Multiple Levels of Security
The following security strategies are employed together to minimize opportunities to intercept, spoof, or hijack VoIP services. While the media stream is not encrypted, you may also choose to employ a VPN peering architecture to extend network security to your business to deliver a fully HIPAA compliant phone system.
Network Security
Firewalls are configured in multiple zones for tiered security. All public access to PeachComm CloudPBX applications and services traverses a demilitarized zone (DMZ) for added security.
Firewalls are also configured to only allow traffic specific to PeachComm CloudPBX applications and services. All other traffic is restricted.
Intrusion detection mechanisms: Inline prevention technologies take preventive action on a broad range of threats including Denial of Service DoS, without the risk of dropping legitimate traffic.
Network protection from policy violations, vulnerability exploitations, and anomalous activity is achieved through detailed inspection of traffic in Layers 2 through 7.
Multiple Firewalls
Intrusion Detection
Traffic Inspection
Device Configuration
We use HTTPS for configuration management which provides a method for encrypting file transmission.
For all device models that support it, we use dual certificate exchange. This means the client (phone) validates the servers certificate AND the server validates the client's (phone's) certificate. Each client (phone) is loaded with a vendor provided certificate.
For all devices using DMS, the configuration server requires user authentication to obtain configuration file information
Call Processing
We use SIP authentication for Registrations, and our SBC's enforce source IP and port matching so that calls cannot be placed from any IP/port combination other than the one associated with the Registration. This greatly reduces the possibility of spoofing.
We use very long device specific alphanumeric SIP Authentication passwords. This password is system generated at the time devices are assigned to users.
We use SIP authentication for Invites.
Authorized Access
When phones are ported onto our service, they are flashed so that the default administrative password is changed. Passwords are not given to anyone outside of Engineering. This ensures the configuration on the phone is properly maintained.
We explicitly disable the HTTP server on the phones making it impossible for someone to exploit this interface to obtain sensitive configuration information.