I work in a multi-customer environment and we provide a centralized / shared Cisco IPT solution for some of our customers.
We need to keep each customer separate such that Customer A doesn't know about Customer B even if they happen to call each other through our IPT solution. We have CM partitioned properly and that's all well and good, but I have a couple of questions regarding general network security.
At sites that have a significant amount of users, we create a separate voice VLAN and on our central router have an access-list that allows the voice VLAN access to any other internal network for UDP ports 16384-32767. This seems to be a good solution because the only devices on the Voice VLAN are the phones, so that's OK. Switch ports are set to trunk dynamic-desirable with voice vlan defined etc.
There are a couple of locations that only have 1-2 users where we have not implemented a separate voice VLAN for them, just basic QoS. We previously had a very broad and insecure access-list for sites like this that was defined as such:
access-list 106 permit udp 10.0.0.0 0.255.255.255 any range 16384 32767
Basically, this allows any PC at that location to reach ANY other site, including other customer sites, on those ports. Not a good idea. We just implemented a DHCP reservation system for these locations that involves setting a reservation for the phone in a certain range of IPs, and only allowing that range of IPs access, like this:
access-list 103 permit udp 10.0.0.222 0.255.255.1 any range 16384 32767
This allows 10.x.x.222 or 10.x.x.223 access to the network on that port range.
Better than it was, but still I wonder... How can we make this more secure without a ton of overhead associated with keeping a ton of specific access-lists on our router?
We also have a number of remote VPN locations that terminate on our central firewall that use our IPT solution as well. These are currently implemented with an ASA5505 or PIX501 at the remote site and the VPN terminates on our ASA5520. These are either EasyVPN or L2L VPNs. For these sites, I placed a filter on the VPN allowing only access to the entire 10's network for those UDP ports. This goes back to my first point: ANY PC on those remote VPN networks can get to ANY other network on those UDP ports... The ASAs / PIXs can't do DHCP reservations, nor can I forward DHCP across the VPN tunnel to a central DHCP server, so I can't use the same scheme as what we're doing with our IOS routers at our datacenter.
Any thoughts on how we can tighten up the security?
Router Platforms: 7206
Firewalls: ASA5520 (Hub) 7.2(4), Remotes: ASA 5505 7.2(4) or PIX501 6.3(5)
Using all Cisco IP phones.
Thanks in advance!
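One way to see exactly what each of those wildcard masks permits, as an added example that is not part of the original post: a small Python evaluator for IOS-style extended ACL lines (first match wins, implicit deny at the end) run against a few constructed flows and a whole site /24. The two access-list lines are the ones quoted above; the site prefix 10.1.1.0/24, the phone at .222/.223, the PC at .50, the destination 10.2.2.50 and the RTP port 20000 are all assumed for illustration.

```python
"""Evaluate Cisco IOS-style extended ACL lines against sample UDP flows.

Constructed example: the two ACL lines are the ones from the post; the
site, hosts and ports below are made up to show what each line matches.
"""
import ipaddress

# Exactly the two lines from the post.
ACL_BROAD = ["access-list 106 permit udp 10.0.0.0 0.255.255.255 any range 16384 32767"]
ACL_RESERVED = ["access-list 103 permit udp 10.0.0.222 0.255.255.1 any range 16384 32767"]


def _ip(s):
    """Dotted quad (address or wildcard mask) -> 32-bit int."""
    return int(ipaddress.IPv4Address(s))


def _wildcard_match(ip, base, wildcard):
    """IOS wildcard semantics: a 1 bit means 'don't care'; every 0 bit must agree."""
    return (ip ^ base) & (~wildcard & 0xFFFFFFFF) == 0


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (predicate, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        base = _ip(tokens[i + 1])
        return (lambda ip: ip == base), i + 2
    base, wc = _ip(tokens[i]), _ip(tokens[i + 1])
    return (lambda ip: _wildcard_match(ip, base, wc)), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq N' | 'range A B' qualifier; return (predicate, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = int(tokens[i + 1])
        return (lambda port: port == p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
        return (lambda port: lo <= port <= hi), i + 3
    return (lambda port: True), i


def parse_ace(line):
    """access-list <num> <permit|deny> <proto> <src> [sport] <dst> [dport]"""
    t = line.split()
    assert t[0] == "access-list", line
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def evaluate(acl_lines, flow):
    """flow = (proto, src_ip, src_port, dst_ip, dst_port). First matching ACE wins, else deny."""
    proto, sip, sp, dip, dp = flow
    sip, dip = _ip(sip), _ip(dip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in (proto, "ip"):
            continue
        if ace["src"](sip) and ace["sport"](sp) and ace["dst"](dip) and ace["dport"](dp):
            return ace["action"]
    return "deny"


def permitted_sources(acl_lines, prefix, dst_ip, dst_port, proto="udp"):
    """Every address in `prefix` that the ACL lets reach dst_ip:dst_port (exposure count).

    The ACL has no notion of network/broadcast addresses, so a /24 yields up to 256 hits."""
    return [str(ip) for ip in ipaddress.ip_network(prefix)
            if evaluate(acl_lines, (proto, str(ip), 40000, dst_ip, dst_port)) == "permit"]


if __name__ == "__main__":
    flows = {  # constructed sample flows: a phone, its DHCP neighbour, a PC, a non-RTP port
        "phone .222 RTP": ("udp", "10.1.1.222", 20000, "10.2.2.50", 20000),
        "phone .223 RTP": ("udp", "10.1.1.223", 20000, "10.2.2.50", 20000),
        "PC .50 RTP":     ("udp", "10.1.1.50", 20000, "10.2.2.50", 20000),
        "PC .50 port 40000": ("udp", "10.1.1.50", 40000, "10.2.2.50", 40000),
    }
    for name, flow in flows.items():
        print(f"{name:20} broad={evaluate(ACL_BROAD, flow):6} reserved={evaluate(ACL_RESERVED, flow)}")
    print("hosts in 10.1.1.0/24 able to reach 10.2.2.50:20000 ->",
          len(permitted_sources(ACL_BROAD, "10.1.1.0/24", "10.2.2.50", 20000)), "(broad) vs",
          len(permitted_sources(ACL_RESERVED, "10.1.1.0/24", "10.2.2.50", 20000)), "(reserved)")
```

The exposure count is the useful number for the question asked: the broad line lets every address in a site /24 reach every other site on the RTP range, while the reservation line narrows that to the two addresses .222 and .223 (the wildcard 0.255.255.1 leaves only the last bit of the fourth octet as "don't care"). The same evaluator can be pointed at any other line you are considering before it goes on the router.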