Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Explained

Page 1: Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Explained

© 2016 Cisco and/or its affiliates. All rights reserved.

Cisco Connect

Cloud and On Premises Collaboration Security explained
Joseph Bassaly, Architect

Oct 12th 2017

Page 2

What will we cover today?

• Cisco Collaboration Elements
• Managing Identity
• Cisco Spark Security and Compliance
• Cisco Spark Network Security

Page 3

Continuous Workstreams

Page 4

Seamless Collaboration Experience

[Diagram: Messaging, Call Control, Meetings]

Link on-premises assets to the cloud

Page 5

Cisco Spark

Page 6

Hybrid Collaboration

[Diagram: Hybrid Call Service, Hybrid Calendar Service, Hybrid Directory Service and Hybrid Media Service linking the Spark cloud to on-premises components: Directory Connector, Cisco Expressway, Cisco Call Control, Call Connector, Calendar Connector, Media Nodes]

Page 7

Managing Identity

Page 8

Identity Framework

IdP – Identity Provider; RP – Relying Party

[Diagram: Users, the IdP and the RP, linked by an Explicit Initial Trust Agreement]

Page 9

Authentication and Authorization (AuthN and AuthZ)

Authentication

When you enter a hotel and walk up to reception, the receptionist authenticates you by checking your passport.

Authorization

After authentication has taken place, the receptionist gives you a room key.

Your room key is your authorization token to enter your room and any resource that you are entitled to in the hotel.

You do not need your passport to enter your room. Your room key authorizes you to enter your room only, and not any other rooms. The room key (authorization token) does not identify the holder of the key/token.

Authentication verifies that “you are who you say you are”.

Authorization verifies that “you are permitted to do what you are trying to do”.

Page 10

Authentication and Authorization (SAML and OAuth)

[Diagram: Client, Services and IdP; Authentication between the Client and the IdP, Authorization between the Client and the Services]

Page 11

SAML 2.0 Cookies to prevent re-authentication

[Diagram: Cisco Jabber, CUCM and the Identity Provider; other relying parties WebEx MC and Unity Connection; an IdP Cookie and a CUCM Cookie are set during the exchange]

1. Resource Request
2. Redirect with SAML authentication request
3. GET with SAML authentication request
4. Authentication method defined by IdP
5. Signed response in hidden HTML form with IdP cookie
6. POST signed response
7. Supply resource with cookie

Page 12

SAML 2.0 Cookies to prevent re-authentication

[Diagram: Cisco Jabber, CUCM and the Identity Provider; other relying parties WebEx MC and Unity Connection; IdP Cookie, CUCM Cookie and WebEx Cookie]

1. Resource Request
2. Redirect with SAML authentication request
3. GET with SAML authentication request with IdP Cookie
   No Authentication needed since IdP Cookie is valid
4. Signed response in hidden HTML form
5. POST signed response
6. Supply resource with cookie

Page 13

Do these look familiar?

[Three example consent dialogs]

An application would like to connect to your account. The application “XYZ” would like to access your basic account information. Allow application “XYZ” access? [Allow] [Deny]

Authorize “XYZ” Application? This application will be able to: • Access your basic account information • Read your posts • See your list of contacts. [Authorize app] [No, thanks]

“XYZ” Application. This application would like to: • Read and manage your files and documents • View your email address. [Accept] [Cancel]

Page 14

OAuth

[Diagram: Thick Client with Embedded Browser; Spark Service; Common Identity (Cisco Spark) with its Access Service and Identity Broker; Customer IdP]

• Client opens the AuthZ URL; redirect to the Authorization Service
• AuthN Request; redirect to the AuthN; the Identity Broker provides the IdP URL for the SAML exchange
• SAML GET / Authentication request to the Customer IdP; Authentication Provided
• SAML POST with uid and IdP cookie; POST SAML Assertion to the Identity Broker
• Identity Broker validates the Assertion and creates the SAML SP cookie
• Redirect to the OAuth Service with the SAML cookie and UID of the user (provides SAML cookie and UID to the OAuth Service)
• Access Service verifies Entitlement and Scope for the user and generates the OAuth Token
• Send back OAuth Token (Access_token)
• Access to the Spark Service

Page 15

Cisco Spark Security

Page 16

The scenario

[Diagram: Spark Clients, Spark Board and Video End Points; Media Nodes; Expressway; Existing Services; Hybrid Calendar Service, Hybrid Call Service, Hybrid Directory Service, Hybrid Media Service]

Page 17

Spark – User Identity Sync and Authentication

[Diagram: Enterprise Active Directory, Directory Sync, Spark Identity Service]

User info can be synchronized to Spark from the Enterprise Active Directory.

Multiple user attributes can be synchronized.

Passwords are not synchronized. The user either 1) creates a Spark password or 2) uses SSO for authentication.

Page 18

Spark – SAML SSO Authentication

[Diagram: Directory Sync, SAML SSO, Identity Service, IdP]

Administrators can configure Spark to work with their existing SSO solution.

Spark supports Identity Providers using SAML 2.0 and OAuth 2.0.

Page 19

Client Connection

[Diagram: Spark Client, Spark Service, Identity Service, IdP]

1) Customer downloads and installs Spark Client (with Trust anchors)
2) Spark Client establishes a secure TLS connection with the Spark Cloud
3) Spark Identity Service prompts for an e-mail ID
4) User authenticated by Spark Identity Service, or the Enterprise IdP (SSO)
5) OAuth Access and Refresh Tokens created and sent to Spark Client
   • The Access Tokens contain details of the Spark resources the User is authorized to access
6) Spark Client presents its Access Tokens to register with Spark Services over a secure channel

Page 20

Spark Device connection

[Diagram: Spark device, Spark Service, Identity Service; sample activation code 1234567890123456]

1) User enters 16 digit activation code received via e-mail from the Spark provisioning service
2) Device authenticated by Identity Service (Trust anchors sent to device and secure connection established)
3) OAuth Access and Refresh Tokens created and sent to Spark Client
   • The Access Tokens contain details of the Spark resources the User is authorized to access
4) Spark Client presents its Access Tokens to register with Spark Services over a secure channel

Page 21

Spark Secure Messages and Content

Page 22

Spark - Encrypting Messages and Content

[Diagram: Spark Clients, Content Server, Key Management Service; messages and files]

Spark Clients request a conversation encryption key from the Key Management Service.

Any messages or files sent by a Client are encrypted before being sent to the Spark Cloud.

Each Spark Room uses a different Conversation Encryption key.

AES256-GCM cipher used for Encryption.

Page 23

Spark - Decrypting Messages and Content

[Diagram: Spark Clients, Content Server, Key Management Service; encrypted messages]

Encrypted messages sent by a Client are stored in the Spark Cloud and also sent on to every other Client in the Spark Room.

The encrypted message also contains a link to the conversation encryption key.

If needed, Spark Clients can retrieve encryption keys from the Key Management Service.

Page 24

Spark Secure Search and Indexing

Page 25

Searching Spark Rooms : Building a Search Index

[Diagram: Indexing Service, Content Server, Key Management Service; the message “Spark IS the message” is hashed word by word by the Hash Algorithm into the tokens B9 57 FE 48]

The Indexing Service: Enables users to search for names and words in the encrypted messages stored in the Content Server.

A Search Index is built by creating a fixed length hash* of each word in each message within a Room.

The hashes for each Spark Room are stored by the Content Service.

* A new (SHA-256 HMAC) hashing key (Search Key) is used for each room

Page 26

Searching Spark Rooms : Querying a Search Index

[Diagram: search for the word “Spark”; the client sends “Spark”, the Indexing Service hashes it to “B9” with the room’s search key, and the Content Server matches it against the stored tokens B9 57 FE 48 for “Spark IS the Message”]

Client sends search request over a secure connection to the Indexing Service.

The Indexing Service uses Per Room Search keys to hash the search terms.

The Content Server searches for a match in its Hash tables and returns matching content to the client.*

* A link to Conversation Encryption Key is sent with encrypted message

Page 27

Spark E-Discovery

Page 28

Spark Compliance Service : E-Discovery

[Diagram: Cloud Collaboration Management Portal, Compliance Service, Indexing Service, Content Server, Key Management Service; Jo Smith’s Content is hashed by the Hash Algorithm to “X1GFT5YY” and looked up]

Administrator selects a group of messages and files to be retrieved for E-Discovery, e.g. based on date range / content type / user(s).

The Indexing Service searches the Content Server for related content.

The Content Server returns matching content to the Compliance Service.

Page 29

Spark Compliance Service : E-Discovery

[Diagram: Compliance Service, Content Server, Key Management Service, E-Discovery Storage, Cloud Collaboration Management Portal; Jo Smith’s Messages and Files, compressed and encrypted; “E-Discovery Content Ready”]

The Compliance Service: Decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service.

The E-Discovery Storage Service: Sends the compressed and encrypted content to the Administrator on request.

Page 30

3rd Party Integrations

Cisco has developed key relationships with leading Cloud Access Security Brokers (CASB), compliance, archival and security vendors to enhance Cisco Spark and deliver key enterprise-grade features:

• Compliance and Archiving: Archive content to comply with retention requirements and enable eDiscovery
• Data Loss Prevention: Apply policies to content, violation alerts, and take remediation actions
• Identity Management: Single Sign-On via SAML, Mobile Device Management (MDM), SCIM user provisioning and deactivation

Page 31

Spark Hybrid Data Security

Page 32

Spark – Hybrid Data Security (HDS)

[Diagram: Secure Data Center running Hybrid Data Security; Spark cloud Content Server, Key Management Service, Compliance Service, Indexing Service]

Hybrid Data Services = On Premise: Key Management Server, Indexing Server, E-Discovery Service

Page 33

Hybrid Data Security traffic and Firewalls

[Diagram: Secure Data Center with the Hybrid Data Security node behind the enterprise Firewall; Spark cloud Content Server, Key Management Service, Compliance Service, Indexing Service]

Hybrid Data Services make outbound connections only, from the Enterprise to the Spark cloud, using HTTPS and Secure WebSockets (WSS).

No special Firewall configuration required.

Page 34

Spark – Hybrid Data Security: Key Management

[Diagram: Secure Data Center with the Hybrid Key Management Server; Spark cloud Content Server and Key Management Service]

The Hybrid Key Management Server performs the same functions as the Cloud based Key Management Server, BUT now all of the keys for messages and content are owned and managed by the Customer.

Page 35

Hybrid Data Security - Scalability

[Diagram: Secure Data Center with several Hybrid Data Security nodes (Key Management Server); Spark cloud Content Server and Key Management Service]

The Hybrid Data Security is managed and upgraded from the cloud.

Customers can access usage information for the HDS Servers via the cloud management portal.

Multiple HDS servers can be provisioned for Scalability & Load Sharing.

Page 36

HDS - Encrypting Messages & Content

[Diagram: Secure Data Center with the Hybrid Key Management Service; Spark cloud Content Server and Key Management Service; messages]

Spark Clients request an encryption key from the Hybrid Key Management Server.

Any messages or files sent by a Client are encrypted before being sent to the Spark Cloud.

Encrypted messages and content are stored in the cloud; Encryption Keys are stored locally.

Page 37

HDS - Decrypting Messages & Content

[Diagram: Secure Data Center with the Hybrid Key Management Service; Spark cloud Content Server and Key Management Service; encrypted messages]

Encrypted messages from Clients are stored in the Spark Cloud.

These messages are sent to every other Client in the Spark Room and contain a link to their encryption key on the Hybrid Key Management Server.

If needed, Spark Clients can retrieve encryption keys from the Hybrid Key Management Server.
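The encrypt/decrypt flow on pages 22-23 and its HDS variant on pages 36-37, as an added example that is not part of the original deck and not Cisco's code: a stand-in Key Management Service issues one AES-256-GCM conversation key per room, a client seals each message with that key, and the envelope that reaches the cloud carries only the ciphertext and a link to the key, which the receiving client follows back to the KMS. The KMS type, the kms:// link form and the binding of the room ID and key link as additional authenticated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// KMS stands in for the Key Management Service (cloud-hosted, or the Hybrid
// KMS in the customer data center). It keeps one 256-bit conversation key
// per room and hands a key out only to a caller presenting that key's link.
// The "kms://" link form is an assumption of this example.
type KMS struct {
	keys map[string][]byte
}

func NewKMS() *KMS { return &KMS{keys: map[string][]byte{}} }

// KeyURLForRoom returns the link to the room's conversation key, generating
// a fresh random AES-256 key the first time the room is seen.
func (k *KMS) KeyURLForRoom(roomID string) (string, error) {
	url := "kms://keys/" + roomID
	if _, ok := k.keys[url]; !ok {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return "", err
		}
		k.keys[url] = key
	}
	return url, nil
}

// Fetch resolves a key link. A client that cannot reach the KMS holding the
// key (here: a KMS that never issued it) cannot decrypt anything.
func (k *KMS) Fetch(url string) ([]byte, error) {
	key, ok := k.keys[url]
	if !ok {
		return nil, errors.New("kms: unknown key link " + url)
	}
	return key, nil
}

// Envelope is all the Spark Cloud stores and relays to the other clients in
// the room: ciphertext plus the link to its key, never the key itself.
type Envelope struct {
	RoomID     string `json:"room"`
	KeyURL     string `json:"key_url"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a message with the room's key using AES-256-GCM. Room ID and
// key link are bound as additional authenticated data (a choice of this
// example): re-pointing a stored envelope at another key or room then fails
// authentication instead of decrypting to garbage.
func Encrypt(kms *KMS, roomID, plaintext string) (Envelope, error) {
	keyURL, err := kms.KeyURLForRoom(roomID)
	if err != nil {
		return Envelope{}, err
	}
	key, err := kms.Fetch(keyURL)
	if err != nil {
		return Envelope{}, err
	}
	g, err := aead(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh 96-bit nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	aad := []byte(roomID + "|" + keyURL)
	ct := g.Seal(nil, nonce, []byte(plaintext), aad)
	return Envelope{RoomID: roomID, KeyURL: keyURL, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt follows the key link inside the envelope to the KMS and opens it.
func Decrypt(kms *KMS, env Envelope) (string, error) {
	key, err := kms.Fetch(env.KeyURL)
	if err != nil {
		return "", err
	}
	g, err := aead(key)
	if err != nil {
		return "", err
	}
	aad := []byte(env.RoomID + "|" + env.KeyURL)
	pt, err := g.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	kms := NewKMS()
	env, err := Encrypt(kms, "room-42", "Spark IS the message") // constructed sample
	if err != nil {
		panic(err)
	}
	stored, _ := json.Marshal(env) // what the cloud content store sees
	fmt.Println(string(stored))
	fmt.Println(Decrypt(kms, env))
}
```

Two properties worth checking against this model: a second room never shares a key with the first, and an envelope whose key link is re-pointed at another room's key fails GCM authentication rather than yielding plaintext, which is what makes "the key is owned by the customer" meaningful when the cloud holds only envelopes.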

Page 38

Hybrid Data Security: Search Indexing Service

[Diagram: Secure Data Center with the Hybrid Indexing Service; Spark cloud Content Server and Key Management Service; the message “Spark IS the message” is hashed word by word by the Hash Algorithm into the tokens B9 57 FE 48]

The Indexing Service: Enables users to search for names and words in the encrypted messages stored in the Content Server.

* A new hashing key (Search Key) is used for each room

Page 39

Hybrid Data Security: Querying a Search Index

[Diagram: search for the word “Spark”; the Indexing Service hashes it to “B9” and the Content Server matches it against the stored tokens B9 57 FE 48 for “Spark IS the Message”]

Client sends its search request over a secure connection to the Indexing Service.

* A link to Conversation Encryption Key is sent with the encrypted message
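The index build and query described on pages 25-26 and repeated for the hybrid Indexing Service on pages 38-39, as an added example that is not part of the original deck and not Cisco's code: each room gets its own HMAC-SHA256 search key, every word of every message is replaced by its keyed hash, the resulting table maps tokens to message IDs, and a query is answered by hashing the search term with the same per-room key. The 32-byte key length, the lower-casing of words and the token -> message-ID table shape are assumptions of this example; the deck abbreviates tokens to one byte (“B9”) for the picture, while this code keeps the full MAC.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// SearchKey is the per-room search key: a new HMAC-SHA256 key for each room,
// as the slides state. The 32-byte length is an assumption of this example.
type SearchKey []byte

func NewSearchKey() (SearchKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// HashWord maps one word to a fixed-length token under the room's key, so the
// same word yields different tokens in different rooms. Words are lower-cased
// first so that "Spark" and "spark" index and query alike (an assumption).
func HashWord(key SearchKey, word string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(word)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Index is the hash table the Content Server keeps for one room:
// token -> IDs of the messages containing that word. No plaintext is in it.
type Index map[string][]string

// BuildIndex is the Indexing Service side: given the room's search key and the
// message texts it is allowed to see (ID -> text), it emits the token table.
func BuildIndex(key SearchKey, messages map[string]string) Index {
	idx := Index{}
	ids := make([]string, 0, len(messages))
	for id := range messages {
		ids = append(ids, id)
	}
	sort.Strings(ids) // deterministic posting-list order
	for _, id := range ids {
		seen := map[string]bool{}
		for _, w := range strings.Fields(messages[id]) {
			tok := HashWord(key, w)
			if !seen[tok] { // one posting per message per word
				seen[tok] = true
				idx[tok] = append(idx[tok], id)
			}
		}
	}
	return idx
}

// Query is the search path: the term is hashed with the same per-room key and
// matched against the table. A caller holding another room's key gets no hits.
func (idx Index) Query(key SearchKey, term string) []string {
	return idx[HashWord(key, term)]
}

func main() {
	key, err := NewSearchKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample room contents.
	msgs := map[string]string{
		"m1": "Spark IS the message",
		"m2": "searching encrypted spark rooms",
		"m3": "nothing relevant here",
	}
	idx := BuildIndex(key, msgs)
	fmt.Println("index holds", len(idx), "tokens, e.g.", HashWord(key, "Spark")[:8])
	fmt.Println("hits for \"Spark\":", idx.Query(key, "Spark"))
}
```

The point the slides make, that the Content Server stores hashes rather than words, shows up as two checks: the same term hashed under another room's key matches nothing, and no token in the table equals any plaintext word, so a party with the table but without the room's search key cannot run a dictionary against it.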

Page 40

Spark Compliance Service : E-Discovery

[Diagram: Secure Data Center with the Hybrid Indexing Service, Key Management Service and Compliance Service; Cloud Collaboration Management Portal; Spark cloud Content Server; Jo Smith’s Content is hashed by the Hash Algorithm to “X1GFT5YY” and looked up]

Admin selects a group of messages and files to be retrieved for E-Discovery, e.g. based on date range / content type / user(s).

The Indexing Service searches the Content Server for selected content.

The Content Server returns matching content to the Compliance Service.

Page 41

Spark Compliance Service : E-Discovery

[Diagram: Secure Data Center with the Hybrid Key Management Service, Compliance Service and E-Discovery Storage; Cloud Collaboration Management Portal; Spark cloud Content Server; Jo Smith’s Messages and Files, compressed and encrypted; “E-Discovery Content Ready”]

The Compliance Service: Decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service.

E-Discovery Storage Service: Sends the compressed and encrypted content to the Administrator on request.

Page 42

Key Management Server Federation

Page 43

HDS: Key Management Server Federation

[Diagram: Enterprise A and Enterprise B, each with its own Hybrid Key Management Service; Spark cloud Content Server and Key Management Service]

Hybrid Key Management Servers in different Enterprises establish a Mutual TLS* connection via the Spark Cloud.

Hybrid Key Management Servers make outbound connections only: HTTPS, Web Socket Secure (WSS).

* All connections to and within the Spark Cloud use ECDH to generate symmetric Encryption Keys

Page 44

HDS: Key Management Server Federation

[Diagram: Enterprise A and Enterprise B, each with its own Hybrid Key Management Service; Spark cloud Content Server and Key Management Service]

With a secure connection between Hybrid KMSs… Users can be added to rooms created by each Enterprise.

Mutually Authenticated Hybrid KMSs can request Room Encryption Keys from one another on behalf of their Users.

Page 45

Cloud Collaboration Network Security

Page 46

Cloud Collaboration Network Security Primer

• VLANs
  • Switch Port VLAN configuration and device requirements
• Firewalls
  • Whitelists for Spark clients, devices and Services
  • Media support – UDP/TCP/HTTP
• HTTP Proxies
  • Proxy Types and Proxy Detection
  • Proxy Authentication Methods (Basic/Digest/NTLM/Negotiate/Kerberos), Auth Bypass
  • Proxy TLS/HTTPS traffic inspection – Certificate Pinning
• 802.1X – Authentication Methods EAP-FAST/EAP-TLS, MAC Address Bypass

Page 47

Cisco Spark Cloud Access: Enterprise VLANs

Page 48

Connecting from the Enterprise - VLANs

Minimum Enterprise Network Requirements:
• Internet Access
• DHCP, DNS server access
• Internal TCP connectivity and ICMP to devices for support

How are the switch ports configured?
• Single static untagged VLAN?
• Dynamic VLAN assignment based on CDP/LLDP TLV values?
• Multiple static VLANs (e.g. Data VLAN & Aux VLAN)? – 802.1Q VLAN tagging required for the Auxiliary VLAN

Page 49

Network Capabilities Spark Devices – CDP/LLDP, 802.1Q

| Spark Device | Protocol | Software Train | CDP/LLDP | 802.1Q | Ethernet PC Port | Granular Configuration |
| Windows, Mac, iOS, Android, Web | HTTPS | WME | No/No | N/A | N/A | Static Untagged (Data) VLAN |
| DX | HTTPS | Room OS | Yes/No | Yes | Yes | Dynamic VLAN assignment, 802.1Q Tagging, Connected PC supported |
| Room Kit, MX, SX | HTTPS | Room OS | Yes/No | Yes | No | Dynamic VLAN assignment, 802.1Q Tagging |
| Spark Board | HTTPS | Spark Board OS | Yes/No | Yes | No | Dynamic VLAN assignment, 802.1Q Tagging |

Page 50

Connecting from the Enterprise - Firewalls

[Diagram: Signalling and Media from the enterprise through the firewall to the Spark Cloud]

Whitelisted Ports and Destinations:
• Spark Call (7800, 8800 Phones)
• Spark Desk and Room Devices
• Spark Clients
• See following slides for details

Media Port Ranges:
• Source UDP Ports: Voice 52000 - 52099, Video 52100 - 52299
• Source TCP/HTTP Ports: Ephemeral (=> No DSCP re-marking)
• Destination UDP/TCP/HTTP Port: 5004, 5006
• Destination IP Addresses: Any

Page 51

Voice and Video Classification and Marking: Port Range Summary – Endpoints and Clients

| Media | Spark Soft Clients | Spark Devices |
| Audio: 52000-52099 | 52000 - 52049 | 52050 - 52099 |
| Video: 52100-52299 | 52100 - 52199 | 52200 - 52299 |

Page 52

Spark Apps : Network Port and Whitelist Requirements

Spark applications: Windows, Mac, iOS, Android, Web

| Protocol | Source Ports | Destination Ports | Destination | Function |
| UDP | Voice 52000 – 52049, Video 52100 – 52199 (Exception - Windows (OS Firewall issue): Ephemeral source ports used today, fix due by Q3 CY '17) | 5004 & 5006 | Any IP Address | SRTP over UDP to Spark Cloud Media Nodes |
| TCP | Ephemeral | 5004 & 5006 | Any IP Address | SRTP over TCP or HTTP to Spark Cloud Media Nodes |
| TCP | Ephemeral | 443 | see list below | HTTPS |

HTTPS (TCP 443) destinations and their function:
• identity.webex.com – Spark Identity Service
• idbroker.webex.com – OAuth Service
• *.wbx2.com – Core Spark Services
• *.webex.com – Identity management
• *.ciscospark.com – Core Spark Services
• *.clouddrive.com – Content and Space Storage
• *.rackcdn.com – Content and Space Storage
• *.crashlytics.com – Anonymous crash data
• *.mixpanel.com – Anonymous Analytics
• *.appsflyer.com – Mobile Clients only - Ad Analytics
• *.adobetm.com – Web Clients only - Analytics
• *.omtrdc.net – Web Clients only - Telemetry
• *.optimizely.com – Web Clients only - Metrics

Page 53

Spark Devices : Network Port and Whitelist Requirements

Desktop and Room Systems: SX Series, DX Series, MX Series, Room Kits, Spark Boards*

| Protocol | Source Ports | Destination Ports | Destination | Function |
| UDP | Voice 52050 – 52099, Video 52200 – 52299 (EFT Today, GA Q3 CY '17) | 5004 & 5006 | Any IP Address | SRTP over UDP to Spark Cloud Media Nodes |
| TCP | Ephemeral | 5004 & 5006 | Any IP Address | SRTP over TCP or HTTP to Spark Cloud Media Nodes* (Not Spark Board) |
| TCP | Ephemeral | 443 | see list below | HTTPS |

HTTPS (TCP 443) destinations and their function:
• identity.webex.com – Spark Identity Service
• idbroker.webex.com – OAuth Service
• *.wbx2.com – Core Spark Services
• *.webex.com – Identity management
• *.ciscospark.com – Core Spark Services
• *.clouddrive.com – Content and Space Storage
• *.rackcdn.com – Content and Space Storage
• *.crashlytics.com – Anonymous crash data
• *.mixpanel.com – Anonymous Analytics
• *dropboxusercontent.com – *Spark Board (firmware updates)

Page 54

Connecting from the Enterprise - Firewalls

[Diagram: Signalling and Media from the Hybrid Media Node through the enterprise firewall to the Spark Cloud]

Hybrid Media Node (HMN):
• Can be used to limit source IP address range to HMNs only
• Hybrid Media Node Source UDP ports for voice and video are different to those used by endpoints – Used for cascade links to the Spark Cloud
• Voice and Video use a common UDP source port range: 33434 - 33598

Media Port Ranges:
• Source UDP Ports: Voice and Video 33434 - 33598
• Source TCP/HTTP Ports: Ephemeral (=> No DSCP re-marking)
• Destination UDP/TCP/HTTP Port: 5004
• Destination IP Addresses: Any

Page 55

Connecting from the Enterprise - Firewalls

[Diagram: Hybrid Data Services node; Signalling only through the enterprise firewall to the Spark Cloud, no Media]

Hybrid Data Security Node (HDS):
• Key Management Service
• Indexing (Search) Service
• E-Discovery Service

Hybrid Data Services:
• HDS Signaling Traffic Only
• Outbound HTTPS and WSS Signaling Only

Page 56

HMN & HDS Nodes: Network Port & Whitelist Requirements

| Spark Device | Protocol | Source Ports | Destination Ports | Destination | Function |
| Hybrid Media Node (HMN) | UDP | Voice and Video use a common UDP source port range: 33434 - 33598 | 5004 | Cascade Destination: Any IP Address | Cascaded SRTP over UDP Media Streams to Cloud Media Nodes |
| Hybrid Media Node (HMN) | TCP | Ephemeral | 5004 | Cascade Destination: Any IP Address | Cascaded SRTP over TCP/HTTP Media Streams to Cloud Media Nodes |
| Hybrid Media Node (HMN) | TCP | Ephemeral | 123, 53, 444 | Any | NTP, DNS, HTTPS |
| Hybrid Media Node (HMN) | TCP | Ephemeral | 443 | *wbx2.com, *idbroker.webex.com | HTTPS Configuration Services |
| Hybrid Data Security Node (HDS) | TCP | Ephemeral | 443 | *.wbx2.com, idbroker.webex.com, identity.webex.com, index.docker.io | Outbound HTTPS and WSS |

Page 57

What do we send to Third Party sites?

| Site | Clients that Access It | What is sent there | User PII? | Anonymized Usage info? | Encrypted User Generated Content |
| *.clouddrive.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing. Part of Rackspace content system. | N | N | Y |
| *.rackcdn.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing. Part of Rackspace content system. | N | N | Y |
| *.mixpanel.com | Win, Mac, iOS, Android, Web | Anonymous usage data | N | Y | N |
| *.appsflyer.com | iOS, Android | Anonymous usage data related to onboarding | N | Y | N |
| *.adobedtm.com | Web | Anonymous usage data | N | Y | N |
| *.omtrdc.net | Web | Anonymous usage data | N | Y | N |
| *.optimizely.com | Web | Anonymous usage data for AB testing | N | Y | N |

Page 58

Cisco Spark Cloud Access: Enterprise Proxies

Page 59

Connecting from the Enterprise - Proxy Types

[Diagram: Signalling sent to the Proxy server; UDP Media goes directly through the firewall]

Proxy Types:
• Proxy Address given to Device/Application
• Transparent Proxy (Device/Application is unaware of Proxy existence)
• In Line Proxies (e.g. Combined Proxy and Firewall)
• Traffic Redirection (e.g. Using Cisco WCCP)

HTTP/HTTPS traffic only is sent to the Proxy server, e.g. Destination ports 80, 443, 8080, 8443

Page 60

Connecting from the Enterprise – Proxy Detection

[Diagram: Proxy Address or PAC file delivered to each device; Signalling to the proxy, UDP Media direct]

• Proxy Detection (Proxy Address given to Device/Application)
  • Manual Configuration
  • Auto Configuration (Proxy Auto Conf (PAC) files)

Page 61: Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Explained

© 2016 Cisco and/or its affiliates. All rights reserved. 61

Network Capabilities Spark Devices – Proxy Detection

Spark Device                    | Protocol | Software Train | Proxy Detection              | Granular Configuration
--------------------------------|----------|----------------|------------------------------|-------------------------------------------------------------------
Windows, Mac, iOS, Android, Web | HTTPS    | WME            | Yes: Manual; Yes: PAC Files  | Manually Configure Proxy Address or Use PAC files (or Windows GPO)
DX                              | HTTPS    | Room OS        | Yes: Manual using Web access | Configure Proxy Address via device Web interface
SX                              | HTTPS    | Room OS        | Yes: Manual using Web access | Configure Proxy Address via device Web interface
MX                              | HTTPS    | Room OS        | Yes: Manual using Web access | Configure Proxy Address via device Web interface
Room Kits                       | HTTPS    | Room OS        | Yes: Manual using Web access | Configure Proxy Address via device Web interface
Spark Board                     | HTTPS    | Spark Board OS | Yes: Manual Configuration    | Manual Configuration of Proxy Address

Page 62

Connecting from the Enterprise – Proxy Authentication

• Proxy Authentication
  • Proxy intercepts outbound HTTP request
  • Authenticates the User (Username & Password)
  • Authenticated User’s traffic forwarded
  • Unauthenticated User’s traffic dropped/blocked

Proxy Authentication is not mandatory; many Enterprises do no authentication.

Page 63

Common Proxy Authentication Methods

• Basic Authentication
• Digest Authentication
• NTLMv2 Authentication
• Negotiate Authentication
• Kerberos

Page 64

Proxy Authentication Methods – Basic Authentication

• Basic Authentication
  • Uses standard HTTP Headers
  • Username and Password Base64 encoded
  • Username and Password are NOT encrypted or hashed
• Basic Username and Password challenge for devices
  • i.e. Devices are not Users (no human interaction)
  • Create one account (e.g. LDAP account) for all devices
  • Create an account per device
  • No Password Expiration

Page 65

Proxy Authentication Methods – Digest Authentication

• Digest Authentication
  • Uses standard HTTP Headers
  • Username and Password are not sent
  • A Hash of the Username and Password is sent instead
• Basic Username and Password challenge for devices
  • i.e. Devices are not Users (no human interaction)
  • Create one account (e.g. LDAP account) for all devices
  • Or create an account per device
  • No Password Expiration
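As an added example (not code from the slides or from Cisco), the following Go program builds the Proxy-Authorization header a device would send under Basic and under Digest authentication, making the difference described on the Basic and Digest slides concrete: the Basic header is only Base64 of user:password, while the Digest header carries an MD5 hash computed from the proxy's nonce (RFC 2617, qop=auth) and never the password itself. The device account name, realm, nonce and cnonce values are constructed.

```go
package main

import (
	"crypto/md5"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// BasicProxyAuthorization builds the Proxy-Authorization header for Basic
// authentication: "user:password" Base64 encoded, not encrypted or hashed,
// so anyone who can read the header can decode the device credentials.
func BasicProxyAuthorization(user, password string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+password))
}

// md5Hex is the RFC 2617 H() function: lowercase hex MD5 of s.
func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// DigestResponse computes the RFC 2617 response value with qop=auth:
// H( H(user:realm:password) : nonce : nc : cnonce : auth : H(method:uri) ).
// Only this hash leaves the client; the password itself is never sent.
func DigestResponse(user, realm, password, method, uri, nonce, nc, cnonce string) string {
	ha1 := md5Hex(user + ":" + realm + ":" + password)
	ha2 := md5Hex(method + ":" + uri)
	return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2)
}

// DigestProxyAuthorization builds the Proxy-Authorization header for Digest
// authentication from the proxy's challenge (realm, nonce) and client values.
func DigestProxyAuthorization(user, realm, password, method, uri, nonce, nc, cnonce string) string {
	resp := DigestResponse(user, realm, password, method, uri, nonce, nc, cnonce)
	return fmt.Sprintf(`Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, nc=%s, cnonce="%s", response="%s"`,
		user, realm, nonce, uri, nc, cnonce, resp)
}

func main() {
	// Constructed sample values: a shared device account and a proxy challenge.
	user, pass, realm := "spark-device", "device-secret", "Enterprise Proxy"
	fmt.Println(BasicProxyAuthorization(user, pass))
	fmt.Println(DigestProxyAuthorization(user, realm, pass, "CONNECT",
		"identity.webex.com:443", "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"))
}
```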

Page 66

Proxy Authentication Methods – NTLMv2 (Windows Only)

• NT LAN Manager (NTLM) Authentication
  • Microsoft Challenge/Response AuthN. protocol
  • Username sent in plain text
  • Challenge/Nonce sent from the server
  • Password hash used to encrypt the challenge and return it to the server
  • Password hashed but not sent
• Windows based Username and Password challenge for devices
  • i.e. Devices are not Users (no human interaction)
  • Create one account (AD account) for all devices
  • Or create an account per device
  • No Password Expiration

Page 67

Proxy Authentication Methods – Negotiate/IWA (Windows Only)

• Negotiate Authentication
  • Microsoft implementation of SPNEGO – Simple and Protected GSSAPI Negotiation Mechanism (Generic Security Service API)
  • Negotiates the use of either:
    • Kerberos, or fallback to
    • NTLM
• Windows based Username and Password challenge for devices
  • i.e. Devices are not Users (no human interaction)
  • Create one account (AD account) for all devices
  • Or create an account per device
  • No Password Expiration

IWA - Integrated Windows Access

Page 68

Proxy Authentication Methods – Kerberos

• Kerberos Authentication
  • Strongest Security
  • Client, Authentication Key Distribution Service, Ticket Granting Service, Application Server
  • Encrypted communication based on shared Secrets
  • Client authenticates with the Authentication service
  • Once authenticated, receives a Ticket Granting Ticket (TGT)
  • Client requests access to a service (e.g. the Proxy) by presenting the TGT to the Ticket Granting Service – the TGS authenticates the client and returns an encrypted Service Ticket
  • The Client presents the Service Ticket to the Proxy, which validates the user (using the shared secret)
  • HTTPS connection proceeds

Page 69

Proxy Authentication Bypass Methods

Manually Configure Proxy Server with:
• Device IP Address
• Whitelisted Destinations (e.g. *.ciscospark.com)

[Diagram: devices with IP Addresses 10.100.200.1 and 10.100.200.3 reaching the whitelisted destinations identity.webex.com, idbroker.webex.com, *.wbx2.com, *.webex.com, *.ciscospark.com, *.clouddrive.com, *.crashlytics.com, *.mixpanel.com, *.rackcdn.com]

Page 70

Network Capabilities Spark Devices – Proxy Authentication

Spark Device                    | Protocol | Software Train | Proxy Authentication                                        | Granular Configuration
--------------------------------|----------|----------------|-------------------------------------------------------------|-------------------------------------------------------------------------------------------
Windows, Mac, iOS, Android, Web | HTTPS    | WME            | Basic - No; Digest - No; NTLM - Yes (Windows); Kerberos - No | Windows Only Today. Other OSs use Authentication Bypass (Basic/Digest/Kerberos – Planned)
DX                              | HTTPS    | Room OS        | Yes: Basic Auth – Web based Config; Digest Auth - planned   | Configure Username and Password for Proxy Authentication (Basic Auth)
SX                              | HTTPS    | Room OS        | Yes: Basic Auth – Web based Config; Digest Auth - planned   | Configure Username and Password for Proxy Authentication (Basic Auth)
MX                              | HTTPS    | Room OS        | Yes: Basic Auth – Web based Config; Digest Auth - planned   | Configure Username and Password for Proxy Authentication (Basic Auth)
Room Kits                       | HTTPS    | Room OS        | Yes: Basic Auth – Web based Config; Digest Auth - planned   | Configure Username and Password for Proxy Authentication (Basic Auth)
Spark Board                     | HTTPS    | Spark Board OS | Yes: Basic Auth - Manual Configuration                      | Configure Username and Password for Proxy Authentication (Basic Auth)

Page 71

Proxy TLS/HTTPS Inspection – Non Spark Apps (1)

• HTTPS/TLS Inspection
  • Private CA signed Certificate sent to client on connection establishment
  • Client compares Private CA Root Cert with those received in Cert Chain
  • If they match – accept and proceed with the TLS connection

[Diagram: Private CA Root Certificate sent to client]

Page 72

Proxy TLS/HTTPS Inspection – Non Spark Apps (2)

• HTTPS/TLS Inspection
  • Proxy starts new HTTPS/TLS connection to Web/Cloud Service
  • Proxy receives Certificate from Web/Cloud Service
  • Proxy uses the Certificate to establish Secure TLS/HTTPS connection
  • Proxy can now Decrypt, Inspect and Re-Encrypt session traffic

Page 73

HTTP Proxy - No HTTPS Inspection – Spark Certificate Pinning

• Certificate Pinning
  • CA signed Cisco Spark Certificate sent by HTTPS/TLS server
  • Client creates a hash of the Cert’s Public Key
  • Client compares the hash with the Certificate Pin in its Trust Store
  • If they match – accept and proceed with the TLS connection

Certificate Pin = SHA 256 Hash of CA Root Certificate Public Key
VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=

Page 74

Proxy - HTTPS Inspection – Spark Certificate Pinning

• Certificate Pinning
  • Proxy sends Private CA signed Certificate during HTTPS/TLS set up
  • Client creates a hash of the Private CA signed Cert’s Public Key
  • Client compares the hash with the Certificate Pin in its Trust Store
  • They DO NOT Match: TLS connection terminated

Certificate Pin = SHA 256 Hash of CA Root Certificate Public Key
VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=

Page 75

HTTPS Inspection – Spark Devices Cert. Pinning Fix

• Certificate Pinning
  • Private CA Cert copied to Spark Cloud
  • Proxy sends Private CA signed Certificate during HTTPS/TLS set up
  • Client creates a hash of the Private CA signed Cert’s Public Key
  • Client compares the hash with the Certificate Pin in its Trust Store
  • They DO Match: Proceed with TLS connection
  • HTTPS/TLS Inspection possible

Certificate Pin = SHA 256 Hash of Private CA Root Certificate Public Key
VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=

Page 76

HTTPS Inspection – Spark Clients Cert. Pinning Fix

• Certificate Pinning
  • Private CA Cert copied to Client OS Trust Store
  • Proxy sends Private CA signed Certificate during HTTPS/TLS set up
  • Spark App checks to see if a copy of the Private CA Cert exists in the OS Trust Store
  • If the Cert exists – skip Certificate pinning process
  • Proceed with TLS connection
  • HTTPS/TLS Inspection possible

Certificate Pin = SHA 256 Hash of Spark CA Root Certificate Public Key
VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=
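As an added example (not Cisco's or the Spark client's own code), the following Go program models the client-side pinning decision from the four Certificate Pinning slides above: it computes the pin exactly as the slides define it (Base64 of the SHA-256 of the CA root certificate's public key), shows the plain pin check terminating the connection when a proxy's private CA root is presented, and shows the client fix accepting that root once a copy of it exists in the OS trust store. The two CA certificates are generated locally as constructed test data; the function and parameter names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// NewRootCA returns a constructed self-signed CA certificate (test data only).
func NewRootCA(name string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Pin is the Certificate Pin as the slides define it: Base64 of the SHA-256
// hash of the CA root certificate's public key (its SubjectPublicKeyInfo DER).
func Pin(root *x509.Certificate) string {
	sum := sha256.Sum256(root.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// AcceptChain is the client's decision for the root of a presented chain: the pin
// check is skipped only if skipPinIfOSTrusted and a copy of the root is in osTrust.
func AcceptChain(root *x509.Certificate, pin string, osTrust []*x509.Certificate, skipPinIfOSTrusted bool) bool {
	for _, c := range osTrust {
		if skipPinIfOSTrusted && c.Equal(root) {
			return true // the slide-76 fix: enterprise CA present, pinning bypassed
		}
	}
	return Pin(root) == pin // plain pinning: a private CA root never matches
}

func main() {
	spark, private := NewRootCA("Spark CA"), NewRootCA("Enterprise Private CA")
	pin := Pin(spark) // the value the client carries in its own trust store
	fmt.Println(AcceptChain(spark, pin, nil, false), AcceptChain(private, pin, nil, true),
		AcceptChain(private, pin, []*x509.Certificate{private}, true)) // true false true
}
```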

Page 77

Network Capabilities Spark Devices – HTTPS Inspection

Spark Device      | Protocol | Software Train | Supports TLS/HTTPS Inspection                     | Cert Validation Method
------------------|----------|----------------|---------------------------------------------------|------------------------------------------------------------------------------
Windows, Mac, Web | HTTPS    | WME            | Yes: Win/Mac/Browser                              | If Enterprise Certificate exists, then bypass Certificate Pinning process
iOS, Android      | HTTPS    | WME            | No: iOS, Android                                  | HTTPS Inspection By-Pass
DX                | HTTPS    | Room OS        | Yes – Requires Per Org Config of Identity Service | Load Private CA Certs in Spark Service; Download Trust List with Private Certs
SX                | HTTPS    | Room OS        | Yes – Requires Per Org Config of Identity Service | Load Private CA Certs in Spark Service; Download Trust List with Private Certs
MX                | HTTPS    | Room OS        | Yes – Requires Per Org Config of Identity Service | Load Private CA Certs in Spark Service; Download Trust List with Private Certs
Room Kits         | HTTPS    | Room OS        | Yes – Requires Per Org Config of Identity Service | Load Private CA Certs in Spark Service; Download Trust List with Private Certs
Spark Board       | HTTPS    | Spark Board OS | No (Planned Q3 CY '17)                            | HTTPS Inspection By-Pass

Page 78

Cisco Spark Cloud Access – Network Access Control 802.1X

Page 79

Connecting from the Enterprise – 802.1X

802.1X Operation
• Switch port network access restricted
• Client presents credentials to Authentication Server
• After successful Authentication – switch port configured for the Device e.g. VLAN(s), ACLs

[Diagram: client, switch and Authentication Server]

Page 80

802.1X Network Authentication Methods

802.1X Network Authentication Methods:
• There are many options…
• Two key Authentication methods:
  • EAP-FAST
  • EAP-TLS

[Diagram: client presenting Username/Password to the Authentication Server]

Page 81

802.1X Network Authentication: EAP-FAST

802.1X Extensible Authentication Protocol - FAST
• Flexible Authentication via Secure Tunneling
• Username and Password based
• Does not require Certificates

[Diagram: Username/Password exchanged between client and Authentication Server]

Page 82

802.1X Network Authentication: EAP-TLS

802.1X Extensible Authentication Protocol - TLS
• Transport Layer Security
• Requires Digital Certificates
• Mutual Client - Server Authentication

[Diagram: client and Authentication Server]

Page 83

802.1X Fallback - MAC Address Bypass (MAB)

Bypasses 802.1X Authentication Mechanisms
• Uses the Device MAC Address
• Commonly used for Non 802.1X capable devices
• MAC address manually entered into Auth. Server

[Diagram: Phone 1 with MAC AA:BB:CC:11:22:33 registered on the Authentication Server]

Page 84

Network Capabilities Spark Devices – 802.1X

Spark Device                    | Protocol | Software Train | EAP-FAST                 | EAP-TLS                  | MIC     | Non CUCM LSC           | Certificate Installation Capability | Granular Configuration
--------------------------------|----------|----------------|--------------------------|--------------------------|---------|------------------------|-------------------------------------|------------------------------------------------------------------
Windows, Mac, iOS, Android, Web | HTTPS    | WME            | Wi-Fi - Yes; Wired - Yes | Wi-Fi - Yes; Wired - Yes | N/A     | Yes                    | Yes                                 | Manually Install LSC (Windows GPO, Mac – Configuration Profiles)
DX                              | HTTPS    | Room OS        | Wi-Fi - Yes; Wired - Yes | Wi-Fi - Yes; Wired - Yes | 2H CY17 | Yes                    | Yes                                 | Web Based: Install Enterprise LSC via device Web Interface
SX                              | HTTPS    | Room OS        | Wired - Yes              | Wired - Yes              | No      | Yes                    | Yes                                 | Web Based: Install Enterprise LSC via device Web Interface
MX                              | HTTPS    | Room OS        | Wired - Yes              | Wired - Yes              | No      | Yes                    | Yes                                 | Web Based: Install Enterprise LSC via device Web Interface
Room Kits                       | HTTPS    | Room OS        | Wi-Fi - Yes; Wired - Yes | Wi-Fi - Yes; Wired - Yes | Yes     | Yes                    | Yes                                 | Web Based: Install Enterprise LSC via device Web Interface
Spark Board                     | HTTPS    | Spark Board OS | No (Planned Q3 CY '17)   | No (Planned Q3 CY '17)   | No      | No (Planned Q3 CY '17) |                                     | Use MAC Address By-Pass

Page 85

Thank you.