TIPS Security of External Door entry phone

[LesD]

I intend installing an external sip based device built especially as a door entry phone.

Internally it has an RJ45 socket into which goes a standard network cable.

So basically I will have a connection point to my internal network out in the street.

I would appreciate some guidance and suggestions as to securing the system.

As far as I can see I have at least two potential security issues.

First, someone can connect a regular sip phone to the network. To protect against that I obviously need to have strong passwords on all extensions. It would also help to have DHCP turned off, though that may be somewhat inconvenient.

Secondly, someone could connect a taptop to the cable and have physical access to my whole network.

Obviously, securing all devices on the network with strong passwords is a must, but I wonder what I can do to lock things down even further.

I have thought of creating a VLAN for all PIAF related devices but I see two problems with that.

a. PIAF itself runs as a VM running on the main office server which has to be accessible to all computers on the network. Which means, I think, that the PIAF VM won't be able to talk to the phones! Rather unfortunate!

b. Network access to PIAF and the phones would not be possible from a general PC on the network.

A theoretical solution comes to mind but I can't get my head round how to implement it.

Rather than connecting the phone as a 'local' device, it should be connected as if it is an 'external' connection so that it can be firewalled. That way we could limit the connection to a specific IP and specific ports.

 

[rjaiswal]

Why not use an analog door phone, something like this:

http://www.vikingelectronics.com/products/view_product.php?pid=336

And then hook it up to an ata that will autodial when it goes off hook.

This would remove the security risk of having a hardwired network connection on the outside of your building.

 

[LesD]

I'd go with such a solution if it worked properly but there is an other requirement that I have not mentioned.

After answering the ring, the use must be able to trigger the door release from the extension. The VoIP solution has a built-in tone triggered door-release relay [*]. With the analogue device we would need to find some way to conveniently trigger the relay from an extension.

[*] While a convenient all-in-one solution, the door release is in fact, as far as I can understand, also a security issue. The relay to release the door is in the external phone. So someone with the right tools (or the wrong tools) could remove the cover of the unit and manually trigger the relay. I intend to talk to the importer about it.

 

[rjaiswal]

Ok... You can pair the door phone with something like this to control the door strike.
http://www.vikingelectronics.com/products/view_product.php?pid=665

 

[rjaiswal]

If you really want to be all sip,
Then you could use this:

http://www.valcom.com/products/ip_solutions/pdfs/VIP172L.pdf

The "brain" is external, and is mounted in the building. The wire to the door phone uses a proprietary signaling scheme to talk to the brain.

It also has the ability to control a door strike or mag lock.

 

[LesD]

The only way I can think of to do this requires a managed switch. If you have a managed switch, you could configure an ACL (access control list) so that the ethernet port used by your exterior endpoint would only accept connections from specific MAC addresses.

That sounds like it will do the trick.

 

[LesD]

rjaiswal: Thanks for those suggestions. Do you have any idea of prices for those units?

This is a UK project to that also adds to the complexity as far as equipment availability is concerned.

 

[rjaiswal]

For the valcom unit, you can try nimans +44 0870 444 3101 They are the distributor in the in UK.

As for the viking units, There website suggests that you call them directly. +1 715 386 8861

 

[phonebuff]

You might also check out Algosolutions -- http://www.algosolutions.com/products/doorphones-security.html

I have used the 8028 a number of times with PBXinaFlash systems and it works great, never had an issue with the phone or relay components and the outdoor piece is tamper proof-

-----------------------

 

[LesD]

You might also check out Algosolutions -- http://www.algosolutions.com/products/doorphones-security.html

I have used the 8028 a number of times with PBXinaFlash systems and it works great, never had an issue with the phone or relay components and the outdoor piece is tamper proof

The unit I was looking at is available under several names (I think it originates from Poland). A UK supplier is
http://www.broadbandbuyer.com/products/18417-protalk-pt-door01cav/


I have looked at its spec and it basically suffers from the design faults I have implied above - external exposure of the network and the door-open relay.

The 8028 unit overcomes both by having an external unit consisting of a speaker and a call button connected by a single pair of wires to the internal control unit.

An other advantage of the 8028 for me is that currently there is a Panasonic door entry phone with what is probably phone cable with two pairs - one for voice and the other for power to the door release. We can hopefully use that without any need to run new cables.

Price wise it is similar to the UK unit.

Normally I would not consider shipping such units from the US but in this case the match is so good and there does not seem to be anything here doing the same thing - unless someone out there puts me right! The unit even runs on UK 230 volts.

 

[jroper]

Hi

First, someone can connect a regular sip phone to the network. To protect against that I obviously need to have strong passwords on all extensions. It would also help to have DHCP turned off, though that may be somewhat inconvenient.

Secondly, someone could connect a taptop to the cable and have physical access to my whole network.

Why not consider a cheap and cheerful router/firewall, and only allow the ports you need through it, which I imagine will be 5060 and 10K to 20K UDP. This should prevent your second concern of someone connecting a laptop as the only protocols allowed will be SIP. Not any other protocols that may cause problems.

Physical security would be important - I've seen some network engineers glue in the network cable, (mostly to stop enthusiastic amateurs "improving" things) but a strong box on the wall sounds like it would be useful to cover the internet connection in some way.

In terms of firewalling on the PBX to only allow that device to connect, and no other device. Google on iptables, and in particular, the --algo switch. a TCP dump should give you the string that the phone passes so any other phone type will not be able to register.

Joe

 

[phonebuff]

An other advantage of the 8028 for me is that currently there is a Panasonic door entry phone with what is probably phone cable with two pairs - one for voice and the other for power to the door release. We can hopefully use that without any need to run new cables.

Panasonic Door phone replacements is what I use them for most.. An If I miss member correctly they are a Canadian Company not US.

 

[TwigsUSAN]

I will have to talk to a couple of my co-workers, but I do know the old analog versions with the door strike will work. They normally just require a certain set of DTMF tones. I've gotten them to work with Audiocode gateways.

 

[LesD]

Joe: Thanks for the idea of a cheap router/firewall. That would solve the network issue but on the physical protection front I don't think there is anything practical one can do to stop someone removing the cover of the unit and opening the door. I think it is simply a design fault of the unit. The Algo unit explicitly mentions the problem as a reason for them providing a split system where the external door unit is separate from the internal network unit and door-open circuits.

Phonebuff: Thanks for the confirmation. Indeed the company is Canadian though they only quote prices in US Dollars

TwigsUSAN: Which units are your referring to?
-------

The Algo contact page does provide a link to a UK rep who has pointed me to http://www.mouse.uk.com/search.php?pg=1&stext=8028

So the 8028 is available in the UK but with an uplift in price of about $85 before VAT This is about the same price as the Polish unit, though that does have a camera built in. Taking into account the probable saving in cabling costs it should turn out to be a good deal as well as doing a good job without the need for extra equipment.