Hi, I want to ask how are you guys doing for the autoprovisioning. I know that the cfg file is created by the PBX Manager and located in a directory that is accessed by the phone for example using HTTP. The problem I see is that the cfg file contain critical information as user, passwords. Does any one implemented a solution for this? Maybe an encription? Please comment about your setup so we can evaluate how to improve the security that all want.
Thanks
DB
Encryption
Just wanted to let you know that we support execution of external programs during auto-provisioning, which can be specified in models.txt ( and could be used for encryption).
models.txt should contain something like:
command_1=encryptionprogram ${mac}
command_2=someotherprogram (if needed)
etc.
Best regards,
Alex
Question
Hi Alex, great info. Can you tell me if that is working for PBX Manager 5.051 ?
I will test in in our Lab Server to check if we can deploy it for production. we are using Linksys and Polycom, so after we have the results, I will let you know so more people can do the same.
;-)
I wonder if it would work to
I wonder if it would work to use an html redirect to keep the directory from being browsable. Create a file called index.html in the config directory and put something like this in it. That way if someone tries to browse your configs they get sent to your company website.
[html>
[head>
[META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://yourwebsite.com">
[/head>
[body>
[/body>
[/html>
[/cite>
I would call this more of a work around than a fix. Something like that plus encrypting the files would be even better.
Hmmm.... Can't seem to post html here, so I'm replacing the < with a [.
Encryption
I don't think this feature is available in 5.0.51, so an update would be required.
Testing this on the lab server is a good idea :)
I wonder if it would work to
dozment
what we do is using a different server we mount the provisioning directory from TL to it and lock down the provisioning directory. We then restrict access to the mounted directory, no browsing and listing do unless you know the file names (MAC).cfg there is nothing to see or obtain.
From there we also allow our private network to access the files so when the phone/ATA is plugged in it will get the files needed with out having to do anything other then power and Ethernet, give it 2-3 minutes and the phone/ata is ready for shipping..
George
Hi George, It looks like the
Hi George, It looks like the same thing we are doing, but we are using a multitenant servers so we need to allow the access from any IP to our provisioning directory. The ONLY way I thing we can improve the security is implementing an encription to the files.
why wouldnt you just turn
why wouldnt you just turn off indexes so you have to know the exact file name to issue a GET on.
Hi dbenders by using a
Hi dbenders
by using a different server to have the provisioning directory mounted to it, we can lock the MTE server down so there is no direct access and the server providing provisioning access can be accessed from any where BUT no listing and read only access..
hope that makes sense
Erik, doing it this way there is no direct access to the server and it can be changed, moved, renamed what ever with out causing a problem with provisioned hardware.
if you think about it in an Enterprise network it make more sense
George
I know that many handsets (at least Cisco and Aastra phones) support some level of config file encryption, although we have chosen not to deploy this because it would require some rewrite of Thirdlane to encrypt these files on the fly.
What I would like, at the least, is a way to make the /unathenticated/provisioning/ directory not list the directory contents when you browse to it. I might be dumb, but I haven't worked out how to do this yet.
AY