X25 & X50 Security

Importance of security

Security is required on any system that connects to the Internet. Most XBLUE IP Telephone system servers are installed “behind” a router and are therefore very much protected; however even in this configuration preventative security measures should be deployed to ensure illicit access and use of your telephone system is not possible. It is your responsibility to secure your XBLUE DIY system against unwanted access. Case-In-Point: One actual case of fraudulent access caused the customer’s server to be hacked and over $2000 in telephone calls were generated by the perpetrator in just over 24 hours!

Security is important!

When to secure a system:

1. The best answer is always.
2. SIP Trunking – VoIP Trunking or Session Initiation Protocol Trunking is great for inexpensive use of the PSTN (Public Switched Telephone Network) but it is also a point of intercept that must be secured against hackers.
3. Remote Phones (these are phones deployed at other locations that use the Internet to connect to your XBLUE server)… XBLUE’s remote phones work wonderfully in most cases and provide a remote user experience that is identical to that of users where the XBLUE server is located. However this connection requires direct connection to the Internet and hence requires protection as well.

Use the following checklist to secure your XBLUE IP Telephone application server, if you have remote phones use the Inserted Remote Phone steps to ensure that they continue to function when loading new SW versions.

NOTICE:  Remote Phone Support for X25 & X50 is Unavailable for Systems Purchased After 12/31/2020.

Federal Laws regarding 911 compliance have changed with the introduction of Kari’s Law, which requires direct 911 dialing and notification capabilities from all extensions (phones) in a multi-line telephone systems. This affects all new X25 and X50 systems purchased after 12/31/2020. XBLUE QB & Cloud systems are unaffected.  Full details about Kari’s Law can be found at FCC.gov:  www.fcc.gov/mlts-911-requirements

End of Remote Phone Insert… following is the checklist for securing your server:

Make a backup

Before starting any programming procedure it is best to create a backup of the system database in case recovery is necessary. You’ll be advised to make a back up in a few checkpoints in this guide.

In the XBLUE IP Telephone Application Server:

1. Navigate to the Management – Settings – Backup
2. Click on the Backup Settings button (this will initiate a download of the XBLUE server database to your PC)
3. Save this database on your PC in a location where you will be able to retrieve it easily.

Change passwords used to access your server. (Change them all!)

The XBLUE Telephone Application Server has three administrative accesses

1. User
2. Support
3. Administration

However there are other passwords that must be changed as well:

1. Extensions (XBLUE IP Phone users) passwords used to authenticate IP Phones as allowed to use your XBLUE Telephone Application Server.
2. Voicemail (accessing your system is also possible via a regular telephone the DISA feature is turned on.)

Steps to change Admin Passwords:

1. Logged in as the Administrator, navigate to the Management – Access Control – Password page in the X25/50 administration and set each password to something other than the default (hackers will try that one first).
2. Input the current password
3. Input the new password
4. Input the new password again to confirm your input
5. BACKUP the database… repeat the steps to backup the database so that if you forget the passwords you’ve entered you will have something that can be used to retrieve them

Notes:

• Change the User password first… then change the Support password …then change the admin password
• When the admin password is changed it will be required to log in again using that password
• X50 servers previous to SW Version 10.4 had a very generic default password of 000000 (six zeros). This was improved in SW version 10.4 to be “admin” plus the last six characters of the server’s MAC Address
• X25 servers used the “admin” plus the last six characters of the MAC Address since the first iteration.
• X50 SW Version 11.4 and X25 SW Version 4.2 and above allow the login name to be changed… previously this was not possible.

Change the passwords that your phones use to authenticate to your XBLUE server.

The XBLUE IP Phones in your office and outside your office use a registration that authenticates their use on the XBLUE Telephone Application Server. If a hacker can guess (they use software that helps them guess – quickly) what your telephone’s authentication password is, they can register to your system and use it to make calls. You must change the registration passwords to protect against easy access.

1. Extensions (XBLUE IP Phone users) passwords used to authenticate IP Phones as allowed to use your XBLUE Telephone Application Server. Passwords can be up to 16 characters in length in SW version 10.4 (X50) and 4.2 (X25) and greater. It is not possible to use some punctuation so restrict password generating SW’s to provide only non-punctuation characters.
2. Voicemail (accessing your system is also possible via regular telephone access when set for certain features) These passwords are digits only since they must be entered from a telephone dial pad.

