Fonality is Fine, but Worrisome

I won’t dispute my friend Andy Abramson’s assertion, later echoed by the knowledgeable Ted Wallingford, that Southern California Asterisk front-end reseller Fonality is better poised to bring the open-source PBX into the large enterprise space than even Digium, the company behind Asterisk.

I won’t because I long ago gave up playing Swami in the unpredictable world of IP communications and because I can see that Fonality has done an exceptional job of marketing its product, its company and its CEO, Chris Lyman.

Still, I wonder whether Fonality is indeed the right solution for businesses — particularly those businesses concerned about security.

The company’s products include a $1,000 “Standard” Asterisk PBX and a $3,000 “Call Center” edition that features unlimited call queues, recording and other bells and whistles.

Each of the offerings packs a well-designed front end that makes the notoriously prickly Asterisk easier to use. But, unlike a stock Asterisk installation, Fonality’s offerings require a constant — and potentially worrisome — connection to the company’s own servers.

Though one can use Fonality’s products with any SIP- or IAX-based termination services provider, the company builds a Virtual Private Network (VPN) back to Fonality from all its installed PBXes.

Ostensibly, there are good reasons for this, particularly that all upgrades to the product occur seamlessly and with no need for operator interaction. Also, because all configuration changes to an installed PBX are made by logging into an account with Fonality’s servers, and those changes are then pushed back to the local PBX, the risks of operator error are somewhat mitigated.

But there is reason for concern. Ease-of-use comes with trade-offs.

First, because the link is over VPN, it is possible for someone at Fonality to enter the local PBX in a virtually undetectable manner. An unscrupulous employee can then run a network sniffer on the PBX and, if the local PBX computer is part of the office network (as is likely to be the case in most offices), the employee potentially has access to all the computers on the network.

Second, the level of information logged by and maintained on the Fonality server is staggering. The PBX comes with a built-in IM chat client and all chats are logged by the central server. Any sensitive IM information within and outside the office through the local box is available to Fonality.

The central server also maintains a log of all call detail records (CDR). Fonality uses the CDRs when its customers want to see a calling history (i.e.: all outgoing sales calls made by an employee, all incoming customer support calls, etc.).

It can be argued, of course, that the phone company has a list of those calls (but not inter-office calls) as well. But Fonality is a hardware and software vendor, not the phone company.

Fonality may very well be a good solution for some businesses. But those concerned about keeping company secrets are probably better served by Digium’s offering. It may be a bit harder to configure (though Digium is working feverishly to make Asterisk more user-friendly), but Digium doesn’t require an outside computer to be listening in and keeping track.

Be Sociable, Share!
  • Chris_Lyman

    Marcelo,

    I took the courtesy of replying to your inaccurate characterization of Fonality here:
    Chris Lyman – An Open Letter to Marcelo Rodriguez | Smith On VoIP – Insights on VoIP Products and Services

    Sincerely,

    Chris Lyman
    Fonality CEO

  • marcelo

    In order to keep the discussion in one place, I took Chris Lyman’s “OPEN LETTER TO MARCELO RODRIGUEZ” published on another web site and printed in its entirety below:

    Marcelo,

    Since we have only ever spoken once, and it was nearly two years ago, it was odd to see this inaccurate blog appear — as if it was actually representing Fonality’s products.

    While you are a blogger, your day job is acting as president of your IP hardware store on Voxilla.com. And, to be fair to your readers, I should note that in your store you sell a number of PBXs, none of which are from Fonality. So, you don’t exactly have a current financial incentive to portray us in a fair light.

    That being said, I will give you the courtesy of responding to each of your points in the order you wrote them. Next time, maybe do what other journalists do…just call me up.

    Quote:
    “Each of the offerings packs a well-designed front end that makes the notoriously prickly Asterisk easier to use. But, unlike a stock Asterisk installation, Fonality’s offerings require a constant — and potentially worrisome – connection to the company’s own servers.”
    This is actually not true. Fonality’s VPN is only required when an admin wants to do a move, add or change. And, it is trivial to disconnect this VPN and reconnect it when you wish. In fact, a number of our customers do this today.

    Marcelo, what you probably don’t know is that all the leading IP-PBX vendors (Alcatel, Cisco, Nortel, etc.) have similar VPN interfaces that let resellers, and even customers manage their PBXs from outside the firewall. Perhaps, ours is a bit more pervasive as it sets up automatically, but this is only because we sell into the low-end of the market and most of our
    customers don’t have IT staff to actually build and manage VPNs. But, the security of our product is comparable to any leading IP-PBX vendor.

    Look, at the end of the day IP-PBXs are complex and really must have the ability to be remotely managed…or you have to roll a truck every time. Remember, not all our customers are as geeky as you or me.

    Quote:
    “First, because the link is over VPN, it is possible for someone at Fonality to enter the local PBX in a virtually undetectable manner.”
    You are treading in dangerous waters once you start making the argument that “if someone broke the law they would be doing something bad”. For instance, what about salesforce.com employees – don’t they have access to all your critical sales data? What about your cell phone provider? What about your ISP? A rogue employee anywhere can make life difficult for anybody. Fonality’s employees pride themselves on their ethics and it is an important part of our corporate culture.

