atcomsystems.ca/forum Forums VOIP Phones & IP PBX VoIP & Cloud Phones, Hosted PBX, General IP Phones All IP Phone Systems

"If the customer is going to limit the movement of VoIP sets due to local 911 laws, then they've lost the one thing that VoIP could do that digital couldn't!!"

This is a fact of life in Illinois. Besides, every digital/IP system we sell allows for set relocation with one important difference...security. Even with 911 notification, digital systems do this as well, you do not meet the criteria in Illinois for the 911 laws as it has to do with the notification to the 911 center.

posted March 31, 2008 11:31 AM
--------------------------------------------------------------------------------
Just my not really worth two cents.

I have done analog systems, electronic, key, PBX, hybrid key/pbx, IP, hybrid IP/digital, etc., etc., etc.

Change is the only constant!

The market is currently not dominated by IP, or even digital.

When you look at the most implemented, and in use system you are looking the Avay/ATT/???Partner system last time I did research. If you look at the second most, it is probably another manufacturers system of the same type as the partner system. I see 15 year old partners in janitor wash rooms next to the mop sink, and the water heater with a musty dusty smell as soon as you open the door. They have been there for 15 years, and will probably be there another 5, which is true for proably most of the type(Partner system type including their competitors) they have about a 15 year life span. Until half of these systems are replaced there is no IP domination of the market, and will not be.
Even with the marketing focus on IP it will take a decade before half the phone systems in the field will even begin to approach being hybrid, let alone full IP. Even consdiering that most PBX's installed in the last 5 years are hybrids as they allow some, or full IP functionality.

Now is marketing dominated by hybrids, yes it is, but that is not the same as the market sector being hybrid.

For the end user who posted.

If you are not going to converge your data, and voice (Share cable runs, swithches, and do VLANS). Then you are missing the biggest savings available to you in regard to a converged telephony platform. That savings is that you no longer need to have any internal voice cabling infrastructure of any kind.

With a hybrid system which is what almost all systems are since they almost all offer an analog station port they are a hybrid, not full IP you can use the same network cable for station ports of any kind. That goes for analog station(fax), digital (re-use your exisitng phones in most cases saving money), IP hard phones, IP soft phones, Convergerged IP hard phones(use same network cable/switch/switch port as the PC per station), Converged IP soft phones(uses same same cable/switch/switch port as the PC per station). While the hybrids(since there are no full IP systems, correct me please) can share the same cable in a converged network (saving wiring infrastructure costs), non-converged networks can not share the same cable thus not saving any wiring infrastructure costs, and increasing the number of data switches required to service the voice, and data. Digital phones reduce the number of data switch ports require by the number of digital phones used, and can translate to less data switches. Digital phones also do not then require VLANS, or VLAN security, VLAN foirewalling, etc. to maintain security on your data network due to the vulnerability inherant in VLANS, and IP phones accessing your network. You do have to make sure that you have security for your VOIP whether it is converged or not, and if nto encrypted can be very insecure within the network.

Look up voip hopper, or cane, and able, of other applications that can capture VOIP packets, and record them in WAV format. If you do not have acounted for VOIP security then go digital on a hybrid system, as it does not require these things. You can always do VOIP trunking for site to site P2P, and VOIP exts off site(VPN security).

As a follow up to this, I posted here hoping for general "all IP" comments, not necessarily ESI only, we're looking at multiple systems (shopping).

As far as security, using all switches, no internet connectivity (at least not exposed), would there be a worry about packet sniffing? My thought was someone could in theory get into the admin of an unsecured switch, turn on a monitor port on an unused jack, and use it to packet sniff one particular port, but they would really have to know what jack went to what port, etc.

The Mitel 3300 apparently has a "teleworker" option that acts as a proxy between the remote phones and the system, encrypting the data in between without the use of a VPN. I think ESI has a comparable function with their "remote" labeled phones.

As far as network management, I'm still curious to exactly what it takes to keep the VOIP network running when nothing would really change much other than moving a phone here or there. I do plan to have some interconnection, either through a router or using the built-in routing that my switches already have.

