OCS 2007 進階系列 - 安全機制探討 馮立偉 台灣微軟特約講師.

Presentation on theme: "OCS 2007 進階系列 - 安全機制探討 馮立偉 台灣微軟特約講師."— Presentation transcript:

1 OCS 2007 進階系列 - 安全機制探討 馮立偉 台灣微軟特約講師

2 需先有初步認知 Level 300 MTLS TLS Edge Servers SIP, RTP, PSOM NTLM, Kerberos
Certificates Level 300

3 議程 說明 OCS 2007 各階段通訊如如何運作 說明 OCS 2007 各項安全元件如何運作
說明 Edge servers 如何提升與外部使用者溝 通時之安全性

4 Trustworthy Computing Overview
Trustworthy by design 以 Security Development Lifecycle 為前提下進行開發 Trustworthy by default 通訊 – 訊號跟媒介 – 預設全部加密 (除了 mediation server 與 basic media gateway 之間) Trustworthy by deployment 在規劃及部署手冊中提供安全性最佳實務

5 Trustworthy Computing OCS 2007 Communications 面臨的風險
Compromised-key attack Network denial of service attack Eavesdropping Identity spoofing IP address spoofing Man-in-the-middle attack RTP replay attack SPIM Viruses and worms

6 OCS 2007 安全性基礎架構 Microsoft ® Active Directory ® Domain Service
Public Key Infrastructure (PKI) Transport Layer Security (TLS), Mutual-TLS (MTLS), Secure Real-time Transport Protocol (SRTP) Industry-standard authentication protocols

7 OCS 2007 安全性基礎架構 Active Directory Objects
Trusted Server List Active Directory Container Standard Edition servers and pool Front End Servers RTC Service/Global Settings Conferencing Servers RTC Service/Trusted MCUs Web Components Servers RTC Service/ TrustedWebComponentsServers Mediation Servers and Communicator Web Access Servers (also 3rd-party SIP servers) RTC Service/Trusted Services Proxy Servers RTC Service/Trusted Proxies

8 OCS 2007 安全性基礎架構 PKI, TLS, MTLS, SRTP
Certificates are used for server authentication Valid certificate Issued by a trusted CA FQDN of server or load balancer VIP Server authentication EKU SIP, HTTP, PSOM protected by TLS or MTLS encryption Media protected by SRTP encryption Mediation server to gateway not encrypted

9 OCS 2007 安全性基礎架構 Trusted Connections

10 OCS 2007 安全性基礎架構 驗證 所有使用者都要驗證 – 包含匿名使用者 內部使用者使用 Kerberos
遠端使用者使用 NTLM 跟 Director 進行驗證 Access Edge 不會執行驗證但是會確認 SIP URIs 及 headers 匿名使用者使用摘要驗證及提供一個有效的會議 鑰匙 邦聯使用者由各自的企業進行驗證

11 OCS 2007 安全性基礎架構 強化核心架構 伺服器更新隨時保持最新 檢查安全性權限及委派管理權限 管控實體存取權限 停用不必要服務
保護資料伺服器

12 Edge Server 安全性 網際網路邊界 Edge servers 及 reverse proxy 控制存取經由企業 防火牆的流量

13 Edge Server 安全性 目錄服務 單一連接點 : SIP 流量進出企業 Access Edge 不要是網域成員
依據 SIP domain 強制 routing rules 確認傳入訊息的表頭 驗證遠端邦聯伺服器及驗證邦聯流量 傳弟流量到 Director 進行驗證 Access Edge 不要是網域成員

14 Edge Server 安全性 Ports 是一個讓媒體進出企業的受信任的連接點 External ports
TCP/443, UDP/3478 For address allocation using A/V Edge server authentication credentials provided via SIP UDP/50,000-59,999, TCP/50,000-59,999 Single process using these ports – no increased attack surface Not listening on unused ports Allocation performed randomly within range

15 Edge Server 安全性 Web Conferencing
驗證 邦聯使用者由各自企業內部進行驗證 匿名使用者經由會議鎖匙及會議邀請中的進行驗證 資料部分的授權 token 及解密的鎖匙由 SIP 通道 中提供

16 Edge Server 安全性 防火牆及 port
只有 Access Edge 及 RP 起始內部連線 A/V Edge server addresses 必須是 publicly routable (不能 用 NAT) 細部說明在 OCS Edge Server 部署手冊 中

17 Edge Server 安全性 Reverse Proxy
通訊錄下載 群組展開 會議內容下載 針對 Microsoft® Internet Security and Acceleration (ISA) Server 2006 提供詳細設定步 驟

