5.1.3 Emerging Security Standards
5.2 Utilizing VLANs
5.3 MAC Filtering and Authentication
5.4 Firewalls and Traffic Filtering
White Paper
Recognizing the need for stronger security standards, the IEEE is developing the 802.11i standard, which is expected to be ratified in late 2004. The 802.11i standard includes stronger encryption, key management, and authentication mechanisms. An interim solution endorsed by the
SpectraLink is committed to industry standards and will implement the 802.11i security standard once it is ratified. Depending on the required components of this standard, an enhanced security method that is conducive to mobile voice requirements, like the Cisco FSR mechanism, may be required to provide the best voice quality.
Virtual LANs (VLANs) can be used to segregate traffic into different security classes. By placing data and voice on separate VLANs, data traffic can use the most robust, but process-intensive, security methods without imposing them on voice traffic.
The 802.1Q standard establishes a method for inserting VLAN membership information into Ethernet frames via header information tags. NetLink infrastructure equipment and SpectraLink Voice Priority are not compatible with 802.1Q tags. The Ethernet switch must remove 802.1Q tags prior to forwarding packets destined for NetLink Telephony Gateways or a NetLink SVP Server. In other words, the Ethernet switch ports must not be configured as trunked ports.
Access points can be configured to filter certain MAC addresses, which can be used as a method of securing the wireless LAN. This approach generally works, but it does cause some performance issues on some APs.
A more robust method of using MAC addresses to secure the network utilizes authentication back to a RADIUS server. In general, the delays caused by this authentication are not acceptable for voice traffic. Having the RADIUS server on the local network will help reduce delays, but the response time of the server may still be an issue. Adding any network delays will compound the issue. Network administrators should evaluate whether such delays are great enough to affect the voice quality of NetLink Wireless Telephones.
The traffic filtering capabilities of firewalls, Ethernet switches, and wireless switches can be used as security methods by allowing only certain types of traffic to pass onto specific areas of the LAN. To properly provide access control, it is necessary to understand the kind of IP traffic utilized by the NetLink Wireless Telephones.
When using NetLink Telephony Gateways to interface to a traditional PBX, the NetLink Wireless Telephones utilize the SpectraLink Radio Protocol (ID 119). This protocol is on a peer level with TCP and UDP and does not use the ports that are unique to TCP and UDP.
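The following Python sketch is an added example, not part of the original white paper or any SpectraLink tooling. It audits captured Ethernet frames for the two conditions described above: an 802.1Q tag that the switch should have removed, and SpectraLink Radio Protocol traffic, which must be matched on the IPv4 protocol field (119) because it has no TCP or UDP ports. The function names and the sample frames (placeholder MAC addresses, documentation IP addresses, zero checksum) are constructed for illustration, and only Ethernet II with IPv4 is handled.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800
IPPROTO_SRP = 119        # SpectraLink Radio Protocol ("ID 119" in the text)

def classify_frame(frame: bytes) -> dict:
    """Report the VLAN ID (None if untagged) and IPv4 protocol number of a frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF          # low 12 bits of the tag are the VLAN ID
        offset = 18
    ip_proto = None
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < offset + 20:
            raise ValueError("truncated IPv4 header")
        ip_proto = frame[offset + 9]    # protocol field, byte 9 of the IPv4 header
    return {"vlan_id": vlan_id, "ip_proto": ip_proto}

def gateway_port_verdict(frame: bytes) -> str:
    """Label a frame seen on a port facing a NetLink gateway or SVP Server."""
    info = classify_frame(frame)
    if info["vlan_id"] is not None:
        return "tagged"                 # switch did not strip the 802.1Q tag
    if info["ip_proto"] == IPPROTO_SRP:
        return "srp"                    # matched by protocol number, not by port
    return "other"

def build_frame(ip_proto: int, vlan_id=None) -> bytes:
    """Constructed sample frame for the demo (not captured traffic)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if vlan_id is not None:
        eth += struct.pack("!HH", TPID_8021Q, vlan_id)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, ip_proto, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return eth + ip

if __name__ == "__main__":
    for label, f in [("untagged SRP", build_frame(119)),
                     ("SRP on VLAN 20", build_frame(119, vlan_id=20)),
                     ("untagged UDP", build_frame(17))]:
        print(label, "->", gateway_port_verdict(f))
```

A filter rule written only in terms of TCP or UDP ports would classify the first sample frame as "other", which is why access control for the gateway interface has to permit the protocol number itself.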
For an IP telephony server interface, the ports that are used depend on