OCS 2007 Advanced Series: Security Mechanisms. 馮立偉, Microsoft Taiwan guest instructor
Prerequisites (Level 300): a working knowledge of MTLS and TLS, the Edge Servers, SIP, RTP and PSOM, NTLM and Kerberos, and certificates
Agenda: how each stage of OCS 2007 communication works; how each OCS 2007 security component works; how the Edge servers raise the security of communication with external users
Trustworthy Computing Overview. Trustworthy by design: developed under the Security Development Lifecycle. Trustworthy by default: signaling and media are encrypted by default (the one exception is the leg between the Mediation Server and a basic media gateway). Trustworthy by deployment: the planning and deployment guides document security best practices.
Trustworthy Computing: threats that OCS 2007 communications face: compromised-key attack, network denial of service, eavesdropping, identity spoofing, IP address spoofing, man-in-the-middle attack, RTP replay attack, SPIM (IM spam), viruses and worms
OCS 2007 security infrastructure: Microsoft Active Directory Domain Services; Public Key Infrastructure (PKI); Transport Layer Security (TLS), Mutual TLS (MTLS) and Secure Real-time Transport Protocol (SRTP); industry-standard authentication protocols
OCS 2007 security infrastructure: Active Directory objects. Each server role is listed in a trusted server list held in an Active Directory container:
Standard Edition servers and pools / Front End Servers: RTC Service/Global Settings
Conferencing Servers: RTC Service/Trusted MCUs
Web Components Servers: RTC Service/TrustedWebComponentsServers
Mediation Servers and Communicator Web Access servers (also third-party SIP servers): RTC Service/Trusted Services
Proxy Servers: RTC Service/Trusted Proxies
OCS 2007 security infrastructure: PKI, TLS, MTLS, SRTP. Certificates are used for server authentication. A valid certificate is issued by a trusted CA, names the FQDN of the server (or of the load balancer VIP for a pool) and carries the Server Authentication EKU. SIP, HTTP and PSOM are protected by TLS or MTLS encryption; media is protected by SRTP. The Mediation Server to gateway leg is not encrypted.
OCS 2007 security infrastructure: trusted connections (diagram)
OCS 2007 security infrastructure: authentication. All users are authenticated, including anonymous users. Internal users authenticate with Kerberos. Remote users authenticate with NTLM against the Director. The Access Edge does not authenticate users itself, but it validates SIP URIs and headers. Anonymous users authenticate with Digest and must present a valid conference key. Federated users are authenticated by their own enterprise.
OCS 2007 security infrastructure: hardening the core. Keep servers fully patched; review security permissions and delegated administrative rights; control physical access; disable unnecessary services; protect the database servers.
Edge Server security: the Internet perimeter. Edge servers and the reverse proxy control the traffic that crosses the corporate firewall.
Edge Server security: Access Edge. It is the single point through which SIP traffic enters and leaves the enterprise. The Access Edge must not be a domain member. It enforces routing rules per SIP domain, validates the headers of incoming messages, authenticates remote federation servers and validates federation traffic, and forwards user traffic to the Director for authentication.
Edge Server security: ports. The A/V Edge is a trusted point through which media enters and leaves the enterprise. External ports: TCP/443 and UDP/3478 for address allocation, authenticated with A/V Edge server credentials that are delivered to the client over SIP; UDP/50,000-59,999 and TCP/50,000-59,999 for media. A single process owns these ports, so opening the range does not add attack surface: nothing listens on unused ports, and allocation within the range is random.
Edge Server security: Web Conferencing authentication. Federated users are authenticated inside their own enterprise. Anonymous users are authenticated with the conference key carried in the conference invitation. The authorization token and the decryption key for the conference content are delivered over the SIP channel.
Edge Server security: firewall and ports. Only the Access Edge and the reverse proxy initiate connections into the internal network. The A/V Edge server addresses must be publicly routable (no NAT). Details are in the OCS 2007 Edge Server Deployment Guide.
Edge Server security: reverse proxy. It publishes address book download, distribution group expansion and conference content download. Detailed configuration steps are provided for Microsoft Internet Security and Acceleration (ISA) Server 2006.
Edge Server security: deployment best practices. Deploy the Edge servers on a dedicated subnet with controlled routing; physically separate the internal and external networks; remove unnecessary services.
Mediation Server security. Communication between the Mediation Server and the gateway is not encrypted, so deploy both in a physically secure environment.
Web Components Server security. Reverse proxy configuration: see the Edge Server Deployment Guide. Authentication for address book download and distribution group expansion. Conference content security: content encryption and authorization for presentation download.
Certificates
What are TLS and MTLS? Transport Layer Security (TLS): encryption between client and server; the server presents a certificate and the client verifies it. Mutual Transport Layer Security (MTLS): encryption between servers; both sides present a certificate and verify the peer's. TLS requires certificates.
How does OCS use TLS and certificates?
How OCS uses MTLS and certificates: Pool1 <-MTLS-> Director <-MTLS-> AD (diagram)
©2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Internal connection: Office Communicator -> Pool1 <-MTLS-> Director <-MTLS-> Active Directory (diagram). Office Communicator trusts the CA that issued the certificate used by the Director.
Remote connection: remote user -> firewall (port 443 or 5061) -> Access Edge in the perimeter network (DMZ*) over TLS -> Director <-MTLS-> Pool1 <-MTLS-> Active Directory (diagram). The remote user trusts the CA that issued the certificate used by the Access Edge (AP). * Perimeter network, also known as DMZ, demilitarized zone, or screened subnet.
Direct federation: Enterprise A Communications Server 2007 <-MTLS-> Enterprise A Access Edge <-MTLS-> Enterprise B Access Edge <-MTLS-> Enterprise B Communications Server 2007, with Communications Server clients on each side (diagram).
Public Instant Messaging Connectivity with MSN, AOL and Yahoo: Enterprise A's Communications Server 2007 Access Edge connects over MTLS to the provider's Live Communications Server 2005 Access Proxy / SIP proxy, which fronts the provider's Live Communications Server clients (diagram). Federation uses the public SIP namespace: an A host record plus the _sipfederationtls._tcp SRV record for the SIP domain.
Certificate subject name (1). The certificate's subject name must match the DNS A host record name, and the name may also appear in the Subject Alternative Name (SAN). Type: Server Authentication EKU, from a template similar to a Secure Sockets Layer (SSL)/web server certificate. The full certificate chain is needed so the name can be trusted back to a CA.
Certificate subject name (2): the most confusing part of certificates. The subject name (CN) must match the fully qualified domain name (FQDN) of the Communications Server Standard Edition server, or the FQDN of the Communications Server Enterprise Edition pool; in both cases this is the DNS A host record. The certificate's friendly name is only a display label in the certificate store and is not checked, so a NetBIOS name or a descriptive label in the CN will fail.
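The check a practitioner applies to a candidate certificate, as an added example that is not code from the deck or from OCS. It encodes the three rules above: the role FQDN (server, or pool / load balancer VIP name) must appear in the subject CN or the DNS SAN, the Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present, and the issuer must be a CA the deployment trusts. Certificates are plain dicts in the shape `ssl.SSLSocket.getpeercert()` returns; the `extendedKeyUsage` and `friendlyName` keys and the `contoso.com` names are assumptions made for the example, since `getpeercert()` exposes neither extensions nor store metadata.

```python
"""Certificate-name check for Communications Server roles (added example)."""

SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"


def _rdn_values(name, attr):
    """Every value of one attribute (e.g. commonName) in a getpeercert()-style name tuple."""
    return [value for rdn in name for key, value in rdn if key == attr]


def cert_dns_names(cert):
    """Names the certificate is valid for: subject CN plus every DNS SAN entry, lower-cased."""
    names = _rdn_values(cert.get("subject", ()), "commonName")
    names += [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [n.lower() for n in names]


def name_matches(pattern, fqdn):
    """Case-insensitive exact match; a leading wildcard covers exactly one label."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern == fqdn:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                                   # ".contoso.com"
        head = fqdn[: -len(suffix)] if fqdn.endswith(suffix) else ""
        return bool(head) and "." not in head
    return False


def check_role_certificate(cert, fqdn, trusted_ca_names):
    """Return the reasons the certificate cannot serve the role at `fqdn`; [] means it passes.

    The friendly name is deliberately never read: it is a store label, not an identity.
    Issuer trust is reduced to a CN lookup here (assumption); a real check builds the chain.
    """
    problems = []
    if not any(name_matches(n, fqdn) for n in cert_dns_names(cert)):
        problems.append(f"no subject CN or DNS SAN entry matches {fqdn}")
    if SERVER_AUTH_EKU not in cert.get("extendedKeyUsage", ()):
        problems.append("Server Authentication EKU (1.3.6.1.5.5.7.3.1) is missing")
    issuer_cns = _rdn_values(cert.get("issuer", ()), "commonName")
    if not any(cn in trusted_ca_names for cn in issuer_cns):
        problems.append(f"issuer {issuer_cns} is not a trusted CA")
    return problems


# Constructed sample data; the names are hypothetical, not from the deck.
TRUSTED_CAS = {"Contoso Root CA"}

POOL_CERT = {                       # a correct Enterprise Edition pool certificate
    "subject": ((("commonName", "pool1.contoso.com"),),),
    "issuer": ((("commonName", "Contoso Root CA"),),),
    "subjectAltName": (("DNS", "pool1.contoso.com"), ("DNS", "sip.contoso.com")),
    "extendedKeyUsage": (SERVER_AUTH_EKU,),
    "friendlyName": "OCS pool cert",
}

BAD_CERT = {                        # NetBIOS name in the CN, wrong EKU, "correct" friendly name
    "subject": ((("commonName", "POOL1"),),),
    "issuer": ((("commonName", "Contoso Root CA"),),),
    "subjectAltName": (),
    "extendedKeyUsage": ("1.3.6.1.5.5.7.3.2",),    # Client Authentication only
    "friendlyName": "pool1.contoso.com",           # a matching friendly name does not help
}

if __name__ == "__main__":
    for label, cert in (("pool", POOL_CERT), ("bad", BAD_CERT)):
        print(label, check_role_certificate(cert, "pool1.contoso.com", TRUSTED_CAS) or "OK")
```

The second sample reproduces the mistake the slide warns about: the store shows a friendly name that looks right, yet the CN is the short host name and the template was a client certificate, so both the name check and the EKU check fail.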
Demonstration: understanding digital certificate properties
Advanced certificate configuration: collocated Edge Server certificates for remote user access, federation, public Internet connectivity, A/V conferencing and web conferencing
What is a collocated Edge Server? One server that provides communication with the outside world by hosting the Access Edge, A/V Edge and Web Conferencing Edge roles together. It does not need Active Directory, does not perform user authentication, and accepts only TLS-encrypted traffic.
Required DNS configuration (collocated Edge Server). External: an SRV record _sipfederationtls._tcp.<SIP domain> for federation and PIC; an SRV record _sip._tls.<SIP domain> (for example _sip._tls.company.com) for TLS external (remote) access; an external DNS A record that resolves the external name of the Web Conferencing Edge Server; an external DNS A record that resolves the external name of the A/V Edge Server, whose IP address must be publicly routable. Internal: an internal DNS A record that resolves the internal FQDN of the Edge Server to its internal IP address.
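A checker for the external records just listed, as an added example that is not code from the deck or from OCS. Given the SIP domain and the three external Edge names it derives the required records (the federation SRV on 5061 and the remote-access SRV on 443 both pointing at the Access Edge, plus one A host record per external Edge name) and then reports the mistakes that commonly break remote access, federation or A/V: a missing SRV, an SRV with the wrong port or a target that has no A record, a CNAME where an A host record is required, and an A/V Edge address that is not publicly routable. The zone is a hand-built dict of `{name: [(type, value), ...]}`; `contoso.com`, the host names and the addresses are constructed placeholders.

```python
"""Required external DNS records for a collocated Edge Server (added example)."""
import ipaddress


def required_external_records(sip_domain, access_edge, webconf_edge, av_edge):
    """Map record name -> (type, expected value); SRV values are (port, target)."""
    return {
        f"_sipfederationtls._tcp.{sip_domain}": ("SRV", (5061, access_edge)),  # federation and PIC
        f"_sip._tls.{sip_domain}": ("SRV", (443, access_edge)),                 # remote user access
        access_edge: ("A", None),
        webconf_edge: ("A", None),
        av_edge: ("A", None),
    }


def _has_a_record(zone, name):
    return any(rtype == "A" for rtype, _ in zone.get(name, []))


def check_external_zone(zone, sip_domain, access_edge, webconf_edge, av_edge):
    """Return a list of problems; [] means every required record is present and sane."""
    problems = []
    required = required_external_records(sip_domain, access_edge, webconf_edge, av_edge)
    for name, (rtype, expected) in required.items():
        records = zone.get(name, [])
        values = [v for t, v in records if t == rtype]
        if not values:
            if rtype == "A" and any(t == "CNAME" for t, _ in records):
                problems.append(f"{name}: must be an A host record, not a CNAME")
            else:
                problems.append(f"{name}: {rtype} record missing")
            continue
        if rtype == "SRV":
            port, target = values[0]
            if (port, target.lower()) != (expected[0], expected[1].lower()):
                problems.append(f"{name}: SRV should point at port {expected[0]} on {expected[1]}")
            if not _has_a_record(zone, target):
                problems.append(f"{name}: SRV target {target} has no A record")
    # The A/V Edge cannot sit behind NAT: every A record must be a globally routable address.
    for rtype, value in zone.get(av_edge, []):
        if rtype == "A" and not ipaddress.ip_address(value).is_global:
            problems.append(f"{av_edge}: {value} is not publicly routable; the A/V Edge cannot be NATed")
    return problems


# Constructed sample zones (hypothetical names and addresses).
SIP_DOMAIN, ACCESS, WEBCONF, AV = "contoso.com", "sip.contoso.com", "webconf.contoso.com", "av.contoso.com"

GOOD_ZONE = {
    "_sipfederationtls._tcp.contoso.com": [("SRV", (5061, "sip.contoso.com"))],
    "_sip._tls.contoso.com": [("SRV", (443, "sip.contoso.com"))],
    "sip.contoso.com": [("A", "131.107.1.10")],
    "webconf.contoso.com": [("A", "131.107.1.11")],
    "av.contoso.com": [("A", "131.107.1.12")],
}

BAD_ZONE = {
    # no federation SRV at all
    "_sip._tls.contoso.com": [("SRV", (5061, "edge.contoso.com"))],   # wrong port, target has no A record
    "sip.contoso.com": [("A", "131.107.1.10")],
    "webconf.contoso.com": [("CNAME", "sip.contoso.com")],             # CNAME where an A record is required
    "av.contoso.com": [("A", "192.168.10.20")],                        # private address behind NAT
}


def check_sample(zone):
    """Run the checker against the sample SIP domain and Edge names."""
    return check_external_zone(zone, SIP_DOMAIN, ACCESS, WEBCONF, AV)


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_sample(zone) or "OK")
```

Run it before opening the firewall: each line it prints is a record to fix in the public zone, and the A/V address test is the one that is easiest to miss because a NATed A/V Edge resolves and answers STUN but media still fails.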
Configuring the internal edge of a collocated Edge Server: set the IP addresses; assign a single shared certificate whose subject name matches the Edge Server's internal FQDN.
Configuring the external edge of a collocated Edge Server (1): configure the IP addresses; assign certificates. Access Edge: a certificate on the external interface whose subject name matches the external FQDN of the Edge Server.
Configuring the external edge of a collocated Edge Server (2): assign certificates. Web Conferencing Edge: the certificate on the external interface must match the external FQDN of the Web Conferencing Edge Server. A/V Edge: no certificate is needed on the external interface.
Director: authenticates and authorizes remote users; routes each user to the server that homes them; hosts no user accounts; sits in front of the server pool; improves the security of the OCS home servers; is the next hop after the Edge Server.
Installing and deploying certificates. The Certificate Wizard simplifies creating and assigning certificates to most Communications Server 2007 roles; it supports external and internal servers; the CA is selectable; certificates are created by default with exportable private keys (PKCS #12); import and export operations are available.
Certification authorities: which CA should be used, public or private?
Public CA: no change to client configuration, because clients already trust the root CA; recommended for remote access, federation and PIC.
Private CA: more control; no additional cost.
Q&A
Resources
OCS Security Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=2d1ea693-25e0-43d9-8c5c-0822ef83955a&DisplayLang=en
OCS Edge Server Deployment Guide: http://technet.microsoft.com/en-us/library/bb880163.aspx
OCS Planning Guide: http://technet.microsoft.com/en-us/library/bb880158.aspx
Security Development Lifecycle: http://go.microsoft.com/fwlink/?linkid=68761
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. This document may contain information related to pre-release software, which may be substantially modified before its first commercial release. Accordingly, the information may not accurately describe or reflect the software product when first commercially released. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.