Specifications

Network Requirements and Preparation
Planning and Installation Guide 923
With a TCP SYN flood, a stream of TCP SYN packets is sent to the receiving device
(often the firewall). The TCP connection table has finite memory and size, and it can be
filled with half-open entries by spurious SYN packets, preventing any real users from
completing the TCP connection required for HTTP communications.
An ICMP flood attack also floods a device, by streaming ICMP echo packets at a
recipient destination. This flood of packets requires the device to process and respond
to these pings, burning precious resources and preventing other traffic from being
serviced. By examining the site’s traffic patterns, advanced firewalls can apply logical
rules that prevent the device from trying to keep up with the denial-of-service attack
traffic. They also prevent this traffic from reaching the valuable web, application, and
database servers that create your Internet presence and service your customers.
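The following is an added example, not code from the ShoreTel guide: a toy model of the finite TCP connection table that a SYN flood fills, beside the kind of per-source half-open limit a stateful firewall applies so that a legitimate client can still complete its handshake. The table size, the limit, the documentation-range addresses and the packet sequence are all constructed for the demonstration.

```python
from collections import Counter

CAPACITY = 8               # constructed: size of the device's TCP entry table
PER_SRC_HALF_OPEN_LIMIT = 3  # constructed: firewall rule, half-open entries per source


class ConnTable:
    """Minimal stateful table: SYN creates a half-open entry, ACK completes it."""

    def __init__(self, capacity=CAPACITY, per_src_limit=None):
        self.capacity = capacity
        self.per_src_limit = per_src_limit   # None = no protective rule
        self.entries = {}                    # (src, sport) -> "SYN_RECV" | "ESTABLISHED"

    def half_open_by_src(self):
        return Counter(src for (src, _), st in self.entries.items() if st == "SYN_RECV")

    def handle(self, pkt):
        key = (pkt["src"], pkt["sport"])
        if pkt["flags"] == "S":
            # Firewall rule: refuse new half-open entries from a source already holding its quota.
            if self.per_src_limit is not None and \
                    self.half_open_by_src()[pkt["src"]] >= self.per_src_limit:
                return "dropped:rule"
            # Unprotected failure mode: table exhausted, real clients cannot get an entry.
            if len(self.entries) >= self.capacity:
                return "dropped:table_full"
            self.entries[key] = "SYN_RECV"
            return "syn_recv"
        if pkt["flags"] == "A" and self.entries.get(key) == "SYN_RECV":
            self.entries[key] = "ESTABLISHED"
            return "established"
        return "ignored"


def simulate(per_src_limit=None):
    """Constructed traffic: 10 spurious SYNs that never complete, then one real handshake."""
    flood = [{"src": "198.51.100.7", "sport": 40000 + i, "flags": "S"} for i in range(10)]
    client = [{"src": "203.0.113.5", "sport": 51515, "flags": "S"},
              {"src": "203.0.113.5", "sport": 51515, "flags": "A"}]
    table = ConnTable(per_src_limit=per_src_limit)
    return [table.handle(p) for p in flood + client]


if __name__ == "__main__":
    print("no rule   :", simulate()[-2:])                         # client SYN dropped
    print("with rule :", simulate(PER_SRC_HALF_OPEN_LIMIT)[-2:])  # client established
```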
By using firewalls in conjunction with the DMZ design technique, many businesses and
service providers strive to present as much information as possible without permitting
unwanted access to corporate resources.
One way to keep your mission-critical resources as private as possible, while still
allowing for a strong Internet presence, is to use Network Address Translation (NAT).
NAT offers the outside world one, or a few, IP addresses. This allows a manager to set
up whatever internal IP addressing scheme may be required by corporate policies and
business needs. An internal resource’s IP address (source IP) is changed as it passes
through the NAT function to one of the “outside” IP addresses. Thus, the external
world does not know any of the enterprise’s internal IP addresses. Only the NAT device
presents an IP address that is known to, and used by, external devices. The NAT device
keeps track of these conversations and performs the IP address translation as needed.
Extending the private network of the corporate LAN to remote sites via VPN is a
proven method of deploying a ShoreTel 6.1 system across multiple sites. All IP
telephony endpoints (such as ShoreWare server(s), ShoreGear switches, and IP
telephones) should participate in the same private network, with firewalls between
ShoreTel equipment and the public Internet. If needed, you can elect to open access to
the ShoreWare server(s) to access ShoreWare Director via HTTP, using the same
precautions you would when exposing any critical server’s web services to the public
network.
NOTE Configuring firewalls to function correctly with VoIP traffic is very difficult.
ShoreTel does not recommend deploying ShoreTel equipment across firewalls.