Showing posts with label CISCO. Show all posts

Friday, January 18, 2013

Cisco VoIP Phone Hacked, Turned into Listening Device

by Michael Mimoso

Network-enabled devices such as routers and printers are notoriously insecure and fully exploitable gateways leading attackers toward network resources. A researcher and PhD student at Columbia University recently added VoIP phones to the list of pressing concerns.
Ang Cui demonstrated an attack against a Cisco-branded phone where he was able to put code on the phone by installing—and then removing—an external circuit board from the Ethernet port on the phone. Then using his smartphone, Cui was able to turn the phone into a listening device even though the phone’s Off-Hook switch was enabled.
Cui said he was also able to pull off another exploit, this time remotely, with similar results and without the need for physical access to the phone. Cui said the circuit board attack could easily and quickly be done by someone with physical access. He added that the compromise of one phone would put an organization’s network of phones at risk.
Cisco said the issue was patched in November (Bug ID: CSCuc83860).
“We can confirm that workarounds and a software patch are available to address this vulnerability, and note that successful exploitation requires physical access to the device serial port, or the combination of remote authentication privileges and non-default device settings,” Cisco said in a statement.
Cui demonstrated the attack at the recent Amphion Forum in San Francisco. He went down this road after a similar project with network-connected laser printers called Project Gunman. Cui was able to hack the printer’s firmware update and add malicious code. The code enables remote compromise of the printer inside the firewall; an attacker could steal documents without needing to physically be in the same building as the printer.
Cui said he could also use the printer as a launch pad for other network attacks.
Cui, who has also demonstrated other research on embedded devices, said that traditional security measures are not built in to these network-enabled devices, making them attractive targets. Recently, US-CERT warned users of certain Samsung and Dell printers that a hardcoded password was discovered. Attackers could use this built-in authentication to remotely hack in to an organization. The attacker could also modify printer configurations, access device or network information, device credentials and anything else passed to the printer.
(Read more at http://threatpost.com/en_us/blogs/cisco-voip-phone-hacked-turned-listening-device-121712)

