Security Advice

Hi guys, I have a fresh install of FreePBX, but as I am no expert in network security/FreePBX, I am asking you for some advice.

I have a 100 Mb/s internet connection on my DD-WRT home router.
In this router I have 4 LAN ports. Each one is set as a VLAN. All VLANs can access, send and receive data from internet connection but cannot talk to each other (I have VLAN10, VLAN20, VLAN30 and VLAN40).

On port 1 of the router (VLAN10) I connected a 5-port switch, and from there I connected my FreePBX server (port 1) and my two Linksys SPA3102s (ports 2 and 3). Port 5 is connected to my DD-WRT router. Port 4 is FREE.

I want to be very secure with this config, as I will connect my SPA3102 to my landline phone, so any security gaps here can cost me thousands of dollars.

I also have another computer that I use on a daily basis to surf the net, read emails and work with some excel sheets.

I don’t need to connect any device from remote locations to my FreePBX server, and I don’t need to be able to access it from the internet, as all configuration will be done locally using the computer I just mentioned.

My question is: is it a better option to connect this computer to the same VLAN10 as the FreePBX server and SPAs, so I don’t need to access the FreePBX server via SSH or remotely, or is it better to connect this computer to the other VLAN20?

In this case (computer, FreePBX and SPAs in the same VLAN10), what iptables commands should I use on my DD-WRT router/firewall and FreePBX server to close all ports from outside the VLAN but allow internet access?

Is it a security gap to have this computer in the same VLAN, or is it better to have it on a separate VLAN and allow remote configuration on the FreePBX server?

Kind regards

Send a letter to your landline provider stating that you are concerned about possible toll fraud and are authorizing a maximum charge of $XXX per billing period. If this amount is reached, outbound calling should be blocked. Get them to acknowledge this arrangement in writing.

Configure your SPA3102 with strong admin and user passwords, allowing only digest authentication (with a strong password) for VoIP to PSTN. Set the Dial Plan used by that entry to only permit destinations that you need to call. In most cases, you’ll be using a VoIP provider for international calls; the Dial Plan should permit only domestic or perhaps only local calls. Set VoIP-To-PSTN Call Max Dur to 3600 (one hour) or whatever your business needs. Test with a softphone or temporary trunk access code that calls to expensive destinations are blocked.

Sorry, but I don’t feel qualified to answer your original question. My system blocks all access from outside, except for SSH listening on a non-standard port, with a strong password and fail2ban.

It looks like you’re making this harder than it should be. You have FreePBX behind the DD-WRT firewall. Since you don’t have any remote machines, there are no ports in the DD-WRT forwarded to your FreePBX machine, thus there is no way for outside traffic to get into your phone system to place calls or do anything else. I see no reason to make this so complicated.
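As an added example (not from anyone in this thread), here is a host-side iptables script for the FreePBX box itself that answers the "close everything from outside VLAN10 but keep internet access" question: inbound is default-deny, only hosts on the VLAN10 subnet may reach SIP, RTP, the web UI and SSH, and outbound traffic plus replies stay open. The subnet 192.168.10.0/24 and the port numbers are assumptions (5060 for SIP and 10000-20000 for RTP are FreePBX defaults); check them against your own configuration before applying.

```shell
#!/bin/sh
# Added example: host firewall for a FreePBX server that should only be
# reachable from its own VLAN. Assumed values: VLAN10 is 192.168.10.0/24,
# SIP on UDP/TCP 5060, RTP on UDP 10000-20000 (FreePBX default), web UI on 80/443.
LAN_NET="192.168.10.0/24"
SIP_PORT=5060
RTP_RANGE="10000:20000"

# Emit one rule per call. $1 is the command to run: "iptables" applies the
# rules, "echo" prints them for review (dry run).
fw_rules() {
  ipt="$1"
  # Start clean and default-deny inbound; outbound stays open so the box can
  # reach the internet (updates, VoIP provider). FORWARD is unused on a host.
  "$ipt" -F INPUT
  "$ipt" -P INPUT DROP
  "$ipt" -P FORWARD DROP
  "$ipt" -P OUTPUT ACCEPT
  # Loopback and replies to connections the server itself initiated.
  "$ipt" -A INPUT -i lo -j ACCEPT
  "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Only VLAN10 hosts (the SPA3102s and the admin PC) may reach PBX services.
  "$ipt" -A INPUT -s "$LAN_NET" -p udp --dport "$SIP_PORT" -j ACCEPT
  "$ipt" -A INPUT -s "$LAN_NET" -p tcp --dport "$SIP_PORT" -j ACCEPT
  "$ipt" -A INPUT -s "$LAN_NET" -p udp --dport "$RTP_RANGE" -j ACCEPT
  "$ipt" -A INPUT -s "$LAN_NET" -p tcp -m multiport --dports 22,80,443 -j ACCEPT
  "$ipt" -A INPUT -s "$LAN_NET" -p icmp -j ACCEPT
  # Anything else (other VLANs, the internet) is rate-limited into the log,
  # then falls through to the DROP policy.
  "$ipt" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "PBX-INPUT-DROP: "
}

# Sanity check: how many ACCEPT rules are scoped to the LAN subnet.
lan_scoped_accepts() {
  fw_rules echo | grep -c -- "-s $LAN_NET .* -j ACCEPT"
}

# Dry run by default; run "sh fw.sh apply" as root to install the rules.
if [ "$1" = "apply" ]; then
  fw_rules iptables
else
  fw_rules echo
fi
```

Nothing in the script opens a port to the internet, so it complements rather than replaces the "no port forwards on DD-WRT" advice above.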