Mac Address Filtering; Rogue Activity Detection; Isolation Practices; Layer 3 & 4 Filtering (Acl & Packet Inspection) - Alcatel-Lucent OmniPCX Enterprise R7.1 Manual

Voice over WLAN Mobile IP Touch Design Guide R2.0

2.3.3. MAC Address Filtering

MAC address filtering facilities are provided for within Alcatel-Lucent's OmniAccess product
platforms. Alcatel-Lucent strongly encourages the use of Local MAC address filter rules to help
ensure that only authorized wireless clients are permitted to join the VoWLAN network.
For more information on MAC address filtering, please refer to the Alcatel-Lucent VoWLAN
Engineering Reference.

2.3.4. Rogue Activity Detection

Rogue Access Points and Rogue Ad-Hoc Wi-Fi activity can seriously degrade VoWLAN voice quality
by wreaking havoc with carefully designed and implemented Radio Frequency coverage patterns.
For this reason, Alcatel-Lucent strongly recommends the use of the OmniAccess Wireless
Protection option to identify and eliminate these potential threats. The nominal cost of this
technology option provides an immense amount of investment protection, and the value of Rogue
Activity Detection can not be stressed enough.

2.3.5. Isolation Practices

Network segmentation is seen as a critical core component of any network security design.
Separating traffic by type and application scope allows for more sophisticated security
methodologies to be later implemented. VPN, Packet Inspection/Filtering, Access Control Lists,
and other security technologies generally rely on network segmentation in order to be most
effective.
For the above reasons, Alcatel-Lucent strongly suggests a Voice and non-Voice domain separation
on VoWLAN equipment. Sharing the VoWLAN environment with non-voice related elements is a
compromise in security that does not need to be made. For example at WLAN switch level
Alcatel-Lucent recommends to implement first a single Voice VLAN dedicated to Voice and a
Data VLAN dedicated to Wireless Data.
2.3.6. Layer 3 & 4 Filtering (ACL & Packet Inspection)
It is assumed that the VoWLAN environment will be hosted on a customer network which also
supports data networking environments. To assure privacy and system security, security controls
should be implemented at network routing points to restrict the ability of non-voice related
elements from gaining access to VoWLAN and OmniPCX Enterprise components. These security
controls can be delivered in the form of router or route-switch based Access Control Lists or via
dedicated Packet Filtering and Packet Inspection platforms.
Alcatel-Lucent's OmniAccess WLAN 43xx and 6xxx products incorporate integral Stateful
Inspection technology (SRP Protocol for VoWLAN). This allows for strong access control policies
and network protection.

2.3.7. Auxiliary Security Measures

In addition to the standard security mechanisms discussed above, some customers may desire to
implement specialized security measures that apply specifically to their environment. Use of
MAC address controls within the external TFTP server or DHCP server, as well as other application
security methods can be very advantageous. Alcatel-Lucent offers none of these server-based
features, but encourages customers to explore the security capabilities present in third-party
support hardware.
ESD/ Central Pre Sales / DF/ PH 21/45 January 2007 – Ed 01