More enterprises are considering a migration from legacy circuit-switched PBXs to IP PBXs (VoIP) in order to capture the benefits of IP telephony: lower telecom costs and value-added convergence features, such as call center applications that integrate voice and data. However, this migration raises performance and security concerns, because circuit-switched infrastructures physically separate voice services from data networks, whereas IP telephony carries both kinds of traffic on the same IP network.
The current enterprise best practice for this issue is to place IP telephony resources (call managers, media gateways, and Ethernet handsets) on VLANs (virtual LANs) separate from those used by desktop/laptop PCs and data application servers. ACLs (access control lists) are then used to tightly control which devices, and which TCP/UDP ports, can reach resources on the other VLAN (for example, the exchange between voice mail servers on the voice VLAN and e-mail servers on the data VLAN).
While this approach does provide a degree of logical separation between voice and data networks, it has security and scalability limitations that will inhibit the widespread deployment of IP telephony. First, managing MAC addresses and ACLs may be feasible for a few select users or locations, but tracking the MAC address and physical location of every phone in a 50,000-user network is a significant management challenge. Few enterprises have, let alone maintain, a complete and up-to-date list of the MAC addresses of every PC and laptop on their network, and an IP telephony rollout doubles the number of devices to track. A MAC address is also not a credential: a host can present any address it likes, so a VLAN assignment keyed on it identifies the device only until someone spoofs it.
With the expanded use of Windows-based softphones [which place voice communications directly on the end system itself], such as in call centers running voice-integrated customer support applications, an alternative to separate voice VLANs is required. Because voice and data now leave the PC through a single pipe, the existing network infrastructure cannot tell from the switch port or VLAN which application a given packet belongs to. Voice traffic therefore receives the same priority and the same security treatment as all other traffic, exposing the enterprise to performance degradation and security threats against its voice traffic.
An emerging best practice now being deployed by enterprises is to implement a new layer of control in the LAN. This solution consists of a high-speed, in-line device called a LAN Controller that sits between the access switches connecting PCs, softphones, and IP handsets and the network core where the IP telephony infrastructure resides [Figure 1]. LAN Controllers work alongside the existing network infrastructure to provide the high degree of security and performance assurance that IP telephony applications require.
LAN Controllers guard the IP-PBX server infrastructure from denial-of-service [DoS] attacks. Positioned close to users in the LAN, they track call sessions and protocol flows and identify and block malicious packets before a DoS attempt can spread through the network. Stopping threats close to the source is especially important for IP telephony traffic sent from a branch office to headquarters over a frame relay WAN connection: once malicious traffic has crossed the WAN, identifying the exact user, or even the location, responsible for the breach becomes considerably harder. A LAN Controller deployed at a branch office can pinpoint the source of the attack and prevent any disruption of telephony service within the branch or to calls destined for corporate headquarters.
LAN Controllers also ensure that only authorized users can reach the IP telephony infrastructure, in effect adding a layer of port-level Network Access Control [NAC]. Before a voice-enabled system is allowed to communicate on the network, the LAN Controller queries the existing enterprise user directory or authentication server [LDAP, Active Directory, RADIUS] to authenticate the user and to determine which applications that user may run over the network. This blocks unauthorized use such as rogue handsets or softphones piggybacking calls on the corporate telephony infrastructure.
Finally, because LAN Controllers are application-aware, they can deliver a high degree of quality of service [QoS] for IP telephony while offering an effective alternative to complex MAC-based VLAN management or to an even more expensive dedicated IP telephony network. The same solution works for softphones. By distinguishing IP data traffic from IP telephony traffic [e.g., SIP or H.323 media and control traffic], LAN Controllers provide both preferential forwarding of voice traffic, which greatly reduces jitter and latency, and a heightened level of security protection, regardless of whether voice and data share the same physical network port. This sets the stage for IP telephony to finally become ubiquitous.
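The three behaviours the preceding paragraphs attribute to a LAN Controller, blocking an INVITE flood near its source, admitting signalling only from endpoints an authentication source vouches for, and telling SIP and RTP apart by content rather than by VLAN or port, as an added toy example in Python. This code was written for this page; it is not ConSentry's or any LAN Controller's implementation. The addresses, ports, sample packets, the INVITE-per-second limit and the authorized-endpoint set are all constructed for the example, and that set stands in for the LDAP/Active Directory/RADIUS lookup the article describes.

```python
"""Added example (not ConSentry code): a toy in-line voice controller.

It identifies SIP signalling and RTP media from packet contents rather than
from VLAN or switch port, learns media endpoints from the SDP carried in SIP,
rejects signalling from endpoints that are not authorized, and drops INVITE
floods from a single source. All addresses, ports and limits are constructed.
"""
from collections import defaultdict, deque
import re

SIP_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
SDP_CONN = re.compile(rb"^c=IN IP4 (\S+)", re.M)          # SDP connection address
SDP_MEDIA = re.compile(rb"^m=audio (\d+) RTP/AVP", re.M)  # SDP audio port


def sip_method(payload: bytes):
    """Return the SIP method, 'response' for a status line, or None if not SIP."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) == 3 and parts[2] == b"SIP/2.0":
        method = parts[0].decode("ascii", errors="ignore")
        if method in SIP_METHODS:
            return method
    if line.startswith(b"SIP/2.0 "):
        return "response"
    return None


class VoiceController:
    def __init__(self, authorized, max_invites=5, window=1.0):
        # Stand-in for the directory lookup: endpoints allowed to send signalling.
        self.authorized = set(authorized)
        self.max_invites = max_invites     # INVITEs per source per window before dropping
        self.window = window               # seconds
        self.invites = defaultdict(deque)  # src -> timestamps of recent INVITEs
        self.media = set()                 # (ip, port) pairs announced in SDP

    def _flooding(self, src, now):
        recent = self.invites[src]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        return len(recent) > self.max_invites

    def handle(self, src, dst, dport, payload, now):
        """Decide one packet: 'forward:voice', 'forward:data' or 'drop:<reason>'."""
        method = sip_method(payload)
        if method is not None:
            if src not in self.authorized:
                return "drop:unauthorized-endpoint"
            if method == "INVITE" and self._flooding(src, now):
                return "drop:invite-flood"
            # Record where this party expects to receive audio so the RTP that
            # follows can be recognized as part of a negotiated call.
            conn, port = SDP_CONN.search(payload), SDP_MEDIA.search(payload)
            if conn and port:
                self.media.add((conn.group(1).decode(), int(port.group(1))))
            return "forward:voice"
        # RTP: version field (top two bits) == 2 and destined for a learned endpoint.
        if (dst, dport) in self.media and len(payload) >= 12 and payload[0] >> 6 == 2:
            return "forward:voice"
        return "forward:data"


# Constructed sample packets.
INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
          b"Content-Type: application/sdp\r\n\r\n"
          b"v=0\r\nc=IN IP4 10.1.1.10\r\nm=audio 20000 RTP/AVP 0\r\n")
RTP = bytes([0x80, 0x00, 0x00, 0x01]) + b"\x00" * 8 + b"\x55" * 20  # version 2, PT 0
HTTP = b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"


def demo():
    ctl = VoiceController(authorized={"10.1.1.10"})
    out = [
        ctl.handle("10.1.1.10", "10.1.2.5", 5060, INVITE, 0.0),  # softphone calls the PBX
        ctl.handle("10.1.2.5", "10.1.1.10", 20000, RTP, 0.1),    # audio to the announced port
        ctl.handle("10.1.2.5", "10.1.1.10", 20002, RTP, 0.1),    # same bytes, port never negotiated
        ctl.handle("10.1.1.10", "10.1.2.9", 80, HTTP, 0.2),      # web traffic from the same PC
        ctl.handle("10.1.1.99", "10.1.2.5", 5060, INVITE, 0.3),  # rogue softphone, not authorized
    ]
    # Six INVITEs from the authorized host inside one second: the sixth exceeds the limit.
    flood = [ctl.handle("10.1.1.10", "10.1.2.5", 5060, INVITE, 1.0 + i * 0.01) for i in range(6)]
    out.append(flood[-1])
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Two design points carry over to real equipment. Media is recognized only at an address and port that the signalling actually negotiated, so a UDP stream that merely looks like RTP is not given voice priority; and the flood check is per source, which is what makes a branch-office deployment able to name the offending host rather than just the WAN link it arrived on. The RTP test here is deliberately minimal (version bits plus a learned endpoint); a production device would also validate SSRC and sequence numbers per session.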
Faizel Lakhani is vice president of marketing for ConSentry. For more information, please visit the company online at www.consentry.com.