Firewall Configuration

golfnut (Guru, joined Sep 19, 2010, 80 messages, reaction score 1)
I am hoping to get approval to install a new system in our office and will install it on its own subnet. I would prefer to isolate this subnet from the main LAN for security purposes. I know I need to allow access through the firewall for the PIAF (both ways) but will I also need to allow access for each phone? I think that if I use DHCP my phones will get their time from PIAF and not have to use NTP, which as far as I know is the only reason they would need to access the internet.

Am I approaching this correctly?
 

blanchae (Guru, joined Mar 12, 2008, 1,910 messages, reaction score 9)
These are just questions for clarification:

1. I take it that the "new system" is referring to PiaF?
2. Are you planning on putting a firewall between the main LAN and the new subnet?
3. Are all the phones going to be on the new subnet or on the main subnet?
4. You can point the phone's time to your PiaF box and they will get the time that way. Then point the PiaF box to a time server.
5. You haven't mentioned what model of phones you will be using.
6. If you have your router open from the main LAN to point to PiaF then that's all you need to do. The phones on the main LAN will register with PiaF.
 

golfnut (Guru, joined Sep 19, 2010, 80 messages, reaction score 1)
Sonicwall Pro 2040

Wow! Thanks for the fast reply!

Yes, the new system will be PIAF and I plan to use Yealink phones that will be on the new "voice" subnet. I actually do not have to install a new firewall as the Sonicwall Pro 2040 I have can handle an additional subnet. Basically, I want to deny all traffic in or out of the subnet unless it is destined for or originating from the PIAF. I may also have a few softphones on workstations on the main LAN.
 

Linetux (Guru, joined Oct 5, 2008, 541 messages, reaction score 1)
If you're not doing any kind of external communications (SIP trunks, etc.) all you should need is http from your workstation subnet to the PIAF box for users to listen to voicemail or change settings.

You'll probably want ssh from 'admin' workstations as well.

That's usually all I ever open up.
 

golfnut (Guru, joined Sep 19, 2010, 80 messages, reaction score 1)
I will probably be doing some outbound SIP trunking (or IAX2) and will also have two remote servers connected to the box via IAX2 trunks. My biggest reason for needing to do this is that our internal policies do not allow DHCP to be run on our local LAN (an extra layer of security....frustration). If I run DHCP on the PIAF then I want to make it so that someone cannot just unplug a phone, plug in their laptop or wireless AP, and gain access to our entire network.
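The rule set the thread converges on (deny everything across the voice/LAN boundary except traffic to or from the PIAF box, http from the workstation subnet, ssh from admin workstations, and the PIAF box's own NTP and SIP/IAX2 trunk traffic going out) can be written down as an ordered first-match policy and checked against sample traffic. The following is an added example, not configuration from any poster or from the SonicWall; the subnets, host addresses, the 10000-20000 RTP range and the port numbers are assumptions chosen for the illustration, and intra-subnet traffic (a phone asking the PIAF box for time) is reported separately because it never crosses the inter-subnet firewall.

```python
"""Default-deny policy for an isolated voice subnet, modelled after the thread.

Constructed example: addressing and ports are assumptions, not the poster's setup.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# --- Constructed addressing (assumed for this example) ---
MAIN_LAN = ip_network("192.168.1.0/24")     # existing office LAN
VOICE_LAN = ip_network("192.168.50.0/24")   # new isolated "voice" subnet
PIAF = ip_network("192.168.50.10/32")       # the PIAF box, the only exposed host
ADMIN_WS = ip_network("192.168.1.20/32")    # an 'admin' workstation
ANY = ip_network("0.0.0.0/0")

# Asterisk's default RTP media range; assumed here for the softphone rule.
RTP_RANGE = (10000, 20000)


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dports: Tuple[Tuple[int, int], ...]   # inclusive (low, high) port ranges

    def matches(self, f: Flow) -> bool:
        return (f.src in self.src and f.dst in self.dst and f.proto == self.proto
                and any(lo <= f.dport <= hi for lo, hi in self.dports))


def port(p: int) -> Tuple[Tuple[int, int], ...]:
    return ((p, p),)


# Ordered allow list; a flow that matches nothing is dropped (default deny).
POLICY: List[Rule] = [
    # http from the workstation subnet to PIAF (voicemail, user settings)
    Rule("lan-web-to-piaf", MAIN_LAN, PIAF, "tcp", port(80)),
    # ssh only from admin workstations
    Rule("admin-ssh-to-piaf", ADMIN_WS, PIAF, "tcp", port(22)),
    # softphones on the main LAN register with PIAF: SIP signalling plus RTP media
    Rule("lan-softphone-sip", MAIN_LAN, PIAF, "udp", port(5060)),
    Rule("lan-softphone-rtp", MAIN_LAN, PIAF, "udp", (RTP_RANGE,)),
    # only the PIAF box may leave the voice subnet: NTP, SIP trunks, IAX2 trunks
    Rule("piaf-ntp-out", PIAF, ANY, "udp", port(123)),
    Rule("piaf-sip-trunk-out", PIAF, ANY, "udp", port(5060)),
    Rule("piaf-iax2-trunk-out", PIAF, ANY, "udp", port(4569)),
]


def evaluate(f: Flow, policy: Iterable[Rule] = POLICY) -> str:
    """Return the first matching allow rule's name, or 'deny'.

    Traffic that stays inside one subnet (phones talking to PIAF) never
    reaches the inter-subnet firewall and is reported as 'not-filtered'.
    """
    for net in (MAIN_LAN, VOICE_LAN):
        if f.src in net and f.dst in net:
            return "not-filtered"
    for rule in policy:
        if rule.matches(f):
            return rule.name
    return "deny"


def flow(src: str, dst: str, proto: str, dport: int) -> Flow:
    return Flow(ip_address(src), ip_address(dst), proto, dport)


# Constructed sample traffic covering the cases raised in the thread.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "user listens to voicemail": flow("192.168.1.50", "192.168.50.10", "tcp", 80),
    "user tries ssh to PIAF": flow("192.168.1.50", "192.168.50.10", "tcp", 22),
    "admin ssh to PIAF": flow("192.168.1.20", "192.168.50.10", "tcp", 22),
    "PIAF syncs time upstream": flow("192.168.50.10", "203.0.113.5", "udp", 123),
    "phone asks PIAF for time": flow("192.168.50.101", "192.168.50.10", "udp", 123),
    "phone tries upstream NTP": flow("192.168.50.101", "203.0.113.5", "udp", 123),
    "laptop on voice port -> fileserver": flow("192.168.50.200", "192.168.1.10", "tcp", 445),
    "PIAF IAX2 trunk to remote server": flow("192.168.50.10", "198.51.100.7", "udp", 4569),
}


def decisions() -> Dict[str, str]:
    return {label: evaluate(f) for label, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, verdict in decisions().items():
        print(f"{label:36} -> {verdict}")
```

The "laptop on voice port -> fileserver" case is the one golfnut is worried about: a device that obtains a voice-subnet address (by DHCP or statically) still matches no allow rule toward the main LAN, because every cross-subnet rule is keyed to the PIAF host rather than to the subnet. That addresses the firewall side only; as blanchae notes in the next post, keeping an unauthorised device off the voice subnet in the first place is a switch port-security matter.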
 

blanchae (Guru, joined Mar 12, 2008, 1,910 messages, reaction score 9)
If I run DHCP on the PIAF then I want to make it so that someone cannot just unplug a phone, plug in their laptop or wireless AP, and gain access to our entire network.

All someone would have to do is apply a static IP address that matches the subnet to their laptop and plug in. No security there... DHCP won't matter. The only way to have the security that you are wanting is to have it at the Data Link layer (see, the OSI model is good for something after all) and map MAC addresses to port security at the switch. Close all unused ports except for the ones that the phones and PiaF are connected to on the new subnet.
 

golfnut (Guru, joined Sep 19, 2010, 80 messages, reaction score 1)
No argument there, but it does require the malicious user to gain additional information about the network before gaining connectivity.

Now that I know I only need to expose the PIAF server, I will lock down the subnet regardless of whether I use DHCP.
 