Steps to change Extension Passwords:

1. Logged in as the Administrator, navigate to:
   1. Voice – Phone – Registered Phone page
      1. Click on the Link to Phone button for each IP Telephone
      2. A new browser tab will open ad you must log into the IP Phone administration
         1. The IP Phone User Name is admin
         2. The IP Phone Password is 1234 (this password can be changed but it is not as critical as the SIP Registration password)
      3. In the IP Phone navigate to SIP and look for Authorized Password …this is what must be changed and matched to the server
      4. Use another browser tab and navigate to strongpasswordgenerator.com or random.org/passwords and generate a password for this IP Phone
      5. Copy the password generated to the PC Clipboard (Cntrl-C)
      6. Return to the IP Phone browser tab and paste this new strong password into the Authorized Password data field.
      7. Go to the bottom of the SIP page and click on Save Settings
   2. In the X25/50 server administration navigate to: Voice – Phone – Phone Extension page.
      1. Find the extension programmed above in the Phone Extension page
      2. Click on and replace the Password on this page with the password generated and pasted into the IP Phone SIP page.
      3. Click on Save Settings at the bottom of the page (if multiple phones are equipped, all may be input before the save procedure is completed)

Notes:

• IP Phones located in other locations must also have strong passwords. The person using the IP Phone at the remote office must set the password for that phone. This is easiest via the web page interface as in the above steps but the IP Address of the phone must be found on the network where the phone is installed. (Note: It is NOT possible to navigate to a phone on a different network using the Link to Phone button in the server Phone Extension page.)
  • X3030, press the “OK” button to view the IP Address of the telephone and input that IP Address into the browser address bar.
  • X2020
    • press the button below “MENU” in the display
    • Scroll down to 6. Info
    • Press the check mark
    • Scroll down to IP Address… use this IP Address in the browser address bar

Change the passwords used to access your user’s voicemail mailboxes.

Your IP Phone’s voicemail mailbox password should be changed to avoid unwanted access. The use of DISA (Direct Inward System Access) is a means for callers to use your X25/50 to place phone calls if they know the password. DISA is off at default and is best left off if not needed. If you use DISA at certain periods of the day, turn it on only when needed.

Steps to change Voicemail Passwords:

1. Logged in as the Administrator, navigate to:
   1. Voice – Voicemail – Phone Extension
   2. For each extension:
      1. Click on the Configure button
      2. Select the Password box and input a new unique password.
         Passwords can also be set from the voicemail box dial-in menu
      3. Click Save Settings
      4. Repeat for every Extension
   3. Voice – Voicemail – Virtual Extension
      1. Repeat the above for every virtual extension if there are any in use.

Steps to Turn OFF DISA:

1.  Logged in as the administrator, navigate to:
   1. Voice – Voicemail – General
   2.  Set DISA to Disable (this is the default setting)
   3. Click on Save Settings at the bottom of the screen.

Change the default Port and Engage the Firewall

The WAN Port is that “side” of the XBLUE Telephone Application server that “faces” the Internet when connected as the “edge device“. Being on the edge means that it is connected to the internet directly. In this mode of operation it is imperative that the Firewall be enabled and that the default Port of entry is changed.

Firewall

A Firewall is a function of security to eliminate unwanted network traffic (hacks). Firewalls are widely deployed and widely varied. Firewalls can be very specific and granular in their processes – those with the greatest capabilities are also usually VERY expensive and require routine maintenance. Firewalls restrict traffic using “Ports” and packet analysis.

The XBLUE Telephone Application server Firewall is a basic firewall that prohibits traffic based on ports by comparing the ports requested to those defined in the various Services lists:

• Management – Access Control – Service Port
  • Web Port
  • FTP Port
  • Telnet Port
• Voice – Phone – Phone Extension
  • SIP Port
• Voice – Trunk – IP Trunk
  • SIP Proxy Port
  • Outbound Proxy Port
  • Register Server Port
  • Outbound Registrar Port
  • Local SIP Port for IP Trunk
  • Local RTP Port for IP Trunk
• And the Ports Used by the X25/50

Services

Services are those access portals through which administration of your server is possible on various levels. In general turn OFF any access that is not required on the WAN (from outside the building – via the Internet). In SW versions prior to 4.2 (X25) and 10.6 (X50) Services allowed were selected by enabling and disabling them on each hardware interface (LAN port and WAN port). In version 4.2 and 10.6  an enhanced IP Addresses allowed table was implemented to select the various services allowed or not allowed per IP Address.