Wednesday, June 6, 2012

Dealing with the classic Catalyst 6500 end-of-life


Network managers who have relied on the classic Cisco Catalyst 6500 platform in their data center and campus networks are approaching a crossroads: the Catalyst 6503, 6506 and 6509 platforms will reach end-of-life in November, which means Cisco will cease offering hardware support. Cisco will also stop selling the classic Catalyst 6513 in November, ending hardware support in August 2017.
Cisco offers a couple of migration options for customers facing classic Catalyst 6500 end-of-life. In the campus LAN, users can invest in the newer Catalyst 6500-E platform, which got a new lease on life with the release of the Supervisor Engine 2T. Meanwhile Cisco recommends that customers with the classic chassis in their data centers migrate to the Nexus line.
Catalyst 6500 end-of-life: Core migration is a headache
Catalyst customers are more concerned with a rip-and-replace at the core than in the wiring closet. Migration is somewhat simple in the wiring closet, while at the core it's much more radical.
“Replacing a core is not a trivial event. The hardware is cheap, but swapping out that hardware is an expensive proposition from an outage perspective, from a time perspective, and [in terms of] configuration validation,” said Forrest Schroth, network manager with staffing firm Randstad. “I would rather an upgrade at the core layer be a [result] of me needing functions that [the classic Catalyst 6500] doesn’t support rather than a vendor trying to push me new products.”
For many customers, the classic Catalyst is still sufficiently meeting their needs in the core.
“If you still have Catalyst 6500s around, they’ve been running in a fairly stable state for a while and most folks out there are going to continue running them as they stand. They understand that [the Catalyst 6500s] have limited functionality, but they are put in places in the network where [users] are not worried about a lot of forward evolution in terms of functionality,” said Eric Hanselman, research director with the 451 Group.
Even those that want to make a change in the data center don't love the fact that Cisco is pushing them toward the Nexus line. In a newer data center, Schroth installed Catalyst 6500-Es in his core rather than migrating to the Nexus line.
“We were going back and forth because there are features we don’t need [in Nexus] and features we would lose going to Nexus,” Schroth said.
Can you avoid a Catalyst 6500 end-of-life?
As Cisco winds down the classic Catalyst 6500, network engineers can turn to after-market equipment specialists like Network Hardware Resale (NHR) that offer third-party support for the equipment. In fact, these companies see the Catalyst end-of-life as an opportunity.
Mike Lodato, senior vice president of sales and marketing at NHR, gives the example of one healthcare organization with 385 classic Catalyst 6500s that was facing a $65 million migration bid from Cisco to the Catalyst 6500-E. The upgrade was driven by an upcoming rollout of voice over IP (VoIP) that would need the more robust Power-over-Ethernet capabilities of the Catalyst 6500-E. However, the VoIP rollout was a phased project with 85 sites in the first year, 120 in the second year and 92 in the third year. Rather than upgrade them all at once, the healthcare provider wanted a phased installation of the new switches, saving money by staggering the purchase, installation and support costs in time with the VoIP rollout. NHR was able to support that slow transition.
“We came in and said, 'instead of converting them all before you need them, how much does it save you to put those on third-party support?'” Lodato said. “'How much can you save in capital and depreciation expense by deploying them at the time of business need rather than the time of vendor mandate?'”
NHR is also working with Matrix Telecom Inc. to maintain 18 classic Catalyst 6500s in its service provider network, according to the company’s manager of IP network services, who asked not to be identified. He plans to keep the switches for as long as NHR can keep getting him replacement parts.
“As technology grows and evolves, we will need to upgrade them. Right now, my network is really stable. We’re not looking to do any major upgrades,” he said.
Other companies have been reluctant to use third-party support for network infrastructure because it is difficult to change course and get back on a Cisco support contract, Hanselman said. But with the classic Catalyst 6500, this worry is irrelevant. “Something bordering on antique becomes less of a concern,” he added.
Will Cisco stick to the Catalyst 6500 end-of-life dates?
Cisco has tried to retire elements of the Catalyst 6500 line in the past but has encountered pushback from customers. Some wonder if customer protest will stop this upcoming end-of-life.
“There are so many backbone nodes out there,” Schroth said. “[Customers] did not allow them to outdate CatOS, and they have not allowed them to remove the 6500 series. I believe this is more of a threat than an end-of-life. There is going to be a customer revolt and that date is going to slide.”

Saturday, December 24, 2011

Asterisk vs. Cisco Unified Communications

BY DJ MONROE

Over my 12 years in the Telecommunications Industry I have worked with a variety of phone systems including Avaya, Aspect, Nortel, Cisco and Asterisk. I am often asked how Asterisk compares to other traditional phone systems. These days I am most often asked to compare Asterisk with Cisco. Many times I am told by a prospect that Cisco can do things that Asterisk cannot, or that Asterisk is not as reliable as Cisco. Allow me to set the record straight regarding the two systems.

Asterisk vs. Cisco, here are some points where we can differentiate. Since I have administered both systems, I can speak with authority on this subject.

1. Cost – Even if Cisco undercuts their cost upfront, they will make it up on the backend. If you buy a Cisco system you will pay a license for every extension on the system, the phones are more expensive, and you have to buy Microsoft Exchange licenses for each voicemail box on the Unity voicemail system. On top of this, you will pay for annual support from a Cisco partner who will charge 20% - 30% of the total cost of the system yearly.

2. Features – In some areas the Cisco phone system really excels. The distributive architecture of the system is quite nice. All in all it is a great phone system. However, out of the box if you compare feature for feature Asterisk can do much more. In addition, due to the openness of its architecture you can make Asterisk do pretty much anything that you want.

3. Voicemail Systems – The voicemail system that comes free with Asterisk is 100% better than the Unity voicemail system that Cisco uses. Unity relies on a Microsoft Exchange mail system to manage voicemails. This is a needlessly complex design that does not provide any enhancements to the overall features of the voicemail system. In addition, on the Cisco system voicemail administration is separate from user/extension administration. Therefore, in addition to logging into the Cisco Call Manager to manage the user and extension, the administrator has to log on to a completely separate system to administer voicemail. With Asterisk, combined with our device management software, the User, Extension, Voicemail and device configuration are all managed from one screen.

