
Blog


    30 October

    Windows 7 – PDC Release

    Windows7

    Hey everyone, PDC is underway and a lot of information about the new Windows 7 has hit the net. It's worth checking out the screenshots of the operating system and also the videos on boot time, which I found pretty cool. Of course any good, freshly installed machine boots fast, and Windows 7 is still pre-release, so a lot will still improve!

    Special thanks to Stephen from UX Evangelist. He posted a lot of information as soon as he got the hard drive handed out to PDC 2008 attendees.

    Windows 7 32-bit: 6801.0.080913-2030_Client_en-us_ULTIMATE-ULTIMATE_GB1CFRE_EN_DVD.iso
    Windows 7 64-bit: 6801.0.080913-2030_Client_en-us_ULTIMATE-ULTIMATE_GB1CXFRE_EN_DVD.iso
    Windows 7 Server 64-bit: 6801.0.080913-2030_amd64fre_Server_en-us-GB1SXFRE_EN_DVD.iso
    Windows 7 32-bit Symbols: Windows_Winmain.6801.0.080913-2030.X86FRE.Symbols.msi
    Windows 7 64-bit Symbols: Windows_Winmain.6801.0.080913-2030.AMD64FRE.Symbols.msi
    Windows 7 32-bit SDK: 7.0.6801.0.3634.WindowsSDK_Windows7_idw.WindowsSDK.DVD.Release.iso
    Windows 7 MCE SDK: WindowsMediaCenterSDK6.msi

    Everything that came on the 160GB hard drive:
    PDC 2008- All About The Goods

    Tom Warren’s Review - @ Neowin
    Paul Thurrott’s - Winsupersite
    Screenshots - WinFuture.de
    It's Official- Windows 7 M3 Pre-Beta Build 6801

    Windows 7 Deployment Process
    Windows 7- The Development Process

    []’s
    Carlos A.

    23 October

    Bill Gates's new company?!?


    After ceasing to be an FTE at Microsoft, Bill Gates has created his new company, with a super high-tech office and even a Surface at reception running guestbook software.

    According to public documents, the company, called bgC3, will do work in the scientific and technological areas, industrial analysis and research, and finally design and development of computer hardware and software (OMG!).

    And the name, bgC3, what could it mean? Some say it may be "Bill Gates Company 3", which would be his third company after Microsoft and the Bill & Melinda Gates Foundation.

    The company will be small, with room for 40 to 60 people, including staff and visitors. Now we wait for more news from BillG.

    Source –> TechFlash

    22 October

    TechED 2008 - Brazil


    Well folks, another TechED has come and gone, but this one will stay in memory. A Steve Ballmer keynote doesn't happen many times a year here in Brazil.

    Ballmer gave a talk on Dynamic IT and how Microsoft products help companies become more dynamic, using methodologies and tools to do so. The talk was great, all the more for hearing it from Steve Ballmer himself.

    Apart from that, the technical tracks had a big focus on Virtualization (Hyper-V) and Management (System Center). Some were good and others left something to be desired, but that happens.

    I'll single out just one presentation I thought was great, both for the content and the presenter: the one by Steve Riley of Microsoft Corp. He gave a completely different talk, using a digital tablet, writing things (which were shown on the big screen), interacting with people (even though speaking in English) and walking down the aisle (I think he spent about 5 minutes on stage; the rest was next to the audience). The subject was interesting: a different approach to security, showing that a DMZ is not necessary if you use several layers of security such as IPv6, IPsec, NAP, Forefront, SCCM, Vista, etc.

     

    Video: TechED 2008 Brasil - Steve Ballmer

    []’s
    Carlos A.

    15 October

    After Mac Refresh, PCs are STILL a better value!


    Well, now the Mac crowd is going to start hating me hahaha .. Apple launched a new product line and dropped the price of its simplest notebook to US$999. Do you find that interesting? Seriously, answer honestly: you who work with PCs, do you think a notebook for US$999 is a good deal?

    So let's make the following comparison. The Apple notebook has a 2.1GHz Core 2 Duo, 1GB of memory, a 120GB hard drive, a DVD reader and an Intel x3100 graphics card.

    An HP DV4-1140go has a 2.0GHz Core 2 Duo, 4GB of memory, a 320GB hard drive, a Lightscribe DVD burner, an Intel 4500MHD graphics card, HDMI, an 8-in-1 card reader, and costs only US$799. Now tell me the PC isn't still the better choice? Wake up!

    Apple is very good at design, but is what you're paying extra worth it? Companies like Dell and HP have had very good designs lately. For lay people who know nothing and think the iPhone is the best phone in the world, I can even understand them falling for Apple's pitch; but those who know and can make a comparison, let's stay alert.

    See more comparisons in this PDF:
    http://blog.seattlepi.nwsource.com/microsoft/library/PCs_are_still_a_better_value.pdf

    Source –> SeattlePi blog

    OCS 2007 R2



    Folks, the official launch date of the new Office Communications Server 2007 R2 has been announced: it will be 03/02/09 (3 February 2009), bringing some new features to this incredible product:

    Next-Generation Collaboration

    Dial-in audioconferencing. Office Communications Server 2007 R2 enables businesses to eliminate costly audioconferencing services with an on-premise audioconferencing bridge that is managed by IT as part of the overall communications infrastructure.

    Desktop sharing. This feature enables users to seamlessly share their desktop, initiate audio communications and collaborate with others outside the organization on PC, Macintosh or Linux platforms through a Web-based interface.

    Persistent group chat. This enables geographically dispersed teams to collaborate with each other by participating in topic-based discussions that persist over time. This application provides users with a list of all available chat rooms and topics, periodically archives discussions in an XML file format that meets compliance regulations, provides tools to search the entire history of discussion on a given topic, and offers filters and alerts to notify someone of new posts or topics on a particular topic.

    Enhanced Voice and Mobility

    Attendant console and delegation. This allows receptionists, team secretaries and others to manage calls and conferences on behalf of other users, set up workflows to route calls, and manage higher volumes of incoming communications through a software-based interface.

    Session Initiation Protocol trunking. This feature enables businesses to reduce costs by setting up a direct VoIP connection between an Internet telephony service provider and Office Communicator 2007 without requiring on-premise gateways.

    Response group. A workflow design application manages incoming calls based on user-configured rules (e.g., round-robin, longest idle, simultaneous), providing a simple-to-use basic engine for call treatment, routing and queuing.

    Mobility and single-number reach. This extends Microsoft Office Communicator Mobile functionality to Nokia S40, Motorola RAZR, Blackberry and Windows Mobile platforms, allowing users to communicate using presence, IM and voice as an extension of their PBX from a unified client.*

    New Developer Tools for Business Applications

    APIs and Visual Studio integration. This improves the efficiency of everyday business processes by enabling businesses to build communications-enabled applications and embed communications into business applications.

    http://www.microsoft.com/communicationsserver/virtualevent/languageselect.aspx

    Just register to take part in the virtual launch.

    Link to Microsoft PressPass

    13 October

    Microsoft OCS A/V Edge – Public IP


    Folks, whenever I'm close to an Office Communications Server 2007 project, when it comes time to deploy the Edge Server (more specifically the A/V Edge Server) we have to ask the customer for a public IP routed directly to the server, that is, without the famous NAT.

    Needless to say this is a dilemma; nobody who works with security allows it, believing that NAT is a form of security. NAT was never intended as security, but rather to let more machines be reached with few available IPs, since in IPv4 that was a problem. Now with IPv6, NAT will no longer exist, so the security folks need to start revisiting their concepts.

    Doing a bit of research, I found an e-mail from Alan Shen, who is a Program Manager at Microsoft, explaining in detail why a directly routed IP is necessary, what the ICE and STUN technologies do, and Microsoft's and Cisco's role in it.

    I think we now have "ammunition" to forward to everyone who doesn't want to give you a routed IP ;)

    The A/V edge server enables users to participate in audio and video connections from outside the corporate network, such as a point to point call, a conference, leaving a voicemail with Exchange UM, or making a PSTN call.  Contoso has deployed the A/V Edge server with two NICs in the perimeter network.  The “external” firewall separates the edge server from the Internet and the “internal” firewall separates the server from the corporate network.  In order for the A/V Edge server to function correctly, the internal firewall must allow traffic to UDP 3478, TCP 443, and TCP 5062 (A/V authentication port).  And the external firewall must allow bi-directional traffic to the following ports: UDP 3478, TCP 443, UDP 50,000-59,999, and TCP 50,000-59,999.  No NATing behavior is allowed on either firewall.  The external IP address must be publicly routable and the internal IP address must be routable from within the corporate network.
    The ports on the external edge tend to undergo greater scrutiny because they involve more ports open to the Internet.  This sidebar first explains why there are so many publicly addressable ports and then how these ports are secured from an attack.

    Why the A/V Edge has so many ports

    Needing UDP ports

    UDP connections are more resilient to packet loss than TCP.  When a UDP packet is lost, the transport delivers subsequent packets without delay.  When a TCP packet is lost, the transport holds all subsequent packets because TCP inherently must provide a reliable stream of data.  This results in increased audio latency as we wait for the lost packet to retransmit and the rest of the TCP stream to "catch up".

    Needing TCP ports

    Although UDP is a more efficient transport, some clients can only reach the Internet via TCP, typically due to a corporate firewall policy.  OCS also supports a TCP media transport in case a UDP path is not available.  At the start of each call or conference, the two endpoints use the IETF's ICE protocol to dynamically choose the optimal media path available.  This protocol prefers direct media paths over those that go through a media relay, and UDP paths over TCP paths.

    Needing the port range at 50,000

    The A/V Edge server is an implementation of the IETF's STUN protocol with TURN relay extensions.  The standard requires this port range because it cannot assume the remote party has access to the same media relay server.  Phone calls often traverse company boundaries, such as a federated VOIP call in OCS2007.  Calls to standalone SIP devices are another example that one could envision as VOIP technology continues to evolve.  The federated company cannot access the local company’s A/V Edge server via UDP3478/TCP443.  The 50,000 port range allows media to traverse in a federated call.  It is a port range instead of a multiplexed port to enable efficient relaying of RTP packets.  A multiplexed port would require increased packet inspection and lowered efficiency of the server.  As you’ll see below, the port range also increases the security of the A/V Edge Server.

    Needing a publicly routable IP address on the external interface
    The external A/V Edge requires a publicly routable IP address for several reasons.  First, the A/V Edge server implements the STUN protocol, a mechanism whereby the A/V Edge server reflects back the IP address it saw from a user’s home router.  This home router IP address is used to enable the use of efficient media paths using the ICE protocol and is also needed to ensure proper IP permissions are set on the A/V Edge server’s 50,000 port range.  If the A/V Edge external address was behind a NATed IP, the A/V edge server would return that address instead of the address of the home router, leading to less efficient (sometimes broken) media paths and permission issues on the 50,000 port range.  A second reason for publicly routable IPs is to support UDP load balancing.  For real time audio/video traffic, UDP is the preferred protocol to transfer RTP packets.  However, UDP is a stateless protocol, so some load balancers distribute UDP packets to the servers without any context for the current session.  To mitigate this, the A/V edge server returns its external IP address on the first UDP packet of a media session, and OC or the Meeting Console client sends subsequent UDP traffic directly to that IP address instead of through the load balancer.  In order for this mechanism to work, the external IP must be publicly routable.  Note that supporting a publicly routable IP address on the external edge does not preclude a company from using a firewall.  To the contrary, Microsoft recommends that all externally facing servers be protected with a firewall…provided that firewall does not NAT the IP address.

    Needing a routable IP address on the internal interface
    For the same reason of needing to support UDP media across load balancers, the A/V edge server returns its internal IP address on the first UDP packet of a media session, and OC or the Meeting Console client sends subsequent UDP traffic directly to that IP address instead of through the load balancer.  That is the reason why the internal IP address needs to be routable from the corporate network.  And to be specific, this internal IP address needs to be routable by client endpoints (OC/Meeting Console) as well as server endpoints (Mediation Server/AVMCU/ExchangeUM), given that OCS 2007 supports media point to point and via a conference.

    Understanding the technology is not enough, though.  Like most corporations, Contoso’s IT department is composed of emerging technology and network security engineers.  Deploying the technology described above will only happen if it passes a security review.  The following section discusses security aspects, first providing a summary of the mechanisms in place along with a more detailed description afterward.

    Security Overview
    Security of A/V Edge Server Auth Port TCP5062 (internal edge only)
    OCS front end servers must provide a validly signed certificate whose subject name matches the FQDN of that server.  (The OCS front end server performs the same check against the A/V Edge Server’s certificate.)

    The OCS front end server FQDN must be on a trusted list of the A/V Edge Server.  (The OCS front end server performs the same check against the A/V Edge Server FQDN.)
    All SIP signaling is protected with 128-bit TLS encryption.

    Security of UDP3478/TCP443 (internal and external edges)
    Port allocation is protected by 128-bit digest “challenge” authentication, using a computer generated password that rotates every 8 hours.

    A sequence number and random nonce are used to deter replay attacks.

    Media relay packaged messages (UDP3478/TCP443) are protected with a 128-bit HMAC signature.

    Security of UDP/TCP 50,000-59,999 (external edge only)
    Ports are allocated randomly within that range per call.  An attacker needs to predict which port is active and complete an attack before the call ends.
    Incoming traffic is filtered according to the IP addresses of the other endpoint’s candidates.  Even if an attacker finds a port in use, it must also spoof the correct IP address.
    These two examples actually make the port range more secure.  If all traffic was multiplexed through one port, it would accept traffic from IP addresses of all remote endpoints.
    Security of end to end media
    Media packets are protected with end to end SRTP, preventing any eavesdropping or packet injection.

    The key used to encrypt and decrypt the media stream is passed over the TLS secured signaling channel.

    Details of Security

    Security of A/V Edge Server Auth Port TCP5062 (internal edge only)
    When a user logs in to OC or joins a meeting, it first acquires a username/password token from the media relay by sending a SIP SERVICE message over the TLS secured signaling channel.  The last leg of this signaling path is a TCP connection from the user’s OCS front end server to the A/V authentication port of the A/V Edge server.  This connection is only accepted on the internal facing IP address of the A/V Edge Server.  Before accepting the SIP SERVICE request, a TLS connection must be set up where both sides validate the following: 1) Other server provides a certificate signed by a trusted authority, 2) the certificate’s subject name matches the FQDN of that server, and 3) that server’s FQDN matches one of the servers on a local trusted server list.  (In fact, all servers in the OCS system perform this series of checks before allowing any communication to or from another OCS server.)  If all three checks pass, the TLS connection is established and the SIP SERVICE command carried to the A/V Edge Server, which responds with a 200OK containing the computer generated username/password token.

    Security of UDP3478 and TCP443 (internal and external edges)
    The A/V Edge Server is an enterprise managed resource, so restricting access to authorized users is important for security and resource considerations.  Communication on the UDP3478 and TCP443 ports is only allowed for clients that belong to the corporation managing that A/V Edge Server.  A client uses these two ports to allocate UDP and TCP ports within the 50,000 port range for the remote party to connect to.  Using the computer generated username/password obtained via the SIP SERVICE request, the client performs digest authentication against the A/V edge server to actually allocate the ports.  An initial allocate request is sent from the client and responded with a nonce challenge message from the A/V Edge Server.  The client sends a second allocate containing the username and an HMAC hash of the username and nonce.  A sequence number mechanism is also in place to prevent replay attacks.  The server calculates the expected HMAC based on its own knowledge of the username and password.  If the HMAC values match, the allocate procedure is carried out, otherwise the packet is dropped.  This same HMAC mechanism is also applied to subsequent messages within this call session.  The lifetime of this username/password value is a maximum of 8 hours, at which time the client will reacquire a new username/password for subsequent calls.

    Security of UDP/TCP 50,000-59,999 (external edge only)
    The question arises, “Are 10,000 ports less secure than a couple well known ports?”  One might think so, but actually the answer is no.  From an attacker’s standpoint, each of those 10,000 ports behaves exactly the same.  The more pertinent question is: “How secure is each of those 10,000 ports?”  One consideration is that allocations in this range are chosen randomly.  At any given time, it’s likely that many of these ports aren’t even listening for packets.  (Contrast that with a well known port that an attacker can focus on.)  The security mechanism in place on each port is to filter traffic for only those packets that originate from the remote endpoint’s IP address.  This IP address is communicated over the TLS secured signaling channel, and packets from any other IP addresses are dropped by the A/V edge server.  In this situation, having a range of ports actually improves security.  Since a random port allocation happens for each call, this design forces the attacker to 1) deduce an active port, 2) break the TLS signaling channel, and 3) spoof the remote user’s IP address…all in the span of a single call.  Can this port range be reduced?  Yes, but doing so limits A/V Edge scale in peak conditions, and does not increase security.  A reduced port range should factor no less than 6 UDP/TCP ports per user in a peak load condition.  Can this port range be eliminated altogether for companies that don’t require audio/video federation?  Unfortunately, this scenario has not been tested and is currently an unsupported configuration.

    Security of end to end media
    OCS clients perform signaling to the server using 128-bit TLS encryption with validation that the server certificate has a matching FQDN and is signed by a trusted authority.  This same mechanism is used by e-commerce sites.  To secure the media channel, OCS uses the IETF’s SRTP protocol.  The mechanism carries out a 128-bit key exchange over the secure signaling channel which the two endpoints then use to encrypt and decrypt the media stream via 128-bit AES.  Even if an attacker can perform a “man in the middle” attack of the media path, no eavesdropping or false packet injection is possible.

    []’s
    Carlos Alberto
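The allocate handshake on UDP3478/TCP443 and the per-call filtering on the 50,000-59,999 range, as described in the quoted e-mail, are easier to reason about as a small model. The following Python is an added example, not code from this post or from Microsoft: the `MediaRelay` class, the message layout, the SHA-256 HMAC standing in for the "128-bit HMAC signature", and the sample IP addresses are all assumptions; the 8-hour token lifetime, the port range, the nonce/sequence-number checks and the source-IP filter are the behaviours the e-mail describes.

```python
"""Toy model of the OCS A/V Edge allocate handshake and port-range filtering.

Added illustrative code, not Microsoft's implementation: the message format,
class and function names are assumptions; the 8-hour token lifetime, the
50,000-59,999 range and the checks modelled come from the quoted e-mail.
"""
import hashlib
import hmac
import secrets

PORT_RANGE = range(50000, 60000)   # UDP/TCP media range on the external edge
TOKEN_LIFETIME = 8 * 3600          # username/password rotates every 8 hours


class MediaRelay:
    """Stand-in for the A/V Edge Server's allocation logic (hypothetical)."""

    def __init__(self):
        self.credentials = {}   # username -> (password, expiry time)
        self.nonces = {}        # username -> nonce issued in the challenge
        self.last_seq = {}      # username -> highest sequence number accepted
        self.allocations = {}   # allocated port -> permitted remote IP
        self.rng = secrets.SystemRandom()

    def issue_token(self, user, now):
        """Models the SIP SERVICE response on TCP 5062: a machine-generated
        username/password handed to the client over the TLS signaling path."""
        username = f"{user}-{secrets.token_hex(4)}"
        password = secrets.token_hex(16)
        self.credentials[username] = (password, now + TOKEN_LIFETIME)
        return username, password

    def challenge(self, username):
        """The first allocate request is answered with a random nonce."""
        nonce = secrets.token_hex(16)
        self.nonces[username] = nonce
        return nonce

    @staticmethod
    def mac(password, username, nonce, seq):
        """HMAC over username, nonce and sequence number (SHA-256 here; the
        e-mail only says 128-bit HMAC, so the exact primitive is assumed)."""
        msg = f"{username}:{nonce}:{seq}".encode()
        return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()

    def allocate(self, username, nonce, seq, tag, remote_ip, now):
        """Second allocate: verify token, nonce, sequence and HMAC, then hand
        out a random free port that accepts packets only from remote_ip.
        Returns the port, or None when the request is dropped."""
        cred = self.credentials.get(username)
        if cred is None or now >= cred[1]:
            return None                      # unknown or expired token
        password, _expiry = cred
        if self.nonces.get(username) != nonce:
            return None                      # wrong or missing challenge
        if seq <= self.last_seq.get(username, -1):
            return None                      # replayed or stale sequence number
        expected = self.mac(password, username, nonce, seq)
        if not hmac.compare_digest(expected, tag):
            return None                      # bad credentials
        self.last_seq[username] = seq
        free = [p for p in PORT_RANGE if p not in self.allocations]
        if not free:
            return None                      # range exhausted (peak load)
        port = self.rng.choice(free)
        self.allocations[port] = remote_ip
        return port

    def accept_packet(self, port, src_ip):
        """Per-port filter: only the remote endpoint's candidate IP gets through."""
        return self.allocations.get(port) == src_ip

    def release(self, port):
        """Call ended: the port goes back to the pool."""
        self.allocations.pop(port, None)


def demo(now=1_000_000):
    """Runs one call setup and returns what each check decided."""
    relay = MediaRelay()
    username, password = relay.issue_token("alice", now)
    nonce = relay.challenge(username)
    remote = "203.0.113.7"                  # constructed remote candidate IP
    tag = MediaRelay.mac(password, username, nonce, 1)
    port = relay.allocate(username, nonce, 1, tag, remote, now)
    results = {
        "port_in_range": port in PORT_RANGE,
        # the same message sent again: sequence number already used
        "replay_rejected": relay.allocate(username, nonce, 1, tag, remote, now) is None,
        # fresh sequence number but a tag computed with the wrong password
        "bad_mac_rejected": relay.allocate(
            username, nonce, 2, MediaRelay.mac("x", username, nonce, 2), remote, now) is None,
        "spoofed_source_dropped": not relay.accept_packet(port, "198.51.100.9"),
        "peer_packet_accepted": relay.accept_packet(port, remote),
        # the 8-hour token has expired by the time of the next call
        "expired_token_rejected": relay.allocate(
            username, nonce, 3, MediaRelay.mac(password, username, nonce, 3),
            remote, now + TOKEN_LIFETIME) is None,
    }
    relay.release(port)
    results["port_released"] = not relay.accept_packet(port, remote)
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check:25s} {passed}")
```

Running the script prints one line per check, all `True`. The model shows why the e-mail treats the port range as a strength rather than a weakness: a forged allocate fails on the HMAC or the sequence number, and even a correctly guessed active port drops everything that does not come from the IP address agreed over the signaling channel.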