© 2016 Cisco and/or its affiliates. All rights reserved. 1
Cisco Connect
Cloud and On-Premises Collaboration Security Explained
Joseph Bassaly, Architect
Oct 12th 2017
What will we cover today?
• Cisco Collaboration Elements
• Managing Identity
• Cisco Spark Security and Compliance
• Cisco Spark Network Security
Continuous Workstreams

Messaging, Call Control, Meetings: a seamless collaboration experience that links on-premises assets to the cloud.
Cisco Spark
Hybrid Collaboration: the on-premises assets linked to the Spark cloud

• Hybrid Call Service: Cisco Call Control, Cisco Expressway and the Call Connector
• Hybrid Calendar Service: Calendar Connector
• Hybrid Directory Service: Directory Connector
• Hybrid Media Service: on-premises Media Nodes
Managing Identity
Identity Framework

IdP: Identity Provider. RP: Relying Party. The third party is the set of Users.
The IdP and the RP are bound by an explicit initial trust agreement.
Authentication and Authorization (AuthN and AuthZ)

Authentication: when you enter a hotel and walk up to reception, the receptionist authenticates you by checking your passport.

Authorization: after authentication has taken place, the receptionist gives you a room key. Your room key is your authorization token to enter your room and any other resource that you are entitled to in the hotel. You do not need your passport to enter your room; the room key authorizes you to enter your room only, and not any other rooms. The room key (authorization token) does not identify the holder of the key/token.

Authentication verifies that "you are who you say you are".
Authorization verifies that "you are permitted to do what you are trying to do".
Authentication and Authorization (SAML and OAuth)

In the Spark identity model the two concerns are handled by two protocols: SAML carries authentication between the client and the IdP, and OAuth carries authorization between the client and the Services.
SAML 2.0 cookies to prevent re-authentication: first login

Parties: Cisco Jabber (the client), CUCM (the service provider being accessed) and the Identity Provider; WebEx MC and Unity Connection are further service providers that trust the same IdP.

1. Jabber sends a resource request to CUCM.
2. CUCM redirects Jabber with a SAML authentication request.
3. Jabber sends a GET with the SAML authentication request to the IdP.
4. The IdP authenticates the user with the authentication method defined by the IdP.
5. The IdP returns the signed response in a hidden HTML form, together with an IdP cookie.
6. Jabber POSTs the signed response to CUCM.
7. CUCM supplies the resource together with a CUCM cookie.
SAML 2.0 cookies to prevent re-authentication: next login while the IdP cookie is valid

1. Jabber sends a resource request to a service (CUCM, or another SAML service provider such as WebEx MC or Unity Connection).
2. The service redirects Jabber with a SAML authentication request.
3. Jabber sends a GET with the SAML authentication request to the IdP, presenting the IdP cookie. No authentication is needed since the IdP cookie is valid.
4. The IdP returns the signed response in a hidden HTML form.
5. Jabber POSTs the signed response to the service.
6. The service supplies the resource together with its own cookie (e.g. a WebEx cookie).
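The two exchanges above, modelled end to end in Go. This is an added example, not code from the presentation or from Cisco: an HMAC over the response fields stands in for the XML signature a real IdP applies, and the user directory, signing key, entity IDs and five-minute assertion lifetime are assumptions. The service-provider checks (signature, audience, InResponseTo, NotOnOrAfter, single use of each request ID) are the ones a SAML SP must make before trusting a POSTed response.

```go
// Added example (not Cisco's code); the HMAC stands in for XML-DSig, and names, users, keys and lifetimes are assumptions.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Response is the signed SAML response carried in the hidden HTML form.
type Response struct {
	InResponseTo, Audience, Subject, Signature string
	NotOnOrAfter                               time.Time
}

func (r Response) payload() string {
	return r.InResponseTo + "|" + r.Audience + "|" + r.Subject + "|" + r.NotOnOrAfter.UTC().Format(time.RFC3339)
}

func sign(key []byte, msg string) string { m := hmac.New(sha256.New, key); m.Write([]byte(msg)); return hex.EncodeToString(m.Sum(nil)) }

func randomID() string { b := make([]byte, 16); rand.Read(b); return hex.EncodeToString(b) }

// IdP authenticates a user once, then recognises the browser by its IdP cookie.
type IdP struct {
	Key      []byte
	Users    map[string]string // username -> password (assumed directory)
	Sessions map[string]string // IdP cookie -> username
}

// Authn answers the GET carrying the AuthnRequest (steps 3-5): a valid IdP cookie
// skips the credential check. It returns the signed response and the IdP cookie.
func (i *IdP) Authn(reqID, audience, idpCookie, user, pass string) (Response, string, error) {
	subject, ok := i.Sessions[idpCookie]
	if !ok {
		if p, exists := i.Users[user]; !exists || p != pass {
			return Response{}, "", errors.New("authentication failed")
		}
		subject, idpCookie = user, randomID()
		i.Sessions[idpCookie] = subject
	}
	r := Response{InResponseTo: reqID, Audience: audience, Subject: subject, NotOnOrAfter: time.Now().Add(5 * time.Minute)}
	r.Signature = sign(i.Key, r.payload())
	return r, idpCookie, nil
}

// SP is a SAML service provider (CUCM, WebEx MC, Unity Connection) trusting the IdP key.
type SP struct {
	EntityID string
	IdPKey   []byte
	Pending  map[string]bool // outstanding AuthnRequest IDs
}

// AuthnRequest (steps 1-2): the redirect carries a fresh request ID.
func (s *SP) AuthnRequest() string {
	id := randomID()
	s.Pending[id] = true
	return id
}

// Consume (steps 6-7): validate the POSTed response; the subject is then bound to the SP's own cookie.
func (s *SP) Consume(r Response, now time.Time) (string, error) {
	switch {
	case !hmac.Equal([]byte(sign(s.IdPKey, r.payload())), []byte(r.Signature)):
		return "", errors.New("bad signature")
	case r.Audience != s.EntityID:
		return "", errors.New("wrong audience")
	case !s.Pending[r.InResponseTo]:
		return "", errors.New("unsolicited or replayed response")
	case !now.Before(r.NotOnOrAfter):
		return "", errors.New("assertion expired")
	}
	delete(s.Pending, r.InResponseTo) // each AuthnRequest is answered once
	return r.Subject, nil
}

// Login runs the exchange end to end and returns the user and the IdP cookie.
func Login(idp *IdP, sp *SP, idpCookie, user, pass string) (string, string, error) {
	resp, cookie, err := idp.Authn(sp.AuthnRequest(), sp.EntityID, idpCookie, user, pass)
	if err != nil {
		return "", "", err
	}
	subject, err := sp.Consume(resp, time.Now())
	return subject, cookie, err
}

func main() {
	key := []byte("idp-signing-key-assumed")
	idp := &IdP{Key: key, Users: map[string]string{"paulo": "hunter2"}, Sessions: map[string]string{}}
	_, idpCookie, err := Login(idp, &SP{EntityID: "cucm", IdPKey: key, Pending: map[string]bool{}}, "", "paulo", "hunter2")
	fmt.Println("CUCM login:", err)
	fmt.Println(Login(idp, &SP{EntityID: "webex", IdPKey: key, Pending: map[string]bool{}}, idpCookie, "", "")) // no password needed
}
```

The second Login succeeds with empty credentials because the IdP recognises its cookie; a response issued for cucm is refused by webex on audience, and a response POSTed twice is refused because its AuthnRequest ID was consumed.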
Do these look familiar? (OAuth consent prompts)

"An application would like to connect to your account. The application 'XYZ' would like to access your basic account information. Allow application 'XYZ' access? [Allow] [Deny]"
"Authorize 'XYZ' Application? This application will be able to: access your basic account information; read your posts; see your list of contacts. [Authorize app] [No, thanks]"
"'XYZ' Application: this application would like to: read and manage your files and documents; view your email address. [Accept] [Cancel]"
OAuth: Cisco Spark client login

Parties: the Spark thick client with its embedded browser, Cisco Spark Common Identity (Access Service, Identity Broker and OAuth service), the Customer IdP, and the Spark Service.

1. The client opens the AuthZ URL of the Access Service.
2. The Access Service redirects the client to the AuthN request and provides the IdP URL for the SAML exchange.
3. The embedded browser sends the SAML GET (authentication request) to the Customer IdP.
4. The IdP authenticates the user and answers with a SAML POST carrying the UID and an IdP cookie.
5. The browser POSTs the SAML assertion to the Identity Broker, which validates the assertion and creates the SAML SP cookie.
6. The Identity Broker redirects to the OAuth service with the SAML cookie and the UID of the user.
7. The OAuth service verifies the entitlement and scope for the user and generates an OAuth token.
8. The access_token is sent back to the client.
9. The client presents the access_token to the Spark Service.
Cisco Spark Security
The scenario

Spark clients, Spark Boards and video endpoints connect to the Spark cloud; on-premises Media Nodes, Expressway and the existing services are linked to it through the Hybrid Calendar, Hybrid Call, Hybrid Directory and Hybrid Media Services.
Spark – User Identity Sync and Authentication

Directory Sync: user info can be synchronized to the Spark Identity Service from the enterprise Active Directory, and multiple user attributes can be synchronized.
Passwords are not synchronized. The user either 1) creates a Spark password or 2) uses SSO for authentication.
Spark – SAML SSO Authentication

Administrators can configure Spark to work with their existing SSO solution: the Spark Identity Service hands authentication to the enterprise IdP. Spark supports Identity Providers using SAML 2.0 and OAuth 2.0.
Client Connection

1) The customer downloads and installs the Spark client (with trust anchors).
2) The Spark client establishes a secure TLS connection with the Spark cloud.
3) The Spark Identity Service prompts for an e-mail ID.
4) The user is authenticated by the Spark Identity Service, or by the enterprise IdP (SSO).
5) OAuth access and refresh tokens are created and sent to the Spark client. The access tokens contain details of the Spark resources the user is authorized to access.
6) The Spark client presents its access tokens to register with Spark services over a secure channel.
Spark Device Connection

1) The user enters the 16-digit activation code received via e-mail from the Spark provisioning service (e.g. 1234567890123456).
2) The device is authenticated by the Identity Service (trust anchors are sent to the device and a secure connection is established).
3) OAuth access and refresh tokens are created and sent to the device. The access tokens contain details of the Spark resources the user is authorized to access.
4) The device presents its access tokens to register with Spark services over a secure channel.
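An added Go example (not Cisco's code) of the token issuance behind both the client connection and the device connection above: scopes derived from the user's entitlements, a short-lived access token that a service checks at registration, and a 16-digit activation code that is single-use and time-limited. The entitlement directory, the token format, the scope names, the one-hour and seven-day lifetimes and the service API are assumptions.

```go
// Added example (not Cisco's code); the entitlement directory, token format,
// scopes, lifetimes and the service API are assumptions.
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Tokens is what the Access Service returns; the refresh token is for renewal.
type Tokens struct {
	Subject, AccessToken, RefreshToken string
	Scope                              []string // Spark resources the holder may access
	ExpiresAt                          time.Time
}

type activation struct{ owner string; expires time.Time }

// AuthZService plays the OAuth/Access Service of Cisco Spark Common Identity.
type AuthZService struct {
	now          func() time.Time      // injectable clock
	entitlements map[string][]string   // user -> entitled services (assumed directory)
	access       map[string]Tokens     // live access tokens
	refresh      map[string]string     // refresh token -> subject
	codes        map[string]activation // unredeemed 16-digit activation codes
}

func NewAuthZService(now func() time.Time, entitlements map[string][]string) *AuthZService {
	return &AuthZService{now: now, entitlements: entitlements, access: map[string]Tokens{},
		refresh: map[string]string{}, codes: map[string]activation{}}
}

func randomToken() string { b := make([]byte, 24); rand.Read(b); return hex.EncodeToString(b) }

// IssueTokens runs once the Identity Service or the enterprise IdP has authenticated
// the subject (client flow steps 4-5): a one-hour access token scoped to the Spark
// resources the subject is entitled to, plus a refresh token.
func (a *AuthZService) IssueTokens(subject string) (Tokens, error) {
	scope, ok := a.entitlements[subject]
	if !ok || len(scope) == 0 {
		return Tokens{}, errors.New("no entitlements for " + subject)
	}
	t := Tokens{Subject: subject, AccessToken: randomToken(), RefreshToken: randomToken(),
		Scope: scope, ExpiresAt: a.now().Add(time.Hour)}
	a.access[t.AccessToken] = t
	a.refresh[t.RefreshToken] = subject
	return t, nil
}

// NewActivationCode mints the 16-digit code e-mailed to the device owner,
// valid for seven days (assumed lifetime).
func (a *AuthZService) NewActivationCode(owner string) string {
	code := make([]byte, 16)
	for i := range code {
		n, _ := rand.Int(rand.Reader, big.NewInt(10)) // unbiased decimal digit
		code[i] = '0' + byte(n.Int64())
	}
	a.codes[string(code)] = activation{owner, a.now().Add(7 * 24 * time.Hour)}
	return string(code)
}

// ActivateDevice redeems the code typed on the device (device flow steps 1-3);
// a code is consumed on first use whether or not it is still valid.
func (a *AuthZService) ActivateDevice(code string) (Tokens, error) {
	act, ok := a.codes[code]
	if !ok {
		return Tokens{}, errors.New("unknown activation code")
	}
	delete(a.codes, code)
	if a.now().After(act.expires) {
		return Tokens{}, errors.New("activation code expired")
	}
	return a.IssueTokens(act.owner)
}

// Register is the check a Spark service makes when a client or device presents
// its access token (step 6): the token is live and scoped for that service.
func (a *AuthZService) Register(accessToken, service string) (string, error) {
	t, ok := a.access[accessToken]
	if !ok || !a.now().Before(t.ExpiresAt) {
		return "", errors.New("invalid or expired access token")
	}
	for _, s := range t.Scope {
		if s == service {
			return t.Subject, nil
		}
	}
	return "", errors.New("token not scoped for " + service)
}

func main() {
	svc := NewAuthZService(time.Now, map[string][]string{"paulo@example.com": {"messaging", "meetings"}})
	t, _ := svc.IssueTokens("paulo@example.com")
	fmt.Println(svc.Register(t.AccessToken, "messaging"))
	fmt.Println(svc.ActivateDevice(svc.NewActivationCode("paulo@example.com")))
}
```

The clock is injected so that expiry of both the access token and the activation code can be exercised without waiting; a deployment would back the maps with a store shared by the services that call Register.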
Spark: Secure Messages and Content

Spark – Encrypting Messages and Content

Spark clients request a conversation encryption key from the Key Management Service.
Any messages or files sent by a client are encrypted before being sent to the Spark cloud (the Content Server).
Each Spark room uses a different conversation encryption key.
The AES256-GCM cipher is used for encryption.
Spark – Decrypting Messages and Content

Encrypted messages sent by a client are stored in the Spark cloud (Content Server) and also sent on to every other client in the Spark room.
The encrypted message also contains a link to the conversation encryption key.
If needed, Spark clients can retrieve the encryption key from the Key Management Service using that link.
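The encrypt/decrypt path above as an added Go example rather than Cisco's implementation: a KMS that issues one AES-256 key per room and checks room membership before releasing it, an envelope that carries the ciphertext plus the link to its key, and AES-256-GCM with the key link bound as additional authenticated data so it cannot be swapped for another room's link. The kms:// URL scheme, the membership API and the envelope layout are assumptions. The same code applies to the Hybrid Data Security variant later in the deck, where only the location of the KMS changes.

```go
// Added example (not Cisco's code): per-room message encryption as described
// above. Key URLs, the KMS API and the envelope layout are assumptions.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KMS hands out one AES-256 key per room and enforces room membership.
type KMS struct {
	keys    map[string][]byte          // key URL -> 32-byte AES key
	members map[string]map[string]bool // key URL -> authorised users
}

func NewKMS() *KMS {
	return &KMS{keys: map[string][]byte{}, members: map[string]map[string]bool{}}
}

// NewRoomKey creates a fresh conversation key for a room and returns its URL.
func (k *KMS) NewRoomKey(roomID string, members ...string) string {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	url := "kms://kms.example.com/keys/" + roomID // assumed URL scheme
	k.keys[url] = key
	k.members[url] = map[string]bool{}
	for _, m := range members {
		k.members[url][m] = true
	}
	return url
}

// Fetch returns the key behind keyURL if user is a member of that room.
func (k *KMS) Fetch(keyURL, user string) ([]byte, error) {
	if !k.members[keyURL][user] {
		return nil, errors.New("user not authorised for " + keyURL)
	}
	return k.keys[keyURL], nil
}

// Envelope goes to the Content Server and to the other clients: ciphertext plus the link to its key.
type Envelope struct {
	KeyURL     string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the tag appended
}

func gcm(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a message with the room key; the key URL is authenticated as additional data.
func Encrypt(key []byte, keyURL string, plaintext []byte) (Envelope, error) {
	aead, err := gcm(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{KeyURL: keyURL, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(keyURL))}, nil
}

// Decrypt follows the link in the envelope to fetch the key from the KMS on behalf of user, then opens the message.
func Decrypt(k *KMS, user string, e Envelope) ([]byte, error) {
	key, err := k.Fetch(e.KeyURL, user)
	if err != nil {
		return nil, err
	}
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, e.Nonce, e.Ciphertext, []byte(e.KeyURL))
}

func main() {
	kms := NewKMS()
	keyURL := kms.NewRoomKey("room-42", "alice", "bob")
	key, _ := kms.Fetch(keyURL, "alice")
	env, _ := Encrypt(key, keyURL, []byte("Spark IS the message"))
	pt, err := Decrypt(kms, "bob", env) // bob follows the key link
	fmt.Println(string(pt), err)
}
```

A non-member is stopped at the KMS rather than at the cipher, which is the property the deck relies on: the cloud stores only ciphertext, and the key link is useless without an entitled identity.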
Spark: Secure Search and Indexing

Searching Spark Rooms: Building a Search Index

The Indexing Service enables users to search for names and words in the encrypted messages stored in the Content Server.
A search index is built by creating a fixed-length hash* of each word in each message within a room (in the example, the message "Spark IS the message" is indexed as the word hashes B9 57 FE 48).
The hashes for each Spark room are stored by the Content Service.

* A new (SHA-256 HMAC) hashing key (Search Key) is used for each room; the Indexing Service obtains it from the Key Management Service.
Searching Spark Rooms: Querying a Search Index

Example: search for the word "Spark".
The client sends its search request over a secure connection to the Indexing Service.
The Indexing Service uses the per-room search keys to hash the search terms ("Spark" hashes to B9).
The Content Server searches for a match in its hash tables and returns the matching (still encrypted) content to the client*.

* A link to the conversation encryption key is sent with the encrypted message, so the client can decrypt the returned content.
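An added Go example (not Cisco's code) of the index build and query described above: each room has its own SHA-256 HMAC search key, the index stores only keyed word hashes with the IDs of the messages that contain them, and a query is answered by hashing its terms with the same key. The tokeniser, the truncation of the HMAC to the 32-bit form shown on the slide, and the way the search key reaches the Indexing Service are assumptions. The same index serves the Hybrid Data Security variant later in the deck, where the Indexing Service runs on premises.

```go
// Added example (not Cisco's code): the per-room search index described
// above. Tokenisation, the hash truncation and the key handling are assumptions.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// wordHash is the fixed-length search hash of one word under a room's search key.
func wordHash(searchKey []byte, word string) string {
	m := hmac.New(sha256.New, searchKey)
	m.Write([]byte(strings.ToLower(word)))    // case-insensitive search
	return hex.EncodeToString(m.Sum(nil)[:4]) // truncated to the 32-bit form shown on the slide
}

func tokenize(text string) []string {
	return strings.FieldsFunc(text, func(r rune) bool {
		return !(r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9')
	})
}

// Index is what the Content Service stores for one room: for each word hash,
// the IDs of the (encrypted) messages containing that word.
type Index struct {
	SearchKey []byte              // per-room SHA-256 HMAC key from the KMS
	postings  map[string][]string // word hash -> message IDs
}

func NewIndex() *Index {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return &Index{SearchKey: key, postings: map[string][]string{}}
}

// AddMessage is run by the Indexing Service while it still has the plaintext; only hashes are kept.
func (ix *Index) AddMessage(msgID, plaintext string) {
	seen := map[string]bool{}
	for _, w := range tokenize(plaintext) {
		if h := wordHash(ix.SearchKey, w); !seen[h] {
			ix.postings[h] = append(ix.postings[h], msgID)
			seen[h] = true
		}
	}
}

// Search hashes each query term with the room's key and returns the IDs of
// messages that contain every term.
func (ix *Index) Search(query string) []string {
	terms := tokenize(query)
	if len(terms) == 0 {
		return nil
	}
	count := map[string]int{}
	var order []string
	for _, t := range terms {
		for _, id := range ix.postings[wordHash(ix.SearchKey, t)] {
			if count[id] == 0 {
				order = append(order, id)
			}
			count[id]++
		}
	}
	var hits []string
	for _, id := range order {
		if count[id] == len(terms) {
			hits = append(hits, id)
		}
	}
	return hits
}

func main() {
	room := NewIndex()
	room.AddMessage("m1", "Spark IS the message")
	room.AddMessage("m2", "the message is encrypted")
	fmt.Println(room.Search("spark"), room.Search("the message"), room.Search("nothing"))
	other := NewIndex() // another room: same word, different hash
	fmt.Println(wordHash(room.SearchKey, "spark") == wordHash(other.SearchKey, "spark"))
}
```

Because the hash is keyed per room, a stored hash from one room says nothing about the words in another, and whoever holds the index but not the search key cannot build a dictionary against it.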
Spark E-Discovery

Spark Compliance Service: E-Discovery

From the Cloud Collaboration Management Portal the administrator selects a group of messages and files to be retrieved for e-discovery, e.g. based on date range, content type or user(s) (in the example, Jo Smith's content).
The Indexing Service hashes the selection criteria (shown as "X1GFT5YY") and searches the Content Server for related content.
The Content Server returns the matching (encrypted) content to the Compliance Service.
Spark Compliance Service: E-Discovery (continued)

The Compliance Service decrypts the content from the Content Server (with keys from the Key Management Service), then compresses and re-encrypts it before sending it to the E-Discovery Storage Service.
The E-Discovery Storage Service sends the compressed and encrypted content (Jo Smith's messages and files) to the administrator on request; the Cloud Collaboration Management Portal reports "E-Discovery Content Ready".
3rd Party Integrations
Cisco has developed key relationships with leading Cloud Access Security Brokers (CASB), compliance, archival and security vendors to enhance Cisco Spark and deliver key enterprise-grade features:
Compliance and Archiving
Archive content to comply with retention requirements and enable eDiscovery
Data Loss Prevention
Apply policies to content, violation alerts, and take remediation actions
Identity Management
Single Sign-On via SAML, Mobile Device Management (MDM), SCIM user provisioning and deactivation
Spark Hybrid Data Security
Spark – Hybrid Data Security (HDS)

With Hybrid Data Security the Key Management Service, the Indexing Service and the Compliance Service move out of the Spark cloud into the customer's secure data center; the Content Server stays in the cloud.
Hybrid Data Services = on premises: Key Management Server, Indexing Server, E-Discovery Service.
Hybrid Data Security traffic and Firewalls

Hybrid Data Services make outbound connections only, from the enterprise to the Spark cloud, using HTTPS and Secure WebSockets (WSS). No special firewall configuration is required.
Spark – Hybrid Data Security: Key Management

The Hybrid Key Management Server performs the same functions as the cloud-based Key Management Server, BUT now all of the keys for messages and content are owned and managed by the customer.
Hybrid Data Security – Scalability

Hybrid Data Security is managed and upgraded from the cloud. Customers can access usage information for the HDS servers via the cloud management portal.
Multiple HDS servers can be provisioned for scalability and load sharing.
HDS – Encrypting Messages & Content

Spark clients request an encryption key from the Hybrid Key Management Server.
Any messages or files sent by a client are encrypted before being sent to the Spark cloud.
Encrypted messages and content are stored in the cloud; the encryption keys are stored locally, on premises.
HDS – Decrypting Messages & Content

Encrypted messages from clients are stored in the Spark cloud. These messages are sent to every other client in the Spark room and contain a link to their encryption key on the Hybrid Key Management Server.
If needed, Spark clients can retrieve the encryption keys from the Hybrid Key Management Server.
Hybrid Data Security: Search Indexing Service

The Indexing Service, now in the customer's secure data center, enables users to search for names and words in the encrypted messages stored in the Content Server. As in the cloud case, a search index is built by hashing each word ("Spark IS the message" is indexed as B9 57 FE 48).

* A new hashing key (Search Key) is used for each room.
Hybrid Data Security: Querying a Search Index

Example: search for the word "Spark".
The client sends its search request over a secure connection to the on-premises Indexing Service, which hashes the search term with the room's search key ("Spark" hashes to B9) and searches the Content Server's hash tables; the matching (encrypted) content is returned to the client*.

* A link to the conversation encryption key is sent with the encrypted message.
Spark Compliance Service: E-Discovery (HDS)

From the Cloud Collaboration Management Portal the admin selects a group of messages and files to be retrieved for e-discovery, e.g. based on date range, content type or user(s).
The on-premises Indexing Service hashes the selection (shown as "X1GFT5YY") and searches the Content Server for the selected content.
The Content Server returns the matching content to the on-premises Compliance Service.
Spark Compliance Service: E-Discovery (HDS, continued)

The Compliance Service decrypts the content from the Content Server (with keys from the on-premises Key Management Service), then compresses and re-encrypts it before sending it to the E-Discovery Storage Service.
The E-Discovery Storage Service sends the compressed and encrypted content (Jo Smith's messages and files) to the administrator on request; the Cloud Collaboration Management Portal reports "E-Discovery Content Ready".
Key Management Server Federation
HDS: Key Management Server Federation

Hybrid Key Management Servers in different enterprises (Enterprise A and Enterprise B) establish a mutual TLS* connection with each other via the Spark cloud.
Hybrid Key Management Servers make outbound connections only: HTTPS, WebSocket Secure (WSS).

* All connections to and within the Spark cloud use ECDH to generate symmetric encryption keys.
With a secure connection between the Hybrid KMSs, users can be added to rooms created by each enterprise: the mutually authenticated Hybrid KMSs can request room encryption keys from one another on behalf of their users.
Cloud Collaboration Network Security
Cloud Collaboration Network Security Primer

• VLANs: switch port VLAN configuration and device requirements
• Firewalls: whitelists for Spark clients, devices and services; media support (UDP/TCP/HTTP)
• HTTP proxies: proxy types and proxy detection; proxy authentication methods (Basic/Digest/NTLM/Negotiate/Kerberos) and authentication bypass; proxy TLS/HTTPS traffic inspection and certificate pinning
• 802.1X: authentication methods EAP-FAST/EAP-TLS, MAC Address Bypass
Cisco Spark Cloud Access: Enterprise VLANs
Connecting from the Enterprise – VLANs

Minimum enterprise network requirements: Internet access; DHCP and DNS server access; internal TCP connectivity and ICMP to devices for support.

How are the switch ports configured?
• Single static untagged VLAN?
• Dynamic VLAN assignment based on CDP/LLDP TLV values?
• Multiple static VLANs (e.g. Data VLAN and Aux VLAN)? 802.1Q VLAN tagging is required for the Auxiliary VLAN.
Network Capabilities of Spark Devices – CDP/LLDP, 802.1Q

Spark Device | Protocol | Software Train | CDP/LLDP | 802.1Q | Ethernet PC Port | Granular Configuration
Windows, Mac, iOS, Android, Web | HTTPS | WME | No/No | N/A | N/A | Static untagged (Data) VLAN
DX | HTTPS | Room OS | Yes/No | Yes | Yes | Dynamic VLAN assignment, 802.1Q tagging, connected PC supported
Room Kit, MX, SX | HTTPS | Room OS | Yes/No | Yes | No | Dynamic VLAN assignment, 802.1Q tagging
Spark Board | HTTPS | Spark Board OS | Yes/No | Yes | No | Dynamic VLAN assignment, 802.1Q tagging
Connecting from the Enterprise – Firewalls

Whitelisted ports and destinations for Spark Call (7800, 8800 phones), Spark desk and room devices, and Spark clients (see the following slides for details).

Media port ranges:
Source UDP ports: Voice 52000-52099, Video 52100-52299
Source TCP/HTTP ports: Ephemeral (=> no DSCP re-marking)
Destination UDP/TCP/HTTP ports: 5004, 5006
Destination IP addresses: Any
Voice and Video Classification and Marking – Port Range Summary, Endpoints and Clients

Audio: 52000-52099 (Spark soft clients 52000-52049, Spark devices 52050-52099)
Video: 52100-52299 (Spark soft clients 52100-52199, Spark devices 52200-52299)
Spark Apps: Network Port and Whitelist Requirements

Spark applications on Windows, Mac, iOS, Android and Web:

Protocol | Source Ports | Destination Ports | Destination | Function
UDP | Voice 52000-52049, Video 52100-52199 (exception: Windows uses ephemeral source ports today because of an OS firewall issue; fix due by Q3 CY '17) | 5004 & 5006 | Any IP address | SRTP over UDP to Spark cloud media nodes
TCP | Ephemeral | 5004 & 5006 | Any IP address | SRTP over TCP or HTTP to Spark cloud media nodes
TCP | Ephemeral | 443 | identity.webex.com | HTTPS: Spark Identity Service
TCP | Ephemeral | 443 | idbroker.webex.com | HTTPS: OAuth Service
TCP | Ephemeral | 443 | *.wbx2.com | HTTPS: Core Spark services
TCP | Ephemeral | 443 | *.webex.com | HTTPS: Identity management
TCP | Ephemeral | 443 | *.ciscospark.com | HTTPS: Core Spark services
TCP | Ephemeral | 443 | *.clouddrive.com | HTTPS: Content and space storage
TCP | Ephemeral | 443 | *.rackcdn.com | HTTPS: Content and space storage
TCP | Ephemeral | 443 | *.crashlytics.com | HTTPS: Anonymous crash data
TCP | Ephemeral | 443 | *.mixpanel.com | HTTPS: Anonymous analytics
TCP | Ephemeral | 443 | *.appsflyer.com | HTTPS: Mobile clients only, ad analytics
TCP | Ephemeral | 443 | *.adobedtm.com | HTTPS: Web clients only, analytics
TCP | Ephemeral | 443 | *.omtrdc.net | HTTPS: Web clients only, telemetry
TCP | Ephemeral | 443 | *.optimizely.com | HTTPS: Web clients only, metrics
Spark Devices: Network Port and Whitelist Requirements

Desktop and room systems: SX Series, DX Series, MX Series, Room Kits, Spark Boards*

Protocol | Source Ports | Destination Ports | Destination | Function
UDP | Voice 52050-52099, Video 52200-52299 (EFT today, GA Q3 CY '17) | 5004 & 5006 | Any IP address | SRTP over UDP to Spark cloud media nodes
TCP | Ephemeral | 5004 & 5006 | Any IP address | SRTP over TCP or HTTP to Spark cloud media nodes (not Spark Board)
TCP | Ephemeral | 443 | identity.webex.com | HTTPS: Spark Identity Service
TCP | Ephemeral | 443 | idbroker.webex.com | HTTPS: OAuth Service
TCP | Ephemeral | 443 | *.wbx2.com | HTTPS: Core Spark services
TCP | Ephemeral | 443 | *.webex.com | HTTPS: Identity management
TCP | Ephemeral | 443 | *.ciscospark.com | HTTPS: Core Spark services
TCP | Ephemeral | 443 | *.clouddrive.com | HTTPS: Content and space storage
TCP | Ephemeral | 443 | *.rackcdn.com | HTTPS: Content and space storage
TCP | Ephemeral | 443 | *.crashlytics.com | HTTPS: Anonymous crash data
TCP | Ephemeral | 443 | *.mixpanel.com | HTTPS: Anonymous analytics
TCP | Ephemeral | 443 | *dropboxusercontent.com | HTTPS: Spark Board firmware updates*
Connecting from the Enterprise – Firewalls (Hybrid Media Node)

Hybrid Media Node (HMN):
• Can be used to limit the source IP address range to the HMNs only
• Hybrid Media Node source UDP ports for voice and video are different to those used by endpoints; they are used for cascade links to the Spark cloud
• Voice and video use a common UDP source port range: 33434-33598

Media port ranges:
Source UDP ports: Voice and Video 33434-33598
Source TCP/HTTP ports: Ephemeral (=> no DSCP re-marking)
Destination UDP/TCP/HTTP port: 5004
Destination IP addresses: Any
Connecting from the Enterprise – Firewalls (Hybrid Data Security Node)

Hybrid Data Security Node (HDS): Key Management Service, Indexing (Search) Service, E-Discovery Service.
Hybrid Data Services carry HDS signaling traffic only: outbound HTTPS and WSS signaling, no media.
HMN & HDS Nodes: Network Port & Whitelist Requirements

Node | Protocol | Source Ports | Destination Ports | Destination | Function
Hybrid Media Node (HMN) | UDP | Voice and video share one UDP source port range: 33434-33598 | 5004 (cascade destination) | Any IP address | Cascaded SRTP over UDP media streams to cloud media nodes
Hybrid Media Node (HMN) | TCP | Ephemeral | 5004 (cascade destination) | Any IP address | Cascaded SRTP over TCP/HTTP media streams to cloud media nodes
Hybrid Media Node (HMN) | TCP | Ephemeral | 123, 53, 444 | Any | NTP, DNS, HTTPS
Hybrid Media Node (HMN) | TCP | Ephemeral | 443 | *wbx2.com, *idbroker.webex.com | HTTPS configuration services
Hybrid Data Security Node (HDS) | TCP | Ephemeral | 443 | *.wbx2.com, idbroker.webex.com, identity.webex.com, index.docker.io | Outbound HTTPS and WSS
What do we send to third-party sites?

Site | Clients that access it | What is sent there | User PII? | Anonymized usage info? | Encrypted user-generated content?
*.clouddrive.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing; part of the Rackspace content system | N | N | Y
*.rackcdn.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing; part of the Rackspace content system | N | N | Y
*.mixpanel.com | Win, Mac, iOS, Android, Web | Anonymous usage data | N | Y | N
*.appsflyer.com | iOS, Android | Anonymous usage data related to onboarding | N | Y | N
*.adobedtm.com | Web | Anonymous usage data | N | Y | N
*.omtrdc.net | Web | Anonymous usage data | N | Y | N
*.optimizely.com | Web | Anonymous usage data for A/B testing | N | Y | N
Cisco Spark Cloud Access: Enterprise Proxies
Connecting from the Enterprise – Proxy Types

Proxy types:
• Explicit proxy: the proxy address is given to the device/application
• Transparent proxy (the device/application is unaware of the proxy's existence), either in-line (e.g. a combined proxy and firewall) or by traffic redirection (e.g. using Cisco WCCP)

Only HTTP/HTTPS traffic (e.g. destination ports 80, 443, 8080, 8443) is sent to the proxy server; UDP media does not pass through it.
Connecting from the Enterprise – Proxy Detection

Proxy detection (how the proxy address is given to the device/application):
• Manual configuration
• Auto configuration with Proxy Auto Config (PAC) files
Network Capabilities of Spark Devices – Proxy Detection

Spark Device | Protocol | Software Train | Proxy Detection | Granular Configuration
Windows, Mac, iOS, Android, Web | HTTPS | WME | Yes: manual; Yes: PAC files | Manually configure the proxy address or use PAC files (or Windows GPO)
DX | HTTPS | Room OS | Yes: manual, using web access | Configure the proxy address via the device web interface
SX | HTTPS | Room OS | Yes: manual, using web access | Configure the proxy address via the device web interface
MX | HTTPS | Room OS | Yes: manual, using web access | Configure the proxy address via the device web interface
Room Kits | HTTPS | Room OS | Yes: manual, using web access | Configure the proxy address via the device web interface
Spark Board | HTTPS | Spark Board OS | Yes: manual configuration | Manual configuration of the proxy address
Connecting from the Enterprise – Proxy Authentication

• The proxy intercepts the outbound HTTP request
• It authenticates the user (username and password)
• The authenticated user's traffic is forwarded; an unauthenticated user's traffic is dropped/blocked

Proxy authentication is not mandatory; many enterprises do no authentication.
Common Proxy Authentication Methods

• Basic Authentication
• Digest Authentication
• NTLMv2 Authentication
• Negotiate Authentication
• Kerberos
Proxy Authentication Methods – Basic Authentication

• Uses standard HTTP headers
• The username and password are Base64 encoded; they are NOT encrypted or hashed, so anyone who can read the header can recover them
• Basic username and password challenge for devices, i.e. devices are not users (no human interaction):
  • Create one account (e.g. an LDAP account) for all devices, or create an account per device
  • No password expiration
Proxy Authentication Methods – Digest Authentication

• Uses standard HTTP headers
• The password is not sent; a hash computed over the username, realm, password and the proxy's nonce is sent instead (the username itself still travels in clear)
• Basic username and password challenge for devices, i.e. devices are not users (no human interaction):
  • Create one account (e.g. an LDAP account) for all devices, or create an account per device
  • No password expiration
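The two header-based methods above side by side, as an added Go example (not Cisco's code): Basic credentials are recovered from the header with no secret at all, while a Digest response is an MD5 over the credentials and the proxy's nonce, so the proxy can verify it without the password ever crossing the wire. Header parsing is simplified, the shared device account is an assumption, and the Digest values in main are the worked example from RFC 2617 section 3.5.

```go
// Added example (not Cisco's code): the two header-based proxy authentication
// methods above. Header parsing is simplified; the device account is assumed.
package main

import (
	"crypto/md5"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// BasicHeader builds the Proxy-Authorization value a device sends: the
// credentials are only Base64 encoded, not encrypted or hashed.
func BasicHeader(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// RecoverBasic is what anyone who can read the header (or a proxy log) can
// do: no key or secret is needed to get the username and password back.
func RecoverBasic(header string) (user, pass string, err error) {
	if !strings.HasPrefix(header, "Basic ") {
		return "", "", errors.New("not a Basic credential")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed Basic credential")
	}
	return parts[0], parts[1], nil
}

func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// DigestResponse is the RFC 2617 response for qop=auth: the password only
// enters the hash, never the wire. HA1 = MD5(user:realm:pass),
// HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:auth:HA2).
func DigestResponse(user, realm, pass, method, uri, nonce, nc, cnonce string) string {
	ha1 := md5hex(user + ":" + realm + ":" + pass)
	ha2 := md5hex(method + ":" + uri)
	return md5hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2)
}

// DigestHeader is the Proxy-Authorization value the device sends back to the
// proxy's challenge (nonce); note the username is still sent in clear.
func DigestHeader(user, realm, pass, method, uri, nonce, nc, cnonce string) string {
	return fmt.Sprintf(`Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, nc=%s, cnonce="%s", response="%s"`,
		user, realm, nonce, uri, nc, cnonce, DigestResponse(user, realm, pass, method, uri, nonce, nc, cnonce))
}

func parseDigest(header string) map[string]string {
	params := map[string]string{}
	for _, kv := range strings.Split(strings.TrimPrefix(header, "Digest "), ",") {
		if parts := strings.SplitN(strings.TrimSpace(kv), "=", 2); len(parts) == 2 {
			params[parts[0]] = strings.Trim(parts[1], `"`)
		}
	}
	return params
}

// VerifyDigest is the proxy side: it knows the device account's password and
// the nonce it issued, recomputes the response and compares.
func VerifyDigest(header, method, password, issuedNonce string) bool {
	p := parseDigest(header)
	if p["nonce"] != issuedNonce || p["qop"] != "auth" {
		return false
	}
	want := DigestResponse(p["username"], p["realm"], password, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
	return want == p["response"]
}

func main() {
	h := BasicHeader("spark-devices", "Pa55word") // assumed shared device account
	u, p, _ := RecoverBasic(h)
	fmt.Println(h, "->", u, p)
	nonce := "dcd98b7102dd2f0e8b11d0f600bfb0c093" // RFC 2617 section 3.5 example values
	d := DigestHeader("Mufasa", "testrealm@host.com", "Circle Of Life", "GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
	fmt.Println(d, VerifyDigest(d, "GET", "Circle Of Life", nonce))
}
```

Neither method protects the exchange from an on-path observer the way TLS does: Basic leaks the password outright, and Digest still exposes the username and a response that can be replayed until the proxy rotates its nonce, which is why the nonce check in VerifyDigest matters.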
Proxy Authentication Methods – NTLMv2 (Windows only)

• NT LAN Manager (NTLM) authentication: Microsoft challenge/response authentication protocol
• The username is sent in plain text
• A challenge/nonce is sent from the server
• The password hash is used to compute the response to the challenge, which is returned to the server; the password is hashed but never sent
• Windows-based username and password challenge for devices, i.e. devices are not users (no human interaction):
  • Create one account (an AD account) for all devices, or create an account per device
  • No password expiration
Proxy Authentication Methods – Negotiate/IWA (Windows only)

• Negotiate Authentication: the Microsoft implementation of SPNEGO, the Simple and Protected GSSAPI Negotiation Mechanism (GSSAPI: Generic Security Service API)
• Negotiates the use of either Kerberos or, as a fallback, NTLM
• Windows-based username and password challenge for devices, i.e. devices are not users (no human interaction):
  • Create one account (an AD account) for all devices, or create an account per device
  • No password expiration

IWA: Integrated Windows Authentication
Proxy Authentication Methods – Kerberos

• Kerberos authentication: the strongest security of the methods listed
• Parties: the client, the Authentication Service of the Key Distribution Center, the Ticket Granting Service, and the application server (here the proxy)
• Encrypted communication based on shared secrets
• The client authenticates with the Authentication Service and, once authenticated, receives a Ticket Granting Ticket (TGT)
• The client requests access to a service (e.g. the proxy) by presenting the TGT to the Ticket Granting Service; the TGS authenticates the client and returns an encrypted Service Ticket
• The client presents the Service Ticket to the proxy, which validates the user (using the shared secret)
• The HTTPS connection proceeds
Proxy Authentication Bypass Methods

Manually configure the proxy server to exempt from authentication:
• Device IP addresses (e.g. 10.100.200.1, 10.100.200.3)
• Whitelisted destinations (e.g. *ciscospark.com): identity.webex.com, idbroker.webex.com, *.wbx2.com, *.webex.com, *.ciscospark.com, *.clouddrive.com, *.crashlytics.com, *.mixpanel.com, *.rackcdn.com
Network Capabilities of Spark Devices – Proxy Authentication

Spark Device | Protocol | Software Train | Proxy Authentication | Granular Configuration
Windows, Mac, iOS, Android, Web | HTTPS | WME | Basic: No; Digest: No; NTLM: Yes (Windows); Kerberos: No | Windows only today; other OSs use authentication bypass (Basic/Digest/Kerberos planned)
DX | HTTPS | Room OS | Yes: Basic Auth (web-based config); Digest Auth planned | Configure username and password for proxy authentication (Basic Auth)
SX | HTTPS | Room OS | Yes: Basic Auth (web-based config); Digest Auth planned | Configure username and password for proxy authentication (Basic Auth)
MX | HTTPS | Room OS | Yes: Basic Auth (web-based config); Digest Auth planned | Configure username and password for proxy authentication (Basic Auth)
Room Kits | HTTPS | Room OS | Yes: Basic Auth (web-based config); Digest Auth planned | Configure username and password for proxy authentication (Basic Auth)
Spark Board | HTTPS | Spark Board OS | Yes: Basic Auth (manual configuration) | Configure username and password for proxy authentication (Basic Auth)
Proxy TLS/HTTPS Inspection – Non-Spark Apps (1)

HTTPS/TLS inspection, client side:
• The private CA root certificate has been sent to (installed on) the client
• A certificate signed by the private CA is sent to the client on connection establishment
• The client compares the private CA root certificate with those received in the certificate chain
• If they match, the client accepts and proceeds with the TLS connection
Proxy TLS/HTTPS Inspection – Non Spark Apps (2)
• HTTPS/TLS Inspection
• Proxy starts new HTTPS/TLS connection to Web/Cloud Service
• Proxy receives Certificate from Web/Cloud Service
• Proxy uses the Certificate to establish Secure TLS/HTTPS connection
• Proxy can now Decrypt, Inspect and Re-Encrypt session traffic
(Diagram: Signalling, UDP Media)
HTTP Proxy - No HTTPS Inspection – Spark Certificate Pinning
• Certificate Pinning
• CA signed Cisco Spark Certificate sent by HTTPS/TLS server
• Client creates a hash of the Cert’s Public Key
• Client compares the hash with the Certificate Pin in its Trust Store
• If they match – accept and proceed with the TLS connection
Certificate Pin = SHA 256 Hash of CA Root Certificate Public Key
VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=
(Diagram: Signalling, UDP Media)
Proxy - HTTPS Inspection – Spark Certificate Pinning
• Certificate Pinning
• Proxy sends Private CA signed Certificate during HTTPS/TLS set up
• Client creates a hash of the Private CA signed Cert’s Public Key
• Client compares the hash with the Certificate Pin in its Trust Store
• They DO NOT Match : TLS connection terminated
Certificate Pin = SHA 256 Hash of CA Root Certificate Public Key
VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=
(Diagram: Signalling, UDP Media)
HTTPS Inspection – Spark Devices Cert. Pinning Fix
• Certificate Pinning
• Private CA Cert copied to Spark Cloud
• Proxy sends Private CA signed Certificate during HTTPS/TLS set up
• Client creates a hash of the Private CA signed Cert’s Public Key
• Client compares the hash with the Certificate Pin in its Trust Store
• They DO Match : Proceed with TLS connection
• HTTPS/TLS Inspection possible
Certificate Pin = SHA 256 Hash of Private CA Root Certificate Public Key
VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=
(Diagram: Signalling, UDP Media)
HTTPS Inspection – Spark Clients Cert. Pinning Fix
• Certificate Pinning
• Private CA Cert copied to Client OS Trust Store
• Proxy sends Private CA signed Certificate during HTTPS/TLS set up
• Spark App checks to see if a copy of the Private CA Cert exists in the OS Trust Store
• If the Cert exists – skip Certificate pinning process
• Proceed with TLS connection
• HTTPS/TLS Inspection possible
Certificate Pin = SHA 256 Hash of Spark CA Root Certificate Public Key
VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=
(Diagram: Signalling, UDP Media)
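The four pinning slides (no inspection; inspection without a fix; the devices fix that adds the private CA's pin to the downloaded trust list; the clients fix that skips pinning when the private CA is already in the OS trust store) reduce to one decision function. The code below is an added illustration, not Cisco's client code: `TrustStore`, `validate_chain`, the `allow_os_ca_bypass` flag and the SPKI byte strings are constructed for this example, and a real client would first extract the SubjectPublicKeyInfo from the DER certificate (for instance with the `cryptography` package) before hashing it the way the slide's pin value (base64 of a SHA-256) suggests.

```python
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass, field

# Added illustration, not Cisco's client code. The SPKI byte strings below are
# constructed stand-ins for DER SubjectPublicKeyInfo blobs.


def spki_pin(spki_der: bytes) -> str:
    """Pin in the form the slide shows: base64(SHA-256(public key info))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class TrustStore:
    """What the client consults when validating a chain (assumed model)."""
    pins: set[str]                                               # pins shipped with the app or downloaded per org
    os_trusted_spkis: set[bytes] = field(default_factory=set)    # CA keys present in the OS trust store


def validate_chain(chain_spkis: list[bytes], store: TrustStore,
                   allow_os_ca_bypass: bool = False) -> tuple[bool, str]:
    """Return (proceed, reason) for a presented chain (leaf first, root last).

    allow_os_ca_bypass models the 'Spark clients fix': when the chain's root CA
    is already in the OS trust store, the pinning step is skipped.
    """
    if not chain_spkis:
        return False, "empty chain: TLS connection terminated"
    root_spki = chain_spkis[-1]
    if allow_os_ca_bypass and root_spki in store.os_trusted_spkis:
        return True, "private CA found in OS trust store: pinning skipped"
    # Hash every public key in the chain and look for one that matches a pin.
    for spki in chain_spkis:
        if spki_pin(spki) in store.pins:
            return True, "pin matched"
    return False, "no pin matched: TLS connection terminated"


# Constructed sample keys (placeholders, not real DER).
CLOUD_CA_SPKI = b"constructed-spki:cisco-spark-ca-root"
PRIVATE_CA_SPKI = b"constructed-spki:enterprise-proxy-ca-root"
LEAF_SPKI = b"constructed-spki:leaf-certificate"


def run_scenarios() -> dict[str, bool]:
    """The four slides as cases; True means the client proceeds with the TLS connection."""
    shipped = TrustStore(pins={spki_pin(CLOUD_CA_SPKI)})
    # Devices fix: admin uploads the private CA, the device downloads a trust list carrying its pin.
    with_private_pin = TrustStore(pins={spki_pin(CLOUD_CA_SPKI), spki_pin(PRIVATE_CA_SPKI)})
    # Clients fix: private CA pushed into the OS trust store (GPO, configuration profile).
    with_os_ca = TrustStore(pins={spki_pin(CLOUD_CA_SPKI)}, os_trusted_spkis={PRIVATE_CA_SPKI})
    cloud_chain = [LEAF_SPKI, CLOUD_CA_SPKI]     # proxy does not inspect: the cloud chain arrives untouched
    proxy_chain = [LEAF_SPKI, PRIVATE_CA_SPKI]   # proxy inspects: leaf re-signed under the private CA
    return {
        "no_inspection": validate_chain(cloud_chain, shipped)[0],
        "inspection_no_fix": validate_chain(proxy_chain, shipped)[0],
        "inspection_devices_fix": validate_chain(proxy_chain, with_private_pin)[0],
        "inspection_clients_fix": validate_chain(proxy_chain, with_os_ca, allow_os_ca_bypass=True)[0],
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'proceed' if ok else 'terminate'}")
```

The bypass in `validate_chain` is deliberately conditioned on the root CA being in the OS trust store rather than on any certificate in the chain: an inspecting proxy whose CA an administrator never installed still gets the "terminate" result of the second slide.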
Network Capabilities Spark Devices – HTTPS Inspection

| Spark Device | Protocol | Software Train | Supports TLS/HTTPS Inspection | Cert Validation Method |
|---|---|---|---|---|
| Windows, Mac, Web | HTTPS | WME | Yes: Win/Mac/Browser | If Enterprise Certificate exists, then bypass Certificate Pinning process |
| iOS, Android | HTTPS | WME | No: iOS, Android | HTTPS Inspection By-Pass |
| DX | HTTPS | Room OS | Yes – requires per-org config of Identity Service | Load Private CA Certs in Spark Service; download Trust List with Private Certs |
| SX | HTTPS | Room OS | Yes – requires per-org config of Identity Service | Load Private CA Certs in Spark Service; download Trust List with Private Certs |
| MX | HTTPS | Room OS | Yes – requires per-org config of Identity Service | Load Private CA Certs in Spark Service; download Trust List with Private Certs |
| Room Kits | HTTPS | Room OS | Yes – requires per-org config of Identity Service | Load Private CA Certs in Spark Service; download Trust List with Private Certs |
| Spark Board | HTTPS | Spark Board OS | No (Planned Q3 CY '17) | HTTPS Inspection By-Pass |
Cisco Spark Cloud Access – Network Access Control 802.1X
Connecting from the Enterprise – 802.1X
802.1X Operation
• Switch port network access restricted
• Client presents credentials to Authentication Server
• After successful Authentication – switch port configured for the Device, e.g. VLAN(s), ACLs
(Diagram: client, switch, Authentication Server)
802.1X Network Authentication Methods
• There are many options…
• Two key Authentication methods:
  • EAP-FAST
  • EAP-TLS
(Diagram: Username / Password presented to Authentication Server)
802.1X Network Authentication : EAP-FAST
802.1X Extensible Authentication Protocol - FAST
• Flexible Authentication via Secure Tunneling
• Username and Password based
• Does not require Certificates
(Diagram: Username / Password relayed from client to Authentication Server)
802.1X Network Authentication : EAP-TLS
802.1X Extensible Authentication Protocol - TLS
• Transport Layer Security
• Requires Digital Certificates
• Mutual Client - Server Authentication
(Diagram: Authentication Server)
802.1X Fallback - MAC Address Bypass (MAB)
Bypasses 802.1X Authentication Mechanisms
• Uses the Device MAC Address
• Commonly used for Non 802.1X capable devices
• MAC address manually entered into Auth. Server
(Diagram: Phone 1, MAC AA:BB:CC:11:22:33, entered in the Authentication Server)
Network Capabilities Spark Devices – 802.1X

| Spark Device | Protocol | Software Train | EAP-FAST | EAP-TLS | MIC | Non CUCM LSC | Certificate Installation Capability | Granular Configuration |
|---|---|---|---|---|---|---|---|---|
| Windows, Mac, iOS, Android, Web | HTTPS | WME | Wi-Fi - Yes; Wired - Yes | Wi-Fi - Yes; Wired - Yes | N/A | Yes | Yes | Manually install LSC (Windows GPO, Mac – Configuration Profiles) |
| DX | HTTPS | Room OS | Wi-Fi - Yes; Wired - Yes | Wi-Fi - Yes; Wired - Yes | 2H CY17 | Yes | Yes | Web based: install Enterprise LSC via device Web Interface |
| SX | HTTPS | Room OS | Wired - Yes | Wired - Yes | No | Yes | Yes | Web based: install Enterprise LSC via device Web Interface |
| MX | HTTPS | Room OS | Wired - Yes | Wired - Yes | No | Yes | Yes | Web based: install Enterprise LSC via device Web Interface |
| Room Kits | HTTPS | Room OS | Wi-Fi - Yes; Wired - Yes | Wi-Fi - Yes; Wired - Yes | Yes | Yes | Yes | Web based: install Enterprise LSC via device Web Interface |
| Spark Board | HTTPS | Spark Board OS | No (Planned Q3 CY '17) | No (Planned Q3 CY '17) | No | No (Planned Q3 CY '17) | | Use MAC Address By-Pass |
Thank you.