4. Phones – Cisco makes a great phone, however in my opinion Polycom makes the best devices currently on the market, and they are priced much lower than equivalent Cisco phones. Furthermore, Asterisk allows you to choose the phones you want to use with your system. Good luck attaching and managing anything to Cisco's Call Manager that does not have a Cisco logo emblazoned on it.

5. System Integrity – Like any application there are good ways to deploy Asterisk and there are bad ways to deploy Asterisk. If you ask around organizations that have Asterisk based phone systems you will find an array of experiences. Many of these organizations will tell you that their phone system is their biggest nightmare. Still others will tell you that their Asterisk based phone system is the best thing since sliced bread.

In most cases the difference between these organizations is their deployment methods. Many organizations are attracted to Asterisk because of cost. Sometimes this leads those same organizations to cut corners on implementation, phones, interface cards, and server hardware. With Asterisk you get what you pay for. Cutting corners now will cost you in the future. Therefore, hire an experienced integrator to build and support your system, listen to their advice when purchasing phones, and don’t cut corners on equipment costs. PLEASE DON'T EVER BUY CHEAP PHONES! Unless you have a staff member that has performed several Asterisk deployments, don’t do it yourself. This strategy will ensure that you have a quality phone system that rattles and hums as it drives up productivity while enhancing the workplace environment, and you will still come out way ahead on cost over a traditionally branded system.

6. Future Proof Technology – Asterisk is open, freely available, and developed by a community of developers committed to constant improvement of the product. This ensures that the latest enhancements and fixes are available to you without the purchase of new software, licensing, or equipment. If the latest version of Cisco's Call Manager arrives on the market with some fancy new feature, plan on starting from scratch to upgrade your environment. In many cases a Cisco Call Manager upgrade will require you to purchase new software, pay for the same licenses again, and often to buy new rebranded HP servers that Cisco has marked up to three times their original retail price, from ~$4000 to ~$12,000.

Several Cisco shops have dumped Cisco in favor of Asterisk. In many cases they cite cost and features as the reason:

http://blog.tmcnet.com/blog/tom-keating/asterisk/asterisk-replaces-cisco-callmanager.asp

http://www.networkworld.com/news/2006/091206-von-sam-houston.html?t5

Here is another interesting article that discusses why some people integrate Asterisk with Cisco:

http://www.voip-info.org/tiki-index.php?page=Asterisk+Cisco+CallManager+Integration

Needless to say they are both good systems, but at the end of the day open standards, ongoing cost of ownership, and flexibility win in my opinion.

If you are interested in a full list of Asterisk and Cisco features, they can be found here:

http://www.asterisk.org/support/features

http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/vcallcon/ps556/solution_overview_c22-493511.html

Here is a very good post comparing Polycom and Cisco Phones:

http://asterisk.mdaniel.net/?p=11

For more information about BitWare Technologies and our product please visit our website:

http://www.bitwaretech.com

Friday, December 23, 2011

Brocade’s network hardware price model: Pay-as-you-go

Shamus McGillicuddy, News Director. Published: 1 Sep 2011

Why should you buy your switches and routers when you can rent them month-to-month? Brocade is offering that option as of this week with its new Brocade Network Subscription, a pay-as-you-go network hardware price model.

IT cost reduction has always been an issue for enterprises, particularly with network hardware prices. Cisco Systems’ customers joke about a “Cisco tax” because the company charges premium prices for its equipment; meanwhile, vendors like HP Networking and Juniper Networks win over deals by offering lower list prices on their switches and routers.

Attempting to drive down costs, many organizations turn to leasing network infrastructure rather than buying it. But this only shifts costs from capital to operational, and lease agreements bind a customer for a minimum number of years, charging a penalty if the enterprise backs out of the deal early.

Brocade’s new network hardware price model, announced at VMworld this week, is a month-to-month “rental” of network infrastructure, which won't necessarily bring down costs, but will enable IT shops to try on new technology for size with the ability to return or exchange without penalty—and that could mean overall savings if companies are able to avoid overbuying or investing in technology that doesn't work for them.

