@colton.conor Indeed, TR069 is designed to be used over TLS, so it's secure by default. Well, that's what it says on the tin. Like all software, TR069 is only as secure as the next zero day exploit. ACS servers are a golden goose target for hackers. An interesting background read: Best Practices for Securing TR-069
As for rollout times, you'll obviously want to push updates ASAP, but with TR069, clients can be trailing weeks behind the latest build. But as things stand, TR069 is the best supported and understood technology.
On the subject of updates and security, you must consider whether your client boxes are going to be flashed with a secure bootloader. This is a bootloader which prohibits unauthorized changes - such as reflashing with malware - by authenticating the firmware before the OS starts. Customer routers that allow over-the-wire updates must have secure bootloaders to maintain their integrity. The provisioning of private/public keys adds extra costs to your rollout, but avoids future litigation.
Yes, there are lots of Linux management systems, most of them not specifically tailored for embedded-type hardware. For example, desktops would primarily just install new packages, but routers should probably download and install whole images.
If I were going to do something like this, I'd want to do telemetry via MQTT or similar and updates probably by HTTPS with a self-managed certificate trust system (i.e. a client cert signed by my signing cert pre-installed on the device; the device connects to my system, provides its client cert, checks my website's cert, and only then gets a valid firmware image to download and install via sysupgrade).
You could do a similar thing for configs by having it request a UCI config via mutually authenticated HTTPS, and you could trigger the request via MQTT messages.
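The trust model sketched in the reply above (the ISP runs its own CA, each router ships with a client cert signed by it, the router checks the update server's cert before it will accept an image), combined with the earlier point about authenticating firmware with a key pair rather than trusting the transport alone, as an added worked example in Go. This is editor-added code, not code from anyone in this thread and not part of OpenWrt, OpenWISP or any ACS. Everything concrete in it is assumed: the hostname updates.example.net, the device name router-0001, the paths /firmware.bin and /firmware.sig, a one-day certificate lifetime, and an ECDSA P-256 firmware-signing key whose public half is pinned on the device. The poster only specified mutual TLS; the detached-signature check is an extension that stands in, on the sysupgrade path, for the verification a secure bootloader does at boot.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // PKI setup errors are demo bugs

// tmpl is a one-day certificate template; callers add CA flags or SANs as needed.
func tmpl(cn string, serial int64, eku ...x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, BasicConstraintsValid: true,
	}
}

// issue generates a P-256 key and signs t with parentKey; with parent == nil it self-signs (a root).
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, must(x509.ParseCertificate(der)), key
}

// SetupPKI builds the ISP's private root, a server cert for the (hypothetical) update host, the device
// cert pre-installed on the router, and an offline firmware-signing key whose public half is pinned on it.
func SetupPKI() (roots *x509.CertPool, server, device tls.Certificate, signKey *ecdsa.PrivateKey) {
	caT := tmpl("ISP Device CA", 1)
	caT.IsCA, caT.KeyUsage = true, caT.KeyUsage|x509.KeyUsageCertSign
	_, ca, caKey := issue(caT, nil, nil)
	srvT := tmpl("updates.example.net", 2, x509.ExtKeyUsageServerAuth)
	srvT.DNSNames = []string{"updates.example.net"}
	server, _, _ = issue(srvT, ca, caKey)
	device, _, _ = issue(tmpl("router-0001", 3, x509.ExtKeyUsageClientAuth), ca, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, server, device, must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// StartUpdateServer serves the image and its detached ECDSA signature, but only to clients whose
// certificate chains to roots; everyone else is refused during the TLS handshake.
func StartUpdateServer(roots *x509.CertPool, server tls.Certificate, signKey *ecdsa.PrivateKey, image []byte) *httptest.Server {
	digest := sha256.Sum256(image)
	sig := must(ecdsa.SignASN1(rand.Reader, signKey, digest[:]))
	mux := http.NewServeMux()
	mux.HandleFunc("/firmware.bin", func(w http.ResponseWriter, _ *http.Request) { w.Write(image) })
	mux.HandleFunc("/firmware.sig", func(w http.ResponseWriter, _ *http.Request) { w.Write(sig) })
	s := httptest.NewUnstartedServer(mux)
	s.TLS = &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: roots,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	s.StartTLS()
	return s
}

// FetchFirmware is the device side: mutual TLS trusting only the ISP root (not the system store), then
// a signature check with the pinned key before the image would be handed to sysupgrade.
func FetchFirmware(baseURL, serverName string, roots *x509.CertPool, device tls.Certificate, signPub *ecdsa.PublicKey) ([]byte, error) {
	hc := &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs: roots, ServerName: serverName, Certificates: []tls.Certificate{device}, MinVersion: tls.VersionTLS12}}}
	get := func(path string) ([]byte, error) {
		resp, err := hc.Get(baseURL + path)
		if err != nil {
			return nil, err
		}
		defer resp.Body.Close()
		return io.ReadAll(resp.Body) // a non-image body (e.g. a 404 page) simply fails the signature check
	}
	image, errI := get("/firmware.bin")
	sig, errS := get("/firmware.sig")
	if errI != nil || errS != nil {
		return nil, fmt.Errorf("download failed: %v %v", errI, errS)
	}
	digest := sha256.Sum256(image)
	if !ecdsa.VerifyASN1(signPub, digest[:], sig) {
		return nil, fmt.Errorf("firmware signature invalid: refusing to hand image to sysupgrade")
	}
	return image, nil
}

func main() {
	roots, server, device, signKey := SetupPKI()
	s := StartUpdateServer(roots, server, signKey, []byte("constructed sample image, not a real sysupgrade file"))
	fmt.Println(FetchFirmware(s.URL, "updates.example.net", roots, device, &signKey.PublicKey))
}
```

Both sides run in one process here so the exchange can be observed offline; on a real box FetchFirmware's return value is what you would write to flash via sysupgrade, and the server's ClientCAs pool is what makes a router with no provisioned cert, or a cert from somebody else's CA, fail before it ever sees an image. The signature check is deliberately independent of TLS: compromising the update server yields nothing a device will install unless the offline signing key also leaks, which is the same property the secure-bootloader reply is after at boot time.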
Hi, I'm one of the developers of OpenWISP so my opinion is highly biased of course.
It is not true that OpenWRT is not suitable for ISPs; in fact, many ISPs use OpenWISP to manage thousands of routers (all APs shown on this public map are running OpenWRT and are being managed with OpenWISP). It may not have all the features colton.conor is looking for at the present moment, but it has the basics and can be easily extended, programmed and integrated with other networking solutions.
Moreover, the community is active and the project is moving ahead steadily; by 2019 we should manage to land an integrated monitoring solution, firmware upgrades and a full RESTful API to handle all aspects of the software (now the API is available only for some modules).
There are other organizations and companies in the same situation as colton.conor which are joining forces to build a programmable network solution to manage an OpenWRT-based network that does not restrict their liberty in managing their own network, as many other commercial solutions do.
If you are searching for a platform that is capable of managing any number of multi-brand access points or routers on a single dashboard from the cloud, I would suggest you take a look at Tanaza.
The compatibility list seems pretty dense and they are vendor-agnostic, so open to supporting more models (compatibility list here).
It also comes with a 15-day free trial, so you can give it a try and check if it's the solution you are searching for.
Tanaza is software that lets you manage access points from a dashboard on its cloud, providing you with the firmware to install, so that they can automatically connect to the Tanaza infrastructure with an encrypted connection.
From that moment, you can manage and configure everything from there, since any different brand or model will have the same user interface, which is also a great plus IMO, especially when you have to deal with many different ones.
I did various custom management services for different hotspot providers, hundreds of devices. Did OpenWrt firmware only; UI done by the providers themselves. Not open source, though. In case of interest, PM me, please.