Four simple steps to fend off IP phone security attacks

Source: Internet
Author: User

Recently I have heard of many new forms of attack on LANs, such as Voice over IP (VoIP) attacks or vulnerability attacks (using printers as attack sources). So how can we improve LAN security to prevent these attacks?

These forms of attack are steadily increasing and deserve users' attention. In fact, the SANS Institute recently listed client attacks as one of the most important vulnerabilities on the internet today. It is impossible to eliminate such attacks completely, but you can take measures to mitigate the threat they pose to your business.

One of the first measures to take is to implement an authentication policy on your LAN (covering all devices and users). Relying on 802.1X authentication alone is not realistic, because most phones, printers, medical devices, machinery and other devices cannot support the required 802.1X supplicant.

In addition, you need a way to secure each non-user device's access to the network, and you need to know the type of each device. One authentication method is to list specific known devices in a trusted list. Better still, you can use reverse DNS lookups to obtain the device name and type, which helps you identify those devices automatically.

Next, you need to classify these non-user devices and set different access permissions for each type of device. For example, you can define a printer category that applies to all printers and print servers in your network environment. For access permissions, you can specify that printers can only communicate with the print server, and that all user devices can only communicate with the print server. With this rule, you avoid direct communication between your user devices and printers.

Similarly, for VoIP, you can define a category for IP phones and specify that IP phones can only communicate with the traffic manager. You can even go beyond this partitioning with an application-specific protection policy. For example, you can specify that an IP phone can only communicate using SIP, H.323, or SKINNY, to further reduce data-based attacks.

This approach of partitioning and access control can greatly help prevent attacks on phones, printers, or other devices. For example, a printer that has been placed in a security partition, even if vulnerability-scanning software has been installed on it, will not be able to reach all the network devices on your access ports. Moreover, IP phones cannot be used to launch attacks against other servers or end-user computers. With application-level protection, they cannot even attack the telephone administrators using data protocols.
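The classification and per-class rules described above can be expressed as a default-deny policy table. The following is an added example, not code from the original article; the hostname naming convention, zone names, print ports and sample flows are constructed assumptions.

```python
# Added example: default-deny zone policy for non-user devices.
# Hostname prefixes, zone names and sample flows are constructed assumptions.
import re

# Classify a device from its reverse-DNS name (assumed naming convention).
CLASS_PATTERNS = [
    (re.compile(r"^prn-srv\d*\."), "print_server"),
    (re.compile(r"^prn\d*\."), "printer"),
    (re.compile(r"^phone\d*\."), "ip_phone"),
    (re.compile(r"^callmgr\d*\."), "traffic_manager"),
    (re.compile(r"^pc\d*\."), "user"),
]

# Well-known signalling ports: SIP 5060/5061, H.323 call signalling 1720, Skinny (SCCP) 2000.
VOIP_SIGNALLING = {("udp", 5060), ("tcp", 5060), ("tcp", 5061), ("tcp", 1720), ("tcp", 2000)}
PRINT_PORTS = {("tcp", 515), ("tcp", 631), ("tcp", 9100)}  # LPD, IPP, raw printing (assumed)

# (source class, destination class) -> allowed (protocol, port) pairs; anything else is denied.
POLICY = {
    ("user", "print_server"): PRINT_PORTS,
    ("print_server", "printer"): PRINT_PORTS,
    ("ip_phone", "traffic_manager"): VOIP_SIGNALLING,
    ("traffic_manager", "ip_phone"): VOIP_SIGNALLING,
}

def classify(ptr_name):
    """Return the device class for a reverse-DNS name, or 'unknown'."""
    name = ptr_name.lower()
    for pattern, device_class in CLASS_PATTERNS:
        if pattern.match(name):
            return device_class
    return "unknown"

def decide(src_ptr, dst_ptr, proto, port):
    """Allow a flow only if the class pair and (protocol, port) are listed."""
    pair = (classify(src_ptr), classify(dst_ptr))
    allowed = (proto, port) in POLICY.get(pair, set())
    return ("allow" if allowed else "deny"), pair

if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("pc17.corp.example", "prn-srv1.corp.example", "tcp", 631),
        ("pc17.corp.example", "prn04.corp.example", "tcp", 9100),
        ("prn04.corp.example", "pc17.corp.example", "tcp", 445),
        ("phone220.corp.example", "callmgr1.corp.example", "udp", 5060),
        ("phone220.corp.example", "callmgr1.corp.example", "tcp", 22),
    ]
    for flow in flows:
        print(flow, "->", decide(*flow))
```

Devices whose names match no pattern fall into the `unknown` class and are denied everywhere, which is the behaviour you want for anything not yet on the trusted list.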

In what form can you get this kind of LAN security protection? You have several options. A new generation of LAN switches that go beyond 802.1X authentication and provide policy-based access control for users and devices can be built directly into your local network. If you are not considering a switch upgrade, you can use a security appliance that authenticates users and devices, classifies devices automatically, and enforces policy-based control by zone and application.

Whether you choose an access switch or a security appliance, the key issue is whether the protection policy is correctly applied to the LAN clients. These methods can help reduce client-based attacks. Without them, you have no effective means of blocking attacks at the source.
