Security and Firewall Practices
Posted by on 14 May 2011 07:47 PM

ESI Hosted Services Specific Recommendations

Allow SIP and ICMP access from our two ESI Hosted Services datacenters:

  • Los Angeles: 64.94.105.128/25
  • New York: 75.98.35.128/25

SIP access allows basic services, and ICMP access lets the customer take advantage of basic circuit monitoring and quality testing.

General SIP Recommendations

DO

  • Firewall your PBX.
  • Block access to SIP (TCP/UDP port 5060) from the internet except from trusted locations.
  • Set your IP‐PBX so that it accepts connections ONLY from on‐site phones and specific IP addresses.
  • Use strong passwords and MD5 authentication or public/private keys.
  • Passwords should be eight characters in length and include letters, at least one capital letter, at least one number, and at least one of these special characters: ! @ # | $ % ^ & * ( ) _ - ? . ,
  • Configure SIP proxies and firewalls with access lists to prevent access from unauthorized IP address blocks.
  • If you connect other SIP devices through your switch, change usernames and passwords for those connected devices when the user leaves or becomes de‐authorized.
  • Change passwords routinely on these remote connected accounts.
  • Review your call records to be sure that your traffic is what you expect from your normal business use.
  • Contact your PBX vendor to discuss the security of your system. We are happy to work with them and answer any questions you or they may have.
  • Check with your insurance providers to make sure you will be covered in case of fraud.

DON’T

  • Share SIP account passwords and device configuration passwords with anyone.
  • Let external users redial from your PBX. This is a common exploit that has been used on phone systems for many years.
  • Allow external access to the management portal of your phone system.

It is also important to secure other services on your IP‐PBX system. Services like HTTP, FTP, and SSH are commonly exploited and should be tightly restricted. Phone systems should be behind firewalls, and SIP proxy services should be used to pass traffic between external and internal systems.
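
One way to express the access rules above on a Linux-based PBX host, as an added example that is not ESI's own configuration: a script that prints an iptables-restore ruleset with a default-drop policy. The two datacenter ranges come from this article; ONSITE_NET, MGMT_NET, the choice of ports 22 and 443 for management, and the SIP-DENY log prefix are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a PBX host.
# Placeholder networks (assumptions, RFC 1918): change to match your site.
ONSITE_NET="${ONSITE_NET:-192.168.10.0/24}"   # on-site phones
MGMT_NET="${MGMT_NET:-192.168.20.0/24}"       # admin workstations
# ESI Hosted Services datacenters, as listed in the article.
ESI_NETS="64.94.105.128/25 75.98.35.128/25"

pbx_rules() {
    # Default-drop: anything not explicitly allowed below is discarded,
    # which also keeps HTTP, FTP and SSH closed to the internet.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # SIP (TCP/UDP 5060) only from the datacenters and on-site phones.
    for net in $ESI_NETS $ONSITE_NET; do
        for proto in udp tcp; do
            echo "-A INPUT -s $net -p $proto --dport 5060 -j ACCEPT"
        done
    done
    # ICMP from the datacenters for circuit monitoring and quality testing.
    for net in $ESI_NETS; do
        echo "-A INPUT -s $net -p icmp -j ACCEPT"
    done
    # Management (SSH, HTTPS portal) only from the admin network (assumption).
    echo "-A INPUT -s $MGMT_NET -p tcp -m multiport --dports 22,443 -j ACCEPT"
    # Rate-limited log of other SIP attempts before the DROP policy applies.
    echo "-A INPUT -p udp --dport 5060 -m limit --limit 6/min -j LOG --log-prefix \"SIP-DENY \""
    echo "COMMIT"
}

# Media (RTP) ports are not covered by the article and are left out here.
pbx_rules
```

Pipe the output to `iptables-restore --test` as root to validate the ruleset without committing it.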



Comments (1)
rloftis@twlakes.coop
16 May 2014 04:38 PM
good advice