Increasing the Security of the FVE Unit


The growing popularity of Voice over IP technology has lead to an increase in threats targeting the quickly growing technology. This recipe guides you through the process of ensuring the safety of your FortiVoice Enterprise unit (FVE).

 This recipe will protect you from the most common threats such as DoS attacks, service fraud, and unauthorized access attempts. The three primary methods to protecting your FVE is to protect the system with a firewall, harden the configuration of the system to take advantage of the existing security features and monitor the day to day operation of the system.

Using a Firewall

The first line of security is to place your FVE behind a firewall, such as the FortiGate unit, which supports a lot of VoIP features like SIP message rate limit, content inspection, and intrusion detection. 

Do not open static ports for media on the firewall. The firewall should only open ports that are needed for each conversation or demand. The firewall will open the single port for the FVE when needed and will close it when the VoIP call is terminated.

Restrict all non-administrative access to the FVE unit on the firewall. All unneeded services such as SSH, HTTP, HTTPS, SNMP, ICMP, and TELNET should be disable if possible. The less exposure to the internet, the less chance of a breach in security.

Hardening the FVE Configuration

The FVE features a variety of built-in security features.

Disable unnecessary access

  1. Go to System > Network > Routing.
  2. Double-click any public-facing interface.
  3. Deselect all check-boxes in the Access section of the Edit Interface panel.
  4. Select OK

Restrict administrative access and remove unused accounts

  1. Go to System > Admin > Administrator.
  2. Create a new account or edit an existing account.
  3. Restrict all trusted host entries to administrative hosts on your trusted private network. For example, if your FVE administrators log in only from the subnet, to prevent possibly fraudulent login attempts from unauthorized locations, you could configure that subnet in the Trusted Host #1, Trusted Host #2, and Trusted Host #3 fields.
  4. Enter a strong password and select OK.
  5. Remove any unused accounts.

Enforce stronger passwords by enabling all of the password options under System > Configuration > Options.

Configure trusted host extensions by going to PBX > User Privileged > User Privileged  and entering your internal network.

Monitoring the System Operation

Monitoring the system for anomalies on a regular basis helps prevent unwanted intrusions and keeps the system safe.

  1. Monitor call records, system, and voice related event logs. Pay close attention to system login attempts in the system event log, CDR and call reports and SIP register attempts.
  2. Audit your password strength regularly. A weak password is the most common security vulnerability.
  3. Enable alert email by going to Log Settings > Alert Email > Configuration and creating a new email account to send alerts to.
  4. Back up configuration regularly.