[VOIPSEC] Need recommendations on voip pbx's
Muhammad Ali Syed
muhammad.ali.syed at ericsson.com
Fri Jan 18 09:37:49 CST 2008
I agree with Dan, let's leave this list clean from the vendors' marketing gimmicks :)
Probably we are better off by having only technology specific questions here
Best Regards
S. Muhammad Ali
Systems Manager
PDU IP PBX Mobility Solutions
Ericsson Enterprise AB
Business Unit Multimedia, Unit Enterprise
LM Ericssons väg 30
SE-126 25 Stockholm, Sweden
www.ericsson.com Office: +46 568 67 697
Fax: +46 8 719 5688
Mobile: +46 761263861
muhammad.ali.syed at ericsson.com
-----Original Message-----
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On Behalf Of Dan York
Sent: den 18 januari 2008 16:24
To: John Richards
Cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] Need recommendations on voip pbx's
John,
I expect you'll see a range of responses from folks here, either on-list or directly. Most all of the various IP-PBX vendors have someone subscribed to this list.
Since this list is focused on VoIP security, I don't know that it's really the right place to have an all-out "PBX faceoff". I can say that from a *security* point of view, if *I* personally were looking to buy an IP-PBX, I would probably ask questions like:
1. Can the system support encryption of voice (typically Secure RTP (SRTP)) and signaling (typically some form of TLS)?
2. Is encryption enabled by default? What has to be done to enable it? Is there a performance impact?
3. Is encryption available for all supported IP phones? Or is it limited to specific handsets?
4. How do the IP phones authenticate to the IP-PBX? Do they use certificates?
5. What services do the IP phones have running on them? (Some have web servers, SSH servers) Are those services necessary?
6. Can the IP phones be centrally managed and provisioned?
7. How are the software loads for the IP phones stored? Are they in the phones? Downloaded via TFTP? Encrypted?
8. How is the security of wireless IP handsets addressed?
9. How are management interfaces secured? APIs?
10. Do the IP phones have default passwords? Are they forced to be changed?
11. What kind of traditional PSTN security is available? i.e., toll fraud prevention, call restrictions, feature access restrictions
12. What operating systems do the IP-PBX and associated applications use? How up-to-date are they with patches? How do they handle that?
etc.
And the list can go on (and others on the list are welcome to add to what I listed). If a certain someone whose last name is York would get the Best Practices project re-started, we would have a nice document you could use to assess the security of various vendors. (Hoping to kick that off next week...)
Hmmm... maybe in addition to the Best Practices document we should have a "VoIP Security Buyer's Guide: Questions to ask your vendor" that is a page or two (and points to the Threat Taxonomy, Best Practices, etc.). What do people think?
Most all of the vendors I am aware of - Cisco, Avaya, Nortel, Mitel, Alcatel - all have systems that meet those questions to various degrees.
My 2 cents,
Dan
P.S. And I say all this realizing that the security considerations may all be thrown out the window at some customers if an executive happens to like a particularly sleek-looking phone.... :-)
On Jan 17, 2008, at 8:52 PM, John Richards wrote:
> Hello VoIPsec Mailing List,
>
> The company I work for is thinking about getting rid of our current
> PBX system (Meridian PBX) and are thinking about deploying a Voice over
> IP system. Our company has some small branches scattered around and we
> either want to deploy smaller PBX systems within each branch or setup
> the employees at each branch to somehow be remote workers. We are
> looking for a well-defined system with a good consumer base and a good
> support team. Our budget for this project has not yet been defined, but
> we are willing to spend the extra money to get a good and reliable
> system. I'm open to suggestions as I have been assigned the task of
> doing the research and giving my recommendation back to our
> management. I've done a bit of research already hence why I am asking
> this group for any recommendations and suggestions on vendors and
> technologies to use.
>
> Cheers,
> John Richards
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
--
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO Voxeo Corporation dyork at voxeo.com
Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com
Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com
Bring your web applications to the phone.
Find out how at http://evolution.voxeo.com