What issues can arise if there are IP phones on a network that uses 802.1x? What if, behind the phones, there are connected PCs that share the same switch port?
Voice over IP (VoIP) telephony technology is beginning to replace traditional PBX (private branch exchange) telephony in the enterprise. Last year, SearchSecurity.com discussed Cisco's move toward quadplay convergence – putting data, voice, video and mobile communications on the same network. And you're right to question the security issues of such an arrangement.
When deploying VoIP on an 802.1x network, a significant issue is the use of the Ethernet port. Most VoIP phones provide this port so that a client PC can connect to the network. If you're using 802.1x, make sure that the switch is configured to allow multiple devices on the same port. Otherwise, only the first device to establish a connection -- the phone or the PC -- will be able to access the network.
You'll also need to take measures to protect against a new kind of eavesdropping threat. By placing your voice traffic on the same network as your data traffic, it's exposed to confidentiality risks not seen on a traditional voice network. Now, if your security controls aren't up to par, any computer on your network has the potential to become an eavesdropping device. For that reason, not only should VoIP traffic be placed on a separate VLAN, but you also need to consider the security of the VLANs themselves. Read Combining 802.1x and VLANs for advice on implementing VLAN segregation, or check out Popular VLAN attacks and how to avoid them for tips on securing your VLAN implementation.
Dig Deeper on Network Protocols and Security
Related Q&A from Mike Chapple
Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? ...continue reading
Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations ...continue reading
The FTC's order for PCI DSS compliance assessments is odd since PCI isn't a government regulation. Expert Mike Chapple explains the motivation ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.