Are Separate VLANs A Good Idea?
One of the gospel truths since the first IP voice packets were put on a data network is that you have to establish separate VLANs for voice and data traffic. But that piece of conventional wisdom may not be so wise.
Over at the Voice Of VOIPSA blog, Dustin D. Trammell recently wrote a very thought-provoking post on the issue of isolating voice and data traffic. Here's the key point:
By providing a false sense of security by way of network isolation, many VoIP deployment administrators may become complacent and pay less attention to the security posture of the actual VoIP devices and endpoints themselves. If you plan to integrate your communications system into the data-flow of your business in even the most minimal way, you’ll find quickly that most types of isolation that are available either provide a barrier to the desired functionality or open up so many holes in the barrier that it may as well not be there.
Go read the whole thing. It's right on the money. Dustin mainly addresses attacks such as SIP-based cross-site scripting and the VOIPHopper attack tool, which lets bad guys jump back and forth between voice and data VLANs.
The other major point that's come up in several conference sessions I've moderated is that VLAN separation is ineffective anyhow for any and all softphone users. They're using a device--the PC--that's on the "data" VLAN, so that's where their voice traffic hangs out.