Here is my conversation with our ShoreTel partner. Am I wrong to assume that this is a blatantly risky security practice? Does anyone else run ShoreTel for VoIP? Do you have your firewall disabled too?
I say:
Hi Brett,
This is Karl with [company]. I was wondering if you had, or know where I can find, a list of firewall exceptions that ShoreTel needs in order to run. Currently the whole firewall is turned off on the server and I’m concerned about security.
He says:
You are talking about the Windows Firewall on the server itself, correct? ShoreTel requests that this be disabled completely on the server. The newer versions are requiring it to be disabled for it to be installed. Do you have specific concerns about the security of that server?
I say:
Brett,
Thanks for the reply. Yes, I am talking about the Windows Firewall. It is against our security policy to leave the Windows Firewall disabled. With it disabled I now have a huge hole in security. If this server were to be compromised, all VoIP traffic would be vulnerable, as well as creating an easy foothold in the network to use as leverage against other servers on the same VM host and network. Having the firewall disabled is not in accordance with any ISO/IEC security policy nor any best practice. There must be certain services, ports, and/or protocols that can be opened while the Windows Firewall is operable to provide the needed functionality to ShoreTel while maintaining security. Crossing my fingers and hoping my server doesn’t get owned isn’t an option with millions of dollars of intellectual property sitting on the same VM host and network. If you don’t have access to the protocols, services, and ports that ShoreTel needs to run correctly, can you point me in the right direction?
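The alternative the post is asking for, scoped allow rules instead of a disabled host firewall, looks like the following in PowerShell. This is an added example and is not from the original post, from the vendor, or from ShoreTel's documentation; the page does not give ShoreTel's real port list, so the binary path, voice subnet and port ranges below are placeholders, and the discovery step is how you would find the real values on your own server. It assumes Windows Server 2012 or later (the NetSecurity module) and an elevated session.

```powershell
# Added example, not ShoreTel's or the vendor's code. Placeholder values are marked.
# Assumes Windows Server 2012+ (NetSecurity module) and an elevated PowerShell session.
#Requires -RunAsAdministrator
Import-Module NetSecurity

# 1. Show the current profile state. The situation described in the post is
#    Enabled = False on every profile, i.e. no host filtering at all.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Discover what the VoIP software actually listens on, mapped to the owning
#    process, so the rule set is built from observed behaviour rather than guesswork.
#    Run this while the services are up and a test call is in progress.
function Get-ListeningPortsByProcess {
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Proto = 'TCP'; Port = $_.LocalPort; Process = $p.ProcessName; Path = $p.Path }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Proto = 'UDP'; Port = $_.LocalPort; Process = $p.ProcessName; Path = $p.Path }
    }
    @($tcp) + @($udp) | Sort-Object Process, Proto, Port
}
Get-ListeningPortsByProcess | Format-Table -AutoSize

# 3. Create inbound allow rules scoped three ways: to the program binary, to the
#    named ports, and to the voice VLAN. Anything else stays blocked by default.
#    $AppPath, $VoiceSubnet and the port ranges are placeholders; replace them with
#    the values from step 2 or from the vendor's port list.
$AppPath     = 'C:\Program Files\VendorVoIP\server.exe'   # placeholder path
$VoiceSubnet = '10.20.30.0/24'                            # placeholder voice VLAN
$rules = @(
    @{ Name = 'signalling'; Protocol = 'TCP'; LocalPort = '5060' }          # placeholder port
    @{ Name = 'media';      Protocol = 'UDP'; LocalPort = '10000-20000' }   # placeholder range
)
foreach ($r in $rules) {
    New-NetFirewallRule -DisplayName "VoIP - $($r.Name)" -Direction Inbound -Action Allow `
        -Program $AppPath -Protocol $r.Protocol -LocalPort $r.LocalPort `
        -RemoteAddress $VoiceSubnet -Profile Domain,Private -Enabled True | Out-Null
}

# 4. Re-enable the firewall with default-deny inbound, and log dropped packets so
#    any port the rule set missed shows up in pfirewall.log instead of failing silently.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 5. Verify what was created.
Get-NetFirewallRule -DisplayName 'VoIP - *' |
    Get-NetFirewallPortFilter |
    Format-Table -AutoSize
```

The point of steps 2 and 4 together is that you do not have to trust a vendor's "just turn it off": the listener inventory tells you what the application opens, and the blocked-packet log tells you what the rule set still misses after the firewall is back on, so the exception list converges on exactly the ports and peers the system needs.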