TeleDynamics Think Tank

Fortify your telephony with Yeastar's security measures

Written by Daniel Noworatzky | Mar 6, 2024 7:11:31 PM

Security is an indispensable element of business communications systems, and Yeastar's telephony security features meet the elevated standards established by industry leaders. 

In this article, we delve into various common attack vectors that now target telephony systems and showcase the significant security capabilities of Yeastar's P-Series IP PBX and P-Series Cloud Edition to deal with such issues.

Does telephony need security?

As with all modern network services, security is necessary for telephony system deployments. In the past, we've seen how important it is for an organization to have a security policy for networks in general, security's role in protecting VoIP systems and networks, and methods to keep conversations confidential.

Telephony systems can become the target of malicious attackers from both inside and outside your organization. Toll fraud, denial of service (DoS), spoofing, and man-in-the-middle (MitM) attacks can devastate your telephone system, cost you money, and result in lost business. Additional attack vectors may also target users themselves, with tactics including phishing and vishing (voice phishing).

Regardless of the type of attack, Yeastar has the appropriate security features to ensure that your system remains safe and available.

Yeastar's appliance-based systems

Best practices for security depend on the type of system being used. For appliance-based systems, such as the P-Series IP PBXs, the telephony controller is physically located within the enterprise data center. Thus, the security measures Yeastar has implemented deal with protecting this system and the communications channels it creates with client devices. These security measures include the following:

  • Static defense rules: These rules control and filter traffic sent to the PBX based on IP addresses, domains, or MAC addresses. The P-Series has default static defense rules that accept connections from local network devices, auto-provisioned devices, and Yeastar servers. Administrators can set up additional rules to manage and fine-tune access policies.

  • Auto defense rules: These rules dynamically control and filter traffic based on the frequency of packets sent, preventing massive connection attempts (DoS attacks) or brute-force attacks.

  • IP blocking: The PBX system allows for blocking specific IP addresses known to be sources of malicious attacks, which can be managed through the system settings.

  • Outbound call frequency restriction: This feature limits the number of outbound calls over a specified period to prevent abuse of the phone system for unauthorized calls, helping minimize the damage incurred by toll fraud attempts.

  • Additional security options: These include fine-tuning auto defense, extension registration defense, and the ability to drop all but accepted IPs in static defense. There's also an option to drop IP ping requests and to download a continually updated global anti-hacking IP blocklist.

  • Certificates: The P-Series supports the TLS and HTTPS protocols for secure SIP messaging, with the ability to upload relevant certificates to the PBX.

  • Allowed country IPs and codes: These settings restrict access or calling to specific countries, which is helpful in preventing unauthorized international calls.

  • Separation of voice and data traffic: Using VLANs to separate voice and data traffic can enhance security by isolating different types of network traffic.

  • Voice trunk security parameters: These are settings to set up outbound route permissions, disallow anonymous incoming calls, and configure outbound restrictions to protect against unauthorized use.

Remember that any appliance-based system hosted on an enterprise's network is also subject to the security parameters set for the network in general. This includes firewall rules, contingency plans, and the data center's physical security and access control.
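The auto defense and outbound call frequency restriction items above both come down to counting events per source over a time window. The following is an added example, not Yeastar's code or configuration, that models both with one sliding-window counter. The thresholds, function names, and sample events are constructed assumptions, and the P-Series may count differently.

```python
from collections import defaultdict, deque

class SlidingWindow:
    """Counts events per key over the last `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)

    def hit(self, key, ts):
        """Record an event; return True while the key is within the limit."""
        q = self.seen[key]
        while q and ts - q[0] >= self.window:
            q.popleft()                  # forget events older than the window
        q.append(ts)                     # rejected events count too, so a
        return len(q) <= self.limit      # sustained burst stays throttled

def auto_defense(packets, limit, window):
    """Source IPs to block, in order of first violation. A blocked source
    stays blocked, as a drop rule would keep it."""
    rate, blocked = SlidingWindow(limit, window), []
    for ts, src in packets:
        if src not in blocked and not rate.hit(src, ts):
            blocked.append(src)
    return blocked

def outbound_restriction(calls, limit, window):
    """Call attempts rejected because the extension placed more than
    `limit` outbound calls within `window` seconds."""
    rate = SlidingWindow(limit, window)
    return [c for c in calls if not rate.hit(c[1], c[0])]

# Constructed sample data (documentation IP ranges, fictitious numbers).
PACKETS = sorted(
    [(i * 0.5, "203.0.113.50") for i in range(12)]      # burst of 12 in 6 s
    + [(t, "192.0.2.10") for t in (0, 20, 40)])         # normal phone
CALLS = sorted(
    [(t, "1001", "+1-555-0100") for t in range(0, 70, 10)]   # 7 calls in 60 s
    + [(5, "1002", "+1-555-0101"), (300, "1002", "+1-555-0102")])

if __name__ == "__main__":
    print("block:", auto_defense(PACKETS, limit=10, window=60))
    for ts, ext, dest in outbound_restriction(CALLS, limit=5, window=60):
        print(f"reject t={ts}s ext={ext} -> {dest}")
```

Because rejected attempts stay in the window, an extension that keeps dialing at the abusive rate remains throttled until its rate drops, which is the damage-limiting behavior the outbound restriction is meant to provide against toll fraud.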

Yeastar's cloud-based systems

The approach to security changes somewhat when employing cloud-based UCaaS systems. Although the philosophy for a particular level of security remains the same, many of the general network security responsibilities are transferred from the enterprise to the vendor that hosts the service.

The P-Series Cloud Edition is Yeastar's subscription-based UCaaS product and is built on rock-solid AWS services with certifications that include ISO 27001 and SOC2. Servers are globally distributed, with server clusters in different world regions, each containing a set of IP PBX clusters and session border controller (SBC) clusters. This arrangement results in the following capabilities:

  • Guaranteed 99.99% uptime: The P-Series achieves this uptime using multiple carrier-grade redundant servers across numerous global data centers.
  • N+1 high availability: Every data center is prepared with active-active SBC high availability and load balancing.
  • Hot standby failover: Full dual-server redundancy is implemented for each cloud PBX instance, with real-time mirroring and instantaneous failover.
  • 24/7/365 monitoring: Yeastar engineers monitor the network at all times, allowing issues to be immediately flagged and resolved.
  • Secure communications: TLS encryption and Secure RTP are two of the protocols used to ensure secure voice, video, and control channel communications.
  • Access and identity management: Features in this area include single sign-on, two-factor authentication, enforced strong password policies, and robust user role and permission management.

The enterprise's responsibilities

While Yealink's arsenal of high-tech, state-of-the-art security features is impressive, it can become ineffective if the enterprise does not take the appropriate security measures. This involves verifying that IP PBXs, phones, and software clients are consistently updated with the latest firmware and software published by Yeastar. It also includes addressing bugs and fixing discovered vulnerabilities.

Enterprises should also train their users to be security-conscious. This includes developing a set of behaviors and habits that mitigate the human factor and training users to craft strong passwords, securely manage credentials, and be aware of attack vectors involving social engineering. These typically include UCaaS scams and other similar activities, requiring frequent user training and periodic employee updates to be part of an enterprise's network security strategy.

Conclusion

The security-conscious and robust design of both the appliance-based and cloud-based telephony systems Yeastar offers demonstrates the company's commitment to providing a secure, multi-layered defense system.

All P-Series IP PBX services and systems safeguard business communications against various types of threats. When combined with a sound network security policy and periodic employee training, Yeastar's security features provide exceptional defense against virtually all attack vectors.
