Private data networks are increasingly used to carry telephone services alongside ordinary data traffic in corporate environments to replace dedicated PBX systems. The use of private data networks for telephony service is advantageous because, for example, the voice system is more scalable and its management can be more efficient and centralised. In addition, only a single network infrastructure is required by both voice and data traffic. Voice telephony in private data network is usually carried by packetized voice data traffic and VoIP (Voice-over-Internet-Protocol) is the prevalent standard protocol, although the VoIP standard was originally developed for internet applications.
An exemplary conventional VoIP voice communication network built on an exemplary Local Area Network (LAN) is shown in FIG. 1. This conventional network comprises a Layer 2 LAN switch, a plurality of IP phone devices and an IP telephony server (ITS). Each IP phone device has a characteristic IP address IPFx and an internal phone extension number (for example, 101-104). The ITS is allocated an IP address (IPITS) and all the relevant network entities are connected to the LAN switch. Since all the entities are connected to the same data network, they are assigned IP addresses of the same IP subnet work. In this specification, the terms “client device”, “phone device” and “IP phone” are used interchangeable and have the same meaning unless the context otherwise requires.
In a conventional private VoIP system such as that described above, voice and data traffic communicable at all Layers is carried by a single physical network infrastructure. Malicious attacks on the data network (for example, due to hacking) may simultaneously bring down the voice network. This is clearly not acceptable. To mitigate the risks of damage to the voice telephony system due to malicious attack on the data network, it is desirable that the voice telephony network and the data network of a corporate is separated. With the segregation of the voice network from the data network, data traffic and voice traffic will be carried separately on their respective networks so that non-voice data in the data network will not be allowed to cross into the voice network. This segregation will result in the creation of a “trusted network” for carrying voice traffic and an “untrusted network” for carrying ordinary data or a mixture of voice and data. In the unfortunate event that the untrusted data network is paralyzed by hackers, the trusted voice network can still remain operational due to their segregation.
To take advantage of a single physical network infrastructure, a physical LAN may be logically segregated into a voice network and a data network. Logical network segregation of a LAN into voice and data sub-LANs may be achieved by using Virtual LAN (VLAN) topology or other appropriate techniques. A description of appropriate VLAN techniques can be found in, for example, “IEEE Standard for Information technology—Telecommunications and information exchange between systems—IEEE standard for local and metropolitan area networks—Common specifications—Part 3: Media access control (MAC) Bridges, ANSI/IEEE Std 802.1D, 1998 Edition”. This documentation is incorporated herein by reference.
In order to safeguard the integrity and security of a trusted voice network, each IP phone device has to be strictly authenticated before it is admitted into the trusted voice network. This initial admission authentication can follow known authentications methods such as those set out in IEEE standard 802.1X, which is incorporated herein by reference. Specifically, the IEEE 802.1X standard describes a standard method for port-based access of devices into a LAN and provides details on how a device can be granted admission into a LAN based on their network interface. The network interface of a network device is a physical interface commonly referred to as a port. U.S. Pat. No. 6,339,830 describes an admission authentication method which is a simplified variation of the 802.1X method. However, it is noted security afforded by initial admission authentication or like schemes are not adequate. Hence, it is desirable if means, methods and schemes for enhanced security of a trusted voice network can be provided.
Throughout this specification, the term “Layer” means and refers to a Layer as defined under the OSI (open system interconnection) protocol model, unless the context otherwise requires.