OCS Exposed - Three-Headed Dog Kerberos Advanced Security Protection
February 19, 2008
Kerberos is the authentication protocol that OCS, like the rest of an Active Directory forest, relies on. The name comes from Greek mythology: Kerberos (Cerberus) is the three-headed dog guarding the underworld, and the protocol likewise involves three parties: 1) the user (client), 2) the KDC (Key Distribution Center, the security server, which in Windows runs on every domain controller) and 3) the services (servers). It is a three-exchange process that performs authentication; in Windows the tickets also carry the user's group membership, which the server uses for its authorization decisions. Kerberos has been a standard feature of Windows since Windows 2000. To build a trust with a forest on the other side of a firewall, the administrator opens the following ports to the internal domain controllers: Kerberos (port 88) over both UDP and TCP (Windows switches to TCP when a ticket is too large for a UDP datagram, and Windows Vista and later use TCP by default), Microsoft-DS/SMB (TCP port 445), and LDAP (port 389, TCP and UDP). Port 88 is the assigned (well-known) port for Kerberos, in the same way that TCP port 21 is assigned to FTP (File Transfer Protocol) and TCP port 80 to HTTP (HyperText Transfer Protocol, web surfing).
An explanation of Kerberos.
User Clark Kent logs on to the network with his user name and password. His workstation requests a TGT (Ticket Granting Ticket) from the AS (Authentication Service) half of the KDC (Key Distribution Center). The AS checks the request against the Active Directory account database: the user's long-term key is derived from the password, and in Active Directory the request carries a timestamp encrypted with that key (pre-authentication), so the password itself never crosses the wire. Once authenticated, the user receives a time-stamped TGT valid in the local domain, encrypted with a key that only the KDC holds (the krbtgt account's key), plus a session key. To reach a server, the user presents the TGT, together with an authenticator encrypted under that session key, to the TGS (Ticket Granting Service) half of the KDC. The TGS decrypts the TGT with its own key and, if it is valid, issues a ST (Service Ticket) encrypted with the target server's long-term key, plus a new session key shared by the user and that server. The user sends the service ticket and a fresh authenticator to the server. The server decrypts the ticket with its own key (the one it shares with the KDC); it does not need to contact the KDC. If the ticket and authenticator are valid, the server returns the authenticator's timestamp encrypted under the session key, which proves its own identity to the user (mutual authentication), and the session is established. The TGT is stored in the client's in-memory ticket cache and has a default lifetime of 10 hours in Active Directory; it can be renewed (for up to 7 days by default) without re-entering the password.
The second animation shows Kerberos in a multi-domain network, where the user's home domain and the target server's domain are different.
The user presents the TGT to the TGS (Ticket Granting Service) of the local domain's KDC as before. The KDC recognizes that the requested server belongs to a foreign domain; since it does not hold that server's key it cannot issue the service ticket itself, so it responds with a Referral Ticket (a cross-domain TGT) encrypted with the interdomain key, a key derived from the trust password and shared by the two domains' KDCs. The user presents the referral ticket to the foreign domain's TGS, which decrypts it with the interdomain key, checks it, and issues a service ticket encrypted with the foreign server's key. From here the flow is the same as in a single domain: the user sends the service ticket and an authenticator to the server, the server decrypts the ticket with its own key, and, if valid, returns the encrypted timestamp and establishes the session. When the two domains do not trust each other directly, the referral repeats along the trust path: each KDC in turn issues a referral ticket for the next domain until the KDC that holds the target server's key (a database or proxy server, for example) is reached.
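The two flows above (single domain, then a referral into a trusted domain) as a runnable model. This is an added example, not code from the original post, from TechTionary or from Microsoft: a toy SHA-256/HMAC construction stands in for Kerberos' real encryption types, there is no pre-authentication and no group-membership (PAC) data, one shared interdomain key per trust replaces the real per-direction keys, and the domain, account and service names (CORP, PARTNER, clark, files, sql) and the "REALM/service" principal naming are assumptions. What it does show faithfully is who can decrypt what: the TGT only under the KDC's key, the service ticket only under that one service's key, the referral ticket only under the interdomain key, with a 10-hour lifetime and a 5-minute clock-skew check enforced on every ticket.

```python
import contextlib, hashlib, hmac, json, os, time

TGT_LIFETIME = 10 * 3600   # Active Directory default ticket lifetime (the 10 hours in the text)
MAX_SKEW = 5 * 60          # Active Directory default clock-skew tolerance for authenticators

def _xor(key, nonce, data):
    """Toy keystream cipher (SHA-256 in counter mode). Illustration only; real Kerberos uses etypes such as AES256-CTS."""
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, fields):
    """Encrypt-then-MAC, so a ticket opened with the wrong key is rejected rather than misread."""
    nonce = os.urandom(12)
    ct = _xor(key, nonce, json.dumps(fields, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("blob was not sealed under this key")
    return json.loads(_xor(key, nonce, ct))

def _unseal_any(keys, blob):
    for key in keys:   # a TGT opens under exactly one key a TGS holds: its own krbtgt key or an interdomain key
        with contextlib.suppress(PermissionError):
            return unseal(key, blob)
    raise PermissionError("blob was not sealed under any accepted key")

def authenticator(session_key, client, now):
    """Sent with every ticket: proves the client holds the ticket's session key and binds the request to a fresh timestamp."""
    return seal(session_key, {"client": client, "time": now})

def _check(ticket, auth, now):
    if auth["client"] != ticket["client"] or abs(auth["time"] - now) > MAX_SKEW or not ticket["start"] <= now < ticket["end"]:
        raise PermissionError("authenticator mismatch, clock skew too large, or ticket expired")

def _rejected(fn):
    with contextlib.suppress(PermissionError):
        fn()
        return False
    return True

class KDC:
    """One domain's KDC. AS and TGS share the account database; keys["krbtgt"] is the TGS's own key."""
    def __init__(self, realm, keys, trust_keys):
        self.realm, self.keys, self.trust_keys = realm, keys, trust_keys
    def as_exchange(self, user, now):
        """AS-REQ/AS-REP: TGT sealed under the krbtgt key; the session key goes back under the user's password-derived key."""
        session = os.urandom(32).hex()
        body = {"client": user, "key": session, "start": now, "end": now + TGT_LIFETIME}
        return seal(self.keys["krbtgt"], body), seal(self.keys[user], {"key": session, "end": body["end"]})
    def tgs_exchange(self, tgt_blob, auth_blob, service, now):
        """TGS-REQ/TGS-REP: a local TGT opens under krbtgt, a referral TGT from a trusted domain under the interdomain key."""
        tgt = _unseal_any([self.keys["krbtgt"], *self.trust_keys.values()], tgt_blob)
        _check(tgt, unseal(bytes.fromhex(tgt["key"]), auth_blob), now)
        realm, name = service.split("/")   # principal naming assumed here: "REALM/service"
        session = os.urandom(32).hex()
        body = {"client": tgt["client"], "key": session, "start": now, "end": now + TGT_LIFETIME}
        if realm == self.realm:            # service ticket: only that service's own key opens it
            ticket = seal(self.keys[name], {**body, "for": service})
        else:                              # referral ticket: only the foreign TGS, holding the trust key, opens it
            ticket = seal(self.trust_keys[realm], {**body, "for": f"{realm}/krbtgt"})
        return ticket, seal(bytes.fromhex(tgt["key"]), {"key": session, "for": service})

def service_accept(service_key, ticket_blob, auth_blob, now):
    """Server side of AP-REQ/AP-REP: open the ticket with our own long-term key, check the authenticator, echo its timestamp back."""
    ticket = unseal(service_key, ticket_blob)
    auth = unseal(bytes.fromhex(ticket["key"]), auth_blob)
    _check(ticket, auth, now)
    return seal(bytes.fromhex(ticket["key"]), {"time": auth["time"]})

def demo(now=None):
    now = now or int(time.time())
    trust = os.urandom(32)   # interdomain key derived from the trust password; one shared key per trust for brevity
    corp = KDC("CORP", {"krbtgt": os.urandom(32), "clark": os.urandom(32), "files": os.urandom(32)}, {"PARTNER": trust})
    partner = KDC("PARTNER", {"krbtgt": os.urandom(32), "sql": os.urandom(32)}, {"CORP": trust})   # names are assumed
    results = {}
    # Logon: the client derives its own key from the password and can therefore read the AS-REP.
    tgt, enc = corp.as_exchange("clark", now)
    tgt_key = bytes.fromhex(unseal(corp.keys["clark"], enc)["key"])
    # Single domain: TGT -> service ticket -> AP exchange with the file server (mutual authentication).
    st, enc = corp.tgs_exchange(tgt, authenticator(tgt_key, "clark", now), "CORP/files", now)
    st_key = bytes.fromhex(unseal(tgt_key, enc)["key"])
    ap_rep = service_accept(corp.keys["files"], st, authenticator(st_key, "clark", now), now)
    results["local_mutual_auth"] = unseal(st_key, ap_rep)["time"] == now
    # Cross domain: the local TGS returns a referral ticket; the PARTNER TGS opens it and issues the real service ticket.
    ref, enc = corp.tgs_exchange(tgt, authenticator(tgt_key, "clark", now), "PARTNER/sql", now)
    ref_key = bytes.fromhex(unseal(tgt_key, enc)["key"])
    st2, enc = partner.tgs_exchange(ref, authenticator(ref_key, "clark", now), "PARTNER/sql", now)
    st2_key = bytes.fromhex(unseal(ref_key, enc)["key"])
    ap_rep = service_accept(partner.keys["sql"], st2, authenticator(st2_key, "clark", now), now)
    results["cross_realm_mutual_auth"] = unseal(st2_key, ap_rep)["time"] == now
    # Failure modes: a TGT used after its 10-hour lifetime, and a file-server ticket replayed against SQL.
    later = now + 11 * 3600
    results["expired_tgt_rejected"] = _rejected(lambda: corp.tgs_exchange(tgt, authenticator(tgt_key, "clark", later), "CORP/files", later))
    results["ticket_bound_to_service"] = _rejected(lambda: service_accept(partner.keys["sql"], st, authenticator(st_key, "clark", now), now))
    return results
```

Calling `demo()` returns four booleans, all True: both servers proved their identity back to the client, the TGT was refused an hour after its lifetime ended, and the file-server ticket was useless against the SQL server because only the file server's key can open it. Note that neither server ever talks to a KDC; everything it needs is in the ticket, which is why the KDC and service keys (the krbtgt account and service account passwords in Active Directory) are the assets a Kerberos deployment has to protect.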
The complete details and recommendations for SIP security and other types of VoIP security can be found in the SIP Essentials and OCS (Office Communications Server) classes. For more, go to http://www.techtionary.com.