November, 2008

Verizon Provides Ground Rules for Successful UC

In the world of IT it seems like it is often too easy to throw things together. New technologies are bought and implemented. Integrating them with existing hardware and software is an exercise in duct tape and shoe horns that happens after the initial rollout. Security is something that is tacked on months, or even years later, immediately following a major security event and executive management questioning the judgment of having left the system insecure for so long.

Given all of that, it is nice to see an organization stop and take a look at how you might approach a UC project if you wanted to get it right. Because, while it may *seem* easy at the time to just stick things together with chewing gum and determination, and you may realize some short term benefit from being on the bleeding edge of using some cool new technology, it will eventually come back to haunt you. It may be months, or it may be years, but an IT network, more specifically a UC implementation, will eventually start to crash and burn and show its ill-fated lack of planning.

To help organizations get it right the first time, Verizon has developed a set of guidelines or best practices to use when approaching a UC deployment project. Here are the major steps to their plan:

1. Invest in advanced IP networks
2. Inventory technology and personnel resources
3. Align technology with business objectives
4. Establish a benchmark for success
5. Create a comprehensive roadmap
6. Maximize impact of UC&C on business processes
7. Tackle security at the onset
8. Determine capabilities for ongoing management
9. Develop support systems and processes
10. Train and educate end users
11. Measure and modify

Security Concerns of UC Networks

When voice was just voice, it did not pose a security risk to the data network…at least not directly. It could be argued that there is still potential to exploit the voice network for social engineering purposes that result in a compromised data network, but that is a semi-convoluted argument and not really the point of this post.

With VoIP alone, standard best practices suggest keeping the voice VLAN and the data VLAN separate so that a compromise of the voice network would not have any effect on the data network. However, we live in a converged world. Unified communications merges voice and data and requires that they all play nice on the same network. Where does that leave us? That leaves us with some new security concerns to be aware of and guard against.

This post from Nortel’s Voice Security Blog, in conjunction with Sipera Systems Chief Marketing Officer, Eric Winsborrow, provides some additional detail and illustrates some potential scenarios that could exploit a vulnerable VoIP system and lead to a compromise of the UC or data network.

Beware Extension ‘9011′

If you have ever used a corporate phone system, you are probably familiar with the concept of dialing ‘9′ to get an outside line. That allows employees to simply dial extensions to communicate internally, but still use the normal plain old telephone system for placing calls outside of the company. Typically you dial ‘9′ which results in a second dial tone and then you can dial the phone number like usual.

One of the most low-tech forms of attack on a voice system is for an outside caller to ask to be transferred to extension ‘9011′. The ‘9′ initiates the outside line dial tone, and the ‘011′ is the code to initiate an international direct dial phone call. Transferring a caller to extension ‘9011′ enables that caller to place international phone calls that end up being charged to the company because they originate from your phone system. It doesn’t happen often, but it is low-tech enough that it still happens on occasion. Make sure your users, particularly receptionists or customer service representatives that answer incoming calls frequently, are aware of this toll fraud scam and are educated to never transfer anyone to extension ‘9011′.

Connecting Cisco to Microsoft OCS

According to a recent Gartner Magic Quadrant report for Unified Communications, Microsoft, Cisco, and Nortel are the industry leaders in terms of both innovation and the ability to actually deliver that innovation to customers. Nortel and Microsoft have an intimate partnership through their ICA (Innovative Communications Alliance) relationship with Microsoft, and they work very closely together to ensure seamless interoperability of their unified communications products.

Cisco is another story. At one point Microsoft and Cisco made a very public showing of burying the proverbial hatchet and vowing to cooperate in the best interests of corporate customers and unified communications in general. That cooperation lasted right up until they started rolling out products at which time the mud-slinging began. Each declared their approach and solution superior and slammed the other.

Whether they want to admit it or not though, they are sort of forced to play nicely together (sort of like the nerd and the playground bully while the teacher is actually monitoring recess activities). Cisco is a dominant player in network infrastructure and VoIP communications. Microsoft has a virtual monopoly on the PC desktop and a significant share of the enterprise server market. There is a high probability that a prospective customer is already using Cisco networking in conjunction with  their Microsoft Windows network, so that prospective customer may very well wish to continue that balance as they move forward into unified communications.

Thankfully for the prospective customer, Cisco Unified Communications Manager (CUCM) does integrate with the Microsoft Office Communications Server environment. It isn’t always pretty, but it works. Mike Stacy, a Director with Evangelyze Communications, provides an illustrated step-by-step guide to configuring direct SIP connectivity between the Cisco and Microsoft communications products.

Evangelyze Communications SmartChat

Recently at VoiceCon Evangelyze Communications announced their SmartVoIP solution which enables customers to bridge Microsoft Office Communications Server and Microsoft’s small and medium business phone system, Response Point, to deliver unified communications to remote or branch office locations. Following on the heels of that release, Evangelyze Communications is also offering SmartChat.

Mike Stacy, a Director with Evangelyze Communications, explains in his blog what separates SmartChat from other live chat type applets found on web sites. “In addition to simple chat, SmartChat has capabilities for reporting on the browser history (”I see you were looking at sweaters on our website”), enabling co-browsing (automatically navigating the web visitor’s browser), integrating with Microsoft CRM, and adding audio/video or desktop sharing to the conversation.  Best of all, you don’t need any additional software on either side of the conversation.  Flash is required for audio/video, but most people on the web already have this anyway.”

