Disclaimer: Switchvox is not a security appliance. While Switchvox does provide tools such as Access Control and the ability to block IPs after multiple failed logins, the main function of Switchvox is as a PBX. Therefore, we recommend that you implement a firewall or another intruder protection and detection system to restrict access to Switchvox.
Switchvox offers a set of tools to help protect Switchvox from unwanted access, and we offer the following recommendations for network teams to help protect the Switchvox server:
...
Please review the Access Control Rules on your firewall and on Switchvox. We recommend that you limit external access to Switchvox, allowing only the required ports and services listed here.
Access Control rules should only allow services that are needed by that particular network. For example, your VoIP provider does not need Web Portal services at all, so those services should not be enabled if you set up an Access Control Rule for the provider.
If you are using the Sangoma Connect Mobile app, you will require SIP traffic for the All Networks rule. In this scenario, we recommend that you install an SSL certificate from a trusted authority, and use the SIP Transport TLS/SRTP. Encryption not only increases your security but also bypasses any connection issues created by routers with improper SIP ALG implementations. (Your extension's phone settings do not default to Transport TLS/SRTP, so this requires a change to the default.) Encrypted calls use more hardware resources, so be sure that you have the resources available. Encrypting your calls could use up to 20% more of your hardware resources than unencrypted calling.
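The two checks above (no unneeded services per network, and TLS/SRTP when SIP is open to All Networks) can be run as a quick audit over a written-down copy of your rules. This is an added example, not Switchvox code: the rule fields, role names, and service names are hypothetical, and the sample rules are constructed.

```python
import ipaddress

# Services each kind of peer needs. Assumption for this example; adjust to your site.
NEEDED = {
    "provider": {"sip"},
    "lan": {"sip", "web_portal", "provisioning"},
    "mobile_app": {"sip"},
}


def audit(rules):
    """Return (rule name, finding) tuples for rules that allow more than needed."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["network"], strict=False)
        allowed = set(rule["services"])
        # An unknown role needs nothing, so every service on it is reported.
        excess = allowed - NEEDED.get(rule["role"], set())
        for svc in sorted(excess):
            findings.append(
                (rule["name"], f"service '{svc}' not needed by role '{rule['role']}'")
            )
        # Prefix length 0 covers every address: SIP there should use TLS/SRTP.
        if net.prefixlen == 0 and "sip" in allowed and rule.get("sip_transport") != "tls":
            findings.append((rule["name"], "SIP open to all networks without TLS/SRTP"))
    return findings


# Constructed sample rules (hypothetical field names, documentation address ranges).
SAMPLE_RULES = [
    {"name": "Office LAN", "role": "lan", "network": "192.168.10.0/24",
     "services": ["sip", "web_portal", "provisioning"]},
    {"name": "VoIP provider", "role": "provider", "network": "203.0.113.0/28",
     "services": ["sip", "web_portal"]},
    {"name": "All Networks", "role": "mobile_app", "network": "0.0.0.0/0",
     "services": ["sip"], "sip_transport": "udp"},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```
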
...
Rather than set up Switchvox in a DMZ, please review How do I set up my network for Switchvox and only enable the ports that your Switchvox requires to operate.
...
In Phone-Extension Fields > click on Profile Information tab > Field to modify > click and select: Force Change of password on next login > click Next
Save Modifications.
NOTE: If the users never log in to their extension using a web browser, the admin should change the password on each extension manually (the web password cannot be Bulk Modified for security reasons). Password security must still be in place on the extensions to secure them.
Setup > Extensions: Manage to view a list of all extensions:
Confirm that there are no yellow or red triangles next to the extension numbers. These alerts let you know that a weak password is used.
Consider deleting unused extensions.
Setup > Admins: Manage: Confirm that all admin accounts are necessary and delete any old, unused accounts.
...
Restrict (deny) Outgoing Call Rules, such as international call rules, and allow them only for those users who need to call internationally. You can do this by going to Setup > Manage > click on the pencil icon for an extension and go to the Outgoing Call Rules tab. To deny a call rule on that extension, highlight it and select the red circle icon on the right of the rule. Save SIP Extension. You can also use Bulk Modify to set up the Outgoing Call Rules for multiple extensions at once.
An extra security measure would be to password-protect all outbound calls, or international calls only, through the Outgoing Call Rules. Follow the steps described in this article: How to Password Protect All Outbound Calls.
Consider Changes to the Extension Numbers
...
In IVRs, limit extension dialing to only necessary extensions. Please refer to this article for more information. If extension dialing within an IVR is not necessary, then disable extension dialing completely from the IVR.
...
Contact your provider to see what security they can implement to prevent toll fraud.
There are resources online such as Countryipblocks.net that you could use in order to create access control rules for your firewall or router (not the Switchvox server). We suggest that you explore more than one tool and create access control rules that fit your needs.
There are third-party software programs available with network monitoring tools that you may find useful.
...