We are planning a large scale VoIP deployment at our company and we are currently "negotiating" with the info security group over what security measures we need to put into place. They have read the Cisco "SAFE" white paper on IP Telephony deployments; it recommends applying ACLs to block traffic between the data VLANs and the voice VLANs. In a large deployment (over 1000 locations) this seems very impractical because to make a call from one location to another the traffic must pass over the "data" portion of the network. They want us to deploy ACLs at every location that only allow traffic out of the voice VLANs onto the data network if it is going to another voice VLAN (to prevent DoS, hacking of the voice traffic, etc.). With a few sites this would be manageable, but in large deployments this would be a management nightmare! (Every time you add another voice location you would need to update the ACLs at every existing voice location.) My question is: what is everyone else out there doing? We have excellent security practices and policies in place, IDS, virus protection software on every computer, and I think the risk is small. The last time we had a virus outbreak was 3 years ago and it was a very limited outbreak. (The only systems infected were those that were found not to have had virus protection software installed, about 1% of the computers. This has subsequently been corrected.) The virus was detected very early by the IDSs and was eradicated in a few days. What are other companies out there doing in large scale VoIP deployments? Thanks!
Scott
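The management problem described in the post comes from writing the voice-to-voice permit as one entry per remote site. The following added example (not from the original post or from Cisco's paper) models the two ways of writing that ACL and evaluates sample packets against them. The addressing plan is a constructed assumption: every site's voice VLAN is a /24 carved from one voice supernet and its data VLAN a /24 from a separate data supernet, which is what lets a single permit to the voice supernet replace the per-site list and stop changing as sites are added.

```python
import ipaddress

# Constructed addressing plan (an assumption, not from the original post):
# each site's voice VLAN is a /24 inside one voice supernet, each data VLAN
# a /24 inside a separate data supernet, so the voice space summarizes.
VOICE_SUPERNET = ipaddress.ip_network("10.200.0.0/14")  # room for 1024 voice /24s
DATA_SUPERNET = ipaddress.ip_network("10.0.0.0/14")     # room for 1024 data /24s
ANY = ipaddress.ip_network("0.0.0.0/0")


def voice_subnet(site):
    """Voice /24 for site number `site` (0-based) within the voice supernet."""
    base = int(VOICE_SUPERNET.network_address) + site * 256
    return ipaddress.ip_network((base, 24))


def data_subnet(site):
    """Data /24 for site number `site` (0-based) within the data supernet."""
    base = int(DATA_SUPERNET.network_address) + site * 256
    return ipaddress.ip_network((base, 24))


def per_site_acl(site, known_sites):
    """Outbound ACL on a site's voice VLAN written the unsummarized way:
    one permit per *other* known voice VLAN, then deny everything else.
    Its length grows with the site count, and every site's copy must be
    edited each time a new voice location is added."""
    rules = [("permit", voice_subnet(site), voice_subnet(other))
             for other in known_sites if other != site]
    rules.append(("deny", voice_subnet(site), ANY))
    return rules


def summarized_acl(site):
    """The same policy with the voice space summarized: one permit to the
    whole voice supernet, then deny. It never changes when sites are added,
    because new voice VLANs are allocated from inside the supernet."""
    return [
        ("permit", voice_subnet(site), VOICE_SUPERNET),
        ("deny", voice_subnet(site), ANY),
    ]


def evaluate(acl, src, dst):
    """First-match evaluation, as a router ACL does. True means permitted;
    a packet matching no entry hits the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


if __name__ == "__main__":
    # Constructed sample traffic: a phone at site 0 calling a phone at
    # site 999 (a location added after the ACL was written) and the same
    # phone trying to reach a PC on a data VLAN.
    phone_site0 = "10.200.0.10"
    phone_site999 = str(voice_subnet(999).network_address + 10)
    pc_site5 = str(data_subnet(5).network_address + 20)

    old_style = per_site_acl(0, range(500))   # written when only 500 sites existed
    new_style = summarized_acl(0)
    print("per-site ACL entries:", len(old_style))
    print("summarized ACL entries:", len(new_style))
    print("site0 -> site999 voice, per-site ACL:", evaluate(old_style, phone_site0, phone_site999))
    print("site0 -> site999 voice, summarized ACL:", evaluate(new_style, phone_site0, phone_site999))
    print("site0 voice -> site5 data, summarized ACL:", evaluate(new_style, phone_site0, pc_site5))
```

The summarized form still blocks voice-to-data traffic, which is the control the security group is asking for, but the entry count stays at two per site regardless of how many locations exist, and a newly added site is reachable without touching any existing ACL. A production ACL would usually add protocol and port qualifiers on top of the address match; this example deliberately keeps only the address logic that drives the management burden.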