FortiVoice Best Practices: Securing Your Phone System


As the world of communications expands, so too do the potential risks administrators must handle. Customers are continuously warned about criminal activity that targets phone systems of all brands for fraudulent use. Thankfully, FortiVoice systems have always included a number of built-in security features that prevent fraudulent and unauthorized use.

The following recipe provides an extensive list of best practices to maximize the safety of your system. 

As with network security in general, network protection for the phone system should always be managed by a FortiGate. For best practices on configuring your FortiGate for voice, see the Configuring FortiGate for FortiVoice Best Practice recipe.

The first step is always ensuring you have the latest software running on your FortiVoice system to take advantage of the latest features and enhancements that are available to you.  

Changing the Default Ports

Many of the system defaults are there to make life easy for you. However, if you are supporting external extensions, VoIP trunks or Office Peers over the Internet, it is recommended to change the default external ports.

To change these ports:

  1. Go to Phone System > Advanced Settings > SIP and expand the Networks tab.
  2. External SIP UDP port – this is the default signalling port used for external extensions, VoIP trunking and Office Peers. Choose a 5-digit number and avoid 4-digit numbers such as 5065 or 5070, as those are used by other brands and are the port numbers most commonly scanned.
  3. External SIP TCP port – this is the default signalling port used for the FortiFone softclient. Choose a 5-digit number.
  4. External HTTPS port – this port is used to access the user portal and is used by the FortiFone softclient for access to voicemail and features. Choose a 5-digit number, again avoiding obvious ones such as 1443.
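The rules in the three steps above are easy to get wrong when picking ports by hand, so here is a small checker, added as an example and not FortiVoice code. It enforces what the recipe states (5-digit ports, none of the commonly scanned defaults it names, three distinct ports) and can also pick a compliant set at random. Treating 5060 and 5061 as commonly scanned alongside the ports the recipe names is an assumption made for the example.

```python
"""Check and pick external FortiVoice ports following the recipe's rules.

Added example, not FortiVoice code. The recipe names 5065, 5070 and 1443 as
ports to avoid; adding the standard SIP ports 5060/5061 is an assumption.
"""
import secrets
from typing import Dict, List

COMMONLY_SCANNED = {1443, 5060, 5061, 5065, 5070}  # 5060/5061 are an assumption
FIVE_DIGIT_MIN = 10000   # smallest 5-digit port number
PORT_MAX = 65535         # largest valid TCP/UDP port


def port_problems(sip_udp: int, sip_tcp: int, https: int) -> List[str]:
    """Return the rule violations for the three external ports (empty list = OK)."""
    problems = []
    chosen = {
        "External SIP UDP": sip_udp,
        "External SIP TCP": sip_tcp,
        "External HTTPS": https,
    }
    for name, port in chosen.items():
        if not FIVE_DIGIT_MIN <= port <= PORT_MAX:
            problems.append(f"{name} port {port} is not a 5-digit port (10000-65535)")
        if port in COMMONLY_SCANNED:
            problems.append(f"{name} port {port} is a commonly scanned default")
    if len(set(chosen.values())) != len(chosen):
        problems.append("two or more external ports are identical")
    return problems


def pick_ports() -> Dict[str, int]:
    """Pick three distinct random 5-digit ports that pass port_problems()."""
    span = PORT_MAX - FIVE_DIGIT_MIN + 1
    while True:
        ports = [secrets.randbelow(span) + FIVE_DIGIT_MIN for _ in range(3)]
        if not port_problems(*ports):
            return dict(zip(("sip_udp", "sip_tcp", "https"), ports))


if __name__ == "__main__":
    # The factory-style choice fails every rule; the second set passes.
    print(port_problems(5060, 5070, 1443))
    print(port_problems(23456, 34567, 45678))
    print(pick_ports())
```

Run it once with the ports you intend to configure; an empty list means the choice follows the recipe.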

Changing the Default Passwords

Many of the default passwords are too simple and are therefore more susceptible to compromise. Let’s take the time now to change the passwords to something more secure.

Admin Password

Establish a more secure admin password on the system:

  1. Go to System > Admin > Administrators.
  2. Select admin and then select Edit.
  3. Select Change password.

Administrator PIN 

The Administrator PIN allows the owner of the PIN to change extension assignments and modes from any phone or auto attendant. To change the default PIN:

  1. Go to Phone System > Advanced Setting > Miscellaneous.
  2. Enter a new Administrator PIN in the PBX Setting section.

Call Bridge (DISA)

The Call Bridge feature allows callers to make outgoing calls from the auto attendant. If enabled, this feature should be configured to require an account code. To set an account code:

  1. Go to Call Features > Auto Attendant.
  2. Select Advanced.
  3. Select the Account code to use for Call Bridge (DISA) or create a new one by selecting New.

Default user PIN 

The default user PIN is 123123 and should be changed:

  1. Go to Phone System > Settings > Options.
  2. Enter a new Default user PIN in the Default Setting section. Either select “Specified” and enter your own PIN or “Generated” to generate a random PIN. 

Password Policy 

Set a password policy that requires upper and lower case letters and a mix of letters and digits for admin passwords and SIP passwords, to avoid passwords that are easy to guess. To configure the password policy:

  1. Go to System > Configuration > Options.
  2. Expand the Password / PIN policy. 
  3. Select Enable and configure accordingly.

PIN Policy

Set a PIN policy with PIN special enabled, which allows the use of * and # in PINs. To configure a PIN policy:

  1. Go to System > Configuration > Options.
  2. Under Password / PIN policy select PIN special.
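To make the policy sections concrete, here is an added example (not FortiVoice code) that checks a candidate admin or SIP password against the rules the recipe describes, checks a user PIN against a PIN policy with or without PIN special, and generates a random PIN from the OS CSPRNG in the spirit of the “Generated” option. The minimum lengths and the helper names are assumptions; the default PIN 123123 comes from the recipe.

```python
"""Password / PIN policy checks and random PIN generation.

Added example, not FortiVoice code. The rules are the ones the recipe describes
(upper + lower case, letters and digits, PIN special allowing * and #); the
minimum lengths are assumptions chosen for the example.
"""
import secrets
import string

MIN_PASSWORD_LEN = 12        # assumption
MIN_PIN_LEN = 6              # assumption; the default user PIN 123123 is 6 digits
DEFAULT_USER_PIN = "123123"  # from the recipe
PIN_SPECIAL = "*#"           # the characters PIN special permits


def password_policy_problems(password: str) -> list:
    """Return violations of the admin/SIP password policy (empty list = compliant)."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


def pin_policy_problems(pin: str, pin_special: bool = True) -> list:
    """Return violations for a user PIN; pin_special allows * and # alongside digits."""
    allowed = set(string.digits) | (set(PIN_SPECIAL) if pin_special else set())
    problems = []
    if len(pin) < MIN_PIN_LEN:
        problems.append(f"shorter than {MIN_PIN_LEN} characters")
    bad = sorted(set(pin) - allowed)
    if bad:
        problems.append(f"disallowed characters: {''.join(bad)}")
    # Reject the factory default and single-character PINs outright.
    if pin == DEFAULT_USER_PIN or len(set(pin)) == 1:
        problems.append("trivial or default PIN")
    return problems


def generate_pin(length: int = 8, pin_special: bool = True) -> str:
    """Generate a random PIN with secrets (CSPRNG) that satisfies pin_policy_problems()."""
    alphabet = string.digits + (PIN_SPECIAL if pin_special else "")
    while True:
        pin = "".join(secrets.choice(alphabet) for _ in range(length))
        if not pin_policy_problems(pin, pin_special):
            return pin


if __name__ == "__main__":
    print(password_policy_problems("OnlyLettersHere"))   # missing a digit
    print(pin_policy_problems(DEFAULT_USER_PIN))         # the default must go
    print(generate_pin())
```

Run the checks against passwords before handing them out; the generator is only a stand-in for the appliance's own “Generated” option, which should be preferred on the system itself.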

Office Peers 

To require authentication for inbound and outbound calls on office peer trunks:

  1. Go to Trunks > Office Peers > Office Peers.
  2. Select the office peer location and then select Edit.
  3. Enable Incoming and Outgoing authentication in the Authentication Setting.


Disabling Recommended Features

Many features are enabled by default to assist with the initial setup. After setup, however, we recommend disabling any features that you feel are unnecessary.

Generate default configuration 

After the initial setup, disable the “Generate default configuration” option. By disabling this feature, any request for a new phone will not have an automatic configuration file created for it:

  1. Go to Phone System > Advanced Setting > Auto Provisioning.
  2. Disable “Generate default configuration for unassigned” in the Auto Provisioning Setting section.

Vertical Service codes

Disable any service code that you do not use by going to Call Features > Feature Code > Vertical Service Code. The codes most worth reviewing are:

  • ** – Call Bridge
  • *15 – reset phone to unassigned by admin
  • *16 – reset phone to unassigned by user
  • *17 – assign phone to extension by admin
  • *18 – assign phone to extension by user

Configuring Settings

The settings above protect against external abuse. To add another level of protection, there are a number of settings you can enable to protect the system from internal abuse as well.

Call Restrictions 

Set restrictions based upon types of calls, such as blocking international and toll calls.  

  1. Go to Call Features > User Privileges > Call Restriction.
  2. Select the user privilege and select Edit.
  3. Select Call Restriction and configure accordingly.

Common phones 

Extensions that are placed in common areas, such as store floors and kitchens, should have the highest restriction levels, which include a PIN code to make calls. 

  1. Go to Call Features > User Privileges > User Privileges.
  2. Select the user privilege and select Edit.
  3. Expand the Call Restriction section.
  4. To enable the use of PIN codes for calls, click on the rule for the call type and select either allow with account code or allow with personal code.

Interface Access 

Any access methods that are not being used on the FortiVoice should be disabled. 

  1. Go to System > Network > Network.
  2. Select interface and select Edit.
  3. Disable any unused Access.

Phone provision protocol

Using HTTPS to provision FortiFones with the FortiVoice is recommended. To configure the phone provision protocol:

  1. Go to Phone System > Profiles > Location.
  2. Select the location profile and select Edit.
  3. Select HTTPS from the Phone provision protocol dropdown menu.

Prohibited Prefixes

Set which prefixes are blocked outright by the system regardless of user privilege, such as 900 and 976 numbers.

  1. Go to Phone System > Settings > Options.
  2. Configure System prohibited prefix.

Trusted Hosts for admin 

You can set the IP subnets that are allowed for administrators to log into the FortiVoice, locking down to only the local networks and restricting remote access to the system.  

  1. Go to System > Admin > Administrators.
  2. Select the admin and select Edit.
  3. Configure Trusted hosts.

Trusted Hosts for extensions 

You can set the IP subnets that are allowed for extensions to register to FortiVoice, locking down to only the local networks and restricting remote connection to the system.  

  1. Go to Call Features > User Privileges > User Privileges.
  2. Select the user privilege and select Edit.
  3. Expand the Advanced section and configure Trusted hosts.

Unused Administrators

Administrator profiles that are not in use should be removed. These can be found by going to System > Admin > Administrators. Select whichever administrator is not active and then select the Delete button.

Unused extensions 

Extensions that are no longer in use should be set to disabled to avoid unintentional use. This is managed under Extensions > Extensions > IP Extensions: disable whichever IP extension is not in use.

Verify SIP user agent

You can restrict phone registration to only allow phone requests that match the system configured phone type.   

  1. Go to Status > Dashboard > Console.
  2. Enter config system sip-setting <enter>.
  3. Enter set verify-user-agent enable <enter>.
  4. Type end.


Monitoring and Reporting

There are many tools within the FortiVoice system to help manage your security settings and help protect your system.

Admin alerts 

Administrators can be notified by email of system alerts that have detected suspicious activity, such as a SIP attack. 

  1. Go to Log & Report > Alerts > Configuration.
  2. Select New and add the administrator email address.
  3. Select Create.
  4. Go to Log & Report > Alerts > Categories.
  5. Select Massive SIP authentication failure.
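Three of the settings in this recipe (trusted hosts for extensions, verify SIP user agent, and the Massive SIP authentication failure alert) all concern who is registering to the system and from where. The following added example, which is not FortiVoice code and does not use its log format, shows the checks an administrator would run over exported registration events: sources outside the trusted subnets, successful registrations from a user agent other than the configured phone type, and bursts of authentication failures from one source. The key=value log layout, the sample lines, the trusted subnets, the expected user-agent prefix and the threshold are all constructed for the example.

```python
"""Review SIP registration events for the conditions this recipe's settings address.

Added example, not FortiVoice code or its log format. The log lines are
constructed in a made-up key=value layout; trusted subnets, expected
user-agent prefix and the failure threshold are assumptions.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumptions standing in for the settings the recipe describes.
TRUSTED_HOSTS = [ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_UA_PREFIX = "FortiFone"       # stands in for the configured phone type
FAILURE_THRESHOLD = 5                  # failures from one source within FAILURE_WINDOW
FAILURE_WINDOW = timedelta(minutes=1)

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) ext=(?P<ext>\S+) ua="(?P<ua>[^"]*)" result=(?P<result>\S+)$'
)

# Constructed sample: two normal phones, one scanner hammering several
# extensions from an Internet address, and one unexpected device that registered.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=192.168.10.21 ext=201 ua="FortiFone-370 1.0" result=ok
2024-05-01T10:00:05 src=192.168.10.22 ext=202 ua="FortiFone-370 1.0" result=ok
2024-05-01T10:00:09 src=203.0.113.7 ext=203 ua="unknown-ua" result=auth-failed
2024-05-01T10:00:10 src=203.0.113.7 ext=204 ua="unknown-ua" result=auth-failed
2024-05-01T10:00:11 src=203.0.113.7 ext=205 ua="unknown-ua" result=auth-failed
2024-05-01T10:00:12 src=203.0.113.7 ext=206 ua="unknown-ua" result=auth-failed
2024-05-01T10:00:13 src=203.0.113.7 ext=207 ua="unknown-ua" result=auth-failed
2024-05-01T10:00:40 src=192.168.10.30 ext=208 ua="Generic-SIP-Phone" result=ok
"""


def parse_log(log_text: str) -> list:
    """Parse the constructed log layout into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["src"] = ipaddress.ip_address(e["src"])
        events.append(e)
    return events


def is_trusted(addr) -> bool:
    """True if the address falls inside one of the trusted-host subnets."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in TRUSTED_HOSTS)


def review_sip_log(log_text: str) -> dict:
    """Return findings: untrusted sources, unexpected user agents, auth-failure bursts."""
    events = parse_log(log_text)
    untrusted = {str(e["src"]) for e in events if not is_trusted(e["src"])}
    # Verify SIP user agent would have refused these; flag any that got through.
    unexpected_ua = sorted(
        {(e["ext"], e["ua"]) for e in events
         if e["result"] == "ok" and not e["ua"].startswith(EXPECTED_UA_PREFIX)}
    )
    # Sliding window per source: report the first time the threshold is reached.
    failures = {}
    for e in events:
        if e["result"] == "auth-failed":
            failures.setdefault(e["src"], []).append(e["ts"])
    bursts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILURE_WINDOW:
                start += 1
            if end - start + 1 >= FAILURE_THRESHOLD:
                bursts.append((str(src), end - start + 1))
                break
    return {
        "untrusted_source": sorted(untrusted),
        "unexpected_user_agent": unexpected_ua,
        "auth_failure_burst": bursts,
    }


if __name__ == "__main__":
    for category, items in review_sip_log(SAMPLE_LOG).items():
        print(category, items)
```

On the sample, the scanner shows up both as an untrusted source and as an authentication-failure burst (which is what the alert category in step 5 is meant to catch), while extension 208 is the case the verify-user-agent setting addresses.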

Call Detail Reports

Run reports for blocked or denied call attempts, and review them for call types that should not be reaching the trunk.

  1. Go to Log & Report > Call Report > Call Report.
  2. Select Extension Report or Blocked calls.
  3. Select Generate.
  4. Use a Number search to check for 011 (International) calls.
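The Prohibited Prefixes, Call Restrictions and Call Detail Reports sections fit together: prohibited prefixes block a number regardless of privilege, call restrictions decide per privilege (allow, allow with a code, or deny), and the report is where you confirm what was actually blocked. The added example below, which is not FortiVoice code and does not use its report format, models that decision and runs it over a constructed CSV call detail report to list blocked calls and the international (011) attempts the recipe tells you to search for. The privilege names, the rule that 10 or more digits counts as a toll call, and the 1900/1976 variants of the prohibited prefixes are assumptions.

```python
"""Classify dialled numbers and review a call detail report for restricted calls.

Added example, not FortiVoice code or its report format. 900/976 (prohibited)
and 011 (international) come from the recipe; everything else marked below
is an assumption constructed for the example.
"""
import csv
import io

PROHIBITED_PREFIXES = ("900", "976", "1900", "1976")  # 1900/1976 are an assumption
INTERNATIONAL_PREFIX = "011"                           # the report check in the recipe
TOLL_MIN_DIGITS = 10                                   # assumption: 10+ digits is a toll call

# Per-privilege call restriction; "pin" = allowed only with an account/personal code.
PRIVILEGES = {
    "common-area": {"local": "allow", "toll": "pin", "international": "deny"},
    "standard":    {"local": "allow", "toll": "allow", "international": "pin"},
    "executive":   {"local": "allow", "toll": "allow", "international": "allow"},
}

# Constructed sample report; the 011 44 20 7946 number is a made-up UK number.
SAMPLE_CDR = """\
time,extension,privilege,dialled,code_entered
2024-05-01 09:12,201,standard,5551234,no
2024-05-01 09:20,208,common-area,12125551212,no
2024-05-01 09:31,208,common-area,12125551212,yes
2024-05-01 09:45,201,standard,01144207946000,no
2024-05-01 10:02,201,standard,01144207946000,yes
2024-05-01 10:15,305,executive,19005551000,no
"""


def classify(number: str) -> str:
    """Map a dialled string to prohibited / international / toll / local."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if digits.startswith(PROHIBITED_PREFIXES):
        return "prohibited"
    if digits.startswith(INTERNATIONAL_PREFIX):
        return "international"
    if len(digits) >= TOLL_MIN_DIGITS:
        return "toll"
    return "local"


def decide(privilege: str, number: str, code_entered: bool = False) -> str:
    """Apply the system prohibited prefix first, then the privilege's call restriction."""
    kind = classify(number)
    if kind == "prohibited":
        return "blocked"          # system-wide, no privilege can override it
    rule = PRIVILEGES[privilege][kind]
    if rule == "allow":
        return "allowed"
    if rule == "pin":
        return "allowed" if code_entered else "blocked"
    return "blocked"


def review_cdr(cdr_text: str) -> dict:
    """Return the blocked calls and every international attempt from a CSV report."""
    blocked, international = [], []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        kind = classify(row["dialled"])
        result = decide(row["privilege"], row["dialled"], row["code_entered"] == "yes")
        if result == "blocked":
            blocked.append((row["extension"], row["dialled"], kind))
        if kind == "international":
            international.append((row["extension"], row["dialled"], result))
    return {"blocked": blocked, "international": international}


if __name__ == "__main__":
    report = review_cdr(SAMPLE_CDR)
    print("blocked:", report["blocked"])
    print("international attempts:", report["international"])
```

The executive row shows why prohibited prefixes belong at the system level: even the least restricted privilege cannot dial a 900 number, and the blocked-calls list is where that shows up.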

SIP Password Auditor 

Run the SIP password auditor frequently to ensure SIP passwords for extensions are secure. It can be run by going to Phone System > Review > Password Auditor.
