S 5.15 Shielding of external remote accesses of PBX systems

Initiation responsibility: IT Security Officer, PBX System Manager

Implementation responsibility: Administrator

In this safeguard, every access using the maintenance interface of the PBX system via public switching systems and data networks, such as the Internet, is referred to as external remote access. This may become necessary due to the fact that either the individual systems of the cluster are not or not only (see comment) connected via dedicated lines or that quick support of the manufacturer in emergencies is absolutely necessary. In these cases, the maintenance port (modem) must be fully entitled to direct outward dialling.

State-of-the-art PBX systems can often be configured using data networks. Depending on the network structure, the PBX system is connect to a LAN or to a separate management network. Direct access to the PBX system connected to the internal network from public networks must be prevented. If the PBX system is nevertheless to be accessed from a public data network, a virtual private network (VPN, see S 4.4 VPN) should be used. Here, a protected data link to the VPN end point, normally located in the demilitarised zone (DMZ), is generated. From there, a connection can be established taking into consideration the recommendations in S 5.14 Shielding of internal remote accesses of PBX systems.

The following figure represents a typical scenario of an external remote access port to a remote administration port using a modem. The PBX system is administrated from the external maintenance location using modem 1 - public network - PBX - modem 2 - V.24 maintenance interface.

Figure: Establishing external remote administration via modem

For security reasons, it makes sense to avoid external remote maintenance. If this is not possible, additional shielding safeguards are absolutely necessary in addition to the safeguards for internal remote accesses.

Comment: Some systems provide the option of only processing a basic traffic load using dedicated lines and automatically routing load peaks over the public network. The user is not informed about this.

PC gateway (see comment)

A PC gateway should be installed between maintenance port and modem. This gateway must provide the following security functions:

• identification and authentication of the user,
• cancellation of the connection in the event of security-critical events,
• automatic callback, and
• logging of all activities.

Furthermore, additional functions can be implemented:

• activation of a lock-out period in the event of failed access attempts,
• blocking remote maintenance in normal operations and express approval for an precisely defined period; this makes sense in order to allow the manufacturer or another maintenance company to intervene in cases of emergency,
• restriction of the maintenance personnel's rights; additional software installed on the maintenance PC may be used in order to restrict the scope of action of the user in order to implement graduated rights administration,
• "forced logout" in case of line interruption; if the connection between the remote maintenance station and the PC gateway is interrupted in any way, access to the system must be terminated by "forced logout".

Physical shut-down of the remote maintenance access port

If no remote maintenance is normally required and if it should only be allowed for when required, it is recommendable to physically shut down the access port. If required, this port may possibly be enabled on short notice upon telephone consultation with the manufacturer or the maintenance company.

Closed user groups (CUGs)

In public ISDN and X.25 networks, the feature of forming CUGs is offered. This way, a virtual "network within the network" is made available by the network operator to a user. The closed user groups can be requested from the network operator for corresponding fees.

Alternatively, it may be considered to implement the closed user groups independently by using the ISDN auxiliary services Calling Line Identification and Presentation (CLIP) and Connected Line Identification and Presentation (COLP). If possible, this may be performed by correspondingly configuring the organisation's own PBX system or by designing the PC gateway accordingly.

Comment: This safeguard should also be applied to internal remote maintenance using virtual private networks.

Avoiding and/or controlling direct dial-in options

A direct dial-in option, e.g. from other networks using overlap dialling in multi-frequency dialling procedures, to the PBX system should be prevented as far as possible. Such procedures are often used for accessing server services. If this cannot be prevented for organisational reasons, it is recommendable to completely enable the available protection mechanisms and to regularly control for potential misuse.

Review questions:

• Is administration access using public networks required for the PBX system?
• Have all unneeded administration access ports been disabled?
• Has the administration access of PBX systems been protected against unauthorised access?