I read some information on keeping voice over IP (VoIP) traffic on separate VLANs and was curious if this security practice is still in use in 2012. Should we use softphones as standard issue? If so, my company cannot run them on separate
Keeping data and VoIP traffic on separate VLANs is certainly a good security practice, but it may be easier said than done. If it takes an extra NIC and switch port to separate the softphone VoIP traffic from data traffic on the same workstation, it will be a hard sell in an enterprise environment.
Are there any secure, yet economically justifiable alternatives? It's necessary to dissect and then expound upon this question. While I can't address all the variables, I will address the variables we do have.
Some IP phones have programmable primary and secondary Ethernet ports. The primary is for the phone and the secondary port is for the desktop, meaning there is one dedicated wire to the desktop.
Now, the switch supporting this must at least support VLANs. To gain unified communications access, or to enable your desktops and server(s) to communicate with the telephone system, you must have routing between the VLANs. You will need a firewall, and most firewalls have routing capabilities.
If your network lacks any of the above, then why are you adopting IP phones? Without an extra NIC and switch port, it doesn't make sense to even attempt to deploy softphones. While performance issues with a PC will jeopardize the voice application, you can still implement softphones without dual NICs.
The dual NIC was something we tested at least 10 years ago with early IP PBXs. This idea was well intended, but it's not possible to control or prevent the PC performance issues that require the user to reboot his or her computer.
Softphones are more viable than in the past, but the same concerns remain. Right-sizing the desktop is still important, but other options remain for softphone clients that run on thin clients, and there are numerous USB devices for voice that provide options to enhance the user voice experience on a soft client.
In order to find value in the VLAN, you must think of VLANs as "virtual communities of interest." Placing data in VLAN-1 and voice in VLAN-2, as a basic example, will give you better overall network performance because you are isolating broadcast traffic: the data side's broadcasts stay in the data VLAN, and the same holds for voice. You don't want music-on-hold or paging traffic to run on your data network.
Then, to address a secure and economically justifiable VoIP solution, you at least need these basic elements:
- A firewall
- A router
- Managed Layer 2 switches
You can't forfeit the basics in any enterprise environment, because without them it's impossible to justify carrying the additional role of real-time traffic on a data-centric network.
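The layout described above (phone on the primary port, PC behind the phone's secondary port, voice and data in separate VLANs, a Layer 3 device routing between them with a filter in the path) can be expressed in a single managed-switch and router configuration. The following is an added example written for this page, not a configuration from the column's author or from any vendor document. It uses Cisco IOS syntax; the VLAN numbers (10 for data, 20 for voice), the subnets, the interface names and the PBX address 10.20.0.10 are all constructed placeholders and should be replaced with your own values.

```cisco
! --- Managed Layer 2 switch: one wire to the desk carries both VLANs ---
! The phone tags its own frames with the voice VLAN; the PC on the phone's
! secondary port sends untagged frames, which land in the data VLAN.
vlan 10
 name DATA
vlan 20
 name VOICE
!
interface GigabitEthernet1/0/1
 description Desk phone (primary port) with PC on the phone's secondary port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
! Uplink to the router/firewall: a trunk limited to the two VLANs in use
interface GigabitEthernet1/0/48
 description Trunk to router/firewall
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! --- Router/firewall: routes between the VLANs and filters the data side ---
interface Vlan10
 description DATA
 ip address 10.10.0.1 255.255.255.0
 ip access-group DATA-TO-VOICE in
!
interface Vlan20
 description VOICE
 ip address 10.20.0.1 255.255.255.0
!
! Only the PBX services that desktops legitimately need are reachable from
! the data VLAN; everything else destined for the voice VLAN is dropped.
! (Port numbers are illustrative assumptions: 443 for the unified
! communications web interface, 5060 for SIP signalling from softphones.)
ip access-list extended DATA-TO-VOICE
 remark Desktops and servers may reach the PBX on the named services only
 permit tcp 10.10.0.0 0.0.0.255 host 10.20.0.10 eq 443
 permit udp 10.10.0.0 0.0.0.255 host 10.20.0.10 eq 5060
 remark Block all other data-VLAN traffic toward the voice VLAN
 deny ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
 remark Traffic to other destinations (Internet, servers) is unaffected
 permit ip any any
```

With this in place, broadcast traffic such as paging and music-on-hold stays inside VLAN 20, and a compromised or misbehaving desktop in VLAN 10 can only reach the PBX on the two permitted services rather than the phones themselves. A softphone running on the PC still lives in the data VLAN, which is exactly the trade-off the column describes: it works without a second NIC, but its RTP media and signalling must be explicitly permitted through the filter and will compete with the PC's other traffic for performance.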
This was first published in October 2012