    Quote:
    “An unscrupulous employee can then run a network sniffer on the PBX and, if the local PBX computer is part of the office network (as is likely to be the case in most offices), the employee potentially has access to all the computers on the network.”
    It is trivial to separate your phone network from your data network. You can use a LAN segmentation (physical) or a separate subnet (logical). We have long had documentation on our public knowledge base about how to do this. In fact, go to http://www.fonality.com/help and type in “security” and click on the first article: “Tips for Security and Performance”.

    Quote:
    “Second, the level of information logged by and maintained on the Fonality server is staggering. The PBX comes with a built-in IM chat client and all chats are logged by the central server. Any sensitive IM information within and outside the office through the local box is available to Fonality.”
    Not true at all. Fonality does not log its customer’s chats. The chats all occur on the customer’s premise server and those chats *never* flow back to Fonality. They never have, and never will. I wonder where you get your information, given that we only launched this chat feature out of its ten-month beta a few days ago?

    Quote:
    “The central server also maintains a log of all call detail records (CDR). Fonality uses the CDRs when its customers want to see a calling history (i.e.: all outgoing sales calls made by an employee, all incoming customer support calls, etc.).”
    Finally, you have made a correct statement. Yes, Fonality’s central system does poll the customer’s servers, once per hour, and maintains a copy of call records (but not content of course.)

    Not that every phone company in the world doesn’t do this…but what is *our* logic for doing so? Simple. We, at Fonality, have invested a ton of money and time into our central reporting engine which provides customer’s high-end reporting functionality (super fast reports with a high degree of customization) for a super low price. There is simply no way these reports could be run on most of our customer’s $1,000 servers. The database crunching alone would spike those CPUs into a coma, effecting audio quality. Remember, these premise boxes are designed to pass great audio, not crunch thousands of call records in under a second.

    Quote:
    “Fonality may very well be a good solution for some businesses. But those concerned about keeping company secrets are probably better served by Digium’s offering.”
    What do you mean by Digium’s offering? Am I missing something…or does Digium make hardware cards and soon a SoHo appliance (ala LinkSysOne)? Perhaps you are talking about Digium’s rarely-sold “Asterisk Business Edition”? Have you ever seen a normal business owner (not an Asterisk/Linux geek) try to install Asterisk? Asterisk is an Operating System for the PBX and Fonality’s PBXtra is a commercial product.

    Marcelo, it is common knowledge in the software industry that when one makes software easier to use one has to assert a bit of control to accomplish this. The age old see-saw in this industry has been between flexibility and ease-of-use. Fonality, which serves the SMB, chose to make our product incredibly easy to use. Take a look at Tivo vs. MythTV for a comparable.

    Quote:
    “It may be a bit harder to configure (though Digium is working feverishly to make Asterisk more user-friendly), but Digium doesn’t require an outside computer to be listening in and keeping track.”
    Again, Fonality is not “listening in”. Our central servers have never stored any audio or audio files. All calls are point-to-point. And, all stored audio files, such as voice prompts, greetings, voicemails, and recordings are stored on the customer’s local server *only*. To recap: there is no “listening in” and our central server simply pushes text-based configuration changes to the customer’s box and stores a duplicate of their CDRs so they can run great reports quickly.

    Whew, you are a tough customer Marcelo. I would hate to read your blog about the whole hosted PBX (IP Centrex) movement from the likes of: Comcast, Covad, SpeakEasy, and basically every other telco in the world who is insisting you no longer need any switch on premise again. Eat your heart out, Vonage!

    –
    Chris Lyman
    Fonality CEO & Janitor
    http://www.fonality.com

  • Tdesigns

    As a prospective Fonality customer this opens up new concerns regarding processing on the PBX server.

    We are a company of 100+ employees with well over 150k calls a month… Our company relies on #1 – The quality and reliability of the phone call. #2 – The statistics and reporting of all call information (including realtime data).

    Since Fonality needs to port all CDR information via VPN to improve the processing performance of the PBX – how can we be assured that all of this VPN traffic (150k calls a month) will not impact the actual call quality?

    Does Fonality offer alternative methods to offset performance? other than utilizing VPN and sending the CDR data to one of their onsite machines? For example, could we purchase our own server and perform all of our CDR crunching on our own network? (the same goes for our recording/audio processing).

    This would seem to be a winning solution for both parties as we could stop the VPN process but not effect the actual PBX processing power.

    Any thoughts?

    TD

  • Chris_Lyman

    TD,

    Hi there. You wrote:

    > Since Fonality needs to port all CDR information via VPN to improve the
    > processing performance of the PBX – how can we be assured that all of
    > this VPN traffic (150k calls a month) will not impact the actual call
    > quality?

