In today's world, security risks are a concern when administering any phone system. Here are some common key phrases from end
users that may be an indication of a serious security problem:
"Our long distance carrier has informed us we made several international calls in a short period of time."
"We noticed our lines going off hook when no one appeared to be on the phone."
"Sometimes our system moves very slowly when connected to our computer network."
Toll Fraud is a common problem that may be avoided by following best practices. These include securing voice mailboxes and VoIP
extensions, as well as programming toll restriction. The following steps are suggested to help keep your DSX system secure.
- Set the voice mail mailbox type to “None” for extensions that are not being used.
Even if an extension does not physically exist, it can be programmed to have a mailbox. If the mailbox is active, features such
as External Notification can be used to compromise the system. The mailbox type is programmed as follows:
Stations > Config > IntraMail > Mailbox Type (2141).
- Make sure all users program their voice mail security code.
This is especially important for System Administrator mailboxes (extension 301 by default), since other mailbox security codes
can be erased from the System Admin Menu. For those users who do not want to have to enter their security code when accessing
their mailbox from their own phone, there is an option to only require it for outside calls. Mailbox security codes are set as follows:
Press the voice mail key, then from the mailbox main menu dial 67 (OP) for Mail Box Options, then 7 (S) for security code.
- Toll restrict unused extensions and voice mail ports from making international calls.
Since most hackers attempt international calls, it is important to apply toll restriction to all extensions, whether the system
physically has these extensions or not. If toll restriction is correctly applied, their calls will fail even if they have successfully
accessed your system.
1. Set a toll level to only block international calls as follows:
Lines > Toll Restriction > (Choose a Toll Level between 1-7) > Options > US/Domestic Options (3512)
Uncheck Allow 011+XXXX Dialing.
2. Apply this level to station ports as follows:
Station > Config > Setup > Access (2102)
Set the Day & Night Toll Level to what you set in step 1 above. (The default is 0, which allows all calls.)
3. Apply this level to voice mail ports (to block international calls from voice mail) as follows:
System > Voice Mail > Setup > Options (4111)
Set the Day & Night Toll Level to what you set in step 1 above.
- Do not have a password set on VoIP extensions you are not using or that are no longer in use.
By default the VoIP password field is blank, which disables VoIP for that station. This helps prevent unauthorized extensions
from registering with the system. To allow an IP phone to register with the system, a VoIP password must be programmed. VoIP
extension passwords are set as follows:
Stations > Config > Setup > VoIP (2106).
- Have a strong password for the VoIP Extensions you are using.
Even though another phone cannot connect to an extension when one is already registered to it, this will help keep someone
from registering to it if the phone loses its connection to the system. Do not use easy passwords such as 1111, 1234, or the
extension number of the phone such as 401. Use a mixture of numbers and upper/lower case letters.
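
The station-level checks above can be run as a periodic audit over an extension inventory. This is an added example, not NEC code or a DSX export format: the CSV columns, the sample rows, the "Subscriber" mailbox value and the choice of toll level 1 as the level that blocks 011 dialing are all assumptions.

```python
import csv
import io

# Constructed inventory an administrator might transcribe from the programming
# screens. Column names and values are assumptions, not a DSX export format.
SAMPLE = """ext,in_use,mailbox_type,toll_level,voip_password
301,yes,Subscriber,1,
305,no,Subscriber,0,
401,yes,None,1,401
402,yes,None,1,Tq7mZ4xR
410,no,None,1,Ab12cd34
"""

def weak_voip_password(ext, pw):
    """Apply the rules above: no easy codes, not the extension number,
    and a mixture of digits, lower case and upper case letters."""
    if pw in {"1111", "1234"} or pw == ext or len(set(pw)) == 1:
        return True
    return not (any(c.isdigit() for c in pw)
                and any(c.islower() for c in pw)
                and any(c.isupper() for c in pw))

def audit(text, blocking_levels=frozenset({"1"})):
    """Return (extension, finding) pairs. blocking_levels holds the toll
    levels that were programmed with 011 dialing unchecked (assumed: 1)."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        ext, used = row["ext"], row["in_use"] == "yes"
        pw = row["voip_password"]
        if not used and row["mailbox_type"] != "None":
            findings.append((ext, "unused extension has an active mailbox (2141)"))
        if row["toll_level"] not in blocking_levels:
            findings.append((ext, "toll level allows international calls (2102)"))
        if pw and not used:
            findings.append((ext, "VoIP password set on unused extension (2106)"))
        elif pw and weak_voip_password(ext, pw):
            findings.append((ext, "weak VoIP password (2106)"))
    return findings

if __name__ == "__main__":
    for ext, issue in audit(SAMPLE):
        print(ext, issue)
```
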
When using remote VoIP phones:
- One of the most secure types of connections is a hardware VPN.
VPNs are encrypted authenticated IP connections established between each site's routers. Data traffic between each site, including
VoIP traffic, traverses through a secure tunnel. When a VPN is used, port forwarding is not required and should be disabled.
- If VPN tunnels are not an option, use port forwarding from known IP addresses only.
If your site's router has this capability, change the forwarding rules for UDP port 5060 to only forward when the traffic is
from the public IP address of your known remote location. This will block traffic from any other public IP that may be attempting
to register to UDP port 5060. If the remote location does not have a static public IP address, this forwarding rule will need
to change if the remote site's IP changes.
- Keep your DSX system at the latest General Release.
New releases may contain additional security measures.
Remote programming requires a connection to the system via the System Admin port (8000 by default). This can be accomplished by using
a VPN connection or port forwarding as described in the previous section.
In addition, you should always change the default Installer Level Password (632379) and Administrator Level 1 password (9999)
to something different and secure.
* WHILE NEC CORPORATION OF AMERICA ("NEC") IS PROVIDING THESE TIPS AND GUIDELINES FOR AVOIDING TOLL FRAUD AND
SECURITY BREACHES IN DSX ("GUIDELINES"), NEC DOES NOT, IN ANY MANNER, WARRANT OR GUARANTEE THAT TOLL FRAUD, SECURITY BREACHES,
OR UNAUTHORIZED INTRUSIONS OF ANY KIND ("INTRUSIONS") WILL BE PREVENTED BY FOLLOWING THESE GUIDELINES AND NEC DOES NOT, IN ANY
MANNER, WARRANT OR GUARANTEE THAT INTRUSIONS WILL NOT OCCUR BY EITHER INTERNAL AND EXTERNAL PARTIES.
NEC Corporation of America