The program, available immediately, covers all of Brocade’s IP/Ethernet products and includes Essential Support from Brocade Global Services. Brocade hasn’t published the actual subscription rates for the program, but it is offering free quotes on its website. The company will also continue to offer its original network hardware price scheme alongside Brocade Network Subscription.

Pay-as-you-go networks could make enterprises early adopters

Aaron Mahler, director of network services at Sweet Briar College in Virginia, is less than halfway into five-year leases from both Juniper and Meraki for the college’s network infrastructure. While Mahler usually leaves network hardware price analysis to his financial officers, the flexibility of a pay-as-you go model intrigues him because it introduces the potential to try new technology.

“If there are no penalties [for canceling a hardware subscription], that would make us much more nimble in terms of scaling with the network we have. If a big shift in technology happens, it would be nice to be able to make that change within the term of our lease. As long as our finance folks look at the numbers and say it makes sense from a total cost perspective, then I would definitely be interested in it.”

Being nimble is especially important at a time when so many new networking technologies are pending. So, for example, as all of the major networking vendors hammer out their data center roadmaps, network managers can use the pay-as-you-go approach to wait out a plan from their preferred vendor, said Andre Kindness, senior analyst with Forrester Research.

“If Juniper had this for their products, customers would feel comfortable with bringing [Juniper’s] EX8200 [into their data centers] and then switch to QFabric down the line. They wouldn’t be as scared to invest. It’s lower risk.”

Pay-as-you-go models also allow organizations to back out of technology that doesn't pan out, mitigating the risks in trying new architectures, according to Mike Spanbauer, principal analyst with Current Analysis. That's helpful considering vendors are currently knee-deep in choosing sides among competing pre-standard technologies like Transparent Interconnection of Lots of Links (TRILL) and Shortest Path Bridging (SPB).

Brocade has rolled out its new VCS data center network fabric, based loosely on TRILL, and its new line of VDX data center switches. With no capital investment and no penalty for backing out, users are much more likely to try the new technology.

“There’s no commitment to a single path necessarily because you can return [the hardware] if it doesn’t work out for you. Once it’s installed you definitely have migration challenges to get off that equipment, but you’d have that challenge with any solution. In this case you don’t have to worry about capital depreciation issues that limited you to only making changes every three years or so,” said Spanbauer.

Economic environment demands new network hardware price models

Beyond enabling technical innovation, pay-as-you-go models may help companies drive down costs.

Whether pay-as-you-go networks are cheaper than those bought with a traditional capital budget will probably depend on how long an enterprise keeps the rented network in place and how well it plans for growth. Most enterprises build a network with a lifecycle of five to seven years with excess capacity to account for growth over that time. A company that builds a pay-as-you-go network can install and pay for only the capacity that is needed, and add more ports when growth is required.

Some vendors have introduced pricing schemes for application delivery controllers and WAN optimization appliances that allow customers to pay a fee for a temporary burst in capacity when needed, said Kindness. Meraki, a provider of wireless LAN infrastructure, also introduced a pay-as-you-go model to its network hardware price scheme earlier this year.

“When pharmaceutical manufacturers buy chemical, they’ll bring in two truckloads of the chemical. But if they only use one truckload, they can send the other one back,” said Kindness. The same need is growing in IT infrastructure spending, he said.

(Source - http://searchnetworking.techtarget.com)

Cisco Live 2011: Catalyst 6500 upgrade the game changer?

Rivka Gewirtz Little, Senior Site Editor. Published: 13 Jul 2011

LAS VEGAS—Cisco served up comfort food for the networking masses on the first day of Cisco Live 2011, sidestepping edgy cloud announcements and focusing instead on a major Catalyst 6500 upgrade.

Cisco is in full battle mode in the switching market where it has lost some ground to competitors with less expensive equipment, including HP Networking. Some customers had expected Cisco to launch a smaller and less expensive addition to the Nexus line (the Nexus 7009 mentioned at Cisco Live 2010), but the Catalyst 6500 upgrade will enable 25,000 existing customers to upgrade their E-Series chassis without the cost of a rip and replace. The message is that they don't need to go with less expensive and less functional equipment from competitors.

“Our goal and aim was to make sure we could protect those customers' investment,” said Scott Gainey, Cisco director of marketing.

