Secure way for phones to download config over internet

Heres a hypothetical situation to setup my question

A FreePBX server is on the internet, lets say its a DigitalOcean VPS

A client has 2 offices. All of the phones register to the VPS, and download their configs over HTTPS

Ok, so we know HTTP and TFTP are bad because they are unencrypted and as such SIP credentials can be stolen while in transit if an attacker is able to intercept them

However, even though the configs are downloaded over HTTPS, it doesnt mean the SIP credentials are safe. They are just sitting there on a web server waiting for anyone to request them, thus they can be bruteforced, or anyone with access to the phone could get its MAC address and then request the config from the server.

So how to do this securely? In the past I have always had FreePBX on same LAN as phones and no HTTPS port forwarded so security was much less of a concern (only an attacker on the LAN could download config files).

I know that VPN is one solution, but not the solution I am looking for.

The only other way to do it that I can think of is to allow all of the phones to connect to the FreePBX server and download their configs the first time, then remove all the configs from server. The phones will still try to contact the server for new config, and when they dont find one they will keep their existing config. However, if I need to modify a phone config, I can just add it to the server for 5 minutes (or whatever the reg interval is), wait for the phone to download it, then remove it. That is much more safe than leaving the config there the whole time

So – what are you guys doing to solve this problem? Is there a better way?

1 Like

The edge version of System Admin Pro addresses this by allowing you to set login credentials for ftp/http/https provisioning protocols. Then use the username and password as part of the provisioning string for your phones.

https://<username>:<password>@domain.com:<port>
1 Like

Makes sense!

1 Like

yes but, if someone gains access to the admin part of the phone, the username and password are sitting there in clear text. so just make sure you use a strong admin password for the phone, not 456 or 22222.

1 Like

Yeah I always use secure passwords there too but its less of a concern because the phones are on the LAN

With HTTPS, the payload is encrypted, but the URL is still sent in the clear. So your username and password in this example are wide open to anyone in the chain, and will show up in firewall logs in plaintext.

VPN is not the solution you are looking for, but it’s the solution you need, unfortunately. Rather than investing time and effort in finding ways to avoid VPN, get cracking on implementing it.

What do you use for routers on the LAN side?

@Basildane
very good point

@rymes
Thanks for the advice.

The reason I am asking is I am actually in the process of setting up a cloud PBX service. All of the client phones connect to a single Freeswitch server (unlike FreePBX, Freeswitch supports multi tenant much better).

I am wondering if the other big Cloud PBX providers all have VPN to all client locations. Obviously for sure Vonage and small stuff like that doesnt, you just plug in your device and start making calls, theres no VPN there

But those kind of devices do not have frequent changes like a business phone system would, so manually updating the config is maybe a perfectly fine option
In the case of a business phone system, I dont want to have to manually update configs thru the Web GUI on the phones, pushing the configs from the server is the best option, but its insecure without VPN no matter how you try to implement it

VPN is fine though, its one option. For offices that cant VPN, manual configuration will be ok I think

Just because it is plug-and-play doesn’t mean you don’t have a VPN. I have some Grandstream phones that have a VPN client built into them.