Are Separate VLANs A Good Idea?
Over at the Voice Of VOIPSA blog, Dustin D. Trammell recently wrote a very thought-provoking post on the issue of isolating voice and data traffic. Here's the key point:
By providing a false sense of security by way of network isolation, many VoIP deployment administrators may become complacent and pay less attention to the security posture of the actual VoIP devices and endpoints themselves. If you plan to integrate your communications system into the data-flow of your business in even the most minimal way, you'll find quickly that most types of isolation that are available either provide a barrier to the desired functionality or open up so many holes in the barrier that it may as well not be there.
Go read the whole thing. It's right on the money. Dustin mainly addresses attacks such as SIP-based cross-site scripting and the VoIP Hopper attack tool, which lets bad guys jump back and forth between voice and data VLANs.
The other major point that's come up in several conference sessions I've moderated is that VLAN separation is ineffective anyhow for any and all softphone users. They're using a device--the PC--that's on the "data" VLAN, so that's where their voice traffic hangs out.