LesD
I intend installing an external SIP-based device built especially as a door entry phone.
Internally it has an RJ45 socket into which goes a standard network cable.
So basically I will have a connection point to my internal network out in the street.
I would appreciate some guidance and suggestions as to securing the system.
As far as I can see I have at least two potential security issues.
First, someone can connect a regular SIP phone to the network. To protect against that I obviously need to have strong passwords on all extensions. It would also help to have DHCP turned off, though that may be somewhat inconvenient.
Secondly, someone could connect a laptop to the cable and have physical access to my whole network.
Obviously, securing all devices on the network with strong passwords is a must, but I wonder what I can do to lock things down even further.
I have thought of creating a VLAN for all PIAF related devices but I see two problems with that.
a. PIAF itself runs as a VM running on the main office server which has to be accessible to all computers on the network. Which means, I think, that the PIAF VM won't be able to talk to the phones! Rather unfortunate!
b. Network access to PIAF and the phones would not be possible from a general PC on the network.
A theoretical solution comes to mind but I can't get my head round how to implement it.
Rather than connecting the phone as a 'local' device, it should be connected as if it is an 'external' connection so that it can be firewalled. That way we could limit the connection to a specific IP and specific ports.
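The "treat the door phone as external" idea from the post, sketched as an nftables ruleset for a Linux firewall that has one port dedicated to the outdoor cable. This is an added example, not part of the original post. Assumptions: the interface name `eth2`, all three addresses (constructed), and SIP on UDP 5060 with RTP on UDP 10000-20000 (the usual Asterisk defaults; adjust to the PBX's actual settings).

```nftables
# Assumed values, not from the post: replace with your own.
define DOOR_IF = "eth2"          # firewall port wired to the street-side cable
define DOOR_IP = 192.168.50.10   # static address of the door phone (no DHCP on this port)
define PBX_IP  = 192.168.1.20    # address of the PBX VM on the office LAN

table inet doorphone {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replies belonging to flows that were allowed below.
        ct state established,related accept

        # Door phone -> PBX: SIP signalling and RTP media only.
        iifname $DOOR_IF ip saddr $DOOR_IP ip daddr $PBX_IP udp dport 5060 accept
        iifname $DOOR_IF ip saddr $DOOR_IP ip daddr $PBX_IP udp dport 10000-20000 accept

        # Anything else arriving on the outdoor port (other source address,
        # other destination, TCP, IPv6, ...) is logged and dropped.
        iifname $DOOR_IF log prefix "doorphone-drop: " drop

        # PBX -> door phone: UDP only, because the phone's own RTP port
        # range is device-specific. No other LAN host may reach the port.
        oifname $DOOR_IF ip saddr $PBX_IP ip daddr $DOOR_IP ip protocol udp accept
        oifname $DOOR_IF drop
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # The firewall itself offers nothing (DHCP, DNS, SSH, web UI)
        # to whatever is plugged into the outdoor port.
        iifname $DOOR_IF drop
    }
}
```

A device that takes over the phone's address can still send SIP and RTP to the PBX, so the strong extension passwords mentioned in the post remain necessary. Check the file with `nft -c -f <file>` before loading it.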