Yesterday we discussed the use of Virtual LANs (VLANs) to segment and separate voice and data networks. This level of separation significantly increases security across both the data and voice networks, and also adds yet another layer of complication for any would-be hacker.
While Voice VLANs sound like a good idea (and they are), they're practically useless without the proper inter-VLAN routing configuration and safeguards. LAN segmentation means virtually nothing without access control lists, firewalls, and policies to route and protect data on both VLANs.
Constructing routing policy between the WAN, data LAN, DMZ, and voice LAN should be relatively easy with respect to voice traffic. Unlike any other segment on your network, voice traffic can literally be the easiest to manage policy-wise. When you think about it, the data counterpart of network segments is designed to allow and control lots of heterogeneous traffic. We're talking about SMB, WWW, SMTP, and so on; the list goes on and on. Routing and firewall policy for these segments can become very complicated, very quickly. However, when considering the voice network, the traffic is very homogeneous, typically consisting of a signaling protocol in addition to media transport, i.e. RTP traffic. Therefore, the increased "unity" in the traffic footprint of the voice network makes it much easier to control, firewall, and route. Policies are relatively easy to manage, and need less supervision and change.
In constructing any inter-VLAN policy set, remember the Principle of Least Privilege. Start by restricting policies to the absolute necessities, and add rules only as they become necessary. Consider management VPN tunnels to allow administrators from remote locations and neighboring VLANs to have unrestricted access to the segment.
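The two preceding paragraphs make a single point: because voice traffic is only signaling plus RTP, a least-privilege inter-VLAN ruleset for the voice segment is short, and everything else can fall through to a default deny. The following is an added example, not code from the original post, that models such a ruleset as a first-match ACL and evaluates sample flows against it offline. The VLAN ranges (data 10.10.0.0/24, voice 10.20.0.0/24), the PBX address 10.20.0.5, the management host 10.10.0.10 (standing in for the admin endpoint of a management VPN tunnel), and the port choices (SIP on 5060/5061, RTP on UDP 16384-32767) are all constructed assumptions; substitute the signaling protocol and media range actually deployed.

```python
"""Least-privilege inter-VLAN policy for a voice segment, evaluated offline.

Added example; not code from the original post. Addresses, VLAN ranges and
ports are constructed assumptions: data VLAN 10.10.0.0/24, voice VLAN
10.20.0.0/24, PBX 10.20.0.5, management host 10.10.0.10. Signaling is
modelled as SIP (UDP 5060, TLS on TCP 5061) and media as RTP (UDP 16384-32767).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """A single unidirectional flow crossing the inter-VLAN router."""
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    """One ACL entry; ports is an inclusive (low, high) range or None for any."""
    action: str   # "permit" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # (low, high) or None
    note: str = ""

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in ip_network(self.src):
            return False
        if ip_address(f.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != f.proto:
            return False
        if self.ports is not None and not (self.ports[0] <= f.dport <= self.ports[1]):
            return False
        return True


DATA_VLAN = "10.10.0.0/24"    # constructed
VOICE_VLAN = "10.20.0.0/24"   # constructed
PBX = "10.20.0.5/32"          # constructed
MGMT_HOST = "10.10.0.10/32"   # constructed: admin endpoint of the management tunnel

# First-match ruleset applied to traffic from the data VLAN into the voice VLAN.
# Only what voice actually needs is permitted; the homogeneity of voice traffic
# keeps this list short, and everything else hits the final explicit deny.
VOICE_POLICY = [
    Rule("permit", MGMT_HOST, VOICE_VLAN, "tcp", (22, 22), "admin SSH to phones and PBX"),
    Rule("permit", MGMT_HOST, VOICE_VLAN, "tcp", (443, 443), "admin HTTPS to PBX"),
    Rule("permit", DATA_VLAN, PBX, "udp", (5060, 5060), "softphone SIP signaling"),
    Rule("permit", DATA_VLAN, PBX, "tcp", (5061, 5061), "softphone SIP over TLS"),
    Rule("permit", DATA_VLAN, PBX, "udp", (16384, 32767), "softphone RTP media to PBX"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None, "default deny"),
]


def evaluate(policy, flow):
    """Return (action, note) of the first rule that matches the flow."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.note
    # Unreachable while the explicit final deny is present; kept so the
    # evaluator fails closed if someone removes that rule.
    return "deny", "implicit deny"


def audit(policy, flows):
    """Evaluate each flow; returns a dict mapping Flow -> action."""
    return {f: evaluate(policy, f)[0] for f in flows}


if __name__ == "__main__":
    # Constructed sample flows: one admin session, one softphone registration,
    # and two attempts from a data-VLAN host that the policy should block.
    samples = [
        Flow("10.10.0.10", "10.20.0.5", "tcp", 22),
        Flow("10.10.0.42", "10.20.0.5", "udp", 5060),
        Flow("10.10.0.42", "10.20.0.77", "tcp", 80),
        Flow("10.10.0.42", "10.20.0.5", "tcp", 445),
    ]
    for f, action in audit(VOICE_POLICY, samples).items():
        print(f"{action:6} {f.proto}/{f.dport:<5} {f.src} -> {f.dst}")
```

Running the script prints one line per sample flow; only the admin SSH session and the softphone SIP registration are permitted, while HTTP to a phone and SMB to the PBX fall through to the default deny. Adding a new voice feature means appending one narrowly scoped permit rule above the final deny, which is the "add as necessary" half of the least-privilege approach described above.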
Nickasch has been very involved in IT since he was just 13. His current and previous consulting experience includes systems architecture, virtualization, and converged networks for the financial, education, and healthcare industries. Matthew currently attends the University of Wisconsin-Platteville, where he also works as a network management assistant. While his interests include directory services and routing protocols, Nickasch's focus is on converged networks and voice over IP.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.