Network security is a slippery thing. Securing voice on a network just adds to the complication. No one can answer your question with a "yes" or a "no" because the answer is: "it depends". It depends on how well you have handled your layered security model, such as physical access to the network switches, routers, servers, etc. Do you have appropriate facility restrictions in place? If not, then your security model is suspect. Have you logically separated voice and data? Sounds like you have, which is good. Have you taken measures to avoid MAC address spoofing? Have you avoided VLAN sprawl by either limiting VLANs to individual access switches/stacks/closets or, even better, running layer 3 to the access layer? Trunking VLANs and RSPAN can be an annoying fact of life.
So, you logically separated voice and data. Have you employed network-based ACLs or firewall filters to protect voice from data? Are you running soft phones? If so, have you looked at UC proxy and/or Trusted Relay Point?
Does your Call Manager (or CME or whatever) have one administrator password that more than one person knows? Do you have password policies on your admin IDs? Do you leverage authorization controls? Do you apply authentication/authorization policies to routers, switches, and voice gateways (using something like TACACS or RADIUS)?
Do you have accounting policies and audit policies in place so that all of the authentication, authorization, configuration best practices remain relevant?
Security needs to be done at all layers of your network. If you have control over all aspects of the network, configurations, policies, enforcement, etc., then you are probably A-OK. If not, then there could be a hole somewhere. Remember, you aren't just watching for a guy in a black overcoat.
Also, do a Google search for "VLAN hopping on Cisco switches and phones". You should make sure you are not vulnerable to that common method of gaining access to the voice VLAN and therefore being able to potentially intercept and record voice streams.
-- please remember to rate and mark answered helpful posts --