan was to eliminate any interruption to the business – Greg and his team would be able to come in on the Monday morning and simply pick up where they’d left off on the Friday.

What was your experience when the move actually came?

‘Foxhall arranged for the phone numbers to be moved during the weekend – and we needed someone with Graham’s skill set to ensure that everything happened at the right time. The important thing with Foxhall is that they keep you in touch with what’s going on. That’s essential – after all, I had a million other things to worry about. I was quietly confident that they had it all under control, despite knowing from experience how things can go wrong – and my confidence was entirely justified by the outcome.’

‘The wonderful thing was that we finished business on a Friday, moved most of the bits and pieces across over the weekend, we were live on Monday – and everything worked, with no break in customer service. It was all very well planned.’

‘The phone connection is spot on. Our old phone system should have been on Antiques Roadshow – it was hugely limiting in terms of the number of lines we could have available. Now we have the ability to add more lines, and the move has given us more lines, more handsets, more extensions, and greater capacity. And the digital system is so much better!’

‘We prefer dealing with smaller businesses like Foxhall, where you can talk to the people who make the decisions. We’ve been very fortunate that all the people we’ve dealt with during the move have been first class – it’s been a real pleasure to work with them, and they’ve all worked well together. So it went well for us.’

How long did it take your staff to get to grips with the new systems?

‘We didn’t have any issues with this. Most of our people had experience with Windows 7, all the terminals had been set up with their familiar icons, and all the passwords stayed the same. There were one or two small issues where people had to advise a change of IP address, but that was it. In the workshop we had vehicles in from day one, and most of them needed minor software upgrades direct from the provider. Foxhall were aware of the importance of that, and ensured the service could meet our very stringent requirements.’

Briefly, how would you describe your experience with Foxhall?

‘Good planning and advice plus good execution led to a trouble-free delivery. We’d happily recommend Foxhall to any other business.’

Is VoIP as reliable as analogue and ISDN?

VoIP telephone systems are capable of using analogue and ISDN lines just like other telephone systems. But – it’s when they use the Internet that their cost savings and flexibility become apparent, with lower line and call costs, and their ability to support a phone located anywhere in the world, as a ‘local’ extension.

Internet connections have become more sophisticated and reliable, with Service Level Agreements (SLAs) on some business grade services, matching those of ISDN phone lines. Even so – people are still cautious about putting telephone calls across the Internet …

There are a couple of basic rules that we follow. First – we make sure that the ISP supplying your Internet trunk lines is the same company that’s providing your Broadband service. This is so that your calls don’t have to go into the server-farm at one Internet provider and then transit the web to find the telecom’s server at another. Following this rule ensures a nice clean connection between your phones and the carrier’s central switch system designed to onward connect you to local, national, international & mobile calls.

The second rule is to be careful about your choice of Internet / line provider. VoIP provides huge savings over ISDN or analogue lines – so it doesn’t make sense to choose your ISP partner purely on price. In general, business-to-business ISPs are more expensive because they CAN provide some assurances that ‘when the kids get in from school’ their servers and bandwidth won’t be pushed to the limit! For example – working with an ISP that guarantees a 30% reserve on bandwidth – and provides automatic call fall-back to alternate land-line or mobile numbers is going to give you that warm & fuzzy feeling … Where an ISP you sign-up to out of a shopping trolley may not!

With the right service in place, you will experience VoIP connection that is pretty much as you’d get from an ISDN service – without the cost! However, that’s not the end of it! To provide additional security, we can use the analogue lines used to deliver broadband services into the business, as alternates in case of a broadband problem. We could even use mobile gateways to carry calls and by-pass land-lines completely.

VoIP systems are typically running on [non-proprietary] PCs or servers, and therefore, even if the fault is due to failed computer hardware, it is possible to quickly and easily load the system application and a configuration back-up onto another PC and get service restored fast.

So – in a lot of cases, VoIP systems are actually becoming more reliable than ‘traditional’ land-line based systems – simply because there are so many safe-guards and alternates built into them.

Making phone system upgrades easier with Yealink …

Out with the old! – and in with the new! … is the cry – But it’s often accompanied by groans from people who need to get to grips with something quite different and to change procedures they have been used to for many years. We often see users struggling with phone systems – just because they are different – even when the new systems are actually easier to use!

But, with careful planning and understanding your existing ways of working, a phone like the Yealink T26P [illustrated], can be set up so that it operates in the same sort of way that old key systems do … “Pick up the call on line 1” may have been yelled across the room in the past – so telling somebody how to do a call transfer, just sounds strange to them. The T26P can have its keys programmed to work in the same sort of way as the key system. You want to transfer a call? … Just press a key labelled ‘Line 1’ and tell your colleague to pick it up there. They will see a flashing Line 1 key, press it, and be connected to the caller. It happens in a completely different way than it did on your old system, but the process is so similar that the new system seems like an enhancement of the old.

So while lots of new and automated features guide the calls in the background, and lines & calls cost loads less – your staff don’t have to forget everything they ever knew about handling calls for your business.

Foxhall Solutions are pleased to offer Yealink product, as they have been recognised for their growth by Frost & Sullivan – after achieving a Compound Annual Growth Rate of 83% during 2009 to 2011. Call us at 01787 228 402 to discuss how a 3CX phone system can reduce your operating costs, and increase business flexibility.