保护线第2部分 - 语音Vlaning

我们都熟悉VLAN或Virtual LAN，它今天广泛用于企业甚至SMB网络环境。随着融合网络的出现，突然间，VLAN的正确使用和配置变得越来越重要。由于可以利用单个网络插孔来提供电话和计算机服务，因此突然出现一个新的安全孔。在逻辑网络上融合到逻辑网络上的语音和数据服务都太容易了，这最终是最简单的解决方案。但是，想象您的企业办公室的大厅，其中多个IP电话驻地为客人提供基本服务。使用简单的开关，用户可以将他/她的笔记本电脑连接到可信内部网络。在VLAN的环境中，这不会那么简单。当然，设计和实施多个虚拟LAN为任何环境添加了管理开销。甚至敏感数据和语音网络的逻辑分离也不保证安全性。即使对于Voice VLAN而言，即使对于语音VLAN也是绝对要求的正确定义的安全机制。 Advanced router and switch configurations are likely necessary to enforce security policies on the Voice network, as most IP phones contain switch ports to allow daisy-chained devices. The Voice network is therefore highly susceptible to common TCP/IP-based attacks which could cripple a telephony network. VLAN design varies from organization to organization. Some favor port-based VLANs, while others prefer tagged (or ID'd VLAN) environments. Obviously, in a port-based VLAN configuration, each physical switch port is assigned directly to a VLAN, whereas a tagged VLAN uses ID-tagging to assign devices to VLANs. Tagged VLAN configurations are increasingly popular due to the simplicity in administration, however they pose a risk for "VLAN hopping" attacks. In this scenario, an attacker can spoof "tag authentication" information, such as MAC addresses, or 802.1x attacks to gain access to the secured VLAN. In conclusion, it's important to fully analyze your logical network's security之前考虑融合网络。有许多考虑因素，包括物理端口位置，VLAN类型设计和认证策略。在我看来，涉及第三方审计员的费用是非常值得的，以确保您的新语音网络受到保护免受这些共同威胁。