In Stacy’s blog, he also mentions that Microsoft is conducting a case study based on SmartChat and the ability to tap into the Microsoft Office Communications Server in new and innovative ways that extend its unified communications capabilities.

Comodo Offers 3-year Certificates for Microsoft UC

While it is possible to build a Microsoft unified communications infrastructure using only private certificates generated internally, it greatly handicaps the effectiveness of the UC environment. In order to communicate with devices connected outside of the network- including laptops of employees in hotels or coffee shops, or mobile phones, as well as the ability to connect with vendors, customers, or partners- a 3rd-party trusted certificate is necessary.

Certificates are sold with expiration dates and must be renewed, which adds some administrative overhead. Someone has to track and monitor certificate expirations and make sure new certificates are purchase so that the unified communications network does not experience an interruption as a result of an expired certificate. Comodo has rolled out a new offering with a 3-year expiration that is also customized to deliver security benefits customized to the Microsoft Unified Communications environment.

According to this article, Comodo’s Microsoft UC certificates “enable administrative flexibility to secure client-server and server-server communications while supporting multiple Exchange and Office Communications 2007 services (e.g. Outlook Web Access, SMTP-TLS, Auto-Discovery, ActiveSync and Outlook Anywhere) - all with a single UC Certificate.”

UCSniff Brings Vulnerability Scanning to VoIP

Sipera Viper Labs has developed a new VoIP security tool called UCSniff. UCSniff monitors VoIP communications and identifies weaknesses or holes in VoIP security which could potentially be exploited by an attacker. As this Dark Reading article points out, the tool will not identify whether an attack has occurred, or if there are any active exploits. It is a penetration testing and vulnerability scanning tool which will help VoIP and security administrators proactively scan their VoIP networks to verify integrity or identify areas that need to be secured.

VoIPshield Finds Flaws With Microsoft UC

VoIPshield, a VoIP security solutions company based in Ottawa, Canada, recently discovered vulnerabilities affecting the RTP (Real-time Transport Protocol), a standard data format used for delivery of audio and instant messaging packets over the Internet. Microsoft Office Communications Server 2007, Microsoft Office Communicator, and Microsoft Windows Live Messenger.

This excerpt from the VoIPshield press release explains the issue further:  “Most of the attention in enterprise VoIP/UC security has been paid to the control channel, where SIP and other signalling protocols are used,” said Ken Kousky, CEO of security research and analysis firm IP3 and advisor to the VoIP Lab at Illinois Institute of Technology. “Until now, the media stream has been largely ignored by the security community as a source of malicious activity.  But attacks from these vectors have the potential to be dangerously persistent and widespread.”

There are an estimated 250 million computers running at least one of these applications. If exploited, the discovered vulnerabilities could result in a DoS (denial-of-service) attack that impacts not just the affected application, but the entire computer system. VoIPshield’s research and disclosure are specific to the Microsoft products mentioned, but they note that these same protocols are used elsewhere and that other VoIP and communications applications are likely impacted by similar vulnerabilities in the media delivery channel.

Evangelyze Communications Announces SmartVoIP

Many companies are exploring and implementing unified communications. One problem that has faced certain industries though is how to deal with scattered branch offices. Industries like banking, insurance, investing, real estate, and more often have a central headquarters, and several remote branch locations. With no way to bridge the unified communications solution from the headquarters to the branch, the branch offices generally fend for themselves and implement separate communications systems. That leads to a variety of issues related to administration, compliance, costs, etc.

Now there is a simple, cost-effective solution. At VoiceCon 2008 in San Francisco this week, Evangelyze Communications unveiled their new offering- SmartVoIP. Joe Schurman, Founder and CEO of Evangelyze Communications, introduced the solution which integrates Microsoft’s Response Point communications system for small and medium businesses with the more robust Office Communications Server and enterprise class unified communications.

“We are incredibly proud of this achievement and the opportunity that this solution brings to organizations with remote and branch office communications needs. Through the power of VoIP and using our joint collaborative integration service, we are now able to connect offices globally in a scalable manner, leveraging our innovative services and Quintum’s breadth of scalable gateway devices. As a Microsoft Gold Certified Partner who has achieved the Unified Communications competency Voice specialization, our customers are assured they are hiring a qualified vendor to deploy Microsoft’s latest unified communications voice technologies,” said Schurman.

SaaS Meets Unified Communications

What’s better than purchasing, deploying, configuring, administering and maintaining the various hardware and software components of a complete unified communications solution? Well, when I put it like that, what isn’t better?? It sounds like a lot of effort and not much fun. The return is good though assuming that users are provided with the knowledge and skills to realize the improved efficiency and productivity possible…but I digress.

What’s better than doing it all yourself? Letting someone else do it. For certain applications and for certain types of organizations, software-as-a-service (SaaS) makes tremendous sense. The SaaS vendor takes on the hardware expense. The SaaS vendor manages deployment, configuration, administration and maintenance. The expert administrator is paid by the SaaS vendor. The SaaS vendor stays on top of cutting edge technology and ensures that the solution is patched and updated as needed. All you have to do is pay the SaaS vendor and enjoy using your unified communications tools.

Unified Communications is a booming business. But, so is SaaS. According to an article on TMCNet regarding the market for UC via SaaS, “the Radicati Group predicts that yearly sales will rise from today’s $6.9 billion dollars up to $28.7 billion dollars.” If that estimate is correct, companies that provide unified communications solutions should explore delivering via the SaaS model, and companies looking to invest in unified communications might want to take a hard look at the SaaS option.