[VoiceOps] Preventing unauthorized access to SIP device config files
Dovid Bender
dovid at telecurve.com
Tue Nov 17 09:19:20 EST 2020
Jeff,
It depends on the device manufacturer and what they support. We use a
combination of these where the hardware vendor supports them.
1) Mutual TLS with the built in certs.
2) Encryption of the configuration files.
3) Matching user agents (this can easily be spoofed but it's better then
nothing).
4) Different URL's for different device manufacturers. eg.
polycom.prov.example.org, yealink.prov.example.org
5) Deploying ip black lists.
6) Only allowing IP ranges where you expect traffic from.
I gave a talk about security at Astricon a few years back which talks
amongst other things about provisioning security
https://www.youtube.com/watch?v=9Wzzlo1kfTQ&ab_channel=OfficialAsteriskYouTubeChannel
On Tue, Nov 17, 2020 at 9:10 AM Jeff Anderson <ciscoplumber at gmail.com>
wrote:
> For providers that have centralized SIP device management that is
> available on the internet how have you been protecting your
> configurations from unauthorized access over https?
>
> Are there any specific measures that you found most helpful?
>
> I am assuming that certificate authentication is probably the best option.
> For people that are doing this, are you using the factory installed certs
> from the hardware provider or installing your own certificates on the
> devices? Are there any lessons learned on using certs that you can share?
>
> Thanks
>
>
>
>
>
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20201117/3f6a52cb/attachment.htm>
More information about the VoiceOps
mailing list