Best Practices to Protect your Switchvox PBX
Disclaimer: Switchvox is not a security appliance. While Switchvox provides tools such as Access Control and the ability to block IPs after multiple failed logins, its main function is as a PBX. We therefore recommend that you place a firewall, or another intrusion prevention and detection system, in front of Switchvox to restrict access to it.
Switchvox offers a set of tools to help protect it from unwanted access, and we offer the following recommendations to network teams for protecting the Switchvox server:
Do Not Allow Unnecessary Access in Switchvox
Switchvox offers Access Control Rules that let you define a whitelist of network addresses that can access Switchvox, and for each network you choose which of the services may be reached from it. For a specific network you can also set Never Block IPs to YES, which prevents phones on that network from being blocked because of repeated registration attempts. Failed web logins are still blocked: a user who repeatedly attempts to log in with an incorrect username or password will be blocked even on such a network.
Please review the Access Control Rules on your firewall and on Switchvox. We recommend that you limit external access to Switchvox, allowing only the required ports and services listed here.
Access Control Rules should only allow the services that are needed by that particular network. For example, your VoIP provider does not need Web Portal services at all, so those services should not be enabled if you set up an Access Control Rule for the provider.
If you are using the Sangoma Connect Mobile app, you will require SIP traffic in the All Networks rule. In this scenario, we recommend that you install an SSL certificate from a trusted authority and use the SIP Transport TLS/SRTP. Encryption not only increases your security but also avoids the connection issues caused by routers with faulty SIP ALG implementations. (Your extensions' phone settings do not default to Transport TLS/SRTP, so this requires a change to the default.) Encrypted calls use more hardware resources, so be sure that you have the capacity available: encrypting your calls can use up to 20% more hardware resources than unencrypted calling.
If you are using the Switchvox Desktop Softphone app, you will require User Portal access.
Alternatively, use a VPN: remote devices can enable the VPN setting to connect in a more secure manner.
If you are not using the Sangoma Connect Mobile app, you can turn SIP off in the All Networks rule of the Access Control List. Any remote networks that need to register phones then require their own separate Access Control Rules.
Restrict Admin Services in the All Networks Access Control Rule
The Web Admin Portal and Admin API services control most of the access to Switchvox and how it behaves. Access to these services should be limited to well-known IP addresses only. We recommend that you disable these services in the All Networks rule, if you do not absolutely require access from a mobile device or other unpredictable IP address (e.g., the Switchvox Admin App for mobile).
In version 7.2 and later, an alert in the admin portal notifies you if the All Networks rule allows the Admin Portal, Admin API, or User Portal services.
Network settings to increase security:
Server > Networking: Access Control > IP Blocking Options: Confirm that IP blocking has not been disabled.
Server > Networking: Access Control: Confirm that the network addresses defined here are correct and have the correct level of access. The option Never Block IPs should only be enabled for well-known networks.
Server > Networking > Blocked IPs: Review whether a specific subnet or IP range is constantly being blocked. Consider blocking such ranges at your firewall, so the traffic never reaches Switchvox.
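The Blocked IPs review above is easier when the list is aggregated by network rather than read host by host: a handful of hosts from one /24 that keep getting blocked is a candidate for a firewall rule upstream. The following is an added example, not Switchvox code; it assumes you have pasted the Blocked IPs page into a text file as one IP per line, optionally followed by the number of times that IP was blocked (the export format is an assumption, and the sample data is constructed).

```python
"""Aggregate a Switchvox Blocked IPs list by /24 to find networks worth blocking upstream.

Added example, not part of Switchvox. Input format is assumed: one IP per line,
optionally followed by a block count, as pasted from Server > Networking > Blocked IPs.
"""
import ipaddress

# Constructed sample input (RFC 5737 documentation ranges): "<ip> <times blocked>".
SAMPLE_BLOCKED = """
203.0.113.17 12
203.0.113.44 9
203.0.113.201 15
198.51.100.5 1
192.0.2.88 3
192.0.2.89 4
"""


def parse_blocked(text):
    """Return a list of (ip_address, count) tuples; a line without a count means 1."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        ip = ipaddress.ip_address(parts[0])
        count = int(parts[1]) if len(parts) > 1 else 1
        entries.append((ip, count))
    return entries


def summarize(entries, prefixlen=24):
    """Per network (as a string like '203.0.113.0/24'): total blocks and distinct hosts."""
    summary = {}
    for ip, count in entries:
        net = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        bucket = summary.setdefault(net, {"blocks": 0, "hosts": set()})
        bucket["blocks"] += count
        bucket["hosts"].add(str(ip))
    return summary


def candidate_firewall_blocks(summary, min_hosts=2, min_blocks=5):
    """Networks with repeated blocks from several distinct hosts, busiest first.

    A single noisy host is better handled by Switchvox's own blocking; several
    hosts from one range that keep coming back is the pattern to push to the
    firewall. The thresholds are tunable assumptions, not Switchvox defaults.
    """
    picks = [
        (net, data["blocks"])
        for net, data in summary.items()
        if len(data["hosts"]) >= min_hosts and data["blocks"] >= min_blocks
    ]
    picks.sort(key=lambda item: item[1], reverse=True)
    return [net for net, _ in picks]


if __name__ == "__main__":
    report = summarize(parse_blocked(SAMPLE_BLOCKED))
    for net, data in sorted(report.items(), key=lambda kv: kv[1]["blocks"], reverse=True):
        print(f"{net:20} blocks={data['blocks']:4} hosts={len(data['hosts'])}")
    print("Consider blocking at the firewall:", candidate_firewall_blocks(report))
```

Run it against your own pasted list; the networks it prints are inputs for a firewall or router deny rule, not for Switchvox itself, which already blocks the individual hosts.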
Only Allow Access to the Ports Switchvox Uses
Rather than placing Switchvox in a DMZ, please review How do I set up my network for Switchvox and open only the ports that your Switchvox requires to operate.
Keep Switchvox Software Up-to-Date
Switchvox updates include security improvements. The latest version can contain patches that minimize the risk of a breach or offer new features to help you protect Switchvox. At the time of this writing, Switchvox 7.6.1 is the most recent security update released. We highly recommend updating your Switchvox to this version and keeping the server updated as new releases become available. Go to Server > Updates to see which updates are available. For example, in v. 6.6.x and above, secure SSL has been added as a security feature.
Turn on Alerts for Security-Related Issues
In version 7.3, the Alerts Manager includes a new Security category. Various events trigger an email to you, including an admin login from an external IP address, a change to the Access Control Rules, a phone-user password reset request, and a phone-registration password change. To enable this feature, go to Tools > Alerts Manager > Create Alerts Subscription.
Change Passwords
At regular intervals, review the following areas of Switchvox to help protect Switchvox from unwanted access.
Passwords and Accounts
Create complex passwords and change the password on all extensions and admin accounts periodically (every month or every few months). If users log in to their extension's web page (/main), you can force a password change using Bulk Modify; the users will then be required to change the password at their next login:
Go to Setup > Manage > Bulk Modify Extensions > Profile tab. In Phone-Extension Fields, click the Profile Information tab, under Field to modify select Force Change of password on next login, and click Next.
Save Modifications.
NOTE: If users never log in to their extension using a web browser, the admin must change the password on each extension manually (the web password cannot be Bulk Modified, for security reasons). Password security still needs to be in place on every extension to keep it secure.
Setup > Extensions: Manage to view a list of all extensions:
Confirm that there are no yellow or red triangles next to the extension numbers. These alerts let you know that a weak password is used.
Consider deleting unused extensions.
Setup > Admins: Manage: Confirm that all admin accounts are necessary and delete any old, unused accounts.
Review the Outgoing Call Rules
Restrict (deny) Outgoing Call Rules such as international call rules, and allow them only for those users who need to call internationally. To do this, go to Setup > Manage, click the pencil icon for an extension, and open the Outgoing Call Rules tab. To deny a call rule, highlight it and select the red circle icon to the right of the rule; this denies that rule for the extension. Then Save SIP Extension. You can also use Bulk Modify to set up the Outgoing Call Rules for multiple extensions at once.
An extra security measure would be to password-protect all outbound calls, or international calls only, through the Outgoing Call Rules. Follow the steps described in this article: How to Password Protect All Outbound Calls.
Consider Changes to the Extension Numbers
Make extension numbers at least 4 or 5 digits in length.
Make the extension numbers non-sequential.
Decide on Voicemail Security
During a voicemail greeting, callers may press the "*" key to log in to that voicemail box. Change this setting to NO under Tools > PBX Features > Voicemail > Voicemail Routing.
The Voicemail Access extension (x899 by default) has a setting to require a password always, even when calling from the user's own extension. If it is set to NO, change it to YES. Select Setup > Extensions > Manage, find the Voicemail Access extension (x899 by default), and click the yellow pencil icon to edit it.
IVR Extension Dialing Options
In IVRs, limit extension dialing to only necessary extensions. Please refer to this article for more information. If extension dialing within an IVR is not necessary, then disable extension dialing completely from the IVR.
Review the Call Reports Regularly
Monitor Reporting: Call Reports > Call Logs on a regular basis. Check for calls at odd hours or calls to international numbers, especially if your users do not normally place international calls. You can run Call Reports by hour of the day, or review the Call Logs daily to see what time calls were going out. You can also set up a Scheduled Report to automate a Call Report and send it by email.
For example, go to Reporting: Custom Reports > Scheduled Reports > Create Scheduled Call Report, run it daily, and set the Report Parameters to Hour of the Day, all phones, and Total Number of Calls, Total Number of Incoming Calls and Total Number of Outgoing Calls. Review this report for unusual call activity during off-hours; that is a red flag for toll fraud.
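The review described above (odd hours, international destinations, extensions that keep showing up) can be scripted against an exported call log so that the daily check is a diff rather than a read-through. The following is an added example and not Switchvox code or a Switchvox report format: it assumes a CSV export with start_time, from_extension, dialed_number and duration_seconds columns, a NANP site where international calls are dialed with the 011 prefix or a non-+1 country code, and business hours of 08:00 to 18:00 on weekdays. All of those are assumptions, and the call log is constructed.

```python
"""Flag off-hours and international calls in an exported call log.

Added example, not Switchvox code. Assumed CSV columns and dialing conventions
are documented inline; the sample log is constructed.
"""
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed sample export. 2024-03-04 is a Monday, 2024-03-09 a Saturday.
# Domestic numbers use the fictional 555-01xx range; international numbers use
# UK drama numbers (020 7946 0xxx), dialed as 011 44 ... or +44 ....
SAMPLE_CALL_LOG = """\
start_time,from_extension,dialed_number,duration_seconds
2024-03-04 09:15:22,1043,5550100,183
2024-03-04 13:02:10,1201,5550199,45
2024-03-05 02:47:03,1043,011442079460123,912
2024-03-05 03:10:41,1043,011442079460124,870
2024-03-05 17:59:00,1115,+442079460125,60
2024-03-06 23:30:12,1201,5550123,12
2024-03-09 10:00:00,1201,5550124,30
"""

BUSINESS_START = time(8, 0)   # assumption: local business hours 08:00-18:00
BUSINESS_END = time(18, 0)


def is_international(dialed):
    """NANP assumption: 011 prefix, or +<country code> other than +1, is international."""
    dialed = dialed.strip()
    if dialed.startswith("+"):
        return not dialed.startswith("+1")
    return dialed.startswith("011")


def is_off_hours(started, start=BUSINESS_START, end=BUSINESS_END):
    """Weekend, or outside [start, end) on a weekday, counts as off-hours."""
    if started.weekday() >= 5:
        return True
    return not (start <= started.time() < end)


def flag_calls(csv_text):
    """Return one dict per suspicious call with the reasons it was flagged."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        started = datetime.strptime(row["start_time"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if is_off_hours(started):
            reasons.append("off-hours")
        if is_international(row["dialed_number"]):
            reasons.append("international")
        if reasons:
            flagged.append({
                "start": row["start_time"],
                "ext": row["from_extension"],
                "number": row["dialed_number"],
                "seconds": int(row["duration_seconds"]),
                "reasons": reasons,
            })
    return flagged


def extensions_to_review(flagged, min_flags=2):
    """Extensions with at least min_flags suspicious calls: check their call rules first."""
    counts = Counter(call["ext"] for call in flagged)
    return sorted(ext for ext, n in counts.items() if n >= min_flags)


def international_seconds(flagged):
    """Total talk time on international destinations; a jump here is the toll-fraud signal."""
    return sum(c["seconds"] for c in flagged if "international" in c["reasons"])


if __name__ == "__main__":
    hits = flag_calls(SAMPLE_CALL_LOG)
    for call in hits:
        print(f"{call['start']}  ext {call['ext']:>5}  {call['number']:<16} "
              f"{call['seconds']:>4}s  {', '.join(call['reasons'])}")
    print("review extensions:", extensions_to_review(hits))
    print("international seconds:", international_seconds(hits))
```

Extensions that appear repeatedly are the ones whose Outgoing Call Rules deserve a look under Setup > Manage, and a sudden increase in international talk time is the signal to compare against your provider's records.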
Additional Considerations
Contact your provider to see what security they can implement to prevent toll fraud.
There are resources online such as Countryipblocks.net that you could use in order to create access control rules for your firewall or router (not the Switchvox server). We suggest that you explore more than one tool and create access control rules that fit your needs.
There are third-party network monitoring tools that you may find useful.
Affected Version(s)
7.3;7.0;6.7;6.6.0.1