Disaster Recovery

Disaster Recovery for VoIP Businesses

Disaster recovery options are vital when implementing business communications.  IPComms provides safeguards to your SIP and VoIP services such as automatic fail-over routing and dynamic load-balancing to ensure your business remains operational even in the event of a disaster or network failure.  These services are provided at no additional cost, and can be the difference between success and failure when it comes to operating a business.

 

Basic Routing

Most IPComms services are based on basic SIP/VoIP call delivery.  We can deliver calls using a SIP URI or directly to an IP Address (with authentication). 

PSTN Forwarding

All of our inbound phone numbers can be forwarded to a standard mobile or land-line phone. You can forward your calls to any of your existing phone numbers (mobile, landline, or PBX). Change your forwarding settings anytime with our online account management system.

Load-Balancing

With dynamic load-balancing, calls are routed evenly between two endpoints automatically. VoIP calls can be distributed between multiple call centers via SIP trunks or alternatively calls can be routed to a PSTN destination (forwarded to another phone number). Load balancing alleviates calling traffic congestion on a single phone system by automatically routing calls between multiple VoIP endpoints.  Load-balancing is an effective way to manage your call volume and distribution during peak operation times.  

SIP Trunking Load Balancing

Automatic Fail-Over Routing

In the event of a service disruption on the network, our dynamic fail-over solution is designed to redirect voice traffic to a separate business destination automatically. If your primary data connection (such as the Internet or wide area network) fails, traffic is automatically rerouted to an alternate location that you specify. We can also re-route your calls to a PSTN destination (e.g. mobile phone, P.O.T.S line, home phone, etc.) if you wish.  Dynamic fail-over trunking ensures your business communications will continue even if your primary SIP gateway goes down (IP outage, power loss, etc.).

SIP Trunking Fail-Over Routing

VoIP Fail-over Protection

Route your calls to a secondary location in case of an emergency.

You never know when disaster will strike. Power failures and internet outages due to weather, construction or natural emergencies are always a possibility.  You hope these events will never occur, but as a business operator, it's important that you make preparations just in case they do.

Putting your business phone system in the Cloud gives your business communications the security they need.  Unlike traditional phone systems, with PBX fail-over protection, you have the ability to route calls to alternate phones in any location in the event of any type of service interruption (e.g. internet outage, power failure, weather, etc.). You can route calls to your mobile phones, phone lines in remote offices, or directly to employee home phones.  So rest assured, with MyOffice PBX, your business communications are in good hands.

What is Telecom Fraud?

Plain and Simple.  Telecom fraud is theft!

So, you just received your monthly phone bill from your phone service provider.  What you expect to see is a total somewhere around 30 or 40 bucks.  However, to your amusement, you read "Total Due: $84,534.00" at the bottom of the bill.  After a lengthy conversation with a department that you didn't even know existed until now, "The Fraud Management Department", you are informed that the bill is accurate: your IP PBX has placed more than 100,000 minutes of outbound calls to Cuba and North Korea.  Furthermore, they want to know when and how you plan to pay.

Unfortunately, the scenario described above is not fictional and in no way exaggerated; if anything, it is understated.  As with anything connected to the public Internet these days, VoIP-based phone systems are the ultimate find for internet thieves.  Actually, it is probably more accurate to label this activity as Organized Crime due to the amount of sophistication and organization that is needed to carry out these big hits with so much damage, so quickly.  Telecom fraud has become increasingly common due to the growing popularity of IP PBXs.

Unfortunately, this problem is only getting worse and continues to greatly impact VoIP service providers as well as individual businesses that operate through IP PBXs or Hosted Phone Systems. As the cost of ownership of IP PBXs decreases or even becomes free in the case of systems like Asterisk and 3CX, the number of systems being placed on the public Internet also increases.

How does it happen?

Most commonly, hackers find holes in IP PBXs that are connected to the public internet by using SIP scanners and exploiting system weaknesses.  Typically these are default passwords being left in place, extensions being left unsecured, open SIP ports, or incorrectly managed or non-existent firewalls.  All of these are relatively easy to fix, and the fixes are usually free.  However, security is usually the last thing on the mind of your system integrator or that part-time PBX-Guru/buddy of yours that installed a free version of Asterisk for you (absolutely nothing wrong with Asterisk by the way!).  Once these hackers enter your system, they move quickly.  They operate undetected and terminate as many calls to the most expensive locations possible for as long as it takes for you or your service provider to recognize that your system just passed over a million calls to Cuba and North Korea. Never mind your issues with the State Department, you now have a $90K+ phone bill on your hands.  And yes, your service provider will expect payment in full!

What is my responsibility?

While your service provider may actively monitor its network for suspicious activity and traffic patterns, it is ultimately the responsibility of the customer to protect their own network.  Customers are responsible for all charges associated with their account whether fraudulent or not. It is the customer’s sole responsibility to take immediate action to prevent or block any fraudulent use.  As the IP PBX owner, you are responsible for the security and administration of your phone system.  This includes both physical security of the system and phones, as well as passwords, pins, remote users and network security.  Your service provider may have systems in place to help detect and notify you of hacking attempts and fraud as a courtesy, but you are responsible for any charges incurred.

What can I do to protect my business?

It is not an impossible task to secure your IP PBX from the top 99.9% of all intrusion attempts and minimize the damage done by any intruder that sneaks past your security.  Remember, hackers are lazy (otherwise they'd have a real job!); they are not going to spend hours trying to hack a system when they can just move on to another that is wide-open.

 

Summary:

Here are some easy-to-implement procedures to help protect your IP PBX from intruders:

Be sure that your IP PBX and your network are secure and limited only to those with appropriate access permissions.

Never, never, never use the default passwords on any system.

Never use the same Username and password on your extensions.

Place your PBX behind a firewall

Make it private – NAT is your friend!

Keep inbound and outbound routing separate (asterisk)

Limit registration by extensions to your local subnet.

Disable channels and services that are not in use

Make it harder for SIP scanners

Limit and restrict routing and phone number dial plans

Audit your system security regularly

For a complete list of security steps, please see (11 steps to secure your IP PBX).

 

11 Steps to Secure your PBX


Don't be a victim of telecom theft

If you are reading this, you're probably like most of us... after many hours, or even several days of downloading software, setting up servers, configuring trunks, and cracking open firewall ports, you finally achieve success - your PBX is working, and calls are passing.   So, you wipe the sweat from your forehead, push away your ergonomic mesh-backed office chair (with lumbar support), and walk away pleased - not giving a second thought to security.  Until one day, you log into your PBX and see the skull-and-boned call sign of a hacker that has decided to pay your perfectly running PBX a visit.

 

As a SIP trunking provider, our support team at IPComms sees this very scenario much more than we’d like to.  The lucky PBX owners are only faced with hours of downtime and a complete system rebuild.  However, unlike getting your personal computer hacked, a hack of your business PBX gives the unscrupulous instant access to your virtual wallet via what is known as toll fraud.

Using toll fraud, a well-informed hacker can siphon thousands of dollars in as little as one night while you sleep blissfully.  With heavy volumes of wholesale phone traffic at the ready, a single hacked PBX can transmit thousands of minutes worth of phone calls to destinations with calling rates as high as five bucks a minute or more!  

Scared yet?  Well, you should be, especially if you have just downloaded, installed and SIP "trunked" your new Asterisk PBX server without implementing even basic Asterisk PBX security.  Trust us, it's not a question of if your PBX will be hacked, it's just a matter of how long it will be before it happens!  So, why not take a few minutes and finish your Asterisk PBX installation by performing some relatively simple PBX security that could pay off big in the long run? Ever heard the old adage, "An ounce of prevention is worth a pound of cure"?  Well, that author was undoubtedly referring to PBX security!

PBX security - is not rocket science

Hopefully, you’re here proactively, and not after the damage has been done.  But, if not, at least you have learned your lesson and plan to do things right this time.

While PBX security, like most other security, requires constant attention and is a continuous work-in-progress, there are some basic common-sense steps that you can perform that will safeguard your system from the most common of attacks. 

As mentioned in our “What is Telecom Fraud” blog, most hackers are not looking for a long drawn out hack and would much rather move on to easier targets if you would only put up a little fight.  So we’ve put together a list of “11 steps to secure your Asterisk® PBX”.  While this list speaks directly to Asterisk PBX owners, many of the steps can easily be carried over to most other IP PBX (VoIP) manufacturers.

 

Here are the 11 Steps to Secure your Asterisk PBX

  1. Physically secure your IP PBX and network hardware.
    Physical security is critical and commonly overlooked. Be sure access to your hardware is limited to those who have appropriate access permissions, actually require access and, most importantly, know what they are doing!  We techs like to play around with stuff, but that's why we have labs.

  2. Never, Never, Never use the default passwords on any system. (Use Strong Passwords)
    If you are truly concerned about PBX security, you will take this one piece of advice seriously!  Password security is easy and by far the best way to stop the top 99% of all hacks as it is easily the most common way hackers enter IP PBX systems.

    When installing your IP PBX, the very first step should be to replace both the username and passwords of any account with administrator access. Secondly, when creating user accounts, be sure not to use or allow easy to guess passwords like “1234”, “password”, “companyname1” etc.  

    Also, be sure to use a strong and unique password.  This can't be stressed enough.  As tempting and simple as it may be to use your business name with a single digit added to the end of it, don't do it.  You would be surprised what these password detectors can figure out with just a little information. 

  3. Never use the same username and password on your extensions.
    This is another VERY common issue, especially within the Asterisk community.  Using password 101 for extension 101 is asking for big trouble.  DON’T DO IT!

    An example of what NOT to do on your extensions: 
    ; sip.conf  
    [101] 
    username=101 
    secret=101
    host=dynamic 

  4. Place your PBX behind a firewall
    Let’s face it, working on your PBX from home or allowing co-workers access to the system remotely is necessary and often unavoidable.  However, doing it correctly can be the difference between security success and total and utter failure.  VPNs are a good way to limit access and enable co-worker remote management. Placing your PBX behind a firewall and restricting remote access to your IP PBX to specific IP addresses will greatly discourage even the most determined hacker.  While hardware firewalls typically provide the most security, software firewalls can be just as effective and much cheaper (many are free).

    Firewalls, of course, are only as good as the rules defined within them.  So be sure to only activate ports that are absolutely essential to run your PBX. Block anonymous WAN requests (P-I-N-G).  Let's face it; if they can find you, they can hack you.

    When possible, place your IP PBX on a LAN with Network Address Translation (NAT).  NAT basically gives your IP PBX a private IP address and makes it much more difficult to gain access to from the internet.  While it may be tempting to simply disable NAT for simplicity (especially when you run into that pesky one-way audio issue), don't do it.  Take the time to set it up correctly, and you'll be glad you did.

  5. Use the “permit=” and “deny=” lines in sip.conf
    Use the “permit=” and “deny=” lines in sip.conf to allow only a small range of IP addresses to reach each extension/user defined in your sip.conf file. This holds even if you decide to allow inbound calls from “anywhere” (default): those callers still cannot reach any authenticated elements!

  6. Keep inbound and outbound routing separate (asterisk)
    This is probably the biggest cause and source of toll fraud.  By keeping your inbound call routing in a different context than your outbound routing, if an intruder does happen to make it into your system, he can’t get back out again.  

  7. Limit registration by extensions to your local subnet.
    Restrict the IP addresses from which your extensions can register to the local subnet.  Asterisk PBXs can use the ACL (permit/deny) in sip.conf to block IP addresses.  This can fend off brute-force registration attempts.


  8. Disable channels and services that are not in use
    Disable channels that you aren’t using like skinny and MGCP.  For Asterisk PBXs, you can “unload” these modules in the /etc/modules.conf file like this:

    noload => chan_mgcp.so
    noload => chan_skinny.so 
    noload => chan_oss.so

  9. Make it harder for sip scanners (Set “alwaysauthreject=yes” )
    Set “alwaysauthreject=yes” in your SIP configuration file. This prevents Asterisk from telling a SIP scanner which extensions are valid: authentication requests on existing usernames are rejected with the same rejection details as requests on nonexistent usernames.  If they can't find you they can't hack you!

    Another way to make it hard for SIP scanners is to install a SIP port firewall.  This will block “scanning” of port 5060 and 5061 and can disable the attempting endpoint for a specific time when it detects a violation.


  10. Limit and restrict routing and phone number dial plans
    Restrict calling to high-cost calling destinations and don’t allow calling to 0900 + Premium numbers.

  11. Audit your system security regularly
    Once you’ve reached this point, it's not a bad idea to put your Hacker hat on, and have a try at your own system.  Think like a hacker and try to look for weaknesses or holes in your system security.  It is a good idea to review your system security regularly.  Don’t sleep on security… you can guarantee that thieves aren’t.
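For the regular audit in step 11, the sip.conf checks from steps 2, 3, 5, 7 and 9 can be scripted. The following is an added example, not IPComms or Asterisk code; the sample configuration, the 12-character minimum and the function name are assumptions made for illustration.

```python
import configparser

# Constructed sample sip.conf (not from a real system): [101] repeats the
# "what NOT to do" peer from step 3, [102] is a hardened peer with an ACL.
SAMPLE_SIP_CONF = """
[general]
context=inbound
alwaysauthreject=no

[101]
username=101
secret=101
host=dynamic

[102]
username=102
secret=vT7qLm2xR9pWz4kD
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""

WEAK = {"1234", "password", "companyname1"}  # guessable examples named in step 2


def audit_sip_conf(text):
    """Return sorted (section, finding) pairs for steps 2, 3, 5/7 and 9."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None,
                                    comment_prefixes=(";",),
                                    inline_comment_prefixes=(";",))
    cfg.read_string(text)
    findings = []
    # An absent setting is reported too, so the value is explicit in the file.
    if cfg.get("general", "alwaysauthreject", fallback="no").strip().lower() != "yes":
        findings.append(("general", "alwaysauthreject is not yes (step 9)"))
    for name in cfg.sections():
        if name == "general":
            continue
        peer = cfg[name]
        secret = peer.get("secret", "")
        if secret in (name, peer.get("username", name)):
            findings.append((name, "secret equals extension/username (step 3)"))
        elif secret.lower() in WEAK or len(secret) < 12:  # 12 is an assumed minimum
            findings.append((name, "weak or short secret (step 2)"))
        if not (peer.get("deny") and peer.get("permit")):
            findings.append((name, "no deny=/permit= ACL (steps 5 and 7)"))
    return sorted(findings)
```

On the constructed sample this reports three findings: the `[general]` setting and two for peer 101, while peer 102 passes.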

The above steps mainly focus on PBX calling and traffic security and do not cover topics related to software protection (e.g. protection against Spyware, Trojans or viruses).   These are also very important and should also be taken into consideration when securing & protecting your PBX.
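Steps 6 and 10 can be checked the same way: given a dial plan, confirm that the context your trunk lands in cannot reach outbound patterns and that premium prefixes match nothing. This is an added example, not IPComms or Asterisk code; the context names, the constructed sample dial plan and the function names are assumptions, and only the common pattern characters are handled.

```python
import re

# Constructed sample extensions.conf (not from a real system). Context names
# are assumptions; "inbound" is where calls from the SIP trunk arrive.
SAMPLE_DIALPLAN = """
[inbound]
exten => 4045551000,1,Dial(SIP/101)

[internal]
exten => _1XX,1,Dial(SIP/${EXTEN})
include => outbound

[outbound]
exten => _1NXXNXXXXXX,1,Dial(SIP/provider/${EXTEN})
exten => _011.,1,Dial(SIP/provider/${EXTEN})
"""

def parse_dialplan(text):
    """Map context -> {'patterns': [...], 'includes': [...]}."""
    plan, ctx = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        if line.startswith("[") and "]" in line:
            ctx = plan.setdefault(line[1:line.index("]")], {"patterns": [], "includes": []})
        elif ctx is not None and "=>" in line:
            key, value = (part.strip() for part in line.split("=>", 1))
            if key == "exten":
                ctx["patterns"].append(value.split(",", 1)[0])
            elif key == "include":
                ctx["includes"].append(value)
    return plan

def pattern_matches(pattern, number):
    """Asterisk pattern: X=0-9, Z=1-9, N=2-9, '.'=one or more, '!'=zero or more."""
    if not pattern.startswith("_"):
        return pattern == number  # no leading underscore means a literal extension
    table = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]", ".": ".+", "!": ".*"}
    regex = "".join(table.get(ch, ch if ch in "[]-" else re.escape(ch)) for ch in pattern[1:])
    return re.fullmatch(regex, number) is not None

def can_dial(plan, context, number, seen=None):
    """True if number matches a pattern in context or in any context it includes."""
    seen = seen or set()
    if context in seen or context not in plan:
        return False
    seen.add(context)
    return (any(pattern_matches(p, number) for p in plan[context]["patterns"])
            or any(can_dial(plan, inc, number, seen) for inc in plan[context]["includes"]))
```

Because the outbound context lists only the patterns it allows, a number such as one starting with 0900 matches nothing, and `can_dial(plan, "inbound", ...)` turning true for an international number means inbound and outbound routing are no longer separate.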

Did you know...

By switching to a cloud-based PBX service, you can make the 11 steps to secure your IP PBX someone else's responsibility.  Learn more about cloud-based PBX services.

 
