PBX on a DMZ or not?

freepbx

#1

Hi
I have successfully updated our PBX from version 12 to the latest version via a restore and have configured the server to run in a VM.
I have 25 Cisco endpoints and 5 remote workers and the old live version 12 server is currently sitting on our LAN in our standard IP range.

I intend on moving the endpoints onto the new server and changing from 3 x PSTN lines to 4 SIP trunks and wanted to know the best network solution. I have a Linux firewall with multiple zones so I could put the PBX on a dedicated zone and not on the general IP range, on a DMZ, and use the built-in firewall.
I have a TFTP server also on our normal range which I guess I'll have to move to the new range?

I have read various opinions but wanted to get an experienced person's point of view.


(Michael Jones) #2

Built-in firewall and fail2ban work GREAT (my experience). Should wait to hear from others.


(Paul Hadley) #3

Just had a few issues with my system coming under attack and I only had port 5060 (now moved to an off-standard solution) exposed with the required RTP ports to the internet.

I assume your standard

is then supported through forwarding and firewall entries in your router? Why would you want to expose the PBX to any more security risk than necessary?


#4

I'm concerned that if the server was compromised then the complete network is visible. If it sits on the LAN as it is now I'll have to open up a port for the SIP trunks to use (not 5060 though) and therefore expose the LAN. If it was on a different range it would make it harder to see the LAN if it was compromised.
It does mention setting the server up on a DMZ when you set the server up initially, but I will never do that on a company LAN.
My concern is really the exposure via the SIP trunks.


(Simon Telephonics) #5

DMZ means different things to different people.


(Paul Hadley) #6

I have run three FPBX installations with a local IP address and a signalling port (was 5060) as the only open port and fail2ban as a block to hackers who tried to crack an extension login. That has proved fine for five years; I have now moved my signalling port from 5060 for additional peace of mind.

My Vigor Router allows me to set a second LAN isolated from the main one that I could use for the PBX and phones only but I haven’t felt the need to go that far.


#7

If SIP trunks are your only public traffic, I wouldn’t lose any sleep opening the SIP ports just for my provider IPs.

But generally, a properly configured “DMZ” is wise. The DMZ<->LAN and DMZ<->WAN firewalling needs to be about as restrictive as the WAN<->LAN firewalling. I’ve seen many issues where the DMZ is effectively just a subnet wide open to the LAN, WAN or worse, both.


(Paul Hadley) #8

I would understand DMZ as setting one LAN IP address that all WAN requests without a clear destination through the NAT by either internal request or pre-set port forwarding go to? In other words a node inside the LAN more or less completely exposed to the internet?


#9

I would call that the “home router” definition.


(Paul Hadley) #10

The only reason I open my signalling port is because I have trunks between the three PBX’s for extension to extension calls that do not login, they simply forward to the FQDN, if I only had ISP trunks I wouldn’t open up that port and would probably never have had an attack on my PBX?


(Simon Telephonics) #11

On the networks where I operate, any host that has an inbound path from the internet is DMZ.


#12

So sitting the PBX on the normal range, as I have it at the moment, and locking down the incoming IPs for the SIP trunks would be the best solution rather than putting the PBX on its own range?


(Paul Hadley) #13

What incoming IPs will you have for the trunks? Are you registering with all your SIP trunk providers or do you have PBX to PBX / providers like I do? Do you have external extensions that need to register to your PBX?
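The two points made in #7 (DMZ<->LAN and DMZ<->WAN filtering should be as restrictive as WAN<->LAN) and #12 (open the signalling and RTP ports only to the trunk providers' addresses) can be checked before touching the real firewall. The following is an added example, not code from the thread or from FreePBX: a small zone-policy model in Python with a default-deny evaluator and an audit function that flags the two classic mistakes, a DMZ-to-LAN rule that is not limited to a protocol and port, and a WAN-facing accept rule with no source address restriction. The provider networks, the off-standard signalling port and the RTP range are constructed placeholder values, not anything from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample values for this example. Real provider addresses, the
# chosen "not 5060" signalling port and the RTP range come from your trunk
# provider and your PBX SIP settings.
SIP_PROVIDER_NETS = ("203.0.113.10/32", "198.51.100.0/28")
SIGNALLING_PORT = 5080          # placeholder off-standard SIP port
RTP_RANGE = (10000, 20000)      # placeholder RTP port range (inclusive)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                         # "accept" or "drop"
    proto: Optional[str] = None         # None = any protocol
    dports: Optional[tuple] = None      # ((lo, hi), ...) or None = any port
    src_nets: tuple = ()                # () = any source address


def matches(rule, src_zone, dst_zone, proto, dport, src_ip):
    """True if the packet description fits every constraint of the rule."""
    if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.dports is not None and not any(lo <= dport <= hi for lo, hi in rule.dports):
        return False
    if rule.src_nets and not any(ip_address(src_ip) in ip_network(n) for n in rule.src_nets):
        return False
    return True


def evaluate(policy, src_zone, dst_zone, proto, dport, src_ip):
    """First-match evaluation; anything no rule accepts is dropped (default deny)."""
    for rule in policy:
        if matches(rule, src_zone, dst_zone, proto, dport, src_ip):
            return rule.action
    return "drop"


def tight_policy():
    """PBX in its own zone: trunks reachable only from the provider networks,
    phones on the LAN may reach the PBX, the PBX may not initiate anything to the LAN."""
    sig = ((SIGNALLING_PORT, SIGNALLING_PORT),)
    return [
        Rule("wan", "dmz", "accept", "udp", sig, SIP_PROVIDER_NETS),
        Rule("wan", "dmz", "accept", "udp", (RTP_RANGE,), SIP_PROVIDER_NETS),
        Rule("lan", "dmz", "accept", "udp", sig + (RTP_RANGE,)),
        # no dmz -> lan accept rules at all: a compromised PBX cannot see the LAN
    ]


def loose_policy():
    """The "home router DMZ" style from #8/#9: SIP open to the world and the
    DMZ host free to talk to the LAN. Included only to show what the audit catches."""
    return [
        Rule("wan", "dmz", "accept", "udp", ((5060, 5060),)),
        Rule("dmz", "lan", "accept"),
    ]


def audit(policy):
    """Return human-readable findings for accept rules that are too permissive."""
    findings = []
    for i, r in enumerate(policy):
        if r.action != "accept":
            continue
        if r.src_zone == "dmz" and r.dst_zone == "lan" and (r.proto is None or r.dports is None):
            findings.append(f"rule {i}: DMZ->LAN accept not limited to a protocol and port")
        if r.src_zone == "wan" and not r.src_nets:
            findings.append(f"rule {i}: WAN->{r.dst_zone} accept open to any source address")
    return findings


if __name__ == "__main__":
    for name, pol in (("tight", tight_policy()), ("loose", loose_policy())):
        print(name, "->", audit(pol) or "no findings")
```

The WAN-side finding assumes, as in #7, that trunks to known provider addresses are the only public traffic; remote extensions that register from changing addresses cannot be handled by a static allowlist and are the case where the built-in firewall's responsive mode and fail2ban mentioned in #2 and #6 do the work instead.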