Hi,

Do you mean for a provisioning server? Rather than the management web interface of the device.

If for a provisioning server

1) Use devices with unique factory-installed client certificates (Snom, Yealink, Cisco, Panasonic). Verify the MAC presented matches that in the certificate - you will need a script rather than plain files on a server. Set your webserver to only allow access from devices with a client cert. And also different URLs (and often, sadly, IP addresses) for each phone type. Turn off plain HTTP.

1b) TLS authentication needs to be mutual, so proper certs server side.

1c) Grill your device supplier about their procedure for signing and burning in the factory.

Encryption of configuration files - you still have to get a key into the device. And it needs to be a unique key per device, which leads you straight back to needing 1).



The Cisco phones (and their Sipura and Linksys grandparents) have had this setup sorted since like 2004; it is pretty tried and tested.


If you are going to do your own certs, then you need to have the devices on your desk and have a good setup for doing this. Or you end up back using 1) to seed the device.

And watch out for certificate expiry dates.


(There are various companies who don't do unique factory certs, who claim still to have a secure setup, whose security can be bypassed in like 3 seconds. Like their CA private key is in the firmware.)

This is a good read:
https://www.itspa.org.uk/wp-content/uploads/1705_Provisioning_BCP.pdf

Tim


On 17/11/2020 14:08, Jeff Anderson wrote:
For providers that have centralized SIP device management that is available on the internet, how have you been protecting your configurations from unauthorized access over HTTPS?

Are there any specific measures that you found most helpful?

I am assuming that certificate authentication is probably the best option. For people that are doing this, are you using the factory installed certs from the hardware provider or installing your own certificates on the devices? Are there any lessons learned on using certs that you can share?

Thanks






_______________________________________________
VoiceOps mailing list
VoiceOps@voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops


--
Tim Bray
Huddersfield, GB
t...@kooky.org
+44 7966479015

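The MAC-versus-certificate check from point 1 above, written out as an added example; it is not part of Tim's message, the ITSPA document, or any vendor's provisioning code. It assumes the web server terminates mutual TLS and hands the verification result and the client certificate's subject DN to the script as headers, the way nginx's $ssl_client_verify and $ssl_client_s_dn variables can be forwarded. The header names, the per-device filename conventions and the assumption that the phone's MAC appears in the certificate CN are all assumptions, since vendors differ; the sample requests at the bottom are constructed.

```python
"""Authorize a provisioning request: the MAC in the requested per-device
config filename must match the MAC in the verified TLS client certificate.

Assumed deployment (not from the original thread): the web server does the
mutual-TLS handshake and forwards two headers to this script, e.g. nginx
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-DN     $ssl_client_s_dn;
Everything below is written against those assumed headers.
"""
import re
from dataclasses import dataclass
from typing import Optional

# A 12-hex-digit MAC, with or without ':' / '-' separators, bounded by
# non-hex characters so "SEP001122334455" yields exactly the MAC and a
# 16-digit serial number is not mistaken for one.
MAC_RE = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[:\-]?){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])")
HEX12_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{12}(?![0-9A-Fa-f])")


def normalize_mac(raw: str) -> Optional[str]:
    """Canonical form: 12 upper-case hex digits, no separators."""
    digits = re.sub(r"[:\-]", "", raw).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None


def mac_from_path(path: str) -> Optional[str]:
    """MAC embedded in the requested filename, e.g. SEP001122334455.cnf.xml
    or 001565aabbcc.cfg (assumed conventions). None means the file is not
    device-specific (firmware image, common config)."""
    filename = path.split("?", 1)[0].rsplit("/", 1)[-1]
    found = HEX12_RE.findall(filename)
    return normalize_mac(found[0]) if len(found) == 1 else None


def mac_from_subject_dn(dn: str) -> Optional[str]:
    """MAC from the CN of an RFC 2253 subject DN such as
    'CN=SEP001122334455,OU=EVT,O=Example'. Ambiguous CNs are rejected."""
    for component in re.split(r"(?<!\\),", dn):
        key, _, value = component.strip().partition("=")
        if key.strip().upper() == "CN":
            matches = MAC_RE.findall(value)
            return normalize_mac(matches[0]) if len(matches) == 1 else None
    return None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(verify_status: Optional[str], subject_dn: Optional[str], path: str) -> Decision:
    # 1. The TLS layer must report a successfully verified client chain;
    #    an optional/absent cert is a deny, never a fall-through.
    if verify_status != "SUCCESS":
        return Decision(False, "client certificate missing or failed verification")
    cert_mac = mac_from_subject_dn(subject_dn or "")
    if cert_mac is None:
        return Decision(False, "no unambiguous MAC in client certificate CN")
    # 2. Files that are not device-specific go to any verified device.
    path_mac = mac_from_path(path)
    if path_mac is None:
        return Decision(True, "shared file, served to verified device %s" % cert_mac)
    # 3. A per-device file is served only to the device whose cert names it.
    if path_mac != cert_mac:
        return Decision(False, "cert MAC %s requested file for %s" % (cert_mac, path_mac))
    return Decision(True, "per-device file matches client certificate %s" % cert_mac)


if __name__ == "__main__":
    # Constructed sample requests (verify header, DN header, path).
    samples = [
        ("SUCCESS", "CN=SEP001122334455,OU=EVT,O=Example", "/prov/cisco/SEP001122334455.cnf.xml"),
        ("SUCCESS", "CN=SEP001122334455,OU=EVT,O=Example", "/prov/cisco/SEP00AABBCCDDEE.cnf.xml"),
        ("NONE", "", "/prov/cisco/SEP001122334455.cnf.xml"),
        ("SUCCESS", "CN=00:15:65:aa:bb:cc,O=Example", "/prov/yealink/firmware/T46.rom"),
    ]
    for verify, dn, path in samples:
        d = authorize(verify, dn, path)
        print("%-5s %-45s %s" % ("ALLOW" if d.allowed else "DENY", path, d.reason))
```

Denials are logged with both MACs so a phone (or anything else holding one phone's certificate) that walks other devices' filenames shows up as a clear pattern in the access log, which is the detection side of the same check.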