Ports

Ports have a default value that makes it easy to use from the factory – which makes it easy to find. A simple technique to avert malicious access to your telephone application server is to change the Port from the default to another thereby eliminating easy access by hackers attempting to access whatever system they “find” on the internet. E.g. the default HTTP port is 80. In my example I’ve changed this to 8850 (the new default for XBLUE servers). This means that this port number must be included in the IP Address bar to get a response from the server. (HINT: use a different number than our selected default – because hackers can read this too.) Read about Ports on wikipedia at: https://en.wikipedia.org/wiki/Network_address_translation

Turn on the Firewall

1. Logged on as the Administrator, navigate to Advanced Setup – WAN
2. Find the WAN Services – Enable Firewall and check the box
3. Scroll to the bottom of this page and click on Save Settings

Services

(SW Versions less than 4.2 and 10.6 (X25/50) newer versions place this function in the IP Addresses table)

1. Logged on as the Administrator, navigate to Management – Access Control – Services
2. Uncheck every box under WAN unless that service must be accessed from outside.
3. Scroll to the bottom of this page and click on Save Settings

Change the default ports

1. Logged on as the Administrator navigate to Management – Access Control – Service Port
2. For each systems access port change the port number to one that is NOT the default.
   1. Don’t use the ports we’ve used because hackers can read this security notice too
   2. Make NOTE of your Port Number selections YOU WILL NEED THEM
3. Scroll to the bottom of this page and click on Save and reboot

Notes:

1. Every webpage in the world has a default Port number of 80 therefore it is not necessary to stipulate the port number for general access allowed websites.
   1. E.g. It’s not necessary to stipulate port 80 when accessing Google.com …it’s assumed.
      (Try google.com:80 and you’ll still go to Google)
2. When the server reboots notice you will now have to put in the port number to access administration… notice in the example that we used the IP Address with “:8850” at the end to access administration. (10.0.0.2:8850)
   1. This test system (the example) is behind a router and hence has a private IP Address.

Firewall

Services

Port

Block everyone but you and your list of allowed people.

IP Address Filtering is one of the best techniques to ensure that only those people you want on your network get there.

The XBLUE Tel App servers IP Address Filter function was enhanced in version 4.2 (X25) and 10.6 (X50) to allow specific functions to be restricted/allowed per IP Address. Previously the implementation allowed for the blocking of the IP Address on an all or nothing basis.

For the examples below review the IP Addresses connected to your server by going to Device Info – Summary …find both the LAN IP Address and the WAN IP Address… these will become the basis for accessing administration.

NOTES:

1. It is possible to lock yourself out of administration with this function. Find your IP Addresses before making changes because they must be correctly input.
2. DO A BACKUP NOW… save the database since if you get locked out you will need to default the system to regain access. Having a backup now will enable you to get back to where you were before you got locked out.

Previous SW IP Address Allowed Table Programming

1. Logged on as the Administrator, navigate to Management – Access Control – IP Addresses
2. Click on the Add button (you must have one IP Address rule built before this function can be enabled).
3. Use the IP Addresses discovered from Device Info – Summary and input the allowed IP Addresses using the model below (but with your IP Addresses):
   

   Device Info IP Address	Input this IP Address	Effect
   (LAN) 192.168.10.1	192.168.10.0/24 (note “…0/24”)	Allows access by anyone on the Local Area Network (LAN)
   (WAN) 10.0.0.4	10.0.0.0/24 (note “…0/24”)	Allows access by any of 256 possible users on the Wide Area Network

