Saturday, December 17, 2005

"Voice VLANs" - something else I just don't get

The voice VLAN recommendation has been around for a very long time. I understand what the idea was for them, but never really bought into them then - and even less so now. But what do we continue to hear from the vendors, security 'specialists', and even NIST? "Separate your traffic" for better security. Well, I'm declaring shenanigans on that one right here ;)

"I don't want all the data hackers attacking my voice system, so I want them separated." Well, if that were truly the case, every application on your network better have its own VLAN. I have visions of the people that make this recommendation as being the same ones that don't want your chocolate in their peanut butter or their corn to touch their mashed potatoes (my brother was like this - had compartments in his stomach ya know). I think someone started using voice VLANs to sell their gear - and everyone else had to follow suit or be considered less secure. We just keep echoing these things without really looking at the impact of it.

How in the world can you really separate voice and data on your network and still provide the functionality we all want and need? If you really want to integrate voice you must allow for CTI-like functions to cross boundaries (SIP, XML, etc.). Management functions as well I'll assume (SNMP, HTTP, SSH, etc.). And once you allow these kinds of things between the networks ask yourself this question - what other traffic would a voice system even listen to? I know in the system we have built, that the handsets and soft switches are hardened - listening only to pertinent traffic. But if that's all they are listening to, what is the value of ignoring it twice? All the things that the system needs to do, and are then allowed by the firewalls or ACLs to do, are exactly the only things the system will listen to anyway. What value does the remaining firewalling provide? And at what cost to provide it?

I'm supposed to spend time and money to implement and maintain something that blocks traffic the voice system is going to ignore anyway. Does this make sense?

Now, obviously there are some things you can do to protect a data center implementation of IP telephony servers - and I will concede that voice VLANs make that a bit easier. However, we already have certain protections for our data center applications - IDS and other things. Why, again, duplicate those efforts for voice? That is not convergence. If we want to consider voice just another application on the network - then treat it like one. A very important and sensitive one yes - but there are better ways to protect your system than the false security provided by voice VLANs.

And if you still want to use voice VLANs, tell me this: are you not going to allow softphones on your network? Ever?

Spend your time and effort on real security measures (hardening your systems, good patch management, etc.) and stop worrying about what vendors and NIST say about voice VLANs - I don't think they've thought it through.


Post a Comment

<< Home