CPE / ACS Management Application is an application that use CPE WAN Management Protocol (CWMP) on CPE and ACS. This application is not specified by CWMP and may be represented as different services, GUI applications, etc.
RPC is a set of RPC methods used in interaction between ACS and CPE, described in the CWMP specification.
SOAP - all messages transmitted between ACS and CPE which converted to XML format. The application of SOAP allows you to provide a platform-independent solution, to leave implementation of specific applications.
HTTP is selected as a transport protocol for SOAP requests due to its popularity. It is supposed that in most cases, the firewall settings imply transmission of traffic through http ports, respectively, implementation of CWMP will not require a significant revision of corporate information security policies SSL / TLS. (The appropriate traffic encryption methods are used during data transfer between CPE and ACS to ensure confidentiality and integrity of transmitted information). Authentication of CWMP-communicating parties using certificates is used.
TCP / IP - all messages transmitted between ACS and CPE in accordance with TR-069, should be transmitted using TCP protocol to ensure their guaranteed delivery. The use of TCP is also determined by the need to work under NAT conditions.
Objectives of TR-069 specification developers
In terms of information security, the developers of TR-069 specification were focused on achievement the following objectives:
- Prevention of falsification of CPE or ACS control functions in case of interaction between CPE and ACS
- Ensuring the confidentiality of connection between CPE and ACS
- Provision of authentication capabilities for each type of transaction
- Prevention of unauthorized use of services
For effective and successful goal accomplishment is recommended to use the SSL 3.0 and / or TLS 1.0 protocols mentioned above. Another way of security is common http authentication using username and password. TR-069 defines application of both protocols SSL and TLS from ACS side. It is necessary to ensure that the most convenient for the CPE authentication option is supported. The mechanisms for issuing and revoking of certificates are not defined by TR-069 specification:
- Usage of HTTPS is highly recommended (whole communication with the ACS will be encrypted and resistant to eavesdropping)
- A proper strict configuration of the device's firewall can improve the security (a range of IP addresses that perform Connection Request should be limited to a safe pool)
- Device authentication uses username and password (by default HTTP Digest so the password is not sent publicly)
- Usage of unique usernames per device as well as random and individual passwords can significantly improve security
- SSL/TLS certificates can be used to mutually verify ACS' and device's identities