Extensions vs. Outgoing Calls vs. Security: what are the solutions offered by FreePBX 2.8?

Good day too all.

Sorry in advance for posting this question as it might had been answered a lot of times before on the forums. Unfortunately, I hadn’t been able to find the exact solution to the problem I’m facing throughout the forums, while had spotted some threads describing solutions to the similar goals.

So, here is the definitions of the goal I’m expecting to achive:

SIP and IAX2 protocols are both insecure in terms that the traffic went on unencrypted over the net. Even in cases when secure challenge-response authentication schemes are being used there’s always a possibility of a malicious sniffer sitting somewhere in the same lan segment and capturing packets. This leads us to a big possibility of successful bruteforce of the password. “Right way” ™ to avoid this problem is to tunnel traffic into some king of encrypted channel but that’s not always the case: my clients tends love to use smartphones to connect to my server when they are off on a vacation to some foreign country. As smartphones in their mass are not capable of tunneling traffic over VPN channel I have to had unencrypted SIP and/or IAX2 service available on a public accessible IP.

To partly protect myself from big charges on long-distance calls made by malicious hacker and still allow legitimate users to use the service in a way they want I would like to be able to control who is allowed to call where depending on an IP range the user agent had been registered from. Most of the PBX users sit inside secure LAN (actually these users are VoIP gateways installed inside 19" rack at the server’s room with regular phones connected to the FXS ports) and I want these users to be able to call everywhere without any restrictions. Second group of the users consists of softphone clients (including smartphones) connecting from the internet side. I want these users to be restricted in where they are allowed to call. As an example I might want to only allow them to make calls to the internal extensions numbers and to local distance toll-free calls. If there is a possibility to allow them to call long-distance numbers after entering some kind of a password (pin number) - that would be even better.

As an optional feature it would be cool if the security level for a selected extension would be determined on a per-IP basis. I mean something like this: if an extension had been registered from an IP included in “secure” subnet range, then provide it with “full permissions”; provide “restricted permissions” otherwise.

It seems to me that this use case might be very widespread and I’m sure that there should be some kind of solution built-in into FreePBX. Looks like I’m too dumb user to figure this out myself so I’m in the search of advice! Thanks in advance!