Installation guide

Media Encryption Network Requirements and Preparation
3
ShoreTel 14.2 Planning and Installation Guide 63
advanced firewalls can apply logical rules that prevent the device from trying to keep up with
denial-of-service attack traffic. They also prevent this traffic from reaching the web, application,
and database servers that create your Internet presence and serve your customers. By using
firewalls in conjunction with a DMZ design, many businesses and service providers strive to present
as much information as possible to the outside world without permitting unwanted access to
corporate resources.
One way to keep your mission-critical resources as private as possible, while still allowing for a strong
Internet presence, is to use Network Address Translation (NAT). NAT presents the outside world with one,
or a few, public IP addresses, which lets an administrator set up whatever internal IP addressing scheme
corporate policy and business needs require. As a packet from an internal resource passes through the
NAT function, its source IP address is rewritten to one of the “outside” addresses, so the external world
sees only the NAT device’s addresses and never learns the enterprise’s internal ones. The NAT device
keeps a table of these conversations and reverses the translation on the return traffic. Note that NAT
rewrites only packet headers: an internal address carried inside an application payload (as SIP signaling
carries it in its SDP body) passes through unchanged.
Extending the private network of the corporate LAN to remote sites via VPN is a proven method of
deploying a ShoreTel system across multiple sites. All IP telephony endpoints (such as ShoreTel
servers, ShoreTel Voice Switches, and IP telephones) should participate in the same private network,
with firewalls between ShoreTel equipment and the public Internet. If needed, you can open access to
the ShoreTel server so that ShoreTel Director can be reached via HTTP, taking the same precautions you
would when exposing any critical web server to the public network.
Configuring firewalls to function correctly with VoIP traffic is very difficult: SIP signaling and the RTP
media streams use separate, dynamically negotiated ports, so static port rules either block calls or leave
wide port ranges open. ShoreTel does not recommend deploying ShoreTel equipment across firewalls.
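As an added illustration that is not from the ShoreTel guide or any ShoreTel software, the following Go program models the NAT behaviour described above and the VoIP problem it creates: a stateful source NAT with a single public address rewrites the source of outbound packets, records each conversation, maps replies back to the inside host, and drops unsolicited inbound packets. Because the NAT touches only the IP/UDP header, a SIP INVITE whose SDP body names the phone's private address leaves with that address intact, so the far end would try to send its RTP media to an unroutable address. The Packet and NAT types, the addresses, ports and the SIP/SDP text are constructed sample data for this example, not a real implementation.

```go
package main

import (
	"fmt"
	"strings"
)

// Packet is a minimal model of an IPv4/UDP datagram: the header fields a NAT rewrites
// plus an opaque application payload that it does not.
type Packet struct {
	SrcIP, DstIP     string
	SrcPort, DstPort int
	Payload          string
}

type endpoint struct {
	ip   string
	port int
}

// NAT models a stateful source NAT with one public address (port address translation).
type NAT struct {
	PublicIP string
	nextPort int
	toPublic map[endpoint]endpoint // inside (ip,port) -> public (ip,port)
	toInside map[int]endpoint      // public port -> inside (ip,port)
}

// NewNAT returns an empty translation table for the given public address.
func NewNAT(publicIP string) *NAT {
	return &NAT{PublicIP: publicIP, nextPort: 40000,
		toPublic: map[endpoint]endpoint{}, toInside: map[int]endpoint{}}
}

// Outbound rewrites the source of a packet leaving the private network to the public
// address and records the mapping so that replies can be routed back to the sender.
func (n *NAT) Outbound(p Packet) Packet {
	in := endpoint{p.SrcIP, p.SrcPort}
	pub, ok := n.toPublic[in]
	if !ok {
		pub = endpoint{n.PublicIP, n.nextPort}
		n.nextPort++
		n.toPublic[in] = pub
		n.toInside[pub.port] = in
	}
	p.SrcIP, p.SrcPort = pub.ip, pub.port
	return p
}

// Inbound maps a packet arriving at the public address back to the inside host.
// A packet with no existing mapping is unsolicited and is dropped (ok == false), so an
// outside host cannot reach an inside address it has not already been talking to.
func (n *NAT) Inbound(p Packet) (Packet, bool) {
	in, ok := n.toInside[p.DstPort]
	if !ok || p.DstIP != n.PublicIP {
		return Packet{}, false
	}
	p.DstIP, p.DstPort = in.ip, in.port
	return p, true
}

// leaksPrivateAddress reports whether the payload still carries the private address.
// The NAT never looks inside the payload, so an SDP line such as "c=IN IP4 10.0.0.5"
// survives translation untouched: one reason VoIP through NAT and firewalls is hard.
func leaksPrivateAddress(p Packet, privateIP string) bool {
	return strings.Contains(p.Payload, privateIP)
}

func main() {
	nat := NewNAT("198.51.100.1") // constructed public address
	// Constructed SIP INVITE from a phone on the private LAN; the SDP body names its private IP.
	invite := Packet{SrcIP: "10.0.0.5", SrcPort: 5060, DstIP: "203.0.113.10", DstPort: 5060,
		Payload: "INVITE sip:2001@203.0.113.10 SIP/2.0\r\n\r\nv=0\r\nc=IN IP4 10.0.0.5\r\nm=audio 20000 RTP/AVP 0\r\n"}
	out := nat.Outbound(invite)
	fmt.Printf("outbound header after NAT: %s:%d -> %s:%d\n", out.SrcIP, out.SrcPort, out.DstIP, out.DstPort)
	fmt.Printf("SDP body still names the private address: %v\n", leaksPrivateAddress(out, "10.0.0.5"))
	reply := Packet{SrcIP: "203.0.113.10", SrcPort: 5060, DstIP: "198.51.100.1", DstPort: out.SrcPort, Payload: "SIP/2.0 200 OK"}
	if back, ok := nat.Inbound(reply); ok {
		fmt.Printf("reply delivered to inside host %s:%d\n", back.DstIP, back.DstPort)
	}
	_, ok := nat.Inbound(Packet{SrcIP: "203.0.113.10", SrcPort: 5060, DstIP: "198.51.100.1", DstPort: 40001})
	fmt.Printf("unsolicited inbound packet accepted: %v\n", ok)
}
```

A real NAT also ages mappings out and may run a SIP application-layer gateway that rewrites the SDP addresses; this model deliberately leaves that out to show what a plain NAT does and does not change.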
Media Encryption
In addition to using a VPN or a firewall, another way to enhance the security of your network is to
enable media encryption through ShoreTel Director. Media encryption, as the name suggests, encrypts
the media streams of calls between users on a ShoreTel system, so that an intruder who captures packets
on the network cannot eavesdrop on the conversation. Media encryption covers the call audio; the
signaling that sets calls up between 400-Series phones and the system is protected separately, as
described in the next section.
For details about media encryption, see the ShoreTel System Administration Guide.
Security for ShoreTel 400-Series IP Phones
ShoreTel 400-Series IP phones use a combination of methods to provide secure communications.
The ShoreTel Headquarters server functions as the X.509 Certificate Authority for the system’s public-
key infrastructure (PKI). An X.509 certificate binds a public key to identifying information about its
owner and is digitally signed, either with the associated private key (a self-signed certificate, as for
a CA’s own root certificate) or by a Certificate Authority (CA). The certificate also carries a validity
period, after which it expires and must be rejected by anyone verifying it. In addition to the X.509
certificates, the ShoreTel system uses Secure Session Initiation Protocol (SIPS), which is SIP carried
over Transport Layer Security (TLS). TLS is a standard protocol that uses the PKI to authenticate the
endpoints and establish an encrypted connection between two entities on an IP network.
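As an added example that is not from the ShoreTel guide or ShoreTel's own software, the following Go program (standard library only) walks through the PKI roles just described: a self-signed CA certificate in the role the Headquarters server plays, a device certificate issued to a phone and signed with the CA's private key, and the verification a TLS peer performs when it receives that certificate in a SIPS handshake. It shows that a valid device certificate chains to the CA, that the same certificate is rejected once its expiration date has passed, and that a certificate issued by a different CA that merely copies the CA's name is rejected. The CA name, the phone's hostname, the serial numbers and the validity periods are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must aborts on setup errors (key generation, DER encoding); an example need not recover from them.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA certificate, the role the Headquarters server plays:
// the certificate is signed with the private key that belongs to its own public key.
func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueDeviceCert signs an end-entity certificate for one endpoint (such as a phone) with
// the CA's private key; notBefore/notAfter make up the certificate's validity period.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, serial int64,
	notBefore, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the device's own key pair
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// verifyAgainst is what a TLS peer does with the certificate presented in a SIPS handshake:
// check that it chains to the trusted CA and that it is within its validity period at `at`.
func verifyAgainst(cert, trustedCA *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// scenario runs the three checks a deployment relies on and returns their outcomes.
func scenario(now time.Time) (validOK, expiredRejected, foreignRejected bool) {
	hqCA, hqKey := newCA("example-hq-ca", now) // assumed CA name, not a ShoreTel default
	phone := issueDeviceCert(hqCA, hqKey, "phone-1001.example.invalid", 2, now.Add(-time.Minute), now.Add(24*time.Hour))
	validOK = verifyAgainst(phone, hqCA, now) == nil
	// The same certificate checked a week later is past NotAfter and must be rejected as expired.
	var invalid x509.CertificateInvalidError
	err := verifyAgainst(phone, hqCA, now.Add(7*24*time.Hour))
	expiredRejected = errors.As(err, &invalid) && invalid.Reason == x509.Expired
	// A certificate from an attacker's own CA that merely copies the name does not chain to hqCA.
	rogueCA, rogueKey := newCA("example-hq-ca", now)
	rogue := issueDeviceCert(rogueCA, rogueKey, "phone-1001.example.invalid", 3, now.Add(-time.Minute), now.Add(24*time.Hour))
	foreignRejected = verifyAgainst(rogue, hqCA, now) != nil
	return
}

func main() {
	v, e, f := scenario(time.Now())
	fmt.Printf("valid device cert accepted: %v\nexpired cert rejected: %v\nforeign-CA cert rejected: %v\n", v, e, f)
}
```

The rogue-CA case is the one that matters operationally: a TLS peer must trust only the system CA's certificate, not any certificate that happens to carry the right name, and the expiry check is why device certificates have to be reissued before their NotAfter date.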