Preventing unauthorized access to SIP device config files

For providers that have centralized SIP device management that is available on the internet how have you been protecting your configurations from unauthorized access over https? Are there any specific measures that you found most helpful? I am assuming that certificate authentication is probably the best option. For people that are doing this, are you using the factory installed certs from the hardware provider or installing your own certificates on the devices? Are there any lessons learned on using certs that you can share? Thanks

Jeff,

It depends on the device manufacturer and what they support. We use a combination of these where the hardware vendor supports them.

1) Mutual TLS with the built in certs.
2) Encryption of the configuration files.
3) Matching user agents (this can easily be spoofed but it's better than nothing).
4) Different URLs for different device manufacturers, e.g. polycom.prov.example.org, yealink.prov.example.org
5) Deploying IP black lists.
6) Only allowing IP ranges where you expect traffic from.

I gave a talk about security at Astricon a few years back which talks amongst other things about provisioning security: https://www.youtube.com/watch?v=9Wzzlo1kfTQ&ab_channel=OfficialAsteriskYouTu...

On Tue, Nov 17, 2020 at 9:10 AM Jeff Anderson <ciscoplumber at gmail.com> wrote:
> For providers that have centralized SIP device management that is available on the internet how have you been protecting your configurations from unauthorized access over https?
> Are there any specific measures that you found most helpful?
> I am assuming that certificate authentication is probably the best option. For people that are doing this, are you using the factory installed certs from the hardware provider or installing your own certificates on the devices? Are there any lessons learned on using certs that you can share?
> Thanks
> _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops

Hi,

Do you mean for a provisioning server? Rather than the management web interface of the device.

If for a provisioning server:

1) Use devices with unique factory installed client certificates (Snom, Yealink, Cisco, Panasonic). Verify the MAC presented matches that in the certificate - you will need a script rather than plain files on a server. Set your webserver to only allow access from devices with a client cert. And also different URLs (and often, sadly, IP addresses) for each phone type. Turn off plain HTTP.
1b) TLS authentication needs to be mutual, so proper certs server side.
1c) Grill your device supplier about their procedure for signing and burning in the factory.

Encryption of configuration files - you still have to get a key into the device. And it needs to be a unique key per device, which leads you straight back to needing 1).

The Cisco (and their Sipura and Linksys grandparents) have had this setup sorted since like 2004, it is pretty tried and tested.

If you are going to do your own certs, then you need to have the devices on your desk and have a good setup for doing this. Or you end up back using 1) to seed the device. And watch out for certificate expiry dates.

(There are various companies who don't do unique factory certs, who claim still to have a secure setup, whose security can be bypassed in like 3 seconds. Like their CA private key is in the firmware.)

This is a good read: https://www.itspa.org.uk/wp-content/uploads/1705_Provisioning_BCP.pdf

Tim

On 17/11/2020 14:08, Jeff Anderson wrote:
> For providers that have centralized SIP device management that is available on the internet how have you been protecting your configurations from unauthorized access over https?
> Are there any specific measures that you found most helpful?
> I am assuming that certificate authentication is probably the best option. For people that are doing this, are you using the factory installed certs from the hardware provider or installing your own certificates on the devices? Are there any lessons learned on using certs that you can share?
> Thanks
-- 
Tim Bray
Huddersfield, GB
tim at kooky.org
+44 7966479015
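An added example, not from the thread, of the kind of provisioning-side script Tim describes: after a TLS-terminating web server has already enforced mutual TLS, the script checks that the MAC in the client certificate's CN matches the MAC in the requested config filename before the file is served. The CN layout, the `/<mac>.cfg` request path and the sample DN are assumptions for illustration; real vendor certificates and phone request paths vary.

```python
import re
from typing import Optional

# Constructed sample: the subject DN a reverse proxy such as nginx would pass
# on (e.g. from $ssl_client_s_dn) once the client cert verified. The CN
# holding the bare MAC is an ASSUMPTION; check your vendor's certificates.
SAMPLE_CLIENT_DN = "CN=001565ABCDEF,O=Example Phone Vendor,C=CN"

MAC_RE = re.compile(r"^[0-9A-F]{12}$")
# Assumed request shape: /<12 hex digits>.cfg (real phones differ per vendor).
CONFIG_PATH_RE = re.compile(r"^/(?P<mac>[0-9a-fA-F]{12})\.cfg$")


def normalise_mac(value: str) -> Optional[str]:
    """Strip : - . separators and uppercase; None if not a 48-bit MAC."""
    mac = re.sub(r"[:\-.]", "", value.strip()).upper()
    return mac if MAC_RE.fullmatch(mac) else None


def mac_from_subject(dn: str) -> Optional[str]:
    """Return the CN of a simple comma-separated DN as a normalised MAC."""
    # Escaped commas inside RDN values are not handled; keep CNs plain.
    for part in dn.split(","):
        name, _, val = part.strip().partition("=")
        if name.upper() == "CN":
            return normalise_mac(val)
    return None


def mac_from_path(path: str) -> Optional[str]:
    """Return the MAC encoded in the requested config path, if any."""
    m = CONFIG_PATH_RE.match(path)
    return normalise_mac(m.group("mac")) if m else None


def authorise(client_verified: bool, client_dn: str, path: str) -> bool:
    """Serve only if mTLS succeeded AND cert MAC == MAC in the requested file.

    client_verified mirrors nginx's $ssl_client_verify == "SUCCESS"; a phone
    with a valid cert still may not fetch another phone's config.
    """
    if not client_verified:
        return False
    cert_mac = mac_from_subject(client_dn)
    path_mac = mac_from_path(path)
    if cert_mac is None or path_mac is None:
        return False
    return cert_mac == path_mac
```

Log the denied requests with the presented CN and path: a valid certificate asking for a different device's file is exactly the event worth alerting on.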