Here is our advice for a secure and well-functioning configuration of beroNet VoIP Gateways:
beroNet VoIP Gateways ship with the default credentials “admin / admin”. This is well known and written in our documentation, which is available online. It is therefore very important to change the password and set a strong one.
To set up strong passwords, you can use this tool: http://passwordsgenerator.net/
bfdetect lets you find and manage the IP settings of beroNet VoIP Gateways on your network. It should be used once and then deactivated, so that nobody else can use it to change those settings. To deactivate it, navigate to “network settings” under “preferences+” and click the option “Disable bfdetect”.
Use an HTTPS connection
HTTPS is an important part of VoIP security. To have an encrypted connection to your gateway, including from the LAN, we advise you to use HTTPS. The gateway uses a self-signed certificate, so you need to add it to your browser's exceptions. HTTPS should be used whenever possible. Among other things, it prevents attackers from capturing your credentials when you log in.
Gateway behind a firewall
A VoIP Gateway is more secure when it is placed behind a firewall and only accessible from the LAN. NAT and firewall rules must then be set so that it still works properly. In an all-IP scenario, for example, port forwarding for port 5060 and the RTP port range must be configured in the router. Port forwarding should be done securely: the ports the gateway listens on (5060 for SIP, for example) should not be exposed under the same port numbers on the WAN side.
With such a configuration, attacks can only come from the LAN. To prevent them, an ACL can be configured (see below). If the gateway needs to be reachable from the Internet, an ACL must be configured.
ACLs are an important part of VoIP security. Access to the gateway can be limited to certain IP addresses with this tool. To configure the ACL, navigate to “Preferences+ → ACL”. The configuration of this VoIP security mechanism depends on whether or not the gateway is behind a firewall.
Gateway behind a firewall
If the gateway is behind a firewall, it is already fairly safe and ACLs are not always necessary. They can still be used to prevent attacks coming from the LAN.
ACLs can be used to prevent anybody but the administrator from accessing the gateway. By default, anybody on the LAN can access beroNet VoIP Gateways. To change this, simply deactivate the option at the bottom of the page.
You can then allow only specific IPs to access the gateway's services.
Gateway on the Internet
If your beroNet VoIP Gateway is directly accessible from the Internet, we strongly advise you to set an ACL to limit access to your device. The rule should be: only open to the outside what needs to be opened.
In principle, only the SIP port (or the SIP-TLS port) should be open and everything else closed. The ACL configuration could then look like this:
By default, SSH is not activated. beroNet Support might ask for SSH access to the gateway. Once our help has been received, the access needs to be deactivated again. This can be done under “Preferences+ → Security”.
Change default SIP bind port
For even more security, we also advise changing the default SIP bind port of the beroNet VoIP Gateway from 5060 to another one. To do so, navigate to “SIP+ → SIP General” and change the “Bind Port”:
Do not forget this change when configuring the NAT rules on your router.
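As an added example (not part of beroNet's documentation or software), the following Python script models the advice above on default credentials, bfdetect, HTTPS, SSH, port forwarding, the ACL and the SIP bind port as a single audit over a hypothetical configuration dictionary. The key names, the LAN range, the passwords and the port numbers in the two samples are assumptions and not beroNet's export format; an ACL entry whose source lies outside the LAN is flagged when it opens anything other than the SIP or SIP-TLS port.

```python
import ipaddress

SIP_PORTS = {5060, 5061}  # SIP and SIP-TLS: the only services that belong open towards the WAN

def acl_allows(acl, src_ip, port):
    """Deny by default: True only if some ACL entry admits src_ip to port."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(e["source"]) and port in e["ports"] for e in acl)

def audit(cfg):
    """Return the hardening findings for one gateway config (hypothetical key names)."""
    findings = []
    if (cfg["username"], cfg["password"]) == ("admin", "admin"):
        findings.append("default credentials admin/admin still in use")
    if cfg["bfdetect_enabled"]:
        findings.append("bfdetect still enabled; disable it once the IP setup is done")
    if not cfg["https_only"]:
        findings.append("web interface still reachable over plain HTTP")
    if cfg["ssh_enabled"]:
        findings.append("SSH still enabled; deactivate it once support is finished")
    if cfg["sip_bind_port"] == 5060:
        findings.append("SIP bind port is still the default 5060")
    for fw in cfg["port_forwards"]:  # router NAT rules: WAN port -> gateway port
        if fw["external"] == fw["internal"]:
            findings.append(f"WAN port {fw['external']} forwards to the same internal port")
    if cfg["internet_exposed"] and not cfg["acl"]:
        findings.append("reachable from the Internet with no ACL configured")
    lan = ipaddress.ip_network(cfg["lan"])
    for e in cfg["acl"]:  # entries whose source lies outside the LAN may only open SIP
        extra = set(e["ports"]) - SIP_PORTS - {cfg["sip_bind_port"]}
        if extra and not ipaddress.ip_network(e["source"]).subnet_of(lan):
            findings.append(f"ACL entry {e['source']} opens non-SIP ports {sorted(extra)} from outside the LAN")
    return findings

# Constructed sample: a gateway left near factory settings and put directly on the Internet.
WEAK = {"username": "admin", "password": "admin", "lan": "192.168.1.0/24",
        "bfdetect_enabled": True, "https_only": False, "ssh_enabled": True,
        "sip_bind_port": 5060, "internet_exposed": True,
        "port_forwards": [{"external": 5060, "internal": 5060}],
        "acl": [{"source": "0.0.0.0/0", "ports": [80, 443, 5060]}]}

# Constructed sample: the same gateway after following this guide (all values made up).
HARDENED = {"username": "admin", "password": "c0rrect-h0rse-b@ttery-st@ple", "lan": "192.168.1.0/24",
            "bfdetect_enabled": False, "https_only": True, "ssh_enabled": False,
            "sip_bind_port": 5080, "internet_exposed": True,
            "port_forwards": [{"external": 52080, "internal": 5080}],
            "acl": [{"source": "0.0.0.0/0", "ports": [5080]},
                    {"source": "192.168.1.10/32", "ports": [443]}]}
```

Running audit(WEAK) lists seven findings, one per piece of advice above, while audit(HARDENED) returns an empty list; acl_allows shows that the hardened ACL admits an Internet host only to the moved SIP port.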