    Applications and Web Services Support


    The Windows CE platform enables OEMs, service providers and enterprises to add applications and services to gateway devices, including such features as voice mail, e-mail filtering, and multimedia applications for managing audio, video, and other media types. Windows CE 5.0 provides an application layer with device and application management services that includes the features in the following table:

    Windows CE 5.0 Applications and Web Services Support (each feature name is followed by its description)

    File and Print Sharing

    File and print sharing features, which are included with Windows CE 5.0, allow users to manage network connections and access remote file systems and printers through the Windows Networking API/Redirector. Because some Server Message Block (SMB) functionality is included in Windows CE 5.0, printer and file redirection through Windows computers works without users having to install any additional drivers.

    Logging

    Windows CE 5.0 supports the logging of errors, events, database transactions, and data such as a list of visited Web sites. Error reporting (Dr. Watson) is also available.

    Error Reporting

    Error reporting is provided as a Catalog item you can use in your OS design. This error reporting allows a device to automatically save the state of the machine at the time of an exception. You have the option of transferring the saved information to a file and uploading the file to the Watson Web site at Microsoft. The standard error-report format includes extremely useful information for developers, such as the following:

      • Stack details

      • Some system information

      • A list of loaded modules

      • Exception type

      • Global and local variables

    Management Information Base (MIB-II)

    Windows CE 5.0 supports MIB-II (RFC 1213), the standard set of SNMP managed objects covering system, interface, IP, ICMP, TCP, UDP, and SNMP statistics, arranged in a hierarchical tree of object identifiers. Each system in a network, for example a workstation, server, router, or bridge, maintains a MIB that reflects the status of the managed resources in that system, so an SNMP manager can monitor different devices in a uniform way, simplifying administration.

    Web Server (HTTPD)

    Contained in Windows CE 5.0, Web Server (HTTPD) is a lightweight HTTP server that provides a means for remote configuration of headless devices and offers ASP and ISAPI extension and filter support, in addition to Secure Sockets Layer (SSL) support. HTTPD supports:

    • Active Server Pages (ASP). Provides a server-side scripting environment to create and run dynamic, interactive Web server applications.

    • Web Administration ISAPI Extensions. Provides remote device configuration, device browsing, file uploading and downloading, and registry editing. Because these extensions can change the registry and the file system, access to them should require authentication and, on a gateway, be reachable only from the LAN side and over SSL.




    USB Flash Config

    The USB Flash Config Tool addresses the difficulty users have configuring networked devices, particularly wireless ones. It was developed to complement Windows XP Service Pack 2: the tool uses a subset of the network-settings XML schema supported in that service pack to automate joining a device to a network. It currently supports WEP (40-bit and 104-bit keys) and WPA-PSK.

    Quality of Service (QoS)

    Windows CE 5.0 supports Differentiated Services (DiffServ), enabling quality of service (QoS) by marking the DiffServ code point (DSCP) in the IP header so that routers along the path can give the packet the corresponding priority treatment.
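    As an added illustration (example code written for this page, not Windows CE or Microsoft code), the following portable C shows what "marking IP packets" means in practice: the 6-bit DSCP is placed in the upper bits of the IPv4 TOS byte above the two ECN bits, an Assured Forwarding code point is computed from its class and drop precedence, and a socket is marked with setsockopt(IP_TOS). It also shows the check a gateway needs: DSCP values set by hosts are not trustworthy, so a boundary device re-marks anything outside its policy back to best effort instead of letting a client grant itself priority. The allowed set (EF plus the AF classes) is a policy assumed for this example.

```c
/* Added example: DiffServ code point (DSCP) handling. Portable POSIX C,
 * not Windows CE code. The DS field layout is RFC 2474 / RFC 3168:
 * bits 7..2 = DSCP, bits 1..0 = ECN. */
#include <stdio.h>
#include <stdint.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define DSCP_CS0 0    /* best effort */
#define DSCP_EF  46   /* Expedited Forwarding, RFC 3246 */

/* Assured Forwarding AFxy: class x in 1..4, drop precedence y in 1..3.
 * Code point = 8*x + 2*y (RFC 2597). Returns -1 on bad input. */
int dscp_af(int cls, int drop) {
    if (cls < 1 || cls > 4 || drop < 1 || drop > 3) return -1;
    return 8 * cls + 2 * drop;
}

/* Combine a DSCP and ECN value into the DS field (the TOS byte). */
int ds_field(int dscp, int ecn) {
    if (dscp < 0 || dscp > 63 || ecn < 0 || ecn > 3) return -1;
    return (dscp << 2) | ecn;
}

int dscp_of(uint8_t ds) { return ds >> 2; }
int ecn_of(uint8_t ds)  { return ds & 0x3; }

/* Boundary re-marking. A gateway must not trust marks set by LAN hosts or
 * arriving from the Internet: only EF and the AF classes are honoured here
 * (policy assumed for this example); everything else is reset to CS0.
 * The ECN bits are preserved because they are not part of the mark. */
uint8_t remark_at_boundary(uint8_t ds) {
    int dscp = dscp_of(ds);
    int allowed = (dscp == DSCP_EF);
    for (int c = 1; c <= 4 && !allowed; c++)
        for (int d = 1; d <= 3 && !allowed; d++)
            if (dscp == dscp_af(c, d)) allowed = 1;
    if (!allowed) dscp = DSCP_CS0;
    return (uint8_t)ds_field(dscp, ecn_of(ds));
}

/* Mark every packet sent on an IPv4 socket with the given DSCP.
 * Returns 0 on success, -1 on failure. */
int mark_socket_dscp(int fd, int dscp) {
    int tos = ds_field(dscp, 0);
    if (tos < 0) return -1;
    return setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof tos);
}

int main(void) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd >= 0 && mark_socket_dscp(fd, DSCP_EF) == 0)
        printf("socket marked EF, TOS byte 0x%02x\n", ds_field(DSCP_EF, 0));
    /* A host claiming CS7 (56) with ECN ECT(0) is reset to CS0, ECN kept. */
    printf("re-marked DS field: 0x%02x\n", remark_at_boundary((uint8_t)ds_field(56, 2)));
    return 0;
}
```

    The re-marking step is the security-relevant part: without it, any host behind the gateway (or any peer on the Internet) can starve other traffic simply by setting a high-priority code point on its own packets.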

    Security Services and Features


    With the broad range of security features available in Windows CE 5.0, device manufacturers, service providers, and enterprises can provide more secure network gateways to help protect the data, communications, and privacy of office and home users alike. The following illustration shows how the application layer supports security and administration services and features in a Windows CE-based device.


    Figure 6. Key Windows CE 5.0 Security Services and Features

    The following three tables outline the key security technologies that are available in Windows CE. The encryption and authentication features listed below are a sampling of those included in the latest version of the operating system platform:



    Windows CE 5.0 Encryption and Authentication Features (each feature name is followed by its description)

    Cryptographic API 2.0 (CryptoAPI 2.0)

    In addition to CryptoAPI 1.0, Windows CE 5.0 supports certificate creation using CryptoAPI 2.0. CryptoAPI is an interface that provides basic cryptography services to Microsoft Win32®-based applications, such as data encryption and decryption, authentication using digital certificates, and encoding and decoding of ASN.1 structures. CryptoAPI also enables users to manage X.509 digital certificates. You can use the functions in CryptoAPI without detailed knowledge of the underlying implementation.

    A cryptographic service provider (CSP) contains implementations of cryptographic standards and algorithms. Examples of CSPs included with Windows CE 5.0 are Smart Card Encryption Provider, the Microsoft Digital Signature Standard (DSS), and Diffie-Hellman Cryptographic Providers.



    Internet Key Exchange (IKE)

    Windows CE 5.0 supports IKE, the key-management protocol used with IPSec. IKE authenticates the two peers (for example with certificates or a pre-shared key) and uses a Diffie-Hellman exchange to establish the shared secret keys for the IPSec security associations, so no session key ever has to be transmitted in the clear. IKE also renegotiates keys periodically during the life of the connection.

    Virtual Private Networking (VPN)


    Windows CE 5.0 enables VPN, a private network carried over a public network such as the Internet, for home and small business communications and data sharing. A VPN uses Remote Access Service (RAS) authentication together with tunneling and encryption protocols such as PPTP or L2TP/IPSec to control access to the network. Windows CE 5.0 contains a PPTP VPN client and server in addition to an L2TP/IPSec VPN client. VPN services are available on headless devices, such as gateways, and on display-based devices.

    Point-to-Point Tunneling Protocol (PPTP)


    Windows CE 5.0 supports PPTP, a protocol that tunnels PPP frames over IP and, with Microsoft Point-to-Point Encryption (MPPE), gives a user an encrypted connection to another IP-connected device or a remote network. By supporting multiple protocols and data encryption technologies, PPTP provides secured, on-demand, virtual networks over dial-up lines, LANs, and WANs including the Internet and other public TCP/IP-based networks. Windows CE 5.0 supports both the PPTP client and server. Having client-side and server-side PPTP available in Windows CE enables PPTP pass-through scenarios, such as using the PPTP client from within a LAN to connect to a WAN, as well as the reverse, such as connecting to the LAN from the WAN, for example a VPN connection from a public Internet terminal or a corporate PC to the home network. Note that PPTP's encryption keys are derived from the MS-CHAP authentication exchange, and MS-CHAPv2 has since been shown to be breakable offline by an attacker who captures the handshake; where both ends support it, L2TP/IPSec is the stronger choice.

    Protected Store

    In a home or small business network where two or more users can access the same devices, the protected store API provides a convenient solution to cryptography, key management, and user experience issues while protecting sensitive information and preventing data tampering. Windows CE 5.0 uses two CryptoAPI functions, CryptProtectData and CryptUnprotectData, to take user logon credentials and lock and unlock private data. Using Protected Store, OEMs can add smart card or biometric credential functionality to a device.

    Authentication Services

    Windows CE provides security services for user authentication, credential management, and message protection through a programming interface called the Security Support Provider Interface (SSPI). SSPI is a well-defined, common interface for obtaining integrated security services for authentication, message integrity, and message privacy. It provides an abstraction layer between application-level protocols and security protocols, enabling users to access one of several security providers without knowing the details of the security protocol. The security providers included with Windows CE are Kerberos, NTLM, and Schannel.

    • Kerberos. A protocol for mutual authentication between entities that uses unique keys to enable the exchange of private information on an open network.

    • NTLM. The default authentication protocol for Windows NT®. NTLM (NT LAN Manager) is a challenge/response protocol: the server sends a random challenge and the client answers with a value computed from the challenge and a hash of the user's password, so the password itself is never sent over the network.

    • Schannel. The provider for SSL 2.0, SSL 3.0, and Transport Layer Security (TLS 1.0, also known as SSL 3.1), public key-based protocols that use certificates to authenticate the server (and optionally the client) and then encrypt the session.

    OEMs also have the option of writing their own security package and adding it to the registry for applications to use.

    Credential Manager

    This feature is automatically included with Kerberos and NTLM authentication service in the Windows CE 5.0 Catalog. The Credential Manager enables users to save a name, password, and other authentication information on a device and keeps track of that information.

    Extensible Authentication Protocol (EAP)

    EAP provides a standardized support mechanism for authentication schemes, such as token cards, certificates, public keys, and S/Key one-time passwords. EAP allows OEMs to plug in additional authentication schemes. On a Windows CE-based device, 802.1X, PPP, and PPTP can carry EAP.

    Protected Extensible Authentication Protocol (PEAP)

    PEAP is an EAP extension for Windows CE that provides increased security during authentication. PEAP first establishes a TLS tunnel in which the EAP server authenticates itself with a certificate, then runs the inner EAP method (typically username/password authentication) inside that tunnel. This gives mutual authentication between the EAP client and the EAP server while requiring a certificate only on the server, and keeps the client's credentials off the wireless link in the clear.

    Public Key Infrastructure (PKI)

    Windows CE 5.0 contains support for PKI, an authentication technology that uses digital certificates issued by certificate authorities (CA) to authenticate users (or messages signed with a digital certificate) on public and private networks.

    Smart Card Support

    Windows CE provides a smart card subsystem that supports CryptoAPI and the Windows CE-based device driver model for developing smart card readers. The subsystem provides a link between smart card reader hardware and applications that are smart card aware, and consists of dynamic-link libraries (DLLs), the smart card resource manager API, and the smart card reader hardware device drivers. Additional PC/SC support facilitates the porting of existing smart card reader drivers and service providers.

    Secure Socket Layer (SSL)

    SSL enables an application to use secured sockets to send and receive encrypted data over a network connection. Windows CE supports SSL versions 2.0, 3.0, and 3.1 (SSL version 3.1 is also known as Transport Layer Security, TLS 1.0), which are available through Windows Internet Services (WinInet) or directly from Windows Sockets (Winsock). SSL 2.0 has known protocol weaknesses and should be disabled in favour of SSL 3.0/TLS wherever the peers allow it.

    Windows CE 5.0 also contains support for the following security protocols:

    Windows CE 5.0 Security Protocols (each protocol name is followed by its description)

    Layer 2 Tunneling Protocol/IP Security (L2TP/IPSec)


    Windows CE provides L2TP/IPSec client functionality, which can be used to provide confidentiality and data integrity protection in a VPN. L2TP carries the tunneled PPP frames, and IPSec protects the L2TP traffic between the client and the gateway, for example a remote VPN connection through a gateway device to a home or small office LAN. IPSec is a network-layer security protocol that authenticates the two peers and then authenticates, integrity-protects, and encrypts the IP packets exchanged between them.

    VPN Pass Through


    Windows CE Network Address Translation (NAT) has built-in handling that allows multiple PPTP sessions to pass through, allowing multiple clients on a private (internal) network to connect and maintain PPTP sessions to external PPTP servers.

    Wi-Fi Protected Access (WPA)/802.1x

    WPA implements 802.1X and Extensible Authentication Protocol (EAP), and uses Temporal Key Integrity Protocol (TKIP) for per-packet keying and message integrity to address known Wired Equivalent Privacy (WEP) weaknesses, increasing data protection and access control for wireless networks. Windows CE 5.0 includes client-side support for WPA.

    802.1X is a port-based access control standard that provides authenticated access to 802.11 wireless networks and to wired Ethernet networks. 802.1X minimizes wireless network security risks by providing user and computer identification and centralized authentication (typically against a RADIUS server), and by distributing fresh per-session encryption keys, which removes the static-key weakness of WEP. 802.1X itself does not define an encryption algorithm; the keys it distributes are used by WEP or, with WPA, by TKIP. 802.1X carries EAP, which allows different authentication methods, such as smart cards and certificates, to be used.



    In addition, Windows CE 5.0 contains the following firewall and filtering technologies:

    Windows CE 5.0 Firewall and Filtering Technologies (each technology name is followed by its description)

    Internet Connection Firewall (ICF)

    Windows CE includes firewall software, also known as the packet filter, that blocks unsolicited connections originating from the Internet. To accomplish this, the firewall uses Network Address Translation (NAT) connection state to decide whether an incoming packet belongs to a connection that a host on the private network, or the ICF host itself, initiated. The firewall also allows rules to be created based on source and destination addresses, ports, and other criteria.

    ICF can protect a single device or a home network from network attacks. ICF also makes files and folders that are shared among networked devices invisible to other users on the Internet.



    ICF features in Windows CE 5.0 include:

    • Port Filtering. Silently discards unsolicited inbound traffic, stopping common reconnaissance such as port scanning. ICF can write the activity it tracks to a security log.

    • Internet Control Message Protocol (ICMP) Filtering. Controls which ICMP message types (such as echo request) the device accepts or answers, so the gateway can, for example, stay silent to pings from the Internet while still receiving the error messages it needs.

    • Stateful Packet Inspection. ICF tracks the connections that cross it and checks the source and destination address and port of each packet against that connection state, so only packets that belong to an established or explicitly permitted flow are forwarded.

    • Denial of Service (DoS) Attack Prevention. Allows you to set the maximum size of the ICF security log, so that a flood of logged events, as produced by a denial of service attack, cannot exhaust storage on the device.

    • Demilitarized Zone (DMZ). ICF provides packet filtering for computers on a perimeter network, also referred to as a demilitarized zone. A DMZ is a boundary network between the Internet and the internal network's line of defense, usually a combination of firewalls and bastion hosts (gateways between private and public networks). DMZ support enables hosting of Internet services without exposing the private network to unauthorized access.

    • Firewall Support for Internet Protocol version 6 (IPv6). The firewall also filters IPv6 traffic. IPv6 addresses many of the IPv4 limitations: it provides a far larger address space, uses hierarchical routing tables, and supports both stateful and stateless IP address configuration.
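    To make the port filtering, stateful inspection, DMZ and log-size points above concrete, here is a small stateful packet filter in portable C. It is an added example written for this page, not ICF or any Windows CE code, and the traffic it processes is constructed inline. Outbound packets create flow entries; an inbound packet is forwarded only if it answers one of those flows or matches a static allow rule for a published service (the 192.168.1.16:80 rule stands in for a DMZ/port-forward host and is an assumption of the example); everything else is silently dropped and logged, with the log capped so a flood cannot grow it without bound.

```c
/* Added example: minimal stateful packet filter in the spirit of ICF.
 * Portable C, not Windows CE code. Sample traffic is constructed below. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

enum dir   { OUT = 0, IN = 1 };
enum proto { ICMP = 1, TCP = 6, UDP = 17 };

typedef struct {
    int dir;                 /* OUT: LAN -> Internet, IN: Internet -> LAN */
    int proto;
    uint32_t src, dst;       /* IPv4 addresses as host-order integers */
    uint16_t sport, dport;   /* for ICMP: sport = message type, dport = 0 */
} pkt_t;

/* Flow table: one entry per outbound 5-tuple seen (no ageing, to stay short). */
#define MAX_FLOWS 64
static pkt_t flows[MAX_FLOWS];
static int nflows;

/* Security log with a hard cap: drops beyond the cap are counted, not stored. */
#define LOG_CAP 4
static char logbuf[LOG_CAP][96];
static int nlog, ndropped_unlogged;

/* Static allow rule for an exposed service (port forward / DMZ host).
 * Assumed for the example: web server at 192.168.1.16. */
typedef struct { int proto; uint32_t dst; uint16_t dport; } rule_t;
static const rule_t allow_rules[] = { { TCP, 0xC0A80110u, 80 } };

static void reset_filter(void) { nflows = nlog = ndropped_unlogged = 0; }

static void log_drop(const pkt_t *p) {
    if (nlog >= LOG_CAP) { ndropped_unlogged++; return; }
    snprintf(logbuf[nlog++], sizeof logbuf[0], "DROP proto=%d %u.%u.%u.%u:%u -> :%u",
             p->proto, p->src >> 24, (p->src >> 16) & 255u, (p->src >> 8) & 255u,
             p->src & 255u, (unsigned)p->sport, (unsigned)p->dport);
}

/* Does inbound packet p answer a flow we opened? Addresses and ports are
 * reversed; for ICMP an echo request (type 8) solicits an echo reply (type 0). */
static int matches_flow(const pkt_t *p) {
    for (int i = 0; i < nflows; i++) {
        const pkt_t *f = &flows[i];
        if (f->proto != p->proto || f->src != p->dst || f->dst != p->src) continue;
        if (p->proto == ICMP) { if (f->sport == 8 && p->sport == 0) return 1; }
        else if (f->sport == p->dport && f->dport == p->sport) return 1;
    }
    return 0;
}

/* Returns 1 if the packet is forwarded, 0 if silently dropped. */
int filter(const pkt_t *p) {
    if (p->dir == OUT) {
        if (nflows < MAX_FLOWS) flows[nflows++] = *p;   /* remember the flow */
        return 1;
    }
    if (matches_flow(p)) return 1;                      /* solicited reply */
    for (size_t i = 0; i < sizeof allow_rules / sizeof *allow_rules; i++)
        if (allow_rules[i].proto == p->proto && allow_rules[i].dst == p->dst &&
            allow_rules[i].dport == p->dport)
            return 1;                                   /* published service */
    log_drop(p);                                        /* unsolicited: drop + log */
    return 0;
}

int log_count(void)      { return nlog; }
int unlogged_drops(void) { return ndropped_unlogged; }

int main(void) {
    reset_filter();
    pkt_t dns_q = { OUT, UDP, 0xC0A80105u, 0x08080808u, 53001, 53 };  /* LAN host -> resolver */
    pkt_t dns_r = { IN,  UDP, 0x08080808u, 0xC0A80105u, 53, 53001 };  /* the answer */
    pkt_t scan  = { IN,  TCP, 0xCB007101u, 0xC0A80105u, 40000, 445 }; /* unsolicited probe */
    printf("dns reply forwarded: %d\n", filter(&dns_q) && filter(&dns_r));
    printf("inbound 445 forwarded: %d\n", filter(&scan));
    for (int i = 0; i < nlog; i++) puts(logbuf[i]);
    return 0;
}
```

    The two design points worth noting are that the decision for inbound traffic is made entirely from state the gateway itself created (so a forged reply to a port nobody opened is dropped even though its source looks legitimate), and that the log has a fixed ceiling: the DoS protection described above is exactly this cap, trading completeness of the log for the device staying up.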

    Internet Protocol version 6.0 (IPv6)

    Windows CE 5.0 supports IPv6, a suite of standard network layer protocols that uses 128-bit addresses to provide more IP addresses than its predecessor, IPv4, which uses 32-bit addresses. IPv6 uses hierarchical routing tables, supports both stateful and stateless IP address configuration, and is available on headless devices and display-based devices. Windows CE 5.0 includes IPv6 components specifically designed for gateway devices that give clients behind the gateway full IPv6 connectivity while still applying the gateway's protection to that traffic.

    IPv6/IPv4 Tunneling


    Windows CE 5.0 provides support for IPv4 and IPv6 coexistence and migration technologies such as 6to4, an address assignment and router-to-router automatic tunneling technology. 6to4 derives a site's IPv6 prefix (2002::/16 followed by the site's public IPv4 address) from the address of its IPv4 tunnel endpoint, and encapsulates IPv6 packets in IPv4 so that 6to4 sites and hosts can reach each other with unicast IPv6 across the IPv4 Internet.
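    The following portable C is an added example for this page (not Windows CE code) showing the 6to4 address derivation from RFC 3056 and the two checks a gateway implementing it needs: the embedded IPv4 address must be a globally routable unicast address, since it is where other sites will send encapsulated packets, and a decapsulated packet's inner IPv6 source must embed the same IPv4 address as the outer IPv4 source, or else anyone can inject IPv6 packets that appear to come from any 6to4 site (the spoofing problem described in RFC 3964). The sample addresses (192.0.2.1 and 192.168.1.1) are constructed for the example.

```c
/* Added example: deriving and validating 6to4 addresses (RFC 3056).
 * Portable C, not Windows CE code. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* An address embedded in a 6to4 prefix must be globally routable unicast.
 * Private, loopback, link-local, multicast and reserved ranges are rejected. */
int ipv4_is_global_unicast(uint32_t a) {
    if ((a >> 24) == 0)       return 0;   /* 0.0.0.0/8 */
    if ((a >> 24) == 10)      return 0;   /* 10.0.0.0/8 */
    if ((a >> 24) == 127)     return 0;   /* loopback */
    if ((a >> 20) == 0xAC1)   return 0;   /* 172.16.0.0/12 */
    if ((a >> 16) == 0xC0A8)  return 0;   /* 192.168.0.0/16 */
    if ((a >> 16) == 0xA9FE)  return 0;   /* 169.254.0.0/16 link-local */
    if ((a >> 28) >= 0xE)     return 0;   /* multicast, reserved, broadcast */
    return 1;
}

/* Build 2002:WWXX:YYZZ:<subnet>:<interface id> for an IPv4 endpoint.
 * Fills 16 bytes; returns 0 on success, -1 if the IPv4 address is unusable. */
int make_6to4_address(uint32_t v4, uint16_t subnet, uint64_t iid, uint8_t out[16]) {
    if (!ipv4_is_global_unicast(v4)) return -1;
    memset(out, 0, 16);
    out[0] = 0x20; out[1] = 0x02;                       /* 2002::/16 */
    out[2] = (uint8_t)(v4 >> 24); out[3] = (uint8_t)(v4 >> 16);
    out[4] = (uint8_t)(v4 >> 8);  out[5] = (uint8_t)v4;  /* embedded IPv4 */
    out[6] = (uint8_t)(subnet >> 8); out[7] = (uint8_t)subnet;
    for (int i = 0; i < 8; i++) out[8 + i] = (uint8_t)(iid >> (56 - 8 * i));
    return 0;
}

/* Recover the IPv4 tunnel endpoint from a 6to4 address. Returns -1 if the
 * address is not 6to4 or embeds an address we would never tunnel to. */
int tunnel_endpoint_of(const uint8_t addr[16], uint32_t *v4) {
    if (addr[0] != 0x20 || addr[1] != 0x02) return -1;
    *v4 = ((uint32_t)addr[2] << 24) | ((uint32_t)addr[3] << 16) |
          ((uint32_t)addr[4] << 8)  |  (uint32_t)addr[5];
    return ipv4_is_global_unicast(*v4) ? 0 : -1;
}

/* Ingress check for a decapsulated 6to4 packet: the inner IPv6 source must
 * embed the outer IPv4 source. Returns 1 if consistent, 0 if it must be dropped. */
int ingress_consistent(uint32_t outer_v4_src, const uint8_t inner_v6_src[16]) {
    uint32_t embedded;
    if (tunnel_endpoint_of(inner_v6_src, &embedded) != 0) return 0;
    return embedded == outer_v4_src;
}

int main(void) {
    uint8_t addr[16];
    uint32_t ep;
    /* 192.0.2.1 as the site's public address (constructed for the example). */
    if (make_6to4_address(0xC0000201u, 1, 1ULL, addr) == 0) {
        printf("6to4 address:");
        for (int i = 0; i < 16; i += 2) printf("%s%02x%02x", i ? ":" : " ", addr[i], addr[i + 1]);
        printf("\n");
    }
    if (tunnel_endpoint_of(addr, &ep) == 0)
        printf("tunnel endpoint: %u.%u.%u.%u\n", ep >> 24, (ep >> 16) & 255u, (ep >> 8) & 255u, ep & 255u);
    printf("consistent with outer source 192.0.2.1: %d\n", ingress_consistent(0xC0000201u, addr));
    printf("consistent with outer source 192.0.2.2: %d\n", ingress_consistent(0xC0000202u, addr));
    return 0;
}
```

    A gateway behind NAT, which is the common home case, cannot be a 6to4 router at all, because its own address is private and make_6to4_address() rejects it; the 6to4 endpoint has to be the device that holds the public address.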
