
Enterprise admins should say no to FaceTime

Consultant Erik Eckel explains why enterprise admins should have no problem saying no to supporting FaceTime on the new Apple iPhone.

I'm an Apple advocate. I use a MacBook Pro. I leverage an iPad in the field. I carry an iPhone mated to my consultancy's Exchange server. But I'm no FaceTime believer.

Apple's new FaceTime feature, included in the new iPhone 4, enables users to conduct video telephone calls using their new iPhones. According to Apple's marketing copy, "with the tap of a button, you can wave hello to your kids, share a smile from across the globe, or watch your best friend laugh at your stories."

Don't get me wrong. Those are cool uses for a cell phone. I just don't see much of a legitimate business need for such a feature in the enterprise. Large distributed organizations with remote offices likely already have a dedicated video conferencing solution in place, anyway. There's no need to reinvent the wheel, especially using a cell phone technology that's dependent upon Wi-Fi networks to fuel the video communications.

Those organizations that might wish to enable FaceTime operation face a dilemma. Numerous and potentially dangerous ports must be opened to allow FaceTime communications. An Apple support article updated in late June notes that, on Wi-Fi networks that use a firewall, port forwarding must be enabled for ports 53, 80 (80!), 443, 4080, 5223 and 16393 to 16472. That's a lot of doors to open for a feature that's arguably an element best used by consumers outside the office.

Apple's done a lot of things right. iPhone popularity is proof. But there's no reason enterprise administrators should feel pressured to update hardened firewall configurations, thereby lessening security on carefully secured networks, to accommodate the video-calling feature. IT professionals should feel no remorse saying "no" to requests to open FaceTime's necessary ports on restricted wireless networks. Further, I suspect many enterprise admins will just say no, sans the guilt.

About

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...

10 comments
travis.duffy

One major security hole after another. Protect your company's data and leave these things at home.

Jaqui

7 ports to use one app? Ain't no excuse for that. That just screams of incompetence. I could see it needing 2, one for the outgoing video stream, one for the inbound video stream, but most definitely no more than 2. There is no need to open ports for audio; the device is a phone, you have audio connection capabilities already. And there is no way any port below 1,000 will EVER be a viable port for an iPhone app, not if they are well designed and written.

jshaw4343

So right now, it should be pretty easy to say no. Not worth the risk for such limited use.

khit

While I agree that this does pose a security risk and I would like to see Apple decrease the attack surface, I disagree that there is no legitimate business use for the technology. I had a perfect opportunity to use it just yesterday. I had a pbx engineer on the phone while trying to trace down a fax line on a gigantic wall of punch-down blocks. I took pics with my iPhone and emailed them to him (it was nice that I didn't have to hang up while I did this) but it would have been great to be able to talk to him while I showed him video of exactly what I was looking at. I can imagine numerous remote scenarios like this.

retrofire

Probably the official "Facetime" yes -- but I'm sure that our field techs will have much better capabilities to share live repair info with inside engineering and tech support groups. We already have a web-cam in tech support to help explain how things look and going forward the options using live video sharing feed will be under even more demand... No matter what method we choose, I have video sharing needs now and it's for business needs, not for executives on conference calls. A picture can be worth a thousand words...

Vulpinemac

I disagree with your opinion, Erik. "Large distributed organizations with remote offices likely already have a dedicated video conferencing solution in place, anyway." Quite often these are dedicated conference rooms that pretty much have to be scheduled for use. Even if not, any other video conferencing solution requires either sitting at your desktop with a web cam mounted (unless it's an iMac or exactly equivalent type) or a laptop with built-in webcam, which we already know is not all that common outside of Apple's products. This also doesn't take into consideration that one or more of the attendees may not have their laptops with them as they may be mobile for whatever reason. I will grant that a laptop could conceivably be used anywhere FaceTime can be used, but its bulk may make it impractical in some places. "There's no need to reinvent the wheel." Even so, the wheel has been reinvented many times, from stone, to wood, to steel, to rubber. Each advancement has made that wheel more practical and reliable over the millennia, and the same can be said for communications. The wheel needs to be continuously reinvented, or our technology and society will stagnate. In today's world especially, stagnation means extinction.

Snak

.... if only because it has a sadly unimaginative, copied name.

elrico-fantastica

A few of our customers have enquired about the best way to handle this, as with all new geek toys once the directors get them suddenly they become a "business need". As a security company we have a tough job balancing adequate security against the whims of the businesses we advise... A workaround I have advised a few of our customers to run maintains a degree of security. It's not ideal, but it allows the use of iPhones without opening ports to the general staff population, and it's fairly simple to implement for the average network tech. If you access the Settings app on your iPhone and go into the network and wireless settings you can get the MAC address for your wireless card. Then on your DHCP server you can add some reservations. I recommend picking a different range to your regular DHCP scope, as then there is less risk of confusion on the firewall or another tech applying a static IP out of the restricted range to a workstation. In each of the IPs you have reserved you can enter the advanced settings and enter one of the MAC addresses of one of the iPhones you wish to grant access. Then on your firewall you can create a specific rule allowing access from the new range you have reserved on whatever ports you want them to be able to use. A generic catch-all (any) rule (or default route) will probably be fine, as the iPhone is limited in what damage it can bring to the network and the IPs covered by this rule will only be handed out if the MAC address is matched. If you want the iPhones to access internal LAN resources you will need another rule on the firewall granting access to your LAN and maybe a static route on the firewall, depending how you have subnetted everything... Like I said, not perfect, but it allows iPhone users onto the App Store and FaceTime without opening ports to your workstations or other people on the wireless.
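
The port list quoted in the article (53, 80, 443, 4080, 5223 and 16393 to 16472) and the reserved-DHCP-range workaround described in the comment above, as an added example that is not the article's or any commenter's code: a small policy auditor that builds the least-privilege rule set (FaceTime ports reachable only from the range the DHCP server hands to MAC-reserved iPhones) and flags rule sets that open those ports to the whole wireless scope or open ports beyond the list. The rule syntax, the subnets 10.20.0.0/22 and 10.20.3.0/26, and both policies are constructed for illustration; protocols are not modelled because the article does not state them.

```python
"""Audit firewall rules against the FaceTime port list quoted in the post.

Added example, not code from the article or any commenter.  It models the
workaround elrico-fantastica describes (a separate DHCP range reserved for
enrolled iPhones) and checks that the ports from Apple's list are opened
only from that range.  Rule syntax, subnets and policies are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Ports the Apple support article cited in the post lists for FaceTime.
FACETIME_PORTS = frozenset({53, 80, 443, 4080, 5223} | set(range(16393, 16473)))

# Below 1024 sit the classic service ports (53/80/443 here are DNS, HTTP,
# HTTPS), so opening them to a wide source exposes far more than video calls.
WELL_KNOWN_LIMIT = 1024


@dataclass(frozen=True)
class Rule:
    """One allow rule: traffic from `src` to destination ports lo..hi."""
    src: ipaddress.IPv4Network
    lo: int
    hi: int

    def ports(self) -> set[int]:
        return set(range(self.lo, self.hi + 1))


def collapse(ports: frozenset[int]) -> list[tuple[int, int]]:
    """Group a set of ports into sorted, contiguous (lo, hi) spans."""
    spans: list[tuple[int, int]] = []
    for p in sorted(ports):
        if spans and spans[-1][1] + 1 == p:
            spans[-1] = (spans[-1][0], p)
        else:
            spans.append((p, p))
    return spans


def facetime_policy(device_range: str) -> list[Rule]:
    """Least-privilege policy: the FaceTime ports, reachable only from the
    range the DHCP server hands to MAC-reserved iPhones."""
    net = ipaddress.ip_network(device_range)
    return [Rule(net, lo, hi) for lo, hi in collapse(FACETIME_PORTS)]


def parse_policy(text: str) -> list[Rule]:
    """Parse the toy syntax used here: 'allow <cidr> dport <lo>[-<hi>]'."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        action, src, keyword, span = line.split()
        if action != "allow" or keyword != "dport":
            raise ValueError(f"unsupported rule: {raw!r}")
        lo, _, hi = span.partition("-")
        rules.append(Rule(ipaddress.ip_network(src), int(lo), int(hi or lo)))
    return rules


def audit(rules: list[Rule], device_range: str) -> list[str]:
    """Return one finding per rule that opens more ports than FaceTime
    needs, or opens them to hosts outside the reserved iPhone range."""
    reserved = ipaddress.ip_network(device_range)
    findings: list[str] = []
    for r in rules:
        where = f"{r.src} dport {r.lo}-{r.hi}"
        extra = sorted(r.ports() - FACETIME_PORTS)
        if extra:
            findings.append(f"MEDIUM: {where}: {len(extra)} ports (first {extra[0]}) "
                            "are not on the FaceTime list")
        if not r.src.subnet_of(reserved):
            # CIDR blocks either nest or are disjoint, so subtracting the
            # reserved block (when nested) gives the exposed address count.
            exposed = r.src.num_addresses
            if r.src.supernet_of(reserved):
                exposed -= reserved.num_addresses
            severity = "HIGH" if r.lo < WELL_KNOWN_LIMIT else "MEDIUM"
            findings.append(f"{severity}: {where}: source reaches {exposed} "
                            "addresses outside the reserved iPhone range")
    return findings


# Constructed addressing: a /26 carved out of the general wireless scope
# for the MAC-reserved iPhones.
IPHONE_RANGE = "10.20.3.0/26"

# Constructed 'before': FaceTime ports opened to every wireless client,
# with a sloppy media-port range on top.
BROAD_POLICY = """
allow 10.20.0.0/22 dport 53
allow 10.20.0.0/22 dport 80
allow 10.20.0.0/22 dport 443
allow 10.20.0.0/22 dport 4080
allow 10.20.0.0/22 dport 5223
allow 10.20.0.0/22 dport 16000-16500   # should be 16393-16472
"""


def main() -> None:
    print("Broad policy:")
    for finding in audit(parse_policy(BROAD_POLICY), IPHONE_RANGE):
        print("  " + finding)
    print("Scoped policy:")
    scoped = facetime_policy(IPHONE_RANGE)
    for r in scoped:
        print(f"  allow {r.src} dport {r.lo}-{r.hi}")
    print("  findings:", audit(scoped, IPHONE_RANGE) or "none")


if __name__ == "__main__":
    main()
```

Run it as a script to see the broad policy produce seven findings (the three on well-known ports rated HIGH) while the scoped policy produces none; the point is that the same six port spans are acceptable or not depending entirely on how narrow the source range is, which is what the MAC-reservation trick buys you.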

deb

"... a laptop with built-in webcam--which we already know is not all that common outside of Apple's products." Huh? Every Windows laptop I've bought in the last several years has had a built-in webcam and microphone; it's difficult to find one without those features.

QAonCall

How does that relieve the security risk associated with the point of attack? Allowing something that can be docked locally in the enterprise to be compromised seems like bad mojo. If you used this in the enterprise, you may have a level of security; however, the phone remains a viable and rich target (especially if they are CIO/CTO etc.) and they will be using this technology in airports and coffee shops. While I agree you can tighten the noose, the risk/reward still seems fairly high. But I don't have a CIO telling me it is a business need that didn't exist before he got his new toy! ;)
