Is there an impenetrable phone system?

Status
Not open for further replies.

Kucher

IS-IT--Management
Nov 14, 2007
11
CA
Hi all!

I've posted a few questions before about our Nortel phone system. We are going to be shopping for a vendor that can offer a COMPLETELY secure phone system. What I am looking for is a system that has absolutely no back doors. For example on our current system, you can find instructions all over the net and this board on how to reset the System Manager password, the Operator password, mailbox password, how to enter debug mode and retrieve the config password, etc. Someone armed with this knowledge can infiltrate the office and have free rein of the system just by picking up a handset.

Does a secure phone system exist where these software shortcuts aren't available? Using the example I gave above, the system will reset to factory defaults by shorting out a capacitor/battery -- this option is acceptable because if this were to happen, it would be obvious, and it would also require physical access to the phone closet. Things like debug mode however and the existence of master reset passwords would allow someone to make these changes or allow someone to snoop around without leaving much of a trace.

Any advice for a secure system? We're definitely willing to compromise ease-of-use for security.
Thanks!
 
Kucher,

I recommend talking to vendors about their DoD DISA JITC Certified systems. These systems are locked down and usually are loaded with specific patches/load to ensure they are a lot more secure. You can also get results of their testing that tells you exactly what each finding was and, if it was a finding, what the vendor's mitigation was/is. There are two sides of testing nowadays, an IA side and an IO side, so the IA side would be what you are really interested in mostly.

As a vendor that goes through this testing I can say that nothing is 100% foolproof. But there are systems out there that are a lot more secure than something straight off the shelf. Also usually you will pay more for these more secure systems as it takes a lot of money for the vendor to go through the testing/locking down process.

Let me know if anything didn't make sense.
 
Thank you for your detailed answer. The phone system was sort of dropped in my lap and is not my main focus, so forgive me for my ignorance on some of the more technical details.

I'm not sure of the IA/IO acronyms; I am really just looking for a couple of recommendations to pass on to my boss for consideration that will replace our current Nortel gear. Feel free to plug your vendor to me. :)
 
IA is information assurance (testing the IP security)

IO is interoperability (testing what all it works with)

Well there are many different switches out there, from Nortel, Avaya, Cisco, Lucent, etc. It all depends on what you are looking for and what type of features.

I won't plug my vendor till I know it would actually do what you want.
 
The DoD no longer bother with secure PBXs they now lock them down with telephony firewalls. The firewall the DoD uses is SecureLogix ETM. It works by monitoring the D channel of the E1/T1 and uses a policy scheme similar in style to Check Point. Very good bit of kit but very expensive.

You will be better off getting a consultant in to assess and advise. There are many vulnerabilities in PBXs, voicemail, ACD, trunk-to-trunk allow, etc., and to try and cover them here would be impossible.

When I was born I was so surprised I didn't talk for 18 months
 
Biglebowski, they still lock PBXs down. You can't mitigate a response by saying ohh ETM will be there so nothing will happen.


Heck if all else fails get a Red Switch . . most secure I have ever seen.
 
I never said that I advised getting a consultant in.

Yes, red switches are secure but that's only because they don't have access to PSTN and the trunks are encrypted. Besides, Nortel & Siemens aren't allowed to sell EWSD, SL1 or Meridian red switches to the public.

When I was born I was so surprised I didn't talk for 18 months
 
Very small... right now just 5 employees and I can't see us ever having over 20.
 
The last Option 11 I installed in a Marine Corps base (that's DoD if I am right) insisted on JITC certified software.

I don't think you can make a blanket statement like "The DoD no longer bother with secure PBXs they now lock them down with telephony firewalls." without running the risk of putting out false info.

JohnThePhoneGuy

"If I can't fix it, it's not broke!"
 
John,

I just went through JITC last month for our system . . . so I know it is still used. All the usuals were there too, Nortel, Lucent, Cisco, Avaya, so yes everyone is still using it.
 
Kucher- If you're concerned about security, rest assured, Nortel is, too. The "Backdoors" you're talking about are password protected, and can't be reset remotely.

There's a fine line between giving the users remote access, and protecting your system. So long as you can convince your fellow employees to use passwords other than "1234", etc... you should be ok.

Also search the Norstar forum for programming suggestions to make your system "hack proof".
 