Security, Privacy, and Compliance

PortSIP PBX

Being in charge of a communication system in the planning to deployment stage makes communication security one of your main considerations. PortSIP provides a secure and reliable unified communications system that is critical to business communications and offers a robust multi-tenant cloud PBX system with several security features.

PortSIP PBX provides extended security options, advanced privacy features, and built-in compliance options for industry and regional requirements so you can communicate and collaborate securely.

Data privacy and security processes

CAPABILITIESPORTSIP PBX
Strict privacy policyPortSIP PBX is installed in the customer's server, PortSIP does not access, share, rent, or sell customer information with any third parties.
Security and privacy governanceDesigning and developing features in accordance with our data protection and privacy program ensures that our customers’ data remains private.
Customer data residency choicesCustomers can select the location to store PortSIP PBX data and user identities. For example, external storage, local disk, AWS S3.
Regulatory compliance●  EU GDPR
●  EU standard contractual clauses
●  EU-US privacy shield
●  Swiss-U.S. privacy shield
●  APEC cross-border privacy rules
●  APEC privacy recognition for processors

PortSIP offers a robust communications solution designed with a primary focus on keeping customer data secure. This commitment to privacy and security is reflected in every aspect of our work, from the design and development stages to the deployment and maintenance of our networks, platforms, and applications. PortSIP employs multiple technologies, procedures, and teams to ensure the communication solution meets privacy and security requirements.

Recording privacy and security processes

To comply with various countries’ regulations regarding call recording, PortSIP PBX offers the following recording features:

  1. System Administrators can control whether to record calls between two external callers. For instance, when Caller A calls a contact center agent, and the agent subsequently refers Caller A to Caller B’s PSTN phone number, the conversation occurs between Caller A and Caller B. PortSIP PBX, based on the system administrator’s configuration, can automatically stop recording their conversation.
  2. Tenant Administrators can configure a prompt to play when users call into PortSIP PBX. If the user does not agree to the recording, the system can automatically disconnect the call.

IP Phone security

Typically, most PBX systems store an extension's IP phone auto-provisioning file in a fixed folder path. Unfortunately, this approach can lead to security issues. For instance, if someone gains knowledge of another person's IP phone MAC address, they can easily download the configuration file to get the extension's password.

To address this security vulnerability, PortSIP PBX takes a proactive approach. Specifically, each extension's IP phone configuration file is stored in a separate directory with a randomized name. This measure ensures that even if an attacker obtains the phone's MAC address, they won't be able to guess the configuration file's download URL easily.

User provisioning

Authentication and authorization

PortSIP PBX employs standard methods to ensure secure authentication and authorization for users, whether they represent a small business or a federal government agency requiring the utmost level of security. If the organization utilizes a username and password system, PortSIP PBX offers a customizable password policy. This allows customers to enhance password entropy. Customers can modify the complexity of their passwords by adjusting the password policy, which may include the number of required characters, the use of special characters, uppercase letters, and numbers.

Additionally, PortSIP PBX supports Single Sign-On (SSO) with Microsoft 365. This feature enables enterprises to redirect users from PortSIP to Microsoft 365, allowing them to utilize the password and authentication flows of Microsoft 365.

Password security

After creating a user with the Admin, Standard User, or Standard International User role, an extension user was created, there are two passwords with a user.

  • SIP Password. It's used for the IP Phone, Softphone, and WebRTC client to register to PortSIP PBX.
  • User Password. It's used for the user to sign the PBX Web Portal to check voicemail, recording, CDR
  • Both SIP Password and User Password must meet the tenant's password policy.

Login Security

There are some settings that allow the PBX system administrator to control login security for tenant managers, tenants, and extensions.

  • Set the maximum number of login tries on the Web Login page, and the user IP will be blocked if the number of failed login attempts exceeds the allowed times.
  • Set the period of an IP block, a blocked IP will be removed after this time.

Flexible admin control for security

You can assign a role type for a user when creating it and change it later as well. There are three roles by default: Admin, Standard User, and Standard International User. The Admin user has all permissions in the tenant scope and can manage the whole tenant. The Standard International User has permission to make calls to local, national, and international numbers. The Standard User only has permission to make calls between users.

Administrator security control functions

  • Enable or disable an extension
  • Modify roles to manage permissions for both national and international calls
  • Adjust the password policy
  • Restrict calls to specific countries
  • Block calls based on specific prefixes of dialed numbers

SIP and TCP/IP security

PortSIP PBX offers security features primarily designed to thwart malicious attacks aimed at the PortSIP PBX, particularly if the administrator hasn’t implemented necessary precautions at the firewall level. It operates by identifying and blocking packet floods, DoS attacks, or brute force dictionary attacks that attempt to decipher the extension number and password. This includes:

  • Protection against failed SIP authentication
  • Handling of failed SIP authentication challenge requests (407)
  • Control of TCP and UDP packet rates

User-Agent blacklist

To safeguard against malicious activities such as SPIT (Spam over Internet Telephony), TDoS (Telephony Denial-Of-Service), fuzzing, and War dialing, PortSIP PBX offers a feature that blocks specific User-Agents found in SIP messages. This feature is instrumental in enhancing the security of your telecommunication services.

