macVoIP.com
the web home of Ted Wallingford
Cisco Versus the World
Succeeding with Cisco IP Telephony
from a Customer's Perspective

© Ted Wallingford 2003 - 2004

Table of Contents:

i. Background
1. Inability to perform overhead paging using Cisco SCCP phones.
2. Insecurity of Win32 platform on main Cisco softPBX imposes great overhead.
3. Meet-me paging applications are primitive.
4. Cisco's IP phones are too expensive.
5. Cisco's E911 responder servers add risk to a critical aspect of telephony.
6. The exclusively-distributed approach to telephony switching adds unnecessary failure points.
7. There's no program for 24x7 system monitoring provided by Cisco.
8. There's a huge feature gap between CallManager and CallManager Express, making large system design more difficult.
9. Cisco's legacy of non-support for 802.3af is hurting its customers in the long-term.
10. SIP endpoints can't be supported by the CallManager, making Cisco's softPBX a poor choice for service providers.
ii. Conclusion and Recommendations

2. Insecurity of Win32 platform on main softPBX imposes great overhead.
From a security standpoint, Windows is like Swiss cheese. In the last 24 months, the Computer Emergency Response Team at Carnegie Mellon University, also known as the ubiquitous “CERT”, issued 520 advisories citing software risks in Windows, and 320 advisories citing problems with Cisco IOS and CallManager. Compare that to 110 for Avaya and 170 for Nortel.

Most people are willing to experience some downtime in PC applications, but never in telephony applications. For this reason, I've recommended Avaya's softPBX chassis, the leanest, most tightly-integrated, and least-often-patched voice system (it uses Linux rather than Windows).

Cisco CallManager's security woes are intrinsic to the Windows OS, more than anything. When crackers write worms, Trojans, and viruses, what do they target? Windows. When they look for exploitable vulnerabilities, what do they target? Windows. Between open-source Linux and commercial Windows, which operating system usually identifies exploits and issues patches more slowly? Windows. Up until now, Cisco's response has been “use VLANs, use QoS switches, and monitor your CallManager; we'll even give you a free copy of Cisco Security Agent.”

Until Cisco ships CallManager for Unix or IOS, there will be no solution to this problem. I don't view Cisco's Security Agent as a real solution here because it requires a fair amount of expertise to configure, maintain, and understand. To me, CSA just adds more complexity to the setup. Cisco's other way of brushing aside the Windows instability objection is that they're using a “hardened” version of Windows, i.e. a version of Windows that has fewer services and drivers running, so it is, in theory, more stable. That doesn't console me much, as many of the nastiest exploits for Windows are kernel-targeted. Any experienced large data center manager will tell you that Windows just isn't suitable for real-time, 24x7 applications.

Windows can inadvertently allow garbled audio, loss of call management, or disconnection of phone calls, in the same way it lets applications slow down and become unresponsive on a desktop PC. That kind of process-scheduling breakdown happens all the time on Windows, and even though Cisco's build has fewer drivers and services loaded, it is no different in this respect. The fact is, even with all these precautions, Cisco phone systems HAVE been brought down by computer viruses. This risky prospect was one of the reasons that compelled Merrill Lynch to switch from Cisco/CallManager to Avaya's softPBX chassis.

Technology managers are naturally wary of this issue because if it ever happens in their organizations, they will have the responsibility of explaining why they allowed it to happen. Cisco has so thoroughly failed to address this issue that I would almost rather stick with a legacy phone system than have to worry about it.

Fortunately, VoIP advocates like myself have a better option: it's called Avaya.

Cisco's Response: Cisco cites the example of a Cisco customer whose phone systems have never, in all the time they have been running, been compromised by a virus or hacker. The customer they cite is Cisco Corp. itself, the world's largest user of Cisco IP Telephony. It's good to know that the manufacturer, which has the world's largest concentration of Cisco IP experts as well as the world's fastest access to bugfixes and security patches, can keep its phone system running uncompromised. Where does that leave us mere mortals?