    You are slightly confusing the issues. It is not the size of the CDR information that causes the performance problem. Rather it is the crunching of huge volumes of CDRs on a local database that can impact the performance of the local PBX. Actually this is the *exact* reason we designed our central reporting engine. Our VPN very slowly pulls your text based files into the central database so that you can run reports on our remote multi-server high-availability Mysql cluster instead of taxing your own CPU. Think about it, if you get 150K call a month, then you get 1,800,000 calls per year. If you tried to run a big report on all of those calls, using agent-level intelligence to measure the productivity of your agents it would *absolutely* impact the performance of your box.

    The potential for misinformation on our incredibly (and now patent-pending) architecture is exactly why I have grown a bit frustrated in this blog by Marcelo – because the issue has gotten confused along the way. The VPN *is* what helps your machine focus on its task of reliably processing calls and not running monster call center reports in a local database on the box. The simple act of pulling text files through a VPN as virtually zero impact to your box.

    To be clear, Fonality has over 600 call centers in the field, many of them doing 5,000 and 10,000 calls per day.

    > Does Fonality offer alternative methods to offset performance? other than
    > utilizing VPN and sending the CDR data to one of their onsite machines?

    As stated above, this *is* our performance solution – designed for just that reason. You just don’t want your box crunching reports. Let them trickle upstream and have our huge remote cluster do it from within your web browser.

    > For example, could we purchase our own server and perform all of our CDR
    > crunching on our own network? (the same goes for our recording/audio
    > processing).

    Sure you could setup your own machine and process your CDRs on it. In fact, there is even an option to disable our central call logging from within the PBXtra Web Panel. See here: http://www.fonality.com/images/you_c…_would_you.gif

    But…if you did this, you would not be achieving what you are trying to achieve – which is having your PBX focus on what it needs to do – reliability make and receive calls.

    This being said, a copy of your call logging is always stored on your local box in either case. You could purchase any reporting engine you want and connect it on your LAN, such as Crystal Reports.

    You asked about call recording, for privacy reasons, that is only done on your local box and yes it can impact the performance of your CPU in a *big* way, so use it with caution. If you need to record lots of concurrent calls there are 3rd party onsite recording solutions you can get as well.

    > This would seem to be a winning solution for both parties as we could
    > stop the VPN process but not effect the actual PBX processing power.

    Again, to be clear. The VPN uses basically zero resources. It very slowly shuttles text files up and down from your box.

    Sincerely,

    Chris Lyman
    Fonality CEO

  • nlarson

    Chris, you need to take a good long look at your company and recognize the fault lines. We have had our deployment up for 14 months with nothing but constant trouble. The product is unstable and can not handle a 25 person team never mind the enterprise space. Here are some highlights… We have had 6 major Fonality caused phone outages this year. Our DR failover has yet to correctly fail over in any outage. Their support is abysmal, and we have issues that have been in place since day 1 that are still not resolved in 14 months. Don’t even get me started on their QA program for software updates… suffice to say 48 hour outage to both production and DR with 5 days gone before we got a full resolution; this was a result of a ‘painless 15 second update’. We have had the system for 14 months I can tell you this was the worst technology decision we ever made. Regards – Njal Larson, Satuit Technologies, Inc.

  • crusecom

    Crusecom Technology Inc, located in Oscoda, Michigan provides call center operations with the Fonality Call Center PBXtra. We average approximately 3000+ calls per day (160k Month), the calls are less than 2 minutes in duration and are process with an average of 27 CSR on staff.

    We selected Fonality based on the small business model and cost. On our initial deployment we tried to save on cost by purchasing the smaller system but quickly realized that our hardware selection would not meet our performance requirements or disaster recovery initiatives.

    We upgraded and expanded our solution to the Fonality HP server and only integrating the required T1 lines to the system. We doubled the CPU/RAM and increased our T1 count (from 1 to 3) and added roll over capabilities.

    By reviewing and analyzing our technical solution, Crusecom has been able to exceed our client expectation in areas of client satisfaction, call volume and reporting. The Fonality support services for the application and hardware has by far exceeded my expectation and we look forward to new opportunities and challenges with new and current client utilizing the Fonality products and services.

    The Fonality support team and management are there to help any client take the necessary steps to determine and analyze your objectives and aggressively support your technology goals.

    We would recommend Fonality to any organization that is moving forward with expanding their operation and moving toward a fully supported VoIP solution.

    Art Cruse
    President/CEO
    http://crusecom.com

  • potomactech

    I came across this just today, but I feel that it is warranted to leave a comment.

    Little Me Childrenswear has two PBXtras from Fonality. Both are relatively small compared to Crusecom. One system has 72 extensions, the other 53.

    We chose Fonality so us Administrators could rely on the IT site managers(AS400 and PC strengths) to be able to manage the phone system.

    Support has been great. The only issues we had were adding on non-recommended solutions due to limited budget allocation(tieing in with NEC h.323, non-ip paging amps, using basic linksys switches).

    If you do not want to babysit your phone system, Fonality is a good fit.

    Sam White
    Communications Administrator
    Little Me Childrenswear
    http://www.littleme.com

  • Pingback: spatially relevant » Blog Archive » #50 Friends I Can’t Wait to Meet()