The refresh is centered on the Catalyst 6500 Series Supervisor Engine 2T, a 2-terabit card that triples the throughput capability of the 6500 switch from 720 Gbps to 2Tbps and adds virtualization segmentation. Cisco execs compared the $38,000 Supervisor 2T to HP's A9508 switch, saying customers can triple the performance at one third of the cost with this upgrade.

HP called Cisco's comparison of the Supervisor 2T with HP's A9508 "meaningless." Mike Nielsen, director of solution marketing at HP, said that Cisco is comparing the price of a supervisor engine upgrade with the cost of a complete chassis switch system from HP. He also pointed out that HP launched a new competitor to the Catalyst 6500 platform at Interop, the A10500 series, which outperforms an upgraded 6500.

"HP delivers two times Cisco's performance with the HP 105000. Cisco 2T delivers 80 Gbps per slot; HP 10500 doubles that to 160 Gbps," Nielsen said.

The Catalyst 6500 upgrade also includes 10 Gigabit Ethernet line cards—the 6900 8-port 10G card with baked in TrustSec security and the 6800, which includes two 16-port 10G modules and a 48-port Gigabit Ethernet module. Cisco also announced service modules that enable a high performance next-generation firewall, an application control engine for acceleration and security, more comprehensive NetFlow capabilities and mobility management that enables north of 10,000 devices on one module. Cisco says the combined bandwidth from the cards and supervisor make the Catalyst 6500 40 GbE ready, but the company hasn't announced any 40 GbE ports yet.

Catalyst 6500 upgrade? What about the Nexus transition?

Many believed that the Nexus line was meant to replace the aging Catalyst 6500, but this week at Cisco Live, execs said the two addressed very separate markets with different needs.

“The Nexus was meant to bring 10 Gigabit Ethernet into the data center, but gigabit Ethernet is also enormous and there are segments [other than the data center] that have to be addressed. The 6500 fits the sweet spot of the campus that nobody in the market can keep up with,” said John McCool, senior vice president of data center and switching.

“We see the market bifurcating into a campus-based market that needs rich services and the data center network with convergence that takes a different functionality,” he added.

For those who want to keep existing 6500s in the core and aren't concerned about building a Nexus-based data center and managing two sets of equipment, the release seems only positive.

"The core of the network may not always get the limelight, but it makes or breaks the performance of the applications our faculty, students, and researchers depend upon daily,” said Ed Wilson, network test engineer at Pennsylvania State University, who was part of Cisco's press launch. “The introduction of the Catalyst 6500 Supervisor Engine 2T will extend our investment in Cisco systems.”

On the other hand, customers who have invested big into Cisco's server products, the Unified Computing System (UCS), and built a Nexus-based network to support UCS want to see more than a Catalyst 6500 upgrade. Many of these users will eventually build a core-to-edge 10 GbE network and had gotten the message from Cisco that 6500s would be eventually replaced by the Nexus.

“We're going with the Nexus because it has FCoE capabilities and we're looking at the long-term architecture. Also we need the virtualization abilities of the Nexus,” said Rich Parker, security and communications manager at law firm Baker Botts LLP. “I've also heard this is the last supervisor upgrade for the 6500, so that's not an investment we would make.”

Adding speed and functionality to a much-loved switch is never a bad thing, said Gestalt IT founder Stephen Foskett. It's also not the most exciting thing Cisco could have announced when it comes to switching, he said.

(Source - http://searchnetworking.techtarget.com)

Saturday, November 19, 2011

Siemon, Cisco, Intel and Aquantia team up to discuss 10GBASE-T adoption in the data centre

At a recent Emerging Technology Forum in Portland USA, experts from leading network infrastructure companies Siemon, Cisco, Intel and Aquantia addressed key advances and considerations in the trend towards increasing market adoption of 10 Gigabit Ethernet (10GBASE-T) technologies in the data centre.

Topics covered were key 10GBASE-T market drivers and projections, the evolution of server connectivity, decreasing power needs and cabling design options with 10GBASE-T, and others. This event offered actionable advice for networking professionals on critical 10GbE decision points across the data centre infrastructure.

