Senior Editor Tim Greene clarifies issues surrounding the evolving NAC security architecture.
VoIP presents its own set of NAC problems that can be overcome, but need to be up front in the minds of people making NAC decisions.
One difficulty VoIP presents to NAC is that VoIP phones don’t support NAC agents, permanent or dissolvable. That means limited testing of the devices.
Oftentimes VoIP phones are plugged into PCs that are plugged into switches, making it difficult to enforce NAC by simply shutting off a port. Shutting down the port to isolate the phone shuts down the PC and ignites unhappiness among users.
A PC spoofing a phone can let the operator of that PC run amok on the network if the device is unchecked.
There’s not much NAC can do about checking whether a VoIP phone is infected, so the best it can do is identify the device as a phone via a white list of MACs, IPs or a combination. If it flunks that test, it should be kept off the network altogether.
If it passes, then keeping an eye on what the device does once it is admitted becomes important. If it starts doing FTP downloads or pinging IP addresses at random, it’s probably not a phone and should be isolated. NAC products can do that.
NAC is also capable of limiting what resources a device can access, so VoIP phones can operate under policies that restrict their access to call servers, for instance. If a device that successfully spoofs being a phone sets off a denial-of-service attack, it’s not going to hit the rest of the network.
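The three controls described above (allowlist admission, post-admission behavior monitoring, and access restricted to call servers) can be sketched as follows. This is an added example, not code from the article or from any NAC product; the allowlist entries, call-server address, ping threshold and flow-record format are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (documentation MAC/IP ranges), not from the article.
PHONE_ALLOWLIST = {("00:00:5e:00:53:01", "192.0.2.11"),
                   ("00:00:5e:00:53:02", "192.0.2.12")}
CALL_SERVERS = {"198.51.100.5"}
PING_FANOUT_LIMIT = 3  # assumed: distinct ICMP targets tolerated per device

# Constructed flow records: (src_mac, src_ip, dst_ip, protocol, dst_port)
FLOWS = [
    ("00:00:5e:00:53:01", "192.0.2.11", "198.51.100.5", "udp", 5060),
    ("00:00:5e:00:53:02", "192.0.2.12", "198.51.100.5", "udp", 5060),
    ("00:00:5e:00:53:02", "192.0.2.12", "203.0.113.9", "tcp", 21),
    ("00:00:5e:00:53:99", "192.0.2.50", "198.51.100.5", "udp", 5060),
] + [("00:00:5e:00:53:02", "192.0.2.12", f"203.0.113.{n}", "icmp", 0)
     for n in range(20, 25)]


def forwarded(flow):
    """Access policy: an admitted phone may only reach the call servers."""
    mac, ip, dst, _proto, _port = flow
    return (mac, ip) in PHONE_ALLOWLIST and dst in CALL_SERVERS


def evaluate(flows):
    """Return {mac: (decision, reasons)} after admission and monitoring."""
    reasons = defaultdict(list)
    ping_targets = defaultdict(set)
    decisions = {}
    for mac, ip, dst, proto, port in flows:
        # Admission: a device that is not a known phone stays off the network.
        if (mac, ip) not in PHONE_ALLOWLIST:
            decisions[mac] = ("deny", ["not on phone allowlist"])
            continue
        decisions.setdefault(mac, ("allow", []))
        # Monitoring: FTP or pinging many hosts is not phone behavior.
        if proto == "tcp" and port == 21:
            reasons[mac].append(f"FTP to {dst}")
        if proto == "icmp":
            ping_targets[mac].add(dst)
            if len(ping_targets[mac]) == PING_FANOUT_LIMIT + 1:
                reasons[mac].append("ICMP to many distinct hosts")
        if reasons[mac]:
            decisions[mac] = ("isolate", list(reasons[mac]))
    return decisions


if __name__ == "__main__":
    for mac, (decision, why) in evaluate(FLOWS).items():
        print(mac, decision, "; ".join(why))
```

The second allowlisted device passes admission but is isolated once its traffic stops looking like a phone's, and `forwarded` shows that its FTP flow would never have left the call-server policy in the first place.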
For those who use VoIP and are considering NAC, quiz your vendors about how they handle IP phones.
Tim Greene is senior editor at Network World.
Comments (1)
It depends on the VOIP and NAC implementation
By toddhooper on October 9, 2008, 12:24 pm
Most of the implementations we've done at Napera have been aimed at specific parts of the network like wireless, guest areas, conference rooms and mobile sales teams....