We are looking at implementing a PCI call recording solution based on Layer 3 edge switches, IP (Avaya) phones, and SPAN aggregation of ports to a call recorder situated behind an ASA5510-SSM10 unit.
I have attached the current design spec which has a few issues.
Primarily, the aggregated SPAN from the IP phones completely bypasses the ASA unit.
If anyone could help on the following it would be appreciated.
1) I would prefer a solution that does not bypass the ASA unit. The only option I see here is to push the aggregated SPAN link traffic (H323) through a separate context on the ASA unit.
I am unsure how to permit SPAN traffic to flow through the ASA and whether there are any related issues in doing this. Possibly an ether-type access-list?
2) If the solution is not workable (through the ASA), then how secure are SPAN links? We need to ensure that the solution is PCI compliant, and this may be seen as a backdoor to the secure call recording servers.
Any advice or help on this would be appreciated.