Saturday, December 17, 2005

"Voice VLANs" - something else I just don't get

The voice VLAN recommendation has been around for a very long time. I understand the idea behind it, but never really bought into it then - and even less so now. But what do we continue to hear from the vendors, security 'specialists', and even NIST? "Separate your traffic" for better security. Well, I'm declaring shenanigans on that one right here ;)

"I don't want all the data hackers attacking my voice system, so I want them separated." Well, if that were truly the case, every application on your network had better have its own VLAN. I have visions of the people who make this recommendation as being the same ones who don't want your chocolate in their peanut butter or their corn touching their mashed potatoes (my brother was like this - had compartments in his stomach, ya know). I think someone started using voice VLANs to sell their gear - and everyone else had to follow suit or be considered less secure. We just keep echoing these things without really looking at their impact.

How in the world can you really separate voice and data on your network and still provide the functionality we all want and need? If you really want to integrate voice you must allow CTI-like functions to cross the boundary (SIP, XML, etc.). Management functions as well, I'll assume (SNMP, HTTP, SSH, etc.). And once you allow these kinds of things between the networks, ask yourself this question: what other traffic would a voice system even listen to? I know in the system we have built that the handsets and soft switches are hardened - listening only to pertinent traffic. But if that's all they are listening to, what is the value of ignoring it twice? All the things the system needs to do, and is then allowed by the firewalls or ACLs to do, are exactly the only things the system will listen to anyway. What value does the remaining firewalling provide? And at what cost?

I'm supposed to spend time and money to implement and maintain something that blocks traffic the voice system is going to ignore anyway. Does this make sense?
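The argument above stands or falls on one measurable fact: whether the voice hosts really listen to nothing beyond what the inter-VLAN ACL permits. Below is an added example, not code from the original post, that makes that check concrete. It takes a constructed data-to-voice permit list and a constructed set of listening services per phone (the kind of thing you would pull from netstat on the device or an nmap scan from the data VLAN) and reports what the ACL's implicit deny actually stops, plus which permit lines nothing on the host uses. The ACL entries, phone profiles and port choices are all hypothetical:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One permit line: protocol plus an inclusive port range."""
    proto: str
    low: int
    high: int

    def matches(self, proto: str, port: int) -> bool:
        return self.proto == proto and self.low <= port <= self.high


# Constructed data-VLAN -> voice-VLAN permit list (hypothetical, not from the post).
# Anything not listed hits the implicit deny at the end of the ACL.
DATA_TO_VOICE_ACL = [
    AclEntry("udp", 5060, 5060),    # SIP signalling
    AclEntry("udp", 16384, 32767),  # RTP media range
    AclEntry("tcp", 22, 22),        # SSH management
    AclEntry("udp", 161, 161),      # SNMP polling
    AclEntry("tcp", 443, 443),      # HTTPS for XML phone apps
]

# Constructed listening-service sets, (proto, port), as collected from the device.
HARDENED_PHONE = {("udp", 5060), ("udp", 16400), ("tcp", 22)}
# Same phone with management leftovers nobody turned off.
SLOPPY_PHONE = HARDENED_PHONE | {("tcp", 23), ("tcp", 80), ("udp", 69)}


def acl_contribution(acl, listening):
    """Split a host's listening services into those the ACL still lets the
    data VLAN reach and those only the ACL's implicit deny stops.
    The second set is the ACL's entire contribution for that host."""
    reachable = {svc for svc in listening if any(e.matches(*svc) for e in acl)}
    return reachable, listening - reachable


def unused_permits(acl, listening):
    """Permit lines no listening service uses: rules you maintain for
    traffic the host would drop on its own anyway."""
    return [e for e in acl if not any(e.matches(*svc) for svc in listening)]


if __name__ == "__main__":
    for name, phone in (("hardened", HARDENED_PHONE), ("sloppy", SLOPPY_PHONE)):
        reachable, stopped = acl_contribution(DATA_TO_VOICE_ACL, phone)
        print(f"{name}: reachable={sorted(reachable)} stopped={sorted(stopped)}")
    unused = unused_permits(DATA_TO_VOICE_ACL, HARDENED_PHONE)
    print("unused permits vs hardened phone:", [(e.proto, e.low, e.high) for e in unused])
```

For the hardened phone the "stopped" set comes back empty, which is exactly the post's point: the ACL blocks nothing the phone would have accepted. For the sloppy phone it catches telnet, HTTP and TFTP, which is the case the ACL advocates have in mind, and it is also the case that hardening and patch management are supposed to remove. Run it against real port data from your own handsets and servers and you have the answer for your network rather than the vendor's.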

Now, obviously there are some things you can do to protect a data center implementation of IP telephony servers - and I will concede that voice VLANs make that a bit easier. However, we already have certain protections for our data center applications - IDS and other things. Why, again, duplicate those efforts for voice? That is not convergence. If we want to consider voice just another application on the network - then treat it like one. A very important and sensitive one yes - but there are better ways to protect your system than the false security provided by voice VLANs.

And if you still want to use voice VLANs, tell me this: are you not going to allow softphones on your network? Ever? A softphone runs on a PC sitting in the data VLAN, so the moment you allow one, SIP and RTP from the data VLAN into the voice VLAN have to be permitted anyway.

Spend your time and effort on real security measures (hardening your systems, good patch management, etc.) and stop worrying about what vendors and NIST say about voice VLANs - I don't think they've thought it through.

Friday, December 16, 2005

I never 'got' Skype

The hoopla anyway.

Sure, it's a fine product - but jeesh, what mileage it's received in blogs and the press. Well beyond its value IMO. I always kinda thought of it as the Tucker - some great ideas, even industry influencing; but it was never going to be what the owners, and the press, thought.

Reason #1 I didn't drink the Kool-aid: It's still just voice. We've been talking over the Internet on our PCs for years now - sure, SkypeOut was new, but not revolutionary.

Reason #2 I didn't drink the Kool-aid: It's proprietary. Yes, they say that standards inhibit innovation - they innovate, then submit for standards approval later. OK, but I just saw it as yet another "whose IM do you have?" problem. Why re-create that mess? I'm on Yahoo, my buddy is on AOL and I have to jump through hoops to talk between them. It's a mess, and Skype was re-creating it all over again. Bah!

(Obviously VoIP peering could help solve this, but proceed to #3 on why that won't matter.)

Reason #3 I didn't drink the Kool-aid: It was irrelevant unless they made some real moves towards becoming a complete portal (same goes for Vonage, Lingo and others - more on this in a forthcoming post). Voice is going to be a service (already is?) integrated into your 'portal'. If I have all my contacts, calendar, email, and IM with Yahoo - why would I not use their voice as well? If you don't have a portal, you aren't a long-term player - period. Skype was not a portal; still isn't, but at least with eBay they could grow into one - if eBay 'gets it'.

So, people wrote way too much about it (and I'm adding to that now - shamefully enough), eBay paid way too much for it, and it will hardly be a footnote in the migration of voice to packet-based delivery. And if you look at #3 again - you'll see that I think Vonage and others will likely follow the same path into irrelevance (and yes, I'm a Lingo customer anyway - for now).

Thursday, December 15, 2005

My oldest best idea...

Well, not my oldest by any stretch - but most before this one smelled something rotten; perhaps this one does too ;)

While no longer revolutionary, it was a bit ahead of its time when I had it. I had neither the resources nor the cojones to get it done, but I am convinced it would have worked. After all, Moxi did, and my idea went much further. It was 2000 - I was 31, the bubble had decidedly burst (making any investment seeking difficult) and, again, I didn't have the cojones to leave my job and make a go of it, having no programming talent of my own (at least at this level). Again, think Moxi - and a whole lot more....

It was going to be your home's media center - Internet proxy/modem/router/switch/firewall/AP, DVR, a home 'portal' with applets, NAS for the home, 'smarthome' control, home security system, stereo system, answering machine, etc. - everything a geeky family would need, and in the future - ALL families. That was my plan anyway. I was not only looking to market it to cable/satellite companies, but also to housing contractors, and even to provide consumer availability. It was not just a set-top box (although that was to be an option) - it was infrastructure, destined for mounting next to your circuit box, wired throughout the house, and controlled via RF remotes, TVs, and network access. No more box-per-TV models: one box for the whole house, with all sorts of home control and media access - a selling point for contractors and housing developers, I thought (didn't turn out so easy, but...).

It all started when I was playing with some X10 protocol stuff and home controls. I saw all the uses (lighting, HVAC controls, home security system) and I just started thinking about what else a home system/server could, and should, do. Network connectivity for DSL, cable and whatever else came along. Secure the internal network with a firewall, provide Ethernet ports for home wiring, wireless AP, integrated UPS, and on and on. I envisioned several web terminals in the home and even mobile devices (wireless tablets, etc. - heck, the new Nokia 770 fits right into my plan).

Huge mirrored drives for storage that could withstand the failure of a device, a home filer for storage, a print server to share that printer, a web portal with applets for common household tasks and functions (a family calendar, budgeting and account tracking tools, recipe database, photo albums, provisioning for your security system, answering machine, etc.), and finally - a DVR. Admittedly I didn't get the DVR bug until I read about Steve Perlman looking at starting another set-top box company (turned out to be Moxi), but even so, I was integrating many more household functions into this. Looking at Linux and open source projects - the web portal and applets were there, the networking and firewall functions were very ready, there was some work to be done with X10 and security systems on Linux, but I thought I could handle that. The answering machine capability was there but not polished; I would need some help with that. But it was the DVR that had me stumped - I had no idea how to do TV. This was where I needed loads of help. Or counseling, as it turned out ;)

What I failed to see at the time was cable and satellite operators not being willing to use just any box - they wanted control. The idea of a contractor building this into the home, or a family purchasing one from Best Buy would likely not fly with them. A tough sell, and one I didn't have the confidence to pursue. I had no product, no contacts, and was too comfortable in my current job. It died in the idea stage - didn't even finish the business plan.


Refinements to the idea came about in 2001. With things moving to Internet portals it seemed somewhat unnecessary to have all the web apps on the home server. So, I thought, why not partner with Yahoo? Have my home server be a 'cache' (sync'd would be more accurate) of Yahoo data for the users in the home and extend applications that they did not provide. Same data - available at home, on the road (Yahoo), and even when you lose your Internet connection - a natural backup for basic data. Nowadays it would be good to have a more generic data sync process to integrate with Google, AOL, MSN, etc. as well. Think Intellisync, AvantGo, and more - it was there, ready to be used.


But it is sooo much easier to do today that I just cannot figure out what's stopping Moxi, TiVo, etc. from doing it. Or even a new company, or one not in that market right now (Cisco/Linksys, are you listening? Nokia, perhaps?).

Today we have CableCARDs, MythTV, Asterisk, more advanced web apps, better home controls and home security features. You can get most of this yourself now. Even today we have several devices doing these various things for us - DSL/cable modem, router/switch/AP, security panel, thermostat, lighting panel, answering machine, multiple PCs (where is that file?); ALL controlled separately and differently - nothing bringing them together. Heck, even multiple DVRs now too - which one has what show? With this system you would record something once, centrally, and just choose which TV to watch it on. You could do or change most anything without getting off the couch - beer runs and restroom breaks were still left as an exercise for the user :)

I still think it works, but have been wrong before...

From a fairway near you..... well, perhaps the rough

My first post is just a copy of my profile intro....

I've spent many years in the networking and computer industry, almost exclusively working for enterprises (financial services, manufacturing). This blog is the result of my vanity... I have this false impression of being smarter than the average bear on several topics and want to see if I can express these ideas... to see if others agree or can improve them, as well as establishing who else dislikes me (get in the back of the line, it's been forming for years now - pack a lunch).

My fear is that I may be unsuccessful in feeding my ego as a result of a mediocre talent for writing. I am confronting that fear now. Your feedback is welcome, even the bad stuff (if you enjoy being ignored).

Many of these posts are extremely latent - thoughts I've had in my head for years and never publicly posted. They will become more timely as I get the old ones off my chest. Also - don't expect lots of updates. This is a hobby, I have a real life (much to your surprise :-) and will only update as the mood or current events strike me.