6

I have many Cisco IP phones that operate in the following manner (oversimplified):

  • Negotiate with DHCP for IP, DNS, TFTP, etc.
  • Look for SEPXXXXXXXXXXXX.cnf.xml configuration file on TFTP server where X is the MAC address of the phone
  • Parse the configuration file to load its configuration and update firmware (also stored on TFTP server) if necessary

The issue here is that I have some phones that need to be put in small offices or people's homes. I need to be able to update the configuration files at all times so I can't just preconfigure the phone and send it out. How can I make the TFTP access secure over the internet and prevent someone unauthorized from getting to the configuration files? I know I could do an IP-based ACL but this doesn't stop the possibility of someone spoofing the IP.

getsauce
  • If you could tell us the OS and identifying version information, that would be helpful to us in helping you. – mdpc Apr 30 '14 at 18:23
  • My current TFTP server runs Ubuntu 12.04. I'm not married to a distribution or OS. We're not actually using Call Manager with these phones either. I was hoping there would be some type of attribute attached with the phone's GET request that makes it unique and unable to be spoofed and that there would be some type of tftp server option or tftp proxy that could allow or deny requests based on this. I don't think this is the case though. – getsauce Apr 30 '14 at 18:40
  • An IP-based ACL won't protect you against a skilled hacker who can spoof an IP, but it would eliminate a large number of the scripted attacks and is an improvement over the defaults. Reducing the noise will allow you to see the attacks, at least. – Stefan Lasiewski Apr 30 '14 at 18:52
  • Why simply protect the TFTP...what about the phone calls themselves? Thus protecting the company's intellectual property (IP). – mdpc Apr 30 '14 at 19:44
  • The phones talk to the SIP proxy over TLS and send media over SRTP. No issues there. – getsauce Apr 30 '14 at 19:49
  • 2
    From wikipedia: "Due to the lack of security, it is dangerous to use it over the Internet. Thus, TFTP is generally only used on private, local networks." – thomasrutter May 01 '14 at 02:47
  • How are they finding the TFTP server address? Is it statically assigned? I presume the DHCP settings in this case are coming from the home network? – Adam May 01 '14 at 09:36
  • You can configure the TFTP server and other network settings directly from the phone. – getsauce May 01 '14 at 14:13

5 Answers

13

You would make TFTP access over the internet secure the same way you'd make access to anything over the internet secure. By going through a VPN.

Cisco's IP phones can be set up to use a VPN, and someone even put together a handy doc around common issues with this setup that you might want to take a look at.

HopelessN00b
  • VPN isn't an option here unfortunately. I can't configure VPN connections at small offices or people's homes and the Cisco phones that support VPN get their configuration from the cnf.xml file on the TFTP server. We're also not using ASA firewalls. – getsauce Apr 30 '14 at 17:59
  • 4
    @getsauce Well, doing it right costs money. If they're not willing to pay for it, they may just have to do without. – HopelessN00b Apr 30 '14 at 18:02
  • Really this just isn't an ideal way to deploy these kinds of phones. I'd much rather be able to do the configuration directly on the phone but unfortunately I can't with these phones. – getsauce Apr 30 '14 at 18:44
  • 1
    Hmmmm...if you feel that you need a secure TFTP it seems that the phone calls themselves should be protected as well. Thus the VPN solution seems the correct call. I thought there were a few good public domain solutions available here. – mdpc Apr 30 '14 at 19:43
  • 1
    @getsauce: Dude! Get a WRT54GL for each remote phone, configure it as a VPN client, put the phone behind the WRT. Boom. Done. – MikeyB May 01 '14 at 04:27
  • @MikeyB I know this is an inexpensive solution to the problem but unfortunately some of the users getting phones will not belong to my organization, so I won't be able to put a router in their office/home. – getsauce May 01 '14 at 14:18
  • 3
    Tough shit for them. Also, you're not putting a router in their office/home. You're putting a Phone Connectivity Device. The only thing behind it should be the phone. – MikeyB May 01 '14 at 18:59
  • 2
    @getsauce Like MikeyB, I am perplexed by this. You'll put a $250 IP phone in someone's home, but you won't put in a < $50 router to make it secure (and functional)? The hell? – HopelessN00b May 01 '14 at 19:13
  • @MikeyB & Hopeless I might have 1000 phones that need to go in homes or small offices. I'm not going to send a preconfigured router out with each one and then have 1000 VPN sessions going all the time just to serve configuration files. I would deploy a small device running TFTP locally or completely switch phone models before I would do that. The whole idea behind this is to make it easy for the user and allow me to manage the whole thing easily and with minimal risk. – getsauce May 01 '14 at 19:33
  • 1
    Cheap, Easy, Risk-Free? Choose two. Guess you should have bought phones that can VPN. – MikeyB May 01 '14 at 20:27
  • 5
    @getsauce I'm sorry, but you're being just a little unreasonable here: You've been given several options, from the *Right Thing* (buy phones that support VPN) to *Suboptimal but practical* (Ship a VPN router with each). I'm sorry if the answers are not what you wanted to hear, but sometimes the answer is "You can't do what you want", and I think this is one of those times. – voretaq7 May 01 '14 at 22:15
  • 2
    @voretaq7 My vote for unreasonable goes to whoever decided to deploy 1000 devices with no central management... and then decided to do it on the cheap. And have getsauce do it. Let's remember, this person may not be getsauce, but could be someone who just gets paid more to come up with these bad ideas. But whoever's idea it is, it is definitely looking more and more like a "can't be done" situation. – HopelessN00b May 01 '14 at 22:31
  • Lol relax guys, I was just interested in hearing different ways to skin this cat, even if it is unreasonable. I have the Cisco 8945 and 9971 VPN phones but the VPN profile is loaded after the configuration file is read and if I understand correctly, the phone won't reread the configuration file until it reboots, creating a catch 22. And again, it requires ASA FW and AnyConnect. The other big issue here is that the 894X is the best video phone for the price. If I can't make this work with little risk involved like I said, I would just change to a phone that doesn't require TFTP. – getsauce May 01 '14 at 23:16
10

Then you can't do it. You've rejected another protocol that permits authenticating the requestor (hcsteve's answer) and you've rejected a VPN which would have allowed TFTP to be tunneled through an authenticated service (HopelessN00b's answer), so you're stuck with stock TFTP.

RFC 1350 makes it fairly clear, in section 1, that authentication is not an option:

The only thing [TFTP] can do is read and write files (or mail) from/to a remote server. It cannot list directories, and currently has no provisions for user authentication.

If you insist that the configuration files not be indiscriminately available, you will need to rethink your architecture.

MadHatter
  • hcsteve is talking about authenticating with the SIP proxy. The phone can do that; it's getting the configuration file that's the issue with the model phones we're using. The built-in VPN doesn't work for me for two basic reasons: you need to preload the configuration file to get the VPN profile (what happens if I need to change the VPN profile?) and you have to use ASA and AnyConnect specifically. I understand auth is not supported by TFTP but I was interested to see if anyone had a creative solution for detecting what devices are requesting files. – getsauce Apr 30 '14 at 20:01
  • 2
    You could put some kind of adaptive firewall in the way, using something like `nmap`'s OS fingerprinting logic to identify the phones, but that's still eminently spoofable. – MadHatter Apr 30 '14 at 20:02
  • This is an interesting idea. I know the pfSense project has a feature that can identify OS. I'm not sure if it will work for UDP traffic though. I will investigate further. – getsauce Apr 30 '14 at 20:10
3

Cisco Small Business (SPA3xx, SPA5xx) phones support provisioning over HTTPS with mutual SSL authentication - the client can authenticate the provisioning server and the server can also authenticate the client based on the client's built-in certificate. That's the way to do it securely over the internet - forget about TFTP. See the full provisioning guide from Cisco - it's way too much info to post here.

hcsteve
  • I'm familiar with the SPA phones. Unfortunately the ones we want to use are the Cisco 8941 model and Cisco 9971 model with video capability. These are configuration file only. – getsauce Apr 30 '14 at 18:45
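To make the mutual-authentication model in this answer concrete, here is an added example (not code from the page, from Cisco, or from any SPA firmware) of a provisioning server that only hands out SEP<MAC>.cnf.xml to a client presenting a valid certificate whose CN names that same device. It assumes a self-made PKI (a "provisioning-ca" root, a server certificate for the hypothetical host "provisioning.example", and a per-phone certificate standing in for the phone's built-in one) and a constructed MAC address 001122334455.

```go
package main
import (
	"crypto/ed25519"; "crypto/rand"; "crypto/tls"; "crypto/x509"; "crypto/x509/pkix"
	"math/big"; "net/http"; "net/http/httptest"; "time"
)
// issue makes an Ed25519 key and certificate for cn, signed by parent; parent == nil yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, tls.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, pkey = t, key // self-signed root of the assumed provisioning PKI
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// handler releases SEP<MAC>.cnf.xml only when the verified client certificate's CN names that same device.
func handler(w http.ResponseWriter, r *http.Request) {
	cn := r.TLS.PeerCertificates[0].Subject.CommonName // non-empty: the server requires a verified client cert
	if r.URL.Path != "/"+cn+".cnf.xml" {
		http.Error(w, "client certificate does not match requested device", http.StatusForbidden)
		return
	}
	w.Write([]byte("<device><name>" + cn + "</name></device>\n")) // constructed stand-in for the real config
}
// Demo builds the assumed PKI, starts a mutual-TLS server and returns the HTTP status for a phone fetching
// its own file, the same phone fetching another device's file, and a client with no certificate (0 = refused).
func Demo() (own, other, anonymous int) {
	ca, caKey, _ := issue("provisioning-ca", nil, nil)
	_, _, srvCert := issue("provisioning.example", ca, caKey)
	_, _, phone := issue("SEP001122334455", ca, caKey) // constructed MAC, not a real device
	pool := x509.NewCertPool(); pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(handler))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	get := func(certs []tls.Certificate, name string) int { // fresh transport per call so no authenticated connection is reused
		tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: "provisioning.example", Certificates: certs}}
		resp, err := (&http.Client{Transport: tr}).Get(srv.URL + "/" + name)
		if err != nil {
			return 0 // handshake refused: no (or untrusted) client certificate never reaches the handler
		}
		defer resp.Body.Close()
		return resp.StatusCode
	}
	return get([]tls.Certificate{phone}, "SEP001122334455.cnf.xml"),
		get([]tls.Certificate{phone}, "SEPAABBCCDDEEFF.cnf.xml"), get(nil, "SEP001122334455.cnf.xml")
}
```

The point the answer makes shows up in the three results: the phone gets its own file (200), is refused another device's file (403), and an unauthenticated client never gets past the TLS handshake at all.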
2

TFTP over the internet is never a good approach. You will run into several problems with firewalls, NAT, and timeout-related aborted transfers. Considering your constraints, you should probably think of securely distributing (i.e. a password-protected download) the phone configuration file with a small-footprint portable TFTP server; then, when the update is required, the phone being updated will find a locally hosted TFTP server with the required conf file.

Pat
  • I considered this as well. For any small offices, having a Raspberry Pi or something small just serving TFTP would work well. I would need to be able to access all these boxes to update files which I think I could achieve using reverse SSH tunnels. – getsauce May 01 '14 at 14:15
  • 1
    Once you decide to run a local TFTP, you have several options; probably a scheduled check for a new configuration file is a simpler approach than prepping your remote locations for external SSH access. – Pat May 01 '14 at 19:19
-2

Ask this question: how does Vonage do it? If you do something for money, you'd better have some security in place. I'm sure they upgrade infrastructure all the time.

If you're not too concerned about security within the employees' homes, a router set up to connect to the company's VPN might be useful. Connect your IP phone to that.

Andy