Realtime Interview with Jeff Hicks at NetIQ
If you're a member of the Realtime VoIP Community, you know from the logo you see here and there that NetIQ is our corporate sponsor. They've provided us a variety of white papers, and their generous support is greatly appreciated. In collaborating on the early development of the community and as part of my recent work writing an e-book on enterprise VoIP security, I've had the opportunity to speak with Jeff once or twice. Jeff and I share an overlapping set of interests around VoIP and network security, but we also share a focus from the business environment of the corporate network.
VoIP means many different things to different users. VoIP to the consumer often means Vonage or Skype. To the SMB market, VoIP might also imply Vonage or Skype, but it often includes something like the hot solutions from Asterisk. When you move into the large enterprise market, solutions often come from vendors like Cisco, Nortel or Avaya. Each market sector has real needs and a viable interest, but VoIP, as a term, can mean something very different to each.
I thought Jeff's viewpoint and some questions about the corporate focus and VoIP implementations would make for an interesting discussion. Read along and I'm sure you'll agree.
Jeff's Background
Jeff Hicks is a Principal Software Engineer/Architect at NetIQ Corporation. He led the development teams for the award-winning Chariot and Vivinet Assessor products. He has been active in the design and development of VoIP deployment, testing, and management solutions for the past several years. In earlier positions, Jeff helped develop innovative network communications software products at IBM. Jeff holds a master of engineering degree from North Carolina State University and a bachelor of science degree in computer engineering from Auburn University.
Jeff spoke on a panel about enterprise VoIP security at the recent IP Telephony Expo presented by TMCNet. Jeff was also recently interviewed by Dan York and Jonathan Zar on the Blue Box Podcast.
Ken: What area do you see as the largest pitfall for companies planning a VoIP implementation? Where do you see the single biggest problem in preparation?
Jeff: My view is that the planning phase and readiness assessment is a weak area. Weak really in several distinct ways.
The first has to do with how much time and effort gets put into a readiness assessment. It's always a challenge for users to allocate enough time and resources to do a comprehensive job of assessing the network. Then there’s the problem of “what should I do?” One of the things we tried to help define is what a comprehensive readiness assessment entails and identifying the major components of that. We’ve done this through research with numbers of customers and vendors and users of our products.
One of the things we’ve found is a weakness in the area of network inventory. A surprising number of companies really don’t know what they have. The area of network inventory is very important - to go out and discover the devices in your network and get a categorization of those devices... to see what you have. What kind of routers do you have? What kind of switches do you have? What kind of links are there between sites? Gathering that kind of information is the first step.
The second step is to do a configuration assessment. What we mean by that is looking at all these devices in your network. Now that you know where they are and what they are, look at their configuration to identify the status of each device. Is it a device that’s already been end-of-life’d by the vendor? That could be a problem. Maybe it’s an older device that’s no longer supported. These are the sorts of things you need to know. If you needed to upgrade a feature or do something with that device to support VoIP, that could pose a problem. Likewise, there’s functional support in the device. VoIP implementations have some new requirements on network devices. For example, switches that can support inline power are very important. You generally want to drive your phones from power over Ethernet in a VoIP environment. Knowing that your switch has the right kind of power supply and the right operating system to support that is very important. That's not a problem you want to discover after you've made investments in VoIP technology.
The third area is the utilization assessment. This involves looking at your network infrastructure from kind of a capacity perspective and taking a baseline. You want to see if network devices are already at maximum CPU utilization and memory utilization before even adding VoIP services. Also, after you add VoIP what does the baseline look like then? It’s important to do a before and after baseline for comparison. You really need to know your network.
Then finally, probably one of, if not the single most important areas is call quality. What’s the user experience going to be like? Are there any performance issues with any of the key performance metrics that can impair VoIP - like delay, lost packets or jitter? Knowing the user experience or call quality before you even put VoIP equipment on the network is very important. Once you put the VoIP equipment there and find a call quality problem, you’ve got a lot more to debug. You have to go through and determine where the problem is. Is it the phone? Is it the application? Is it the network? There are lots of areas to troubleshoot and the resolution can be very difficult. Doing a readiness assessment and determining what’s required before you even invest is very important.
Ken: There’s been quite a bit of press lately about the complexity or work involved in doing full readiness assessments. I think people often underestimate how important, and how time consuming it is to do them right. How do you sell people on the need to perform a thorough and comprehensive readiness assessment?