Yes, if someone could get that far, they could indeed sniff packets. Then again, I would presume there's little on your network that wouldn't be vulnerable to such a close-proximity attack.

Of course, making use of those packets would be another task entirely. Depending on the phone system, you've got quite a variety of encoding schemes and so forth to navigate before you could begin reassembling packets in order to try to make some sense of them.

As with all things related to network security, if your scenario includes unlimited space to gather data and unlimited time to process it.. sure, I'd concede a certain amount of vulnerability.

I wouldn't expect much at all to keep things running smoothly. As long as you've got connectivity and electricity, management is a breeze. And if you're serious about your shopping, give me a call and I'll bring over a Vertical Wave IP2500 and show you how it works. I'm just an hour up the road from you..

The security risk of recording your calls is more a matter of the fact that there is software which can just record if to WAV files on your network as long as it can find a way in. For intance, one trojan of this type, and all your calls are being recorded, unless your voip is encrypted. Also, many VOIP networks are succeptible to IP phone mimicking to gain access to your network, VOIP hopper is a software tool for exposing this type of security vulberability for VLANS. Firewalls are great tools between non-converged VOIP, and data networks to make sure one is not used to compromise the other. You are only as secure as your weakest link in the network, so secure that VOIP to secure that data.
Now is it really a huge risk, not my call, but it is a concern of some level, you determine the acceptable risk level on your network.

I assume no one is going to be doing VOIP without QOS.

I assume that last sentence is a non sequitur?

I understand the points you're making but in the scenario being discussed, the voice and data LANs are completely separate so VoIP Hopper would be of no use. Also, Cain & Abel supports a limited number of codecs so simply using a different codec would, I would think, render it useless as well.

As general practice, using a firewall or router as you suggested would indeed be a good idea for a number of reasons. Using port security on switches is equally important. However, there are a number of things an alert admin could keep an eye on.

Monitoring for unusually high traffic of ARP packets should give you an indication of if your ARP is being poisoned. Checking for NICs that are in promiscuous mode should alert you to the possibility of MAC spoofing. And on and on.. I'm no network security guru and I haven't subscribed to bugtraq in years, but even I am aware of many approaches to security which could greatly reduce exposure.

I guess this whole discussion should act as a reminder that with the move into VoIP, there are a lot of things to be considered that have previously been ignored in the telcom world.

The statement about QOS is really not a security issue.

If the VOIP LAN is going to be physicaly isolated from all elements of the Data network then you have VOIP network security concerns on the VOIP network only. However, remote worker IP phones, user CTI applications, data network access for administration of the phone systems, unified messaging, VM to EM, and other features may require the convergance of the two in some way eliminating the physical isolation of the VOIP system from data. This is not unmanagable, but requires management is all I am saying. Digital phones do not require this security on the LAN is the difference I was pointing out. I was in no way trying to be alarmist in a security sense.

Just that they need to be addressed by adding some perspective on the issues related to it.

isn't that what i said?

no, i hear ya... there are indeed a lot of things to take into consideration. it's worth noting that the security of digital phones came from obscurity, not design. all this push to get everyone's equipment to get along with everyone else's brings a shift to a level of standardization that will inevitably attract the attention of black hats.

That is true about digital phones. The only real security concern for these is the physical security of the wire path, as it has no network vulnerability, and most will not work if they are tapped in on before the phone, as most will only allow one endpoint(phone) on the port. they are essentially not suceptible to E-compromise.

In the end though, those external calls still have to go over lines, and even PRIs I've heard can be intercepted and recorded, especially since you can tap into either direction of it without necessarily loading it down to the point of failure.

It seems Mitel may have some voice encryption available on their system (even internally) - not entirely sure but I saw mention of it and people trying to record internal calls getting all static. Their teleworker system utilizes a proxy (prob a sip proxy) to talk to the external phones, so its encrypting the call between that point and the phone at least.

I do like the idea of using port security on the voice network side.