# Security Frame: Communication Security | Mitigations
## Secure communication to Event Hub using SSL/TLS

Title | Details |
---|---|
Component | Azure Event Hub |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | Event Hubs authentication and security model overview |
Steps | Secure AMQP or HTTP connections to Event Hub using SSL/TLS. |
## Check service account privileges and check that the custom Services or ASP.NET Pages respect CRM's security

Title | Details |
---|---|
Component | Dynamics CRM |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | N/A |
Steps | Check service account privileges and check that the custom Services or ASP.NET Pages respect CRM's security. |
## Use Data Management Gateway while connecting on-premises SQL Server to Azure Data Factory

Title | Details |
---|---|
Component | Azure Data Factory |
SDL Phase | Deployment |
Applicable Technologies | Generic |
Attributes | Linked Service Types - Azure and On-premises |
References | Moving data between On-premises and Azure Data Factory, Data management gateway |
Steps | The Data Management Gateway (DMG) tool is required to connect to data sources which are protected behind the corporate network or a firewall. |
## Ensure that all traffic to Identity Server is over an HTTPS connection

Title | Details |
---|---|
Component | Identity Server |
SDL Phase | Deployment |
Applicable Technologies | Generic |
Attributes | N/A |
References | IdentityServer3 - Keys, Signatures and Cryptography; IdentityServer3 - Deployment |
Steps | By default, IdentityServer requires all incoming connections to come over HTTPS. It is absolutely mandatory that communication with IdentityServer is done over secured transports only. There are certain deployment scenarios, such as TLS offloading, where this requirement can be relaxed. See the Identity Server deployment page in the references for more information. |
## Verify X.509 certificates used to authenticate SSL, TLS, and DTLS connections

Title | Details |
---|---|
Component | Web Application |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | N/A |
Steps | Applications that use SSL, TLS, or DTLS must fully verify the X.509 certificates of the entities they connect to. This includes verification of the certificates for: |
## Configure a TLS/SSL certificate for a custom domain in Azure App Service

Title | Details |
---|---|
Component | Web Application |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | EnvironmentType - Azure |
References | Enable HTTPS for an app in Azure App Service |
Steps | By default, Azure already enables HTTPS for every app with a wildcard certificate for the *.chinacloudsites.cn domain. However, like all wildcard domains, this is not as secure as using a custom domain with your own certificate. It is recommended to enable TLS for the custom domain through which the deployed app will be accessed. |
## Force all traffic to Azure App Service over an HTTPS connection

Title | Details |
---|---|
Component | Web Application |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | EnvironmentType - Azure |
References | Enforce HTTPS on Azure App Service |
Steps | Though Azure already enables HTTPS for Azure App Services with a wildcard certificate for the domain *.chinacloudsites.cn, it does not enforce HTTPS. Visitors may still access the app using HTTP, which may compromise the app's security, so HTTPS has to be enforced explicitly. ASP.NET MVC applications should use the RequireHttps filter, which forces an unsecured HTTP request to be re-sent over HTTPS. Alternatively, the URL Rewrite module, which is included with Azure App Service, can be used to enforce HTTPS. The URL Rewrite module enables developers to define rules that are applied to incoming requests before the requests are handed to the application. URL Rewrite rules are defined in a web.config file stored in the root of the application. |
### Example

The following example contains a basic URL Rewrite rule that forces all incoming traffic to use HTTPS:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Force HTTPS" enabled="true">
          <match url="(.*)" ignoreCase="false" />
          <conditions>
            <!-- Only fire when the request did not arrive over HTTPS -->
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

This rule works by returning an HTTP status code of 301 (permanent redirect) when the user requests a page using HTTP. The 301 redirects the request to the same URL as the visitor requested, but replaces the HTTP portion of the request with HTTPS. For example, HTTP://contoso.com would be redirected to HTTPS://contoso.com.
## Enable HTTP Strict Transport Security (HSTS)

Title | Details |
---|---|
Component | Web Application |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | OWASP HTTP Strict Transport Security Cheat Sheet |
Steps | HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click-through prompts in browsers. To implement HSTS, the following response header has to be configured for the website globally, either in code or in config: `Strict-Transport-Security: max-age=300; includeSubDomains`. HSTS addresses the following threats: |
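As an added example (not part of the original page), the following Python parses a `Strict-Transport-Security` header value under the RFC 6797 rules a browser applies (directive names are case-insensitive, `max-age` is mandatory, a repeated directive invalidates the header) and reports what the browser will enforce. The sample header is the page's own value; the `min_age` threshold is a caller-supplied assumption, not a value from the page.

```python
"""Parse and evaluate a Strict-Transport-Security response header (RFC 6797)."""
import re

# Constructed sample: the header value the page recommends configuring globally.
PAGE_HEADER = "max-age=300; includeSubDomains"

# directive-name [ "=" ( quoted-string | token ) ]
_DIRECTIVE = re.compile(r'''^([A-Za-z0-9!#$%&'*+\-.^_`|~]+)(?:=("[^"]*"|[^";\s]+))?$''')


def parse_hsts(header_value):
    """Return {directive_name_lowercased: value_or_None}.

    Raises ValueError on anything a user agent would reject: a malformed
    directive, a directive that appears more than once, or a missing or
    non-numeric max-age.
    """
    directives = {}
    for raw in header_value.split(";"):
        part = raw.strip()
        if not part:  # empty elements between ';' are permitted
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            raise ValueError(f"malformed directive: {part!r}")
        name, value = m.group(1).lower(), m.group(2)
        if name in directives:
            raise ValueError(f"directive {name!r} appears more than once")
        if value is not None and value.startswith('"'):
            value = value[1:-1]  # unwrap quoted-string
        directives[name] = value
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    if not (directives["max-age"] or "").isdigit():
        raise ValueError("max-age must be a non-negative integer")
    return directives


def evaluate_hsts(header_value, min_age):
    """Summarise the policy a browser will enforce and compare max-age to min_age."""
    d = parse_hsts(header_value)
    max_age = int(d["max-age"])
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in d,
        "preload": "preload" in d,
        "meets_min_age": max_age >= min_age,
        # max-age=0 instructs the browser to forget the host's HSTS policy
        "policy_cleared": max_age == 0,
    }


if __name__ == "__main__":
    print(evaluate_hsts(PAGE_HEADER, min_age=300))
```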
## Ensure SQL Server connection encryption and certificate validation

Title | Details |
---|---|
Component | Database |
SDL Phase | Build |
Applicable Technologies | SQL Azure |
Attributes | SQL Version - V12 |
References | Best Practices on Writing Secure Connection Strings for SQL Database |
Steps | All communications between SQL Database and a client application are encrypted using Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), at all times. SQL Database doesn't support unencrypted connections. To validate certificates with application code or tools, explicitly request an encrypted connection and do not trust the server certificates. If your application code or tools do not request an encrypted connection, they will still receive encrypted connections; however, they may not validate the server certificates and will thus be susceptible to "man in the middle" attacks. To validate certificates with ADO.NET application code, set |
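As an added example (not part of the original page), the following Python checks an ADO.NET/SqlClient connection string for the two settings described above: encryption explicitly requested (`Encrypt=True`) and server certificate validation left on (`TrustServerCertificate` not set to true). The keyword aliases are the documented SqlClient spellings; the server names and credentials in the samples are constructed placeholders.

```python
"""Check a SqlClient connection string for explicit encryption and certificate validation."""

# SqlClient accepts alternate spellings for the same keyword; fold them to one name.
_ALIASES = {
    "encrypt": "encrypt",
    "use encryption for data": "encrypt",
    "trustservercertificate": "trustservercertificate",
    "trust server certificate": "trustservercertificate",
}


def parse_connection_string(conn):
    """Split 'Key=Value;...' into a dict with lower-cased, alias-folded keys.

    A value wrapped in single quotes, double quotes or braces may contain a
    literal ';' and is returned without its delimiters.
    """
    settings = {}
    i, n = 0, len(conn)
    while i < n:
        eq = conn.find("=", i)
        if eq == -1:
            break
        key = " ".join(conn[i:eq].strip().lower().split())
        j = eq + 1
        while j < n and conn[j] == " ":
            j += 1
        if j < n and conn[j] in "'\"{":
            close = "}" if conn[j] == "{" else conn[j]
            end = conn.find(close, j + 1)
            if end == -1:
                raise ValueError("unterminated quoted value")
            value, i = conn[j + 1:end], conn.find(";", end)
        else:
            end = conn.find(";", j)
            value, i = conn[j:end if end != -1 else n].strip(), end
        i = n if i == -1 else i + 1  # advance past the ';' (or finish)
        if key:
            settings[_ALIASES.get(key, key)] = value
    return settings


def _truthy(value):
    # true/yes are the classic values; Mandatory/Strict are the newer
    # Microsoft.Data.SqlClient Encrypt modes that also require encryption.
    return value.strip().lower() in ("true", "yes", "mandatory", "strict")


def check_sql_transport(conn):
    """Return (ok, reason) for the connection string's transport settings."""
    s = parse_connection_string(conn)
    if not _truthy(s.get("encrypt", "false")):
        return False, "Encrypt is not True: encryption was not requested explicitly"
    if _truthy(s.get("trustservercertificate", "false")):
        return False, "TrustServerCertificate=True: the server certificate is not validated"
    return True, "encrypted connection with server certificate validation"


# Constructed samples: the weak form trusts any certificate, the hardened form does not.
WEAK = ("Server=tcp:example-server.database.windows.net,1433;Encrypt=True;"
        "TrustServerCertificate=True;User ID=app;Password={p;w}")
HARDENED = ("Server=tcp:example-server.database.windows.net,1433;Encrypt=True;"
            "TrustServerCertificate=False;User ID=app;Password={p;w}")

if __name__ == "__main__":
    for label, cs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_sql_transport(cs))
```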
## Force encrypted communication to SQL Server

Title | Details |
---|---|
Component | Database |
SDL Phase | Build |
Applicable Technologies | OnPrem |
Attributes | SQL Version - MsSQL2016, SQL Version - MsSQL2012, SQL Version - MsSQL2014 |
References | Enable Encrypted Connections to the Database Engine |
Steps | Enabling TLS encryption increases the security of data transmitted across networks between instances of SQL Server and applications. |
## Ensure that communication to Azure Storage is over HTTPS

Title | Details |
---|---|
Component | Azure Storage |
SDL Phase | Deployment |
Applicable Technologies | Generic |
Attributes | N/A |
References | Azure Storage Transport-Level Encryption - Using HTTPS |
Steps | To ensure the security of Azure Storage data in transit, always use the HTTPS protocol when calling the REST APIs or accessing objects in storage. Also, Shared Access Signatures, which can be used to delegate access to Azure Storage objects, include an option to specify that only the HTTPS protocol can be used with the signature, ensuring that anybody sending out links with SAS tokens will use the proper protocol. |
## Validate the MD5 hash after downloading a blob if HTTPS cannot be enabled

Title | Details |
---|---|
Component | Azure Storage |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | StorageType - Blob |
References | Windows Azure Blob MD5 Overview |
Steps | The Windows Azure Blob service provides mechanisms to ensure data integrity both at the application and transport layers. If for any reason you need to use HTTP instead of HTTPS and you are working with block blobs, you can use MD5 checking to help verify the integrity of the blobs being transferred. This will help with protection from network/transport layer errors, but not necessarily with intermediary attacks. If you can use HTTPS, which provides transport-level security, then MD5 checking is redundant and unnecessary. |
## Use an SMB 3.0 compatible client to ensure in-transit data encryption to Azure File shares

Title | Details |
---|---|
Component | Mobile Client |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | StorageType - File |
References | Azure File Storage, Azure File Storage SMB Support for Windows Clients |
Steps | Azure File Storage supports HTTPS when using the REST API, but is more commonly used as an SMB file share attached to a VM. SMB 2.1 does not support encryption, so connections are only allowed within the same region in Azure. However, SMB 3.0 supports encryption and can be used with Windows Server 2012 R2, Windows 8, Windows 8.1, and Windows 10, allowing cross-region access and even access from the desktop. |
## Implement Certificate Pinning

Title | Details |
---|---|
Component | Azure Storage |
SDL Phase | Build |
Applicable Technologies | Generic, Windows Phone |
Attributes | N/A |
References | Certificate and Public Key Pinning |
Steps | Certificate pinning defends against Man-In-The-Middle (MITM) attacks. Pinning is the process of associating a host with its expected X509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host. Thus, when an attacker attempts a TLS MITM attack, the key presented by the attacker's server during the TLS handshake differs from the pinned certificate's key, so the request is dropped and the MITM is prevented. This can be achieved by implementing ServicePointManager's |
### Example

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;

namespace CertificatePinningExample
{
    class CertificatePinningExample
    {
        /* Note: In this example, we're hardcoding the certificate's public key and algorithm for
           demonstration purposes. In a real-world application, this should be stored in a secure
           configuration area that can be updated as needed. */
        private static readonly string PINNED_ALGORITHM = "RSA";
        private static readonly string PINNED_PUBLIC_KEY = "3082010A0282010100B0E75B7CBE56D31658EF79B3A1" +
            "294D506A88DFCDD603F6EF15E7F5BCBDF32291EC50B2B82BA158E905FE6A83EE044A48258B07FAC3D6356AF09B2" +
            "3EDAB15D00507B70DB08DB9A20C7D1201417B3071A346D663A241061C151B6EC5B5B4ECCCDCDBEA24F051962809" +
            "FEC499BF2D093C06E3BDA7D0BB83CDC1C2C6660B8ECB2EA30A685ADE2DC83C88314010FFC7F4F0F895EDDBE5C02" +
            "ABF78E50B708E0A0EB984A9AA536BCE61A0C31DB95425C6FEE5A564B158EE7C4F0693C439AE010EF83CA8155750" +
            "09B17537C29F86071E5DD8CA50EBD8A409494F479B07574D83EDCE6F68A8F7D40447471D05BC3F5EAD7862FA748" +
            "EA3C92A60A128344B1CEF7A0B0D94E50203010001";

        public static void Main(string[] args)
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://www.azure.cn/");
            request.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
            {
                if (certificate == null || sslPolicyErrors != SslPolicyErrors.None)
                {
                    // Error getting certificate or the certificate failed basic validation
                    return false;
                }
                // Compare the presented key algorithm and public key against the pinned values
                var targetKeyAlgorithm = new Oid(certificate.GetKeyAlgorithm()).FriendlyName;
                var targetPublicKey = certificate.GetPublicKeyString();
                if (targetKeyAlgorithm == PINNED_ALGORITHM &&
                    targetPublicKey == PINNED_PUBLIC_KEY)
                {
                    // Success, the certificate matches the pinned value.
                    return true;
                }
                // Reject, either the key or the algorithm does not match the expected value.
                return false;
            };
            try
            {
                var response = (HttpWebResponse)request.GetResponse();
                Console.WriteLine($"Success, HTTP status code: {response.StatusCode}");
            }
            catch (Exception ex)
            {
                Console.WriteLine($"Failure, {ex.Message}");
            }
            Console.WriteLine("Press any key to end.");
            Console.ReadKey();
        }
    }
}
```
## Enable HTTPS - Secure Transport channel

Title | Details |
---|---|
Component | WCF |
SDL Phase | Build |
Applicable Technologies | .NET Framework 3 |
Attributes | N/A |
References | MSDN, Fortify Kingdom |
Steps | The application configuration should ensure that HTTPS is used for all access to sensitive information. From a practical point of view, the people responsible for securing the network do not always track the security requirements of the application as they evolve. |
## WCF: Set Message security Protection level to EncryptAndSign

Title | Details |
---|---|
Component | WCF |
SDL Phase | Build |
Applicable Technologies | .NET Framework 3 |
Attributes | N/A |
References | MSDN |
Steps | Consider turning off encryption and only signing your message when you just need to validate the integrity of the information without concerns of confidentiality. This may be useful for operations or service contracts in which you need to validate the original sender but no sensitive data is transmitted. When reducing the protection level, be careful that the message does not contain any personal data. |
### Example

Configuring the service and the operation to only sign the message is shown in the following examples.

Service Contract Example of ProtectionLevel.Sign: The following is an example of using ProtectionLevel.Sign at the Service Contract level:

```csharp
using System.Net.Security;
using System.ServiceModel;

// Every operation on this contract is signed but not encrypted.
[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface IService
{
    [OperationContract]
    string GetData(int value);
}
```

### Example

Operation Contract Example of ProtectionLevel.Sign (for Granular Control): The following is an example of using ProtectionLevel.Sign at the OperationContract level:

```csharp
// Only this operation drops to sign-only; the contract's level applies elsewhere.
[OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
string GetData(int value);
```
## WCF: Use a least-privileged account to run your WCF service

Title | Details |
---|---|
Component | WCF |
SDL Phase | Build |
Applicable Technologies | .NET Framework 3 |
Attributes | N/A |
References | MSDN |
Steps | If your service needs to access specific resources on behalf of the original caller, use impersonation and delegation to flow the caller's identity for a downstream authorization check. In a development scenario, use the local network service account, which is a special built-in account that has reduced privileges. In a production scenario, create a least-privileged custom domain service account. |
## Force all traffic to Web APIs over an HTTPS connection

Title | Details |
---|---|
Component | Web API |
SDL Phase | Build |
Applicable Technologies | MVC5, MVC6 |
Attributes | N/A |
References | Enforcing SSL in a Web API Controller |
Steps | If an application has both an HTTPS and an HTTP binding, clients can still use HTTP to access the site. To prevent this, use an action filter to ensure that requests to protected APIs are always over HTTPS. |

### Example

The following code shows a Web API authorization filter that checks for TLS:

```csharp
using System;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // Reject the request before the action runs unless it arrived over HTTPS
        if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
            {
                ReasonPhrase = "HTTPS Required"
            };
        }
        else
        {
            base.OnAuthorization(actionContext);
        }
    }
}
```

Add this filter to any Web API actions that require TLS:

```csharp
using System.Net.Http;
using System.Web.Http;

public class ValuesController : ApiController
{
    [RequireHttps]
    public HttpResponseMessage Get() { ... }
}
```
## Ensure that communication to Azure Cache for Redis is over TLS

Title | Details |
---|---|
Component | Azure Cache for Redis |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | Azure Redis TLS support |
Steps | Redis server does not support TLS out of the box, but Azure Cache for Redis does. If you are connecting to Azure Cache for Redis and your client supports TLS, like StackExchange.Redis, then you should use TLS. By default, the non-TLS port is disabled for new Azure Cache for Redis instances. Ensure that the secure defaults are not changed unless a Redis client depends on non-TLS access. |

Please note that Redis is designed to be accessed by trusted clients inside trusted environments. This means that it is usually not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.
## Secure Device to Field Gateway communication

Title | Details |
---|---|
Component | IoT Field Gateway |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | N/A |
Steps | For IP-based devices, the communication protocol can typically be encapsulated in an SSL/TLS channel to protect data in transit. For other protocols that do not support SSL/TLS, investigate whether there are secure versions of the protocol that provide security at the transport or message layer. |
## Secure Device to Cloud Gateway communication using SSL/TLS

Title | Details |
---|---|
Component | IoT Cloud Gateway |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | Choose your Communication Protocol |
Steps | Secure HTTP/AMQP or MQTT protocols using SSL/TLS. |