Thursday, June 25, 2009

Want a job in VoIP? Consider BroadSoft Training

BroadSoft Inc's BroadWorks platform is undoubtedly one of the leading VoIP platforms out there. They've created two certification programs: BroadSoft Certified Platform Administrator (BCPA), and BroadSoft Certified Application Administrator (BCAA).

They're also using Ziiva, aka Prosperity Learning Management Systems (LMS), to host a site http://certification.broadsoft.com where you can study for and take the tests.

One of the frustrating things about the voice-telecom industry is that their documentation is typically kept closed, and only available to customers. But why? Documentation from Cisco, Oracle, and IBM is all publicly available; it's not hurting them in their industries. But you'll see companies like Adtran open their data-telecom documentation, while keeping some of their voice-telecom documentation behind a login and password. (I consider documentation to be "open" if you can get it without being a customer of the company.)

BroadSoft's certification site bucks that trend. The courseware is free and open. If you're trying to break into carrier-grade VoIP systems, studying the free BroadWorks documentation on their certification site is a good way to learn.

And if you're actually willing to do the work to read and learn that material, my hat's off to you. This industry needs people who are willing to crack open a PDF and do some studying.

Monday, June 22, 2009

Nortel Networks Bankruptcy and the CS2000 / CS2K: Finding Alternatives

Nortel Networks has gone bankrupt, and is selling bits and pieces to Nokia Siemens. I'm not sure if the CS2K is one of those pieces.

Nortel has a lot of really smart people. It's difficult to change from charging $16M for a telephone switch servicing 100,000 lines in 1997 (which is what they charged BellSouth for the DMS100 in my home town) to the current marketplace.

There are interesting engineering and technical questions that arise when a company does this. People have long complained about Nortel's support for the CS2K. At least one carrier is rumored to have stopped provisioning new subscribers on their Nortel CS2K as soon as the bankruptcy was announced.

If you need a modern alternative to the CS2K, what are the choices? There are plenty; here are a few front-runners:

  • MetaSwitch is the first to come to mind because CS2K users often have copious TDM and SS7 interconnections. The MetaSwitch platform can definitely handle those, along with Class-5 and Class-4/tandem-type features.

  • BroadSoft may be a fine choice if you were using the CS2K primarily for Class-5-like features, and you have some other way of interconnecting SIP to the PSTN.

  • Alcatel-Lucent has the old Telica Plexus 9000 platform (not to be confused with the Plexus 8000). I think the name-of-the-month is the "Alcatel-Lucent Network Gateway". It's a nice box, but somewhat difficult to troubleshoot. (Especially if you don't have the super-secret list of debug commands and logging that you can run on the individual CPU and VSM cards.) Still, if you're looking for solid SIP-to-PSTN interworking, it's a good option to consider.

  • Taqua has a platform worth considering.

  • You might consider Cisco because of the PGW or BTS10200. These come across as pretty weak players, compared to other folks in this list. If you're interconnecting the VoIP world with the PSTN, then you can use AS5400s and have great joy. (Just be sure you add access-lists to control the paths SIP can take. IOS will accept a call from anybody!)

Saturday, June 13, 2009

Three Rules for Effective Naming

1. ONE OF THE RULES that has served me well is this: things should have unique names so I can distinguish them. Filenames are easy examples; I've noticed it's a lot easier if, for output I don't intend to edit, I don't re-use filenames.

Output I don't intend to edit includes things like the output of mysqldump (which dumps the contents of a database) for backup purposes; or the output of wget (as it downloads a web page or site). Or the output of "show tech-support" on a network box.

At the moment, I put a timestamp in the filename; such as "show_tech_support_200906131557".

This raises some questions:

(a) Can't we depend on the filesystem for this? After all, every filesystem has time and date stamps. BUT: Files don't just live on filesystems: they're often sent through email, or attached to ticket systems on web sites.

(b) What timezone should be used? I just use the timezone I'm actually in, but I'm not sure that's "ideal". It *CAN* be confusing when a system (such as a server) is in one timezone and I'm working in another timezone. I probably need a better rule for this case.

2. FILESYSTEM HIERARCHIES ARE GREAT, but unfortunately they're not useful once the file leaves the filesystem (such as when it's sent by email). So if your file is named "tech-support.txt", you know only the least bit about its content. If you add the timestamp as I suggest above, you get "tech-support_200906131607.txt". It's also smart to add your organization to the name if it's going to be crossing organizational boundaries, such as when you email the output to a vendor. It's also smart to include the name of the system that generated the output.

So you'd end up with "acmecorp_router_1_tech-support_200906131607.txt".

Occasionally, I'll get a complaint that the files named this way are too long. I attribute this to sloth on the part of the complainer, but perhaps other theories may explain the complaints.

3. ANOTHER RULE is to keep a unique tag on any dataset you introduce into an already-intermingled set. For example, I happened to harvest some MP4 audio files as they were flying by one month, and I added those to iTunes. Later on I decided the quality was too low on those files, so I wanted to delete them all.

Fortunately, I had included an underscore "_" in the song names when I added those files to the iTunes library, so it's trivial to select and delete them all.

Or take a less-trivial case: suppose you're managing SIP VoIP Phones, and you're adding entries to the database for 10,000 of them. The database may already have 5,000 entries. After you've added these entries to the database, you may later need to go back and work with these entries. (Maybe you didn't get it perfect the first time.) In this case, it's convenient to have some marker in the database entries for the SIP phones you added in this way. If the database has a way of marking the source of the entries explicitly, then that's good to use. If not, then you can sometimes add a tag to the name. At the very least, you can keep a list of the individual entries added, which you can use later to access the new data set.
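The SIP-phone case above, as an added example (my own code, not from the original post). A SQLite table stands in for the provisioning database, and the table, its columns and the sample phones are all constructed for the example. The "batch" column is the explicit source marker the post prefers, playing the same role the underscore played in the iTunes song names; manifest_json() is the fallback of keeping a list of what you added when the schema offers no such column. The walk-through imports a batch, finds it again by tag alone, corrects a mistake in only that batch, and backs the whole batch out without touching the rows that were there before.

```python
"""Mark a bulk-imported dataset so it can be found, fixed or removed later.

Added example, not code from the original post. A SQLite table stands in
for the SIP phone provisioning database; the table, its columns and the
sample phones are constructed for the example. The 'batch' column is the
explicit source marker the post prefers; manifest_json() is the fallback
of keeping a list of the entries you added when the schema has no such column.
"""
import json
import sqlite3
from datetime import datetime


def open_db():
    """In-memory database; batch IS NULL marks the pre-existing, hand-entered rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE phones (
               id         INTEGER PRIMARY KEY,
               mac        TEXT UNIQUE NOT NULL,
               extension  TEXT NOT NULL,
               sip_domain TEXT NOT NULL,
               batch      TEXT)"""
    )
    return db


def import_batch(db, rows, batch_tag):
    """Insert (mac, extension, sip_domain) rows, all tagged with batch_tag.

    Runs as one transaction: either every phone lands with the tag or none
    does, so a half-finished import never leaves untagged strays behind.
    Returns the ids of the new rows.
    """
    ids = []
    with db:
        for mac, extension, sip_domain in rows:
            cur = db.execute(
                "INSERT INTO phones (mac, extension, sip_domain, batch) VALUES (?, ?, ?, ?)",
                (mac, extension, sip_domain, batch_tag),
            )
            ids.append(cur.lastrowid)
    return ids


def batch_ids(db, batch_tag):
    """The whole dataset, recovered from the tag alone."""
    return [row[0] for row in db.execute(
        "SELECT id FROM phones WHERE batch = ? ORDER BY id", (batch_tag,))]


def fix_batch(db, batch_tag, sip_domain):
    """'Didn't get it perfect the first time': correct only the tagged rows."""
    with db:
        cur = db.execute("UPDATE phones SET sip_domain = ? WHERE batch = ?",
                         (sip_domain, batch_tag))
    return cur.rowcount


def remove_batch(db, batch_tag):
    """Back the import out without touching anything that was there before."""
    with db:
        cur = db.execute("DELETE FROM phones WHERE batch = ?", (batch_tag,))
    return cur.rowcount


def manifest_json(batch_tag, ids):
    """Fallback marker: a manifest of the ids you added, to keep beside the import."""
    return json.dumps({"batch": batch_tag, "ids": ids})


def demo():
    """Walk through import, find, fix and remove; returns the counts checked below."""
    db = open_db()
    # Constructed pre-existing rows: five hand-entered phones, no batch tag.
    db.executemany(
        "INSERT INTO phones (mac, extension, sip_domain) VALUES (?, ?, ?)",
        [("00:00:5e:00:53:%02x" % i, str(1000 + i), "sip.example.net") for i in range(5)],
    )
    db.commit()
    # The tag follows the post's timestamp convention; the domain carries a deliberate typo.
    batch = "import_" + datetime(2009, 6, 13, 16, 7).strftime("%Y%m%d%H%M")
    new_rows = [("00:00:5e:00:53:%02x" % (0x10 + i), str(2000 + i), "sipexample.net")
                for i in range(10)]
    ids = import_batch(db, new_rows, batch)
    total = db.execute("SELECT COUNT(*) FROM phones").fetchone()[0]
    fixed = fix_batch(db, batch, "sip.example.net")
    strays = db.execute(
        "SELECT COUNT(*) FROM phones WHERE sip_domain <> 'sip.example.net'").fetchone()[0]
    found = batch_ids(db, batch)
    removed = remove_batch(db, batch)
    remaining = db.execute("SELECT COUNT(*) FROM phones").fetchone()[0]
    return {"batch": batch, "ids": ids, "found": found, "total": total, "fixed": fixed,
            "strays": strays, "removed": removed, "manifest": manifest_json(batch, ids),
            "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

The import runs inside one transaction on purpose: if the database rejects a row halfway through (a duplicate MAC, say), nothing from the batch is left behind untagged, which is exactly the situation the tag is meant to prevent.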

Thursday, June 11, 2009

Reclaiming Pragmatic Security: Why Standard Computer Security approaches Stink

The standard approach to computer security goes something like this: "Remember, Job #1 of any security professional is to make sure nothing bad happens. You don't have to be elegant, you just need to get the job done." [1] That statement is from Mike Rothman, the author of the "Pragmatic CSO". This is a book to explain to security techies how to function in a business environment.

But this statement is hogwash! I haven't read the book, but Rothman seems to be teaching you how to (a) feel influential because managers are asking you questions, and (b) make project plans and business cases for security equipment purchases. The premise has some truth: computer-system security specialists within companies need to function like grownups. But his statement "make sure nothing bad happens" reveals a misperception of any role in business.

Security always has TWO sides [2]:

  • (a) Safety: Be sure bad things DON'T happen.
  • (b) Liveness: Be sure good things DO happen.

But these ideas are not well known outside the formal Computer Science Research community.

There's an old joke: the best firewall (network security device) is the air-gap between a network cable and the port. The joke is funny because so many security people actually function as if their real job is to ensure nothing bad happens.

This absurdity is promulgated by Rothman's statement. Its practice creates the crazy situation in which the security technicians -- Chief Security Officer (CSO), IT technicians, etc. -- work *against* getting Good Things Done, leaving the rest of the business to work in favor of getting Good Things done.

Cisco published a relevant study in 2008:

"One of the most significant findings was the difference in employee and IT perspectives on policy non-compliance. According to IT, employees defy policies for a variety of reasons . . . [E]mployees said the top reason for non-compliance is their belief that policies do not align with the reality of what they need to do their jobs. More than two of five employees (42 percent) made this claim globally. In Germany, even though the majority of employees felt their companies' policies were fair, more than half of them (55 percent) said they would break them to complete their jobs." [3]

Of course the security staff feels like the users don't care: the security staff doesn't really care whether the users get their jobs done. It's as if the security staff feel that it's better not to get the job done at all rather than have it done in an insecure way.

PRINCIPLES FOR BEING PRAGMATIC ABOUT SECURITY

I. The computer security insanity has to stop. Being pragmatic about Computer System Security doesn't mean learning how to make fake business plans to buy equipment.

II. Being pragmatic about computer security must include both enabling good things to happen, and preventing bad things from happening.

III. The MAIN job of anybody in an organization is to do the business of the organization; i.e., to get good things done, to provide the service, make the product, satisfy the customer, help the world.

IV. All ventures involve risk; there's always a risk of attack and a cost to defend against it. The probability and costs of many risks cannot be quantified because you don't know what the worm or attacker will do.

V. Security is NOT about buying equipment or software. (Most serious network attacks go right through firewalls. Anti-Virus software is almost never up-to-date enough to stop new viruses.)

VI. Complex system security is sometimes worse than no security. For example, firewalls with 100-line access lists are almost always wrong.

VII. Security Controls that Prevent activity are fundamentally defenses against specific attacks. For every security control (firewall, access list, etc.) you have, you should know what you're defending against.

VIII. Realize that Compliance can be a farce; being "compliant" with some standard may mean you're not defending against the right threats. Auditors are often ex-accountants with checklists and no real understanding of systems. Don't rely on policy/law compliance for anything besides satisfying paperwork requirements.

[1] Mike Rothman's 2006 blog post, "'Pragmatic Security' Coming Into View", posted at: http://securityincite.com/blog/mike-rothman/pragmatic-security-coming-into-view

[2] Fred Schneider, "Defining Liveness", http://portal.acm.org/citation.cfm?id=867712

[3] Cisco Systems, "Global Cisco Study Applies Reality Check to Corporate Security Policies, Draws Connection to Data Leakage Risk", http://newsroom.cisco.com/dlls/2008/prod_102808.html