We're all familiar with VLANs, or Virtual LANs, which are widely used in enterprise and even SMB network environments today. With the advent of converged networks, suddenly the proper use and configuration of VLANs became more and more important. Since a single network jack can be utilized to provide both phone and computer services, a new security hole suddenly appears.
It's all too easy to converge voice and data services onto a single logical network, which is ultimately the simplest solution. However, imagine your corporate office's lobby, where multiple IP telephones reside to provide basic service to guests. With a simple switch, a user can connect his/her laptop to the trusted internal network. In a VLAN'ed environment, this wouldn't be as simple.
Sure, designing and enforcing multiple Virtual LANs adds administrative overhead to any environment, and even the logical separation of sensitive data and voice networks doesn't guarantee security. Properly defined security mechanisms, even for the voice VLAN, are an absolute requirement. Advanced router and switch configurations are likely necessary to enforce security policies on the voice network, because most IP phones contain a switch port that allows a daisy-chained device. The voice network is therefore highly susceptible to common TCP/IP-based attacks that could cripple a telephony network.
VLAN design varies from organization to organization. Some favor port-based VLANs, while others prefer tagged (or ID'd) VLAN environments. In a port-based VLAN configuration, each physical switch port is assigned directly to a VLAN, whereas a tagged VLAN uses ID tags in the frames to assign devices to VLANs.
Tagged VLAN configurations are increasingly popular because they are simpler to administer; however, they pose a risk of "VLAN hopping" attacks. In this scenario, an attacker spoofs the "tag authentication" information, such as MAC addresses, or uses 802.1x attacks to gain access to the secured VLAN.
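To make the port-based versus tagged distinction concrete, and to show the kind of per-port check a switch needs on a phone port like the lobby one described above, here is an added example that is not part of the original post. It parses the 802.1Q tag from a raw Ethernet frame and applies a simple port policy: an access port accepts untagged frames into its data VLAN and tagged frames only for its configured voice VLAN, a trunk port forwards only VLAN IDs on its allowed list, and a frame carrying a second tag is rejected on both. The port names, VLAN numbers, MAC addresses and sample frames are all constructed for illustration; they are not from any real network.

```python
"""Model of VLAN assignment on access (port-based) and trunk (tagged) ports.

Added example, not from the original post. Port names, VLAN numbers and
MAC addresses are constructed for illustration only.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100  # EtherType value that introduces an 802.1Q tag


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    vid: Optional[int]   # None when the frame carries no 802.1Q tag
    inner_tagged: bool   # True if a second 802.1Q tag follows the first
    ethertype: int       # EtherType of the payload after any tags


def parse_frame(raw: bytes) -> ParsedFrame:
    """Extract dst/src MAC and the optional outer 802.1Q tag from a frame."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, inner_tagged = None, False
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid = tci & 0x0FFF                    # low 12 bits of TCI = VLAN ID
        inner_tagged = ethertype == TPID_8021Q
    return ParsedFrame(dst, src, vid, inner_tagged, ethertype)


@dataclass
class PortPolicy:
    name: str
    mode: str                          # "access" (port-based) or "trunk" (tagged)
    access_vlan: int = 1               # data VLAN for an access port
    voice_vlan: Optional[int] = None   # tagged voice VLAN allowed on a phone port
    native_vlan: int = 1               # VLAN for untagged frames on a trunk
    allowed_vlans: Set[int] = field(default_factory=set)


def classify(frame: ParsedFrame, port: PortPolicy) -> Tuple[str, Optional[int]]:
    """Return ('forward', vlan) or ('drop', None) for a frame arriving on port."""
    if frame.inner_tagged:
        return "drop", None   # a second tag is never legitimate on an enterprise edge port
    if port.mode == "access":
        if frame.vid is None:
            return "forward", port.access_vlan
        if port.voice_vlan is not None and frame.vid == port.voice_vlan:
            return "forward", port.voice_vlan   # the phone's own traffic
        return "drop", None   # any other tag from a PC behind the phone is refused
    if port.mode == "trunk":
        if frame.vid is None:
            return "forward", port.native_vlan
        if frame.vid in port.allowed_vlans:
            return "forward", frame.vid
        return "drop", None
    raise ValueError(f"unknown port mode {port.mode!r}")


def build_frame(dst: bytes, src: bytes, vids=(), ethertype=0x0800,
                payload=b"\x00" * 46) -> bytes:
    """Build a test frame with zero or more 802.1Q tags (constructed input)."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample network: a lobby phone port and the uplink trunk.
PC_MAC = bytes.fromhex("02aabbcc0001")
PHONE_MAC = bytes.fromhex("02aabbcc0002")
GW_MAC = bytes.fromhex("02aabbcc00ff")
LOBBY_PORT = PortPolicy("Gi1/0/1", "access", access_vlan=200, voice_vlan=100)
UPLINK = PortPolicy("Gi1/0/48", "trunk", native_vlan=999, allowed_vlans={100, 200})


def demo() -> dict:
    """Run representative frames through both ports and collect the decisions."""
    cases = {
        "pc_untagged": (build_frame(GW_MAC, PC_MAC), LOBBY_PORT),
        "phone_voice_tag": (build_frame(GW_MAC, PHONE_MAC, vids=(100,)), LOBBY_PORT),
        "pc_tagged_for_other_vlan": (build_frame(GW_MAC, PC_MAC, vids=(10,)), LOBBY_PORT),
        "pc_double_tagged": (build_frame(GW_MAC, PC_MAC, vids=(200, 10)), LOBBY_PORT),
        "uplink_allowed": (build_frame(GW_MAC, PC_MAC, vids=(200,)), UPLINK),
        "uplink_not_allowed": (build_frame(GW_MAC, PC_MAC, vids=(10,)), UPLINK),
    }
    return {name: classify(parse_frame(raw), port) for name, (raw, port) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} -> {decision}")
```

The model keeps the usual default that an untagged frame on a trunk lands in the native VLAN, so the constructed uplink deliberately uses a native VLAN (999) that is on neither the voice nor the data VLAN list; on a phone port the only tag honoured is the voice VLAN, which is what keeps a laptop daisy-chained behind the phone in the guest data VLAN.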
In conclusion, it's important to fully analyze your logical network's security before considering a converged network. There are many considerations, including physical port location, VLAN type and design, and authentication strategies. In my opinion, it's well worth the cost to involve a third-party auditor to ensure your new voice network is protected against these common threats.
Nickasch has been very involved in IT since he was just 13. His current and previous consulting experience includes systems architecture, virtualization, and converged networks for the financial, education, and healthcare industries. Matthew currently attends the University of Wisconsin-Platteville, where he also works as a network management assistant. While his interests include directory services and routing protocols, Nickasch's focus is on converged networks and voice over IP.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.