<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">The most common approaches we see in networks are, with the strongest at the top, are:</div><div class=""><br class=""></div><div class="">1. Mutual TLS with X.509 Attribute Validation </div><div class="">2. Mutual TLS without X.509 Attribute Validation</div><div class="">3. Per-device credentials (HTTP username/password)</div><div class="">4. Per-device-type credentials (HTTP username/password) </div><div class="">5. IP allow-list to permit only certain clients to download </div><div class="">6. Funny filenames (like <a href="https://xsp.serviceprovider.com/dms/CustomModifiedPolycomVVX/" class="">https://xsp.serviceprovider.com/dms/CustomModifiedPolycomVVX/</a> )</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">The first one, Mutual TLS (verifying the device's certificate created by proper manufacturer) with X.509 Attribute Validation (like MAC address) requires this:</div><div class="">-- HTTPS</div><div class="">-- When the client connects, the server requests the client certificate</div><div class="">-- The server checks to see if the client certificate matches the requested file type. For example, if you're requesting a Cisco MPP file, then the client should be presenting a certificate signed by Cisco.</div><div class="">-- The server checks the content of the certificate against the specific file. For example, if the file requested is /0abcdef12345.cfg then the Certificate X.509 attributes SAN or CN should contain the MAC address 0ABCDEF12345. The formatting of the SAN or CN can vary.</div><div class=""><br class=""></div><div class="">Because devices don't generally have Hardware Security Modules to protect the TLS secret key for the certificate signed by the manufacturer, I believe some attackers will, someday, determine how to retrieve the secret key and certificate from some device. Though I've analyzed many attacks on SIP device management, I am not personally aware of any examples of the disclosure of a secret key from a device. I expect it to occur someday because of the way the software on certain devices manages those keys.</div><div class=""><br class=""></div><div class="">To defend against that eventuality, and the ability to weaponize it into a tool, I would not want to rely <i class="">only</i><span style="font-style: normal;" class=""> on a client's ability to provide </span><i class="">any signed certificate provided by one of my trusted vendors to download any configuration file.</i><span style="font-style: normal;" class=""> For example, I would not want to allow a HTTPS client with a Yealink certificate to download a Poly config file. Further, by validating the MAC address inside the X.509 attributes, I am defending against this case by ensuring that the disclosed certificate and key can only be used to access files for a single MAC address from a specific manufacturer.</span></div><div class=""><span style="font-style: normal;" class=""><br class=""></span></div><div class=""><span style="font-style: normal;" class="">In our case, we've implemented this in multiple networks with F5 Labs LTM. The builtin BroadWorks support doesn't do all that is needed.</span></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">
<meta charset="UTF-8" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div><div class="" style="color: rgb(0, 0, 0); caret-color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px;"><font class=""><span class="" style="color: rgb(0, 68, 121); font-size: 9px; font-family: Helvetica;"><font face="Arial Black" class="" style="line-height: normal;"><b class="">Mark R Lindsey, SMTS</b></font></span><span class="" style="font-size: 9px; font-family: "Arial Black";"><span class="" style="font-size: 13px;"><font color="#794800" class=""> <span class="" style="font-size: 16px;">|</span> </font></span></span><span class="" style="color: rgb(0, 68, 121); font-size: 9px; font-family: "Arial Black";">+1-229-316-0013</span><font color="#794800" class=""><span class="" style="font-size: 9px; font-family: "Arial Black";"><span class="" style="font-size: 13px;"> </span></span><span class="" style="font-size: 9px; font-family: "Arial Black";"><span class="" style="font-size: 13px;"><span class="" style="font-size: 16px;">|</span></span></span><span class="" style="font-size: 9px; font-family: "Arial Black";"><span class="" style="font-size: 13px;"> </span></span></font><span class="" style="font-size: 9px; font-family: "Arial Black";"><font color="#004479" class=""><a href="mailto:mark@ecg.co" class="">mark@ecg.co</a></font><span class="" style="font-size: 13px;"><font color="#794800" class=""> </font></span></span><span class="" style="font-size: 9px; font-family: "Arial Black";"><span class="" style="font-size: 13px;"><span class="" style="font-size: 16px;"><font color="#794800" class="">|</font></span></span></span><font face="Arial Black" class=""><span class="" style="font-size: 9px;"><b class=""><font color="#794800" class=""> </font><font color="#004479" style="color: rgb(0, 68, 121);" class=""><a href="https://ecg.co/lindsey/" class="" style="color: rgb(0, 68, 121);">https://ecg.co/lindsey/</a></font></b></span></font></font></div></div></div></div></div></div></div></div></div></div></div></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"></div></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"><br class="Apple-interchange-newline">
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">On Oct 20, 2021, at 10:36 AM, Dave Sill <<a href="mailto:dave@socket.net" class="">dave@socket.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><span style="caret-color: rgb(0, 0, 0);" class="">All,</span><div style="caret-color: rgb(0, 0, 0);" class=""><br class=""></div><div style="caret-color: rgb(0, 0, 0);" class="">I’m interested in what you’re doing to protect Broadworks device profile files. Unique credentials for access, IP whitelist, HTTPS, something else?</div><div class="">
<div dir="auto" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br class="Apple-interchange-newline">Thanks,</div><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br class=""></div><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">Dave Sill</div><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">IT Director, <a href="https://www.socket.net/" class="">Socket Telecom</a></div><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">573-817-0000 ext 211</div><br class="Apple-interchange-newline"></div></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><br class="Apple-interchange-newline">
</div>
<br class=""></div>_______________________________________________<br class="">VoiceOps mailing list<br class=""><a href="mailto:VoiceOps@voiceops.org" class="">VoiceOps@voiceops.org</a><br class="">https://puck.nether.net/mailman/listinfo/voiceops<br class=""></div></blockquote></div><br class=""></body></html>