18 Edge Server 安全性 部署最佳實務 Deploy Edge servers 放置於專屬子網段以及控制 路由 實體隔離內外網路
移除不必要的服務

19 Mediation Server 安全性 於 Mediation server 及 gateway 之間的通訊沒有 加密 部署於實體安全環境

20 Web Components Server 安全性
Reverse Proxy 設定 請參閱 Edge Server 部署手冊 驗證 通訊錄下載 通訊全組展開 會議資料安全性 針對簡報下載提供內容加密及授權

21 憑證

22 甚麼是 TLS 及 MTLS? Transport Layer Security (TLS)
Client 與 Server 間加密 Mutual Transport Layer Security (MTLS) Server 與 Server 間加密 TLS 需要憑證

23 OCS 如何使用 TLS 及憑證 ?

24 OCS 如何使用 MTLS 及 憑證 Pool1 Director MTLS MTLS AD 1/1/2019 11:06 PM
©2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

25 內部連接 Office Communicator Pool1 Director MTLS MTLS Active Directory
1/1/ :06 PM 內部連接 Office Communicator Trusts the CA of the certificate used by the Director Pool1 Director MTLS MTLS Active Directory ©2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

26 遠端連接 DMZ* TLS Access Edge Firewall Remote user Pool1 Director MTLS
1/1/ :06 PM 遠端連接 Firewall port 443 or 5061 Remote user Trusts the CA of the certificate used by the AP DMZ* Pool1 TLS Director MTLS MTLS Active Directory Access Edge * Perimeter network (also known as DMZ, demilitarized zone, and screened subnet) ©2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

27 1/1/ :06 PM 直接邦聯 MTLS Enterprise A Enterprise B MTLS Communications Server 2007 Access Edge Communications Server 2007 Access Edge MTLS Communications Server 2007 Communications Server 2007 Communications Server clients Communications Server clients © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

28 Public Instant Messaging Connectivity With MSN, AOL, Yahoo
Enterprise A Communications Server 2007 Access Edge Live Communications Server 2005 Access Proxy MTLS MTLS Communications Server 2007 Live Communications Server client Live Communications Server client Live Communications Server client SIP Proxy Live Communications Server 2005 Access Proxy Federation uses Public SIP Namespace A Host Record _sip._federationtls._tcp SRV Record

29 Certificate Subject Name (1)
Certificate Friendly Name Match DNS A Host record name Certificate Subject Alternative Name (SAN) Type = Server Authentication EKU Template similar to Secure Sockets Layer (SSL)/Web Certificate Need certificate chain Trust against a CA

30 Certificate Subject Name (2)
Most confusing part with certificates Certificate Friendly Name must match: Fully qualified domain name “FQDN” of the Communications Server Standard Edition server FQDN of the Communications Server Enterprise Edition Pool A Host record in DNS

31 demonstration Understanding Digital Certificate Properties

32 進階憑證配置技巧 Collocated Edge Server Certificates Remote user access
Federation Public Internet Connectivity A\V conferencing Web conferencing

33 甚麼是 Collocated Edge Server?
提供與外界的通訊 Access Edge A\V Edge Web Edge 不需要 Active Directory 不提供使用這驗證 只允許TLS 加密流量

34 所需之 DNS 配置 (Collocated Edge Server)
External _sip._Federationtls for federation and PIC _sip._tls.company.com for tls external (remote) access An external DNS A record that resolves to the external name of the Web Conferencing Edge Server An external DNS A record that resolves to the external name of the A/V Edge Server This IP address must be a publicly routable IP address Internal An internal DNS A record that resolves the internal FQDN of the Edge Server to internal IP address of the Edge Server

35 設定內部 Edge of Collocated Edge
設定 IP addresses 指派憑證 單一, 共用憑證且目標名稱要跟 Edge Server 的 FQDN 一樣

36 設置外部 Edge of Collocated Edge (1)
Configuring IP addresses Assigning certificates Access Edge - A certificate configured on the external interface with subject name that matches the external FQDN of the Edge Server

37 設置外部 Edge of Collocated Edge (2)
指派憑證 Web Conf Edge – 配置在外部介面上的憑證要和 Web Conferencing Edge Server外部 FQDN 一致 AV Edge – 不需要

38 Director 驗證及授權遠端使用者 把使用者導到所歸屬之伺服器 不放置任何使用者帳號 配置於 server pool 前端
提升 OCS home server 安全性 Edge Server 的下一個連接點

39 安裝及部署憑證 Certificate Wizard simplifies creating and assigning certificates to most Communications Server 2007 roles Support for external and internal servers The CA is selectable Certificates are created by default with exportable private keys (PKCS #12) Import/export operations are available

40 憑證授權中心 該使用哪種憑證授權? 公開 CA 私有 CA 公開 私有
不需要改變 Client 端配置: clients 端已信任 root CA 建議針對 : 遠端存取, 邦聯, 及 PIC 私有 CA 較能管控 沒有額外費用

41 Q&A

42 Resources OCS Security Guide
OCS Edge Server Deployment Guide OCS Planning Guide Security Development Lifecycle

43 © 2007 Microsoft Corporation. All rights reserved
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. This document may contain information related to pre-release software, which may be substantially modified before its first commercial release. Accordingly, the information may not accurately describe or reflect the software product when first commercially released MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.