[VOIPSEC] Need recommendations on voip pbx's
Dan York
dyork at voxeo.com
Fri Jan 18 09:24:07 CST 2008
John,

I expect you'll see a range of responses from folks here, either on-list
or directly. Most all of the various IP-PBX vendors have someone
subscribed to this list.

Since this list is focused on VoIP security, I don't know that it's
really the right place to have an all-out "PBX faceoff". I can say
that from a *security* point of view, if *I* personally were looking
to buy an IP-PBX, I would probably ask questions like:

1. Can the system support encryption of voice (typically Secure RTP
(SRTP)) and signaling (typically some form of TLS)?
2. Is encryption enabled by default? What has to be done to enable
it? Is there a performance impact?
3. Is encryption available for all supported IP phones? Or is it
limited to specific handsets?
4. How do the IP phones authenticate to the IP-PBX? Do they use
certificates?
5. What services do the IP phones have running on them? (Some have
web servers, SSH servers) Are those services necessary?
6. Can the IP phones be centrally managed and provisioned?
7. How are the software loads for the IP phones stored? Are they in
the phones? Downloaded via TFTP? Encrypted?
8. How is the security of wireless IP handsets addressed?
9. How are management interfaces secured? APIs?
10. Do the IP phones have default passwords? Are they forced to be
changed?
11. What kind of traditional PSTN security is available? i.e., toll
fraud prevention, call restrictions, feature access restrictions
12. What operating systems do the IP-PBX and associated applications
use? How up-to-date are they with patches? How do they handle that?
etc.

And the list can go on (and others on the list are welcome to add to
what I listed). If a certain someone whose last name is York would
get the Best Practices project re-started, we would have a nice
document you could use to assess the security of various vendors.
(Hoping to kick that off next week...)

Hmmm... maybe in addition to the Best Practices document we should
have a "VoIP Security Buyer's Guide: Questions to ask your vendor"
that is a page or two (and points to the Threat Taxonomy, Best
Practices, etc.). What do people think?

Most all of the vendors I am aware of - Cisco, Avaya, Nortel, Mitel,
Alcatel - all have systems that meet those questions to various degrees.

My 2 cents,
Dan

P.S. And I say all this realizing that the security considerations
may all be thrown out the window at some customers if an executive
happens to like a particularly sleek-looking phone.... :-)

On Jan 17, 2008, at 8:52 PM, John Richards wrote:
> Hello VoIPsec Mailing List,
>
> The company I work for is thinking about getting rid of our current PBX
> system (Meridian PBX) and are thinking about deploying a Voice over IP
> system. Our company has some small branches scattered around and we either
> want to deploy smaller PBX systems within each branch or setup the employees
> at each branch to somehow be remote workers. We are looking for a
> well-defined system with a good consumer base and a good support
> team. Our budget for this project has not yet been defined, but we are
> willing to spend the extra money to get a good and reliable system. I'm open to
> suggestions as I have been assigned the task of doing the research and
> giving my recommendation back to our management. I've done a bit of research
> already hence why I am asking this group for any recommendations and
> suggestions on vendors and technologies to use.
>
> Cheers,
> John Richards
--
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO Voxeo Corporation dyork at voxeo.com
Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com
Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com
Bring your web applications to the phone.
Find out how at http://evolution.voxeo.com