September, 2008

Cisco Patches CUCM Security Flaw

Cisco is preparing to launch the next release of their Cisco Unified Communications Manager (CUCM) product - CUCM 7.0. But, last week they released an update for the current CUCM release. Actually, they released a total of 12 security updates or patches, but 11 of them deal with Cisco’s IOS and only 1 of them is related to CUCM.

The CUCM threats have been rated by Secunia as ‘moderately critical’. Vulnerable systems may be exposed to denial-of-service (DoS) attacks from a successful exploit. You can get more information from the Cisco Security Advisory and download the appropriate updates directly from Cisco.

What’s Next From Microsoft UC?

Microsoft is working on the next major release of Office Communications Server 2007. The new version, Microsoft OCS 2007 R2, is in a tightly controlled Beta test version currently. Microsoft is working closely with partners to incorporate needed functionality and work out the bugs. Gurdeep Singh Pall, Microsoft Vice President of the Unified Communications Group, has started to drop some hints about what to expect:

“In addition, customers should look for more focus on mobility, spanning mobile messaging and mobile telephony. They should also expect to see more comprehensive conferencing solutions than before and the ability to extend OCS telephony beyond remote and mobile workers. “

In the All About Microsoft column on ZDNet, Mary-Jo Foley talks about the upcoming OCS 2007 R2, as well as some hints at what might be coming for Microsoft’s hosted service, as well as some significant updates for how Microsoft UC works with mobile phone, codenamed ‘Rouge’.

Shore Up Security With ShoreTel

It is an unfortunate truth in IT that hot new technologies tend to be embraced and adopted long before the concept of ’security’ enters the picture. Things are improving, but in general security is often an afterthought. VoIP was no different. As vendors pushed the idea of leveraging the existing IP data network for voice communications, and customers bought the idea that they could both save money, add features, and work more effectively, VoIP took off. Well after the fact the realization hit that voice communications were now residing on that same data network that is impacted by viruses, worms, denial-of-service (DoS) attacks and more. Communications that used to be completely separate might now be sniffed or intercepted on the network.

VoIP security is emerging as one of the next hot technologies (logical- as all of the VoIP adopters now need to protect their communications investments). ShoreTel, one of the bigger players in the IP PBX and VoIP arena, has introduced new products that incorporate a host of security features. The ShoreTel 8.0 software is pre-configured with many of the security features enabled. The remaining security functions can be turned on with a simple checkbox in the software.

Remember ROI?

Ah, the ‘Good Ole Days’. Remember when business decisions and investments could be made based on ROI (return on investment). If a business invests $1 million in new manufacturing equipment that helps them produce higher quality widgets faster, thereby increasing output and bringing in $200,000 a month more in revenue, then the investment pays for itself in 5 months and after that its all gravy. Simple enough.

The problem is that many of the business decisions and investments on the table these days do not fit into ROI calculations. Investing in network security does not generate revenue. It just (hopefully) protects you from losing money. Investing in process automation does not generate revenue. It (hopefully) makes processes more efficient resulting in cost savings per process execution which reflects back to the bottom line. Unified communications is sort of in the same boat.

In and of itself, UC won’t generally make money. What it will (hopefully) do if implemented properly is allow employees to work more efficiently and be more productive. It will allow employees to collaborate more effectively and help to generate team synergy where it wasn’t possible before. It will enable the business to respond to market pressures and customer needs more agilely. UC is a tremendous investment, but companies need to understand the big picture and both implement and use the tools effectively. Oh, and don’t try to justify the investment with a straight ROI measurement. Your CFO probably won’t cut a check based on that argument.

Free VoIP Security Tools from SecureLogix

SecureLogix has released a suite of VoIP security assessment tools that are available as a free download from their web site (SecureLogix.com).  The tools can help analyze the security of your VoIP network and determine whether it is susceptible to attacks such as Denial-of-Service (DoS), Man-in-the-Middle, eavesdropping, call teardown and more.

Pretty much since companies have been making the switch from traditional switched POTS (plain old telephone system) networks to VoIP, SecureLogix has been around to help secure communications. SecureLogix provides tools and services to analyze and protect both traditional and VoIP networks, and they are in the fairly unique position to assure security of both as organizations transition.

Mark Collier, SecureLogix CTO and VP of Engineering, is also known for having been co-author of McGraw-Hill’s Hacking VoIP Exposed, a part of the hugely successful Hacking Exposed series. The book contained some earlier versions of te tools released by SecureLogix. Collier maintains a blog called VoIP Security Blog.

