6

I have many Cisco IP phones that operate in the following manner (oversimplified):

  • Negotiate with DHCP for IP, DNS, TFTP, etc.
  • Look for SEPXXXXXXXXXXXX.cnf.xml configuration file on TFTP server where X is the MAC address of the phone
  • Parse the configuration file to load its configuration and update firmware (also stored on TFTP server) if necessary

The issue here is that I have some phones that need to be put in small offices or peoples' homes. I need to be able to update the configuration files at all times so I can't just preconfigure the phone and send it out. How can I make the TFTP access secure over the internet and prevent someone unauthorized from getting to the configuration files? I know I could do an IP based ACL but this doesn't stop the possibility of someone spoofing the IP.

getsauce
  • 101

5 Answers

13

You would make TFTP access over the internet secure the same way you'd make access to anything over the internet secure. By going through a VPN.

Cisco's IP phones can be set up to use a VPN, and someone even put together a handy doc around common issues with this setup that you might want to take a look at.

HopelessN00b
  • 54,273
10

Then you can't do it. You've rejected another protocol that permits authenticating the requestor (hcsteve's answer) and you've rejected a VPN which would have allowed TFTP to be tunneled through an authenticated service (Hopeless N00b.*'s answer), so you're stuck with stock TFTP.

RFC 1350 makes it fairly clear, in section 1, that authentication is not an option:

The only thing [TFTP] can do is read and write files (or mail) from/to a remote server. It cannot list directories, and currently has no provisions for user authentication.

If you insist that the configuration files not be indiscriminately available, you will need to rethink your architecture.

MadHatter
  • 81,580
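To make the RFC 1350 point concrete, here is an added example (not from any answer in this thread) that parses a TFTP read/write request as defined in section 5 of the RFC and flags reads of a phone's `SEP<MAC>.cnf.xml` from a source address that is not on an allow-list. The packet layout, the SEP filename convention and the IP-based ACL are from the thread; the sample addresses and MAC are constructed. It shows what an IP ACL actually has to work with: the packet carries a filename and a mode, and the only thing that looks like identity is the UDP source address.

```python
import re
import struct

# TFTP opcodes (RFC 1350): read request and write request
OP_RRQ = 1
OP_WRQ = 2

# Cisco phone config name: "SEP" + 12 hex digits of the MAC + ".cnf.xml"
SEP_CONFIG_RE = re.compile(r"^SEP([0-9A-Fa-f]{12})\.cnf\.xml$")


def parse_tftp_request(payload: bytes):
    """Parse an RRQ/WRQ: 2-byte opcode, NUL-terminated filename, NUL-terminated mode.
    Returns (opcode, filename, mode) or None if the datagram is not a request."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, then the empty piece after the final NUL
        return None
    filename = fields[0].decode("ascii", errors="replace")
    mode = fields[1].decode("ascii", errors="replace").lower()
    if mode not in ("netascii", "octet", "mail"):
        return None
    return opcode, filename, mode


def classify_request(src_ip: str, payload: bytes, allowed_src: set):
    """Return a finding for a read of a phone config from outside allowed_src.
    Nothing in the datagram authenticates the requester; src_ip is the only
    'identity' available, and a UDP source address can be forged."""
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return None
    opcode, filename, mode = parsed
    m = SEP_CONFIG_RE.match(filename)
    if opcode != OP_RRQ or m is None or src_ip in allowed_src:
        return None
    return {"src_ip": src_ip, "mac": m.group(1).upper(), "filename": filename, "mode": mode}


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Build a read request as a phone would send it (used for constructed samples)."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


if __name__ == "__main__":
    # Constructed sample: config read from an address not on the ACL (203.0.113.7)
    print(classify_request("203.0.113.7", build_rrq("SEP001122AABBCC.cnf.xml"), {"198.51.100.10"}))
```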
3

Cisco Small Business (SPA3xx, SPA5xx) phones support provisioning over HTTPS with mutual SSL authentication - the client can authenticate the provisioning server and the server can also authenticate the client based on the client's built-in certificate. That's the way to do it securely over the internet - forget about TFTP. See the full provisioning guide from Cisco - it's way too much info to post here.

hcsteve
  • 361
2

TFTP over the internet is never a good approach. You will run into several problems with firewalls, NAT, and timeout-related aborted transfers. Considering your constraints, you should probably think of securely distributing (i.e. a password-protected download) the phone configuration file with a small-footprint portable TFTP server; then, when the update is required, the phone being updated will find a locally hosted TFTP server with the required config file.

Pat
  • 3,619
-2

Ask this question: how does Vonage do it? If you do something for money, you better have some security in place. I'm sure they upgrade infrastructure all the time.

If you're not too concerned about security within the employees' homes, a router set up to connect to the company's VPN might be useful. Connect your IP phone to that.

Andy
  • 1