Panel contributors included Dave Chalupsky, Intel Network Architect, Carl Hansen, senior product manager with Intel’s Data Centre Standards group, Carrie Higbie, Siemon’s global director of data centre solutions & services, Sudeep Goswami, product line manager of Cisco’s Server Access and Virtualization Business Unit and group chair for the Ethernet Alliance 10GBASE-T committee and Sean Lundy, director of technical marketing at Aquantia.

According to Siemon’s Carrie Higbie, category 6A and higher connectivity is being planned in new data centres, “85% of the new data centre designs we see are cabling for 10GBASE-T.” Higbie also noted a continuing upswing in the global use of shielded cabling for 10GBASE-T, including the traditional UTP dominant markets such as the US.

Siemon has been marketing and selling 10GBASE-T ready cabling since 2004 and now that 10GBASE-T equipment and power consumption is becoming more economical, the time has come for customers to take full advantage of their category 6A and higher cabling investment.

Among the event highlights were Aquantia’s Sean Lundy and Intel’s Carl Hansen and Dave Chalupsky providing insight on how chip innovations from their respective companies were expected to significantly drive down 10GBASE-T power requirements for more energy-efficient 10GbE networks. According to Lundy, “The current 40nm generation can already achieve power of a couple of watts for connectivity within the rack in data centres and will trend to 1 watt or less with energy efficient ethernet and migration to finer geometries. We have now achieved a power, area, density envelope that has enabled dual-port LAN on Motherboard (LOM). Between LOM and 48-port high density switching, in 2011, we will see the beginning of the hockey stick growth curve for 10GBASE-T”.

Regarding widespread commercial availability of 10GBASE-T equipment, Cisco’s Sudeep Goswami stated that Cisco is serious about 10GBASE-T and projected that the company’s flagship Nexus product family would join its Catalyst line in supporting 10GBASE-T in 2011.

(Reference - http://www.thedatachain.com)

Tuesday, August 3, 2010

HP issues war cry to Cisco!

Vendor claims networking market is a two-horse race after its 3Com acquisition was recently finalised - Written by Caroline Donnelly

HP has declared war on former bedfellow Cisco, positioning its rival as the only vendor in the networking space with a product portfolio to match its own. The hardware behemoth said its recently closed buyout of networking vendor 3Com had provided it with a product portfolio that spans from the core to the periphery of the datacentre.

HP said the move also puts it “toe to toe” with Cisco well ahead of the chasing pack.

Darryl Brick, sales manager of HP Networking for the UK and Ireland, said: “Nortel, Brocade and Juniper are all major players, but some of them have glaring holes in their product portfolio.

“The acquisition has helped us put some space between ourselves and the other players and when we look ahead, we see only Cisco.”

The 3Com deal has also boosted HP’s share of the UK networking market from 12 to 15 per cent, to 20 per cent, according to Brick.

“We hope to push that figure north of 25 per cent,” he added.

HP’s challenge comes six months after Cisco announced it was booting HP off its partner programme to stop its rival gaining access to product roadmaps and partner profitability initiatives. Simon Aron, managing director of joint HP and Cisco partner Eurodata, was not surprised that the conflict is hotting up.

“Cisco has dominated the market for so long,” he said.

“It is good news that HP has decided to step up and give it a run for its money because it means more choice for end users,” he added.

Clive Longbottom, service director at analyst Quocirca, said HP will write off the rest of its competition at its peril.

“If you want a single supplier approach, it comes down to Cisco and HP,” said Longbottom.

“But the vast majority of environments will not be that homogeneous and HP still has some holes [in its portfolio] that need filling by some other vendors.

“Therefore, it will need to cosy up to others in the market to fill those gaps.”
Steve Garrison, vice president of marketing at HP rival Force 10 Networks, said that despite Cisco and HP positioning themselves as all-in-one datacentre providers, there is still plenty of demand for vendors that specialise in one area.

“The Walmart approach, where you can get everything you need under one roof and from one vendor, is fine,” said Garrison.

“But what end users need to figure out is whether or not the solution on offer caters for each one of their business needs.”

(Source - HP issues war cry to Cisco - 30 Jul 2010 - CRN)