Network Controller Security

You can use this topic to learn how to configure security for all communication between Network Controller and other software and devices.

Note

For an overview of Network Controller, see Network Controller.

The communication paths that you can secure include Northbound communication on the management plane, cluster communication between Network Controller virtual machines (VMs) in a cluster, and Southbound communication on the data plane.

  1. Northbound Communication. Network Controller communicates on the management plane with SDN-capable management software like Windows PowerShell and System Center Virtual Machine Manager (SCVMM). These management tools provide you with the ability to define network policy and to create a goal state for the network, against which you can compare the actual network configuration to bring the actual configuration into parity with the goal state.

  2. Network Controller Cluster Communication. When you configure three or more VMs as Network Controller cluster nodes, these nodes communicate with each other. This communication might be related to synchronization and replication of data across nodes, or to specific communication between Network Controller services.

  3. Southbound Communication. Network Controller communicates on the data plane with SDN infrastructure and other devices like software load balancers, gateways, and host machines. You can use Network Controller to configure and manage these southbound devices so that they maintain the goal state that you have configured for the network.

Northbound Communication

Network Controller supports authentication, authorization, and encryption for Northbound communication. The following sections provide information on how to configure these security settings.

Authentication

When you configure authentication for Network Controller Northbound communication, you allow Network Controller cluster nodes and management clients to verify the identity of the device with which they are communicating.

Network Controller supports the following three modes of authentication between management clients and Network Controller nodes.

Note

If you are deploying Network Controller with System Center Virtual Machine Manager, only Kerberos mode is supported.

  1. Kerberos. You can use Kerberos authentication when both the management client, such as the computer running SCVMM, and all Network Controller cluster nodes are joined to an Active Directory domain, with domain accounts used for authentication.

  2. X509. X509 is certificate-based authentication. You can use X509 authentication when management clients are not joined to an Active Directory domain. To use X509, you must enroll certificates to all Network Controller cluster nodes and management clients, and all nodes and management clients must trust each other's certificates.

  3. None. When you choose this mode, there is no authentication performed between management clients and Network Controller. This mode is provided only for testing purposes, and is not recommended for use in a production environment.

You can configure the authentication mode for Northbound communication by using the Windows PowerShell command Install-NetworkController with the ClientAuthentication parameter.

For more information, see the following topics.

Authorization

When you configure authorization for Network Controller Northbound communication, you allow Network Controller cluster nodes and management clients to verify that the device with which they are communicating is trusted and has permission to participate in the communication.

For each of the authentication modes supported by Network Controller, the following authorization methods are used.

  1. Kerberos. When you are using the Kerberos authentication method, you define the users and computers that are authorized to communicate with Network Controller by creating a security group in Active Directory, and then adding the authorized users and computers to the group. You can configure Network Controller to use the security group for authorization by using the ClientSecurityGroup parameter of the Install-NetworkController Windows PowerShell command. After Network Controller is installed, you can change the security group by using the Set-NetworkController command with the -ClientSecurityGroup parameter. If you are using SCVMM, you must provide the security group as a parameter during deployment.

  2. X509. When you are using the X509 authentication method, Network Controller only accepts requests from management clients whose certificate thumbprints are known to Network Controller. You can configure these thumbprints by using the ClientCertificateThumbprint parameter of the Install-NetworkController Windows PowerShell command. You can add other client thumbprints at any time by using the Set-NetworkController command.

  3. None. When you choose this mode, there is no authorization performed for communication attempts between management clients and Network Controller nodes. This mode is provided only for testing purposes, and is not recommended for use in a production environment.

For more information, see the following topics.

Encryption

Northbound communication uses Secure Sockets Layer (SSL) to create an encrypted channel between management clients and Network Controller nodes. SSL encryption for Northbound communication includes the following requirements.

  • All Network Controller nodes must have an identical certificate that includes the Server Authentication and Client Authentication purposes in the Enhanced Key Usage (EKU) extension.

  • The URI used by management clients to communicate with Network Controller must be the certificate subject name. The certificate subject name must contain either the Fully Qualified Domain Name (FQDN) or the IP address of the Network Controller REST endpoint.

  • If Network Controller nodes are located on different subnets, the subject name of their certificates must be the same as the value that you use for the RestName parameter in the Install-NetworkController Windows PowerShell command.

  • The SSL certificate must be trusted by all of the management clients.

SSL Certificate Enrollment and Configuration

You must manually enroll the SSL certificate on Network Controller nodes.

After the certificate is enrolled, you can configure Network Controller to use the certificate with the -ServerCertificate parameter of the Install-NetworkController Windows PowerShell command. If you have already installed Network Controller, you can update the configuration at any time by using the Set-NetworkController command.
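The following script is an added example and is not part of the original topic or of the Network Controller product documentation. It checks the enrolled certificate against the Northbound SSL requirements listed above (EKU purposes, subject name equal to the REST name, private key present, chain trusted) before handing it to Install-NetworkController. The REST name nc.contoso.local, the security group CONTOSO\NC-Management-Clients, the thumbprint placeholder, and the `$nodes` variable (node objects created earlier with New-NetworkControllerNodeObject) are all assumptions.

```powershell
# Added example, not from the original article. Assumed values: the REST name,
# the client security group, the thumbprint placeholder and the $nodes variable
# (node objects already created with New-NetworkControllerNodeObject).

function Test-NcRestCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$RestName
    )
    $problems = @()

    # Requirement: EKU must carry both Server Authentication and Client Authentication.
    $ekuExt = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $oids = @()
    if ($ekuExt) { $oids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($oids -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'EKU lacks Server Authentication (1.3.6.1.5.5.7.3.1)' }
    if ($oids -notcontains '1.3.6.1.5.5.7.3.2') { $problems += 'EKU lacks Client Authentication (1.3.6.1.5.5.7.3.2)' }

    # Requirement: the subject name must be the name (FQDN or IP) that clients put in the REST URI.
    $dnsName = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $RestName) { $problems += "Subject name '$dnsName' does not match RestName '$RestName'" }

    # An SSL server certificate without its private key cannot terminate the channel.
    if (-not $Certificate.HasPrivateKey) { $problems += 'Certificate has no private key on this node' }

    # Requirement: the chain must validate; management clients must trust the same chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "Certificate chain does not validate: $status"
    }
    return $problems
}

$restName   = 'nc.contoso.local'                        # assumption
$thumbprint = 'PLACEHOLDER_THUMBPRINT_OF_ENROLLED_CERT'  # placeholder, replace with the real thumbprint
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"

$issues = Test-NcRestCertificate -Certificate $cert -RestName $restName
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'Certificate does not meet the Northbound SSL requirements; fix it before installing.'
}

# Kerberos client authentication, authorized through the AD security group (assumed name).
$clientGroup = 'CONTOSO\NC-Management-Clients'
Install-NetworkController -Node $nodes -ClientAuthentication Kerberos `
    -ClientSecurityGroup $clientGroup -ServerCertificate $cert -RestName $restName

# After installation, the same certificate and group can be changed without reinstalling:
# Set-NetworkController -ServerCertificate $cert -ClientSecurityGroup $clientGroup
```

Run the check on every node: the topic requires an identical certificate on all of them, so a node whose store holds a different certificate, or the right certificate without its private key, will fail the check there even if it passed on the first node.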

Note

If you are using SCVMM, you must add the certificate as a library resource. For more information, see Set up an SDN network controller in the VMM fabric.

Network Controller Cluster Communication

Network Controller supports authentication, authorization, and encryption for communication between Network Controller nodes. The communication is over Windows Communication Foundation (WCF) and TCP.

You can configure this mode with the ClusterAuthentication parameter of the Install-NetworkControllerCluster Windows PowerShell command.

For more information, see Install-NetworkControllerCluster.

Authentication

When you configure authentication for Network Controller Cluster communication, you allow Network Controller cluster nodes to verify the identity of the other nodes with which they are communicating.

Network Controller supports the following three modes of authentication between Network Controller nodes.

Note

If you deploy Network Controller by using SCVMM, only Kerberos mode is supported.

  1. Kerberos. You can use Kerberos authentication when all Network Controller cluster nodes are joined to an Active Directory domain, with domain accounts used for authentication.

  2. X509. X509 is certificate-based authentication. You can use X509 authentication when Network Controller cluster nodes are not joined to an Active Directory domain. To use X509, you must enroll certificates to all Network Controller cluster nodes, and all nodes must trust the certificates. In addition, the subject name of the certificate that is enrolled on each node must be the same as the DNS name of the node.

  3. None. When you choose this mode, there is no authentication performed between Network Controller nodes. This mode is provided only for testing purposes, and is not recommended for use in a production environment.

Authorization

When you configure authorization for Network Controller Cluster communication, you allow Network Controller cluster nodes to verify that the nodes with which they are communicating are trusted and have permission to participate in the communication.

For each of the authentication modes supported by Network Controller, the following authorization methods are used.

  1. Kerberos. Network Controller nodes accept communication requests only from other Network Controller machine accounts. You can configure these accounts when you deploy Network Controller by using the Name parameter of the New-NetworkControllerNodeObject Windows PowerShell command.

  2. X509. Network Controller nodes accept communication requests only from other Network Controller machine accounts. You can configure these accounts when you deploy Network Controller by using the Name parameter of the New-NetworkControllerNodeObject Windows PowerShell command.

  3. None. When you choose this mode, there is no authorization performed between Network Controller nodes. This mode is provided only for testing purposes, and is not recommended for use in a production environment.

Encryption

Communication between Network Controller nodes is encrypted using WCF transport-level encryption. This form of encryption is used when the authentication and authorization methods are either Kerberos or X509 certificates. For more information, see the following topics.
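The following script is an added example and is not part of the original topic or of the product's own deployment scripts. It builds the node objects whose Name values drive cluster authorization, verifies the prerequisite of the chosen ClusterAuthentication mode on each node (domain membership for Kerberos; a certificate whose subject name equals the node's DNS name for X509), and then installs the cluster. The node names NC01 to NC03, the domain contoso.local, the NIC name Ethernet, the fault-domain strings and the group CONTOSO\NC-Admins are assumptions; for X509 it also assumes each node's certificate has been imported into the machine store on the computer running the script.

```powershell
# Added example, not from the original article. Assumed values: node names,
# domain, NIC name, fault domains and the management security group.
$domain    = 'contoso.local'
$nodeNames = 'NC01', 'NC02', 'NC03'      # three or more nodes form a cluster
$mode      = 'Kerberos'                  # 'Kerberos' or 'X509'; 'None' is for test labs only
$mgmtGroup = 'CONTOSO\NC-Admins'         # assumption

function Assert-NodePrerequisites {
    param([string]$Fqdn, [string]$Mode)
    switch ($Mode) {
        'Kerberos' {
            # Kerberos requires every node to be joined to the Active Directory domain.
            $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $Fqdn
            if (-not $cs.PartOfDomain) {
                throw "$Fqdn is not domain-joined; Kerberos cluster authentication cannot work"
            }
        }
        'X509' {
            # X509 requires a certificate with a private key on the node whose subject
            # name is exactly the node's DNS name.
            $count = Invoke-Command -ComputerName $Fqdn -ScriptBlock {
                $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
                @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
                    $_.HasPrivateKey -and $_.GetNameInfo($dnsType, $false) -eq $using:Fqdn
                }).Count
            }
            if ($count -lt 1) {
                throw "$Fqdn has no certificate with subject name '$Fqdn'; X509 cluster authentication will fail"
            }
        }
        'None' { Write-Warning "Cluster authentication 'None' is for testing only" }
    }
}

$nodes = foreach ($name in $nodeNames) {
    $fqdn = "$name.$domain"
    Assert-NodePrerequisites -Fqdn $fqdn -Mode $mode

    # Name is the identity that Kerberos/X509 authorization later accepts requests from.
    $nodeArgs = @{
        Name          = $name
        Server        = $fqdn
        FaultDomain   = "fd:/rack1/$name"   # assumption
        RestInterface = 'Ethernet'          # assumption
    }
    if ($mode -eq 'X509') {
        # Assumes the node certificates were imported into this computer's store.
        $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
        $nodeArgs.NodeCertificate = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.GetNameInfo($dnsType, $false) -eq $fqdn } | Select-Object -First 1
    }
    New-NetworkControllerNodeObject @nodeArgs
}

Install-NetworkControllerCluster -Node $nodes -ClusterAuthentication $mode `
    -ManagementSecurityGroup $mgmtGroup

# Read the setting back to confirm the mode that the nodes will enforce.
Get-NetworkControllerCluster | Select-Object ClusterAuthentication
```

The prerequisite checks run before any node object is created, so a node that is not domain-joined (Kerberos) or lacks a certificate matching its DNS name (X509) stops the deployment with a message that names the node and the unmet requirement, instead of leaving a cluster whose nodes reject each other.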

Southbound Communication

Network Controller interacts with different types of devices for Southbound communication. These interactions use different protocols. Because of this, there are different requirements for authentication, authorization, and encryption depending on the type of device and the protocol used by Network Controller to communicate with the device.

The following table provides information about Network Controller interaction with different southbound devices.

| Southbound device/service | Protocol | Authentication used |
| --- | --- | --- |
| Software Load Balancer | WCF (MUX), TCP (Host) | Certificates |
| Firewall | OVSDB | Certificates |
| Gateway | WinRM | Kerberos, Certificates |
| Virtual Networking | OVSDB, WCF | Certificates |
| User defined routing | OVSDB | Certificates |

For each of these protocols, the communication mechanism is described in the following section.

Authentication

For Southbound communication, the following protocols and authentication methods are used.

  1. WCF/TCP/OVSDB. For these protocols, authentication is performed by using X509 certificates. Both Network Controller and the peer Software Load Balancing (SLB) Multiplexer (MUX)/host machines present their certificates to each other for mutual authentication. Each certificate must be trusted by the remote peer.

    For southbound authentication, you can use the same SSL certificate that is configured for encrypting the communication with the Northbound clients. You must also configure a certificate on the SLB MUX and host devices. The certificate subject name must be the same as the DNS name of the device.

  2. WinRM. For this protocol, authentication is performed by using Kerberos (for domain-joined machines) and by using certificates (for non-domain-joined machines).

Authorization

For Southbound communication, the following protocols and authorization methods are used.

  1. WCF/TCP. For these protocols, authorization is based on the subject name of the peer entity. Network Controller stores the peer device DNS name, and uses it for authorization. This DNS name must match the subject name of the device in the certificate. Likewise, the Network Controller certificate must match the Network Controller DNS name stored on the peer device.

  2. WinRM. If Kerberos is being used, the WinRM client account must be present in a predefined group in Active Directory or in the Local Administrators group on the server. If certificates are being used, the client presents a certificate to the server that the server authorizes using the subject name/issuer, and the server uses a mapped user account to perform authentication.

  3. OVSDB. There is no authorization provided for this protocol.

Encryption

For Southbound communication, the following encryption methods are used for the protocols.

  1. WCF/TCP/OVSDB. For these protocols, encryption is performed using the certificate that is enrolled on the client or server.

  2. WinRM. WinRM traffic is encrypted by default using the Kerberos security support provider (SSP). You can configure additional encryption, in the form of SSL, on the WinRM server.
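The following script is an added example and is not part of the original topic. It shows the WinRM server-side configuration that the last item describes: the Kerberos SSP encryption that is on by default is kept (and unencrypted sessions are refused), and an SSL layer is added as an HTTPS listener bound to a server certificate. The gateway name gw01.contoso.local and the certificate thumbprint placeholder are assumptions; the script runs on the gateway VM itself.

```powershell
# Added example, not from the original article. Run on the WinRM server (the
# gateway VM); the thumbprint is a placeholder and the host name is assumed.
$thumbprint = 'PLACEHOLDER_THUMBPRINT_OF_GATEWAY_SERVER_CERT'
$serverFqdn = 'gw01.contoso.local'

# 1. Keep the default SSP encryption: refuse unencrypted sessions and Basic auth,
#    allow Kerberos (domain-joined clients) and certificate auth (non-domain-joined clients).
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic       -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Kerberos    -Value $true
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true

# 2. Add SSL on top: an HTTPS listener on TCP 5986 bound to the server certificate.
$httpsListener = Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $httpsListener) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbprint $thumbprint -Force | Out-Null
    New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
}

# 3. Verify: the service must answer over SSL with Kerberos, and the auth
#    settings must read back as configured.
Test-WSMan -ComputerName $serverFqdn -UseSSL -Authentication Kerberos
Get-ChildItem -Path WSMan:\localhost\Service\Auth | Select-Object Name, Value
```

Test-WSMan with -UseSSL fails if the certificate bound to the listener is not trusted by the calling machine or its subject does not match the name in -ComputerName, which is the same trust and subject-name condition the topic states for the other southbound protocols.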