S 2.376 Separation of data network and VoIP network
Initiation responsibility: IT Security Officer, Head of IT, Building Services Manager
Implementation responsibility: Building Services, Administrator, Head of IT
With IP telephony, telephone calls can be made over existing IP data networks. However, the voice traffic can also be separated, logically or physically, from the data network in order to improve scalability, quality of service (QoS), manageability, and security. Whether separation of the data and VoIP networks is necessary must be examined; it makes sense in particular when the data and VoIP networks have different protection requirements.
Separating the networks using VLANs
Local networks can be segmented physically, using separate active network components, or logically, using a corresponding VLAN (Virtual Local Area Network) configuration. Logical separation is obtained with VLAN technology at Layer 2 using VLAN-capable switches (see also S 2.277 Functional description of a switch). VLANs alone, however, offer no protection against an attacker who connects his or her own IT system (PC, laptop, or server) to the VLAN. Since the telephone's network socket, i.e. the switch port assigned to the voice VLAN, is usually physically accessible to anyone, an attacker could, for example, unplug the telephone, connect a PC in its place and attack the other telephones in the VLAN directly.
For this reason, additional safeguards going beyond logical network separation should be implemented to counteract such attacks (see Protecting the ports below).
Physical separation of the networks
When the protection requirements are high, it makes sense to physically separate the entire voice network from the data network. Physical separation of the data and voice networks significantly reduces the possibilities for attack. In addition, if one network fails (for example because of a failed active network component or a cable break), the other network remains available for communication. Because of the separation, the load on the data network has no effect on the load on the voice network.
Problems with separation
However, other problems can arise in practice when the VoIP network is completely separated from the IP data network:
- The VoIP components require access to user databases such as LDAP directories. These are typically already located in the data network and, if the networks are separated, may have to be maintained twice.
- Operating the VoIP network, e.g. name resolution using DNS, generally requires access to services in the data network.
- Administration of the VoIP components can become more complex when the networks are consistently separated, for example because software updates can no longer be transferred to the VoIP components over the data network (e.g. by SFTP) but must be installed on site. Remote configuration of the VoIP components, for example using SSH or HTTPS, likewise presupposes a connection to the data network or separate IT systems in the voice network for configuration.
These problems can be solved by installing appropriate gateways between the data and voice networks. For many services, a proxy server can be operated in the voice network that forwards requests from the voice network to the data network under controlled conditions.
- Further problems of network separation arise from multi-function devices such as VoIP telephones with integrated mail clients and from the commonly encountered softphones. These terminal devices require access to the voice network as well as to the data network.
One approach is to operate these devices in a logical network created specifically for this purpose; physical separation is impossible in this case.
- To reduce the amount of cabling required, many hardphones have an integrated "mini-switch". The telephone is then connected directly to the network socket, and an additional IT system such as a workstation computer is connected to the telephone.
This arrangement prevents physical separation of the voice network from the data network. To separate the networks logically in this case, the access switch must be able to distinguish between the two devices connected to the switch port. This is possible, for example, by means of the MAC address or, more robustly, an IEEE 802.1X authentication (see Protecting the ports below).
Protecting the ports
If hardphones or other VoIP terminal devices are used solely for making telephone calls, it must be ensured that only the intended VoIP connections can be established from the network ports these devices are connected to. Otherwise, an attacker could connect a mobile IT system to the network socket intended for the PBX terminal device and gain access to information and services not intended for him or her. A typical example is a telephone in an area that is not continuously monitored, such as an underground car park. This protection can be obtained by configuring corresponding filter rules on the active network components: only the signalling and media protocols towards the PBX and the other telephones (e.g. SIP and RTP) and the provisioning services the telephone needs (e.g. DHCP, DNS, TFTP or HTTPS to the provisioning server) are permitted, and everything else is denied.
Depending on the protection requirements, additional safeguards such as authentication according to IEEE 802.1X can be used to secure operation. It must be taken into account, though, that dynamic or static binding of a MAC address to a (switch) port or a VLAN access list alone does not provide sufficient protection, since MAC addresses can easily be forged.
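The following switch configuration is an added example and is not part of this safeguard text. It shows, in Cisco IOS-style syntax (assumed; other vendors use different commands), how the two cases above can be implemented on an access switch: a telephone-only port in an unmonitored area that is restricted to VoIP connections by a port filter and IEEE 802.1X, and an office port behind which a telephone with an integrated mini-switch and a workstation are distinguished by 802.1X multi-domain authentication. The VLAN IDs 10 (data) and 100 (voice), the PBX address 10.1.100.10, the provisioning server 10.1.100.20, the RADIUS server 10.1.1.5, the interface names and the port numbers are assumptions and have to be adapted to the actual environment.

```cisco
! Added example, Cisco IOS-style syntax (assumed). All VLAN IDs, addresses
! and interface names are assumptions for illustration only.
vlan 10
 name DATA
vlan 100
 name VOICE
!
! Port filter for sockets to which only a telephone is connected:
! SIP signalling to the PBX, RTP media within the voice VLAN and the
! provisioning services the telephone needs are permitted, all else denied.
ip access-list extended VOICE-ONLY
 remark DHCP for the telephone
 permit udp any eq bootpc any eq bootps
 remark DNS, TFTP and HTTPS to the provisioning server (assumed address)
 permit udp any host 10.1.100.20 eq domain
 permit udp any host 10.1.100.20 eq tftp
 permit tcp any host 10.1.100.20 eq 443
 remark SIP (UDP) and SIP over TLS (TCP) to the PBX (assumed address)
 permit udp any host 10.1.100.10 eq 5060
 permit tcp any host 10.1.100.10 eq 5061
 remark RTP media between telephones in the voice VLAN (assumed port range)
 permit udp any 10.1.100.0 0.0.0.255 range 16384 32767
 remark everything else, in particular access to the data network, is denied
 deny ip any any
!
! 802.1X authenticator against a RADIUS server (assumed address and key);
! MAC Authentication Bypass (mab) only as a fallback for telephones
! without an 802.1X supplicant, since a MAC address is trivially forged.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius server VOIP-AAA
 address ipv4 10.1.1.5 auth-port 1812 acct-port 1813
 key RADIUS-SHARED-SECRET
!
! Telephone-only socket in an unmonitored area (e.g. underground car park):
! exactly one authenticated device, voice VLAN only, VoIP filter on the port.
interface GigabitEthernet1/0/5
 description Phone only - car park
 switchport mode access
 switchport access vlan 100
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
 mab
 ip access-group VOICE-ONLY in
 spanning-tree portfast
!
! Office socket: telephone with mini-switch and a workstation behind it.
! multi-domain admits one authenticated device into the voice domain and
! one into the data domain; the PC cannot simply tag its frames with VLAN 100.
interface GigabitEthernet1/0/6
 description Phone with PC behind mini-switch
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 mab
 spanning-tree portfast
```

Two points to note when adapting this. First, a port filter such as VOICE-ONLY applies to all frames entering the port, so on the mixed port GigabitEthernet1/0/6 it would also block the workstation; restrictions for the voice VLAN on mixed ports therefore belong at the VLAN boundary (the router or firewall interface for VLAN 100), and phone-to-phone RTP inside the VLAN is not seen there at all. Second, the mab fallback authenticates nothing but a MAC address and provides only the weak protection the text warns about; wherever the telephones support it, 802.1X with EAP-TLS and device certificates should be used instead.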
Review questions:
- Do the protection requirements require a separation of the data and VoIP networks?
- Do devices that use both VoIP and data services (e.g. softphones or telephones with an integrated mini-switch) have access to the data network as well as the VoIP network, and how is this access controlled?
- Are network ports for VoIP terminal devices only allowed to establish VoIP connections?