Chapter 9: Network Requirements and Preparation Media Encryption
ShoreTel 8 Planning and Installation Guide 121
from trying to keep up with the denial-of-service attack traffic. They also prevent this
traffic from reaching the valuable web, application, and database servers that create your
Internet presence and service your customers.
By using firewalls in conjunction with the DMZ design technique, many businesses and
service providers strive to present as much information as possible without permitting
unwanted access to corporate resources.
One way to keep your mission-critical resources as private as possible, while still allowing
for a strong Internet presence, is to use Network Address Translation (NAT). NAT offers the
outside world one, or a few, IP addresses. This allows a manager to set up whatever internal
IP addressing scheme may be required by corporate policies and business needs. An
internal resource’s IP address (source IP) is changed as it passes through the NAT function
to one of the “outside” IP addresses. Thus, the external world does not learn any of the
enterprise’s internal IP addresses. Only the NAT device presents an IP address that is
known to, and used by, external devices. The NAT device keeps track of these conversations
and performs the IP address translation as needed.
Extending the private network of the corporate LAN to remote sites via VPN is a proven
method of deploying a ShoreTel 8 system across multiple sites. All IP telephony endpoints
(such as ShoreWare server(s), ShoreGear switches, and IP telephones) should participate in
the same private network, with firewalls between ShoreTel equipment and the public
Internet. If needed, you can elect to open access to the ShoreWare server(s) to access
ShoreWare Director via HTTP, using the same precautions you would when exposing any
critical server’s web services to the public network.
Configuring firewalls to function correctly with VoIP traffic is very difficult. ShoreTel does
not recommend deploying ShoreTel equipment across firewalls.
9.12 Media Encryption
In addition to using a VPN or a firewall, another method of enhancing the security on your
network is to enable the ShoreTel media encryption feature. Media encryption, as the name
suggests, encrypts calls between users on a ShoreTel system. The encryption scrambles
communications between callers so an intruder on the network cannot eavesdrop on the
The ShoreTel encryption algorithm utilizes dynamically generated keys to encrypt the RTP
data for the media stream. The payload inside the RTP packets is encrypted by the sending
party, and the transmission is decrypted by the receiving party. The ShoreTel algorithm was
selected for its reliability, simplicity, and efficiency; it places very little burden on the
switch's CPU even under maximum load.
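To make concrete which bytes a payload-only scheme like this protects, the following is an added illustration written for this page; it is not ShoreTel's algorithm, which the guide does not publish. It encrypts only the RTP payload under a per-call AES-128-GCM key and copies the 12-byte RTP header through in the clear, so an on-path observer still sees sequence numbers, timestamps and SSRC but not the media; the function names, the packet-index nonce scheme and the sample packet are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

const rtpHeaderLen = 12 // fixed RTP header (RFC 3550); it is never encrypted

// BuildRTPPacket assembles a constructed RTP packet (V=2, no CSRCs) for the demo.
func BuildRTPPacket(pt byte, seq uint16, ts, ssrc uint32, payload []byte) []byte {
	h := make([]byte, rtpHeaderLen)
	h[0], h[1] = 0x80, pt&0x7f
	binary.BigEndian.PutUint16(h[2:], seq)
	binary.BigEndian.PutUint32(h[4:], ts)
	binary.BigEndian.PutUint32(h[8:], ssrc)
	return append(h, payload...)
}
// aead returns AES-128-GCM under the per-call key and this packet's nonce (8-byte
// packet index + SSRC). The index must never repeat under one key: GCM nonce reuse
// destroys confidentiality, so the sender must count every packet it sends.
func aead(key *[16]byte, pkt []byte, index uint64) (cipher.AEAD, []byte, error) {
	if len(pkt) < rtpHeaderLen {
		return nil, nil, errors.New("packet shorter than RTP header")
	}
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 16-byte key
	gcm, _ := cipher.NewGCM(block)    // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	binary.BigEndian.PutUint64(nonce, index)
	copy(nonce[8:], pkt[8:12])
	return gcm, nonce, nil
}
// SealRTP encrypts only the payload; the header is copied through in the clear
// and bound to the ciphertext as associated data so header tampering is detected.
func SealRTP(key *[16]byte, pkt []byte, index uint64) ([]byte, error) {
	gcm, nonce, err := aead(key, pkt, index)
	if err != nil {
		return nil, err
	}
	hdr := pkt[:rtpHeaderLen]
	return gcm.Seal(append([]byte{}, hdr...), nonce, pkt[rtpHeaderLen:], hdr), nil
}
// OpenRTP returns the decrypted payload; it fails if header or payload changed.
func OpenRTP(key *[16]byte, pkt []byte, index uint64) ([]byte, error) {
	gcm, nonce, err := aead(key, pkt, index)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, pkt[rtpHeaderLen:], pkt[:rtpHeaderLen])
}
```

A packet capture of such a stream therefore still reveals call metadata (who is talking to whom, for how long, and the codec), which is why the guide also recommends keeping the ShoreTel equipment on the private network behind firewalls.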
• TCP/IP and UDP packet headers are not encrypted.
• Only calls inside a ShoreTel network will be encrypted. Once the call passes
through TDM or analog trunks or via SIP, the encryption is stripped away and the
conversation is no longer encrypted.
• The encryption algorithm handles the key exchange between the sending and
receiving parties at the time of call setup. If the call starts off without encryption,
and encryption is enabled during the middle of a call, the call will remain