VLAN security question

Doug Lee dgl at dlee.org
Sun Nov 20 17:40:48 GMT 2005


I set up a FreeBSD box to be firewall/NAT/mailserver/etc. for a
company, but that company subsequently went to a VoIP system,
installed a Cisco switch, programmed the switch to route Internet
traffic through the BSD box as before but also to route telephone
traffic NOT through it, then set things up so that the workstations in
the building are plugged into the phones (which have little hubs in
them).  Internet traffic is now on a VLAN, and telephone traffic is on
a different VLAN.  Running tcpdump on a workstation indicates that
VLAN traffic can be seen there (sensible because the phones contain
hubs, not switches).  Tcpdump also shows that people on the Internet
can send packets onto the telephone VLAN (i.e., random packets from
the world can reach the phones and the workstations on that VLAN).
The packets I'm seeing with tcpdump are still encapsulated.

Question:  Is this a security problem?  For example, can a packet be
crafted out there to show up non-encapsulated and on the workstation
network, thus circumventing my FreeBSD firewall?

Up to now, I've been assuming that this network is as secure as the
phones themselves, meaning that if someone can hack a telephone and
make it do things on the network, we have a problem, but otherwise we
don't.  That prospect also bothers me but is probably outside the
scope of my question. :-)


-- 
Doug Lee                 dgl at dlee.org        
SSB + BART Group         doug at bartsite.com   http://www.bartsite.com
"Determine that the thing can and shall be done, and then...find
the way." - Abraham Lincoln


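One way to turn the tcpdump observation above into a repeatable check is to decode the 802.1Q tags on frames captured at a workstation port and list every VLAN ID that shows up there. The following is an added example, not code from the original post or from FreeBSD; the VLAN numbers (10 for data, 20 for voice) and the sample frames are constructed here for illustration.

```python
import struct
from collections import Counter

ETHERTYPE_8021Q = 0x8100   # single 802.1Q tag
ETHERTYPE_8021AD = 0x88A8  # 802.1ad (QinQ) outer tag; handled so stacked tags are not missed


def parse_vlan_tags(frame: bytes):
    """Return ([vlan_ids...], inner_ethertype) for one raw Ethernet frame.

    Walks through any number of stacked 802.1Q/802.1ad tags after the
    destination/source MACs; an untagged frame yields an empty list.
    """
    offset = 12  # skip dst MAC (6) + src MAC (6)
    vids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated Ethernet header or VLAN tag")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            return vids, ethertype
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)  # PCP(3) DEI(1) VID(12)
        offset += 2
        vids.append(tci & 0x0FFF)


def audit_capture(frames, expected_vids):
    """Tally the tag stacks seen on a port; report any VLAN ID outside expected_vids.

    Untagged frames are counted under the key None and are never 'unexpected'
    here, since an access port legitimately carries its own VLAN untagged.
    """
    seen = Counter()
    for frame in frames:
        vids, _ = parse_vlan_tags(frame)
        seen[tuple(vids) if vids else None] += 1
    unexpected = {k for k in seen if k is not None and any(v not in expected_vids for v in k)}
    return seen, unexpected


def constructed_frame(vids, inner_ethertype=0x0800):
    """Test fixture only: build an in-memory frame with the given tag stack (PCP/DEI = 0)."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # made-up addresses
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, v) for v in vids)
    return macs + tags + struct.pack("!H", inner_ethertype) + b"\x45" + b"\x00" * 19


# Constructed sample capture: one untagged frame, one on the data VLAN,
# two on the voice VLAN, and one double-tagged frame.
SAMPLE_FRAMES = [constructed_frame([]), constructed_frame([10]), constructed_frame([20]),
                 constructed_frame([20]), constructed_frame([10, 20])]
```

Run against a real capture, feed `audit_capture` the raw frames from a pcap and the set of VLAN IDs the workstation port is supposed to carry; any voice-VLAN tags or stacked tags it reports are frames the phone's hub is passing through to the PC.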