Large Scale VoIP Deployment and ACL's

We are planning a large scale VoIP deployment at our company and we are
currently "negotiating" with info security group over what security measures
we need to put into place. They have read the Cisco "SAFE" white paper on
IP Telephony deployments it recommends to apply ACL's to block traffic
between the data VLANs and the voice VLANs. In a large deployment (over
1000 locations) this seems very impractical because to make a call from one
location to another the traffic must pass over the "data" portion of the
network. They want us to deploy ACL's at every location that only allows
traffic out of the voice VLAN's on to the data network if it going to
another voice VLAN (to prevent DoS, hacking of the voice traffic etc.) With
a few sites this would be manageable but in large deployments this would be
a management nightmare! (Every time you and another voice location you
would need to update the ACL's at every existing voice location). My
question is what is everyone else out there doing? We have excellent
security practices and policies in place, IDS, virus protection software on
every computer, and I think the risk is small. The last time we had a virus
outbreak was 3 years ago and it was a very limited outbreak. (The only
systems infected were those that were found not to have had virus protection
software installed, about 1% of the computers. This has subsequently been
corrected). The virus was detected very early by the IDS's and was
eradicated in a few days. What are other companies out there doing in large
scale VoIP deployments?

Thanks!

Scott

 

Hi Scott,

You may wish to investigate Cisco's Voice Success Stories:

http://www.cisco.com/en/US/about/success-stories/technology/voice.html

Sincerely,

Brad Reese
BradReese.Com® Cisco Resource Center
Toll Free: 877-549-2680
International: 828-277-7272
Website: http://www.BradReese.Com

 

this doesnt prevent DoS - anyoine who can spoof the address to get past your
ACLs can send packets into the voice domain - but it does take local
knowledge and customisation so isnt an issue for a generic worm or virus.

With

i think that this may be fixable - if you have the ability to plan the
address space.

if all voice subnets come from a single block of space, then you can use a
single simple ACL to limit access at each point. And if you have some spare
space then you wont need to alter ACLs later when more voice subnets get
implemented.

the drawback is that if you already try to minimise the number of IP routes,
then this technique will expand the number of subnets in routing tables
throughout your network - but that is surely why cisco keep increasing the
default RAM in thier boxes ?

My

i designed a campus about 2 years back where we planned separate address
space blocks for voice and data - and it has worked reasonably well. Note
sure whether this would be as easy over a WAN though.

We have excellent