Security Configuration

Security considerations are an important aspect of planning your UCX system's configuration.

Access to the UCX System from Public Network

The first security aspect that you must consider is the exposure of the UCX system to the public Internet. You should not expose the UCX system to the public network more than is absolutely necessary. If you have no users who must access the UCX system remotely, you should not expose the system to the public network at all. If you plan to support remote users, you should first consider the use of a VPN for these users. If using a VPN is not acceptable (or applicable) for some reason, you should make publicly accessible only those services that are really necessary.

If you decide to allow access to certain services of the UCX system from the public network, you must take all necessary precautions to safeguard these services. Specific measures are beyond the scope of this section.

Password Strategy

The second most important security aspect to review as part of your planning is passwords for

  • System accounts
  • SIP extensions
  • Voicemail accounts

You should use the following common guidelines for passwords:

  • A minimum password length of 8 characters
  • Using randomly generated passwords when feasible
  • Avoiding passwords based on repetition, dictionary words, letter or number sequences, user names, names of relatives or pets, romantic links or biographical information
  • Including numbers and symbols in passwords if allowed by the system
  • Using both capital and lower-case letters
  • Avoiding using the same password for multiple sites or purposes

Passwords for System Accounts

As the very first step in the configuration of your UCX system, you should change the password of the admin account. The UCX Web-based Configuration Utility presents a page where you can change this password when you enter the utility for the first time. We strongly recommend that you use a strong password for this account because the password provides full access to the UCX Web-based Configuration Utility as well as the Linux system's admin account.

You could also prepare a list of additional user accounts for access to the UCX Web-based Configuration Utility, together with the configuration areas to which each of these user accounts should have access.

Passwords for SIP Extensions

You should decide what strategy you will use when generating passwords for SIP extensions. Typically, these passwords must be entered only once, and then they are stored in the SIP phone configuration files or in the phones' non-volatile memory. As the user does not have to remember or enter the password every time, there should be no reason to provide simple or easy-to-remember passwords for SIP extensions. We recommend the use of strong passwords that are different for each SIP extension (for example, randomly generated passwords). This practice can be a very good safeguard against attempts to hack your SIP accounts using brute-force methods when you support remotely connected SIP users.

Passwords for Voicemail

On the UCX system, the voicemail password can be used for more than just access to the user's mailbox. This password can also be used to access the UCX User Portal, which provides a number of features including the following:

  • Access to voice messages (including the ability to download voicemail messages)
  • Access to recordings (including the ability to download recorded conversations)
  • Access to detailed call log
  • Configuration of certain telephone features (call waiting, do not disturb, call screening, call forwarding)
  • Follow me configuration
  • Configuration of voicemail to email options
  • Configuration of Web playback
  • Configuration of call monitor settings (automatic recording of calls)

From the feature list above, it is obvious that voicemail passwords, too, must not be simple, common to all mailboxes or easy to guess. We recommend the use of at least 6 digits for voicemail passwords and avoiding repetitions, sequences or easy-to-guess numbers such as various dates.
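
An added example, not part of the UCX documentation or product, covering the SIP extension and voicemail guidance above: Python that generates a distinct random secret per SIP extension and a voicemail PIN that rejects repetitions, sequences and date-like numbers. The function names, the 24-character secret length and the letters-and-digits alphabet are assumptions; entering the generated values into the UCX system is left to the administrator.

```python
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumption: no symbols; add them if your phones accept them

def generate_sip_secret(length=24):
    """Random per-extension secret with upper case, lower case and a digit."""
    if length < 8:
        raise ValueError("page guideline: at least 8 characters")
    while True:
        s = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(map(str.islower, s)) and any(map(str.isupper, s)) and any(map(str.isdigit, s)):
            return s

def looks_like_date(pin):
    """Contains a 19xx/20xx year, or a 6-digit PIN reads as DDMMxx, MMDDxx or xxMMDD."""
    if re.search(r"(19|20)\d\d", pin):
        return True
    if len(pin) != 6:
        return False
    a, b, c = int(pin[:2]), int(pin[2:4]), int(pin[4:])
    day, month = range(1, 32), range(1, 13)
    return (a in day and b in month) or (a in month and b in day) or (b in month and c in day)

def is_weak_pin(pin, min_len=6):
    """True if the PIN is too short, repetitive, sequential or date-like."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) < min_len:
        return True
    if len(set(pin)) <= 2 or re.search(r"(\d)\1\1", pin) or re.fullmatch(r"(\d{2,3})\1+", pin):
        return True                      # e.g. 121212, 555123, 123123
    steps = [(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])]
    if any(x == y == z and x in (1, 9) for x, y, z in zip(steps, steps[1:], steps[2:])):
        return True                      # 4-digit run up or down: 1234, 9876
    return looks_like_date(pin)

def generate_voicemail_pin(length=6):
    """Random numeric PIN that passes is_weak_pin()."""
    if length < 6:
        raise ValueError("page guideline: at least 6 digits")
    while True:
        pin = "".join(secrets.choice(string.digits) for _ in range(length))
        if not is_weak_pin(pin, length):
            return pin

def provision(extensions):
    """Give every extension its own SIP secret and voicemail PIN."""
    return {e: {"sip_secret": generate_sip_secret(), "vm_pin": generate_voicemail_pin()}
            for e in extensions}
```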