Introduction
In the increasingly fast-paced landscape of Voice-over-IP (VoIP) it is more important than ever for ESI partners to help defend customer networks against unauthorized access and internet threats. The freedom of VoIP lets you have remote employees, remote maintenance and even remote systems, but the internet is awash with possible dangers. The business goals of allowing flexibility and ease of use can overwhelm the discussion at the time of implementation as excited managers pummel you over possibilities while you’re still trying to set the system’s IP address. With another three installs lined up behind you it’s very easy to lose sight of security.
The security goal – allowing connections to necessary services remotely while limiting access to only those who need it – is simple in theory, but can be challenging to implement on-the-fly. From unbalanced Quality of Service (QoS) settings to improperly configured firewalls and distributed denial-of-service (DDoS) attacks there are dozens, if not hundreds, of chances to miss something and leave a customer network open to attack or, worse, unauthorized entry through compromised services.
The intent of this Technical Update is to provide you with a checklist of items you need to watch for and explain why you need to watch for them. Failing to account for these threats not only risks the security of your customer’s business, but in some cases can even lead to warranty-voiding hardware damage.
Because most devices log activity, and write that activity to disk, large-scale assaults against a device can actually cause physical wear to the disk leading to premature failure. This has been observed in the field by ESI customers in the form of IP Server 900 systems that crash then won’t boot or ASC cards that stop working and require a new memory module.
Effective immediately, ESI Technical Support will now enforce the presence of proper network security. If a system is found to be unsecured the ESI technician will recommend actions to rectify the exposure. If the recommendations are not followed, any hardware damage that occurs as a result will be billed as out-of-warranty repair. The importance of taking this information to heart cannot be overstated!
Checkpoint: Managing security
Not surprisingly, the equipment you choose to build and deploy a data network matters greatly to the success of deploying any service or device on that network. Routers, switches and firewalls are not created equally, and knowing the capabilities and weaknesses of the devices you are interfacing to is critically important.
The first place most techs get tangled up is in the difference between a router, a switch and a firewall. A switch simply allows multiple IP devices on the same network to talk to each other. A router allows IP devices from different networks to talk to each other. Firewalls, however, live on a different playing field and are responsible for choosing what types of traffic are allowed to pass through the router. Many routers have firewalling capabilities and built-in switches, but the functions are quite distinct and the differences are important. You need to know what devices you are dealing with and what functions they do or do not serve.
It is critical not only to be familiar with the types of equipment in a network and what they do, but also to be familiar with the various brands and models in the market. It isn’t possible to know all aspects of every device, but it is important to know basic facts such as: Linksys is the consumer brand for Cisco, which means that any Linksys router is designed for home and very small office use and may not support the full range of security options a business requires. The ESI Voice Router is a strong asset in your toolbox and knowing a small number of devices very well can be the difference between a clean install and a series of repeat truck rolls and lost revenue troubleshooting issues.
Checkpoint: Maintaining equipment
The other common stumbling block to successfully secured network equipment is failure to maintain it. Every day a new breed of hackers takes to the internet with new tools and new methods leading not only to an increase in attacks, but an increase in their effectiveness. Core software bugs, such as the Heartbleed discovered in spring of 2014, are a perfect example of the ever-changing vulnerabilities of the internet; hundreds of thousands of devices and servers powering business across the globe were rendered wide open overnight. The Sony data leak scandal in winter of 2014 is a high-profile display of how lack of network security can cause tangible harm to a business.
As new services are brought online, older ones are taken offline, employees are hired and fired or given new privileges it is important to update network rules accordingly. Firewall rules, access lists, router firmware and firewall software all require observation and maintenance to ensure customers are protected.
Checkpoint: Assessing internet threats
The obvious question after coming to understand the importance of network security is: how do I find out what I need to protect against? The answer starts with doing an inventory of services that need remote access. If your customer hosts a web server that needs internet access that lets you know that the firewall will need to grant web access to external visitors to that server and block non-web services.
Armed with the comprehensive services list you can create a chart of which ports, traffic types and connection types each service uses. Does the web server allow HTTP (port 80) and secure HTTPS (port 443) connections? This chart of who connects and how is not only useful for setting up protections, but for deciphering them later.
Network security blogs and news sites, like Naked Security (http://nakedsecurity.sophos.com) or Securosis (http://securosis.com/blog), are another incredibly useful tool in setting up protections as they keep you up-to-date on the latest trends and vulnerabilities and how to protect against them.
Also useful are vendor web pages. ESI, for example, posts bulletins like Technical Update #334 (ESI #0450-1397) that detail firewall settings needed to protect users of ESI SIP trunking services and technical manuals that list the ports used by ESI equipment. Most application, equipment and service vendors will publish similar documents and recommendations on how to protect their users.
Checkpoint: Protecting ESI users
The best practices for firewall configuration for ESI SIP services users as well as ESI PBX systems using ESI SIP services are discussed below, and are discussed in more detail in Technical Update #334 (ESI #0450-1397).
ESI SIP services use the following IP addresses to send traffic to your PBX:
- ESI SIP trunks (Los Angeles, lasas.vintalk.com) — 64.94.105.128 through 64.94.105.255, netmask 255.255.255.128
- hosts 64.94.105.129 - 64.94.105.254
- ESI SIP trunks (New York, nysas.vintalk.com) — 75.98.35.128 through 75.98.35.255, netmask 255.255.255.128
- hosts 75.98.35.129 - 75.98.35.254
- ESI SIP trunks (New York, nysas.vintalk.com) — 75.98.65.0 through 75.98.65.255, netmask 255.255.255.0
- hosts 75.98.65.1 - 75.98.65.254
Additionally, the following address is used to connect to your ESI PBX, ESI Voice Router, or other supported equipment during troubleshooting:
- ESI Technical Support — 209.163.177.128, netmask 255.255.255.224
- hosts 209.163.177.129 - 209.163.177.158
- ESI Technical Support — 192.64.95.0, netmask 255.255.255.0
- hosts 192.64.95.1 - 192.64.95.254
- hosts 72.172.86.35 and 64.250.180.42
These addresses should be opened for the following ESI SIP services:
- Allow ICMP from both NY and LA ranges and the Technical Support IP
- Allow UDP and TCP on port 5060 for both NY and LA ranges
- Allow UDP on port range 10000 to 11000 for both NY and LA
- Allow TCP on ports 22, 80, 443, 2222, 8080, 8443, 59002 for both NY and LA ranges and the Support Center IP
- Please note that ports 2222, 8080 and 8443 are alternate ports for 22, 80 and 443.
The following services must be forwarded for ESI SIP services to function:
- Port 5060 must be forwarded to PBX’s SIP IP address both for inbound and outbound
- Ports 10000 to 11000 must be forwarded to the PBX’s Media (RTP) IP address
- Port 22 should forward to the ASC or SIP card for Technical Support access (ESI PBX systems only)
- Port 443 should forward to the NSP for Technical Support access (ESI IP Server 900 systems only)
These URL’s should be opened for Fax to Fax and Virtual Fax using ports 443 and 8090:
- https://nsps02.faxsipit.com
- https://ata1.pangea-comm.com
- https://faxata.com
Finally, the following global rules must be observed in the firewall:
- SIP ALG must be disabled
- NAT Transversal must be enabled in the PBX if the system is used behind the firewall