[VOIPSEC] softphones and VPNs

Wence Van der Meersch wence.vandermeersch at ascure.com
Wed Apr 5 02:52:26 CDT 2006


A Netscreen was also what I thought about first. You can indeed define
multiple VLAN interfaces per physical interface and assign them to
different security zones. This is, of course, a feature of most modern
firewalls, so this doesn't mean you should go with Netscreen because of
this; I'm just describing the solution with a Netscreen because I am
most familiar with them.

Also, you can make a separate subnet for your VPN connections and assign
it to another security zone, allowing it access to the local network
and fine-tuning its access to the voice VLAN so it can do what it
needs to do, thus providing access only to the CallManager (I suggest
leaving it in the media path and not using re-INVITEs; that way you can
deny access to the fixed phones on your voice VLAN) on the required
ports (Netscreen has good support for the SIP protocol (I assumed you're
using SIP), so this should be a breeze). Of course, when some day you
decide to use SIPS, all this application intelligence(TM?) won't do
you any good, since it can't read the information it needs anymore.

The Juniper Netscreen ISG2000 also provides SIP anomaly detection in its
IDS/IPS services, providing an extra layer of protection for your VoIP
infrastructure. I would suggest using as many security layers as your
budget allows, because providing any type of user access to your voice
network is a serious risk, considering the current state of VoIP
security.

Also, don't forget to check up on the best practices in VLAN deployment
to protect against VLAN hopping attacks.
http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf
provides a good overview of this.

Regards,

Wence Van der Meersch
Information Security Consultant
Ascure nv.
Bijenstraat 10, B-9051 Gent, Belgium

Tel		+32 (0)9.243.10.20
Fax		+32 (0)9.243.10.30
Mobile	+32 (0)479.90.33.95
e-mail	wence.vandermeersch at ascure.com
Web		http://www.ascure.com

Ascure - "Doing YOUR business securely"
 

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org 
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Graham, Doug
> Sent: dinsdag 4 april 2006 16:48
> To: Craig; Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] softphones and VPNs
> 
> I'm confident you could do this with a Juniper Netscreen. I 
> think you can define sub-interfaces or separate physical 
> interfaces and assign them to separate VLANS. Add the 
> Netscreen Remote client to the PC and then use routes and 
> policies in the Netscreen to route, permit and deny traffic 
> on an interface by interface basis. I would probably define a 
> separate security zone for voice and data and build policies 
> on that basis.
> 
> I'm not as familiar with the Cisco product line, but I would 
> be surprised if you can't do it with that also.
> 
> Doug Graham
> CISSP, GSEC, JNCIS-FWV 
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org 
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Craig
> Sent: Tuesday, April 04, 2006 10:22 AM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] softphones and VPNs
> 
> 
> All, I'm hoping someone can help out with some configuration 
> and/or solution suggestions.  I am on the design team of a 
> VoIP project.  The solution we are designing has two separate 
> VLANs, one for voice and one for data.  The only traffic 
> allowed to travel between VLANs is DNS, DHCP, SNMP and NTP.  
> The customer is interested in using softphones remotely 
> (business trips, for example) on laptops only.  What we would 
> like to do is make it as simple for the user as possible.  
> What we would like to do is set up a VPN solution where the customer 
> establishes one VPN back to the corporate network to check 
> email and make phone calls.  
> The VPN server would be attached to both VLANs and distribute 
> the traffic to the correct VLAN. 
> 
> Does anyone know of a VPN server that will do this?  Another solution?
> 
> Thanks In Advance.
> 
> -- 
> 
> Craig L. Bowser
> Security Engineer
> CISSP
> SANS GSEC (Gold)
> SRA International, Inc.
> 703-652-6912
> craig.bowser1 at us dot army dot mil
> -------------------------------
> Rome did not create a great empire by having meetings; they 
> did it by killing all those who opposed them.  
> 
> 
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 
---- eMail Disclaimer ----
This message may be confidential. It is also solely for the use of the individual or group to whom it is addressed. If you have received it 
by mistake, please let us know by e-mail reply. Ascure is not liable for any direct or indirect damage arising from errors, inaccuracies or 
any loss in the message, from unauthorized use, disclosure, copying or alteration of it.
For the complete version or other languages of this disclaimer see http://www.ascure.com/disclaimer.html
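The zone layout described in the reply above (a voice VLAN, a data VLAN, and the remote softphone VPN clients in their own zone, permitted to reach only the CallManager on the SIP port and explicitly denied access to the fixed phones), written out as a ScreenOS configuration fragment. This is an added illustration, not configuration posted by anyone in the thread; the zone names, interface names, VLAN tags and addresses (10.10.10.0/24 voice, 10.10.20.0/24 data, 10.10.99.0/24 VPN pool, CallManager at 10.10.10.5) are constructed for the example, and the command syntax is reproduced from memory of ScreenOS and should be checked against the firmware release in use.

```text
# --- Zones: one per VLAN plus a dedicated zone for remote VPN clients ---
set zone name "voice"
set zone name "data"
set zone name "vpn-clients"

# --- 802.1Q sub-interfaces on one physical port, one per VLAN/zone ---
set interface ethernet0/1.10 tag 10 zone "voice"
set interface ethernet0/1.10 ip 10.10.10.1/24
set interface ethernet0/1.20 tag 20 zone "data"
set interface ethernet0/1.20 ip 10.10.20.1/24

# --- Tunnel interface for the road-warrior VPN; address pool is its own subnet ---
set interface tunnel.1 zone "vpn-clients"
set interface tunnel.1 ip 10.10.99.1/24

# --- Address book objects (hypothetical addresses) ---
set address "voice" "callmanager" 10.10.10.5 255.255.255.255
set address "voice" "voice-vlan" 10.10.10.0 255.255.255.0
set address "data" "data-vlan" 10.10.20.0 255.255.255.0
set address "vpn-clients" "vpn-pool" 10.10.99.0 255.255.255.0

# --- Policies, evaluated top-down within each zone pair ---
# Softphones may talk SIP only to the CallManager (predefined SIP service, UDP 5060).
# Because the CallManager stays in the media path (no re-INVITE), the SIP ALG only
# needs to open RTP pinholes towards the CallManager, never towards the phones.
set policy from "vpn-clients" to "voice" "vpn-pool" "callmanager" "SIP" permit log
# Everything else from the VPN pool into the voice VLAN, including the fixed phones, is dropped.
set policy from "vpn-clients" to "voice" "Any" "Any" "ANY" deny log

# Ordinary corporate access (mail etc.) for the same clients goes to the data zone.
set policy from "vpn-clients" to "data" "vpn-pool" "data-vlan" "ANY" permit log

# Keep the VLAN-to-VLAN rule set from the original design: only the listed
# infrastructure services cross between data and voice.
set policy from "data" to "voice" "data-vlan" "voice-vlan" "DNS" permit
set policy from "data" to "voice" "data-vlan" "voice-vlan" "DHCP-Relay" permit
set policy from "data" to "voice" "data-vlan" "voice-vlan" "NTP" permit
set policy from "data" to "voice" "data-vlan" "voice-vlan" "SNMP" permit
set policy from "data" to "voice" "Any" "Any" "ANY" deny log
```

Two checks worth making once this is in place: first, that the SIP ALG is actually active on the permit rule (on ScreenOS the predefined "SIP" service is what triggers it), since without it the RTP streams negotiated in the SDP body would need static, wide pinholes; second, as the reply notes, that if signalling is later moved to SIPS (TLS) the ALG can no longer read the SDP and the dynamic pinholes disappear, so the media policy has to be redesigned at that point rather than silently widened.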
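The VLAN-hopping countermeasures the reply points to in the Convery slides (no automatic trunk negotiation, explicit access ports, an unused native VLAN on trunks, no use of VLAN 1, unused ports parked in a dead VLAN and shut down), shown as a Cisco IOS switch fragment. This is an added example and not configuration from the thread; the interface names and VLAN numbers (10 voice, 20 data, 999 as a dead/native VLAN) are constructed for the example.

```text
! Global: tag the native VLAN on trunks as well, so untagged frames are not
! implicitly mapped into a production VLAN (double-tagging attack).
vlan dot1q tag native
!
! User port: a PC behind an IP phone. Access mode only, DTP disabled, so a
! host that sends DTP frames cannot turn the port into a trunk.
interface FastEthernet0/1
 description user port - phone on VLAN 10, PC on VLAN 20
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
! Uplink: explicit trunk, DTP off, native VLAN set to an unused VLAN, and only
! the VLANs that really need to cross this link allowed.
interface GigabitEthernet0/1
 description uplink to distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Unused ports: parked in the dead VLAN and administratively down, so that
! nothing plugged into them lands in VLAN 1 or negotiates a trunk.
interface range FastEthernet0/2 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
```

After applying this, `show interfaces trunk` and `show interfaces switchport` are the quick way to confirm that no port reports a negotiated (dynamic) trunking state and that the native VLAN on every trunk is the unused one.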