Collapsing dominos - Disaster Recovery Plan

Throughout the world, very sophisticated methods are used to bring companies and governments to a grinding halt, typically by compromising networks and by distributed denial of service (DDoS) attacks. The recent DDoS attack on several VoIP providers, including Bandwidth.com, is an opportunity and a reminder to review your current PBX setup(s). We will outline some steps that will help you secure and lock down your 3CX against malicious assaults, then cover some features you should consider implementing so that your business can continue to function during an outage.

Recent attack on Bandwidth.com

A DDoS attack is an attempt to interfere with the normal operation of an online service, such as a website, network or application, by overwhelming it with a flood of automated requests sent from many sources at once. Bandwidth's reason-for-outage report stated:

This is not over. These attacks are continuing across the industry, targeting enterprises and providers alike as the move to the cloud continues.

The time to act is now! Put a disaster recovery (DR) plan in place so that you are prepared if your provider (hosting or SIP) goes offline, for whatever reason.

Step 1: Secure your 3CX

One of the very first steps to take is to look inwards. How is your current 3CX application hosted and secured?

Hosting/Operating System

3CX can be deployed in a wide range of locations, including on-premises, hosted by 3CX, other cloud providers and even on a Raspberry Pi. We cannot cover every environment, but the key points are:

  1. Choose your provider wisely - consider whether your cloud provider has a good SLA record in addition to providing information on how the network is built and maintained.
  2. Keep the OS up to date - this is one of the most important elements. It can be time-consuming, but keeping the operating system patched closes known vulnerabilities before attackers can use them against you. To ease this process, enable auto-updates in the 3CX management console and the OS will be kept up to date automatically.

Lock it down

Wherever possible, your 3CX should be locked down. Some areas to consider are:

  • Start by implementing VoIP security during the design stage
  • Ensure a suitable firewall is in place and configured correctly. Read more on our firewall config guide
  • Implement OAuth flows for best practice security
  • Choose strong and unique passwords for IP phones, admin interface and web clients
  • Segregate voice and data networks where possible and reduce exposure to non-trusted networks
  • Make use of an intrusion detection system
  • Monitor network usage
  • Harden the OS and keep it up to date
  • Keep your phone firmware up to date
  • Use the 3CX Global Blacklist

Each of these steps is explained in more detail in our VoIP Security Guide.
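Several items in the list above (an intrusion detection system, monitoring network usage, the Global Blacklist) come down to the same thing: noticing a source that is guessing extension credentials or scanning for valid extensions, and blocking it before it succeeds. The script below is an added example written for this article, not 3CX code, and it reads a constructed, simplified log format (timestamp, method, source IP, target user, SIP result code) rather than 3CX's own log layout. It applies a sliding window per source IP and flags two patterns: repeated authentication failures against one account, and failures spread across many accounts (extension enumeration). The point practitioners most often get wrong is also handled: a 401 is the normal digest challenge every phone receives before it retries with credentials, so it is not counted as a failure; 403 and 404 are.

```python
"""Sliding-window detection of SIP credential guessing and extension scanning.

Added example, not 3CX code. The log format below is a constructed,
simplified one, not 3CX's own; adapt LOG_RE to whatever your PBX or
SBC actually writes.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<method>REGISTER|INVITE) from (?P<ip>[0-9.]+) "
    r"user=(?P<user>\S+) result=(?P<code>\d{3})$"
)

# 401 is the normal digest challenge a phone gets before it retries with
# credentials, so it is NOT a failure. 403 (bad credentials) and 404
# (unknown extension) are what guessing and scanning produce.
FAILURE_CODES = {403, 404}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["code"] = int(ev["code"])
    return ev


def detect_abuse(lines, fail_threshold=5, window_seconds=60,
                 user_threshold=3, trusted=("10.0.0.0/8",)):
    """Return {source_ip: reason} for sources that should be blacklisted.

    trusted: networks that are never flagged (your own phones, your SIP
    carriers), so one misconfigured handset cannot get your own site blocked.
    """
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    recent = defaultdict(deque)     # ip -> timestamps of failures inside the window
    users_seen = defaultdict(set)   # ip -> distinct users it has failed against
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["code"] not in FAILURE_CODES:
            continue
        ip = ev["ip"]
        if any(ipaddress.ip_address(ip) in net for net in trusted_nets):
            continue
        q = recent[ip]
        q.append(ev["ts"])
        # Slide the window: discard failures older than window_seconds.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        users_seen[ip].add(ev["user"])
        # setdefault keeps the first reason that fired for a given source.
        if len(users_seen[ip]) >= user_threshold:
            flagged.setdefault(ip, f"extension enumeration: {len(users_seen[ip])} distinct users")
        if len(q) >= fail_threshold:
            flagged.setdefault(ip, f"{len(q)} auth failures within {window_seconds}s")
    return flagged


# Constructed sample log: one legitimate phone (challenge then success),
# one scanner walking extensions, one brute-forcer on a single extension,
# and one source with two widely spaced failures that should not be flagged.
SAMPLE_LOG = """\
2021-09-28 10:15:01 REGISTER from 10.0.0.21 user=1001 result=401
2021-09-28 10:15:01 REGISTER from 10.0.0.21 user=1001 result=200
2021-09-28 10:15:03 REGISTER from 203.0.113.45 user=100 result=404
2021-09-28 10:15:04 REGISTER from 203.0.113.45 user=101 result=404
2021-09-28 10:15:04 REGISTER from 203.0.113.45 user=102 result=404
2021-09-28 10:15:05 REGISTER from 203.0.113.45 user=103 result=404
2021-09-28 10:15:05 REGISTER from 203.0.113.45 user=104 result=404
2021-09-28 10:15:06 REGISTER from 203.0.113.45 user=105 result=404
2021-09-28 10:15:20 INVITE from 198.51.100.7 user=1001 result=403
2021-09-28 10:15:21 INVITE from 198.51.100.7 user=1001 result=403
2021-09-28 10:15:22 INVITE from 198.51.100.7 user=1001 result=403
2021-09-28 10:15:23 INVITE from 198.51.100.7 user=1001 result=403
2021-09-28 10:15:24 INVITE from 198.51.100.7 user=1001 result=403
2021-09-28 10:15:30 REGISTER from 192.0.2.200 user=1002 result=403
2021-09-28 11:40:00 REGISTER from 192.0.2.200 user=1002 result=403
"""

if __name__ == "__main__":
    for ip, reason in detect_abuse(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip}: {reason}")
```

Run against the sample, the scanner (203.0.113.45) and the brute-forcer (198.51.100.7) are reported and the two isolated failures from 192.0.2.200 are not. The output is the input to whatever blocking you use (the 3CX blacklist, a firewall drop rule, fail2ban); keep the trusted networks list current, because a blocklist that can be tripped by your own handsets is itself a denial-of-service risk.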

Use the 3CX Academy

We recommend you take a moment to review the Security & Anti-Fraud pre-recorded webinar hosted by 3CX Technical Trainer, Nicholas Paras.

Step 2: Make a Disaster Recovery Plan

Now that the PBX has been secured where possible, the next step is to create a DR plan. We will not create your DR plan for you, as every business is different, but we will list some steps and features that can be considered and put into action.

The 3-2-1 rule

Keeping a regular backup of your 3CX configuration data is a must. But how far do you go with it? The 3-2-1 rule is a good start.

  • You should always have 3 copies of your data
  • On 2 different media (e.g. cloud storage and local disk/tape)
  • With 1 copy off-site

Alternative SIP carrier

Much like putting all your eggs in one basket, relying on a single SIP carrier gives you an immediate single point of failure. Consider purchasing a SIP trunk from a different carrier that can be used in the event of an issue. Many carriers have a customer portal that allows diverts to be set, so inbound calls to your primary numbers can be forwarded to numbers on the backup trunk; set these up and test them in advance, because during an outage the carrier's portal may itself be unreachable. For outbound calls, 3CX outbound rules can list the backup trunk as an additional route so that calls fall back to it, and you should configure the rule to present the correct caller ID when dialling out over it.
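A backup trunk is only useful if you know when to switch to it, and 3CX's own registration status is not visible to the monitoring you use for the rest of your estate. The script below is an added example for this article, not 3CX code: it sends a SIP OPTIONS request (the standard keep-alive probe from RFC 3261) to each carrier's proxy, classifies the reply, and picks the first healthy carrier in preference order. The carrier hostnames are placeholders, the local address in the request headers is a documentation address, and the network probe only runs when the script is executed directly; the parsing and decision logic are pure functions you can exercise with captured responses.

```python
"""SIP OPTIONS health probe for a primary and a backup carrier.

Added example, not 3CX code. The carrier hostnames are placeholders and the
UDP probe is only exercised when the script is run directly.
"""
import socket
import uuid


def build_options(host, port, local_ip="192.0.2.10", local_port=5060, from_user="monitor"):
    """Build a minimal SIP OPTIONS request (RFC 3261) addressed to host:port."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]   # RFC 3261 magic cookie + unique branch
    lines = [
        f"OPTIONS sip:{host}:{port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch};rport",
        f"From: <sip:{from_user}@{local_ip}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{host}:{port}>",
        f"Call-ID: {uuid.uuid4().hex}@{local_ip}",
        "CSeq: 1 OPTIONS",
        "Max-Forwards: 70",
        f"Contact: <sip:{from_user}@{local_ip}:{local_port}>",
        "Accept: application/sdp",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_status(response):
    """Return (code, reason) from a SIP response status line, or None if it is not one."""
    first = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def classify(status):
    """Map a probe result to a health state.

    Any response, including 401/403/405, proves the carrier's signalling edge
    is reachable and answering. A 5xx (e.g. 503 Service Unavailable) means it
    is reachable but refusing service. No parseable response means down.
    """
    if status is None:
        return "down"
    code = status[0]
    return "degraded" if 500 <= code < 600 else "up"


def probe_trunk(host, port=5060, timeout=2.0):
    """Send one OPTIONS over UDP and return the parsed status, or None on timeout/error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_options(host, port), (host, port))
            data, _ = s.recvfrom(4096)
        except (socket.timeout, OSError):
            return None
    return parse_status(data)


def choose_carrier(health, preference):
    """Return the first carrier in preference order that is up, else the first
    that is merely degraded, else None when every route is down."""
    for wanted in ("up", "degraded"):
        for name in preference:
            if health.get(name) == wanted:
                return name
    return None


if __name__ == "__main__":
    # Placeholder hostnames: substitute your carriers' SIP proxies.
    carriers = {"primary": ("sip.primary.example", 5060),
                "backup": ("sip.backup.example", 5060)}
    health = {name: classify(probe_trunk(h, p)) for name, (h, p) in carriers.items()}
    print(health, "->", choose_carrier(health, ["primary", "backup"]))
```

Run it from a monitoring host every minute and alert when the chosen carrier changes. Two caveats apply: a carrier answering OPTIONS proves signalling is reachable, not that media will flow, so pair it with a scheduled test call; and if your carrier only accepts traffic from your PBX's registered IP, the probe must be sent from a host the carrier will answer.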

Alternative connectivity

Like the SIP carrier, if you host your PBX on-site you need to think about your internet service provider, who is also subject to attacks and outages. Consider an alternative WAN connection from a different carrier and, where possible, over a completely different medium, so that a single fault or attack cannot take down both links. For example, if your primary WAN connection is fibre to the cabinet (FTTC), you could add a 4G or 5G mobile WAN connection for failover.

Communicate with your customers

If you do not have a 2nd SIP trunk carrier or have decided that the additional cost is not feasible to you, then you can still make use of other communication mediums. All of the below are included with the 3CX subscription so it’s a complete no-brainer to get set up well in advance of any future issues, plus they will help the business now, and not just in the event of an emergency.

Live Chat - No matter the nature of your business, this tool can be a massive asset. By incorporating Live Chat into your website, you can instantly offer customers and suppliers direct communication with their desired department or team. With the new release of version 18, Live Chat now offers an instant Live Call facility, meaning that visitors to your site can call you directly from their browser. This has the added bonus that the call is carried over WebRTC to your PBX rather than over the SIP trunk, so it remains available during a carrier outage, provided the PBX itself and its internet connection are up.

Click2Talk - Switch on Click2Talk to allow callers to contact your extension or queue directly. In the event of a SIP carrier outage, you can always email your customers a C2T link which will allow them to call you directly, again via their browser and with no extra software requirements.

Click2Meet - Much like Click2Talk, C2M allows someone to set up a direct ad-hoc video conference with you.

Facebook Messenger - Facebook is a great way to communicate directly with your customers en masse, in real-time. You can post updates about the situation and advise they can still contact your agents directly via the messenger facility. This will bring visitor chats directly into your configured destination, whether it be an individual or a queue of agents.

Business SMS - OK, so this is the only one that is going to cost extra. You will need to get set up with one of the supported business SMS carriers. However, implementing SMS into your 3CX platform is going to offer yet another medium of communication into and out of your business.

Not every peg fits

As with all suggestions, they are exactly that…suggestions. A square peg does not fit a round hole, so not every part of this article will be suitable for every installation. Administrators should always apply all common IT security practices to restrict unauthorised access to the system.

It is of paramount importance to take the time, before an issue occurs, to sit down and work through logically what your disaster recovery plan needs to contain. If you already have one (well done!), there may be elements or features covered here which can be used to update it.

Now is the time to make sure your 3CX is as secure as possible and you have a solid and well documented DR plan.