Course Content - Advanced
Security and Anti-Fraud
Welcome to the online training series from 3CX. This module will take you through the security aspects of 3CX.
In this module we will see the different vulnerabilities which are out there, and see what countermeasures 3CX has and how they are applied.
We will see the various security options 3CX has, to protect the VoIP resources.
Finishing off, we will talk about how to maximise security with 3CX, and in general.
3CX protects itself from fraudulent actions in two ways: through rules, where restrictions may be put into effect to control who has access to certain resources, and through thresholds, where, if these are exceeded, the PBX will take action to prevent further abuse.
Here we can see some of the more common VoIP attacks, hacks or exploits.
Brute force attacks are attempts by attackers to guess their way into your network and PBX. In order to access the PBX, they will need to know the extension number, SIP username and SIP password. They will try to guess the extension numbers and login credentials.
A Denial of Service, or DoS, attack is aimed at preventing the rightful owner of a resource from using said resource.
Dictionary attacks are attempts to use default passwords or simple word passwords to log in to a system.
Password crackers are special software packages designed to methodically attempt to log in to a system using various password combinations.
Attacks don't necessarily need to be from the outside, but could be from within the network, where anyone with access to a switch could possibly take a capture from the network, taking in valuable information, for example, the audio traffic.
Man in the middle attacks are also a possibility where an attacker could spoof their identity to fool a system, to think that they are talking to a legitimate peer, while in the meantime, the attacker is copying the information, while relaying this information to the legitimate peer.
In addition to the possibility of VoIP Attacks, being an internet connected system, 3CX may also be susceptible to HTTP attacks, in the form of man in the middle attacks or attempts to have the management console or RPS system attacked.
Let’s start with the most common method of security breaches: the authentication credentials of the SIP Endpoints.
This is the most common form of breach, as admins may define easy, common, or predictable passwords.
By default 3CX will create a random lowercase alphanumeric Username, or SIP ID and SIP Password.
Security can be further enhanced by increasing the character length to 50 characters and/or adding uppercase characters into the mix as well.
The voicemail system is enabled by default on the extensions and the PIN authentication is, by default, a 4 digit random numeric PIN. This can be increased to 10 characters, to make it more difficult to guess. After 3 failed attempts to log in to the voicemail system, access will be blocked for a period of 2 minutes.
If not needed, the voicemail functionality can be disabled for an extension, to prevent abuse of the system, as voicemail can, if configured, be used for making outgoing calls.
3CX provides various rules sets and thresholds to control and secure its environment.
We will look at these now, and see how the PBX can be configured to protect itself, and its users from malicious attacks and activities.
In addition to the outbound rules, which can restrict who is allowed to make calls, the allowed country codes are a nice feature, where the PBX can limit which countries it is able to make outgoing calls to.
It will use the E164 settings of the PBX to detect the international dialling codes of the countries it is allowed to make calls to.
The dialled number will be matched after being processed, and possibly reformatted by the outbound rule.
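The following added example (a simplified model, not 3CX's own code) shows why the country check has to run on the number after the outbound rule has reformatted it. The E.164 settings, the outbound rule that strips a leading "9", the allowed codes and the dialled numbers are all constructed assumptions.

```python
def apply_outbound_rule(dialled, strip_digits=0, prepend=""):
    """Outbound-rule reformatting: strip leading digits, then prepend."""
    return prepend + dialled[strip_digits:]


def to_e164(number, intl_prefix, national_prefix, country_code):
    """Normalise a dialled string using the PBX's E.164 settings."""
    digits = "".join(ch for ch in number if ch.isdigit() or ch == "+")
    if digits.startswith("+"):
        return digits
    if digits.startswith(intl_prefix):
        return "+" + digits[len(intl_prefix):]
    if digits.startswith(national_prefix):
        return "+" + country_code + digits[len(national_prefix):]
    return "+" + country_code + digits  # local number, no prefix dialled


def destination_allowed(e164_number, allowed_codes):
    # E.164 country codes are prefix-free, so a plain prefix test is enough.
    return any(e164_number.startswith("+" + cc) for cc in allowed_codes)


def check_call(dialled, rule, e164, allowed_codes, after_rule=True):
    """Check the destination either after (correct) or before the rule."""
    number = apply_outbound_rule(dialled, **rule) if after_rule else dialled
    return destination_allowed(to_e164(number, **e164), allowed_codes)


# Constructed settings: a PBX in country 44, "9" dialled for an outside line.
E164 = dict(intl_prefix="00", national_prefix="0", country_code="44")
RULE = dict(strip_digits=1)
ALLOWED = {"44", "49"}

if __name__ == "__main__":
    for dialled in ("902079460958", "90049305550100", "9005355550100"):
        print(dialled,
              "after rule:", check_call(dialled, RULE, E164, ALLOWED),
              "before rule:", check_call(dialled, RULE, E164, ALLOWED, False))
```

The third number is a call to country code 53: checked after the rule it is refused, while a check on the raw dialled digits would mistake it for a local number and let it through.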
Secure SIP can be used to secure the SIP communications between the configured extension end points. TLS certificates will be needed in this case, to be applied to the PBX and the deskphones.
If you are using a 3CX FQDN and certificate, the Secure SIP configuration will automatically be set up, and enabled in the Security section of the PBX.
If you use your own FQDN and SSL certificate, then, you will need to enable Secure SIP in 3CX and enter your certificate and key into the management console.
The IP Phones will need to be configured to communicate over TCP port 5061, which is the default secure SIP port. Provisioning via Secure SIP is expected to be available in a future service pack.
To secure the communications between the PBX and any 3CX clients for Windows, you will need to go to the extension’s “Phone Provisioning” tab and set the 3CX Client SIP Transport mode to TLS.
In addition to the SIP traffic, the audio stream between the configured extensions can also be secured.
Secure RTP, or SRTP, can be configured from within the IP Phones themselves.
For 3CX clients, you will need to change the RTP mode from the Phone provisioning tab of the 3CX client extension to “Only Secure”.
Moving on to the Anti-hacking module of 3CX, which defines the thresholds the PBX will adhere to in order to protect itself.
The first parameter is the failed authentication attempts, which will define how many failed requests the PBX will accept from a particular IP before placing it into the blacklist. By default this is 25, but can be increased or decreased according to the network load. Just don't reduce it too much, so as not to blacklist even legitimate traffic.
When a host tries to register on to the PBX, the PBX will send it a challenge that needs to be responded to. The PBX will then wait for a response. A bogus host will not respond to these challenges. The PBX will subsequently ignore any bogus Register attempts from a particular IP once they exceed a threshold, which is 1000 by default.
You can further secure the PBX by decreasing the number to a recommended minimum of 100.
Let's also have a look at the various security barriers of the PBX. These are designed to protect the PBX against packet floods.
When the PBX detects a packet coming in from a particular IP Address, it will start taking a sampling for the duration of the Green security barrier. By default this is 200 ms.
Depending on the number of packets received within that sampling period, the PBX will take the necessary action.
It will throttle the traffic from this IP Address for 5 seconds, if the amount of received packets exceeds what is defined in the Amber Security barrier configuration.
If the number of packets received within the sampling period exceeds what is defined in the Red Security barrier, then the PBX will place this IP Address into the blacklist for the defined blacklist interval.
The blacklist time interval, by default is 86400 seconds, or 24 hours.
This can be raised to a maximum value of 999,999,999 seconds, which is about 11574 days or 31.7 years. That will give the admin plenty of time to investigate and take action. In the meantime, the PBX will be ignoring requests from this IP Address.
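As an added illustration (a simplified model, not 3CX's implementation), the barrier logic described above can be expressed as a per-IP packet counter over the Green sampling period. The Amber and Red packet counts and all IP addresses are constructed assumptions; the 200 ms, 5 second and 86400 second values are the defaults given in this module.

```python
GREEN_WINDOW_MS = 200         # sampling period (module default)
THROTTLE_MS = 5 * 1000        # Amber: throttle for 5 seconds
BLACKLIST_MS = 86400 * 1000   # Red: default blacklist interval, 24 hours


class BarrierModel:
    def __init__(self, amber, red, allow=()):
        # amber/red are packets per sampling period; the values are assumptions
        self.amber, self.red = amber, red
        self.allow = set(allow)        # IPs set to "Allow": exempt from filters
        self.window = {}               # ip -> (window start, packet count)
        self.throttled_until = {}
        self.blacklisted_until = {}

    def packet(self, ip, t_ms):
        """Classify one packet from `ip` arriving at time t_ms."""
        if ip in self.allow:
            return "accept"
        if t_ms < self.blacklisted_until.get(ip, 0):
            return "drop"
        start, count = self.window.get(ip, (t_ms, 0))
        if t_ms - start >= GREEN_WINDOW_MS:   # sampling period over, restart
            start, count = t_ms, 0
        count += 1
        self.window[ip] = (start, count)
        if count > self.red:
            self.blacklisted_until[ip] = t_ms + BLACKLIST_MS
            return "drop"
        if count > self.amber:
            self.throttled_until[ip] = t_ms + THROTTLE_MS
        if t_ms < self.throttled_until.get(ip, 0):
            return "throttle"
        return "accept"


def burst(model, ip, n, spacing_ms, start_ms=0.0):
    """Send n evenly spaced packets; return the action for the last one."""
    action = None
    for i in range(n):
        action = model.packet(ip, start_ms + i * spacing_ms)
    return action


if __name__ == "__main__":
    m = BarrierModel(amber=50, red=200, allow={"192.0.2.10"})  # constructed
    print("phone  ", burst(m, "10.0.0.5", 10, 20))        # normal signalling
    print("noisy  ", burst(m, "198.51.100.7", 60, 2))     # over Amber
    print("flood  ", burst(m, "203.0.113.9", 300, 0.5))   # over Red
    print("allowed", burst(m, "192.0.2.10", 300, 0.5))    # exempt from filters
```

The last line shows the cost of an Allow entry: the same flood that gets another address blacklisted passes untouched.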
The IP blacklist will be populated when the Anti Hacking criteria have been met and any IPs added here, will remain for the duration of the Global Blacklist time interval.
In addition to automatically populating the IP Blacklist, you can also add IPs or IP ranges manually. When adding IP Ranges, this will be based on network addresses and subnets.
You may also use the IP Blacklist to add IPs that will not be blacklisted, no matter what requests they may be sending. You will need to set the action to Allow, in order for this to take effect.
While it is recommended to whitelist your trusted static IPs, and we do stress the fact that these will need to be static, don't whitelist IPs blindly, as the whitelisted IPs are exempt from all anti-hacking filters.
Also, while it is a good practice to place malicious IPs into the blacklist, avoid blacklisting large IP ranges. It is preferable to place these into the Access Control List of the firewall, so that this malicious traffic does not even enter your network.
The Management Console login screen will be exposed to the internet, as it works on the same port as the web provisioning ports of the PBX.
An IP address will be blacklisted if the authentication has failed after 3 attempts. The anti-hacking parameter for failed authentications will not be used in this case.
If the administrator enters the admin username/password incorrectly, the forgot password prompt will show after the 2nd failed login attempt. This will send the admin login password to the first specified admin email address. This link will only be shown when the password is entered incorrectly for the ADMIN account, not any other account.
Logging in from the local host will not blacklist the IP as it is always exempt.
As with all passwords, not just with 3CX, it is recommended to change passwords regularly, and keep them complex.
When a remote extension attempts to log in from the internet, the PBX will request a Username and Password. This will be matched with the MAC address of the configured extension and if all 3 authentication parameters match, the PBX will allow the extension to be configured.
This will also be subjected to a 3 attempt limit before being blacklisted, for the duration of the global blacklist interval.
The 3CX Certificates issued by Let’s Encrypt are trusted certificates and therefore on your browser you will see that a secure connection is established.
Avoid using self-signed certificates. 3CX certificates are provided at no additional cost, so self-signed certificates are no longer required.
If you opt to use your own SSL certificates, ensure that they are trusted and that they are supported by the IP Phone manufacturer of your choice.
If the phone manufacturer does not support them, a secure connection will not be possible, and the phones will not download a configuration file from the PBX.
Attempting to connect to a PBX with an invalid certificate will give a warning in your browser alerting to an insecure connection. Any browser warnings should be investigated. It may be a matter of your certificate having just expired, but it is always good to be vigilant.
Finishing off, let's talk about security in general.
I mentioned earlier that it is recommended to use your firewall’s access control list for filtering malicious traffic into the network. Always attempt to block attacks from as close to the source as possible, possibly even engaging your ISP to filter these from their network as well.
Use the 3CX tunnel for your communications as much as possible and allow communication over the SIP port solely from your VoIP provider's network. This can even be defined in your firewall as well, thus blocking any malicious scans on the SIP port, especially if this is on 5060.
Therefore all your remote extensions could be through the SBC and your 3CX clients could be coming in through the tunnel port.
Some companies already have VPN infrastructure in place, and if this is the case we do encourage you to use your VPN capabilities. VoIP traffic will not be exposed to the internet and since the 2 networks will be communicating on a private IP basis, this will allow for your remote phones to be provisioned as local extensions.
Thank you, and goodbye!