Whitelist/Blacklist

PortSIP PBX allows you to whitelist and blacklist IP addresses. All traffic originating from whitelisted IP addresses will be allowed unchecked by the anti-hacking features. All traffic originating from blacklisted IP addresses will be dropped immediately and silently.

Trunk security

SIP Trunk Authentication

Register Based Authentication: Many SIP Trunk Service Providers will require a level of Authentication within the SIP Trunk. The Service Provider requires Registration Authentication and Call Initiation Authentication from the PBX. When the PBX initiates a call to the Service Provider, the PBX must provide Authentication within the SIP Protocol for the Service Provider to accept and process the call.

IP Based Authentication: Because some SIP Trunk Service Providers do not support the SIP REGISTER method, you'll need to set up Trunk as the IP Based and add Trunk IP addresses as trusted peers in PBX, then the PBX to accept SIP traffic from trunk IP does not challenge for authentication credentials.

PortSIP PBX supports both Register Based and IP Based Authentication Trunks, but the IP Based Authentication trunk is strongly recommended, it's more secure.

PortSIP PBX is also supporting accepting the Trunk/E1/T1 gateway registration. For example, if an E1/T1 gateway is located in a local LAN but the PBX is in the cloud, we can create an Accept Register" Trunk in PortSIP PBX, set the username and password, and the E1/T1 gateway will be able to use that username and password register to the PortSIP PBX, the PBX only allows make & accept calls with E1/T1 gateway after successfully authorized.

Max concurrent calls limited

PortSIP PBX provides a feature that allows you to set a limit on the maximum number of concurrent calls at both the global and tenant levels for a trunk. If a trunk has already reached its maximum concurrent call limit, any new call attempts will not be processed. This feature ensures efficient call management and prevents overloading of the system.

Outbound route permission

When creating the outbound rule in the PortSIP PBX, you will need to consider outbound rule permission for different users. You can create the outbound rule using the given called number prefix, called number length, and caller belonged user groups.

For example, you can set up outbound rules as below.

  • The outbound rule for local calls, long-distance calls, and international calls
    • Create an outbound rule and select the trunk that is least-cost for local calls, and set the user role as Standard International User, then that user will have permission to make calls to the trunk.
  • In the menu Blacklist and Codes > Codes and E164, you can find Allowed Country Code and Disallowed Codes options that let you block the calls based on the country code.
  • Office hours for the outbound rule
    • PortSIP PBX allows specified office hours for an outbound rule, once set, the outbound rule will be unavailable and no one can make the call on it if outside of those hours.

Network security

Separate Voice Traffic and Data Traffic for some VoIP ISPs, and provide dedicated SIP trunks that support NGN ports (Next Generation Network). NGN can separate data, voice, and video networks or any combination of the three to form a converged network.

For the on-premise deployment, the best practice is to suggest setting up VLAN (Virtual Local Networks) on the PBX. VLAN can improve the call quality but also can secure PBX. The voice traffic and data traffic can be logically separated by a VLAN switch. If one VLAN is penetrated, the other will remain secure. Also, limiting the rate of traffic to IP telephony VLANs can slow down an outside attack.

Transport security

TLS and WSS for SIP signaling

Transport Layer Security (TLS) is a mechanism for securing SIP connections. It is recommended to use TLS as PortSIP PBX SIP transport to prevent data from being passed between other SIP endpoints and PortSIP PBX.

For the WebRTC client, PortSIP offers WSS transport (WebSockets over SSL/TLS). WSS is encrypted, just like HTTPS, and so protects against man-in-the-middle attacks. If the transport is secured, a range of attacks against WebSockets becomes unfeasible.

SRTP and DTLS-SRTP for audio and video

PortSIP PBX and PortSIP Apps support SRTP and DTLS-SRTP. SRTP extends RTP to include encryption and authentication so that all SIP and WebRTC conversations are as secure as possible. The audio and video media data is transported and protected by SRTP/DTLS-SRTP with AES-256 encryption.

Web access security

PortSIP PBX provides HTTPS and HTTP access on the port 8887 and 8888. The following are the recommended practices for securing web portal transactions and preventing unwanted access.

  • Create the security rule/firewall rule to disable the HTTP access on TCP port 8888
  • Disable Redirect from port 80
  • Disable Redirect from port 443
  • Upload the trusted SSL certificates, for example, purchase an SSL certificate from DigiCert, GeoTrust