Jeff: This is an area we’re beginning to see some increased education around. We’re seeing a lot of the vendors starting to promote readiness assessment and encouraging their partners to perform these. It’s a potential problem area. If you think you can shortcut it or think you can get around it, then later on when you deploy the system, problems may be more difficult to resolve. You may encounter delays in your deployment because of upgrades you need or things you could have planned for in advance.
In looking at filling the need for comprehensive readiness assessment, one thing I’d like to point out is that tools are very important. I could not imagine performing an assessment manually, especially in a larger network where you’re talking about looking at hundreds or thousands of devices. Tools like NetIQ’s Vivinet Assessor can more than pay for itself in a single assessment because it automates the collection and recording for the assessment.
Jeff: From my perspective firewalls are a very important aspect of any kind of network security. Here at NetIQ we did a survey last year of a number of our VoIP customers and found that around 95% were using firewalls in their networks already as a security mechanism. So firewalls are out there being used to protect the perimeter. We know they can become a performance bottleneck or single point of failure without good network design. They can potentially cause performance issues and add that latency which is so critical to VoIP traffic. Due to the realtime characteristics of that VoIP traffic, it’s very sensitive to delay or jitter. Any network that is potentially adding delay or jitter (the variance of the arrival times) to those packets can be a detriment to call quality.
There are many different types of firewalls, like you mentioned, like proxy-based or stateful inspection. There’s kind of a whole class of firewalls that are VoIP-aware firewalls called Session Border Controllers or SBCs. These SBCs are really growing in value and features. You see a lot of startups and vendors entering this market with these devices that are capable of talking VoIP or being aware of the VoIP protocols.
The questions I’d be looking to address in a firewall and determining which type to use include things like can the stateful inspection firewall really look at the VoIP protocols? Can it effectively inspect the call setup protocols associated with VoIP flows and the associated data protocols like RTP that are tied to the data stream? Can it actually look at those or does it just pass those through? I don’t know about all firewalls. Some of the firewall vendors are starting to support those features better today.
Proxy firewalls always seem to need an add-on module to support a specific service type. I'd be concerned about the enhancement and availability to proxy for every protocol required in VoIP, especially as advances occur.
Those are the sorts of things I’d look at. I’d definitely take a look at Session Border Controllers. They’re being designed with VoIP in mind first rather than a traditional firewall that’s looking at the traditional data network protocols like TCP and UDP and is now being kind of retrofitted to support VoIP or to look at VoIP protocols.
Ken: NetIQ offers a pretty comprehensive set of tools for monitoring VoIP networks, call quality and for managing network security, but one of the hardest things to accomplish is balancing those against cost. What advice would you offer people trying to find that balance point between call quality and network security?
Jeff: I think the first step is understanding what your call quality is. Using management tools like we provide with NetIQ in the assessment phase you can understand your quality. And it’s very important in the "Day Two 24X7 monitoring phase" and beyond. Once you get VoIP set up and running you know what your users expect and what your network can deliver. Then as you add security features you have to continue to monitor call quality to measure the impact. If you’ve got a solution in place that’s looking at your call quality and you drop in a new firewall security measure, you should be able to readily see the impact of that change in the reporting aspect of your management system. That sort of analysis can be done as part of an assessment or as part of the 24X7 monitoring, or as part of both. It's an ongoing process of continually monitoring the network.
Integration of performance, availability and security information is very important as well. Typically you might have a performance system looking at performance data, including availability, and a security system looking at your security data. One of the things we do with NetIQ tools is that we integrate those together. Looking at all three metrics together (performance, availability, security) can help you assure the service that you’re providing. For example, as performance levels decline, you can see if there are security events going on that are related and causing the performance metric to decline. The integration of those traditional areas of network management is one of the things we’re looking at here at NetIQ. We believe it’s very important to find this balance point between good call quality and securing the service as well.
Holistic monitoring is crucial. You have to monitor your system every day. You’ve got new users, you’ve got changes, you’ve got new applications, new devices and all kinds of things going on. You have to have a good management strategy in place to support all that and also be able to continuously monitor your performance, availability and security at the same time.
Ken: Open source tools, specifically Asterisk lately, are gaining momentum in VoIP implementations. Do you see a place for open source solutions in the business market? And if so, where do you see them fitting best?
