S 4.291 Secure configuration of VoIP middleware

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

The functionality and the security of VoIP middleware are determined primarily by its configuration parameters. In very many installations, several independent VoIP components such as gatekeepers and gateways work together. A change to a configuration parameter on one component that is not carried over to the others can therefore lead to malfunctions as soon as the components interoperate.

The administrators responsible for the VoIP components must be able to make numerous further changes after the system has been put into operation. Changes are needed when an employee leaves the government agency or company or a new employee is hired, and even a move to a different network segment, for example because of relocation to another building, requires reconfiguration. For this reason, a configuration interface should be selected that allows the administrators to make these changes efficiently.

In general, each employee is assigned a user name and password for using VoIP. When voice mail is used, an e-mail address can serve as the user name instead. It must be ensured that users select passwords that are neither too short nor easy to guess; settings that make the system reject weak passwords should be enabled. Users who only have a stationary device with a static IP address should only be permitted to log in from the device with that IP address.

When assigning telephone numbers to user names, all existing internal rules must be followed. Telephone numbers that are not assigned to any particular user also need attention, for example those of the publicly accessible telephones provided for visitors in conference rooms. Such telephone connections should be granted as few privileges as possible; as a rule, restricting calls from these telephones to in-house numbers is acceptable and adequate.

It is often possible to specify which users are allowed to use which signalling protocols. If possible, each user should be allowed to use only one protocol, since this reduces the amount of administration required. If the end devices support encrypted signalling protocols, then it must be ensured that logging in over an unencrypted protocol is impossible; otherwise an attacker can simply fall back to the unencrypted protocol and the encryption provides no protection.
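The registration rules from the two preceding paragraphs (password quality, one signalling protocol per user, no unencrypted fallback for encryption-capable devices, and IP binding for stationary devices) can be expressed as a small policy check. The following is an added illustration and not BSI or vendor code: the user directory, the transport labels ("sip-tls", "h323-h235" and so on), the password rules and the blocklist fragments are constructed for the example; a real gatekeeper or SIP registrar enforces the same points through its own configuration.

```python
"""Registration policy checks for VoIP middleware (added illustration, not
BSI or vendor code). User directory, transport labels and password rules
are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical transport labels -> (signalling protocol, encrypted?)
TRANSPORTS = {
    "sip-udp": ("sip", False), "sip-tcp": ("sip", False), "sip-tls": ("sip", True),
    "h323": ("h323", False), "h323-h235": ("h323", True),
}
COMMON_FRAGMENTS = ("password", "voip", "phone", "1234")  # constructed blocklist


@dataclass(frozen=True)
class VoipUser:
    name: str
    protocol: str                  # the single signalling protocol this user may use
    assigned_ip: Optional[str]     # static IP of a stationary device; None for mobile users
    device_supports_encryption: bool


# Constructed directory.
USERS = {
    "alice": VoipUser("alice", "sip", "10.0.5.21", True),   # desk phone with static IP
    "bob":   VoipUser("bob", "sip", None, True),            # softphone, moves between segments
    "lobby": VoipUser("lobby", "h323", "10.0.9.3", False),  # legacy visitor phone without H.235
}


def check_password(pw: str, min_len: int = 12) -> Tuple[bool, str]:
    """Reject passwords that are too short or easy to guess."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if any(frag in pw.lower() for frag in COMMON_FRAGMENTS):
        return False, "contains a guessable fragment"
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        return False, "fewer than three character classes"
    return True, "ok"


def check_registration(user: VoipUser, source_ip: str, transport: str) -> Tuple[bool, str]:
    """Decide whether a registration from source_ip over transport is accepted."""
    if transport not in TRANSPORTS:
        return False, f"unknown transport {transport}"
    protocol, encrypted = TRANSPORTS[transport]
    if protocol != user.protocol:
        return False, f"{user.name} is provisioned for {user.protocol}, not {protocol}"
    if user.device_supports_encryption and not encrypted:
        # Accepting this would let an attacker downgrade every encryption-capable phone.
        return False, "unencrypted signalling refused for an encryption-capable device"
    if user.assigned_ip is not None and source_ip != user.assigned_ip:
        return False, f"registration from {source_ip}, device is bound to {user.assigned_ip}"
    return True, "accepted"


if __name__ == "__main__":
    for name, ip, transport in [("alice", "10.0.5.21", "sip-tls"), ("alice", "10.0.7.8", "sip-tls"),
                                ("alice", "10.0.5.21", "sip-udp"), ("bob", "192.0.2.77", "sip-tls"),
                                ("lobby", "10.0.9.3", "h323")]:
        print(name, ip, transport, check_registration(USERS[name], ip, transport))
    for pw in ("Summer2024!", "Correct-Horse-9Battery", "VoipTelefon2024!"):
        print(repr(pw), check_password(pw))
```

The order of the checks matters: protocol and transport are rejected before the IP binding is consulted, so an attacker probing from the wrong address learns nothing about which devices are bound to which IP.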

The users of the PBX system can be granted or denied certain rights (privileges). For example, the right to call telephone numbers in foreign countries or fee-based service numbers can be restricted. When setting the configuration parameters, the goal should be that every user is granted only the privileges he/she really needs.
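The least-privilege rule for calls, including the visitor telephones restricted to in-house numbers mentioned above, can be modelled as a default-deny dial plan with classes of service. The following is an added illustration and not BSI or vendor code: the class names, the extension directory and the (German-style) number patterns are constructed for the example; a real PBX expresses the same policy in its own dial-plan or class-of-service syntax.

```python
"""Least-privilege call authorisation for VoIP middleware (added illustration,
not BSI or vendor code). Classes of service, directory and number patterns
are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Privilege levels from least to most permissive (hypothetical names).
INTERNAL, NATIONAL, INTERNATIONAL = "internal", "national", "international"
LEVEL_RANK = {INTERNAL: 0, NATIONAL: 1, INTERNATIONAL: 2}


@dataclass(frozen=True)
class ClassOfService:
    level: str
    premium_allowed: bool = False  # fee-based service numbers need an explicit grant


# Constructed directory: extension -> class of service. Extensions that are
# not listed (e.g. the visitor phone in a conference room) get DEFAULT_COS.
DIRECTORY = {
    "100": ClassOfService(INTERNATIONAL),                   # management
    "101": ClassOfService(NATIONAL),                        # regular employee
    "102": ClassOfService(NATIONAL, premium_allowed=True),  # helpdesk, calls vendor hotlines
}
DEFAULT_COS = ClassOfService(INTERNAL)  # least privilege for unassigned numbers

# Destination classes. The first matching pattern wins, so the emergency and
# premium rules come before the generic trunk rules.
DESTINATION_RULES = [
    (re.compile(r"^(110|112)$"), INTERNAL, False),         # emergency: reachable from every phone
    (re.compile(r"^[1-9]\d{2}$"), INTERNAL, False),        # three-digit internal extension
    (re.compile(r"^0(900|137|180)\d+$"), NATIONAL, True),  # premium / fee-based services
    (re.compile(r"^00\d+$"), INTERNATIONAL, False),        # international prefix
    (re.compile(r"^0[1-9]\d+$"), NATIONAL, False),         # national trunk call
]


def normalise(number: str) -> str:
    """Strip the separators users type; anything non-numeric afterwards is unroutable."""
    return re.sub(r"[\s\-/()]", "", number)


def classify(number: str) -> Optional[Tuple[str, bool]]:
    """Return (required_level, is_premium) for a dialled number, None if unroutable."""
    digits = normalise(number)
    for pattern, level, premium in DESTINATION_RULES:
        if pattern.match(digits):
            return level, premium
    return None


def authorise_call(caller_ext: str, dialled: str) -> Tuple[bool, str]:
    """Default-deny decision whether caller_ext may call `dialled`."""
    cos = DIRECTORY.get(caller_ext, DEFAULT_COS)
    cls = classify(dialled)
    if cls is None:
        return False, "unroutable number"
    required, premium = cls
    if premium and not cos.premium_allowed:
        return False, "fee-based service numbers not granted"
    if LEVEL_RANK[cos.level] < LEVEL_RANK[required]:
        return False, f"{required} calls not granted (class of service: {cos.level})"
    return True, "permitted"


if __name__ == "__main__":
    for caller, number in [("150", "101"), ("150", "030 123456"), ("150", "112"),
                           ("101", "0044 1234567"), ("100", "0044 1234567"),
                           ("101", "0900 123456"), ("102", "0900 123456")]:
        print(caller, "->", number, authorise_call(caller, number))
```

Two design points carry over to any real dial plan: unknown extensions fall back to the most restrictive class rather than to an employee default, and fee-based numbers are a separate grant rather than a side effect of being allowed national calls, so a manager with international dialling still cannot reach a premium-rate number unless that was decided explicitly.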

Small macros developed in-house and adapted to the local environment can make configuration easier for the administrators. Such macros must be thoroughly documented, subjected to quality control and tested before use. Otherwise there is a risk that they open up vulnerabilities in the configuration that are hard to detect or cause undesired side effects.

When specifying the configuration, all additional services that are not needed must be disabled; a service that is merely unused but left enabled remains reachable over the network and can be exploited for attacks.

Numerous events can be logged. From the signalling information, for example, it can be determined which user called whom and for how long. If the media streams are not exchanged directly between the end devices but routed through the middleware, then it is generally also possible to record and evaluate the contents of calls centrally. On the one hand, the logging functions help to trace VoIP operations; on the other hand, the possibility of abusing them to violate IT security or data protection must be ruled out.

For this reason, it must be systematically specified which information is to be logged and how the log data will be regularly evaluated. In any case, the Data Protection Officer and the Staff Council or Works Council must be allowed to participate in the evaluation. If discrepancies are found during an evaluation, they must be examined in more detail and their causes eliminated where necessary.
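The two preceding paragraphs describe deriving "who called whom and for how long" from signalling events and then evaluating that data regularly while respecting data protection. The following added example (not BSI or vendor code) reduces a constructed signalling log to call detail records, produces per-caller statistics with external numbers pseudonymised, and lists the rejected call attempts that an evaluation should look at more closely. The log line format, the call IDs and the numbers are invented for the example; real middleware writes its own format, but the fields used here (timestamp, method or response, caller, callee, call ID) are present in any SIP or H.323 log.

```python
"""Evaluation of VoIP signalling logs (added illustration, not BSI or vendor
code). The log format and all sample data are constructed."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<event>INVITE|200OK|BYE|4\d\d)"
    r" call-id=(?P<cid>\S+)(?: from=(?P<src>\S+) to=(?P<dst>\S+))?$"
)

# Constructed sample log: one completed call, two rejected by the middleware
# (403, e.g. a privilege violation) and one still in progress.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z INVITE call-id=c1 from=101 to=030123456
2024-03-04T09:12:04Z 200OK call-id=c1
2024-03-04T09:15:34Z BYE call-id=c1
2024-03-04T09:20:00Z INVITE call-id=c2 from=150 to=00441234567
2024-03-04T09:20:00Z 403 call-id=c2
2024-03-04T09:30:10Z INVITE call-id=c3 from=102 to=101
2024-03-04T09:30:12Z 200OK call-id=c3
2024-03-04T09:31:00Z INVITE call-id=c4 from=101 to=0900123456
2024-03-04T09:31:01Z 403 call-id=c4
"""


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_cdrs(log: str) -> Dict[str, dict]:
    """Reduce signalling events to one call detail record per call-id."""
    cdrs: Dict[str, dict] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        cid, event, ts = m["cid"], m["event"], parse_ts(m["ts"])
        if event == "INVITE":
            cdrs[cid] = {"caller": m["src"], "callee": m["dst"], "invite": ts,
                         "answered": None, "ended": None, "outcome": "ringing"}
            continue
        cdr = cdrs.get(cid)
        if cdr is None:
            raise ValueError(f"{event} for unknown call-id {cid}")
        if event == "200OK":
            cdr["answered"], cdr["outcome"] = ts, "in-progress"
        elif event == "BYE":
            cdr["ended"], cdr["outcome"] = ts, "completed"
        else:  # 4xx: the middleware refused the call
            cdr["ended"], cdr["outcome"] = ts, f"rejected {event}"
    return cdrs


def duration_seconds(cdr: dict) -> Optional[int]:
    """Talk time from answer to BYE; None for calls not answered or not yet ended."""
    if cdr["outcome"] != "completed" or cdr["answered"] is None:
        return None
    return int((cdr["ended"] - cdr["answered"]).total_seconds())


def mask_number(number: str) -> str:
    """Pseudonymise for routine evaluation: internal extensions stay readable,
    the last three digits of every other number are replaced."""
    if re.fullmatch(r"\d{3}", number):
        return number
    return number[:-3] + "xxx"


def summarise(cdrs: Dict[str, dict]) -> Dict[str, dict]:
    """Per-caller statistics that need no callee numbers at all."""
    out: Dict[str, dict] = {}
    for cdr in cdrs.values():
        s = out.setdefault(cdr["caller"], {"calls": 0, "completed": 0, "rejected": 0, "seconds": 0})
        s["calls"] += 1
        if cdr["outcome"].startswith("rejected"):
            s["rejected"] += 1
        d = duration_seconds(cdr)
        if d is not None:
            s["completed"] += 1
            s["seconds"] += d
    return out


def rejected_attempts(cdrs: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Discrepancies worth a closer look: calls the middleware refused."""
    return [(c["caller"], mask_number(c["callee"]), c["outcome"])
            for c in cdrs.values() if c["outcome"].startswith("rejected")]


if __name__ == "__main__":
    cdrs = build_cdrs(SAMPLE_LOG)
    print(summarise(cdrs))
    print(rejected_attempts(cdrs))
```

The routine report only contains counts and durations per caller; full callee numbers are kept in the raw log and looked up only when a discrepancy (such as the rejected international and premium-rate attempts above) is examined, which is the step in which the Data Protection Officer and the employee representatives should be involved.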

All settings are to be checked by regular audits.

Review questions: