Review: ShoreTel 8.0 Shores Up Security
Traditional telecom networks used to be considered fairly secure because you generally needed to be physically there to access the system. With IP networks, voice is much more vulnerable because of all the security weaknesses associated with IP—including sniffing, spoofing, denial of service and integrity attacks. The phone environment is exposed to the same worms and viruses that steal information and slow down the network on the data side, except these threats also affect call quality. An unprotected voice network is also a potential entry point into the data network. Voice networks need the same careful attention to security as data networks do, if not more, since there are more endpoints to protect.
The Test Center deployed a full system from ShoreTel Inc., Sunnyvale, Calif., to evaluate the ways the VoIP vendor incorporated security features into its latest offering. The system, a ShoreGear-90 and four IP phones, was configured using ShoreTel 8.0. For the most part, all the security features were either built in out of the box or could be enabled with a checkbox in ShoreWare Director, the management interface.
ShoreTel allows the network to be logically segregated by supporting VLANs and tagging straight out of the box. Customers can use existing switching infrastructure to create VLANs separating data and voice traffic. As long as the ShoreGear switch and phones are plugged into the ports designated for the voice VLAN, the system will obtain the correct configuration and route the calls along the proper network. Voice packets can also be prioritized to optimize performance and guarantee bandwidth.
IP telephony calls are vulnerable to snooping, as voice packets can be decoded into audio files, making it possible to eavesdrop on conversations. It's essential to encrypt voice data on local network segments, and this is something ShoreTel has handled for several versions now. Enabling it is just a matter of checking off a box in ShoreWare Director, and the actual encryption is handled by each IP phone. ShoreTel 8.0 upgraded encryption to 128-bit from the previous version's 64-bit. Because the phones automatically handle peer-to-peer encryption on the local network, the entire conversation is private, secure and seamless. With a proper VPN gateway in place, the encryption can be extended to remote users, as well.
With ShoreTel 8.0, administrators can develop policies to restrict user-level access. The end-user management application, Call Manager, can be different for each user based on the authentication level. Users with operator privileges get more features unlocked in Call Manager than the basic end user. ShoreWare Director restricts access to secure SSL connections.
ShoreTel 8.0 requires multiple passwords to protect various components. The voicemail password is different from the password to access the Call Manager interface. There is also an entirely different password for the conference room feature. Since the Call Manager interface contains individual settings (such as the address book), its password requirements are much stronger than those for voicemail (whose password is all-numeric). The ShoreTel system is flexible enough to account for the customer's internal security requirements. Some verticals require passwords to be changed at frequent intervals. Some customers may require some level of logging. Others may impose minimum requirements for creating a password. The policies can also be applied to certain groups, such as traders being required to change passwords every 30 days, in contrast to public access phones in the elevator banks, which have no such requirement.
ShoreTel partners with networking vendors like Juniper Networks Inc., Sunnyvale, Calif., and Enterasys Networks, Andover, Mass., to extend its security features. Customers using networking products, such as switches, routers and VPNs, from these partners can set up policies or QoS functions to enhance the ShoreTel system. For example, Enterasys switches can set policies to discover, classify and prioritize ShoreTel switches and traffic on the network. Enterasys switches can then implement bandwidth control over ShoreTel's VoIP servers.
Important indicators of a VoIP security feature's performance are how well it protects against a vulnerability or threat, its ease of management and its transparency to end users. Turning on SSL and encryption is just a matter of finding and checking off a box. Since encryption is an all-or-nothing proposition (either all calls are encrypted or none are), end users do not have to worry about the process. ShoreTel has incorporated security into the product in such a way that solution providers don't have to think separately about how to protect the customer's system: It's built in from the start.