How 3CX solves security problems (part 2)

Part 1

Passive protection
Under passive protection we will loosely group the components that simply close off certain possibilities: if you leave these settings alone, everything stays fine.

First, by default the generated passwords are complex: 8 characters, such as 96q1d4h2. If you are not too lazy to set them on the phones, the probability of one being guessed (especially with the Antihacking feature described in part 1 working) is practically zero. By the way, for those who are too lazy to type passwords in, there is Autoprovisioning.

Second, by default all new extensions cannot connect from outside the local network. Connection via 3CX Tunnel is blocked as well.

The subnets from which a connection is allowed without additional permission are configurable.

Now about the IP phones themselves: on every second one the login/password is admin/admin. When such a device is exposed to the open Internet with its web interface, one can easily log in to that web interface, download the phone's configuration, read the password out of it and start making calls. This is a real-life example from two years ago: the phone was a Yealink standing alone at a remote site. Yealink now encrypts configuration files, but I'm not sure all manufacturers do this.
So, if you use your head and configure the devices through Autoprovisioning, the web interface password will also be generated complex.



Fool protection
Weak passwords are flagged.

If someone nevertheless decided to set a login/password of 100/100, 3CX will warn about it: an extension with potentially dangerous settings is shown in red. There is no lockout, only the warning.

The indicator also appears if the extension number and the SIP ID settings match.
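The following audit script is an added illustration, not 3CX code: it generates an 8-character password of the kind the post describes and reproduces the weak-settings checks above (password equal to the extension number or SIP ID, too short or built from a single character class, SIP ID matching the extension number). The alphabet, the 8-character minimum and the sample extensions are my own assumptions.

```python
import secrets
import string

# Assumed alphabet for generated passwords; the post only states "8 characters".
ALPHABET = string.ascii_lowercase + string.digits
MIN_LENGTH = 8


def generate_password(length: int = MIN_LENGTH) -> str:
    """Generate a random SIP password such as '96q1d4h2' with a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def extension_findings(number: str, sip_id: str, password: str) -> list[str]:
    """Return the warnings a 3CX-style 'fool protection' check would raise."""
    findings = []
    if password == number:
        findings.append("password equals extension number")
    if password == sip_id:
        findings.append("password equals SIP ID")
    if len(password) < MIN_LENGTH:
        findings.append(f"password shorter than {MIN_LENGTH} characters")
    classes = sum(
        1 for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits)
        if any(c in cls for c in password)
    )
    if classes < 2:
        findings.append("password uses only one character class")
    if sip_id == number:
        findings.append("SIP ID matches extension number")
    return findings


def audit(extensions):
    """Map extension number -> findings, for every extension that has any."""
    return {num: f for num, sid, pw in extensions if (f := extension_findings(num, sid, pw))}


# Constructed sample data, not taken from a real PBX: (extension, SIP ID, password)
SAMPLE_EXTENSIONS = [
    ("100", "100", "100"),             # the 100/100 case from the post
    ("101", "101", "96q1d4h2"),        # strong password, but SIP ID = extension
    ("102", "u3xq7m2z", "H2k9d4Qw"),   # nothing to flag
]

if __name__ == "__main__":
    for num, warnings in audit(SAMPLE_EXTENSIONS).items():
        print(f"{num}: {'; '.join(warnings)}")
```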

Working hours can also be regarded as protection. A simple example: at night many offices are cleaned by contractors whose employees come from neighbouring countries, and calling home from an office phone is quite a temptation. Outside working hours, calls to the city can be switched off altogether. For special cases there is an override code, and in addition there is a list of emergency numbers to which any numbers can be added.

About calls from the IVR
Another way to run up fraudulent traffic is to call the IVR and dial an external number instead of an extension. 3CX has a forced block on transferring a call to numbers that do not exist as extensions.

Third-party tools
This is the last barrier, for when you have already been compromised: internal billing with an anti-fraud system and the ability to block numbers. For 3CX, Tariscope 3.5 can do this. Besides the usual calculation of money spent on calls, Tariscope analyzes traffic in real time (not after the CDR has been exported) and can forcibly drop a call when a particular subscriber's balance is exhausted, and then disconnect that subscriber.

What cannot be protected against
In my practice there was once a case that was impossible to defend against, at least on our own. Apparently at the peak of competition, one company providing auto registration services set a Skype dialer on its competitor. Every 3-5 seconds a call came in and hammered the lines; in theory you could put the number on the blacklist and forget it, but the caller number was different every time.

The problem was solved only through the intervention of the telecom operator.

If all the recommendations are followed, the probability of losing all the money in your account with the telecom operator is reduced to zero. Good luck!