How to Protect LAN Security from the Perspective of VoIP Security

Source: Internet
Author: User
Tags: reverse DNS

Recently I have heard of many new types of LAN attacks, such as VoIP attacks or the use of printers as attack sources. So how can LAN security measures protect us from these attacks?

These attacks are definitely on the rise. In fact, the SANS Institute recently listed client attacks as one of the most serious vulnerabilities today. Anyone who thinks we can fully protect ourselves from such attacks is being overconfident. Even so, when an attack threatens your company, there are some powerful measures you can take to mitigate the threat.

The first step is to implement an authentication mechanism in your LAN that covers both devices and users. Products that rely on 802.1X alone are not adequate, because the vast majority of phones, printers, health check equipment, robots, and other devices do not support 802.1X.

You need a way to know which non-user devices are plugged into the network and what kind of device each one is. Find an authentication method that lets you put certain devices on an allowlist or, better, helps you identify those devices automatically, for example by using reverse DNS to associate the device name with the device type.

Next, you need to put these non-user devices into roles and assign access permissions to each role. For example, you can define a printer role and apply it to all printers and print servers in your environment. As for access permissions, you can specify that printers can only communicate with the print server, and that user devices can only communicate with the print server. With this type of policy, you eliminate direct communication between user devices and printers.

For VoIP, you can assign VoIP phones to a VoIP role and then specify that these phones can only communicate with the Call Manager. You can even use application-based policies to go beyond this zone-based protection. For example, you can state that devices in the VoIP role may only use SIP, H.323, or SKINNY for communication, which further protects against data-based attacks.

This type of zoning is very helpful in protecting phones, printers, and other devices that may act as the starting point of attacks. For example, if vulnerability-scanning software is installed on a constrained printer, it cannot reach out to every device on the network looking for open ports. Likewise, a VoIP phone cannot be used to initiate an attack against other servers or end-user machines. With application-level protection, it cannot even use data protocols to attack the Call Manager.
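The role and policy model described above can be expressed as a default-deny flow check. The following is an added example, not code from the original article: the PTR records, hostname prefixes, addresses, and port sets are all constructed assumptions, and a dictionary stands in for live reverse-DNS lookups so the example runs offline.

```python
# Constructed PTR records (stand-in for real reverse-DNS lookups).
PTR = {
    "10.0.20.11": "prn-floor2.corp.example",
    "10.0.20.5": "printsrv01.corp.example",
    "10.0.30.21": "phone-1021.corp.example",
    "10.0.30.2": "callmgr01.corp.example",
    "10.0.10.50": "ws-alice.corp.example",
}

# Hypothetical naming convention: hostname prefix -> device role.
ROLE_PREFIXES = {
    "prn-": "printer",
    "printsrv": "print_server",
    "phone-": "voip",
    "callmgr": "call_manager",
    "ws-": "user",
}

# Assumed application ports: SIP 5060/5061, H.323 signalling 1720, SCCP 2000.
VOIP_PORTS = {5060, 5061, 1720, 2000}
# Assumed printing ports: LPD 515, IPP 631, raw print 9100.
PRINT_PORTS = {515, 631, 9100}

# Initiator role -> {peer role: allowed destination ports}. Anything absent is denied.
# Only the roles discussed in the article are modelled.
POLICY = {
    "printer": {"print_server": PRINT_PORTS},
    "print_server": {"printer": PRINT_PORTS},
    "user": {"print_server": PRINT_PORTS},
    "voip": {"call_manager": VOIP_PORTS},
}

def role_of(ip):
    """Map an IP to a role via its PTR name; None when unknown or unmatched."""
    name = PTR.get(ip, "")
    return next((r for p, r in ROLE_PREFIXES.items() if name.startswith(p)), None)

def allowed(src_ip, dst_ip, dst_port):
    """Default deny: permit only flows listed for the initiator's role."""
    src, dst = role_of(src_ip), role_of(dst_ip)
    if src is None or dst is None:
        return False  # unidentified devices get no access
    return dst_port in POLICY.get(src, {}).get(dst, set())

if __name__ == "__main__":
    for flow in [("10.0.30.21", "10.0.30.2", 5060), ("10.0.30.21", "10.0.30.2", 22),
                 ("10.0.10.50", "10.0.20.11", 9100), ("10.0.20.11", "10.0.10.50", 445)]:
        print(flow, "ALLOW" if allowed(*flow) else "DENY")
```

A device with no PTR record, or with a name that matches no prefix, gets no role and is denied everywhere, so the check fails closed for devices that cannot be identified.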

So how can you obtain this kind of LAN security protection? You have several options. Next-generation LAN switches that support authentication beyond 802.1X can implement policy-based access control for users and devices. This is a very good way to introduce the capability directly into your LAN. If you do not want to upgrade your switches, consider a security appliance that can authenticate users and devices, automatically assign roles to devices, and enforce policy based on zones and applications.

Whether you choose an access switch or an appliance, the key is to apply the protection at the user edge of the LAN. This location is critical to reducing these client-based attacks. Otherwise, you have no tool to block traffic at the start of its journey.
