A few at fault here
1. BT for allowing a Deny All to allow traffic through
2. Who ever sent the order in or processed it (I've never known BT supply a home hub to a business, but it could happen, Or did they fail to declare it was a business because they noticed that a home account is cheaper than a business and go down that route to save a few quid?).
3. The network installer that thought a BT router was a suitable firewall for a business.
4. The PBX installer, for not setting up the PBX correctly. How the hell did they commit this basic of frauds on an even remotely locked down system?
5. The security "expert" trying blame BT only, when this was a cluster fuck and he should be prepared to tell, the network installer, the PBX installer and even maybe the customer. If you don't tell them all the faults, they will just repeat it over and over.
As for the "locked down" part. If they did lock down 5060, how was the SIP provider going to get SIP call into the system (unless using a custom port) unless this was open. If they are attempting to justify using a basic router to do complex firewall rules, then god help them.
This just smacks of everyone trying to do everything as cheaply as possible then being surprised when it goes wrong.
Biting the hand that feeds IT
