BroadConnect CVI – Security
BroadConnect is dedicated to investigating and correcting security vulnerabilities and preventing fraud relating to our telephony services.
A number of security strategies are employed (see the following sections) that work in tandem to minimise opportunities to intercept, spoof, or hijack VoIP [Voice over Internet Protocol] services and phone systems. SPs may also choose to employ a VPN peering architecture to extend network security to the user’s site. BroadCloud supports a variety of data interconnection methods for access to customer premise equipment (Network Access). The methodologies supported include Internet-based connectivity, connectivity via Managed Internet, or connectivity via Virtual Private Networks (VPNs). There are multiple levels of security built into BroadCloud. These can be broken down into the following areas:
The following network security measures prevent unauthorized access to user media and control traffic, and include intrusion detection and prevention mechanisms, especially for mobile VoIP providers.
- Firewalls are configured in multiple zones for tiered security. All public access to BroadCloud applications and services traverses a demilitarised zone (DMZ) for added security.
- Firewalls are configured to only allow traffic specific to BroadCloud applications and services. All other traffic is restricted.
- Network protection from policy violations, vulnerability exploitations, and anomalous activity is achieved through detailed inspection of traffic in ISO Layers 2 through 7.
Intrusion detection mechanisms include inline prevention technologies that take preventive action on a broad range of threats including Denial of Service (DoS), without dropping legitimate traffic.
Call processing measures restrict communications to only authorized end users, and help prevent spoofing. BroadCloud provides the following measures:
- SIP authentication for Registrations
- SBCs enforce source IP and port matching so that calls cannot be placed on any IP/port combination other than the one associated with the Registration.
- Very long, device-specific alphanumeric SIP Authentication passwords. This password is system generated by the Rialto system at the time devices are assigned to users.
- SIP authentication for Invites.
- Security features configured in the SBCs that will block calls if the source IP and port don’t match the IP and port associated with the registration, or blacklist IP addresses sending in too many failed attempts in a short period of time.
Device Configuration and Security
Device configuration policies minimise opportunities for the misuse or hijacking of end-user devices. All CPE web configuration access is disabled to avoid attempts to “hack” CPE devices. Devices download their configuration file via HTTPS and are authenticated with the device management platform. Additionally, administrative access to all customer devices is limited to BroadCloud personnel only. We have also strengthened the admin password on all phones: passwords are stronger (character length, mixed use of numbers and uppercase) and randomly generated, unique to each phone, to address any potential security vulnerabilities which could lead to user spoofing and ultimately fraudulent call activity.
Other Security Measures
When phones are ported onto our service, they are flashed so that the default administrative password is changed; this ensures that the configuration on the phone is properly maintained. We explicitly disable the HTTP server on the phones so that it is not possible for someone to exploit this interface to obtain sensitive configuration information.
Privilege-Based Account and Access Control
BroadCloud account and access privileges are based on a hierarchical system, with permission granularity ranging from Site Administrators through End-Users. Configuration and administration portals are restricted based on specific business functions and permissions assigned to each user; for example, end users can only access their own information. Administrators are also limited to managing information for specific sites and data types for which they have been authorized. Each account has distinct credentials, authentication vectors, and permission sets. Business directory information is made available to users that have been properly authenticated to a management or client portal.
Data Center Security
BroadCloud partners with Tier 4 Data Centre operators with years of experience in design, implementation, and operation of large-scale, secure Data Centres. These facilities provide physical, environmental and access security, protecting BroadCloud’s physical and virtual call routing application environments.
- 24×7 On-site security personnel
- Nondescript and unmarked facilities with natural boundary protection
- Silent alarm system with automatic notification to local law enforcement
- Building code compliance to local governmental standards
- Fully redundant HVAC facilities
- Automatic Fire suppression systems, dual alarmed (heat/smoke), dual interlock with cross-linked event management
- N+1 redundant UPS power system supports Datacenter capacity, with redundant backup generators
- Biometric scanning and/or 2-factor authentication for access
- All ingress/egress through vestibules (man-traps)
- Access requires valid government-issued photo ID, and all access history is recorded for audit purposes
BroadCloud solution specific fraud prevention and detection mechanisms include:
- Detailed reporting mechanisms that can be used to track service and network utilization. This information is regularly analysed to identify suspect usage patterns for further investigation. For example, the CDR feed provided to the service provider could be used for offline fraud analysis.
- Portals which limit access to information based on specific business functions and permissions assigned to each user or SIP line.
- Strengthened admin password policy management on all phones. This increases the strength of the password and addresses a potential security vulnerability which could lead to user spoofing and ultimately to fraudulent call activity.
- Disabling HTTP/HTTPS interfaces on the IP Phones to lock them down and prevent unauthorized access.
- Additional security features configured in the SBCs that will block calls if the source IP and port don’t match the IP and port associated with the registration.
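The SBC checks listed under call processing and repeated in the fraud prevention list above (source IP/port matching against the registration, and blacklisting addresses after repeated failed attempts) can be modelled as follows. This is an added illustration, not BroadCloud or SBC vendor code; the class and method names are hypothetical, and the threshold of 5 failures in 60 seconds is an assumption, since the page gives no figures.

```python
from collections import defaultdict, deque

# Assumed thresholds; the page gives no numbers.
MAX_FAILURES = 5
WINDOW_SECONDS = 60

class RegistrationGuard:
    """Toy model of the SBC checks: source binding plus failure-based blacklist."""

    def __init__(self):
        self.bindings = {}                  # SIP user -> (ip, port) from REGISTER
        self.failures = defaultdict(deque)  # source ip -> failure timestamps
        self.blacklist = set()

    def auth_failed(self, ip, now):
        """Record a failed SIP authentication; blacklist the IP on a burst."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                     # keep only failures inside the window
        if len(q) >= MAX_FAILURES:
            self.blacklist.add(ip)

    def register(self, user, ip, port, auth_ok, now):
        """Handle REGISTER: bind the user to its source only after auth succeeds."""
        if ip in self.blacklist:
            return "blocked: blacklisted"
        if not auth_ok:
            self.auth_failed(ip, now)
            return "rejected: auth failed"
        self.bindings[user] = (ip, port)
        return "registered"

    def invite(self, user, ip, port, auth_ok, now):
        """Handle INVITE: source must equal the registered ip/port, then auth."""
        if ip in self.blacklist:
            return "blocked: blacklisted"
        if self.bindings.get(user) != (ip, port):
            return "blocked: source mismatch"
        if not auth_ok:
            self.auth_failed(ip, now)
            return "rejected: auth failed"
        return "allowed"

if __name__ == "__main__":
    g = RegistrationGuard()  # constructed sample traffic, documentation addresses
    print(g.register("alice", "192.0.2.10", 5060, True, now=0))
    print(g.invite("alice", "198.51.100.7", 5060, True, now=1))
```

Because the binding is checked before authentication on INVITE, a request carrying valid credentials from an unregistered address or port is still refused.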