   In the example table above the WAN users are potential hackers but the range from which they are allowed to access the system is restricted to 256 possible users compared to 4.3 Billion. (IPv4 possible unique IP Addresses). Further tightening is possible by narrowing the allowed Subnet… see IPv4 CIDR blocks on the CIDR page of Wikipedia.org for details.
   It is possible in this table to limit the access to the system to one single IP Address… e.g. your home office. Find the unique Public (Internet) IP Address of your home office using What Is My IP or similar internet search and input that IP Address instead of the IP Address input for the WAN port. (Be careful as this can change if it is not a “Static IP Address” stipulated and subscribed to you by your ISP.)
   Reference this example entry when the IP Address at your home office is 101.102.103.104:

   IP Addresses from which login will be allowed	Input this IP Address	Effect
   (LAN) 192.168.10.1	192.168.10.0/24	Allows access by anyone on the Local Area Network (LAN)
   101.102.103.104	101.102.103.104	Only this IP Address will have access to your XBLUE server.

4. Click on Save Settings
5. Now click Enable

Block everyone but you and your list of allowed people and what services they may access.

Newer Server SW IP Addresses Table Programming

1. Logged on as the Administrator, navigate to Management – Access Control – IP Addresses.
   You’ll find that the table already contains entries. These entries allow access based on the majority of installations and are not well protected for installations on the Internet.
   Notice the two entries on the existing two rows.
   1. The first is auto generated and associated to the LAN port… this entry will likely remain as is.
   2. The second is also auto generated to allow everything to work – including all of the 4.3 Billion Internet users. This one must be tightened up when the system is installed on the Internet.
      NOTE: A scheduled change on SW for both X25 & 50 will set the default of the WAN port to just the immediate Subnet (256 users)… this will aid greatly in tightening up the default configuration but still should be tightened further for the desired access level.
2. In the empty box that is at the bottom of this table input the IP Address of the WAN port exactly as it is listed in the auto generated entry EXCEPT for the last octet (number after last period ‘.’) For the last octet input zero, a forward slash and twenty-four (“0/24”). This will restrict access to just the 256 users on the same Subnet. Further tightening is possible by narrowing the allowed Subnet… see

   IPv4 CIDR blocks on the CIDR page of Wikipedia.org for details.

3. Click on the Add button… this saves this entry
4. Now click on the Up button for the entry just added so that it is listed above the auto-generated WAN entry. (This table is referenced top-down until a match is found.)
5. Now click off all boxes in the auto-generated WAN port entry that is now the BOTTOM line of the table.
6. Click on Apply.

Notes:

• Similar to the entry suggestion above, if only one IP Address is desired as allowed access that specific IP Address can be added to the table and moved above the auto-generated entry.
  The example above uses 101.102.103.104
  Input the IP Address only without “/x” to designate that IP Address alone.
• The remaining rules must be set to stop other traffic by unchecking the services for those entries.

WIFI is great – and its your network… restrict access to only those who should have access.

WIFI

Not even Google knows what Wi-Fi stands for but WLAN is the WIFI Alliance’s definition of WIFI (so WIFI = WLAN…ok)… the bottom line is; if your WIFI is showing everyone will notice. The steps to WIFI protection are simple:

1. Protect it
2. Hide it
3. Restrict it
4. Or better – Turn it OFF

SW Version 3.10 (X25) and 10.6 (X50) changed the default of the WIFI (WLAN) access point on the servers from OPEN (unprotected) to WPA2-PSK. The default value of wireless security was set to x61ue{25}[50]  . Since this is published, you should change this or turn off wireless entirely. Since there are so many wireless access points in use you may have several in operation already. Eliminating the WIFI-AP of the XBLUE server may be best.

Protect It:

If you want to use the WLAN Access Point of your XBLUE server, change its password (or set it… in older versions):

1. Logged on as the Administrator, navigate to Wireless – Security – XBN-GW-xxxxxx (where the x’s are the last six characters of the unit MAC Address).
2. Find Network Authentication and select WPA2-PSK if it is not already selected (or pick the security mode that matches your requirement).
3. A WPA Pre-Shared Key will be auto generated, click on Click here to displayit if you want to use this code or input your own code.
   This code will be required for any wireless device that you intend to connect to the XBLUE WIFI-WLAN Access Point.
4. Click on Apply/Save.

