Large Scale VoIP Deployment and ACL's

Discussion in 'Cisco' started by thrill5, Mar 25, 2005.

  1. thrill5

    thrill5 Guest

    We are planning a large scale VoIP deployment at our company and we are
    currently "negotiating" with the info security group over what security measures
    we need to put into place. They have read the Cisco "SAFE" white paper on
    IP Telephony deployments, which recommends applying ACLs to block traffic
    between the data VLANs and the voice VLANs. In a large deployment (over
    1000 locations) this seems very impractical, because to make a call from one
    location to another the traffic must pass over the "data" portion of the
    network. They want us to deploy ACLs at every location that only allow
    traffic out of the voice VLANs on to the data network if it is going to
    another voice VLAN (to prevent DoS, hacking of the voice traffic, etc.). With
    a few sites this would be manageable, but in large deployments this would be
    a management nightmare! (Every time you add another voice location you
    would need to update the ACLs at every existing voice location.) My
    question is: what is everyone else out there doing? We have excellent
    security practices and policies in place, IDS, virus protection software on
    every computer, and I think the risk is small. The last time we had a virus
    outbreak was 3 years ago and it was a very limited outbreak. (The only
    systems infected were those that were found not to have had virus protection
    software installed, about 1% of the computers. This has subsequently been
    corrected.) The virus was detected very early by the IDSs and was
    eradicated in a few days. What are other companies out there doing in large
    scale VoIP deployments?


    thrill5, Mar 25, 2005

  2. thrill5

    BradReeseCom Guest

    BradReeseCom, Mar 26, 2005

  3. thrill5

    stephen Guest

    This doesn't prevent DoS - anyone who can spoof the address to get past your
    ACLs can send packets into the voice domain - but it does take local
    knowledge and customisation, so it isn't an issue for a generic worm or virus.

    I think that this may be fixable - if you have the ability to plan the
    address space.

    If all voice subnets come from a single block of space, then you can use a
    single simple ACL to limit access at each point. And if you have some spare
    space then you won't need to alter ACLs later when more voice subnets get

    The drawback is that if you already try to minimise the number of IP routes,
    then this technique will expand the number of subnets in routing tables
    throughout your network - but that is surely why Cisco keep increasing the
    default RAM in their boxes? :)

    I designed a campus about 2 years back where we planned separate address
    space blocks for voice and data - and it has worked reasonably well. Not
    sure whether this would be as easy over a WAN though.

    stephen, Mar 26, 2005
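The difference between the per-destination ACLs thrill5 was asked to deploy and the single aggregate ACL stephen describes, as an added example that is not part of this thread (all addresses are constructed; the voice block 10.200.0.0/16 is an assumed allocation). It models first-match ACL evaluation and shows that a new voice site inside the block is permitted by the aggregate ACL without touching any existing site, while the per-site ACL denies it until every site is updated; neither ACL helps against a spoofed source address, as stephen notes.

```python
import ipaddress

# Constructed sample addressing (assumed, not from the thread): every voice VLAN
# is carved from one contiguous block, data VLANs live elsewhere.
ANY = ipaddress.ip_network("0.0.0.0/0")
VOICE_BLOCK = ipaddress.ip_network("10.200.0.0/16")
VOICE_SITES = [ipaddress.ip_network(s) for s in ("10.200.1.0/24", "10.200.2.0/24")]
DATA_SUBNET = ipaddress.ip_network("10.10.5.0/24")


def wildcard(net):
    """Cisco ACL syntax wants network plus inverse (wildcard) mask."""
    return f"{net.network_address} {net.hostmask}"


def per_site_acl(local, remotes):
    """One permit per remote voice VLAN: grows, and must be edited at every site,
    each time a voice location is added."""
    return [("permit", local, r) for r in remotes] + [("deny", ANY, ANY)]


def aggregate_acl(local, block):
    """One permit covering the whole voice block: new voice subnets carved from
    the block need no ACL change anywhere."""
    return [("permit", local, block), ("deny", ANY, ANY)]


def evaluate(rules, src, dst):
    """First-match evaluation, as an IOS ACL does, with the implicit deny at the end."""
    for action, s, d in rules:
        if src in s and dst in d:
            return action
    return "deny"


def render(rules, name="VOICE-OUT"):
    """Render the rule list as IOS extended named ACL lines."""
    return [f"ip access-list extended {name}"] + [
        f" {action} ip {wildcard(s)} {wildcard(d)}" for action, s, d in rules]


def compare_new_site(new_site="10.200.99.0/24"):
    """A voice site added after the ACLs were deployed at site 1."""
    new = ipaddress.ip_network(new_site)
    local = VOICE_SITES[0]
    src = local[10]                      # a phone at site 1
    per_site = per_site_acl(local, VOICE_SITES[1:])
    agg = aggregate_acl(local, VOICE_BLOCK)
    return {
        "per_site_to_new_site": evaluate(per_site, src, new[10]),
        "aggregate_to_new_site": evaluate(agg, src, new[10]),
        "aggregate_to_data": evaluate(agg, src, DATA_SUBNET[10]),
        "aggregate_acl_lines": len(render(agg)),
    }
```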
