EXPERT RESPONSE
There are many ways to protect a VoIP network, but the first decision to make is: what are you protecting? In any type of IP communications (e-mail, Web, IM and now voice) you must first ask yourself the following questions: Do I need external communications? Is it two-way? What are my corporate policies? Are there legislative concerns I must address? Then you must take a look at the internal network and ask yourself: Do I need to separate this traffic for bandwidth concerns, policy needs or compliance requirements?
After looking through these criteria, implementing a solution based on the capabilities of your servers must be addressed. Can the basic implementation address the issues raised in the design phase? Where are the gaps? Are there third-party solutions that complement an existing implementation while enhancing the security aspects that must be addressed?
In the scenario you describe, you are proposing to separate the traffic by implementing a VLAN approach. This approach is quite costly (as you noted) and requires an investment in extra networking equipment. Yet it still allows a determined hacker the chance to 'sniff' the network and capture voice traffic. If separated traffic is the intent and a necessary requirement, easier options such as TLS between the phone (soft or hard) and the server would be a better design, reducing the hardware requirements while providing a more secure implementation.
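The point about VLAN separation offering no confidentiality can be seen directly in the frame format. The following is an added example, not part of the expert's response: it builds a constructed 802.1Q-tagged Ethernet frame carrying an IPv4/UDP/RTP voice packet (all addresses, ports and the G.711 payload are made up for illustration) and then parses it the way a sniffer on the same trunk would. The VLAN tag is four bytes of plaintext header, and the audio payload behind it is readable as-is; separating the traffic onto its own VLAN changes where the frame is switched, not whether its contents can be read.

```python
"""Parse a constructed 802.1Q-tagged frame carrying an RTP voice packet.

Added example: the VLAN tag is a plaintext 4-byte header, and the RTP
payload inside is readable by anyone who can capture the frame.
"""
import struct


def build_tagged_rtp_frame(vlan_id, payload):
    """Construct a sample frame: Ethernet / 802.1Q / IPv4 / UDP / RTP.

    Every value below is constructed for the example (MACs, IPs, ports, SSRC).
    """
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    # TCI: PCP 5 (typical voice priority), DEI 0, 12-bit VLAN ID
    tci = (5 << 13) | (vlan_id & 0x0FFF)
    vlan_hdr = struct.pack("!HH", 0x8100, tci)
    # RTP: V=2 (0x80), PT=0 (PCMU / G.711 u-law), seq 1, timestamp 160, SSRC
    rtp = struct.pack("!BBHII", 0x80, 0x00, 1, 160, 0xDEADBEEF) + payload
    udp_len = 8 + len(rtp)
    # UDP checksum left at 0 (optional for IPv4); the parser does not verify it
    udp_hdr = struct.pack("!HHHH", 16384, 16384, udp_len, 0)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0xB8, 20 + udp_len, 0, 0x4000, 64, 17, 0,  # ver/ihl, DSCP EF, len, id, DF, ttl, UDP, csum
        bytes([10, 10, 20, 11]), bytes([10, 10, 20, 12]),
    )
    return dst_mac + src_mac + vlan_hdr + struct.pack("!H", 0x0800) + ip_hdr + udp_hdr + rtp


def parse_tagged_frame(frame):
    """Decode VLAN tag, IP/UDP endpoints and RTP header from a captured frame."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != 0x8100:
        raise ValueError("not an 802.1Q-tagged frame")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 is handled in this example")
    ip = frame[18:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    rtp = udp[8:ulen]
    seq, ts, ssrc = struct.unpack("!HII", rtp[2:12])
    return {
        "vlan_id": tci & 0x0FFF,
        "pcp": tci >> 13,
        "src_ip": ".".join(map(str, ip[12:16])),
        "dst_ip": ".".join(map(str, ip[16:20])),
        "src_port": sport,
        "dst_port": dport,
        "rtp_version": rtp[0] >> 6,
        "payload_type": rtp[1] & 0x7F,
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "audio": rtp[12:],  # raw G.711 samples, no encryption in the way
    }


if __name__ == "__main__":
    # Constructed sample: 20 ms of fake PCMU audio on voice VLAN 200
    sample = build_tagged_rtp_frame(200, bytes(range(160)))
    info = parse_tagged_frame(sample)
    print("VLAN %d (PCP %d) %s:%d -> %s:%d RTP PT=%d seq=%d, %d audio bytes in the clear"
          % (info["vlan_id"], info["pcp"], info["src_ip"], info["src_port"],
             info["dst_ip"], info["dst_port"], info["payload_type"], info["seq"],
             len(info["audio"])))
```

The parser does nothing a packet capture tool would not do; it is here to make concrete that the VLAN tag and the voice payload sit side by side in the clear. The TLS option the response favours addresses exactly this: it encrypts the link between phone and server rather than relying on where the frames are switched.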