Jeff: I think Asterisk is very interesting and I think it is causing some stirring within the industry about how open source is going to impact the telecom industry, specifically the IP telephony industry. I think specifically for the small-medium business market that Asterisk has very strong appeal. The SMB market growth for VoIP has been exploding over the last year or so, with a need for VoIP services. With Asterisk there’s a couple of related things going on. One is the lowered barrier to entry for some of the service providers to provide VoIP. Asterisk can be cost effectively deployed on a very economical system. The other big factor is that they can take Asterisk and customize solutions for the SMBs. These two factors let VoIP service companies provide them with cheaper solutions that are more customized for their particular business than could be done with an off-the-shelf type IP PBX.
In the large enterprise space I think it’s going to be kind of a wait and see approach. I think a lot of large enterprises are probably not going to jump right away to bet their business-critical, mission-critical telephony on an open source product like Asterisk. The same argument could have been made for Linux as well. Actually it was, but we’ve seen over time that Linux has penetrated the enterprise server space. Certainly open source has the potential to do that in IP telephony as well. If you think about it, the IP PBX is kind of something that sits in a closet somewhere. You don’t really necessarily care what OS it’s running or what it’s doing in background. All you really care about is the features and functions it’s providing for your VoIP network. So over time as Asterisk gets more robust and there’s more testing done on it, and it’s shown to be a reliable business-critical, mission-critical solution, I think the large enterprise space might come around to it. I think it’s a little bit early for that right now in that space.
I think it’s definitely something worth watching. It’s created a lot of excitement in the industry, especially with some of the service providers and the solutions they can offer based on Asterisk.
Ken: I don’t believe that NetIQ does much of anything with Skype, but I have to ask. Skype has recently started trying to position their service for business. And while I might see them as useful for a small business or some niche companies myself, I’d really like to hear your thoughts. Do you see a good fit for Skype? If so where? And what words of caution would you share for people looking into Skype for a business solution?
Jeff: With Skype, there’s a couple things that I see. I don’t think that it can be a replacement for an enterprise telephony service given all the features that enterprise telephony users are accustomed to. Even down to some of the basic things. I’m not sure that Skype can even offer emergency calling and we’re accustomed to calling 911 on our phone at our desk. The whole idea of using your computer as a phone is another thing. I think a lot of people still have issues with that. I think that Skype is now providing some phones that plug into your computer via USB port and that sort of thing, but I think some people may still have a little concern about even plugging their phone into their computer. That’s just kind of a psychological thing that I’m not sure how it’s going to work out. It just doesn't seem to be a strong fit with enterprise customers today.
I’m not sure that businesses are going to want to depend on something like Skype for mission-critical applications. You know, they as if it's ready for that. You mentioned peer-to-peer type functionality. I think Skype does a good job of that, but is it ready to handle critical business functions? Conference calls, hold, call transfer and things of that nature? I haven't seen the kind of support required for standard business features.
Security features are another area to consider. With Skype, a lot of aspects are proprietary. I’ve seen some analyses that are very favorable – that Skype's been well thought out and takes a strong approach to security. I’m just not sure how many of those analyses have been done or what the depth has really been. Is Skype ready for prime time from a corporate security perspective as well? I think that’s a good question.
Some corporations even block Skype. That shows there are concerns, and I think it’s still questionable for many people. If people are taking an active approach, there’s some good reason.
Wrap up from Ken
Chatting with Jeff was an interesting experience. I think he and I tend to reinforce each other's views on corporate customers' requirements to a large extent. For me this has often been an overlooked facet of VoIP. To me it often seems too easy to focus in on niche solutions. Vonage is really a niche solution, and so are Asterisk, Skype and a host of others. Through the process of maturing VoIP services, it's been interesting to watch the smaller sectors within VoIP become quite vocal and focused on their particular needs. Having a 30 year background in a variety of voice and data services, I've developed a big appreciation for the needs of business enterprises. Those VoIP needs are still developing as business cautiously embraces new and emerging technologies.
As Jeff pointed out, business will take a wait and see approach in many areas. Telephony in the business enterprise is a business-critical, mission-critical application. Smart business managers adopt new technology using a measure of caution and oversight to ensure that the business needs are met first and foremost.
As with every interview I do, any errors in this writeup are mine, and not due to any oversight or omission on Jeff's part.
Our next interview coming up here will be with David Mandelstam, CEO of Sangoma Technologies.
If you find these interviews useful or helpful, or there's someone in particular (either an individual or a company) that you'd like to read or hear an interview with, please drop me a note.
For archival and reference purposes, a PDF copy of this interview write-up will also be available in the Realtime VoIP Community Reading Room.