Detailed Question:

How secure is the Sonictel PBX solution?


Answer:

Q: How secure is the Sonictel PBX solution?

A: The Sonictel PBX solution employs significant measures to minimize and prevent unauthorized use of and access to your business communications. There are multiple levels of security built into the cPBX service. These can be broken down into the following areas: Network Security, Device Configuration, and Call Processing. Network Security measures include those taken to prevent unauthorized access to user media and control traffic, as well as the employment of intrusion detection and prevention mechanisms. Device Configuration measures minimize opportunities for the misuse or hijacking of end user devices. Call Processing measures restrict communications to authorized end users and help prevent spoofing. These strategies are employed together to minimize opportunities to intercept, spoof, or hijack VoIP services. While the media stream is not encrypted, SPs may also choose to employ a VPN peering architecture to extend network security to the user’s site.


Firewalls are configured in multiple zones for tiered security. All public access to Sonictel PBX applications and services traverses a demilitarized zone (DMZ) for added security.

  • Firewalls are configured to only allow traffic specific to Sonictel PBX applications and services. All other traffic is restricted.
  • Intrusion detection mechanisms include inline prevention technologies that take preventive action on a broad range of threats, including Denial of Service (DoS), without the risk of dropping legitimate traffic.
  • Network protection from policy violations, vulnerability exploitation, and anomalous activity is achieved through detailed inspection of traffic in Layers 2 through 7.

For Device Configuration:

  • We use HTTPS for configuration management, which encrypts configuration files in transit.
  • For all device models that support it, we use dual certificate exchange. This means the client (phone) validates the server's certificate AND the server validates the client's (phone's) certificate. Each client (phone) is loaded with a vendor-provided certificate.
  • For all devices using DMS, the configuration server requires user authentication to obtain configuration file information.

For Call Processing:

  • We use SIP authentication for Registrations, and our SBCs enforce source IP and port matching so that calls cannot be placed from any IP/port combination other than the one associated with the Registration. This greatly reduces the possibility of spoofing.
  • We use very long, device-specific alphanumeric SIP Authentication passwords. Each password is system-generated by our servers at the time devices are assigned to users.
  • We use SIP authentication for INVITEs.

Other:

  • When phones are ported onto our service, they are flashed so that the default administrative password is changed, and we do not give out the password to anyone outside of Sonictel Engineering. This ensures that the configuration we want on the phone is properly maintained.
  • We explicitly disable the HTTP server on the phones so that it is not possible for someone to exploit this interface to obtain sensitive configuration information.
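
The Call Processing controls above (SIP authentication on REGISTER and INVITE, plus source IP/port pinning at the SBC) can be modelled as follows. This is an added example, not Sonictel's code: it assumes SIP digest authentication in the RFC 2617 MD5 form without qop, and the `Sbc` class, status strings, nonce handling, credentials and addresses are all constructed for illustration.

```python
import hashlib
import hmac

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2) (assumed scheme)."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

class Sbc:
    """Hypothetical model: authenticate, then pin calls to the registered source."""
    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials  # user -> system-generated SIP password
        self.bindings = {}              # user -> (ip, port) seen at REGISTER

    def _auth_ok(self, user, method, uri, nonce, response):
        password = self.credentials.get(user)
        if password is None:
            return False
        expected = digest_response(user, self.realm, password, method, uri, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare

    def register(self, user, src, uri, nonce, response):
        if not self._auth_ok(user, "REGISTER", uri, nonce, response):
            return "401 Unauthorized"
        self.bindings[user] = src       # remember the source IP/port
        return "200 OK"

    def invite(self, user, src, uri, nonce, response):
        if self.bindings.get(user) != src:   # source must match the registration
            return "403 Forbidden"
        if not self._auth_ok(user, "INVITE", uri, nonce, response):
            return "401 Unauthorized"
        return "100 Trying"

def demo():
    # Constructed sample data; addresses are from documentation ranges.
    user, realm, pw = "1001", "pbx.example.test", "k3Vq9ZxT7mLp2RwY8sNd"
    sbc = Sbc(realm, {user: pw})
    phone, other = ("192.0.2.10", 5060), ("198.51.100.7", 5060)
    reg_uri, call_uri, nonce = f"sip:{realm}", f"sip:1002@{realm}", "constructed-nonce"
    reg = digest_response(user, realm, pw, "REGISTER", reg_uri, nonce)
    inv = digest_response(user, realm, pw, "INVITE", call_uri, nonce)
    return [sbc.register(user, phone, reg_uri, nonce, reg),
            sbc.invite(user, phone, call_uri, nonce, inv),
            sbc.invite(user, other, call_uri, nonce, inv),       # valid digest, wrong source
            sbc.invite(user, phone, call_uri, nonce, "0" * 32)]  # right source, bad digest
```

The third result shows why the two controls are layered: a correct digest response is still refused when it arrives from an IP/port other than the one recorded at registration.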