PBX Firewall

In recent years, PBX firewall technology has been increasingly used by military installations, hospitals, energy firms, banks, and others to dramatically increase their control of telecommunications traffic. In some cases, the increased reporting available from the firewall has enabled them to reduce costs as well.

How does it work? A series of very fast, special-purpose computers sit between the "demarc" wiring from the telephone company and the PBX. These pizza-box-sized computers have the unique ability to look inside the traffic on the telecommunications lines and apply predefined, logical rules. For example, the PBX firewall can:

  • Stop or log unauthorized modem traffic (e.g., individuals may set up PCAnywhere on their workstations as a convenience, unintentionally leaving a backdoor for hackers).

  • Stop modem traffic detected on lines that are supposed to be fax only. The same event could instead trigger logging only or a page to security personnel.

  • Stop voice traffic on fax lines after a certain time at night, or limit such calls to no more than three minutes (time to communicate with a distant party regarding fax status).

  • Report on any lines not used in the past six months.

  • Page or show exception reports when anyone in the organization calls a direct competitor.

  • Disable any calls to or from ISPs not relevant to the organization's business.

  • Provide special-purpose reporting on individual lines, odd usage, traffic between company locations, etc.
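
The kind of rule logic listed above can be sketched in a few lines of Python. This is an added example, not code from the original text or from any PBX firewall product; the record fields, line numbers, night-time window, and authorized-modem list are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

FAX_VOICE_LIMIT_S = 180          # "no more than three minutes" from the text
NIGHT_START, NIGHT_END = 20, 6   # assumed hours; the text only says "at night"
AUTHORIZED_MODEM_LINES = {"555-0300"}  # hypothetical approved modem line

def evaluate(line, role, detected, start, duration_s):
    """Return (action, reason) for one call; the first matching rule wins."""
    if detected == "modem" and role == "fax":
        return ("block+page", "modem traffic on fax-only line")
    if detected == "modem" and line not in AUTHORIZED_MODEM_LINES:
        return ("block", "unauthorized modem traffic")
    if detected == "voice" and role == "fax":
        if start.hour >= NIGHT_START or start.hour < NIGHT_END:
            return ("block", "voice on fax line at night")
        if duration_s > FAX_VOICE_LIMIT_S:
            return ("cut-off", "voice on fax line over three minutes")
    return ("allow", "no rule matched")

def unused_lines(all_lines, calls, as_of, days=183):
    """Report lines with no call in roughly the past six months."""
    cutoff = as_of - timedelta(days=days)
    recent = {c[0] for c in calls if c[3] >= cutoff}
    return sorted(set(all_lines) - recent)

# Constructed sample records: (line, role, detected type, start, seconds)
CALLS = [
    ("555-0101", "fax", "fax", datetime(2024, 5, 1, 14, 0), 95),
    ("555-0101", "fax", "modem", datetime(2024, 5, 1, 23, 10), 600),
    ("555-0102", "fax", "voice", datetime(2024, 5, 1, 10, 0), 150),
    ("555-0102", "fax", "voice", datetime(2024, 5, 1, 10, 30), 400),
    ("555-0102", "fax", "voice", datetime(2024, 5, 1, 22, 0), 60),
    ("555-0200", "voice", "modem", datetime(2024, 5, 2, 9, 0), 1200),
    ("555-0300", "voice", "modem", datetime(2024, 5, 2, 9, 30), 300),
    ("555-0400", "voice", "voice", datetime(2023, 9, 1, 9, 0), 300),
]
ALL_LINES = ["555-0101", "555-0102", "555-0200", "555-0300", "555-0400", "555-0500"]
AS_OF = datetime(2024, 5, 3)     # constructed "today" for the unused-line report

def run():
    """Actions chosen for each constructed call, in order."""
    return [evaluate(*c)[0] for c in CALLS]

if __name__ == "__main__":
    for call in CALLS:
        print(call[0], call[2], *evaluate(*call))
    print("unused:", unused_lines(ALL_LINES, CALLS, AS_OF))
```
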

Exhibit 5 illustrates how hackers often thwart a strong IT firewall. Hackers, like most others, first look for the easy way in.

The PBX firewall, shown in Exhibit 6, sits between the demarc and the PBX, significantly lessening the likelihood of unauthorized intrusion (assuming the appropriate logic rules have been programmed).

Savings Potential Using PBX Firewall

The detailed information gathering and reporting available from the PBX firewall can potentially result in cost reduction. In a case study reported by Memorial Hermann Hospital in Houston, Texas, significant savings were obtained from:

  • Elimination of unauthorized modem calls to ISPs, freeing up trunk lines for voice communications so that installation of new T1s could be eliminated or at least delayed.

  • Replacement of higher-cost local access trunks with cost-effective tie trunks. By identifying that much of the PSTN traffic was between Memorial Hermann locations, it was easy to justify fixed-cost tie lines that proved to be less expensive, even in the short run. Three local access trunks costing a total of $4500 per month were replaced with three tie lines at $1050 per month, resulting in a savings of $3450 per month.

  • Reduction of full-time equivalent employee costs. The higher visibility of telecom information plus the ability to centrally monitor the entire Memorial Hermann enterprise resulted in decreased telecom FTEs per end user.

Another cost savings was reported by an East Coast banking enterprise. The telecom organization within the bank installed a PBX firewall for a few weeks at each of several locations. When the traffic patterns were recorded at one location, the firewall was moved to another site. After the round-robin process was complete, the bank had identified enough unused capacity to justify the firewall purchase several times over.