<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Hi,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Do you mean for a provisioning
server, rather than the management web interface of the device?</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">If for a provisioning server<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">1) use devices with unique factory
installed client certificates. (Snom, Yealink, Cisco,
Panasonic). Verify the MAC presented matches that in the
certificate - you will need a script rather than plain files on a
server. Set your webserver to only allow access from devices
with a client cert. And also different URLs (and often, sadly,
IP addresses) for each phone type. Turn off plain HTTP.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">1b) TLS authentication needs to be
mutual, so proper certs server side. <br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">1c) Grill your device supplier about
their procedure for signing and burning in the factory.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Encryption of configuration files - you
still have to get a key into the device. And it needs to be a
unique key per device, which leads you straight back to needing 1)</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">The Cisco (and their Sipura and Linksys
grandparents) have had this setup sorted since like 2004, it is
pretty tried and tested.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">If you are going to do your own certs,
then you need to have the devices on your desk and have a good
setup for doing this. Or you end up back using 1) to seed the
device.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">And watch out for certificate expiry
dates.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">(There are various companies who don't
do unique factory certs, who claim still to have a secure setup,
whose security can be bypassed in like 3 seconds. Like their CA
private key is in the firmware)<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">This is a good read:<br>
</div>
<div class="moz-cite-prefix"><a class="moz-txt-link-freetext" href="https://www.itspa.org.uk/wp-content/uploads/1705_Provisioning_BCP.pdf">https://www.itspa.org.uk/wp-content/uploads/1705_Provisioning_BCP.pdf</a><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Tim<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 17/11/2020 14:08, Jeff Anderson
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAPz3n-whyVHZseT-6UYYmthiQ5GfebHsxtYPoQPcU4bP-tQb4A@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>For providers that have centralized SIP device management
that is available on the internet, how have you been protecting
your configurations from unauthorized access over HTTPS? </div>
<div><br>
</div>
<div>Are there any specific measures that you found most
helpful?<br>
</div>
<div><br>
</div>
<div>I am assuming that certificate authentication is probably
the best option. For people that are doing this, are you using
the factory installed certs from the hardware provider or
installing your own certificates on the devices? Are there any
lessons learned on using certs that you can share?</div>
<div><br>
</div>
<div>Thanks</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
<div><br>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
VoiceOps mailing list
<a class="moz-txt-link-abbreviated" href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a>
<a class="moz-txt-link-freetext" href="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</a>
</pre>
</blockquote>
<p><br>
</p>
<pre class="moz-signature" cols="72">--
Tim Bray
Huddersfield, GB
<a class="moz-txt-link-abbreviated" href="mailto:tim@kooky.org">tim@kooky.org</a>
+44 7966479015</pre>
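<p>Added example (not code from Tim's message, nor any vendor's or the ITSPA document's) of the check described in point 1 above: a provisioning back end that only hands out a config if the MAC in the requested filename matches the MAC in the factory client certificate, and only if that certificate was issued by the CA expected for that vendor's URL. It assumes nginx in front terminating mutual TLS (<code>ssl_verify_client on</code> against the vendors' device CA bundle) and forwarding <code>$ssl_client_verify</code>, <code>$ssl_client_s_dn</code> and <code>$ssl_client_i_dn</code> as headers. The header names, the <code>/&lt;vendor&gt;/&lt;file&gt;</code> URL layout, the placeholder issuer DNs, the config directory and the sample subject names are this example's assumptions, not any vendor's real certificate profile.</p>

```python
"""Provisioning back end: bind every config download to the MAC in the
device's factory client certificate.

Added example, not code from the original post.  Assumes nginx does mutual
TLS and forwards the result to this WSGI app (names are this example's):
    proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
    proxy_set_header X-SSL-Client-Issuer $ssl_client_i_dn;
"""
import os
import re
from dataclasses import dataclass
from typing import Optional, Tuple

CONFIG_ROOT = "/var/lib/provisioning"   # assumption: one subdirectory per vendor
# Placeholder issuer DNs: replace with the exact $ssl_client_i_dn nginx reports
# for each vendor's device CA.  A different URL per phone type, as in point 1.
EXPECTED_ISSUER = {
    "yealink": "CN=Example Yealink Device CA,O=Example Yealink,C=CN",
    "cisco":   "CN=Example Cisco Device CA,O=Example Cisco,C=US",
}
CONFIG_EXT = {".cfg", ".xml"}
_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")
_CN_RE = re.compile(r"(?:^|,)\s*CN=([^,]+)")


def trailing_mac(value: str) -> Optional[str]:
    """12 lowercase hex digits if VALUE ends with a MAC, else None.
    ':' and '-' are dropped first, so '00:11:22:33:44:55', '001122334455',
    'spa001122334455' and 'SEP001122334455' all give '001122334455'."""
    compact = value.strip().replace(":", "").replace("-", "")
    tail = compact[-12:]
    return tail.lower() if len(tail) == 12 and _HEX12.match(tail) else None


def mac_from_dn(dn: str) -> Optional[str]:
    """MAC from the CN of a subject DN in the RFC 2253 form nginx emits."""
    m = _CN_RE.search(dn)
    return trailing_mac(m.group(1)) if m else None


def mac_from_filename(name: str) -> Optional[Tuple[str, str]]:
    """(mac, ext) for a per-device config name such as 'spa001122334455.cfg'."""
    stem, ext = os.path.splitext(name)
    if ext.lower() not in CONFIG_EXT:
        return None
    mac = trailing_mac(stem)
    return (mac, ext.lower()) if mac else None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    relpath: Optional[str] = None   # vendor/<mac><ext>, built only from validated parts


def authorize(path: str, verify: Optional[str], subject_dn: Optional[str],
              issuer_dn: Optional[str]) -> Decision:
    """Allow only a verified device cert fetching its own vendor's file for its own MAC."""
    if verify != "SUCCESS":                       # plain HTTP, no cert, or chain failed
        return Decision(False, "no verified client certificate")
    parts = path.strip("/").split("/")
    if len(parts) != 2:
        return Decision(False, "unexpected URL layout")
    vendor, filename = parts
    if EXPECTED_ISSUER.get(vendor) != issuer_dn:  # vendor A cert cannot fetch vendor B files
        return Decision(False, "certificate not issued by the expected vendor CA")
    cert_mac = mac_from_dn(subject_dn or "")
    if cert_mac is None:
        return Decision(False, "no MAC in certificate subject")
    parsed = mac_from_filename(filename)
    if parsed is None:
        return Decision(False, "not a per-device config file")
    path_mac, ext = parsed
    if cert_mac != path_mac:
        return Decision(False, f"certificate MAC {cert_mac} != requested {path_mac}")
    return Decision(True, "ok", f"{vendor}/{cert_mac}{ext}")


def application(environ, start_response):
    """WSGI entry point; the on-disk path comes from Decision.relpath, never the URL."""
    d = authorize(environ.get("PATH_INFO", ""), environ.get("HTTP_X_SSL_CLIENT_VERIFY"),
                  environ.get("HTTP_X_SSL_CLIENT_DN"), environ.get("HTTP_X_SSL_CLIENT_ISSUER"))
    if not d.allowed:
        print(f"deny {environ.get('REMOTE_ADDR')} {environ.get('PATH_INFO')}: {d.reason}")
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]
    try:
        with open(os.path.join(CONFIG_ROOT, d.relpath), "rb") as fh:
            body = fh.read()
    except FileNotFoundError:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    start_response("200 OK", [("Content-Type", "application/octet-stream"),
                              ("Cache-Control", "no-store")])
    return [body]


if __name__ == "__main__":
    # Constructed requests: the right phone, a phone asking for a sibling's
    # config, and an unauthenticated fetch (plain HTTP or no client cert).
    iss = EXPECTED_ISSUER["yealink"]
    print(authorize("/yealink/001122334455.cfg", "SUCCESS", "CN=00:11:22:33:44:55,O=Example", iss))
    print(authorize("/yealink/001122334466.cfg", "SUCCESS", "CN=00:11:22:33:44:55,O=Example", iss))
    print(authorize("/yealink/001122334455.cfg", "NONE", None, None))
```

<p>Run it behind uwsgi or gunicorn, and make sure the back end is reachable only through nginx: it trusts the <code>X-SSL-Client-*</code> headers, which <code>proxy_set_header</code> overwrites on the way through nginx, but a direct hit on the back end would bypass that. Expired device certificates are rejected by nginx during client verification before this code runs, which is where the expiry dates Tim warns about bite. Shared (non-per-device) files are denied by this check and need a separate rule if you serve any.</p>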
</body>
</html>