How can I make an internet facing TFTP server secure?

Solution 1:

You would make TFTP access over the internet secure the same way you'd make access to anything over the internet secure. By going through a VPN.

Cisco's IP phones can be set up to use a VPN, and someone even put together a handy doc around common issues with this setup that you might want to take a look at.

Solution 2:

Then you can't do it. You've rejected another protocol that permits authenticating the requestor (hcsteve's answer) and you've rejected a VPN which would have allowed TFTP to be tunneled through an authenticated service (Hopeless N00b.*'s answer), so you're stuck with stock TFTP.

RFC 1350 makes it fairly clear, in section 1, that authentication is not an option:

The only thing [TFTP] can do is read and write files (or mail) from/to a remote server. It cannot list directories, and currently has no provisions for user authentication.

If you insist that the configuration files not be indiscriminately available, you will need to rethink your architecture.

Solution 3:

Cisco Small Business (SPA3xx, SPA5xx) phones support provisioning over HTTPS with mutual SSL authentication - the client can authenticate the provisioning server and the server can also authenticate the client based on the client's built-in certificate. That's the way to do it securely over the internet - forget about TFTP. See the full provisioning guide from Cisco - it's way too much info to post here.

Solution 4:

TFTP over internet is never a good approach. you will run into several problems with firewalls,NAT, and timeout related aborted transfers. Considering your constraints probably you should think of securely distributing (i.e. a password protected download) the phone configuration file with a small footprint portable TFTP server; then when the update is required the being updated phone will find a locally hosted TFTP server with the reqd conf file.