Re: [asterisk-users] Auto provisioning from public server
On 10/26/2010 06:30 PM, Andrew Latham wrote:
> snom phones can do http digest authentication...

I think this digest authentication is for accessing the phone's web interface, not for contacting a provisioning server.

Jonas.

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Auto provisioning from public server
On Tue, 2010-10-26 at 17:31 +0200, Jonas Kellens wrote:
> Hello,
>
> has anyone experience with auto provisioning IP-phones on different locations through a central public provisioning server?
>
> You use http or https?
>
> Is there a danger that one uses a different MAC-address in the provisioning link to obtain SIP username / password settings?
>
> Kind regards,
> Jonas.

The company we use for provisioning snom phones delete the un pass info from the server once it has been picked up for the first time. That way no one else can access it by spoofing the MAC address.

--
Ishfaq Malik
Software Developer
PackNet Ltd
Office: 0161 660 3062
Re: [asterisk-users] Auto provisioning from public server
On Tue, Oct 26, 2010 at 11:31 AM, Jonas Kellens jonas.kell...@telenet.be wrote:
> Hello,
>
> has anyone experience with auto provisioning IP-phones on different locations through a central public provisioning server?
>
> You use http or https?
>
> Is there a danger that one uses a different MAC-address in the provisioning link to obtain SIP username / password settings?
>
> Kind regards,
> Jonas.

Yes, there is a danger, especially with TFTP, but also with FTP to a lesser degree. If someone guessed correctly, they could download the config file for another phone.

Thanks,
Steve T
Re: [asterisk-users] Auto provisioning from public server
On Wed, Oct 27, 2010 at 4:04 AM, Ishfaq Malik i...@pack-net.co.uk wrote:
> On Tue, 2010-10-26 at 17:31 +0200, Jonas Kellens wrote:
>> Hello,
>>
>> has anyone experience with auto provisioning IP-phones on different locations through a central public provisioning server?
>>
>> You use http or https?
>>
>> Is there a danger that one uses a different MAC-address in the provisioning link to obtain SIP username / password settings?
>>
>> Kind regards,
>> Jonas.
>
> The company we use for provisioning snom phones delete the un pass info from the server once it has been picked up for the first time. That way no one else can access it by spoofing the MAC address.
>
> --
> Ishfaq Malik
> Software Developer
> PackNet Ltd
> Office: 0161 660 3062

What company is that? I have seen companies that do this but have never felt very secure handing the keys to the castle over to a 3rd party service.

It seems like a good idea, but I have trust issues, especially when you top off your prepaid service with $15k a week.

Thanks,
Steve T
Re: [asterisk-users] Auto provisioning from public server
On Wed, 2010-10-27 at 04:10 -0400, Steve Totaro wrote:
> On Wed, Oct 27, 2010 at 4:04 AM, Ishfaq Malik i...@pack-net.co.uk wrote:
>> On Tue, 2010-10-26 at 17:31 +0200, Jonas Kellens wrote:
>>> Hello,
>>>
>>> has anyone experience with auto provisioning IP-phones on different locations through a central public provisioning server?
>>>
>>> You use http or https?
>>>
>>> Is there a danger that one uses a different MAC-address in the provisioning link to obtain SIP username / password settings?
>>>
>>> Kind regards,
>>> Jonas.
>>
>> The company we use for provisioning snom phones delete the un pass info from the server once it has been picked up for the first time. That way no one else can access it by spoofing the MAC address.
>>
>> --
>> Ishfaq Malik
>> Software Developer
>> PackNet Ltd
>> Office: 0161 660 3062
>
> What company is that? I have seen companies that do this but have never felt very secure handing the keys to the castle over to a 3rd party service.
>
> It seems like a good idea, but I have trust issues, especially when you top off your prepaid service with $15k a week.
>
> Thanks,
> Steve T

It's our hardware supplier, the provisioning server is a free service if you purchase the hardware from them. I totally understand your point but there's always got to be some trust at some point whether it be in your suppliers or even your employees or co-workers.

They are a UK based company called Provu, I'm pretty sure they are active on this list too.

--
Ishfaq Malik
Software Developer
PackNet Ltd
Office: 0161 660 3062
Re: [asterisk-users] Auto provisioning from public server
On 10/27/2010 10:06 AM, Steve Totaro wrote:
> On Tue, Oct 26, 2010 at 11:31 AM, Jonas Kellens jonas.kell...@telenet.be wrote:
>> Hello,
>>
>> has anyone experience with auto provisioning IP-phones on different locations through a central public provisioning server?
>>
>> You use http or https?
>>
>> Is there a danger that one uses a different MAC-address in the provisioning link to obtain SIP username / password settings?
>>
>> Kind regards,
>> Jonas.
>
> Yes, there is a danger, especially with TFTP, but also with FTP to a lesser degree. If someone guessed correctly, they could download the config file for another phone.
>
> Thanks,
> Steve T

If I find a way to implement it... https would be safer?

Or is the only safe way to work with certificates that are loaded on the IP-phone?!

Jonas.
Re: [asterisk-users] Auto provisioning from public server
Hi,

On Tue, Oct 26, 2010 at 05:31:00PM +0200, Jonas Kellens wrote:
> Hello,
>
> has anyone experience with auto provisioning IP-phones on different locations through a central public provisioning server?
>
> You use http or https?

What is it exactly that you want to guarantee? Authenticating the client? The server? Avoiding any leak of data to some eavesdropper?

> Is there a danger that one uses a different MAC-address in the provisioning link to obtain SIP username / password settings?

On a LAN it would be quite difficult to forge the MAC without it getting detected. But in your case, the MAC is merely an arbitrary ID of the client. It can probably serve as a useful unique ID. See the above question regarding authentication.

I also guess you should not use TFTP. Unless you have some spare time at boot.

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Re: [asterisk-users] Auto provisioning from public server
Jonas

A quick look at the snom wiki will tell you that I am right...

> On 10/26/2010 06:30 PM, Andrew Latham wrote:
>> snom phones can do http digest authentication...
>
> I think this digest authentication is for accessing the phone's web interface, not for contacting a provisioning server.
>
> Jonas.
Re: [asterisk-users] Auto provisioning from public server
You can provision over a WAN and access-lists or iptables can limit the networks allowed. Define what level of security you need first. For further security you can use an inbound proxy and check the http headers for agent identification. This can also be faked. Practice layers of security...

~
Andrew lathama Latham lath...@gmail.com

* Learn more about OSS http://en.wikipedia.org/wiki/Open-source_software
* Learn more about Linux http://en.wikipedia.org/wiki/Linux
* Learn more about Tux http://en.wikipedia.org/wiki/Tux

On Tue, Oct 26, 2010 at 12:31 PM, Jonas Kellens jonas.kell...@telenet.be wrote:
> Hello,
>
> has anyone experience with auto provisioning IP-phones on different locations through a central public provisioning server?
>
> You use http or https?
>
> Is there a danger that one uses a different MAC-address in the provisioning link to obtain SIP username / password settings?
>
> Kind regards,
> Jonas.
Re: [asterisk-users] Auto provisioning from public server
I haven't had much auto provisioning experience, however, what about just using IPTables to create an access list essentially for known IPs to connect via HTTP/HTTPS and block all other addresses. This would only work if the phones are coming from a Static IP, but I figured I'd give my 2 cents to try and help.

On Tue, Oct 26, 2010 at 11:31 AM, Jonas Kellens jonas.kell...@telenet.be wrote:
> Hello,
>
> has anyone experience with auto provisioning IP-phones on different locations through a central public provisioning server?
>
> You use http or https?
>
> Is there a danger that one uses a different MAC-address in the provisioning link to obtain SIP username / password settings?
>
> Kind regards,
> Jonas.

--
Matt
Re: [asterisk-users] Auto provisioning from public server
On Tue, Oct 26, 2010 at 12:31 PM, Jonas Kellens jonas.kell...@telenet.be wrote:
> Hello,
>
> has anyone experience with auto provisioning IP-phones on different locations through a central public provisioning server?
>
> You use http or https?
>
> Is there a danger that one uses a different MAC-address in the provisioning link to obtain SIP username / password settings?
>
> Kind regards,
> Jonas.

> -Original Message-
> From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Andrew Latham
> Sent: Tuesday, October 26, 2010 10:41 AM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] Auto provisioning from public server
>
> You can provision over a WAN and access-lists or iptables can limit the networks allowed. Define what level of security you need first. For further security you can use an inbound proxy and check the http headers for agent identification. This can also be faked. Practice layers of security...
>
> ~
> Andrew lathama Latham lath...@gmail.com

To second Andrew's reply - Auto-provisioning is generally done in a TFTP/HTTP environment. So you will want to set up a layered-vlan environment using IPTABLES or whatever so you can poke freely with constraints. The phone is dumb, so your network needs to be smart...
Re: [asterisk-users] Auto provisioning from public server
On 10/26/2010 05:40 PM, Matt Desbiens wrote:
> I haven't had much auto provisioning experience, however, what about just using IPTables to create an access list essentially for known IPs to connect via HTTP/HTTPS and block all other addresses. This would only work if the phones are coming from a Static IP, but I figured I'd give my 2 cents to try and help.

Thank you for your input, but IP-addresses will change, so this would then become an administrative and time-consuming job...

Jonas.
Re: [asterisk-users] Auto provisioning from public server
Hello,

many SIP phones offer you the possibility to provision them over an FTP connection (with username and password).

Regards - Bakko
Re: [asterisk-users] Auto provisioning from public server
With the new phones with VPNs you can also do a stepped provision. One provisioning service for the vpn and another for the sip that can only be reached with the vpn. This is advanced stuff so take your time and learn about the tech.
Re: [asterisk-users] Auto provisioning from public server
Think about limiting geographically or use a CDN with good controls.

> Thank you for your input, but IP-addresses will change, so this would then become an administrative and time-consuming job...
>
> Jonas.
Re: [asterisk-users] Auto provisioning from public server
On 10/26/2010 05:41 PM, Andrew Latham wrote:
> You can provision over a WAN and access-lists or iptables can limit the networks allowed. Define what level of security you need first. For further security you can use an inbound proxy and check the http headers for agent identification. This can also be faked. Practice layers of security...

Well, what I'm really aiming for is this:

I let users make easy config files via web interface. This results in a config file with name MAC-address of the IP-phone. This config file is then available on the public server. User just needs to point his IP-phone to the provisioning URL.

Remarks:
- User from site A will want other configuration than user from site B.
- User from site A may not have access to or download config file of user from site B and vice versa.

Expand setup:
Also a phone book becomes available from the public server for the users...

Jonas.
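
The delete-on-first-pickup behaviour Ishfaq Malik describes earlier in the thread, applied to the MAC-named config files in the message above, can be sketched as follows. This is an added example, not part of the original thread and not any vendor's implementation; the class and function names, the pickup window, the sample MAC, the documentation-range IPs and the config text are all constructed assumptions.

```python
import re
import time
from collections import Counter

MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if malformed."""
    mac = re.sub(r"[:\-.]", "", raw.strip().lower())
    return mac if MAC_RE.match(mac) else None

class OneTimeProvisioningStore:
    """Holds per-phone configs and releases each one exactly once."""

    def __init__(self, window_seconds=3600):
        self.window = window_seconds
        self._pending = {}   # mac -> (config_text, expiry_timestamp)
        self.audit = []      # (timestamp, mac, source_ip, outcome)

    def stage(self, raw_mac, config_text, now=None):
        """Make a config available for pickup for a limited time."""
        now = time.time() if now is None else now
        mac = normalize_mac(raw_mac)
        if mac is None:
            raise ValueError("malformed MAC address")
        self._pending[mac] = (config_text, now + self.window)

    def fetch(self, raw_mac, source_ip, now=None):
        """Return the config on first pickup, None on every other request."""
        now = time.time() if now is None else now
        mac = normalize_mac(raw_mac)
        if mac is None:
            # Never copy the untrusted string into the audit trail.
            self.audit.append((now, "<malformed>", source_ip, "malformed"))
            return None
        entry = self._pending.pop(mac, None)   # pop = delete on pickup
        if entry is None:
            # Unknown and already-collected MACs get the same answer, so the
            # response does not reveal which MACs have a config staged.
            self.audit.append((now, mac, source_ip, "denied"))
            return None
        config_text, expiry = entry
        if now > expiry:
            self.audit.append((now, mac, source_ip, "expired"))
            return None
        self.audit.append((now, mac, source_ip, "delivered"))
        return config_text

    def denied_sources(self, threshold=3):
        """Source IPs with at least `threshold` denied or malformed requests."""
        bad = Counter(ip for _, _, ip, outcome in self.audit
                      if outcome in ("denied", "malformed"))
        return sorted(ip for ip, n in bad.items() if n >= threshold)

if __name__ == "__main__":
    store = OneTimeProvisioningStore()
    # Constructed sample values, not a real phone or a real config format.
    store.stage("00:11:22:33:44:55", "sip_user=1001\nsip_pass=example-only")
    print(store.fetch("001122334455", "192.0.2.10") is not None)  # first pickup
    print(store.fetch("001122334455", "198.51.100.7"))            # later request
```

The audit list is what makes the scheme reviewable: a phone that reports it never received its config while the log shows "delivered" to another address means the staged credentials should be treated as exposed and reissued.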
Re: [asterisk-users] Auto provisioning from public server
On 10/26/2010 05:52 PM, bakko wrote:
> Hello,
>
> many SIP phones offer you the possibility to provision them over an FTP connection (with username and password).
>
> Regards - Bakko

In this case I will want to use Snom phones. TFTP is available, but no FTP (with indeed then a username and password).

FTP would be great...

Jonas.
Re: [asterisk-users] Auto provisioning from public server
On Tue, Oct 26, 2010 at 12:06 PM, Jonas Kellens jonas.kell...@telenet.be wrote:
> On 10/26/2010 05:52 PM, bakko wrote:
>> Hello,
>>
>> many SIP phones offer you the possibility to provision them over an FTP connection (with username and password).
>>
>> Regards - Bakko
>
> In this case I will want to use Snom phones. TFTP is available, but no FTP (with indeed then a username and password).
>
> FTP would be great...

I wouldn't do this unless your connection is encrypted.
Re: [asterisk-users] Auto provisioning from public server
snom phones can do http digest authentication...

> In this case I will want to use Snom phones. TFTP is available, but no FTP (with indeed then a username and password).
>
> FTP would be great...
>
> Jonas.
Re: [asterisk-users] Auto provisioning from public server
Hi!

> In this case I will want to use Snom phones. TFTP is available, but no FTP (with indeed then a username and password).
>
> FTP would be great...

You could also consider to use the SNOM Redirection Service for provisioning: http://wiki.snom.com/PROVISIONING

Remark: TR-69 provisioning doesn't appear to fit to your environment from what you have disclosed.

Philipp
Re: [asterisk-users] Auto provisioning from public server
On 26 Oct 2010, at 16:31, Jonas Kellens wrote:
> has anyone experience with auto provisioning IP-phones on different locations through a central public provisioning server?
>
> You use http or https?

What handset? That's rather what controls your options. Some support HTTPS with client certificate authentication. Some support passwords. Some don't.

S