Workloads can run on devices ranging from a Raspberry Pi to a converged edge server. You use Azure IoT Hub to manage your edge applications and devices. DevOps personnel in your organization can deploy and iterate containerized applications that IT builds and supports via traditional VM management processes and tools. This section describes at a high level how to acquire hardware for branch office and edge deployments on Azure Stack HCI and use Windows Admin Center for management.
It also covers deploying Azure IoT Edge to manage containers in the cloud. First, you'll need to procure hardware. In the catalog, you can filter to see vendor hardware that is optimized for this type of workload.
For information on supported operating system versions, VM types, processor architectures, and system requirements, see Azure IoT Edge supported systems. In the Azure portal, create an Azure IoT hub. In the Azure portal, register an IoT Edge device. In addition, the following Windows Server R2 operating systems can be used as BranchCache hosted cache servers:
BranchCache implements a secure-by-design approach that works alongside your existing network security architecture, without requiring additional equipment or complex additional security configuration.
BranchCache is non-invasive and does not alter any Windows authentication or authorization processes. After you deploy BranchCache, authentication is still performed using domain credentials, and the way in which authorization with Access Control Lists (ACLs) functions is unchanged.
In addition, other configurations continue to function just as they did before BranchCache deployment. The BranchCache security model is based on the creation of metadata, which takes the form of a series of hashes. These hashes are also called content information. Cached data is kept encrypted and cannot be accessed by clients that do not have permission to access content from the original source.
Clients must be authenticated and authorized by the original content source before they can retrieve content metadata, and must possess content metadata to access the cache in the local office. Because content information is created from multiple elements, the value of the content information is always unique. These elements include configuration parameters, such as the hashing algorithm and block size, and a server secret. To generate content information, the content server divides the content into segments and then subdivides those segments into blocks.
BranchCache uses secure cryptographic hashes to identify and verify each block and segment, supporting the SHA hash algorithm. All content servers must be configured with a server secret, which is a binary value of arbitrary length. The use of a server secret ensures that client computers are not able to generate the content information themselves. This prevents malicious users from using brute-force attacks with BranchCache-enabled client computers to guess minor changes in content across versions in situations in which the client had access to a previous version but does not have access to the current version.
BranchCache uses the server secret as a key in order to derive a content-specific hash that is sent to authorized clients.
Applying a hashing algorithm to the combined server secret and the Hash of Data generates this hash. This hash is called the segment secret. BranchCache uses segment secrets to secure communications. BranchCache uses the Peer Content Caching protocol and the Retrieval Framework protocol to implement the processes that are required to ensure the secure caching and retrieval of data between content caches. In addition, BranchCache handles content information with the same degree of security that it uses when handling and transmitting the actual content itself.
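The derivation just described, as an added example that is not Microsoft's or BranchCache's own code: content is split into segments and blocks, each block is hashed, the hashes are combined into a Hash of Data (HoD), and the segment secret is an HMAC of the HoD keyed with the server secret. The segment ID construction (an HMAC keyed with the segment secret), the field names, and the small block and segment sizes are assumptions made for the demo, not the real BranchCache parameters or wire format. The example also shows the property the text relies on: block hashes depend only on the data, so they are identical across servers, while the segment secret and segment ID cannot be reproduced without the server secret.

```python
"""Added example: BranchCache-style content information from content data,
configuration parameters and a server secret. Names and derivation details
are assumptions for illustration, not the real protocol."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

HASH_ALG = "sha256"        # configuration parameter: hashing algorithm
BLOCK_SIZE = 4096          # configuration parameter: block size (small demo value, assumed)
BLOCKS_PER_SEGMENT = 4     # blocks per segment (small demo value, assumed)


@dataclass
class SegmentInfo:
    block_hashes: list[bytes]   # hash of each block; used to validate retrieved blocks
    hod: bytes                  # Hash of Data: hash over the concatenated block hashes
    segment_secret: bytes       # Kp: HMAC(server secret, HoD), only the server can compute it
    segment_id: bytes           # value a client may expose when locating cached content


def block_hash(data: bytes) -> bytes:
    return hashlib.new(HASH_ALG, data).digest()


def content_information(content: bytes, server_secret: bytes) -> list[SegmentInfo]:
    """Divide content into segments, subdivide each into blocks, hash the blocks,
    then derive the per-segment secret and ID keyed with the server secret."""
    segment_size = BLOCK_SIZE * BLOCKS_PER_SEGMENT
    infos: list[SegmentInfo] = []
    for s in range(0, len(content), segment_size):
        segment = content[s:s + segment_size]
        hashes = [block_hash(segment[b:b + BLOCK_SIZE])
                  for b in range(0, len(segment), BLOCK_SIZE)]
        hod = hashlib.new(HASH_ALG, b"".join(hashes)).digest()
        # Keyed with the server secret: a client that merely holds the content
        # cannot produce Kp, so it cannot mint content information itself.
        kp = hmac.new(server_secret, hod, HASH_ALG).digest()
        # Segment ID derived from Kp and HoD (assumed construction) so peers can
        # match requests without learning Kp or anything about the plaintext.
        segment_id = hmac.new(kp, hod, HASH_ALG).digest()
        infos.append(SegmentInfo(hashes, hod, kp, segment_id))
    return infos


def verify_block(info: SegmentInfo, index: int, data: bytes) -> bool:
    """Client-side check of a retrieved block against the block hash from the
    content information obtained from the original content server."""
    if index >= len(info.block_hashes):
        return False
    return hmac.compare_digest(block_hash(data), info.block_hashes[index])


def changed_blocks(old: SegmentInfo, new: SegmentInfo) -> list[int]:
    """Block indices whose hashes differ between two versions of a segment."""
    return [i for i, (a, b) in enumerate(zip(old.block_hashes, new.block_hashes)) if a != b]
```

Note that `changed_blocks` compares hashes, not secrets: a client holding an old version can see which blocks changed only if it already received the new version's content information from the server, which is exactly what the server secret gates.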
In the first phase, the client computer in the branch office requests content, such as a file or a Web page, from a content server in a remote location, such as a main office. The content server verifies that the client computer is authorized to receive the requested content. If the client computer is authorized and both content server and client are BranchCache-enabled, the content server generates content information.
The content server then sends the content information to the client computer using the same protocol as would have been used for the actual content. Because of this, the wire-level security guarantees of the content and the content information are identical. The primary threat at this layer is the risk to the Segment Secret; however, BranchCache encrypts the content data blocks to protect the Segment Secret. BranchCache does this by using the encryption key that is derived from the Segment Secret of the content segment within which the content blocks are located.
This approach ensures that an entity that is not in possession of the server secret cannot discover the actual content in a data block. The Segment Secret is treated with the same degree of security as the plaintext segment itself, because knowledge of the Segment Secret for a given segment enables an entity to obtain the segment from peers and then decrypt it.
Knowledge of the Server Secret does not immediately yield any particular plaintext, but it can be used to derive certain types of data from the ciphertext and then to possibly expose some partially known data to a brute-force guessing attack.
The server secret, therefore, should be kept confidential. After the content information is received by the client computer, the client uses the Segment ID to locate the requested content in the local branch office cache, whether that cache is distributed between client computers or is located on a hosted cache server.
If the client computer is configured for hosted cache mode, it is configured with the computer name of the hosted cache server and contacts that server to retrieve the content. If the client computer is configured for distributed cache mode, however, the content might be stored across multiple caches on multiple computers in the branch office.
The client computer must discover where the content is located before the content is retrieved. When they are configured for distributed cache mode, client computers locate content by using a discovery protocol that is based on the Web Services Dynamic Discovery (WS-Discovery) protocol.
Clients send WS-Discovery multicast Probe messages to discover cached content over the network. Probe messages include the Segment ID, which enables clients to check whether the requested content matches the content stored in their cache. Clients that receive the initial Probe message reply to the querying client with unicast Probe-Match messages if the Segment ID matches content that is cached locally. The success of the WS-Discovery process depends on the fact that the client that is performing the discovery has the correct content information, which was provided by the content server, for the content that it is requesting.
The main threat to data during the Request content phase is information disclosure, because access to the content information implies authorized access to content.
To mitigate this risk, the discovery process does not reveal the content information, other than the Segment ID, which does not reveal anything about the plaintext segment that contains the content. In addition, another client computer run by a malicious user on the same network subnet can see the BranchCache discovery traffic to the original content source going through the router.
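The discovery exchange described above, as an added example that is not Microsoft's or BranchCache's own code: the requesting client sends one Probe carrying only the Segment ID, every peer on the subnet sees it, and only peers whose cache holds that segment answer with a Probe-Match. An observer list records every message so the example can check what the exchange discloses. The message fields, the segment ID derivation (an HMAC keyed with a server-secret-derived segment secret) and the subnet model are assumptions for the demo, not the real WS-Discovery message format.

```python
"""Added example: WS-Discovery-style lookup in distributed cache mode, showing
that only the Segment ID crosses the wire. Message shapes are assumptions."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Message:
    kind: str           # "Probe" (multicast) or "ProbeMatch" (unicast reply)
    sender: str
    segment_id: bytes   # the only piece of content information in the message


@dataclass
class Peer:
    name: str
    cached_segment_ids: set[bytes]

    def handle_probe(self, probe: Message) -> Message | None:
        # Reply only if the Segment ID matches content cached locally.
        if probe.segment_id in self.cached_segment_ids:
            return Message("ProbeMatch", self.name, probe.segment_id)
        return None


@dataclass
class Subnet:
    peers: list[Peer]
    observed: list[Message] = field(default_factory=list)  # what any host on the subnet sees

    def discover(self, requester: str, segment_id: bytes) -> list[str]:
        """Multicast a Probe; return the names of peers that answered."""
        probe = Message("Probe", requester, segment_id)
        self.observed.append(probe)
        matches = []
        for peer in self.peers:
            if peer.name == requester:
                continue
            reply = peer.handle_probe(probe)
            if reply is not None:
                self.observed.append(reply)
                matches.append(peer.name)
        return matches


def make_segment_id(plaintext: bytes, server_secret: bytes) -> tuple[bytes, bytes, bytes]:
    """Constructed content information for one single-block segment (assumed
    derivation): returns (block hash, segment secret Kp, segment ID)."""
    hod = hashlib.sha256(plaintext).digest()
    kp = hmac.new(server_secret, hod, "sha256").digest()
    return hod, kp, hmac.new(kp, hod, "sha256").digest()


def on_wire(subnet: Subnet, value: bytes) -> bool:
    """Does any observed message carry this value? Used to check that secrets,
    block hashes and plaintext never appear in discovery traffic."""
    return any(value in m.segment_id or value in m.sender.encode() for m in subnet.observed)
```

Run it with a few constructed peers and you can see the disclosure property the text states: `on_wire` is true for the segment ID and false for the block hash, the segment secret and the plaintext, even though an on-subnet observer saw every Probe and Probe-Match.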
If the requested content is not found in the branch office, the client requests the content directly from the content server across the WAN link.
After the content is received, it is added to the local cache, either on the client computer or on a hosted cache server. In this case, the content information prevents a client or hosted cache server from adding to the local cache any content that does not match the hashes.
The process of verifying content by matching hashes ensures that only valid content is added to the cache, and the integrity of the local cache is protected. After a client computer locates the desired content on the content host, which is either a hosted cache server or a distributed cache mode client computer, the client computer begins the process of retrieving the content.
First the client computer sends a request to the content host for the first block that it requires. The request contains the Segment ID and block range that identify the desired content. Because only one block is returned, the block range contains only a single block. Requests for multiple blocks are currently not supported. The client also stores the request in its local Outstanding Request List.
Upon receiving a valid request message from a client, the content host checks whether the block specified in the request exists in the content host's content cache. If the content host is in possession of the content block, then the content host sends a response that contains the Segment ID, the Block ID, the encrypted data block, and the initialization vector that is used for encrypting the block.
If the content host is not in possession of the content block, the content host sends an empty response message. This informs the client computer that the content host does not have the requested block. An empty response message contains the Segment ID and Block ID of the requested block, along with a zero-sized data block.
When the client computer receives the response from the content host, the client verifies that the message corresponds to a request message in its Outstanding Request List.
The Segment ID and block index must match that of an outstanding request. If this verification process is unsuccessful and the client computer does not have a corresponding request message in its Outstanding Request List, the client computer discards the message. If this verification process is successful and the client computer has a corresponding request message in its Outstanding Request List, the client computer decrypts the block.
The client then validates the decrypted block against the appropriate block hash from the content information that the client initially obtained from the original content server. If the complete segments of content do not exist on one computer, the retrieval protocol retrieves and assembles content from a combination of sources: a set of distributed cache mode client computers, a hosted cache server, and - if the branch office caches do not contain the complete content - the original content server in the main office.
Before BranchCache sends content information or content, the data is encrypted. BranchCache encrypts the block in the response message. In Windows 7, the default encryption algorithm that BranchCache uses is AES, the encryption key is Ke, and the key size is bits, as dictated by the encryption algorithm.
BranchCache generates an initialization vector that is suitable for the encryption algorithm and uses the encryption key to encrypt the block. BranchCache then records the encryption algorithm and the initialization vector in the message. Servers and clients never exchange, share, or send each other the encryption key. The client receives the encryption key from the content server that hosts the source content.
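The retrieval and verification steps described above, as an added example that is not Microsoft's or BranchCache's own code: a content host answers a single-block request with the Segment ID, Block ID, an encrypted block and the IV it used (or a zero-sized block when it lacks the content), and the client matches each response against its Outstanding Request List, discards anything unsolicited, decrypts with the key it obtained from the content server, and validates the block against the hash in its content information. The cipher is a stdlib-only HMAC keystream standing in for AES, and the key derivation, segment ID and message layout are assumptions for the demo rather than the real protocol.

```python
"""Added example: block retrieval between a client and a content host with an
Outstanding Request List and hash validation. Cipher, key derivation and
message layout are stand-ins chosen for the demo."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

HASH = "sha256"
BLOCK_SIZE = 1024  # demo block size (assumed)


def block_hash(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def stream_xor(ke: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for the block cipher (BranchCache uses AES): CTR-style keystream
    HMAC(Ke, IV || counter) XORed with the data. Symmetric, so one call both
    encrypts and decrypts. Chosen only to keep the demo stdlib-only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(ke, iv + off.to_bytes(4, "big"), HASH).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


@dataclass
class Response:
    segment_id: bytes
    block_id: int
    iv: bytes     # recorded in the message, as the text describes
    data: bytes   # encrypted block; b"" is the empty (zero-sized) response


class ContentHost:
    """Hosted cache server or distributed-cache peer holding some blocks."""
    def __init__(self, segment_id: bytes, ke: bytes, blocks: dict[int, bytes]):
        self.segment_id, self.ke, self.blocks = segment_id, ke, blocks

    def handle_request(self, segment_id: bytes, block_id: int) -> Response:
        block = self.blocks.get(block_id) if segment_id == self.segment_id else None
        if block is None:
            return Response(segment_id, block_id, b"", b"")   # "I don't have it"
        iv = os.urandom(16)                                   # fresh IV per block
        return Response(segment_id, block_id, iv, stream_xor(self.ke, iv, block))


class Client:
    """Holds content information (Segment ID, block hashes, Ke) received from
    the original content server, plus an Outstanding Request List (ORL)."""
    def __init__(self, segment_id: bytes, block_hashes: list[bytes], ke: bytes):
        self.segment_id, self.block_hashes, self.ke = segment_id, block_hashes, ke
        self.orl: set[tuple[bytes, int]] = set()
        self.blocks: dict[int, bytes] = {}

    def request(self, host: ContentHost, block_id: int) -> Response:
        self.orl.add((self.segment_id, block_id))   # one block per request
        return host.handle_request(self.segment_id, block_id)

    def process(self, resp: Response) -> str:
        key = (resp.segment_id, resp.block_id)
        if key not in self.orl:
            return "discarded"        # no matching outstanding request
        self.orl.remove(key)
        if not resp.data:
            return "missing"          # host answered with a zero-sized block
        plain = stream_xor(self.ke, resp.iv, resp.data)
        if not hmac.compare_digest(block_hash(plain), self.block_hashes[resp.block_id]):
            return "rejected"         # corrupted or forged block never enters the cache
        self.blocks[resp.block_id] = plain
        return "accepted"


def run_scenario() -> dict[str, str]:
    """Constructed scenario: a 3-block segment, an honest host holding blocks
    0 and 1, and a host that serves a tampered block 2."""
    blocks = {i: bytes([65 + i]) * BLOCK_SIZE for i in range(3)}
    hashes = [block_hash(blocks[i]) for i in range(3)]
    hod = hashlib.new(HASH, b"".join(hashes)).digest()
    kp = hmac.new(b"server-secret (constructed)", hod, HASH).digest()  # segment secret
    ke = hmac.new(kp, b"Ke", HASH).digest()        # key derived from Kp (assumed KDF)
    segment_id = hmac.new(kp, hod, HASH).digest()  # assumed construction
    client = Client(segment_id, hashes, ke)
    honest = ContentHost(segment_id, ke, {0: blocks[0], 1: blocks[1]})
    rogue = ContentHost(segment_id, ke, {2: blocks[2][:-1] + b"!"})
    results = {
        "block0": client.process(client.request(honest, 0)),
        "block2_from_honest": client.process(client.request(honest, 2)),
        "block2_from_rogue": client.process(client.request(rogue, 2)),
        "unsolicited": client.process(Response(segment_id, 1, b"", b"")),
    }
    results["cached"] = ",".join(str(i) for i in sorted(client.blocks))
    return results
```

The scenario ends with only block 0 in the client's cache: the honest host's empty response for block 2 is noted but adds nothing, the rogue host's tampered block is rejected by the hash check, and the unsolicited message is dropped because nothing in the ORL matches it. The client would then fall back to the original content server across the WAN for the blocks it still lacks.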