Where's the Firewall?
Don’t give "chance" the opportunity to erode your ROI, and instead, apply attention to small details that do matter.
August 14, 2014
We recently embarked on another installation, and we asked the customer, "Where is your firewall?" His reply was that his "IT contractor" assured him that it is onsite and that ports will be open to designated IP addresses for traffic to and from the provider.
We successfully installed the SIP gateway and used a temporary DID number to test traffic in both directions without any issues. Still, we wanted to "see" the firewall, because our site survey revealed no firewall onsite. Perhaps it was hosted and our apprehension was misguided. We ran port scans and found the site closed, in fact in "stealth" mode, but that gut feeling of concern just wouldn't go away.
Next we wanted to deploy a client-agent app so that we could remotely monitor, troubleshoot and program the UC server, to avoid truck rolls and wasted time. We asked the IT contractor to set up a VPN so we could maintain the site. This time there was no reply, so after a week or so we called the customer to inquire about the request we had all initially agreed upon. The next day the customer called to say that the firewall doesn't support VPN.
We agreed to meet with his contractor the next day. During the meeting, after we asked several questions about the firewall, the contractor grew annoyed or seemingly uncomfortable and said, "Let me show you the firewall."
The access point/router with limited firewall capabilities is a retail product; is it really meant for "the particular purpose" of supporting a converged network? Realistically, it is not, and this is the very point of contention that many small businesses will need to come to terms with.
Going back to securing the SIP traffic: restricting it to and from the provider's specific IP ranges never happened. The ports are open, but the rules say nothing about to whom they are open. The reality is that it works, but not securely. Not having remote support is another setback. Are these minor issues that could lead to costly maintenance down the road?
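As an added example, not code from the original article, here is what "to whom are they open" looks like as a check on a rule set. The script takes a gateway's inbound allow rules and the SIP provider's published source ranges (both constructed placeholders here, using documentation address space), flags any SIP rule whose source is "any" or is wider than the provider's ranges, rewrites the offending rules as one rule per provider range, and renders the result in nftables syntax so it can be compared against what the box actually has.

```python
"""Audit a SIP gateway's inbound allow-list for SIP ports open to any source.

Added example for this article. PROVIDER_RANGES and WEAK_RULES are constructed
placeholders (RFC 5737 documentation space), not a real carrier's addresses.
"""
import ipaddress

# SIP signalling ports: 5060 for UDP/TCP, 5061 for SIP over TLS.
SIP_PORTS = {5060, 5061}

# Constructed: the address ranges the provider says its SIP traffic comes from.
PROVIDER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
]

# Constructed: inbound rules in the shape a small router's UI exports them.
# "any" is how the retail box described in the article leaves the source field.
WEAK_RULES = [
    {"proto": "udp", "port": 5060, "src": "any"},
    {"proto": "tcp", "port": 5060, "src": "any"},
    {"proto": "tcp", "port": 5061, "src": "198.51.100.0/24"},  # already scoped
]


def _src_network(src):
    """Parse a rule's source field; 'any' means no source restriction."""
    return None if src == "any" else ipaddress.ip_network(src, strict=False)


def rule_is_scoped_to_provider(rule, provider_ranges):
    """True when the rule's source lies entirely within one provider range."""
    net = _src_network(rule["src"])
    if net is None:
        return False
    return any(net.version == p.version and net.subnet_of(p) for p in provider_ranges)


def audit_rules(rules, provider_ranges):
    """Return one finding per SIP rule whose source is wider than the provider."""
    findings = []
    for r in rules:
        if r["port"] in SIP_PORTS and not rule_is_scoped_to_provider(r, provider_ranges):
            findings.append(
                f"{r['proto']}/{r['port']} open to {r['src']}; limit to "
                + ", ".join(str(p) for p in provider_ranges)
            )
    return findings


def scope_rules_to_provider(rules, provider_ranges):
    """Replace each over-broad SIP rule with one rule per provider range."""
    fixed = []
    for r in rules:
        if r["port"] in SIP_PORTS and not rule_is_scoped_to_provider(r, provider_ranges):
            fixed.extend({**r, "src": str(p)} for p in provider_ranges)
        else:
            fixed.append(r)
    return fixed


def render_nft(rules):
    """Render rules as nftables accept statements for an inbound chain."""
    lines = []
    for r in rules:
        match = "" if r["src"] == "any" else f"ip saddr {r['src']} "
        lines.append(f"{match}{r['proto']} dport {r['port']} accept")
    return lines


if __name__ == "__main__":
    for finding in audit_rules(WEAK_RULES, PROVIDER_RANGES):
        print("FINDING:", finding)
    print("Corrected rule set:")
    for line in render_nft(scope_rules_to_provider(WEAK_RULES, PROVIDER_RANGES)):
        print("  ", line)
```

The audit only covers signalling; the same source scoping applies to the RTP media port range the provider uses, and the corrected rules still need a default drop behind them.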
These concerns don't justify a hosted PBX solution; instead, they nullify the benefits of a hosted solution or any solution. Reliable infrastructure is what will determine the outcome of any solution customers adopt. The solution is only as good as the infrastructure supporting it. That is why hosted providers have churn rates that are unacceptable to companies that focus on premises-based solutions, and why customers are quick to abandon IP/SIP/VoIP: they've heard of bad experiences from other businesses and employees.
The basic minimalist approach to infrastructure includes: wiring, grounding, power, circuit and power protection, switching, firewall and desktop security, backup and restoration, heating/cooling, lighting and space, housekeeping and documentation.
While there is a firewall on this customer site, there isn't adequate support behind or in front of the customer to properly maintain the site without truck rolls, and the gaping hole in security still exists: traffic on port 5060 is open to exploitation. Don't give "chance" the opportunity to erode your ROI, and instead, apply attention to small details that do matter.
Matt Brunk, @telecomworx