[VoiceOps] Preventing unauthorized access to SIP device config files

Tim Bray tim at kooky.org
Tue Nov 17 10:13:27 EST 2020 

Hi,

Do you mean for a provisioning server?     Rather than the management 
web interface of device.

If for a provisioning server

1) use devices with unique factory installed client certificates.  
(Snom, Yealink, Cisco, Panasonic).     Verify the MAC presented matches 
that in the certificate - you will need a script rather than plain files 
on a server.    Set your webserver to only allow access from devices 
with a client cert.     And also different URLS (and often, sadly IP 
addresses) for each phone type.  Turn off plain HTTP.

1b) TLS authentication needs to be mutual, so proper certs server side.

1c) Grill your device supplier about their procedure for signing and 
burning in the factory.

Encryption of configuration files - you still have to get a key into the 
device.   And it needs to be a unique key per device, which leads you 
straight back to needed 1)



The cisco (and their sipura and linksys grand parents) have had this 
setup sorted since like 2004, it is pretty tried and tested.


If you are going to do your own certs, then you need to have the devices 
on your desk and have a good setup for doing this.   Or you end up back 
using 1) to seed the device.

And watch out for certificate expiry dates.


(There are various companies who don't do unique factory certs, who 
claim still to have a secure setup, whose security can be bypassed in 
like 3 seconds.   Like their CA private key is in the firmware)

This is a good read:
https://www.itspa.org.uk/wp-content/uploads/1705_Provisioning_BCP.pdf

Tim


On 17/11/2020 14:08, Jeff Anderson wrote:
> For providers that have centralized SIP device management that is 
> available on the internet how have you been protecting your 
> configurations from unauthorized access over https?
>
> Are there any specific measures that you found most helpful?
>
> I am assuming that certificate authentication is probably the best 
> option. For people that are doing this, are you using the factory 
> installed certs from the hardware provider or installing your own 
> certificates on the devices? Are there any lessons learned on using 
> certs that you can share?
>
> Thanks
>
>
>
>
>
>
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops


-- 
Tim Bray
Huddersfield, GB
tim at kooky.org
+44 7966479015

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20201117/bbd70a40/attachment-0001.htm>

More information about the VoiceOps mailing list