Hi D'Arcy,

this is usually vendor-specific and depends on the particular device's capabilities.
I don't know the SPA-122, but there should be some PIN or shared-secret
that you can send "out-of-band" (web-portal, e-mail, mail, ...) to your clients.
It is used to either pre-encrypt the config data on your server, or to encrypt/authenticate the
whole connection. Ideally, this may also be used to transfer device certificates in an encrypted way;
those certificates may then be used for all follow up communication between the device and
your provisioning server in mutually authenticated https sessions.

Some principles around that are described in the TR-069 standard
(http://www.broadband-forum.org/technical/download/TR-069.pdf).
And if all your devices support TR-069, you may think of implementing that one.
(Sidenote: I have no practical experience with TR-069 ;-)

At the very least - which does not require any device's contribution - I would
recommend to:
- use your server's awareness of device status: at any time, allow only those profiles being downloaded,
where the device (--> Mac address) had been delivered to a client, and not yet initially provisioned
- define a time limit, when a Mac address is blocked again (even if not yet provisioned)
- this needs an "out-of-band" mechanism for your clients (e.g. web-portal) to re-activate a
Mac address, in case they put their devices on stock.

Stefan

________________________________________
From: Voipsec [voipsec-***@voipsa.org] on behalf of D'Arcy J.M. Cain [***@Vex.Net]
Sent: Thursday, October 18, 2012 21:22
To: ***@voipsa.org
Subject: [VOIPSEC] Security considerations with provisioning

I am planning to set up a provisioning server. I have scoured the net
but can't find anything that addresses security on this topic very
well. I understand that the device (SPA-122 in my case) is set up with
a profile rule like this:

https://192.168.207.105:8888/phone-$MA

The critical point here is the $MA which is converted to the MAC
address. The server is expected to send back the configuration.

Now the connection is encrypted since it is a https URI but what stops
someone from guessing MAC addresses and stealing configs? I could just
connect to https://192.168.207.105:8888/phone-001122334455 and get the
config for that device. Am I missing some element that makes this
secure?

--
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:***@Vex.Net

Yes, these kinds of servers can be subject to dictionary attacks. It's actually interesting that the badguys have been working harder on SIP-based dictionary attacks; I've always thought provisioning servers to be a more fruitful and efficient vector.

But, you can make it harder to steal the config in a few ways:

(a) Use client certificates, so that the server refuses to send the config to anything other than a Cisco/Linksys device

(b) Encrypt the config using a shared secret

(c) If the SPA-122 supports it, use explicit HTTPS authentication

(d) If your network allows it, only allow downloads from specific IP ranges

One big challenge with (b) and (c) of these is keeping the shared secret out of your customer's hands, and off of the Internet.

Hi D'Arcy

As Stefan writes, it's very much depending on your setup, what i am doing
is:

Each enterprise is assigned to an MPLS-VPN, in each MPLS-VPN network i have
an tftp server running with it's own instance (using virtual network
stacks).

So practically each enterprise has it's own hosted TFTP server, only
providing device configuration for the enterprise in it's own MPLS-VPN

This solution was the most flexible (supports Many different device types)
and most secure i could design, so far it scales fine, and has not given me
any problems.

Thomas

Hi,
Add "SSLVerifyClient require" in the configuration of the web server (the option is valid for Apache). The only way to get the configuration file via https is if you succeed to read the certificate file from the Linksys/cisco firmware.

Best Regards,
Anatoliy