Monday, March 10, 2008

Wireless PBX Solutions
Several solutions for adding wireless extensions to PBX systems have been commercialized.
Most PBX vendors have implemented proprietary 900 MHz-band solutions
in the United States as well as the 1900 MHz Digital Enhanced Cordless
Telecommunications (DECT) ETSI standard in Europe, which has driven
widespread adoption of vendor-neutral wireless there. More recently, a number of
WiFi solutions have become available, as well as combination WiFi/GSM solutions
that let a single device work with both cellular and enterprise PBX infrastructure.
See the warnings about WEP later in this chapter.



Other PBX Solutions
Two other PBX solutions with security considerations bear some discussion: Call
Detail Recording (CDR) systems and Voice Firewalls. CDR systems enable every
call on a PBX to be recorded after it is complete using a standardized format. This
allows special reporting software to analyze this data for forensic or diagnostic purposes.
It is worth noting, however, that a CDR system will not allow you to stop a
fraudulent call still in progress. For this, you would need a voice firewall such as that
sold by SecureLogix. Such a firewall allows you to see current calls in real-time,
apply policy based on type of call (voice, fax, or data), and set notifications, authentication
requirements, or other policy based on rules very similar to those you might
set for data traffic on a data firewall.
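
An added example, not from the original chapter: a Python report over completed-call records, the kind of after-the-fact analysis CDR reporting software performs. The CSV column layout, thresholds, extensions and phone numbers are constructed for illustration, and the three checks are assumed heuristics, including the trunk-to-trunk pattern discussed under PBX Alternatives.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample records. The column layout is hypothetical; real CDR
# formats vary by PBX vendor. Empty trunk fields mean an internal station leg.
SAMPLE_CDR = """\
end_time,duration_s,src,dst,in_trunk,out_trunk,call_type
2008-03-07 10:14:02,185,2104,2117,,,voice
2008-03-07 14:30:45,240,2133,15555550100,,T01,voice
2008-03-08 02:41:10,5400,15555550123,0115555550199,T03,T01,voice
2008-03-08 03:05:55,4200,2150,0115555550142,,T02,voice
2008-03-08 11:20:00,95,15555550177,2104,T03,,fax
"""

BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 local time
LONG_CALL_S = 3600             # assumption: flag outbound calls of an hour or more
INTL_PREFIX = "011"            # North American international dialing prefix


def review_cdr(text):
    """Return (end_time, src, dst, reasons) for each record worth a second look."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        ended = datetime.strptime(row["end_time"], "%Y-%m-%d %H:%M:%S")
        duration = int(row["duration_s"])
        started = ended - timedelta(seconds=duration)
        reasons = []
        # Arrived on one outside line and left on another: no local station
        # was the endpoint, which is the trunk-to-trunk pattern.
        if row["in_trunk"] and row["out_trunk"]:
            reasons.append("trunk-to-trunk")
        if row["dst"].startswith(INTL_PREFIX) and started.hour not in BUSINESS_HOURS:
            reasons.append("after-hours international")
        if row["out_trunk"] and duration >= LONG_CALL_S:
            reasons.append("long outbound call")
        if reasons:
            findings.append((row["end_time"], row["src"], row["dst"], reasons))
    return findings


if __name__ == "__main__":
    # Every record here describes a call that has already ended.
    for end_time, src, dst, reasons in review_cdr(SAMPLE_CDR):
        print(f"{end_time}  {src} -> {dst}  {', '.join(reasons)}")
```

Both flagged calls had already run for more than an hour by the time their records existed, which is the limitation the text notes for CDR compared with a voice firewall.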



PBX Alternatives
Long before the appearance of VoIP, nonswitched alternatives to the PBX were
available. For systems of fewer than 50 users, Key Telephone Systems (KTS) share outside
lines directly and have dedicated intercom lines to talk between stations. Current generation
key systems are more PBX-like than ever, so it may be hard to find that distinction
anymore. But older key systems won’t support advanced switching features
like trunk-to-trunk transfer that can lead to toll fraud. Still, so-called hybrid key systems
should be treated like a regular PBX when it comes to security.
Centrex, IP Centrex, and Hosted IP-telephony services are carrier-based PBX
alternatives that provide a private dial plan plus the more popular switching features
that an on-site PBX system might. However, the switching equipment stays in the
carrier’s infrastructure and is managed by the carrier. This is a mixed blessing since
it’s likely to reduce the overall functionality and access policy tailoring available to
you if your organization uses such a service, but it does mean that the carrier shoulders
a larger share of the responsibility for any toll fraud that may result (and consequently
won’t provide high-risk services like trunk-to-trunk dialing without extra
security measures).
More recently, the appearance of IP telephony has provided an opportunity for
some manufacturers like Avaya to rearchitect their overall PBX approach and separate
the functionality once provided in a single device into multiple devices. In particular,
call control and signaling can be separated from media processing and gateway services;
this approach makes possible an architecture where a few call control servers can provide
redundant services across an entire organization with media gateways located in
every geographic location that contains their physical presence. We’ll treat this
approach along with other similar VoIP architectures in the next section.


VoIP Telephony and Infrastructure
With the introduction of VoIP came a new architectural flexibility that in theory
can completely distribute PBX functionality across an entire infrastructure. We’ll
review those concepts in this section and discuss examples of this in action, but keep
in mind that few VoIP solutions take full advantage of every aspect described here
(and it wouldn’t surprise me to discover that none of them did, but today’s VoIP
market is moving so fast that it’s difficult if not impossible to prove that kind of negative).
Regardless, these concepts each have significant security implications.



Media Servers
The term media server is totally overloaded in the VoIP world (and even more so
within the IT industry as a whole). If we restrict ourselves to VoIP-related definitions
only, a server so named still could be any of the following:
■ Interactive voice response (IVR) server or media slave, possibly running
VoiceXML or MRCP
■ Signaling Media Server (Media Gateway Controller) to handle call control
in Voice/VoIP network
■ Call distribution (ACD) for receiving and distributing calls in a contact
center
■ Conferencing Media Server for voice, video, and other applications
■ Text-to-speech server (TTS) for listening to e-mail, for instance
■ Automated voice-to-e-mail response system
■ Voice or video applications server
■ Streaming content server
■ Fax-on-demand server
Sure, some of these are similar and can roughly be grouped together, but at best
you’ll get this down to semi-overlapping groups that center on two general areas:
interactive media services and call or resource control. The point here is that in the
VoIP world, we haven’t standardized architectures and naming conventions yet so we
are left with technically vague terms like media server, media gateway, and the worst
offender, softswitch (a marketing term we will not spend more time on in this chapter
except to note that it was intended to conjure up the image of a class 5 switch being
displaced by a software blob that runs these media servers and media gateways but
has become so overloaded that it has completely lost any technical meaning it once
may have enjoyed).
