How to secure your IP PBX when you have teleworking staff using IP handsets at home

This tutorial explains how a Fortinet FortiGate product can be used to lock down a VoIP implementation to secure voice for teleworkers.


Voice over IP and unified communications technologies add complexity to network security management. Many of the cost reductions that can be achieved by deploying VoIP assume that voice traffic will be sent securely across the Internet.

In addition, many businesses need to allow staff to telework from home on a regular basis. From the perspective of setting up the SIP server (IP PBX), it is possible to locate a handset anywhere that has IP connectivity.

To deliver reliable phone services, network security considerations need to cover protecting the SIP server and phone handsets from Internet-based attacks and prioritising and shaping bandwidth usage to ensure voice call quality, while still allowing remote telephone handsets to initiate secure sessions.

This example configuration shows how to securely connect an IP phone handset being used at home to a business phone system.

In this situation, most businesses are likely to want the remote phone handset to act as a seamless part of the corporate phone system, so we are assuming the remote handset is fully managed by a corporate SIP server.

Example Configuration

  • The FortiGate unit is operating in NAT/Route mode with NAT enabled.
  • Phone A (CounterPath X-lite 3.0 build 41150) is on the internal network and needs to register to the SIP server.
  • Phone B (CounterPath X-lite 3.0 build 41150) is on the DMZ network and needs to register to the SIP server.
  • The SIP server (sip.server.net.au) is on the Internet.

There are four steps required to provide a secure configuration:

  1. Create a protection profile and enable the SIP proxy.

  2. Create a Firewall Address object for the SIP server.

  3. Configure the firewall policy to allow Phone A to register to the SIP server.

  4. Configure the firewall policy to allow Phone B to register to the SIP server.

To create a protection profile and enable the SIP proxy

  1. Go to Firewall > Protection Profile.

  2. Select Create New.

  3. Enter SIP as the profile name.

  4. Select VoIP.

  5. Select the SIP checkbox.

  6. Select OK.

Defining the protection profile with SIP and SCCP checked enables you to monitor how many VoIP calls are being placed on your network. This protection profile also helps protect your network from being flooded with fake REGISTER and INVITE requests, which is useful for preventing denial of service (DoS) attacks against your VoIP server and/or provider.


To create a Firewall address object for the SIP Server

  1. Go to Firewall > Address.

  2. Select Create New.

  3. Enter SIP Server as the address name.

  4. Select Type FQDN.

  5. Enter sip.server.net.au as the FQDN.

  6. Select OK.

The FortiGate firewall supports FQDN (Fully Qualified Domain Name) objects, so you do not have to rely on IP addresses in your policies; IP addresses may change.

To configure the firewall policy for Phone B to register to the SIP server

  1. Go to Firewall > Policy and select Create New.

  2. Configure the policy as follows:

  3. Select OK.


By defining the SIP service in the policy, the FortiGate automatically opens and closes the ports that are necessary to operate a secure SIP channel and the associated voice (RTP) streams. In addition, the SIP protection profile provides the security for SIP-based communications.

To configure the firewall policy for Phone A to register to the SIP server

  1. Go to Firewall > Policy and select Create New.

  2. Configure the policy as follows:


  3. Select OK.
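The same four steps expressed on the FortiGate CLI, as an added example that is not part of the original article. It is written in FortiOS 4.x-or-later syntax, where the VoIP part of the protection profile is a `voip profile`; the interface names (internal, dmz, wan1) and the REGISTER/INVITE rate-limit values are assumptions to adjust for your own site.

```text
# Step 1: VoIP profile with the SIP proxy enabled and flood limits.
# The rate limits are assumed values (requests per second); tune them to
# the number of handsets behind each policy.
config voip profile
    edit "SIP"
        config sip
            set status enable
            set register-rate 10
            set invite-rate 10
        end
    next
end

# Step 2: FQDN address object, so the policy survives an IP change of the PBX.
config firewall address
    edit "SIP Server"
        set type fqdn
        set fqdn "sip.server.net.au"
    next
end

# Steps 3 and 4: one policy per phone network, restricted to the SIP service
# and to the PBX address, with the VoIP profile applied.
# Assumed interfaces: Phone A on "internal", Phone B on "dmz", PBX via "wan1".
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "SIP Server"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
        set utm-status enable
        set voip-profile "SIP"
    next
    edit 0
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "SIP Server"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
        set utm-status enable
        set voip-profile "SIP"
    next
end
```

Keeping the destination pinned to the "SIP Server" object and the service to SIP means the phones can only reach the PBX, and the profile's rate limits cap how fast any one source can send REGISTER or INVITE requests through that policy.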
