<div dir="ltr">Jeff,<div><br></div><div>It depends on the device manufacturer and what they support. We use a combination of these where the hardware vendor supports them.</div><div><br></div><div>1) Mutual TLS with the built in certs.</div><div>2) Encryption of the configuration files.</div><div>3) Matching user agents (this can easily be spoofed but it's better then nothing).</div><div>4) Different URL's for different device manufacturers. eg. <a href="http://polycom.prov.example.org">polycom.prov.example.org</a>, <a href="http://yealink.prov.example.org">yealink.prov.example.org</a></div><div>5) Deploying ip black lists.</div><div>6) Only allowing IP ranges where you expect traffic from.</div><div><br></div><div>I gave a talk about security at Astricon a few years back which talks amongst other things about provisioning security <a href="https://www.youtube.com/watch?v=9Wzzlo1kfTQ&ab_channel=OfficialAsteriskYouTubeChannel">https://www.youtube.com/watch?v=9Wzzlo1kfTQ&ab_channel=OfficialAsteriskYouTubeChannel</a></div><div><br></div><div><br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Nov 17, 2020 at 9:10 AM Jeff Anderson <<a href="mailto:ciscoplumber@gmail.com">ciscoplumber@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>For providers that have centralized SIP device management that is available on the internet how have you been protecting your configurations from unauthorized access over https? </div><div><br></div><div>Are there any specific measures that you found most helpful?<br></div><div><br></div><div>I am assuming that certificate authentication is probably the best option. For people that are doing this, are you using the factory installed certs from the hardware provider or installing your own certificates on the devices? Are there any lessons learned on using certs that you can share?</div><div><br></div><div>Thanks</div><div><br></div><div><br></div><div><br></div><div><br><div><br></div></div></div>
_______________________________________________<br>
VoiceOps mailing list<br>
<a href="mailto:VoiceOps@voiceops.org" target="_blank">VoiceOps@voiceops.org</a><br>
<a href="https://puck.nether.net/mailman/listinfo/voiceops" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a><br>
</blockquote></div>