Re: Secure Provisioning

Chad Monroe · ‎04-01-2013

Hi,

Accordign to everything I've seen there are only two ways to securly provision a remote phone:

1.) VPN

2.) HTTPS with SSL certificate signed by Cisco

I'm using a pure-SIP deployment and would like to stay away from option #1. Option #2 seems easy according to the document here:

https://supportforums.cisco.com/docs/DOC-9852

However you need a Cisco reseller to submit the request. None of the resellers Cisco support has directed me to in my area offer this service. Has anyone been successful in obtaining a signed certificate and using HTTPS provisioning? I have a case open with small business support but they don't seem to know the process either. Is there some reason myself (as the administrator of 100+ SPA devices) can not submit the request? Has anyone found a workaround or another method to securely send provisioning to these devices? Thanks.

--

Chad Monroe

Dan Lukes · ‎04-01-2013

Not answer, just notice. VPN should not be considered "secure provisioning". Attacker can catch unencrypted packets just between the phone and wall ethernet socket. HTTPS is only secure method for virgin and post-factory-default-reset devices known to me.Of course, the provisioning server needs to maintain list of "know" devices and must not configure unknown devices.

Unfortunatelly, I can't give you an advice how to identify your's Cisco sales representative ...

Patrick Born · ‎04-01-2013

Hi Chad,

The reason for submitting the CSR via a Cisco representative is in order to preserve the chain of trust.
If you do not have a relationship with a Cisco representative who can submit for you, you can use your own certificate authority by defining the path to your CA using the "Custom CA URL" parameter at Voice tab > Provisioning tab > CA Settings > Custom CA Rule:

Regards,

Patrick---

Dan Lukes · ‎04-01-2013

... but then you can't configure the device the secure way from scratch. You need to configure Custom CA URL at the first, using a non-SSL method.

By the way, the Custom CA URL is not documented very well:

Field

Description

Custom CA URL

The URL of a file location for a custom Certificate Authority (CA) certificate. Either the IP address or the FQDN of the server can be specified. The file name can have macros, such as $MA, which expands to the ATA MAC address.

Default setting: null

There is no word what such CA will be used for (provisioning ? SIP/TLS ? both ? something other ?), but more important, there is no word about expected format of the file. No information how to delete previously loaded certificate (reset to factory default ?) as well.

andrewhotlab · ‎04-01-2013

Maybe I can suggest a third option: to create plain-text configuration files and encrypt them with the spc (Sipura Profile Compiler) tool, which you can download for free from the Cisco support web site.

Then you can provision encrypted files simply over the "insecure" HTTP channel. Honestly, I'm not sure whether this method is as secure as HTTPS transport (I guess it isn't so much...), but at least it allows you to support Internet connected IP phones with a minimal effort, by deploying a somewhat "secure" payload.

Just my 2 cents.

Sent from Cisco Technical Support iPhone App

Dan Lukes · ‎04-01-2013

SPC is avaiable for very limited number of platforms only. And it is suitable for pre-generated configurations. It's not easy to use it when configuration is generated on-the-fly.

In advance, it's security is questionable as there is no informations related to security. May be it is AES with per-device specific random password, but may be the weak password that can be derived from serial number, or it may not be AES but just XOR or something funny liek it. Overall security can be anywhere in the range from "secure" to "funny".

I'm not trying to say it's not usable at all. It depend on security requirements.

Joao Oliveira · ‎04-02-2013

I have implemented HTTPS provisioning using a Certificate Authority that is not Cisco.

I start by using a single unsecure file (HTTP) that performes a Firmware upgrade and load the CA Certificate, then it loads every other configuration file that contains sensitive information via HTTPS.

Be aware that you need at least 7.5.1a for the custom CA Rule. Believing in the Cisco Release Notes, the Cisco IP Phones also accepts SSL certificates signed by Verisign (I believe Cisco had included Verisign certificate on the Firmware). However I haven't tested it.

Dan Lukes · ‎04-02-2013

I start by using a single unsecure file (HTTP) that performes a Firmware upgrade and load the CA Certificate,

Yes, It work. It just increases time to configure device (from virgin state to fully functional state). Also WWW server allowing non-SSL connections needs to be carefully configured - it must not serve sensitive content via HTTP. It's more safe to just reject all non-SSL connections.

But again, yes, it works. Note that client side certificate needs must be required by WWW server. Session covered by server certificate only may be subject of the man-in-the-middle attack.

By the way, you claimed you tried it - may I ask you what format of CA certificate is expected to be in Custom CA URL file ?

Cisco Release Notes, the Cisco IP Phones also accepts SSL certificates signed by Verisign

Unfortunatelly, Verisign has many CAs. It's not clear what CA has been elected.

Joao Oliveira · ‎04-02-2013

You need to have the certificate available as a downloadable file (HTTP). On the Custom CA URL, just indicate the URL where the file can be downloaded from.

The file will contain the public certificate of the Certificate Authority (CA):

-----BEGIN CERTIFICATE-----

MIIDdT

...

ZlXi/EjJKSZp4A==

-----END CERTIFICATE-----