Thanks for returning. You're a very smart person.
A post on the Voxilla blog by Marcelo Rodriguez, caught my eye, via Andy Abramson, on the Fonality IP PBX solution. After reading the post and disagreeing with most of what Marcelo had to say, from working with the solution from the sales, support, and day-to-day use of the solution I decided to give Chris Lyman, Fonality’s Founder, CEO & Janitor a “SmithBox” from which to set the record straight.
Disclosure: I am employed by a Fonality partner and have personally sold almost a dozen Fonality solutions to businesses with 15 to a little over 100 users. In addition to my experience selling the Fonality solution, we used the Fonality solution in house for almost a year and experienced zero security issues during that time. The thoughts and comments below are that of Chris Lyman. Marcelo’s blog excerpt’s are indented and in “quotes.”
OPEN LETTER TO MARCELO RODRIGUEZ
Marcelo,
Since we have only ever spoken once, and it was nearly two years ago, it was
odd to see this inaccurate blog appear — as if it was actually representing
Fonality’s products.
While you are a blogger, your day job is acting as president of your IP
hardware store on Voxilla.com. And, to be fair to your readers, I should note that in
your store you sell a number of PBXs, none of which are from Fonality. So,
you don’t exactly have a current financial incentive to portray us in a fair
light.
That being said, I will give you the courtesy of responding to each of your
points in the order you wrote them. Next time, maybe do what other
journalists do…just call me up. 
“Each of the offerings packs a well-designed front end that
makes the notoriously prickly Asterisk easier to use.
But, unlike a stock Asterisk installation, Fonality’s
offerings require a constant — and potentially worrisome
– connection to the company’s own servers.”
This is actually not true. Fonality’s VPN is only required when an admin
wants to do a move, add or change. And, it is trivial to disconnect this VPN
and reconnect it when you wish. In fact, a number of our customers do this
today.
Marcelo, what you probably don’t know is that all the leading IP-PBX vendors
(Alcatel, Cisco, Nortel, etc.) have similar VPN interfaces that let
resellers, and even customers manage their PBXs from outside the firewall.
Perhaps, ours is a bit more pervasive as it sets up automatically, but this
is only because we sell into the low-end of the market and most of our
customers don’t have IT staff to actually build and manage VPNs. But, the
security of our product is comparable to any leading IP-PBX vendor.
Look, at the end of the day IP-PBXs are complex and really must have the
ability to be remotely managed…or you have to roll a truck every time.
Remember, not all our customers are as geeky as you or me.
“First, because the link is over VPN, it is possible for
someone at Fonality to enter the local PBX in a virtually
undetectable manner.”
You are treading in dangerous waters once you start making the argument that
“if someone broke the law they would be doing something bad”. For instance,
what about salesforce.com employees - don’t they have access to all your
critical sales data? What about your cell phone provider? What about your
ISP? A rogue employee anywhere can make life difficult for anybody.
Fonality’s employees pride themselves on their ethics and it is an important
part of our corporate culture.
“An unscrupulous employee can then run a network sniffer on the
PBX and, if the local PBX computer is part of the office network
(as is likely to be the case in most offices), the employee
potentially has access to all the computers on the network.”
It is trivial to separate your phone network from your data network. You can
use a LAN segmentation (physical) or a separate subnet (logical). We have
long had documentation on our public knowledge base about how to do this. In
fact, go to http://www.fonality.com/help and type in “security” and click on
the first article: “Tips for Security and Performance”.
“Second, the level of information logged by and maintained on the
Fonality server is staggering. The PBX comes with a built-in IM
chat client and all chats are logged by the central server.
Any sensitive IM information within and outside the office
through the local box is available to Fonality.”
Not true at all. Fonality does not log its customer’s chats. The chats all
occur on the customer’s premise server and those chats *never* flow back to
Fonality. They never have, and never will. I wonder where you get your
information, given that we only launched this chat feature out of its
ten-month beta a few days ago?
“The central server also maintains a log of all call detail
records (CDR). Fonality uses the CDRs when its customers
want to see a calling history (i.e.: all outgoing sales calls made by an
employee, all incoming customer support calls, etc.).”
Finally, you have made a correct statement. Yes, Fonality’s central system
does poll the customer’s servers, once per hour, and maintains a copy of
call records (but not content of course.)
Not that every phone company in the world doesn’t do this…but what is
*our* logic for doing so? Simple. We, at Fonality, have invested a ton of
money and time into our central reporting engine which provides customer’s
high-end reporting functionality (super fast reports with a high degree of
customization) for a super low price. There is simply no way these reports
could be run on most of our customer’s $1,000 servers. The database
crunching alone would spike those CPUs into a coma, effecting audio quality.
Remember, these premise boxes are designed to pass great audio, not crunch
thousands of call records in under a second.
“Fonality may very well be a good solution for some businesses.
But those concerned about keeping company secrets are probably
better served by Digium’s offering.”
What do you mean by Digium’s offering? Am I missing something…or does
Digium make hardware cards and soon a SoHo appliance (ala LinkSysOne)?
Perhaps you are talking about Digium’s rarely-sold “Asterisk Business
Edition”? Have you ever seen a normal business owner (not an Asterisk/Linux
geek) try to install Asterisk? Asterisk is an Operating System for the PBX
and Fonality’s PBXtra is a commercial product.
Marcelo, it is common knowledge in the software industry that when one makes
software easier to use one has to assert a bit of control to accomplish
this. The age old see-saw in this industry has been between flexibility and
ease-of-use. Fonality, which serves the SMB, chose to make our product
incredibly easy to use. Take a look at Tivo vs. MythTV for a comparable.
“It may be a bit harder to configure (though Digium is working
feverishly to make Asterisk more user-friendly), but Digium
doesn’t require an outside computer to be listening in and
keeping track.”
Again, Fonality is not “listening in”. Our central servers have never stored
any audio or audio files. All calls are point-to-point. And, all stored
audio files, such as voice prompts, greetings, voicemails, and recordings
are stored on the customer’s local server *only*. To recap: there is no
“listening in” and our central server simply pushes text-based configuration
changes to the customer’s box and stores a duplicate of their CDRs so they
can run great reports quickly.
Whew, you are a tough customer Marcelo. I would hate to read your blog
about the whole hosted PBX (IP Centrex) movement from the likes of: Comcast,
Covad, SpeakEasy, and basically every other telco in the world who is
insisting you no longer need any switch on premise again. Eat your heart
out, Vonage!
–
Chris Lyman
Fonality CEO & Janitor
http://www.fonality.com
{ 7 trackbacks }
{ 0 comments… add one now }
Leave a Comment