IPOthermia
Vendor
Since the ShoreTel forum looks a bit dead, I am hopeful the Mitel forum is now the place.
I have IP480g and IP485g phones. Mitel documentation claims NTP can be set via DHCP and/or by using custom.txt files from the NTP server.
We have exhausted reasonable efforts to make either the DHCP or custom.txt options work. We have proven that neither actually does.
Mitel's is now saying 'the phones are working as designed'. In spite of their documentation to the contrary.
Problem with NTP asking for time all over the world (Mitel's default behavior) is a security issue. PCI DSS mentions this specific issue in their list of SAQ questions. Bad actors hosting an NTP for the world could use the information to pinpoint your network for DDOS or other attacks since all the phones on your network are shouting to the world "HERE WE ARE, WE ARE OVER HERE! (and here is the public IP Address).
The other problem is even if we block NTP at the firewall, then our firewall needs to keep processing bogus attempts from every phone several times a minute, and the network noise will fill up security logs that are intended for real traffic and monitoring. Not just blocking poor performance from sloppy firmware written by Mitel.
My main goal here is to inform the public and apply pressure to Mitel to fix their firmware so that it actually works as documented.
Thanks...
I have IP480g and IP485g phones. Mitel documentation claims NTP can be set via DHCP and/or by using custom.txt files from the NTP server.
We have exhausted reasonable efforts to make either the DHCP or custom.txt options work. We have proven that neither actually does.
Mitel's is now saying 'the phones are working as designed'. In spite of their documentation to the contrary.
Problem with NTP asking for time all over the world (Mitel's default behavior) is a security issue. PCI DSS mentions this specific issue in their list of SAQ questions. Bad actors hosting an NTP for the world could use the information to pinpoint your network for DDOS or other attacks since all the phones on your network are shouting to the world "HERE WE ARE, WE ARE OVER HERE! (and here is the public IP Address).
The other problem is even if we block NTP at the firewall, then our firewall needs to keep processing bogus attempts from every phone several times a minute, and the network noise will fill up security logs that are intended for real traffic and monitoring. Not just blocking poor performance from sloppy firmware written by Mitel.
My main goal here is to inform the public and apply pressure to Mitel to fix their firmware so that it actually works as documented.
Thanks...
ool.ntp.org /dataonly /samples:1