[VoiceOps] Preventing unauthorized access to SIP device config files

Dovid Bender dovid at telecurve.com
Tue Nov 17 09:19:20 EST 2020


Jeff,

It depends on the device manufacturer and what they support. We use a
combination of these where the hardware vendor supports them.

1) Mutual TLS with the built in certs.
2) Encryption of the configuration files.
3) Matching user agents (this can easily be spoofed but it's better then
nothing).
4) Different URL's for different device manufacturers. eg.
polycom.prov.example.org, yealink.prov.example.org
5) Deploying ip black lists.
6) Only allowing IP ranges where you expect traffic from.

I gave a talk about security at Astricon a few years back which talks
amongst other things about provisioning security
https://www.youtube.com/watch?v=9Wzzlo1kfTQ&ab_channel=OfficialAsteriskYouTubeChannel





On Tue, Nov 17, 2020 at 9:10 AM Jeff Anderson <ciscoplumber at gmail.com>
wrote:

> For providers that have centralized SIP device management that is
> available on the internet how have you been protecting your
> configurations from unauthorized access over https?
>
> Are there any specific measures that you found most helpful?
>
> I am assuming that certificate authentication is probably the best option.
> For people that are doing this, are you using the factory installed certs
> from the hardware provider or installing your own certificates on the
> devices? Are there any lessons learned on using certs that you can share?
>
> Thanks
>
>
>
>
>
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20201117/3f6a52cb/attachment.htm>


More information about the VoiceOps mailing list