PBX a breach of perimeter security

By mlayton
I was at a conference discussing perimeter security recently, and was amazed at what little information there was for securing a PBX. Now I know, traditionally the voice and data have been separate departments, but with the convergence of technologies, I thought the blending would be farther along than it appeared to be. So I wonder, if you are responsible for securing a network:
a) Do you know where all the analog ports (something necessary for a modem) are within your building?
b) Do you know what it takes to enable/disable those ports? Do they allow incoming calls? Do you know?
c) Do you know what is happening on your PBX? How it can be used for reconnaissance to get access to company information? Have you taken steps to prevent it? Do you review logs and records and would you be able to tell if such activity was happening?
d) Do you apply patches to your PBX with the same zealousness of patches to your operating systems, or is it in the same configuration/firmware/software as when it was installed?
e) Do you have control enough to make sure that exiting employees have their mailboxes not just terminated but removed from the system?

Just wondering what the territory is like out there - is this still a big gaping hole in a network's security? Or because hacking via phone doesn't get the press, does nobody worry about it?

by Gigelul In reply to PBX a breach of perimeter ...

Nobody can install/use a modem on networked PCs.

Is that your policy?

by mlayton In reply to Modems

do you tell if someone in your building brings in an external modem, hooks it up to the external port and uses it to dial out?

...and do you have laptops in the building with modems built in?

It works

by Gigelul In reply to Is that your policy?

To use a modem you must have rights to install it and to define a dialup connection. They don't have!

Regarding laptops: generally they are used for traveling purposes and not for daily work on the company network.
Another restriction is the hardware incompatibility configurations: modems require an analogue line and the PBX has "digital terminals" (of course, in my office I have the possibility to test/configure these modems).

But can be

by Gigelul In reply to It works

a breach of perimeter security.

I'm curious too to hear what others are doing regarding this "issue".

Patching a PBX?

by Oz_Media In reply to PBX a breach of perimeter ...

Well having been in the telecom/switching industry for nearly 10 years now I have never actually seen a PBX be 'patched'.
Any proprietary PBX has a software level upgrade issued to authorized techs only, it is usually in the form of a hardware upgrade yet SOME software upgrades are available but usually only from a secured page on the manufacturer's website, where authorized techs are given access for field repair. I have never seen an end user patch a PBX and it would instantly void any warranty provided.

As for security, the whole idea of a DECENT PBX, is that it is in NO WAY whatsoever connected to your LAN. A good PBX is completely independent, offers its own DHCP or static addressing, full encryption, access reporting and SMDR doesn't miss too much.

Stop thinking network, a lot of net admins will consider a PBX part of the network because the integration is so tight. As it is, MOST proprietary PBXs are FAR more secure than any network. Now router traffic, DOS attacks and QOS "IS" a network issue that needs to be addressed before installing ANY PBX or VoIP system.

These are the leading systems in VoIP and PBX technology:

Patching was probably the wrong term...

by mlayton In reply to Patching a PBX?

...but I was trying to put it in relative terms. Especially where voice mail systems or operator console systems are concerned, since a lot of those are based on old technology (I've seen operator consoles still running on Windows 95) - and do your technicians call you and tell you they need to come if there is a software upgrade, or do you have to call them for something else and then they mention, "by the way, you are running an old version of the software."

...and while you and I know it shouldn't be connected to the LAN, would you know if it was? What systems do you have in place to audit the analog connections? And how many people jumped on the "send my voice mail to my e-mail" or vice versa bandwagon years back and still have some of those connections open?

And don't you think a certain amount of reconnaissance can still be done just by calling most PBXs? I know many years ago, I could identify the vendor of the voicemail system just by the talent on the recording, which meant I knew the default passwords right away, exactly how many numbers would be in an extension, and on some vendors I could get to config commands quickly. Those "directories" which identify employees by name are a goldmine for anyone looking to do some social engineering. Do most IT Departments at this point have a say in that configuration which could in the end affect the security of their networks? I know in my company, the communications department handles voice, IT Department handles Data network, and maybe one can recommend to the other, but they really have no control on the implementations outside their respective alignments. Which I think is dangerous. Hence the question!
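
An added example, not part of the original thread: one way to review PBX call records (the SMDR output mentioned earlier) for the activity asked about here, namely calls on analog ports and bursts of short calls to the voicemail access number. The record layout, extension numbers, phone numbers and thresholds are constructed assumptions; real SMDR output is vendor-specific.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample records: timestamp, direction, extension, other party, seconds.
SAMPLE_SMDR = """\
2024-03-04 09:12:05,OUT,2101,5550100,184
2024-03-04 22:41:17,OUT,2290,5550177,3605
2024-03-05 02:03:44,IN,2290,5550142,912
2024-03-05 02:10:01,IN,2500,5550199,14
2024-03-05 02:10:40,IN,2500,5550199,12
2024-03-05 02:11:15,IN,2500,5550199,15
2024-03-05 02:11:52,IN,2500,5550199,11
2024-03-05 10:30:00,OUT,2250,5550123,95
"""

ANALOG_PORTS = {"2250", "2290"}   # assumed inventory of analog extensions
APPROVED_ANALOG = {"2250"}        # assumed: the one sanctioned fax line
VOICEMAIL_PILOT = "2500"          # assumed voicemail access extension
LONG_CALL_SECS = 1800             # assumed threshold for a data-length call
SHORT_CALL_SECS = 30              # assumed upper bound for a "short" call
BURST_COUNT = 3                   # short calls from one caller before flagging


def audit_smdr(text):
    """Return a sorted list of (rule, extension, detail) findings."""
    findings = set()
    short_vm_calls = Counter()
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, direction, ext, number, secs = row
        datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")  # raise on malformed rows
        secs = int(secs)
        if ext in ANALOG_PORTS and ext not in APPROVED_ANALOG:
            findings.add(("unapproved-analog-use", ext, direction))
        if ext in ANALOG_PORTS and direction == "IN":
            findings.add(("analog-inbound", ext, number))
        if ext in ANALOG_PORTS and secs >= LONG_CALL_SECS:
            findings.add(("analog-long-call", ext, ts))
        if ext == VOICEMAIL_PILOT and direction == "IN" and secs <= SHORT_CALL_SECS:
            short_vm_calls[number] += 1
    for caller, count in short_vm_calls.items():
        if count >= BURST_COUNT:
            findings.add(("voicemail-short-call-burst", VOICEMAIL_PILOT, f"{caller} x{count}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_smdr(SAMPLE_SMDR):
        print(*finding, sep="\t")
```
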

not an issue but wireless is

by Deadly Ernest In reply to PBX a breach of perimeter ...

One of the difficulties with many a PBX has been the problem with getting them to allow non voice transmission to pass through them. Not sure about the latest ones but when I had to buy PBX equipment in the 1980's and 1990's if you wanted to have a modem signal able to pass through the system you had to buy special modules and place them on the specific lines otherwise the general PBX equipment would detect the modem signal as a faulty line and close it down.

What is a bigger concern is wireless connections both within your network, and someone attaching one, without approval, to a computer in your system.
