Tim Greene's column on the relationship between NAC and VoIP and Alan Shimel's blog response both took a fairly narrow view of how NAC can help protect VoIP systems. The perspective in both cases is limited to a more admission-focused definition of NAC.
Tim talks about how endpoint scans could catch an infected system and in turn prevent that system from infecting the VoIP systems. Alan responds saying NAC really can't do much to help VoIP at all and saying so just adds to the over-hyping of NAC.
I disagree with both, because they've overlooked a key way that NAC can extend protection to VoIP systems. If by NAC one means not just admission control but also network access control, and if that access control can include policies that limit which devices can communicate with which other devices, then NAC can help substantially in protecting VoIP systems.
Think about a system that first is able to identify VoIP components - either via MAC address whitelisting or via reverse DNS lookup and using device names. Then think about policies that say VoIP phones can communicate only with the call manager and vice versa. You take just that simple combination and you've already got fairly robust protection right out of the gate. A desktop spewing a worm won't infect a VoIP phone or the call manager, whether or not an endpoint scan catches that worm, because that endpoint is not a device that's authorized to communicate with either the VoIP phones or the call manager. Similarly, a desktop trying to launch a DoS attack on the call manager will fail, because again, that's not a device that's allowed to send traffic to the call manager. Emerging SPIT (spam over IP telephony) attacks would also fail, since direct communications from VoIP phone to VoIP phone would also be against policy and therefore blocked.
Then imagine extending those controls with specific protocol support - so the policy would say that only the SIP, H.323, or Cisco Skinny protocols should ever emanate from a device known to be a VoIP phone. Same with a call manager. Now any data-based attack, from any device, will not be able to take down the call manager or the VoIP phones.
So really, NAC can do much more than just accidentally help protect VoIP systems. It's all in how you define it - and defined as network access control, with strong post-admission capabilities, NAC can get you there.
--Michelle McLean
mmclean-at-consentry-dot-com
Came here while researching about VoIP based attacks from the NW article. Nice post. Stopping VOIP traffic from non VOIP devices is a good method to avoid automated attacks from bots or SPIT. But in case of targeted attacks, how well would it hold up?
For example: How would one prevent a road warrior's laptop that has been loaded with a Soft Phone from attacking the server and the attack spreading from there? The road warrior connects over VPN to use the corporate voip service, and may end up running the attack that compromises the call manager and in turn other systems.
Thank you for your patience.
Posted by: SixTen Research | August 02, 2007 at 11:33 PM
This is an excellent topic. I really think that VoiP Services will replace most phone companies.
Posted by: Lawrence | February 05, 2008 at 07:39 PM