Hide It:

1. Logged on as the Administrator, navigate to Wireless – Basic – Primary.
2. Click on the box next to Hide Access Point.
3. Click on Apply/Save.
   Notice the before and after pictures of my PC’s available Wireless networks where the WIFI network “XBN-GW-C83534” was available for access and then when hidden does not show on the list.

Restrict It:

Even hidden, it is possible to connect to your WLAN (WIFI) AP (although very difficult) …if you use the wireless AP be specific about who may join. Every computer device that connects to a network has a unique identifier called a MAC Address. It is possible to restrict access to only those users you want on your network using the MAC Address.

1. Logged on as the Administrator, navigate to Wireless – Mac Filter.
2. The server allows you to restrict using either Allow or Deny… so you can allow only certain MAC Addresses (devices) to join the network or you can deny only those devices listed.
3. First click Add
4. Now input the device MAC Address exactly including the colons… in my example I input: 01:b0:fe:2a:90:fc
5. Continue inputting your devices onto the server until you’ve got them all input (assuming Allowed function)
6. Then select Allow
7. Click on Apply.

Shut it OFF

If you’re using another Access Point – secure it in the best way possible and turn off the WIFI (WLAN) of the XBLUE server.

1. Logged on as the Administrator, navigate to Wireless – Basic – Primary.
2. Uncheck the box next to Enable Wireless.
3. Click on Apply/Save.

Anyone that accesses the XBLUE server as the point of breach can only makes calls on that server that are allowed.

Consider the telephone numbers you call. If you call certain areas most, limit the allowed dialing patterns to those areas. If a hacker somehow gets into your system after all that you’ve done (assume its possible) you can stop them calling certain telephone numbers!

In the earlier versions of SW the default Call Routing table was simple – route everything. The default table was changed in versions 3.9 (X25) and 10.4 (X50) to allow a maximum of 11 digits and to attempt to route first to Group 2 (where IP Trunks are often placed).

If you have an older version, mimic the photos at the right to limit the calling to 11-digits.

An example is given below as how the tables might be programmed to route calls with the following conditions:

• No routing of calls that start with zero (0)
• No routing of calls that start with 900 or 1900
• Routing of 911 on Group 1 only
• Routing of any call (other than above) that is 10-digits in length
• Routing of any call (other than above) that is 11-digits in length

Older versions

versions 3.9 (X25) and 10.4 (X50)

Call Restriction is also possible.

Call Restriction monitors dialed-digit patterns as does Call Routing but Call Restriction is applied universally to all trunks.

Call Restriction may be helpful when certain calling patterns are desired but certain calls within those patterns are not. E.g. International calling may be desired but calls to China are not. The Call Routing Table can be made to route international calls while an entry in the Call Restriction Deny table of 01186 would eliminate that calling pattern.

The Tables are governed in the following manner (at default):

1. Digits dialed are compared first to the Deny Table – if matched in the Deny Table the call is stopped.
2. If not matched in the Deny Table the call and digits dialed are compared to the Allow Table.
3. If matched in the Allow Table the call is routed (processed/allowed)
4. If not matched in the Allow Table the call is stopped (denied).

See the defaults that are in the Call Restriction Tables. The parameters of these tables are:

• COS (Class Of Service) …all extensions are in COS 0 at default (Day & Night modes)
• Trunk Access is Y/N (yes and no) since the XBLUE server allows trunks (lines) to be accessed by pressing a Line button or by simply dialing then allowing the system to access the line for you, you can specify how the Call Restriction rule is to be applied… Trunk Accessed First Yes or No or Either way (Yes and No).

Call Restriction defines what calls can or cannot be made. (Call Restriction may not be required since Call Routing is an effective Call Restriction.)

Call Restriction programming:

1. Logged in as the administrator, navigate to Voice – Trunk – Call Restriction
2. Make changes as needed and click Add or Save if modifying existing entries

Station Message Detail Record

SMDR is a record of calls to and from extensions. This can be very helpful in determining the source of a hack (in addition to the advantage of managing users).

Turn on SMDR to keep track of extension calling activity.

1. Logged in as the administrator, navigate to Voice – System – SMDR
2. Click on the Configure button
3. Ensure that the mode is set for local collection (unless you have an external collection device).
4. Select the Type of calls to collect Incoming, Outgoing or both
5. Click Save Settings.

Do a backup!