Video Conference Via SmartPhone

Throw away your excuses. You won’t be missing any more meetings. As long as you have your mobile phone, you will only be a click away. CallWave is rolling out the Beta version of FUZE which, according to a Network World article, “delivers high-definition synchronized video, document collaboration and audioconferencing from any Web browser-, 3G- or Wi-Fi-enabled device.”

That sounds pretty impressive. What is more impressive is that CallWave has also integrated this application with Microsoft Office Communications Server (OCS) 2007, enabling expanded unified communications functionality including the ability to invite / add users to a meeting with a simple click of the mouse. FUZE also works with the Cisco Unified Communication Manager (CUCM) IP PBX. In addition, CallWave has announced imminent support for the Apple iPhone, as well as support coming soon for Avaya, Mitel, Nortel, and other IP PBX platforms.

Risk of RTP ‘Monoculture’

One of the issues or stumbling blocks facing organizations as they adopt unified communications is the interoperability (or lack thereof) between systems. A company would like to know that the platform they invest in will be able to integrate, or at least cooperate with, disparate platforms being used by vendors, customers, or future merger and acquisition targets.

In the world of VoIP (Voice over IP), there is a more or less agreed upon standard in RTP (Real-Time Transport Protocol). That is great for universal interoperability, but some have suggested that it may also pose a security risk for VoIP networks. The potential ‘monoculture’ of RTP could mean that any successful exploit against the protocol could cripple not one VoIP platform, but all VoIP platforms simultaneously.

I do agree that organizations need to be concerned with VoIP and unified communications security, but I believe that the ‘RTP monoculture’ issue is primarily FUD being used to sell VoIP security solutions from the vendors claiming the sky is falling. The thing is that monoculture is largely a myth. The ‘Microsoft monoculture’ was just anti-Microsoft FUD.

Each organization has different perimeter security, different products and applications inside the network, different security policies and controls across their environments. Yes, they may all use RTP, but everything else about their network and VoIP configuration is unique to each organization. Hopefully, if they have done their homework and put the right kinds of security controls in place, an RTP exploit that impacts one company won’t necessarily impact them.

RIM Introduces Blackberry Support for OCS 2007

I give credit to Palm for bringing the concept of the personal digital assistant (PDA) to the masses. Research in Motion (RIM) however introduced the revolution of integrating the PDA functionality with a mobile phone which can almost be said to be the beginning of unified communications. Well, unified communications evolved and moved on, but the Blackberry did not simply fade into the shadows. Many companies and government agencies are heavily invested in Blackberry communications technology, and as they adopt unified communicatons solutions they need their Blackberry infrastructure to integrate with the tools they use. RIM is continuing to support that need by introducing tools to enable Blackberry devices to integrate with Microsoft’s Office Communication Server 2007. The new capabilities allow the Blackberry to take advantage of a variety of the presence and unified communications functions.

Cisco Reversing Course?

As unified communications entered into the mainstream consciousness, a few major players emerged. Two of them were Cisco and Microsoft. They have very different visions for what unified communications means and very different approaches to get their customers there.

At one point, they actually called a cease fire of sorts and agreed to cooperate in the interest of the greater good. That amiable agreement was quickly tossed aside though once they started rolling out products and one-upping each other about which is the right way to do it.

Now Gurdeep Singh Pall, the head of Microsoft’s Unified Communications team, offers up some insights in a recent blog post. He claims that Cisco has now seen the error of their ways and that they are shifting gears and reversing course to try and play catch-up with Microsoft’s Unified Communications platform. Recent purchases, like the announcement that Cisco is buying Jabber, seem to support this change of strategy and direction on the part of Cisco.

Cisco Buys Jabber

With the speed of computers and networks today, email is virtually instant. But, many corporations consider instant messaging to be a valuable complement to email communications and a vital component of efficient communications. When 10 seconds is just too long to wait for an email to be delivered, you can rely on instant messaging to get your message there even faster.

When instant messaging first emerged, it was primarily consumer oriented and handicapped by its own proprietary nature. AOL users could only communicate with AOL users. ICQ users could only communicate with ICQ users. Etc. Jabber came onto the scene as one of the first products to legitimize instant messaging for corporate use. Jabber enabled companies to house the instant messaging server on the internal network where they could monitor, maintain, log, and secure the communications. It also provided cross-platform support, allowing users of Jabber to communicate with AOL, ICQ, Yahoo, and other instant messaging platforms.

I used Jabber at a former employer. It seemed like a solid and functional tool and I liked the ability to communicate with disparate instant messaging systems. Cisco apparently has seen the value in Jabber as well. They are purchasing the instant messaging company to add the functionality and capabilities to their line of unified communications products. You can learn more from this Information Week article.