© 2017 Cisco and/or its affiliates. All rights reserved. 1
Cloud and On Premises Collaboration Security Explained
Jeff Corcoran, Technology Solutions Architect - Collaboration
Cisco Connect, April 3rd 2018
Agenda
• Review of Identity Management
  - Authentication
  - Authorization
• Cisco Spark Cloud Security
  - Realms of separation
  - Identity obfuscation
  - Client connection
  - Secure search / indexing / E-Discovery
• Cisco Spark Hybrid Data Security
• Reference material
  - Cloud Collaboration Network Security
  - Enterprise Security Features for Cloud
  - Jabber Enhanced Authorization
Review of Identity Management
© 2016 Cisco and/or its affiliates. All rights reserved. 4
Authentication and Authorization
Authentication verifies that “you are who you say you are”.
Authorization verifies that “you are permitted to do what you are trying to do”.

The hotel guest analogy:
• Authentication: the receptionist authenticates you by checking your passport.
• Authorization: after authentication, the receptionist gives you a room key. Your room key is your authorization token for your room and any other relevant hotel services.
• You do not need your passport to enter your room. Your room key authorizes you to enter your room only.
• The room key does not identify the holder of the key.
Authentication and Authorization (SAML and OAuth)
Clients authenticate against the IdP (SAML); clients are authorized to Services (OAuth).

SAML v2.0 In Action - SP-initiated Web Browser SSO Flow
Parties: the User with a Web Browser; the Service Provider (CUCM, CUC, Webex, Spark - “Application ABC”); the Identity Provider (IdP).
0. Metadata exchange between the Service Provider and the IdP (one-time setup, before any login)
1. Resource Request: the browser requests a protected resource from the Service Provider
2. Redirect w/ Authentication Request: the SP redirects the browser to the IdP
3. SAML Authentication Request reaches the IdP; User Authentication (per IdP policy)
4. SAML Response (with Assertion and cookie) is returned to the browser
5. POST with SAML Assertion: the browser posts the assertion to the SP
6. The Protected Resource is returned to the browser
SAML v2.0 In Action - IdP Cookies Avoid Re-authentication
Parties: the User with a Web Browser; the Service Provider (CUCM, CUC, Webex, Spark); the Identity Provider (IdP).
0. Metadata exchange between the Service Provider and the IdP
1. Resource Request from the browser to the Service Provider
2. Redirect w/ Authentication Request
3. SAML Authentication Request (with cookie): no authentication needed if the IdP cookie is valid
4. SAML Response (with Assertion)
5. POST with SAML Assertion, and the Protected Resource is returned to the browser
Which IdPs Does Cisco Support?
Cisco supports any IdP vendor that is compliant with the SAML v2.0 OASIS standard.
Internally, in our development test cycles, we test our products against selected authentication methods of the following IdPs:
• Microsoft Active Directory Federation Services (ADFS) 2.0
• Open Access Manager (OpenAM) 11.0
• PingFederate 6.10.0.4
API Authorization Challenges
Diagram: API/Service 1, API/Service 2, API/Service 3 ... API/Service N, each relying on the one Identity Provider (IdP).
OAuth Authorization Framework
• The OAuth 2.0 standard (RFC 6749) defines a framework to enable third-party applications to obtain limited access to a service or API on behalf of a user
  - Users authorize client applications to securely access protected resources without sharing their credentials (access delegation)
  - Defines authorization tokens: the valet key concept
  - Clients can be web apps, native desktop/mobile apps, JavaScript in the browser...
• Does not deal with user authentication
• Broad adoption in the API-driven world (cloud, microservices, integrations, ...)
Source: https://www.programmableweb.com/apis/directory/1?auth=OAuth
OAuth 2.0 In Action - Roles and Generic Flow
Roles:
• Resource Owner (the user)
• User Agent (the web browser)
• Client (the application)
• Authorization Server
• Resource Server (CUCM, IM&P, Expressway, Unity Connection, Webex, Spark)
• IdP: authentication (outside OAuth scope)
A trust relationship exists between the Authorization Server and the Resource Server.
1. The Client requests authorization from the Resource Owner
2. The Resource Owner grants authorization
3. The Authorization Server issues a token to the Client
4. The Client requests the resource (with token) from the Resource Server
5. The Resource Server sends the protected resource
Authorization Code Grant - Access Tokens and Refresh Tokens
Access Token: a token that authorizes a bearer to access a protected resource. Access Tokens are typically issued to a particular user with a particular scope and with a specific expiry time.
Refresh Token: a token that an OAuth client can use to request a new Access Token on expiry of an existing Access Token.
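The authorization code grant described above, as a runnable model added here. This is example code written for this page, not Cisco's code and not the Spark OAuth service; it assumes an in-memory authorization server with an injectable clock, and the client id `spark-desktop`, the subject `jsmith@abc.com` and the scope name `spark:messages_read` are constructed for the example. It shows the three properties the slides describe: the code is single-use and bound to one client, the access token carries a subject, a scope and an expiry that the resource server enforces, and the refresh token gets a new access token without a new login.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Token is a bearer credential issued to one subject, for one scope, until Expires.
type Token struct {
	Value, Subject, Scope string
	Expires               time.Time
}

type codeRecord struct{ clientID, subject, scope string }

// AuthServer is this example's in-memory authorization server (a constructed model, not a Cisco component).
type AuthServer struct {
	now       func() time.Time // injectable clock so expiry can be demonstrated
	accessTTL time.Duration
	codes     map[string]codeRecord
	access    map[string]Token
	refresh   map[string]Token
}

func NewAuthServer(now func() time.Time, accessTTL time.Duration) *AuthServer {
	return &AuthServer{now: now, accessTTL: accessTTL, codes: map[string]codeRecord{}, access: map[string]Token{}, refresh: map[string]Token{}}
}

func randomString() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Authorize models steps 1-2: the resource owner (authenticated beforehand, outside
// OAuth) grants a scope and the client receives a one-time code, never a password.
func (a *AuthServer) Authorize(clientID, subject, scope string) string {
	code := randomString()
	a.codes[code] = codeRecord{clientID: clientID, subject: subject, scope: scope}
	return code
}

func (a *AuthServer) issueAccess(subject, scope string) Token {
	t := Token{Value: randomString(), Subject: subject, Scope: scope, Expires: a.now().Add(a.accessTTL)}
	a.access[t.Value] = t
	return t
}

// Exchange models step 3: the code is redeemed once, only by the client it was
// issued to, for a short-lived access token plus a longer-lived refresh token.
func (a *AuthServer) Exchange(code, clientID string) (Token, Token, error) {
	rec, ok := a.codes[code]
	if !ok || rec.clientID != clientID {
		return Token{}, Token{}, errors.New("invalid_grant")
	}
	delete(a.codes, code) // single use
	r := Token{Value: randomString(), Subject: rec.subject, Scope: rec.scope, Expires: a.now().Add(30 * 24 * time.Hour)}
	a.refresh[r.Value] = r
	return a.issueAccess(rec.subject, rec.scope), r, nil
}

// Refresh issues a new access token on expiry of the old one, with no new user login.
func (a *AuthServer) Refresh(refreshToken string) (Token, error) {
	r, ok := a.refresh[refreshToken]
	if !ok || !a.now().Before(r.Expires) {
		return Token{}, errors.New("invalid_grant")
	}
	return a.issueAccess(r.Subject, r.Scope), nil
}

// FetchMessages models steps 4-5 at the resource server: trusting the authorization
// server's token store, it checks expiry and scope and never sees a password.
func FetchMessages(as *AuthServer, bearer string) (string, error) {
	t, ok := as.access[bearer]
	if !ok || !as.now().Before(t.Expires) {
		return "", errors.New("invalid_token")
	}
	if t.Scope != "spark:messages_read" {
		return "", errors.New("insufficient_scope")
	}
	return "messages for " + t.Subject, nil
}

func main() {
	clock := time.Date(2018, 4, 3, 9, 0, 0, 0, time.UTC)
	as := NewAuthServer(func() time.Time { return clock }, 15*time.Minute)
	code := as.Authorize("spark-desktop", "jsmith@abc.com", "spark:messages_read")
	access, refresh, _ := as.Exchange(code, "spark-desktop")
	fmt.Println(FetchMessages(as, access.Value))
	clock = clock.Add(time.Hour) // the access token has now expired
	fmt.Println(FetchMessages(as, access.Value))
	access, _ = as.Refresh(refresh.Value)
	fmt.Println(FetchMessages(as, access.Value))
}
```

The resource server here reads the authorization server's token table directly; in a real deployment that "trust relationship" is a signed token or a token introspection call, but the checks it has to make (is the token live, whose is it, what scope does it carry) are the same.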
Cisco Spark - OAuth and SAML Login Flow
Participants: the Spark Thick Client with an Embedded Browser; Cisco Spark Common Identity (Access Service, OAuth Service and Identity Broker); the Customer IdP; the Spark Service.
1. The client requests the AuthZ URL and is redirected to the Authorization Service
2. AuthN Request: Common Identity provides the IdP URL for the SAML exchange and redirects the embedded browser to the AuthN (SAML GET)
3. Authentication request to the Customer IdP; authentication provided
4. SAML POST with uid and IdP cookie; the Identity Broker validates the assertion and creates the SAML SP cookie
5. Redirect to the OAuth Service with the SAML cookie and UID of the user
6. The OAuth Service verifies entitlement and scope for the user and generates an OAuth token
7. The OAuth token (access_token) is sent back to the client
8. The client uses the access_token to access the Spark Service
Cisco Spark Cloud Security

Spark Cloud Security - Realms of Separation
Spark logically and physically separates functional components within the cloud:
• Identity Services holding real user identity (e.g. email addresses) are separated from
• the Encryption (Key Management), Indexing and Compliance Services, which are in turn separated from
• the Data Storage Services (Content Server)
The diagram places these realms in separate locations: Data Center A, Data Center B, Data Center C.
Realms of Separation - Identity Obfuscation
Outside of the Identity Service, real identity information is obfuscated:
• For each User ID, Spark generates a random 128-bit Universally Unique Identifier (UUID): the user's obfuscated identity
• No real identity information transits, or is stored, elsewhere in the cloud
Example from the diagram: jsmith@abc.com in the Identity Service is known as htzb2n78jdbc9e to the other services.
Spark - User Identity Sync and Authentication
Directory Sync into the Identity Service:
• User info can be synchronized to Spark from the Enterprise Active Directory
• Multiple user attributes can be synchronized
• Scheduled sync tracks employee changes
• Passwords are not synchronized; the user either 1) creates a Spark password or 2) uses SSO for authentication
Spark - SAML SSO Authentication
Directory Sync plus SAML SSO against the enterprise IdP. SSO for user authentication:
• Administrators can configure Spark to work with their existing SSO solution
• Spark supports Identity Providers using Security Assertion Markup Language (SAML) 2.0 and OAuth 2.0
• See Notes for the list of supported IdPs
Spark App - Cloud connection
1) Customer downloads and installs the Spark App (with trust anchors)
2) Spark client establishes a secure TLS connection with the Spark Cloud
3) Spark Identity Service prompts for an e-mail ID
4) User authenticated by the Spark Identity Service, or by the Enterprise IdP (SSO)
5) OAuth Access and Refresh Tokens created and sent to the Spark App
   • The Access Tokens contain details of the Spark resources the user is authorized to access
6) Spark App presents its Access Tokens to register with Spark Services over a secure channel
Spark Device - Cloud connection
1) User enters the 16 digit activation code received via e-mail from the Spark provisioning service (e.g. 1234567890123456)
2) Device authenticated by the Identity Service (trust anchors sent to the device and secure connection established)
3) OAuth Access and Refresh Tokens created and sent to the Spark client
   • The Access Tokens contain details of the Spark resources the user is authorized to access
4) Spark client presents its Access Tokens to register with Spark Services over a secure channel
Spark - Encrypting Messages and Content
• Spark clients request a conversation encryption key from the Key Management Service
• Any messages or files sent by a client are encrypted before being sent to the Spark Cloud
• Each Spark Room uses a different conversation encryption key
• AES256-GCM cipher used for encryption
• Encrypted messages sent by a client are stored in the Spark Cloud (Content Server) and also sent on to every other client in the Spark Room

Spark - Decrypting Messages and Content
• The encrypted message also contains a link to the conversation encryption key
• If needed, Spark clients can retrieve encryption keys from the Key Management Service
Searching Spark Rooms: Building a Search Index
The Indexing Service:
• Enables users to search for names and words in the encrypted messages stored in the Content Server without decrypting content
• A Search Index is built by creating a fixed length hash* of each word in each message within a Room (diagram: the message “Spark IS the message” becomes the hashes B9 57 FE 48, one per word)
• The hashed indexes for each Spark Room are stored by the Content Service
* A new (SHA-256 HMAC) hashing key (Search Key) is used for each room

Searching Spark Rooms: Querying a Search Index
• Search for the word “Spark”: the App sends the search request over a secure connection to the Indexing Service
• The Indexing Service uses per-room search keys to hash the search terms (“Spark” becomes “B9”)
• The Search Service searches for a match in the hash tables and returns the matching content to the App*
* A link to the Conversation Encryption Key is sent with the encrypted message
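The two mechanisms described on the preceding slides (per-room AES-256-GCM message encryption with a link to the conversation key, and the per-room HMAC-SHA256 search index) as one runnable example added here. This is example code for this page, not Cisco's implementation; the `RoomKeys`, `Envelope` and `Index` types, the key ids `room-A-key-1` and `room-B-key-1`, the sample messages, and the truncation of each word hash to 4 bytes (to mirror the slide's “B9 57 FE 48” picture) are all this example's own choices. It demonstrates that a key-holding client can build and query the index while the stored index reveals only hashes, that a different room's Search Key finds nothing, and that a message whose link points at another room's key, or whose ciphertext has been altered, does not decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// RoomKeys models what the Key Management Service holds for one room: a 256-bit
// conversation key (AES-256-GCM) and a separate Search Key (HMAC-SHA256).
// KeyID is the "link to the conversation encryption key" that each message carries.
type RoomKeys struct{ KeyID string; Conv, Search []byte }

// Envelope is this example's stored form of one encrypted message.
type Envelope struct{ KeyID string; Nonce, Ct []byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewRoomKeys(id string) RoomKeys {
	return RoomKeys{KeyID: id, Conv: randomBytes(32), Search: randomBytes(32)}
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Encrypt runs on the client before the message leaves for the cloud. The key ID is
// bound as associated data, so a stored envelope cannot be re-pointed at another key.
func Encrypt(k RoomKeys, plaintext string) Envelope {
	gcm := gcmFor(k.Conv)
	nonce := randomBytes(gcm.NonceSize())
	return Envelope{k.KeyID, nonce, gcm.Seal(nil, nonce, []byte(plaintext), []byte(k.KeyID))}
}

// Decrypt is what a receiving client does after fetching the linked key from the KMS.
func Decrypt(k RoomKeys, e Envelope) (string, error) {
	if e.KeyID != k.KeyID {
		return "", fmt.Errorf("message links to key %q, not %q", e.KeyID, k.KeyID)
	}
	pt, err := gcmFor(k.Conv).Open(nil, e.Nonce, e.Ct, []byte(e.KeyID))
	if err != nil {
		return "", err // wrong key or tampered ciphertext: the GCM tag check fails
	}
	return string(pt), nil
}

// HashWord is the fixed-length per-room word hash. Truncating the HMAC to 4 bytes
// mirrors the slide's picture; it is this example's choice, not Spark's format.
func HashWord(searchKey []byte, word string) string {
	mac := hmac.New(sha256.New, searchKey)
	mac.Write([]byte(strings.ToLower(strings.Trim(word, ".,!?\"'"))))
	return hex.EncodeToString(mac.Sum(nil)[:4])
}

// Index maps a word hash to the positions of the messages containing it. It is
// built by a key-holding client; the cloud only ever sees the hashes.
type Index map[string][]int

func BuildIndex(searchKey []byte, messages []string) Index {
	idx := Index{}
	for i, m := range messages {
		for _, w := range strings.Fields(m) {
			h := HashWord(searchKey, w)
			if l := idx[h]; len(l) == 0 || l[len(l)-1] != i { // one entry per message
				idx[h] = append(l, i)
			}
		}
	}
	return idx
}

// Query hashes the search term under the same room key and looks it up.
func Query(idx Index, searchKey []byte, term string) []int {
	return idx[HashWord(searchKey, term)]
}

func main() {
	room := NewRoomKeys("room-A-key-1")
	msgs := []string{"Spark IS the message", "Meeting at noon", "spark board arrived"} // constructed
	idx := BuildIndex(room.Search, msgs)
	stored := Encrypt(room, msgs[0])
	pt, err := Decrypt(room, stored)
	fmt.Println(Query(idx, room.Search, "Spark"), pt, err)
}
```

Binding the key ID into the GCM associated data is the detail worth noticing: the link the slide mentions travels in the clear, so authenticating it prevents a stored message from being silently re-associated with another room's key.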
Spark E-Discovery Service: (1)
• From the Spark Control Hub, the Compliance Officer selects a group of messages and files to be retrieved for E-Discovery, e.g. based on date range / content type / username(s)
• The Indexing Service hashes the search criteria (diagram: “Jo Smith’s Content” becomes X1GFT5YY) and requests a search of the related hashed content from the Search Service
• The Content Server returns the matching content to the E-Discovery Service
Spark E-Discovery Service: (2)
The E-Discovery Service:
• Decrypts content from the Content Server (Jo Smith’s messages and files), then compresses and re-encrypts it before sending it to the E-Discovery Storage Service
The E-Discovery Storage Service:
• Sends the compressed and encrypted content to the Administrator on request (the Spark Control Hub shows “E-Discovery Content Ready”)
3rd Party Integrations
Cisco has developed key relationships with leading Cloud Access Security Brokers (CASB), compliance, archival and security vendors to enhance Cisco Spark and deliver key enterprise-grade features:
• Compliance and Archiving: archive content to comply with retention requirements and enable eDiscovery
• Data Loss Prevention: apply policies to content, raise violation alerts, and take remediation actions
• Identity Management: Single Sign-On via SAML, Mobile Device Management (MDM), SCIM user provisioning and deactivation
Spark Hybrid Data Security

Spark - Hybrid Data Security (HDS)
Hybrid Data Services = the following services run On Premise, in the customer's Secure Data Center, instead of in the Spark cloud:
• Key Management Server
• Indexing Server
• E-Discovery Service
The Content Server stays in the Spark cloud.
Hybrid Data Security traffic and Firewalls
• Hybrid Data Services make outbound connections only, from the Enterprise to the Spark cloud, using HTTPS and Secure WebSockets (WSS)
• No special firewall configuration required
Hybrid Data Security - Scalability
• Hybrid Data Security is managed and upgraded from the cloud
• Customers can access usage information for the HDS servers via the Spark Control Hub
• Multiple HDS servers can be provisioned for scalability & load sharing
Spark - Hybrid Data Security: Key Management
• The Hybrid Key Management Server performs the same functions as the cloud based Key Management Server
• BUT now all of the keys for messages and content are owned and managed by the Customer
HDS - Encrypting Messages & Content
• Spark clients request an encryption key from the Hybrid Key Management Server
• Any messages or files sent by a client are encrypted before being sent to the Spark Cloud
• Encrypted messages and content are stored in the cloud (Content Server); the encryption keys are stored locally

HDS - Decrypting Messages & Content
• Encrypted messages from clients are stored in the Spark Cloud
• These messages are sent to every other client in the Spark Room and contain a link to their encryption key on the HDS Key Management Server
• If needed, Spark clients can retrieve encryption keys from the HDS Key Management Server
Hybrid Data Security - Secure App Connections
• Spark Apps establish a direct TLS connection to the On Premise HDS node and KMS service (App to HDS TLS connection), in addition to the App to Cloud TLS connection to the Spark Service
• This encrypted peer to peer session traverses the Spark Cloud
Hybrid Data Security: Search Indexing Service
The Indexing Service (now On Premise, in the Secure Data Center): enables users to search for names and words in the encrypted messages stored in the Content Server without decrypting content. Each word is hashed to a fixed length value (diagram: “Spark IS the message” becomes B9 57 FE 48).
* A new hashing key (Search Key) is used for each room
Hybrid Data Security: Querying a Search Index
• Search for the word “Spark”: the Indexing Service hashes the App’s search request with the room’s search key (“Spark” becomes “B9”) and sends the hashed index to the Search Service
• The Search Service matches the hashed index against the stored index (B9 57 FE 48) and returns the matching message
* A link to the Conversation Encryption Key is sent with the encrypted message
Spark E-Discovery Service with HDS: (1)
• From the Spark Control Hub, the Compliance Officer selects a group of messages and files to be retrieved for E-Discovery, e.g. based on date range / content type / username(s)
• The On Premise Indexing Service hashes the search criteria (“Jo Smith’s Content” becomes X1GFT5YY) and sends the hashed search criteria to the Search Service
• The Content Server returns the matching content to the E-Discovery Service
Spark E-Discovery Service with HDS: (2)
E-Discovery Service (On Premise):
• Decrypts content from the Content Server (Jo Smith’s messages and files), then compresses and re-encrypts it before sending it to the E-Discovery Storage Service
E-Discovery Storage Service:
• Sends the compressed and encrypted content to the Administrator on request (the Spark Control Hub shows “E-Discovery Content Ready”)
HDS: Encryption Keys & Users in other Organizations
• Spark Spaces with users from multiple Organizations (Organization A, Organization B) can share encrypted messages and content
• How do external users retrieve encryption keys from the KMS of the Organization that owns the Spark Space?
HDS: Key Management Server Federation
• Hybrid Key Management Servers in different Organizations can establish a Mutual TLS connection via the Spark Cloud
• Hybrid Key Management Servers make outbound connections only: HTTPS, Web Socket Secure (WSS)
HDS: Key Management Server Federation
• With a secure connection between Key Management Servers, mutually authenticated KMSs can request Room Encryption Keys from one another on behalf of their users
Hybrid Data Security Architecture
Secure Data Center A runs one or more Hybrid Data Services Nodes (VMs on vSphere). Each node contains Docker, an ECP Mgmt Container, the HDS Containers, and an IDE Mount of the HDS Cluster Config File.
• ECP (Enterprise Compute Platform): management containers which communicate with the cloud and perform actions such as sending health checks and checking for new versions of HDS.
• HDS (Hybrid Data Security): Key Management Server, Search Indexer, and eDiscovery Services.
• HDS Cluster Config: an ISO file containing configuration information for the local HDS cluster, e.g. database connection settings, Database Master Encryption key, etc.
• IDE Mount: mount point of the read-only HDS Cluster Config ISO file containing the configuration settings for the HDS system.
Customer Provided Services: Postgres Database, Syslogd, Database Back Up, System Back Up.
HDS Deployment Considerations
• BYO: VM for deploying the HDS appliance, Postgres Database and syslogd servers.
• Customer manages backup and recovery of the Postgres Database and the local configuration ISO.
• Customer should perform quick disaster recovery in the event of a catastrophe (complete database disk failures, datacenter disaster).
• HDS application nodes and database need to be co-located in the same data center.
• An HDS deployment requires significant customer commitment and an awareness of the risks that come with owning encryption keys:
  Complete loss of either the configuration ISO or the Postgres Database will result in loss of the decryption keys stored in HDS. This will prevent users from decrypting space content and other encrypted data. If this happens, an empty HDS can be restored; however, only new content will be visible.
HDS Installation Prerequisites
See prerequisites in https://www.cisco.com/go/hybrid-data-security
• X.509 Certificate, Intermediates and Private Key
  - PKI (Public Key Infrastructure) is used for KMS to KMS federation
  - Common Name signed by a member of the Mozilla Trusted Root Store
  - No SHA1 signatures
  - PKCS12 format
• 2 ESXi Virtualized Hosts: min 2 to support upgrades, 3 recommended, 5 max
  - Minimum 4 vCPUs, 8-GB main memory, 50-GB local hard disk space per server
  - kms://cisco.com easily supports 15K users per HDS.
• 1 Postgres 9.6.1 Database Instance (Key datastore)
  - 8 vCPU, 16 GB RAM, 2 TB Disk. User created with createuser. Assigned GRANT ALL PRIVILEGES ON database.
• 1 Syslog Host
  - hostname and port required to centralize syslog output from the three HDS instances and management containers
• A secure backup location
  - The HDS system requires organization administrators to securely back up two key pieces of information: 1) the configuration ISO file generated by this process, 2) the Postgres database. Failure to maintain adequate backups will result in loss of customer data. See <Section on Disaster Recovery>.
• Network
  - Outbound HTTPS on TCP port 443 from the HDS host
  - Bi-directional WSS on TCP port 443 from the HDS host
  - TCP connectivity from the HDS host to the Postgres database host, syslog host and statsd host
  - HTTPS proxies are unsupported
References
• Cisco Spark - Cloud and On Premise Security explained
https://www.ciscolive.com/global/on-demand-library/?search=brkcol-2030#/session/1484039969829001YwFb
• Cisco Spark Hybrid Services Architectural Design
https://www.ciscolive.com/global/on-demand-library/?search=brkcol-2202#/session/1485462759889001X5bX
• Authentication and Authorization in Collaboration Deployments: concepts and architecture
https://www.ciscolive.com/global/on-demand-library/?search=brkcol-2699#/session/1485462759687001XTYU
• Authentication and Authorization in Collaboration Deployments: implementation and troubleshooting
https://www.ciscolive.com/global/on-demand-library/?search=brkucc-2444#/session/1488238596662001CLEl
• Cisco Spark Security and Privacy Whitepaper
https://help.webex.com/docs/DOC-9095
Cloud Collaboration Network Security

Cloud Collaboration Network Security Primer
• Firewalls
  - Whitelists for Spark clients, devices and Services
  - Media support - UDP/TCP/HTTP
• HTTP Proxies
  - Proxy Types and Proxy Detection
  - Proxy Authentication Methods (Basic / Digest / NTLM / Negotiate / Kerberos), Auth Bypass
  - Proxy TLS / HTTPS traffic inspection - Certificate Pinning
Cisco Spark Cloud Access - Enterprise VLANs

Connecting from the Enterprise - Firewalls
Whitelisted Ports and Destinations for signalling and media from Spark Desk and Room Devices and Spark Clients (see following slides for details).
Media Port Ranges:
• Source UDP Ports: Voice 52000 - 52099, Video 52100 - 52299
• Source TCP / HTTP Ports: Ephemeral (=> No DSCP re-marking)
• Destination UDP / TCP / HTTP Port: 5004, 5006
• Destination IP Addresses: Any
Voice and Video Classification and Marking - Port Range Summary, Endpoints and Clients
• Audio: 52000 - 52099 (Spark Soft Clients 52000 - 52049, Spark Devices 52050 - 52099)
• Video: 52100 - 52299 (Spark Soft Clients 52100 - 52199, Spark Devices 52200 - 52299)
Spark Apps: Network Port and Whitelist Requirements
Spark Device: Spark applications (Windows, Mac, iOS, Android, Web)

Protocol | Source Ports | Destination Ports | Destination | Function
UDP | Voice 52000 - 52049, Video 52100 - 52199 (Exception - Windows (OS firewall issue): ephemeral source ports used today, fix due by Q3 CY '17) | 5004 & 5006 | Any IP Address | SRTP over UDP to Spark Cloud Media Nodes
TCP | Ephemeral | 5004 & 5006 | Any IP Address | SRTP over TCP or HTTP to Spark Cloud Media Nodes
TCP | Ephemeral | 443 | identity.webex.com | HTTPS - Spark Identity Service
TCP | Ephemeral | 443 | idbroker.webex.com | HTTPS - OAuth Service
TCP | Ephemeral | 443 | *.wbx2.com | HTTPS - Core Spark Services
TCP | Ephemeral | 443 | *.webex.com | HTTPS - Identity management
TCP | Ephemeral | 443 | *.ciscospark.com | HTTPS - Core Spark Services
TCP | Ephemeral | 443 | *.clouddrive.com | HTTPS - Content and Space Storage
TCP | Ephemeral | 443 | *.rackcdn.com | HTTPS - Content and Space Storage
TCP | Ephemeral | 443 | *.crashlytics.com | HTTPS - Anonymous crash data
TCP | Ephemeral | 443 | *.mixpanel.com | HTTPS - Anonymous Analytics
TCP | Ephemeral | 443 | *.appsflyer.com | HTTPS - Mobile Clients only - Ad Analytics
TCP | Ephemeral | 443 | *.adobetm.com | HTTPS - Web Clients only - Analytics
TCP | Ephemeral | 443 | *.omtrdc.net | HTTPS - Web Clients only - Telemetry
TCP | Ephemeral | 443 | *.optimizely.com | HTTPS - Web Clients only - Metrics
Spark Devices: Network Port and Whitelist Requirements
Spark Device: Desktop and Room Systems (SX Series, DX Series, MX Series, Room Kits, Spark Boards*)

Protocol | Source Ports | Destination Ports | Destination | Function
UDP | Voice 52050 - 52099, Video 52200 - 52299 (EFT today, GA Q3 CY '17) | 5004 & 5006 | Any IP Address | SRTP over UDP to Spark Cloud Media Nodes
TCP | Ephemeral | 5004 & 5006 | Any IP Address | SRTP over TCP or HTTP to Spark Cloud Media Nodes* (not Spark Board)
TCP | Ephemeral | 443 | identity.webex.com | HTTPS - Spark Identity Service
TCP | Ephemeral | 443 | idbroker.webex.com | HTTPS - OAuth Service
TCP | Ephemeral | 443 | *.wbx2.com | HTTPS - Core Spark Services
TCP |  Ephemeral | 443 | *.webex.com | HTTPS - Identity management
TCP | Ephemeral | 443 | *.ciscospark.com | HTTPS - Core Spark Services
TCP | Ephemeral | 443 | *.clouddrive.com | HTTPS - Content and Space Storage
TCP | Ephemeral | 443 | *.rackcdn.com | HTTPS - Content and Space Storage
TCP | Ephemeral | 443 | *.crashlytics.com | HTTPS - Anonymous crash data
TCP | Ephemeral | 443 | *.mixpanel.com | HTTPS - Anonymous Analytics
TCP | Ephemeral | 443 | *dropboxusercontent.com | HTTPS - *Spark Board (firmware updates)
Connecting from the Enterprise - Firewalls (Hybrid Media Node)
Media Port Ranges:
• Source UDP Ports: Voice and Video 33434 - 33598
• Source TCP / HTTP Ports: Ephemeral (=> No DSCP re-marking)
• Destination UDP / TCP / HTTP Port: 5004
• Destination IP Addresses: Any
Hybrid Media Node (HMN):
• Can be used to limit the source IP address range to HMNs only
• Hybrid Media Node source UDP ports for voice and video are different to those used by endpoints - used for cascade links to the Spark Cloud
• Voice and Video use a common UDP source port range: 33434 - 33598
Connecting from the Enterprise - Firewalls (Hybrid Data Security Node)
Hybrid Data Security Node (HDS):
• Key Management Service
• Indexing (Search) Service
• E-Discovery Service
Hybrid Data Services traffic:
• HDS signaling traffic only (no media)
• Outbound HTTPS and WSS signaling only
HMN & HDS Nodes: Network Port & Whitelist Requirements

Spark Device | Protocol | Source Ports | Destination Ports | Destination | Function
Hybrid Media Node (HMN) | UDP | Voice and Video use a common UDP source port range: 33434 - 33598 | 5004 (cascade destination) | Any IP Address | Cascaded SRTP over UDP media streams to Cloud Media Nodes
Hybrid Media Node (HMN) | TCP | Ephemeral | 5004 (cascade destination) | Any IP Address | Cascaded SRTP over TCP/HTTP media streams to Cloud Media Nodes
Hybrid Media Node (HMN) | TCP | Ephemeral | 123, 53, 444 | Any | NTP, DNS, HTTPS
Hybrid Media Node (HMN) | TCP | Ephemeral | 443 | *wbx2.com, *idbroker.webex.com | HTTPS Configuration Services
Hybrid Data Security Node (HDS) | TCP | Ephemeral | 443 | *.wbx2.com, idbroker.webex.com, identity.webex.com, index.docker.io | Outbound HTTPS and WSS
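The whitelist tables above (Spark Apps, Spark Devices, and the HMN & HDS nodes) as a small rule checker added here, so that a proposed or observed flow can be tested against them before a firewall change. This is example code written for this page, not a Cisco tool; the `Rule` and `Flow` types and the rule names are this example's own, `SparkAppRules` transcribes only the Spark application rows (with the HTTPS row trimmed to the service destinations) plus the HDS node row, and the sample flows use the documentation address 203.0.113.10. It also shows the difference between the two wildcard spellings the tables use: `*.wbx2.com` needs a label before the suffix, while a bare `*wbx2.com` (as written on the HMN row) also matches any name that merely ends in that text, so the dotted form is the one to prefer when transcribing into a proxy or firewall whitelist.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one row of the whitelist tables, as this example models it.
// SrcPorts is an inclusive range; a zero range means "ephemeral" (any source port).
type Rule struct {
	Name     string
	Proto    string
	SrcPorts [2]int
	DstPorts []int
	Dests    []string // "*" = any IP address; "*.wbx2.com" = wildcard suffix
}

// Flow is one proposed or observed connection from an app or node.
type Flow struct {
	Proto            string
	SrcPort, DstPort int
	Dest             string // destination host name or IP address
}

// hostMatches implements the wildcard notation the tables use. "*.example.com"
// requires at least one label before the suffix; a bare "*example.com" matches
// anything ending in that text, which is looser than usually intended.
func hostMatches(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if pattern == "*" {
		return true
	}
	if strings.HasPrefix(pattern, "*") {
		suffix := pattern[1:]
		return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
	}
	return host == pattern
}

// Allows reports whether this row permits the flow: protocol, source range,
// destination port and destination must all match.
func (r Rule) Allows(f Flow) bool {
	if !strings.EqualFold(r.Proto, f.Proto) {
		return false
	}
	if r.SrcPorts != [2]int{} && (f.SrcPort < r.SrcPorts[0] || f.SrcPort > r.SrcPorts[1]) {
		return false
	}
	dstOK := false
	for _, p := range r.DstPorts {
		dstOK = dstOK || p == f.DstPort
	}
	if !dstOK {
		return false
	}
	for _, d := range r.Dests {
		if hostMatches(d, f.Dest) {
			return true
		}
	}
	return false
}

// Match returns the first rule that permits the flow; no match means the
// flow is outside the published whitelist.
func Match(rules []Rule, f Flow) (string, bool) {
	for _, r := range rules {
		if r.Allows(f) {
			return r.Name, true
		}
	}
	return "", false
}

// SparkAppRules transcribes the Spark applications rows (HTTPS row trimmed to the
// service destinations) and the HDS node row from the tables above.
var SparkAppRules = []Rule{
	{"app voice SRTP/UDP", "UDP", [2]int{52000, 52049}, []int{5004, 5006}, []string{"*"}},
	{"app video SRTP/UDP", "UDP", [2]int{52100, 52199}, []int{5004, 5006}, []string{"*"}},
	{"app SRTP/TCP", "TCP", [2]int{}, []int{5004, 5006}, []string{"*"}},
	{"app HTTPS", "TCP", [2]int{}, []int{443}, []string{"identity.webex.com", "idbroker.webex.com",
		"*.wbx2.com", "*.webex.com", "*.ciscospark.com", "*.clouddrive.com", "*.rackcdn.com"}},
	{"HDS HTTPS/WSS", "TCP", [2]int{}, []int{443}, []string{"*.wbx2.com", "idbroker.webex.com",
		"identity.webex.com", "index.docker.io"}},
}

func main() {
	// Constructed sample flows; 203.0.113.10 is a documentation address.
	for _, f := range []Flow{
		{"UDP", 52010, 5004, "203.0.113.10"},
		{"UDP", 52060, 5004, "203.0.113.10"},
		{"TCP", 51234, 443, "api.wbx2.com"},
		{"TCP", 51234, 443, "wbx2.com.example.net"},
	} {
		name, ok := Match(SparkAppRules, f)
		fmt.Printf("%-3s %5d -> %s:%d  allowed=%v rule=%q\n", f.Proto, f.SrcPort, f.Dest, f.DstPort, ok, name)
	}
}
```

The second sample flow is deliberately a device source port (52060) checked against the app rules: with the strict ranges from the table it is rejected, which is the behaviour a firewall built from the table will have for the Windows clients the table notes still use ephemeral source ports.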
Cisco Spark Cloud Access - Enterprise Proxies

Connecting from the Enterprise - Proxy Types
Proxy Types:
• Proxy address given to the device/application
• Transparent Proxy (the device/application is unaware of the proxy's existence)
  - In Line Proxies (e.g. combined Proxy and Firewall)
  - Traffic Redirection (e.g. using Cisco WCCP)
Only HTTP/HTTPS (signalling) traffic is sent to the proxy server, e.g. destination port 443; UDP media is not proxied.
Network Capabilities Spark Devices - Proxy Detection

Spark Device | Protocol | Software Train | Proxy Detection | Granular Configuration
Windows, Mac, iOS, Android, Web | HTTPS | WME | Yes: Manual; Yes: PAC Files | Manually configure Proxy Address or use PAC files (or Windows GPO)
DX | HTTPS | Room OS | Yes: Manual using Web access | Configure Proxy Address via device Web interface
SX | HTTPS | Room OS | Yes: Manual using Web access | Configure Proxy Address via device Web interface
MX | HTTPS | Room OS | Yes: Manual using Web access | Configure Proxy Address via device Web interface
Room Kits | HTTPS | Room OS | Yes: Manual using Web access | Configure Proxy Address via device Web interface
Spark Board | HTTPS | Spark Board OS | Yes: Manual Configuration | Manual Configuration of Proxy Address
Connecting from the Enterprise - Proxy Authentication
• Proxy intercepts the outbound HTTP request
• Authenticates the user (username & password)
• Authenticated user's traffic is forwarded
• Unauthenticated user's traffic is dropped/blocked
Proxy Authentication is not mandatory; many Enterprises do no authentication.
Common Proxy Authentication Methods
• Basic Authentication
• Digest Authentication
• NTLMv2 Authentication
• Negotiate Authentication
• Kerberos
Proxy Authentication Methods - Basic Authentication
• Uses standard HTTP headers
• Username and password are Base64 encoded
• Username and password are NOT encrypted or hashed
• Basic username and password challenge for devices
  - i.e. devices are not users (no human interaction)
  - Create one account (e.g. LDAP account) for all devices, or create an account per device
  - No password expiration
Proxy Authentication Methods - Kerberos
• Strongest security
• Components: Client, Authentication / Key Distribution Service, Ticket Granting Service, Application Server
• Encrypted communication based on shared secrets
• The client authenticates with the Authentication Service; once authenticated, it receives a Ticket Granting Ticket (TGT)
• The client requests access to a service (e.g. the Proxy) by presenting the TGT to the Ticket Granting Service; the TGS authenticates the client and returns an encrypted Service Ticket
• The client presents the Service Ticket to the Proxy, which validates the user (using the shared secret)
• HTTPS connection proceeds
Proxy Authentication Bypass Methods
Manually configure the Proxy Server with:
• Device IP Addresses (diagram: 10.100.200.1, 10.100.200.3)
• Whitelisted Destinations (e.g. *ciscospark.com): identity.webex.com, idbroker.webex.com, *.wbx2.com, *.webex.com, *.ciscospark.com, *.clouddrive.com, *.crashlytics.com, *.mixpanel.com, *.rackcdn.com
Network Capabilities Spark Devices - Proxy Authentication

Spark Device | Protocol | Software Train | Proxy Authentication | Granular Configuration
Windows, Mac, iOS, Android, Web | HTTPS | WME | Basic - No; Digest - No; NTLM - Yes (Windows); Kerberos - No | Windows only today; other OSs use Authentication Bypass (Basic / Digest / Kerberos - planned)
DX | HTTPS | Room OS | Yes: Basic Auth - Web based config; Digest Auth - planned | Configure Username and Password for Proxy Authentication (Basic Auth)
SX | HTTPS | Room OS | Yes: Basic Auth - Web based config; Digest Auth - planned | Configure Username and Password for Proxy Authentication (Basic Auth)
MX | HTTPS | Room OS | Yes: Basic Auth - Web based config; Digest Auth - planned | Configure Username and Password for Proxy Authentication (Basic Auth)
Room Kits | HTTPS | Room OS | Yes: Basic Auth - Web based config; Digest Auth - planned | Configure Username and Password for Proxy Authentication (Basic Auth)
Spark Board | HTTPS | Spark Board OS | Yes: Basic Auth - Manual Configuration | Configure Username and Password for Proxy Authentication (Basic Auth)
Network Capabilities Spark Devices – HTTPS Inspection

| Spark Device | Protocol | Software Train | Supports TLS/HTTPS Inspection | Cert Validation Method |
| --- | --- | --- | --- | --- |
| Windows, Mac, Web | HTTPS | WME | Yes: Win / Mac / Browser | If an enterprise certificate exists, bypass the certificate pinning process |
| iOS, Android | HTTPS | WME | No: iOS, Android | HTTPS inspection bypass |
| DX | HTTPS | Room OS | Yes – requires per-org config of Identity Service | Load private CA certs in Spark service; download trust list with private certs |
| SX | HTTPS | Room OS | Yes – requires per-org config of Identity Service | Load private CA certs in Spark service; download trust list with private certs |
| MX | HTTPS | Room OS | Yes – requires per-org config of Identity Service | Load private CA certs in Spark service; download trust list with private certs |
| Room Kits | HTTPS | Room OS | Yes – requires per-org config of Identity Service | Load private CA certs in Spark service; download trust list with private certs |
| Spark Board | HTTPS | Spark Board OS | No (planned Q3 CY '17) | HTTPS inspection bypass |
Network Capabilities Spark Devices – 802.1X

| Spark Device | Protocol | Software Train | EAP-FAST | EAP-TLS | MIC | Non CUCM LSC | Certificate Installation Capability | Granular Configuration |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Windows, Mac, iOS, Android, Web | HTTPS | WME | Wi-Fi – Yes; Wired – Yes | Wi-Fi – Yes; Wired – Yes | N/A | Yes | Yes | Manually install LSC (Windows GPO, Mac – configuration profiles) |
| DX | HTTPS | Room OS | Wi-Fi – Yes; Wired – Yes | Wi-Fi – Yes; Wired – Yes | 2H CY17 | Yes | Yes | Web based: install enterprise LSC via device web interface |
| SX | HTTPS | Room OS | Wired – Yes | Wired – Yes | No | Yes | Yes | Web based: install enterprise LSC via device web interface |
| MX | HTTPS | Room OS | Wired – Yes | Wired – Yes | No | Yes | Yes | Web based: install enterprise LSC via device web interface |
| Room Kits | HTTPS | Room OS | Wi-Fi – Yes; Wired – Yes | Wi-Fi – Yes; Wired – Yes | Yes | Yes | Yes | Web based: install enterprise LSC via device web interface |
| Spark Board | HTTPS | Spark Board OS | No (planned Q3 CY '17) | No (planned Q3 CY '17) | No | No (planned Q3 CY '17) | | Use MAC address bypass |
Connecting from the Enterprise – VLANs
How are the switch ports configured?
• Single static untagged VLAN?
• Dynamic VLAN assignment based on CDP/LLDP TLV values?
• Multiple static VLANs (e.g. Data VLAN & Aux VLAN)? – 802.1Q VLAN tagging required for the Auxiliary VLAN
Minimum enterprise network requirements:
• Internet access
• DHCP, DNS server access
• Internal TCP connectivity and ICMP to devices for support
Network Capabilities Spark Devices – CDP/LLDP, 802.1Q

| Spark Device | Protocol | Software Train | CDP / LLDP | 802.1Q | Ethernet PC Port | Granular Configuration |
| --- | --- | --- | --- | --- | --- | --- |
| Windows, Mac, iOS, Android, Web | HTTPS | WME | No / No | N/A | N/A | Static untagged (data) VLAN |
| DX | HTTPS | Room OS | Yes / No | Yes | Yes | Dynamic VLAN assignment, 802.1Q tagging, connected PC supported |
| Room Kit, MX, SX | HTTPS | Room OS | Yes / No | Yes | No | Dynamic VLAN assignment, 802.1Q tagging |
| Spark Board | HTTPS | Spark Board OS | Yes / No | Yes | No | Dynamic VLAN assignment, 802.1Q tagging |
What do we send to Third Party sites?

| Site | Clients that Access It | What is sent there | User PII? | Anonymized Usage info? | Encrypted User Generated Content? |
| --- | --- | --- | --- | --- | --- |
| *.clouddrive.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing. Part of Rackspace content system. | N | N | Y |
| *.rackcdn.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing. Part of Rackspace content system. | N | N | Y |
| *.mixpanel.com | Win, Mac, iOS, Android, Web | Anonymous usage data | N | Y | N |
| *.appsflyer.com | iOS, Android | Anonymous usage data related to onboarding | N | Y | N |
| *.adobedtm.com | Web | Anonymous usage data | N | Y | N |
| *.omtrdc.net | Web | Anonymous usage data | N | Y | N |
| *.optimizely.com | Web | Anonymous usage data for A/B testing | N | Y | N |
Connecting from the Enterprise – Proxy Detection
• Proxy detection (proxy address given to the device/application)
  • Manual configuration
  • Auto configuration (Proxy Auto Config (PAC) files)

Cisco Spark Cloud Access
Network Access Control 802.1X
Connecting from the Enterprise – 802.1X
802.1X operation:
• Switch port network access restricted
• Client presents credentials to the Authentication Server
• After successful authentication – switch port configured for the device, e.g. VLAN(s), ACLs
802.1X Network Authentication Methods
• There are many options…
• Two key authentication methods:
  • EAP-FAST
  • EAP-TLS
802.1X Network Authentication: EAP-FAST
802.1X Extensible Authentication Protocol – FAST
• Flexible Authentication via Secure Tunneling
• Username and password based
• Does not require certificates
802.1X Network Authentication: EAP-TLS
802.1X Extensible Authentication Protocol – TLS
• Transport Layer Security
• Requires digital certificates
• Mutual client – server authentication
802.1X Fallback – MAC Address Bypass (MAB)
Bypasses the 802.1X authentication mechanisms:
• Uses the device MAC address
• Commonly used for non-802.1X-capable devices
• MAC address manually entered into the Authentication Server (e.g. Phone 1, MAC AA:BB:CC:11:22:33)
Proxy Authentication Methods – Digest Authentication
• Digest Authentication
  • Uses standard HTTP headers
  • Username and password are not sent
  • A hash of the username and password is sent instead
• Basic username and password challenge for devices
  • i.e. devices are not users (no human interaction)
  • Create one account (e.g. LDAP account) for all devices
  • Or create an account per device
  • No password expiration
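The difference between the Basic slide earlier and the Digest slide above is easiest to see in code. The Go program below is an added example, not part of the deck or of any Cisco product: it builds and decodes a Basic `Proxy-Authorization` value (showing that Base64 is reversible by anyone who sees the header), then computes and verifies an RFC 2617 Digest response with `qop=auth`, where only a nonce-bound MD5 digest crosses the wire and the proxy can keep HA1 rather than the clear password. The device account name and password are constructed; the Digest values are the worked example from RFC 2617 section 3.5.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// BasicProxyHeader builds the Proxy-Authorization value a device sends for
// Basic authentication: the credentials are only Base64 encoded.
func BasicProxyHeader(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// DecodeBasic recovers the username and password from a Basic header. Anyone
// who can read the header (plain HTTP to the proxy, a log file) can do this.
func DecodeBasic(header string) (string, string, error) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", "", errors.New("not a Basic credential")
	}
	raw, err := base64.StdEncoding.DecodeString(header[len(prefix):])
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed user:password pair")
	}
	return parts[0], parts[1], nil
}

func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// DigestHA1 is what a Digest proxy can store instead of the clear password:
// MD5(username:realm:password) per RFC 2617.
func DigestHA1(user, realm, pass string) string {
	return md5hex(user + ":" + realm + ":" + pass)
}

// DigestResponse is what the client sends (RFC 2617, qop=auth):
// MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri). The password
// never leaves the device and the server nonce binds the value to one exchange.
func DigestResponse(ha1, method, uri, nonce, nc, cnonce string) string {
	ha2 := md5hex(method + ":" + uri)
	return md5hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2)
}

// VerifyDigest is the proxy side: recompute from the stored HA1 and compare in
// constant time so the comparison leaks nothing about the expected value.
func VerifyDigest(ha1, method, uri, nonce, nc, cnonce, response string) bool {
	expected := DigestResponse(ha1, method, uri, nonce, nc, cnonce)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(response)) == 1
}

func main() {
	// Constructed device account, as the slide suggests for non-human clients.
	hdr := BasicProxyHeader("spark-device", "s3cret")
	u, p, _ := DecodeBasic(hdr)
	fmt.Printf("%s -> user=%q pass=%q (recoverable by anyone who sees it)\n", hdr, u, p)

	// RFC 2617 section 3.5 example values.
	ha1 := DigestHA1("Mufasa", "testrealm@host.com", "Circle Of Life")
	nonce := "dcd98b7102dd2f0e8b11d0f600bfb0c093"
	resp := DigestResponse(ha1, "GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
	fmt.Println("digest response:", resp)
	fmt.Println("verified:", VerifyDigest(ha1, "GET", "/dir/index.html", nonce, "00000001", "0a4f113b", resp))
	fmt.Println("same response, new nonce:", VerifyDigest(ha1, "GET", "/dir/index.html", "fresh-nonce", "00000001", "0a4f113b", resp))
}
```

Two caveats the slides' bullet form leaves implicit: Digest still relies on MD5 and on the proxy holding HA1, so it is an improvement over Basic rather than a substitute for TLS between device and proxy, and a captured response is tied to the server nonce, which is why the replay in the last line fails.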
Proxy Authentication Methods – NTLMv2 (Windows Only)
• NT LAN Manager (NTLM) Authentication
  • Microsoft challenge/response authentication protocol
  • Username sent in plain text
  • Challenge/nonce sent from the server
  • Password hash used to encrypt the challenge and return it to the server
  • Password hashed but not sent
• Windows based username and password challenge for devices
  • i.e. devices are not users (no human interaction)
  • Create one account (AD account) for all devices
  • Or create an account per device
  • No password expiration
Proxy Authentication Methods – Negotiate/IWA (Windows Only)
• Negotiate Authentication
  • Microsoft implementation of SPNEGO – Simple and Protected GSSAPI Negotiation Mechanism (GSSAPI: Generic Security Service API)
  • Negotiates the use of either:
    • Kerberos, or fallback to
    • NTLM
• Windows based username and password challenge for devices
  • i.e. devices are not users (no human interaction)
  • Create one account (AD account) for all devices
  • Or create an account per device
  • No password expiration
IWA – Integrated Windows Access
Proxy TLS/HTTPS Inspection – Non Spark Apps
• HTTPS/TLS inspection
  • Private CA signed certificate sent to the client on connection establishment
  • Client compares the private CA root cert with those received in the cert chain
  • If they match – accept and proceed with the TLS connection

Proxy TLS/HTTPS Inspection – Non Spark Apps (2)
• HTTPS/TLS inspection
  • Proxy starts a new HTTPS/TLS connection to the web/cloud service
  • Proxy receives the certificate from the web/cloud service
  • Proxy uses the certificate to establish a secure TLS/HTTPS connection
  • Proxy can now decrypt, inspect and re-encrypt session traffic
HTTP Proxy – No HTTPS Inspection – Spark Certificate Pinning
• Certificate pinning
  • CA signed Cisco Spark certificate sent by the HTTPS/TLS server
  • Client creates a hash of the cert's public key
  • Client compares the hash with the certificate pin in its trust store
  • If they match – accept and proceed with the TLS connection
Certificate Pin = SHA-256 hash of CA root certificate public key: VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=
Proxy – HTTPS Inspection – Spark Certificate Pinning
• Certificate pinning
  • Proxy sends a private CA signed certificate during HTTPS/TLS set up
  • Client creates a hash of the private CA signed cert's public key
  • Client compares the hash with the certificate pin in its trust store
  • They DO NOT match: TLS connection terminated
Certificate Pin = SHA-256 hash of CA root certificate public key: VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=
HTTPS Inspection – Spark Devices Cert. Pinning Fix
• Private CA cert copied to the Spark Cloud
• Certificate pinning
  • Proxy sends a private CA signed certificate during HTTPS/TLS set up
  • Client creates a hash of the private CA signed cert's public key
  • Client compares the hash with the certificate pin in its trust store
  • They DO match: proceed with the TLS connection
• HTTPS/TLS inspection possible
Certificate Pin = SHA-256 hash of private CA root certificate public key: VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=
HTTPS Inspection – Spark Clients Cert. Pinning Fix
• Private CA cert copied to the client OS trust store
• Certificate pinning
  • Proxy sends a private CA signed certificate during HTTPS/TLS set up
  • Spark app checks whether a copy of the private CA cert exists in the OS trust store
  • If the cert exists – skip the certificate pinning process
  • Proceed with the TLS connection
• HTTPS/TLS inspection possible
Certificate Pin = SHA-256 hash of Spark CA root certificate public key: VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=
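The four pinning slides above describe one client decision with different inputs. The Go program below is an added example of that decision, not code from the deck, from the Spark clients or from any Cisco product: it computes a pin as base64(SHA-256(SubjectPublicKeyInfo)) of the presented root, which is the form the slides' 44-character value has, and then applies the policy in the order the slides describe it: accept on a pin match (the device fix adds the private CA's pin to the trust list), otherwise accept only if the chain validates against a CA in the OS trust store for the requested host name (the client fix), otherwise terminate. All certificates are generated in the program and are constructed test data, the host name `cloud.example.invalid` is constructed, and the type and function names are my own; the real Spark pin on the slide is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin is the pin form described on the slides: base64(SHA-256(SubjectPublicKeyInfo)).
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Decision is the client's verdict on the chain a server (or an inspecting proxy) presents.
type Decision string

const (
	AcceptPin  Decision = "accept: root pin is in the trust list"
	AcceptOSCA Decision = "accept: chain validates against OS trust store, pinning skipped"
	Reject     Decision = "reject: pin mismatch, TLS connection terminated"
)

// ClientDecision models the slides: first the pin check (pins may include a private CA pin
// pushed from the cloud, the device fix), then the client fix, which skips pinning when the
// OS trust store validates the chain for the requested host, otherwise the connection ends.
func ClientDecision(leaf, root *x509.Certificate, host string, pins []string, osTrust *x509.CertPool) Decision {
	pin := SPKIPin(root)
	for _, p := range pins {
		if p == pin {
			return AcceptPin
		}
	}
	if osTrust != nil {
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: osTrust, DNSName: host}); err == nil {
			return AcceptOSCA
		}
	}
	return Reject
}

// Everything below builds constructed certificates for the demonstration
// (not real Cisco or enterprise CAs).

var serial int64

func template(name string, ca bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mkCert generates a key and signs tmpl with parent/parentKey, or self-signs when parent is nil.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenarios runs the situations from the slides and returns the verdict for each.
func Scenarios() map[string]Decision {
	const host = "cloud.example.invalid" // constructed service name
	sparkCA, sparkKey := mkCert(template("Example Spark Root", true), nil, nil)
	sparkLeaf, _ := mkCert(template(host, false), sparkCA, sparkKey)
	proxyCA, proxyKey := mkCert(template("Example Private CA", true), nil, nil)
	proxyLeaf, _ := mkCert(template(host, false), proxyCA, proxyKey)
	pins := []string{SPKIPin(sparkCA)} // the pin shipped in the client's trust store
	osTrust := x509.NewCertPool()
	osTrust.AddCert(proxyCA) // the private CA pushed to the client OS
	return map[string]Decision{
		"direct to cloud":                    ClientDecision(sparkLeaf, sparkCA, host, pins, nil),
		"inspecting proxy, no fix":           ClientDecision(proxyLeaf, proxyCA, host, pins, nil),
		"device fix: private CA pin added":   ClientDecision(proxyLeaf, proxyCA, host, append(pins, SPKIPin(proxyCA)), nil),
		"client fix: private CA in OS store": ClientDecision(proxyLeaf, proxyCA, host, pins, osTrust),
	}
}

func main() {
	for name, d := range Scenarios() {
		fmt.Printf("%-36s %s\n", name, d)
	}
}
```

The practical point for an administrator is in the last two scenarios: both fixes work by making the inspecting proxy's CA trusted, either as an extra pin distributed from the cloud or as an OS-level root, so whoever controls that CA can read every Spark session it terminates, and its key deserves the same protection as the pinned root.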
Enterprise Security Features for Cloud

Cisco Spark Control Hub – full lifecycle management and security
• Provisioning, Admin, Management
• Security
• Compliance
• Analytics
Pro Pack – premium capabilities¹: Premium Visibility & Control, advanced role based capabilities
¹ for administrators, security professionals, or compliance officers who desire greater visibility and control or specific capabilities
Pro Pack Capabilities at August GA

| Capability | Standard | Pro Pack |
| --- | --- | --- |
| Security: End to end encryption | | |
| Security: Hybrid Data Security (on-prem KMS) | | |
| Security: Custom security settings | | |
| Compliance: eDiscovery console – search and extraction | 90 Days | Unlimited |
| Compliance: Compliance (Events) API for DLP, Archival and eDiscovery integration | 90 Days | Unlimited |
| Compliance: Flexible retention policy | | |
| Analytics: Basic reporting | 90 Days | 365 Days * |
| Analytics: Customized reports with drill down & multi-dimensional pivots | | * |
| Analytics: Real-time meeting diagnostics | | * |
| Analytics: Metrics API for reporting integration | | Coming soon ** |

* August will be WebEx usage data only, Cisco Spark data will follow in September
** API availability target Sept/Oct
Cisco Spark Pro Pack – Security Capabilities
• Mobile PIN enforcement & remote content wipe (for Cisco Spark content)
• Web idle session timeouts

Compliance Solution Strategy
• DLP
• eDiscovery
• Archival
• Legal Hold
Cisco Spark Roles
Capability areas: Users, Policies, Analytics, Logs, Licenses, Config, Discovery
• Full Admin ✔ ✔ ✔ ✔ ✔ ✔
• User Admin ✔ ✔
• Business Admin ✔ ✔
• Support Admin ✔ ✔ ✔
• Compliance Admin ✔
Retention Policies
• Purge activities, messages and files
• Default: indefinite, subject to storage limits
• Purged content is irretrievable

Enterprise Compliance – eDiscovery Reports
The eDiscovery reports console supports investigating DLP and other compliance events with speed and accuracy
§ Meet HR, GRC & Legal compliance mandates
§ Only authorized members of the legal, HR and GRC teams can investigate events
§ Will allow reports to be exported to eDiscovery products
(Backed by the Indexing Service)
eDiscovery Search and Extraction
• Extension of Cisco Spark Control Hub
• Search on email ID, space ID, keywords
• Designed for the Compliance Officer
• 90-day in the Cisco Spark base offer; any time period in Pro Pack for Cisco Spark Control Hub
• eDiscovery information console – generate JSON report
Archival Strategy
Ø DIY: use your favorite SI or self-integrate the Events API with archival software
Ø Out-of-the-box solution: integrations with archival partners, e.g. Actiance
Ø E2E custom solution: Cisco Advanced Services software packages & services
• Benefits
  • Sophisticated eDiscovery
  • Legal Hold
  • Retention policies based on groups
(Flow: Events API → Archival System → E-Discovery)
User Information and Propagation of Messages
Control propagation and inform users:
• Ownership and Retention
• External Participant Indicator
• Enlisting Users
• Message Deletion
• Read Receipts
• Space Locks
• Moderator Inheritance
DLP/CASB Integration
• Cisco will have the best solution here by combining our leading edge Cloudlock DLP/CASB (Data Loss Prevention / Cloud Access Security Broker) product with Cisco Spark.
• Customers who don't want Cloudlock can integrate with their own DLP systems through an AS offer, or their own custom development.
• We will be integrating with other third party vendors; we are evaluating Skyhigh and Symantec, but any DLP platform can be supported by using our APIs. We have an AS offer to address that space.
• We can support coarse grained and fine grained policies.
(Compliance Service)
Events API for Data Loss Prevention, Archival, eDiscovery
• A third party DLP or CASB applies its policies through the Cisco Spark Events API
• Corrective actions: delete content; alert user / admin
The API enables polling for events and content, which lets organizations monitor and correct user behavior, preventing the loss of sensitive data.
Integrations: third-party vendor software
Cisco Spark Integrations – Compliance and Data Loss Prevention (DLP)
Cisco CloudLock
• Discover and Control
  • User and Entity Behavior Analytics
  • Cloud Data Loss Prevention (DLP)
  • Apps Firewall
  • Cloud Malware
  • Shadow IT/OAuth Discovery and Control
• Data Exposures and Leakages
• Privacy and Compliance Violations
• Compromised Accounts
• Insider Threats
Jabber Enhanced Authorization

Jabber 11.9 delivers Enhanced Authorisation
• OAuth v2 (Open Authorisation) is an open standard for token based authentication and authorisation
• UC Manager 11.5SU3+ provides OAuth support with REFRESH tokens
• Once authenticated, Jabber is issued with access tokens which it uses to access services
• Token based authorisation provides faster reconnect to services
Jabber 11.9 OAuth – Updated Jabber Authorisation flow…
Jabber uses a discovery request to identify whether the OAuth flow is available ("Do I need to get a token?"). The flow may be via Expressway. Possible outcomes are:
• UC Manager 9.x, 10.x, 11.0 (11.5, 12.x optional)
  • Username/password, no refresh token
  • SAML-SSO, no refresh token
• UC Manager 12.0 (incl. 11.5 SU3+)
  • OAuth 2.0 with refresh token
  • OAuth 2.0 with SAML-SSO and refresh token
IMPORTANT: CUCM, IM&P, UnityC and Expressway versions must be aligned to support the new flow.
Enable the feature using the following service parameter (screenshot not reproduced).
(Diagram: Jabber 11.9 client; services: UC Manager UDS service, IM&P chat service, Unity Connection voicemail)
Jabber 11.9 OAuth – Updated Jabber Authorisation flow… (1)
• Jabber discovers that the new authorisation flow is being used.
• The Authorisation Service redirects the client to the Authentication Service before authorisation can take place.
(Diagram: Jabber 11.9 client; UC Manager Authorisation and Authentication services; users held in CUCM, LDAP or an IdP; the UC Manager UDS service, IM&P chat service and Unity Connection voicemail admit authorised users only – token required)
Jabber 11.9 OAuth – Updated Jabber Authorisation flow… (2)
• Jabber authenticates with the Authentication Service.
• The authentication method is dependent on UC Manager configuration (CUCM user, LDAP user or IdP user).
Jabber 11.9 OAuth – Updated Jabber Authorisation flow… (3)
• The Authentication Service refers Jabber back to the Authorisation Service.
• Access and Refresh tokens issued.
Jabber 11.9 OAuth – Updated Jabber Authorisation flow… (4)
• Once issued, the Access token is used for service access (UC Manager UDS service, IM&P chat service, Unity Connection voicemail).
• All CUCM services and IM&P services trust the token.
• Unity Connection can also trust the CUCM token.
Jabber 11.9 OAuth – Updated Jabber Authorisation flow… (5)
• Before the access token lifetime (60 mins) expires, Jabber uses the Refresh token to request a new Access token from the OAuth server.
• No need to go back to authentication.
Jabber 11.9 OAuth – Updated Jabber Authorisation flow… (6)
• When the Refresh token (60 days) expires, full authentication is required again.
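The token lifecycle in the last slides, as an added simulation that is not Cisco's code or a description of UC Manager internals: a stand-in authorisation server and a Jabber-like client using the 60-minute access and 60-day refresh lifetimes from the deck. The timeline also covers a case the slides do not spell out, an administrator revoking the refresh token, and shows that an access token already in the client's hands stays usable until it expires. The start time is constructed and the type and function names are my own.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Lifetimes from the slides: 60 minutes for the access token, 60 days for the refresh token.
const (
	AccessTTL  = 60 * time.Minute
	RefreshTTL = 60 * 24 * time.Hour
)

// Token is an opaque bearer value with its expiry.
type Token struct {
	Value   string
	Expires time.Time
}

func (t Token) valid(now time.Time) bool { return t.Value != "" && now.Before(t.Expires) }

var issued int

// opaque returns a unique token value; a real server would use a random or signed value.
func opaque() string {
	issued++
	return fmt.Sprintf("tok-%d", issued)
}

// AuthServer is a stand-in for the UC Manager authorisation service (a model, not Cisco's code).
type AuthServer struct {
	refreshTokens   map[string]time.Time // issued refresh tokens and their expiry
	Authentications int                  // how often the full authentication flow was needed
}

func NewAuthServer() *AuthServer { return &AuthServer{refreshTokens: map[string]time.Time{}} }

// Authenticate is the full flow (username/password or SAML SSO, per UC Manager
// configuration): the user is authenticated and both tokens are issued.
func (s *AuthServer) Authenticate(now time.Time) (access, refresh Token) {
	s.Authentications++
	access = Token{opaque(), now.Add(AccessTTL)}
	refresh = Token{opaque(), now.Add(RefreshTTL)}
	s.refreshTokens[refresh.Value] = refresh.Expires
	return access, refresh
}

// Refresh issues a new access token when the refresh token is known and unexpired.
func (s *AuthServer) Refresh(refresh Token, now time.Time) (Token, error) {
	exp, ok := s.refreshTokens[refresh.Value]
	if !ok || !now.Before(exp) {
		return Token{}, errors.New("refresh token unknown, revoked or expired")
	}
	return Token{opaque(), now.Add(AccessTTL)}, nil
}

// Revoke models an administrator invalidating a refresh token. It cannot recall an
// access token already issued, which stays usable until it expires.
func (s *AuthServer) Revoke(refresh Token) { delete(s.refreshTokens, refresh.Value) }

// Client models Jabber's token handling.
type Client struct {
	srv             *AuthServer
	access, refresh Token
}

// EnsureAccess obtains a usable access token for time now and reports how:
// "cached", "refreshed" (no re-authentication) or "authenticated" (full flow again).
func (c *Client) EnsureAccess(now time.Time) string {
	if c.access.valid(now) {
		return "cached"
	}
	if c.refresh.valid(now) {
		if t, err := c.srv.Refresh(c.refresh, now); err == nil {
			c.access = t
			return "refreshed"
		}
	}
	c.access, c.refresh = c.srv.Authenticate(now)
	return "authenticated"
}

// Timeline walks the lifecycle from the slides on a fixed clock (constructed start
// time) and returns the action at each step plus the number of full authentications.
func Timeline() ([]string, int) {
	srv := NewAuthServer()
	c := &Client{srv: srv}
	t0 := time.Date(2018, 4, 3, 9, 0, 0, 0, time.UTC)
	steps := []struct {
		at     time.Duration
		revoke bool // admin revokes the refresh token before this step
	}{
		{0, false},
		{30 * time.Minute, false},
		{61 * time.Minute, false},
		{61 * 24 * time.Hour, false},
		{61*24*time.Hour + 10*time.Minute, true},
		{61*24*time.Hour + 70*time.Minute, false},
	}
	var out []string
	for _, s := range steps {
		if s.revoke {
			srv.Revoke(c.refresh)
		}
		out = append(out, c.EnsureAccess(t0.Add(s.at)))
	}
	return out, srv.Authentications
}

func main() {
	actions, n := Timeline()
	fmt.Println(actions, "full authentications:", n)
}
```

The sixth step is the one worth remembering when responding to a lost or compromised device: revoking the refresh token stops future renewals, but the current access token keeps working for the remainder of its 60-minute lifetime, so the access lifetime bounds how long a stolen token stays useful.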
Cisco Connect Halifax 2018 – Cloud and On Premises Collaboration Security Explained

Cloud and On Premises Collaboration Security ExplainedCisco Canada
 
#CiscoLiveLA 2017 Presentacion de Miro Polakovic
#CiscoLiveLA 2017 Presentacion de Miro Polakovic #CiscoLiveLA 2017 Presentacion de Miro Polakovic
#CiscoLiveLA 2017 Presentacion de Miro Polakovic ITSitio.com
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerNovell
 
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSAWS User Group Kochi
 
Securing your Applications for the Cloud Age
Securing your Applications for the Cloud AgeSecuring your Applications for the Cloud Age
Securing your Applications for the Cloud AgeArtur Alves
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup SlidesJacksonMorgan9
 
User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...
User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...
User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...Amazon Web Services
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 
ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016  ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016 ForgeRock
 
Oracle Blockchain Platform
Oracle Blockchain PlatformOracle Blockchain Platform
Oracle Blockchain PlatformJuarez Junior
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...Hitachi, Ltd. OSS Solution Center.
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringVMware Tanzu
 
How to Adapt Authentication and Authorization Infrastructure of Applications ...
How to Adapt Authentication and Authorization Infrastructure of Applications ...How to Adapt Authentication and Authorization Infrastructure of Applications ...
How to Adapt Authentication and Authorization Infrastructure of Applications ...Hoang Tri Vo
 

Similaire à Cisco Connect Halifax 2018 cloud and on premises collaboration security explained (20)

Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
 
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
 
Cloud and On Premises Collaboration Security Explained
Cloud and On Premises Collaboration Security ExplainedCloud and On Premises Collaboration Security Explained
Cloud and On Premises Collaboration Security Explained
 
Cisco connect winnipeg 2018 cloud and on premises collaboration security ex...
Cisco connect winnipeg 2018   cloud and on premises collaboration security ex...Cisco connect winnipeg 2018   cloud and on premises collaboration security ex...
Cisco connect winnipeg 2018 cloud and on premises collaboration security ex...
 
Cloud and On Premises Collaboration Security Explained
Cloud and On Premises Collaboration Security ExplainedCloud and On Premises Collaboration Security Explained
Cloud and On Premises Collaboration Security Explained
 
#CiscoLiveLA 2017 Presentacion de Miro Polakovic
#CiscoLiveLA 2017 Presentacion de Miro Polakovic #CiscoLiveLA 2017 Presentacion de Miro Polakovic
#CiscoLiveLA 2017 Presentacion de Miro Polakovic
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
 
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
 
Securing your Applications for the Cloud Age
Securing your Applications for the Cloud AgeSecuring your Applications for the Cloud Age
Securing your Applications for the Cloud Age
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup Slides
 
AWS User Group November
AWS User Group NovemberAWS User Group November
AWS User Group November
 
User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...
User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...
User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016  ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016
 
Cognito Customer Deep Dive
Cognito Customer Deep DiveCognito Customer Deep Dive
Cognito Customer Deep Dive
 
Oracle Blockchain Platform
Oracle Blockchain PlatformOracle Blockchain Platform
Oracle Blockchain Platform
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with Spring
 
How to Adapt Authentication and Authorization Infrastructure of Applications ...
How to Adapt Authentication and Authorization Infrastructure of Applications ...How to Adapt Authentication and Authorization Infrastructure of Applications ...
How to Adapt Authentication and Authorization Infrastructure of Applications ...
 

Plus de Cisco Canada

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco Canada
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic frCisco Canada
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco Canada
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dcCisco Canada
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla nsCisco Canada
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco Canada
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Canada
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco Canada
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Cisco Canada
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v finalCisco Canada
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco Canada
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco Canada
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...Cisco Canada
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Canada
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...Cisco Canada
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet OverviewCisco Canada
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Canada
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicingCisco Canada
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco merakiCisco Canada
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zeroCisco Canada
 

Plus de Cisco Canada (20)

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devops
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic fr
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dc
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse locale
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybrides
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v final
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet Overview
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assurance
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicing
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zero
 

Dernier

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Dernier (20)

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Cisco Connect Halifax 2018 cloud and on premises collaboration security explained

  • 1. © 2017 Cisco and/or its affiliates. All rights reserved. 1 Cloud and On Premises Collaboration Security explained Jeff Corcoran Technology Solutions Architect - Collaboration April 3rd 2018 Cisco Connect
  • 2. Agenda • Review of Identity Management Authentication Authorization • Cisco Spark Cloud Security Realms of separation Identity obfuscation Client connection Secure search/indexing/E-Discovery • Cisco Spark Hybrid Data Security • Reference material Cloud Collaboration Network Security Enterprise Security Features for Cloud Jabbed Enhanced Authorization
  • 3. 3© 2017 Cisco and/or its affiliates. All rights reserved. Review of Identity Management
  • 4. © 2016 Cisco and/or its affiliates. All rights reserved. 4 Guest 4 Authentication and Authorization After authentication, the receptionist gives you a room key Your room key is your authorization token for your room and any other relevant hotel services You do not need your passport to enter your room. Your room key authorizes you to enter your room only. The room key does not identify the holder of the key. Authentication verifies that “you are who you say you are” Authorization verifies that “you are permitted to do what you are trying to do” Authentication The receptionist authenticates you by checking your passport Authorization
  • 5. © 2016 Cisco and/or its affiliates. All rights reserved. 5 Authentication and Authorization (SAML and OAuth) Authorization Clients Services IdP Authentication
  • 6. SAML v2.0 In Action SP-initiated Web Browser SSO Flow User Authentication (per IdP policy) Service Provider: CUCM, CUC, Webex, Spark Application ABC User SAML Response (with Assertion and cookie) POST with SAML Assertion Redirect w/Authentication Request Resource Request Metadata Exchange 1 2 3 4 5 SAML Authentication Request Identity Provider (IdP) 0 0 Protected Resource 6 IdP Web Browser
  • 7. SAML v2.0 In Action IdP Cookies Avoid Re-authentication IdP Service Provider: CUCM, CUC, Webex, Spark User Web Browser SAML Response (with Assertion) POST with SAML Assertion Redirect w/Authentication Request Resource Request Metadata Exchange 1 2 3 4 SAML Authentication Request (with cookie) Identity Provider (IdP) 0 0 Protected Resource 5 No authentication needed if cookie is valid
  • 8. Which IdP Does Cisco Supports ? Cisco supports any IdP vendor that is compliant with the SAMLv2 Oasis Standard. Internally in our development test cycles, we test our products against selected authentication methods of the follow IdP’s : § Microsoft Active Directory Federation Services (ADFS) 2.0 § Open Access Manager (OpenAM) 11.0 § PingFederate 6.10.0.4
• 9. API Authorization Challenges
  Diagram: many APIs/services (API/Service 1, 2, 3 ... N) each need to authorize callers against a single Identity Provider (IdP).
• 10. OAuth Authorization Framework
  - The OAuth 2.0 standard (RFC 6749) defines a framework to enable third-party applications to obtain limited access to a service or API on behalf of a user.
  - Users authorize client applications to securely access protected resources without sharing their credentials (access delegation).
  - Defines authorization tokens: the valet-key concept.
  - Clients can be web apps, native desktop/mobile apps, JavaScript in a browser, ...
  - Does not deal with user authentication.
  - Broad adoption in the API-driven world (cloud, microservices, integrations, ...). Source: https://www.programmableweb.com/apis/directory/1?auth=OAuth
• 11. OAuth 2.0 In Action: Roles and Generic Flow
  Roles: Resource Owner (the user), Client (the application), User Agent (the web browser), Authorization Server, Resource Server (CUCM, IM&P, Expressway, Unity Connection, Webex, Spark). The Authorization Server has a trust relationship with the IdP; authentication itself is outside the OAuth scope.
  1. Client requests authorization from the resource owner.
  2. Resource owner grants authorization.
  3. Authorization Server issues a token.
  4. Client requests the resource (with token).
  5. Resource Server sends the protected resource.
• 12. Authorization Code Grant: Access Tokens and Refresh Tokens
  - Access Token: a token that authorizes a bearer to access a protected resource. Access tokens are typically issued to a particular user with a particular scope and with a specific expiry time.
  - Refresh Token: a token that an OAuth client can use to request a new access token on expiry of an existing access token.
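A minimal Authorization Server and the resource-server check it serves, as an added example in Go (this is not Cisco's Common Identity code). Tokens are opaque random strings whose meaning lives only in the server's table, as on the slide: each access token is bound to a user, a scope set and an expiry, and a refresh token mints a replacement. The scope names, the user ID and the one-hour lifetime are illustrative, and the clock is injected so the expiry path can be exercised.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// grant is what an access token stands for: one user, a scope set, an expiry.
type grant struct {
	UserID  string
	Scopes  map[string]bool
	Expires time.Time
}

// AuthServer keeps the only mapping from opaque token string to grant. A
// resource server learns what a bearer token means by asking (introspection),
// never by trusting the client that presents it.
type AuthServer struct {
	access  map[string]*grant
	refresh map[string]*grant // refresh token -> user/scopes it may renew
	now     func() time.Time
	ttl     time.Duration
}

func NewAuthServer(now func() time.Time, accessTTL time.Duration) *AuthServer {
	return &AuthServer{access: map[string]*grant{}, refresh: map[string]*grant{}, now: now, ttl: accessTTL}
}

// opaqueToken returns 128 bits of randomness; nothing about the user or scope is
// encoded in it, so a leaked token can only be used, not read.
func opaqueToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Issue is step 3 of the generic flow: the resource owner has granted
// authorization (step 2), so mint a short-lived access token plus a refresh token.
func (s *AuthServer) Issue(userID string, scopes ...string) (access, refresh string) {
	g := &grant{UserID: userID, Scopes: map[string]bool{}, Expires: s.now().Add(s.ttl)}
	for _, sc := range scopes {
		g.Scopes[sc] = true
	}
	access, refresh = opaqueToken(), opaqueToken()
	s.access[access] = g
	s.refresh[refresh] = &grant{UserID: userID, Scopes: g.Scopes} // refresh lifetime is a policy choice, unlimited here
	return access, refresh
}

// Refresh trades a refresh token for a new access token with the same scope.
// The refresh token is rotated (a hardening choice, not required by RFC 6749),
// so a stolen copy stops working the moment the legitimate client uses it.
func (s *AuthServer) Refresh(refresh string) (newAccess, newRefresh string, err error) {
	g, ok := s.refresh[refresh]
	if !ok {
		return "", "", errors.New("invalid_grant: unknown or already-used refresh token")
	}
	delete(s.refresh, refresh)
	scopes := make([]string, 0, len(g.Scopes))
	for sc := range g.Scopes {
		scopes = append(scopes, sc)
	}
	a, r := s.Issue(g.UserID, scopes...)
	return a, r, nil
}

// Introspect is what the resource server (CUCM, Webex, Spark, ...) does at
// step 4: is the bearer token live, and does it carry the scope this API needs?
func (s *AuthServer) Introspect(access, requiredScope string) (userID string, err error) {
	g, ok := s.access[access]
	if !ok {
		return "", errors.New("invalid_token")
	}
	if !s.now().Before(g.Expires) {
		delete(s.access, access)
		return "", errors.New("invalid_token: expired")
	}
	if !g.Scopes[requiredScope] {
		return "", errors.New("insufficient_scope")
	}
	return g.UserID, nil
}

func main() {
	clock := time.Date(2018, 4, 3, 10, 0, 0, 0, time.UTC)
	srv := NewAuthServer(func() time.Time { return clock }, time.Hour)
	access, refresh := srv.Issue("jsmith", "spark:messages_read")
	u, err := srv.Introspect(access, "spark:messages_read")
	fmt.Println(u, err) // jsmith <nil>
	_, err = srv.Introspect(access, "spark:messages_write")
	fmt.Println(err) // insufficient_scope
	clock = clock.Add(2 * time.Hour) // the access token ages out
	_, err = srv.Introspect(access, "spark:messages_read")
	fmt.Println(err) // invalid_token: expired
	access, _, _ = srv.Refresh(refresh)
	u, err = srv.Introspect(access, "spark:messages_read")
	fmt.Println(u, err) // jsmith <nil>
}
```

The short access-token lifetime is what limits the damage of a leaked bearer token (the room key of slide 4); the refresh token is the more valuable secret and is therefore never sent to the resource server.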
• 13. OAuth: Spark Service
  Parties: Spark thick client (with embedded browser), Cisco Spark Common Identity (Identity Broker and Access/OAuth Service), Customer IdP, Spark Service.
  1. The client opens the AuthZ URL; the authorization service redirects the embedded browser to the AuthN (SAML) endpoint.
  2. AuthN request: the Identity Broker provides the IdP URL for the SAML exchange.
  3. The embedded browser sends the SAML GET authentication request to the customer IdP, and the IdP authenticates the user.
  4. SAML POST with UID and IdP cookie: the assertion is POSTed to the Identity Broker, which validates the assertion and creates the SAML SP cookie.
  5. Redirect to the OAuth service with the SAML cookie and the UID of the user.
  6. The OAuth service verifies entitlement and scope for the user, generates the OAuth token and sends the access_token back to the client.
  7. The client uses the access_token to access the Spark Service.
• 14. Cisco Spark Cloud Security
• 15. Spark Cloud Security: Realms of Separation
  Components: Identity Service, Content Server, Key Management Service, Indexing Service, Compliance Service, spread across Data Centers A, B and C.
  - Spark logically and physically separates functional components within the cloud.
  - Identity Services holding real user identity (e.g. email addresses) are separated from the Encryption, Indexing and Compliance Services, which are in turn separated from the Data Storage Services.
• 16. Realms of Separation: Identity Obfuscation
  - Outside of the Identity Service, real identity information is obfuscated: for each User ID, Spark generates a random 128-bit Universally Unique Identifier (UUID), which is the user's obfuscated identity (e.g. jsmith@abc.com is known elsewhere only as htzb2n78jdbc9e).
  - No real identity information transits, or is stored, elsewhere in the cloud.
• 17. Spark: User Identity Sync and Authentication
  - Directory Sync: user info can be synchronized to the Spark Identity Service from the enterprise Active Directory.
  - Multiple user attributes can be synchronized; a scheduled sync tracks employee changes.
  - Passwords are not synchronized. The user either 1) creates a Spark password or 2) uses SSO for authentication.
• 18. Spark: SAML SSO Authentication
  - SSO for user authentication: administrators can configure Spark to work with their existing SSO solution.
  - Spark supports Identity Providers using Security Assertion Markup Language (SAML) 2.0 and OAuth 2.0.
  - See the slide notes for the list of supported IdPs.
• 19. Spark App: Cloud Connection
  1) The customer downloads and installs the Spark App (with trust anchors).
  2) The Spark client establishes a secure TLS connection with the Spark cloud.
  3) The Spark Identity Service prompts for an e-mail ID.
  4) The user is authenticated by the Spark Identity Service, or by the enterprise IdP (SSO).
  5) OAuth access and refresh tokens are created and sent to the Spark App. The access tokens contain details of the Spark resources the user is authorized to access.
  6) The Spark App presents its access tokens to register with Spark Services over a secure channel.
• 20. Spark Device: Cloud Connection
  1) The user enters the 16-digit activation code (e.g. 1234567890123456) received via e-mail from the Spark provisioning service.
  2) The device is authenticated by the Identity Service (trust anchors are sent to the device and a secure connection is established).
  3) OAuth access and refresh tokens are created and sent to the device's Spark client. The access tokens contain details of the Spark resources the user is authorized to access.
  4) The Spark client presents its access tokens to register with Spark Services over a secure channel.
• 21. Spark: Encrypting Messages and Content
  - Spark clients request a conversation encryption key from the Key Management Service.
  - Any messages or files sent by a client are encrypted before being sent to the Spark cloud (Content Server).
  - Each Spark room uses a different conversation encryption key.
  - The AES256-GCM cipher is used for encryption.
• 22. Spark: Decrypting Messages and Content
  - Encrypted messages sent by a client are stored in the Spark cloud (Content Server) and also sent on to every other client in the Spark room.
  - The encrypted message also contains a link to the conversation encryption key.
  - If needed, Spark clients can retrieve encryption keys from the Key Management Service.
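The key-per-room pattern of slides 21 and 22, as an added example in Go (this is not Spark's code; it models the behaviour the slides describe). A KMS hands out a random 256-bit conversation key per room and releases it only to members of that room; clients encrypt with AES-256-GCM and the Content Server stores an envelope that carries a link to the key (a kms:// URI, whose format is an assumption of this example) rather than the key itself; the sender is named only by the obfuscated UUID from the Identity Service (slide 16). Binding the key URI and sender UUID into the GCM additional data is a design choice of this example. The same code models an on-premises HDS KMS (slides 33 and 34): only the KMS host in the URI changes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// IdentityService is the only realm that knows real identities; everything else
// sees the random 128-bit UUID it hands out once per user.
type IdentityService struct{ byEmail map[string]string }

func (s *IdentityService) UUIDFor(email string) string {
	if s.byEmail == nil {
		s.byEmail = map[string]string{}
	}
	if id, ok := s.byEmail[email]; ok {
		return id
	}
	b := randomBytes(16)
	b[6] = b[6]&0x0f | 0x40 // RFC 4122 version 4
	b[8] = b[8]&0x3f | 0x80 // RFC 4122 variant
	id := fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:])
	s.byEmail[email] = id
	return id
}

// KMS (cloud or HDS) keeps one conversation key per room plus the member list it
// releases that key to. Keys are addressed by URI; only the URI travels.
type KMS struct {
	host    string
	keys    map[string][]byte
	members map[string]map[string]bool
}

func NewKMS(host string) *KMS {
	return &KMS{host: host, keys: map[string][]byte{}, members: map[string]map[string]bool{}}
}

// NewRoomKey creates the room's AES-256 key and returns its URI (format assumed).
func (k *KMS) NewRoomKey(memberUUIDs ...string) (keyURI string) {
	keyURI = fmt.Sprintf("kms://%s/keys/%x", k.host, randomBytes(8))
	k.keys[keyURI] = randomBytes(32)
	k.members[keyURI] = map[string]bool{}
	for _, m := range memberUUIDs {
		k.members[keyURI][m] = true
	}
	return keyURI
}

// Fetch is the authorized key retrieval a client performs before decrypting.
func (k *KMS) Fetch(keyURI, callerUUID string) ([]byte, error) {
	if !k.members[keyURI][callerUUID] {
		return nil, errors.New("caller is not a member of the room owning this key")
	}
	return k.keys[keyURI], nil
}

// Envelope is what the Content Server stores and relays: ciphertext plus the
// link to the key, never the key and never a real identity.
type Envelope struct {
	SenderUUID string
	KeyURI     string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, 16-byte tag appended
}

func aad(e Envelope) []byte { return []byte(e.KeyURI + "|" + e.SenderUUID) }

func Encrypt(key []byte, keyURI, senderUUID string, plaintext []byte) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	e := Envelope{SenderUUID: senderUUID, KeyURI: keyURI, Nonce: randomBytes(gcm.NonceSize())}
	e.Ciphertext = gcm.Seal(nil, e.Nonce, plaintext, aad(e))
	return e, nil
}

// Decrypt fails if the ciphertext, nonce, key URI or sender UUID were altered.
func Decrypt(key []byte, e Envelope) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, aad(e))
}

func main() {
	ids := &IdentityService{}
	alice, bob := ids.UUIDFor("jsmith@abc.com"), ids.UUIDFor("bob@abc.com")
	kms := NewKMS("kms.example.net") // cloud KMS, or an HDS node inside the enterprise
	uri := kms.NewRoomKey(alice, bob)
	key, _ := kms.Fetch(uri, alice)
	env, _ := Encrypt(key, uri, alice, []byte("Spark IS the message"))
	bobKey, _ := kms.Fetch(env.KeyURI, bob) // Bob follows the link carried in the envelope
	pt, err := Decrypt(bobKey, env)
	fmt.Println(string(pt), err) // Spark IS the message <nil>
}
```

A fresh random nonce per message is required for GCM; reusing a nonce under the same room key would break both confidentiality and the authentication tag, which is one reason a per-room key with many senders needs the KMS and clients to generate nonces from a CSPRNG as above.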
• 23. Searching Spark Rooms: Building a Search Index
  - The Indexing Service enables users to search for names and words in the encrypted messages stored in the Content Server without decrypting content.
  - A search index is built by creating a fixed-length hash* of each word in each message within a room (e.g. "Spark IS the message" -> B9 57 FE 48).
  - The hashed indexes for each Spark room are stored by the Content Service.
  * A new (SHA-256 HMAC) hashing key (Search Key) is used for each room.
• 24. Searching Spark Rooms: Querying a Search Index
  - Search for the word "Spark": the app sends the search request over a secure connection to the Indexing Service.
  - The Indexing Service uses the per-room search key to hash the search term ("Spark" -> B9).
  - The Search Service searches the hash tables for a match (B9 57 FE 48 contains B9) and returns the matching encrypted content to the app*.
  * A link to the conversation encryption key is sent with the encrypted message, so the app can fetch the key and decrypt the returned content.
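The per-room hashed index of slides 23 and 24, as an added example in Go (not Spark's implementation). Each room has its own random search key held by the KMS; the index the Content Service stores maps HMAC-SHA256(searchKey, word) to message IDs, and a query is answered by hashing the term with the same key. Tokenisation (lower-casing, splitting on non-alphanumerics) and keeping the full hex digest are choices of this example; the slides draw a shorter fixed-length hash. The same code applies unchanged when the Indexing Service runs on premises (slides 36 and 37).

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode"
)

// NewSearchKey creates the per-room search key. It lives in the KMS (cloud or
// HDS) next to the room's conversation key and is never stored with the index.
func NewSearchKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// HashWord is the fixed-length token for one word in one room. Without the
// room's key the output reveals nothing about the word, and the same word in
// another room yields an unrelated token.
func HashWord(searchKey []byte, word string) string {
	mac := hmac.New(sha256.New, searchKey)
	mac.Write([]byte(strings.ToLower(word)))
	return hex.EncodeToString(mac.Sum(nil))
}

func tokenize(text string) []string {
	return strings.FieldsFunc(text, func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsNumber(r)
	})
}

// Index is what the Content Service stores for one room: hashed word -> message IDs.
type Index struct{ postings map[string][]string }

func NewIndex() *Index { return &Index{postings: map[string][]string{}} }

// AddMessage is the Indexing Service's job: it sees the plaintext transiently,
// emits only hashes, and keeps no copy of the text.
func (ix *Index) AddMessage(searchKey []byte, msgID, plaintext string) {
	seen := map[string]bool{}
	for _, w := range tokenize(plaintext) {
		h := HashWord(searchKey, w)
		if !seen[h] {
			seen[h] = true
			ix.postings[h] = append(ix.postings[h], msgID)
		}
	}
}

// Query hashes the search term with the room's key and looks the token up; the
// stored index is never decrypted because it never contained words.
func (ix *Index) Query(searchKey []byte, term string) []string {
	return ix.postings[HashWord(searchKey, term)]
}

// LeaksWord is a check a reviewer can run over the stored index: no plaintext
// word (or its lower-case form) should appear as a key.
func (ix *Index) LeaksWord(word string) bool {
	_, exact := ix.postings[word]
	_, lower := ix.postings[strings.ToLower(word)]
	return exact || lower
}

func main() {
	roomA, roomB := NewSearchKey(), NewSearchKey()
	ixA, ixB := NewIndex(), NewIndex()
	ixA.AddMessage(roomA, "m1", "Spark IS the message")
	ixA.AddMessage(roomA, "m2", "the Spark Board")
	ixB.AddMessage(roomB, "m3", "Spark Board firmware")
	fmt.Println(ixA.Query(roomA, "spark")) // [m1 m2]
	fmt.Println(ixA.Query(roomB, "spark")) // []  (wrong room key: no hit)
	fmt.Println(HashWord(roomA, "spark")[:8] == HashWord(roomB, "spark")[:8]) // false
	fmt.Println(ixA.LeaksWord("Spark")) // false
}
```

What the index still reveals is word frequency and co-occurrence per room (which hashed tokens appear together), so the per-room key limits correlation to one room rather than removing it.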
• 25. Spark E-Discovery Service (1)
  - In the Spark Control Hub, the Compliance Officer selects a group of messages and files to be retrieved for E-Discovery, e.g. based on date range, content type or username(s).
  - The Indexing Service hashes the criteria (e.g. "Jo Smith's Content" -> X1GFT5YY) and requests a search of the related hashed content from the Search Service.
  - The Content Server returns the matching (still encrypted) content to the E-Discovery Service.
• 26. Spark E-Discovery Service (2)
  - The E-Discovery Service decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service.
  - The E-Discovery Storage Service sends the compressed and encrypted content (Jo Smith's messages and files) to the administrator on request; the Control Hub reports "E-Discovery Content Ready".
• 27. 3rd Party Integrations
  Cisco has developed key relationships with leading Cloud Access Security Brokers (CASB), compliance, archival and security vendors to enhance Cisco Spark and deliver key enterprise-grade features:
  - Compliance and Archiving: archive content to comply with retention requirements and enable eDiscovery.
  - Data Loss Prevention: apply policies to content, alert on violations, and take remediation actions.
  - Identity Management: Single Sign-On via SAML, Mobile Device Management (MDM), SCIM user provisioning and deactivation.
• 28. Spark Hybrid Data Security
• 29. Spark: Hybrid Data Security (HDS)
  Hybrid Data Services run on premises, in the customer's secure data center: Key Management Server, Indexing Server, E-Discovery Service. The Content Server stays in the Spark cloud.
• 30. Hybrid Data Security Traffic and Firewalls
  - Hybrid Data Services make outbound connections only, from the enterprise to the Spark cloud, using HTTPS and Secure WebSockets (WSS).
  - No special firewall configuration required.
• 31. Hybrid Data Security: Scalability
  - The Hybrid Data Security nodes are managed and upgraded from the cloud.
  - Customers can access usage information for the HDS servers via the Spark Control Hub.
  - Multiple HDS servers can be provisioned for scalability and load sharing.
• 32. Spark Hybrid Data Security: Key Management
  - The hybrid Key Management Server performs the same functions as the cloud-based Key Management Server.
  - Now all of the keys for messages and content are owned and managed by the customer, BUT the encrypted messages and content themselves are still stored in the Spark cloud (next slides).
• 33. HDS: Encrypting Messages and Content
  - Spark clients request an encryption key from the hybrid Key Management Server in the secure data center.
  - Any messages or files sent by a client are encrypted before being sent to the Spark cloud.
  - Encrypted messages and content are stored in the cloud; the encryption keys are stored locally.
• 34. HDS: Decrypting Messages and Content
  - Encrypted messages from clients are stored in the Spark cloud (Content Server).
  - These messages are sent to every other client in the Spark room and contain a link to their encryption key on the HDS Key Management Server.
  - If needed, Spark clients can retrieve encryption keys from the HDS Key Management Server.
• 35. Hybrid Data Security: Secure App Connections
  - Spark apps keep their TLS connection to the Spark cloud (app-to-cloud TLS) and, in addition, establish a TLS connection to the on-premises HDS node and its KMS service (app-to-HDS TLS).
  - This encrypted peer-to-peer session traverses the Spark cloud (the HDS node only makes outbound connections), so the cloud relays the app-to-HDS TLS session rather than being a party to it.
• 36. Hybrid Data Security: Search Indexing Service
  - The Indexing Service now runs in the secure data center next to the hybrid KMS. It enables users to search for names and words in the encrypted messages stored in the cloud Content Server without decrypting content.
  - As in the cloud case, each word is hashed to a fixed-length value ("Spark IS the message" -> B9 57 FE 48) and the hashed index is stored by the Content Service.
  * A new hashing key (Search Key) is used for each room.
• 37. Hybrid Data Security: Querying a Search Index
  - Search for the word "Spark": the on-premises Indexing Service hashes the app's search term with the room's search key ("Spark" -> B9) and sends the hashed index of the request to the Search Service.
  - The Search Service matches B9 against the stored hash tables (B9 57 FE 48) and returns the matching encrypted content.
  * A link to the conversation encryption key is sent with the encrypted message.
• 38. HDS: Spark E-Discovery Service (1)
  - In the Spark Control Hub, the Compliance Officer selects a group of messages and files to be retrieved for E-Discovery, e.g. based on date range, content type or username(s).
  - The on-premises Indexing Service hashes the search criteria ("Jo Smith's Content" -> X1GFT5YY) and sends them to the Search Service.
  - The Content Server returns the matching content to the on-premises E-Discovery Service.
• 39. HDS: Spark E-Discovery Service (2)
  - The on-premises E-Discovery Service decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service.
  - The E-Discovery Storage Service sends the compressed and encrypted content (Jo Smith's messages and files) to the administrator on request; the Control Hub reports "E-Discovery Content Ready".
• 40. HDS: Encryption Keys and Users in Other Organizations
  - Spark spaces with users from multiple organizations (Organization A and Organization B, each with its own KMS) can share encrypted messages and content.
  - How do external users retrieve encryption keys from the KMS of the organization that owns the Spark space?
• 41. HDS: Key Management Server Federation
  - Hybrid Key Management Servers in different organizations can establish a mutual TLS connection via the Spark cloud.
  - Hybrid Key Management Servers make outbound connections only: HTTPS and WebSocket Secure (WSS).
• 42. HDS: Key Management Server Federation (continued)
  - With a secure connection between Key Management Servers, mutually authenticated KMSs can request room encryption keys from one another on behalf of their users.
• 43. Hybrid Data Security Architecture
  Secure Data Center A: vSphere hosts running Hybrid Data Services nodes (VMs); each node runs Docker with an ECP management container and the HDS containers, and mounts the HDS Cluster Config ISO via an IDE mount.
  - ECP (Enterprise Compute Platform): management containers which communicate with the cloud and perform actions such as sending health checks and checking for new versions of HDS.
  - HDS (Hybrid Data Security): Key Management Server, Search Indexer, and eDiscovery services.
  - HDS Cluster Config: an ISO file containing configuration information for the local HDS cluster, e.g. database connection settings, database master encryption key, etc.
  - IDE Mount: mount point of the read-only HDS Cluster Config ISO file containing the configuration settings for the HDS system.
  - Customer-provided services: Postgres database, syslogd, database backup, system backup.
• 44. HDS Deployment Considerations
  - BYO: VM for deploying the HDS appliance, Postgres database and syslogd servers.
  - The customer manages backup and recovery of the Postgres database and the local configuration ISO.
  - The customer should perform quick disaster recovery in the event of a catastrophe (complete database disk failures, datacenter disaster).
  - HDS application nodes and the database need to be co-located in the same data center.
  - An HDS deployment requires significant customer commitment and an awareness of the risks that come with owning encryption keys: complete loss of either the configuration ISO or the Postgres database will result in loss of the decryption keys stored in HDS. This will prevent users from decrypting space content and other encrypted data. If this happens, an empty HDS can be restored; however, only new content will be visible.
• 45. HDS Installation Prerequisites
  See the prerequisites in https://www.cisco.com/go/hybrid-data-security
  - X.509 certificate, intermediates and private key (PKI is used for KMS-to-KMS federation): Common Name signed by a member of the Mozilla Trusted Root Store, no SHA-1 signatures, PKCS12 format (KMS identity example: kms://cisco.com).
  - 2 ESXi virtualized hosts: minimum 2 to support upgrades, 3 recommended, 5 maximum; minimum 4 vCPUs, 8 GB main memory, 50 GB local hard disk space per server. Easily supports 15K users per HDS.
  - 1 Postgres 9.6.1 database instance (key datastore): 8 vCPU, 16 GB RAM, 2 TB disk. User created with createuser and assigned GRANT ALL PRIVILEGES ON the database.
  - 1 syslog host: hostname and port required to centralize syslog output from the three HDS instances and the management containers.
  - A secure backup location: the HDS system requires organization administrators to securely back up two key pieces of information, 1) the configuration ISO file generated by this process and 2) the Postgres database. Failure to maintain adequate backups will result in loss of customer data. See <Section on Disaster Recovery>.
  - Network: outbound HTTPS on TCP port 443 from the HDS host; bi-directional WSS on TCP port 443 from the HDS host; TCP connectivity from the HDS host to the Postgres database host, syslog host and statsd host. HTTPS proxies are unsupported.
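A pre-flight check for the certificate prerequisite above, as an added example in Go (not part of the HDS installer). It inspects the X.509 certificate that will be packaged into the PKCS12 file and rejects the conditions the slide lists: a missing Common Name, a SHA-1 (or older) signature, a certificate outside its validity period, and, when a root pool is given, a chain that does not verify as a server certificate. The sample certificate is self-signed and generated in the code, so it passes the offline checks and verifies only when it is itself placed in the root pool; against real roots it would fail the chain check, which is the point of that check. The host name hds.abc.com is made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckHDSCert applies the certificate prerequisites to a parsed certificate.
// roots == nil skips chain building so the check can run offline; in a real
// pre-flight pass x509.SystemCertPool() (the Mozilla roots on most hosts) and
// the intermediates shipped with the certificate.
func CheckHDSCert(cert *x509.Certificate, intermediates, roots *x509.CertPool, now time.Time) error {
	if cert.Subject.CommonName == "" {
		return errors.New("no Common Name: HDS uses the CN as the KMS identity")
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return fmt.Errorf("signature algorithm %s is not allowed (no SHA-1)", cert.SignatureAlgorithm)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at %s", now.Format(time.RFC3339))
	}
	if roots != nil {
		_, err := cert.Verify(x509.VerifyOptions{
			Roots:         roots,
			Intermediates: intermediates,
			CurrentTime:   now,
			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		})
		if err != nil {
			return fmt.Errorf("chain does not verify to a trusted root: %w", err)
		}
	}
	return nil
}

// NewSelfSignedCert makes a throw-away ECDSA P-256 certificate (signed with
// SHA-256) for the given Common Name, to exercise the check without a CA.
func NewSelfSignedCert(cn string, notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, days),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Date(2018, 4, 3, 0, 0, 0, 0, time.UTC)
	cert, err := NewSelfSignedCert("hds.abc.com", now.Add(-time.Hour), 365)
	if err != nil {
		panic(err)
	}
	fmt.Println(cert.SignatureAlgorithm, CheckHDSCert(cert, nil, nil, now)) // ECDSA-SHA256 <nil>
	fmt.Println(CheckHDSCert(cert, nil, x509.NewCertPool(), now))          // chain does not verify ...
	weak := &x509.Certificate{Subject: pkix.Name{CommonName: "hds.abc.com"},
		SignatureAlgorithm: x509.SHA1WithRSA, NotAfter: now.AddDate(1, 0, 0)}
	fmt.Println(CheckHDSCert(weak, nil, nil, now)) // signature algorithm SHA1-RSA is not allowed (no SHA-1)
}
```

Run this against the certificate before building the PKCS12 bundle: the KMS-to-KMS federation of slides 41 and 42 is a mutual TLS handshake, so a certificate that fails here fails at federation time, after the ISO has been generated.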
• 47. References
  - Cisco Spark - Cloud and On Premise Security explained: https://www.ciscolive.com/global/on-demand-library/?search=brkcol-2030#/session/1484039969829001YwFb
  - Cisco Spark Hybrid Services Architectural Design: https://www.ciscolive.com/global/on-demand-library/?search=brkcol-2202#/session/1485462759889001X5bX
  - Authentication and Authorization in Collaboration Deployments: concepts and architecture: https://www.ciscolive.com/global/on-demand-library/?search=brkcol-2699#/session/1485462759687001XTYU
  - Authentication and Authorization in Collaboration Deployments: implementation and troubleshooting: https://www.ciscolive.com/global/on-demand-library/?search=brkucc-2444#/session/1488238596662001CLEl
  - Cisco Spark Security and Privacy Whitepaper: https://help.webex.com/docs/DOC-9095
• 48. Cloud Collaboration Network Security
• 49. Cloud Collaboration Network Security Primer
  - Firewalls: whitelists for Spark clients, devices and services; media support (UDP/TCP/HTTP).
  - HTTP proxies: proxy types and proxy detection; proxy authentication methods (Basic/Digest/NTLM/Negotiate/Kerberos) and authentication bypass; proxy TLS/HTTPS traffic inspection and certificate pinning.
• 50. Cisco Spark Cloud Access: Enterprise VLANs
• 51. Connecting from the Enterprise: Firewalls
  Whitelisted ports and destinations for Spark desk and room devices and Spark clients (see the following slides for details):
  - Media port ranges, source UDP ports: voice 52000-52099, video 52100-52299.
  - Source TCP/HTTP ports: ephemeral (so no DSCP re-marking by source port).
  - Destination UDP/TCP/HTTP ports: 5004, 5006.
  - Destination IP addresses: any.
• 52. Voice and Video Classification and Marking: Port Range Summary, Endpoints and Clients
  Source UDP port range | Spark soft clients | Spark devices
  Audio 52000-52099     | 52000-52049        | 52050-52099
  Video 52100-52299     | 52100-52199        | 52200-52299
• 53. Spark Apps: Network Port and Whitelist Requirements
  Spark applications: Windows, Mac, iOS, Android, Web
  Protocol | Source ports | Destination ports | Destination | Function
  UDP | Voice 52000-52049, Video 52100-52199 (exception: Windows uses ephemeral source ports today because of an OS firewall issue; fix due by Q3 CY '17) | 5004 & 5006 | Any IP address | SRTP over UDP to Spark cloud media nodes
  TCP | Ephemeral | 5004 & 5006 | Any IP address | SRTP over TCP or HTTP to Spark cloud media nodes
  TCP | Ephemeral | 443 | The hosts listed below | HTTPS
  HTTPS destinations and their function:
  - identity.webex.com: Spark Identity Service
  - idbroker.webex.com: OAuth Service
  - *.wbx2.com: Core Spark Services
  - *.webex.com: Identity management
  - *.ciscospark.com: Core Spark Services
  - *.clouddrive.com: Content and Space Storage
  - *.rackcdn.com: Content and Space Storage
  - *.crashlytics.com: Anonymous crash data
  - *.mixpanel.com: Anonymous analytics
  - *.appsflyer.com: Mobile clients only, ad analytics
  - *.adobedtm.com: Web clients only, analytics
  - *.omtrdc.net: Web clients only, telemetry
  - *.optimizely.com: Web clients only, metrics
• 54. Spark Devices: Network Port and Whitelist Requirements
  Desktop and room systems: SX Series, DX Series, MX Series, Room Kits, Spark Boards*
  Protocol | Source ports | Destination ports | Destination | Function
  UDP | Voice 52050-52099, Video 52200-52299 (EFT today, GA Q3 CY '17) | 5004 & 5006 | Any IP address | SRTP over UDP to Spark cloud media nodes
  TCP | Ephemeral | 5004 & 5006 | Any IP address | SRTP over TCP or HTTP to Spark cloud media nodes (not Spark Board)
  TCP | Ephemeral | 443 | The hosts listed below | HTTPS
  HTTPS destinations and their function:
  - identity.webex.com: Spark Identity Service
  - idbroker.webex.com: OAuth Service
  - *.wbx2.com: Core Spark Services
  - *.webex.com: Identity management
  - *.ciscospark.com: Core Spark Services
  - *.clouddrive.com: Content and Space Storage
  - *.rackcdn.com: Content and Space Storage
  - *.crashlytics.com: Anonymous crash data
  - *.mixpanel.com: Anonymous analytics
  - *dropboxusercontent.com: Spark Board firmware updates*
• 55. Connecting from the Enterprise: Firewalls, Hybrid Media Node (HMN)
  - Media port ranges: source UDP ports for voice and video 33434-33598; source TCP/HTTP ports ephemeral (so no DSCP re-marking by source port); destination UDP/TCP/HTTP port 5004; destination IP addresses any.
  - An HMN can be used to limit the source IP address range to HMNs only.
  - Hybrid Media Node source UDP ports for voice and video are different from those used by endpoints; they are used for cascade links to the Spark cloud. Voice and video use a common UDP source port range: 33434-33598.
• 56. Connecting from the Enterprise: Firewalls, Hybrid Data Security Node (HDS)
  - The HDS node hosts the Key Management Service, the Indexing (Search) Service and the E-Discovery Service.
  - HDS carries signaling traffic only, no media: outbound HTTPS and WSS signaling only.
• 57. HMN and HDS Nodes: Network Port and Whitelist Requirements
  Hybrid Media Node (HMN):
  Protocol | Source ports | Destination ports | Destination | Function
  UDP | 33434-33598 (common range for voice and video) | 5004 | Cascade destination, any IP address | Cascaded SRTP over UDP media streams to cloud media nodes
  TCP | Ephemeral | 5004 | Cascade destination, any IP address | Cascaded SRTP over TCP/HTTP media streams to cloud media nodes
  TCP | Ephemeral | 123, 53, 444 | Any | NTP, DNS, HTTPS (as listed on the slide)
  TCP | Ephemeral | 443 | *wbx2.com, *idbroker.webex.com | HTTPS configuration services
  Hybrid Data Security Node (HDS):
  TCP | Ephemeral | 443 | *.wbx2.com, idbroker.webex.com, identity.webex.com, index.docker.io | Outbound HTTPS and WSS
• 58. Cisco Spark Cloud Access: Enterprise Proxies
• 59. Connecting from the Enterprise: Proxy Types
  - Proxy address given to the device/application (explicit proxy).
  - Transparent proxy (the device/application is unaware of the proxy's existence): in-line proxies (e.g. a combined proxy and firewall) or traffic redirection (e.g. using Cisco WCCP).
  - Only HTTP/HTTPS traffic (signalling, e.g. destination port 443) is sent to the proxy server; UDP media does not go through the proxy.
• 60. Network Capabilities, Spark Devices: Proxy Detection
  Spark device | Protocol | Software train | Proxy detection | Granular configuration
  Windows, Mac, iOS, Android, Web | HTTPS | WME | Yes: manual; yes: PAC files | Manually configure the proxy address or use PAC files (or Windows GPO)
  DX | HTTPS | Room OS | Yes: manual, using web access | Configure the proxy address via the device web interface
  SX | HTTPS | Room OS | Yes: manual, using web access | Configure the proxy address via the device web interface
  MX | HTTPS | Room OS | Yes: manual, using web access | Configure the proxy address via the device web interface
  Room Kits | HTTPS | Room OS | Yes: manual, using web access | Configure the proxy address via the device web interface
  Spark Board | HTTPS | Spark Board OS | Yes: manual configuration | Manual configuration of the proxy address
• 61. Connecting from the Enterprise: Proxy Authentication
  - The proxy intercepts the outbound HTTP request and authenticates the user (username and password).
  - Authenticated users' traffic is forwarded; unauthenticated users' traffic is dropped/blocked.
  - Proxy authentication is not mandatory; many enterprises do no authentication.
• 62. Common Proxy Authentication Methods
  - Basic Authentication
  - Digest Authentication
  - NTLMv2 Authentication
  - Negotiate Authentication
  - Kerberos
• 63. Proxy Authentication Methods: Basic Authentication
  - Uses standard HTTP headers (Proxy-Authenticate challenge, Proxy-Authorization response).
  - Username and password are Base64 encoded; they are NOT encrypted or hashed, so anyone who can read the request on its way to the proxy can recover them.
  - Basic username and password challenge for devices: devices are not users (no human interaction), so either create one account (e.g. an LDAP account) for all devices or create an account per device, with no password expiration.
• 64. Proxy Authentication Methods: Kerberos
  - Strongest security of the methods listed.
  - Parties: client, Key Distribution Center (Authentication Service and Ticket Granting Service), application server (here, the proxy).
  - Encrypted communication based on shared secrets.
  - The client authenticates with the Authentication Service and, once authenticated, receives a Ticket Granting Ticket (TGT).
  - The client requests access to a service (e.g. the proxy) by presenting the TGT to the Ticket Granting Service; the TGS authenticates the client and returns an encrypted Service Ticket.
  - The client presents the Service Ticket to the proxy, which validates the user (using the shared secret it holds with the KDC).
  - The HTTPS connection proceeds.
• 65. Proxy Authentication Bypass Methods
  Manually configure the proxy server to waive authentication for:
  - Device IP addresses (e.g. 10.100.200.1, 10.100.200.3)
  - Whitelisted destinations (e.g. *ciscospark.com): identity.webex.com, idbroker.webex.com, *.wbx2.com, *.webex.com, *.ciscospark.com, *.clouddrive.com, *.crashlytics.com, *.mixpanel.com, *.rackcdn.com
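The two bypass rules above as a proxy-side decision, plus what a Basic credential looks like on the wire (slide 63), as an added example in Go (this is not the configuration syntax of any particular proxy product). The destination list is the one on the slide; the device addresses 10.100.200.1 and 10.100.200.3 are the slide's, and the service account svc-spark with password Welcome1 is made up.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"strings"
)

// sparkDestinations: destinations for which the proxy waives authentication (slide 65).
var sparkDestinations = []string{
	"identity.webex.com", "idbroker.webex.com", "*.wbx2.com", "*.webex.com",
	"*.ciscospark.com", "*.clouddrive.com", "*.crashlytics.com", "*.mixpanel.com", "*.rackcdn.com",
}

// deviceAddrs: device addresses for which the proxy waives authentication (slide 65).
var deviceAddrs = []string{"10.100.200.1", "10.100.200.3"}

// hostMatches treats "*.example.com" as any subdomain of example.com. The dot is
// kept in the comparison so "evilexample.com" and "example.com.attacker.net" do
// not match; the apex "example.com" itself is not covered by the wildcard.
func hostMatches(pattern, host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if strings.HasPrefix(pattern, "*.") {
		suffix := pattern[1:] // ".example.com"
		return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
	}
	return host == pattern
}

// AuthRequired is the decision for one CONNECT/GET, given the client's source IP
// and the destination host it asked for: bypass by destination, then by source.
func AuthRequired(srcIP, dstHost string) bool {
	for _, p := range sparkDestinations {
		if hostMatches(p, dstHost) {
			return false
		}
	}
	ip := net.ParseIP(srcIP)
	for _, d := range deviceAddrs {
		if ip != nil && ip.Equal(net.ParseIP(d)) {
			return false
		}
	}
	return true
}

// ParseBasic recovers the credentials from a Proxy-Authorization header. Base64
// is an encoding, not encryption: this is exactly what anyone between the client
// and the proxy can do, which is why a device's Basic account should have no
// privileges beyond proxy access.
func ParseBasic(header string) (user, pass string, err error) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", "", errors.New("not a Basic credential")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(header[len(prefix):]))
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed user:password")
	}
	return parts[0], parts[1], nil
}

func main() {
	fmt.Println(AuthRequired("10.50.1.7", "api.ciscospark.com"))      // false: whitelisted destination
	fmt.Println(AuthRequired("10.100.200.3", "www.example.com"))      // false: device address
	fmt.Println(AuthRequired("10.50.1.7", "evilciscospark.com"))      // true: not a subdomain
	fmt.Println(AuthRequired("10.50.1.7", "ciscospark.com.evil.net")) // true: wrong side of the name
	fmt.Println(ParseBasic("Basic c3ZjLXNwYXJrOldlbGNvbWUx"))         // svc-spark Welcome1 <nil>
}
```

The same matching function is what a PAC file (slide 72) would implement in JavaScript with shExpMatch or dnsDomainIs; the two spoofing cases in main are the ones a naive "ends with ciscospark.com" rule gets wrong.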
• 66. Network Capabilities, Spark Devices: Proxy Authentication
  Spark device | Protocol | Software train | Proxy authentication | Granular configuration
  Windows, Mac, iOS, Android, Web | HTTPS | WME | Basic: no; Digest: no; NTLM: yes (Windows); Kerberos: no | Windows only today; other OSs use authentication bypass (Basic/Digest/Kerberos planned)
  DX | HTTPS | Room OS | Yes: Basic Auth (web-based config); Digest Auth planned | Configure username and password for proxy authentication (Basic Auth)
  SX | HTTPS | Room OS | Yes: Basic Auth (web-based config); Digest Auth planned | Configure username and password for proxy authentication (Basic Auth)
  MX | HTTPS | Room OS | Yes: Basic Auth (web-based config); Digest Auth planned | Configure username and password for proxy authentication (Basic Auth)
  Room Kits | HTTPS | Room OS | Yes: Basic Auth (web-based config); Digest Auth planned | Configure username and password for proxy authentication (Basic Auth)
  Spark Board | HTTPS | Spark Board OS | Yes: Basic Auth (manual configuration) | Configure username and password for proxy authentication (Basic Auth)
• 67. Network Capabilities, Spark Devices: HTTPS Inspection
  Spark device | Protocol | Software train | Supports TLS/HTTPS inspection | Certificate validation method
  Windows, Mac, Web | HTTPS | WME | Yes (Win/Mac/browser) | If an enterprise certificate exists, then bypass the certificate pinning process
  iOS, Android | HTTPS | WME | No | HTTPS inspection bypass
  DX | HTTPS | Room OS | Yes, requires per-org configuration of the Identity Service | Load private CA certs in the Spark service; the device downloads the trust list with the private certs
  SX | HTTPS | Room OS | Yes, requires per-org configuration of the Identity Service | Load private CA certs in the Spark service; the device downloads the trust list with the private certs
  MX | HTTPS | Room OS | Yes, requires per-org configuration of the Identity Service | Load private CA certs in the Spark service; the device downloads the trust list with the private certs
  Room Kits | HTTPS | Room OS | Yes, requires per-org configuration of the Identity Service | Load private CA certs in the Spark service; the device downloads the trust list with the private certs
  Spark Board | HTTPS | Spark Board OS | No (planned Q3 CY '17) | HTTPS inspection bypass
• 68. Network Capabilities, Spark Devices: 802.1X
  Spark device | Protocol | Software train | EAP-FAST | EAP-TLS | MIC | Non-CUCM LSC | Certificate installation capability | Granular configuration
  Windows, Mac, iOS, Android, Web | HTTPS | WME | Wi-Fi yes, wired yes | Wi-Fi yes, wired yes | N/A | Yes | Yes | Manually install LSC (Windows GPO, Mac configuration profiles)
  DX | HTTPS | Room OS | Wi-Fi yes, wired yes | Wi-Fi yes, wired yes | 2H CY17 | Yes | Yes | Web based: install enterprise LSC via the device web interface
  SX | HTTPS | Room OS | Wired yes | Wired yes | No | Yes | Yes | Web based: install enterprise LSC via the device web interface
  MX | HTTPS | Room OS | Wired yes | Wired yes | No | Yes | Yes | Web based: install enterprise LSC via the device web interface
  Room Kits | HTTPS | Room OS | Wi-Fi yes, wired yes | Wi-Fi yes, wired yes | Yes | Yes | Yes | Web based: install enterprise LSC via the device web interface
  Spark Board | HTTPS | Spark Board OS | No (planned Q3 CY '17) | No (planned Q3 CY '17) | No | No (planned Q3 CY '17) | (not listed) | Use MAC Address Bypass
  (MIC = Manufacturer Installed Certificate; LSC = Locally Significant Certificate.)
• 69. Connecting from the Enterprise – VLANs
How are the switch ports configured?
Minimum enterprise network requirements: Internet access; DHCP and DNS server access; internal TCP connectivity and ICMP to the devices for support.
• Single static untagged VLAN?
• Dynamic VLAN assignment based on CDP/LLDP TLV values?
• Multiple static VLANs (e.g. Data VLAN and Auxiliary VLAN)? 802.1Q VLAN tagging is required for the Auxiliary VLAN.
• 70. Network Capabilities: Spark Devices – CDP/LLDP, 802.1Q
Spark Device | Protocol | Software Train | CDP / LLDP | 802.1Q | Ethernet PC Port | Granular Configuration
Windows, Mac, iOS, Android, Web | HTTPS | WME | No / No | N/A | N/A | Static untagged (Data) VLAN
DX | HTTPS | Room OS | Yes / No | Yes | Yes | Dynamic VLAN assignment, 802.1Q tagging, connected PC supported
Room Kit, MX, SX | HTTPS | Room OS | Yes / No | Yes | No | Dynamic VLAN assignment, 802.1Q tagging
Spark Board | HTTPS | Spark Board OS | Yes / No | Yes | No | Dynamic VLAN assignment, 802.1Q tagging
• 71. What do we send to third-party sites?
Site | Clients that access it | What is sent there | User PII? | Anonymized usage info? | Encrypted user-generated content?
*.clouddrive.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing (part of the Rackspace content system) | N | N | Y
*.rackcdn.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing (part of the Rackspace content system) | N | N | Y
*.mixpanel.com | Win, Mac, iOS, Android, Web | Anonymous usage data | N | Y | N
*.appsflyer.com | iOS, Android | Anonymous usage data related to onboarding | N | Y | N
*.adobedtm.com | Web | Anonymous usage data | N | Y | N
*.omtrdc.net | Web | Anonymous usage data | N | Y | N
*.optimizely.com | Web | Anonymous usage data for A/B testing | N | Y | N
• 72. Connecting from the Enterprise – Proxy Detection
• Proxy detection (how the proxy address is given to the device or application):
• Manual configuration
• Auto configuration (Proxy Auto-Config (PAC) files)
[Diagram: each client learns the proxy address manually or from a PAC file and sends its HTTPS signalling through the proxy; UDP media is shown separately, as it does not traverse an HTTP proxy.]
• 73. Cisco Spark Cloud Access: Network Access Control (802.1X)
• 74. Connecting from the Enterprise – 802.1X
802.1X operation:
• The switch port's network access is restricted until authentication completes
• The client presents its credentials to the Authentication Server (the switch relays them as the 802.1X authenticator)
• After successful authentication the switch port is configured for the device, e.g. VLAN(s), ACLs
• 75. 802.1X Network Authentication Methods
• There are many EAP options; two key authentication methods for these devices:
• EAP-FAST (username and password)
• EAP-TLS (certificates)
• 76. 802.1X Network Authentication: EAP-FAST
Extensible Authentication Protocol – Flexible Authentication via Secure Tunneling
• Username and password based; the credentials travel to the Authentication Server inside a protected tunnel
• Does not require a certificate on the client
• 77. 802.1X Network Authentication: EAP-TLS
Extensible Authentication Protocol – Transport Layer Security
• Requires digital certificates on both the client and the Authentication Server
• Mutual client/server authentication
• 78. 802.1X Fallback – MAC Address Bypass (MAB)
Bypasses the 802.1X authentication mechanisms:
• Uses the device MAC address as the only credential
• Commonly used for devices that are not 802.1X capable
• The MAC address is entered manually into the Authentication Server (e.g. Phone 1 = AA:BB:CC:11:22:33)
• Caveat: a MAC address is trivially spoofed, so MAB ports should land in a restricted VLAN/ACL rather than receive full access
• 79. Network Capabilities: Spark Devices – 802.1X (the 802.1X capability table from slide 68, repeated)
• 80. Proxy Authentication Methods – Digest Authentication
• Uses standard HTTP headers (a 407 Proxy-Authenticate challenge, answered with Proxy-Authorization)
• The password is never sent: the client sends its username together with an MD5 hash (RFC 2617) computed over username, realm, password, the proxy's nonce, the HTTP method and the URI
• A plain username/password challenge, but for devices, i.e. devices are not users (no human interaction):
• Create one account (e.g. an LDAP account) for all devices, or an account per device
• No password expiration on these accounts
[Diagram: HTTPS signalling through the proxy; UDP media]
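The Digest exchange above as an added Go example (not code from the deck or from Cisco): a device answers the proxy's 407 challenge and the proxy verifies the answer. The challenge, account name, password, client nonce and URI are the RFC 2617 section 3.5 test vector, reused here as the constructed sample input; a real proxy issues a fresh nonce for every challenge. Function and field names are this example's own. The proxy side only stores HA1 (the hash of username, realm and password), never the password, and compares in constant time.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// parseDigest turns `Digest k="v", k2=v2, ...` into a map. Quoted values may
// contain commas (e.g. qop="auth,auth-int"), so the split is quote-aware.
func parseDigest(header string) map[string]string {
	s := strings.TrimPrefix(strings.TrimSpace(header), "Digest ")
	out := map[string]string{}
	inQuote, start := false, 0
	flush := func(end int) {
		if kv := strings.SplitN(strings.TrimSpace(s[start:end]), "=", 2); len(kv) == 2 {
			out[kv[0]] = strings.Trim(kv[1], `"`)
		}
	}
	for i := 0; i < len(s); i++ {
		switch {
		case s[i] == '"':
			inQuote = !inQuote
		case s[i] == ',' && !inQuote:
			flush(i)
			start = i + 1
		}
	}
	flush(len(s))
	return out
}

// ha1 is the only secret-bearing value; a proxy can store it instead of the password.
func ha1(user, realm, password string) string {
	return md5hex(user + ":" + realm + ":" + password)
}

// digestResponse is RFC 2617 with qop=auth:
// response = MD5(HA1 ":" nonce ":" nc ":" cnonce ":" qop ":" MD5(method ":" uri)).
func digestResponse(h1, method, uri, nonce, nc, cnonce, qop string) string {
	ha2 := md5hex(method + ":" + uri)
	return md5hex(strings.Join([]string{h1, nonce, nc, cnonce, qop, ha2}, ":"))
}

// clientAnswer is the device side: consume the 407 Proxy-Authenticate challenge and
// build the Proxy-Authorization value for the retried request.
func clientAnswer(user, password, method, uri, nc, cnonce, proxyAuthenticate string) string {
	ch := parseDigest(proxyAuthenticate)
	resp := digestResponse(ha1(user, ch["realm"], password), method, uri, ch["nonce"], nc, cnonce, "auth")
	return fmt.Sprintf(`Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, nc=%s, cnonce="%s", response="%s", opaque="%s"`,
		user, ch["realm"], ch["nonce"], uri, nc, cnonce, resp, ch["opaque"])
}

// proxyVerify is the proxy side: with the stored HA1 of the device account and the
// nonce it issued, recompute the response and compare in constant time.
func proxyVerify(storedHA1, issuedNonce, method, proxyAuthorization string) bool {
	a := parseDigest(proxyAuthorization)
	if a["nonce"] != issuedNonce || a["qop"] != "auth" {
		return false // replayed or foreign nonce, or a qop the proxy did not offer
	}
	want := digestResponse(storedHA1, method, a["uri"], a["nonce"], a["nc"], a["cnonce"], a["qop"])
	return subtle.ConstantTimeCompare([]byte(want), []byte(a["response"])) == 1
}

// Constructed sample exchange: the challenge and credentials of RFC 2617 section 3.5.
const (
	sampleChallenge = `Digest realm="testrealm@host.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"`
	sampleNonce     = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
)

func main() {
	hdr := clientAnswer("Mufasa", "Circle Of Life", "GET", "/dir/index.html", "00000001", "0a4f113b", sampleChallenge)
	fmt.Println("Proxy-Authorization:", hdr)
	fmt.Println("proxy accepts:", proxyVerify(ha1("Mufasa", "testrealm@host.com", "Circle Of Life"), sampleNonce, "GET", hdr))
}
```

The nonce check in proxyVerify is what makes a captured Proxy-Authorization header useless for replay against a later challenge; a device account with no password expiration, as the slide recommends, leans entirely on that nonce and on the proxy never logging the HA1 value.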
• 81. Proxy Authentication Methods – NTLMv2 (Windows only)
• NT LAN Manager (NTLM) authentication: Microsoft's challenge/response authentication protocol
• The username is sent in plain text
• A challenge (nonce) is sent from the server
• A key derived from the password hash is used to compute a keyed response over the challenge, which is returned to the server; the password is hashed but never sent
• A Windows (AD) username/password challenge for devices, i.e. devices are not users (no human interaction):
• Create one AD account for all devices, or an account per device
• No password expiration on these accounts
[Diagram: HTTPS signalling through the proxy; UDP media]
• 82. Proxy Authentication Methods – Negotiate/IWA (Windows only)
• Negotiate authentication: Microsoft's implementation of SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism; GSSAPI = Generic Security Service API)
• Negotiates the use of either Kerberos or, as a fallback, NTLM
• IWA = Integrated Windows Authentication
• A Windows (AD) username/password challenge for devices, i.e. devices are not users (no human interaction):
• Create one AD account for all devices, or create an account per device
• No password expiration on these accounts
[Diagram: HTTPS signalling through the proxy; UDP media]
• 83. Proxy TLS/HTTPS Inspection – Non-Spark Apps
• HTTPS/TLS inspection: the proxy terminates the client's TLS session and, on connection establishment, presents a certificate signed by the enterprise's private CA
• The client validates the received certificate chain against the root CAs in its trust store, so the private CA root must have been installed there
• If the chain validates, the client accepts and proceeds with the TLS connection (to the proxy, not to the cloud service)
[Diagram: private CA root certificate sent to the client; HTTPS signalling through the proxy; UDP media]
• 84. Proxy TLS/HTTPS Inspection – Non-Spark Apps (2)
• The proxy starts a new HTTPS/TLS connection to the web/cloud service
• The proxy receives the service's certificate and validates it to establish its own secure TLS connection
• The proxy can now decrypt, inspect and re-encrypt the session traffic as it passes between the two connections
[Diagram: HTTPS signalling through the proxy; UDP media]
• 85. HTTP Proxy, No HTTPS Inspection – Spark Certificate Pinning
• Certificate pinning: the CA-signed Cisco Spark certificate chain is sent by the HTTPS/TLS server
• The client computes a SHA-256 hash of the certificate's public key and compares it with the certificate pin in its trust store
• If they match, accept and proceed with the TLS connection
• Certificate pin = SHA-256 hash of the CA root certificate public key, base64 encoded, e.g. VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= (the example value shown on the slide)
[Diagram: HTTPS signalling through the proxy; UDP media]
• 86. Proxy with HTTPS Inspection – Spark Certificate Pinning
• The inspecting proxy sends its private-CA-signed certificate during HTTPS/TLS setup
• The client computes the SHA-256 hash of the private-CA-signed certificate's public key and compares it with the certificate pin in its trust store
• They DO NOT match: the TLS connection is terminated, so the Spark client cannot connect through an inspecting proxy
• Certificate pin = SHA-256 hash of the CA root certificate public key (VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=)
[Diagram: HTTPS signalling through the proxy; UDP media]
• 87. HTTPS Inspection – Spark Devices: Certificate Pinning Fix
• The private CA certificate is copied to the Spark cloud (per-org configuration of the Identity Service) and the device downloads a trust list that now contains it
• The proxy sends its private-CA-signed certificate during HTTPS/TLS setup
• The device computes the SHA-256 hash of the presented certificate's public key and compares it with the pins in its trust list
• They DO match: proceed with the TLS connection
• HTTPS/TLS inspection is possible
• Certificate pin = SHA-256 hash of the private CA root certificate public key (the slide reuses the example value VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=; a private CA's own key produces a different hash)
[Diagram: HTTPS signalling through the proxy; UDP media]
• 88. HTTPS Inspection – Spark Clients: Certificate Pinning Fix
• The private CA certificate is copied to the client OS trust store
• The proxy sends its private-CA-signed certificate during HTTPS/TLS setup
• The Spark app checks whether a copy of the private CA certificate exists in the OS trust store
• If the certificate exists, the certificate pinning process is skipped and the app proceeds with the TLS connection
• HTTPS/TLS inspection is possible
• Certificate pin = SHA-256 hash of the Spark CA root certificate public key (VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=), consulted only when no enterprise CA is present
[Diagram: HTTPS signalling through the proxy; UDP media]
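The client-side decisions of slides 85 to 88 in working form, as an added Go example (not code from the deck or from Cisco): the program builds a constructed Spark root CA and a constructed enterprise private CA, pins the SHA-256 hash of the Spark root's SubjectPublicKeyInfo in the base64 shape shown on the slides, and replays three connections: direct (pin matches), through an inspecting proxy whose CA the client does not know (pin mismatch, connection terminated), and through the same proxy after the private CA was placed in the enterprise trust store (pinning skipped). Assumptions made here: the host name spark.example.test and the CA names; that the server presents its full chain including the root; and that the client recognises an enterprise-installed CA by comparing the presented root with the certificates the administrator installed. How the real client detects the enterprise CA is not described on the slides.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is base64(SHA-256(SubjectPublicKeyInfo DER)), the shape of the pin value on the slides.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// template builds a throwaway CA or server-certificate template (constructed for this example).
func template(cn string, ca bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	t := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
	}
	return t
}

// makeCert generates an Ed25519 key and signs tmpl with parent; parent == nil means self-signed.
func makeCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, priv
}

// sparkClient models the client-side decision on slides 85-88.
type sparkClient struct {
	pins            map[string]bool     // SPKI pins the app ships with (slide 85)
	enterpriseRoots []*x509.Certificate // private CA certs the admin put in the OS trust store (slide 88)
}

// verify takes the chain the server presented (leaf first, root last) and returns the decision,
// prefixed "rejected:" when the client terminates the connection.
func (c sparkClient) verify(host string, presented []*x509.Certificate) string {
	if len(presented) < 2 {
		return "rejected: server did not present a CA chain"
	}
	root := presented[len(presented)-1]
	for _, ent := range c.enterpriseRoots {
		if ent.Equal(root) { // slide 88: enterprise CA present, pinning is skipped
			return chainOK(host, presented, "enterprise CA in OS trust store: pinning skipped, inspection allowed")
		}
	}
	if pin := spkiPin(root); !c.pins[pin] { // slide 86: hash of the presented root key is not a known pin
		return "rejected: pin mismatch (" + pin + "), TLS connection terminated"
	}
	return chainOK(host, presented, "pin match: proceed with TLS connection") // slide 85
}

// chainOK makes sure the leaf really chains up to the presented root for host; a pin on the root key
// means nothing otherwise, since any leaf could be shipped next to a copy of the genuine root.
func chainOK(host string, presented []*x509.Certificate, ok string) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(presented[len(presented)-1])
	for _, ic := range presented[1 : len(presented)-1] {
		inters.AddCert(ic)
	}
	if _, err := presented[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters}); err != nil {
		return "rejected: " + err.Error()
	}
	return ok
}

// runScenarios replays slides 85, 86 and 88 with constructed CAs and a constructed host name.
func runScenarios() map[string]string {
	host := "spark.example.test"
	sparkCA, sparkKey := makeCert(template("Example Spark Root CA", true), nil, nil)
	privCA, privKey := makeCert(template("Example Enterprise Private CA", true), nil, nil)
	leafReal, _ := makeCert(template(host, false), sparkCA, sparkKey)
	leafProxy, _ := makeCert(template(host, false), privCA, privKey) // the inspecting proxy re-signs
	pinned := sparkClient{pins: map[string]bool{spkiPin(sparkCA): true}}
	withCA := sparkClient{pins: pinned.pins, enterpriseRoots: []*x509.Certificate{privCA}}
	return map[string]string{
		"slide85 no inspection":              pinned.verify(host, []*x509.Certificate{leafReal, sparkCA}),
		"slide86 inspection, CA unknown":     pinned.verify(host, []*x509.Certificate{leafProxy, privCA}),
		"slide88 inspection, CA in OS store": withCA.verify(host, []*x509.Certificate{leafProxy, privCA}),
	}
}

func main() {
	for k, v := range runScenarios() {
		fmt.Printf("%-36s %s\n", k, v)
	}
}
```

The practical check this gives an administrator: run it, then compare the printed pin of your own proxy CA (spkiPin on the certificate your proxy presents) with what the client is configured to trust; if the client neither holds that pin nor finds the CA in the OS trust store, slide 86 is the outcome you will see.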
• 89. Enterprise Security Features for Cloud
• 90. Cisco Spark Control Hub: full lifecycle management and security
• Premium Visibility & Control: advanced role-based capabilities
• Pro Pack: premium capabilities (1)
(1) For administrators, security professionals or compliance officers who desire greater visibility and control, or specific capabilities
Areas: Provisioning, Admin, Management; Security; Compliance; Analytics
• 91. Pro Pack Capabilities at August GA (Standard vs Pro Pack)
Security:
• End to end encryption
• Hybrid Data Security (on-prem KMS)
• Custom security settings
Compliance:
• eDiscovery console, search and extraction: Standard 90 days; Pro Pack unlimited
• Compliance (Events) API for DLP, archival and eDiscovery integration: Standard 90 days; Pro Pack unlimited
• Flexible retention policy
Analytics:
• Basic reporting: Standard 90 days; Pro Pack 365 days *
• Customized reports with drill-down and multi-dimensional pivots *
• Real-time meeting diagnostics *
• Metrics API for reporting integration: coming soon **
* August will be WebEx usage data only; Cisco Spark data will follow in September
** API availability target Sept/Oct
(For the items without a stated limit, the Standard/Pro Pack check marks did not survive extraction.)
• 92. Cisco Spark Pro Pack – Security Capabilities
• Mobile PIN enforcement and remote content wipe (for Cisco Spark content)
• Web idle session timeouts
• 93. Compliance Solution Strategy: DLP, eDiscovery, Archival, Legal Hold
• 94. Cisco Spark Roles
Role | Users | Policies | Analytics | Logs | Licenses | Config | Discovery
The check-mark columns did not survive extraction; the number of areas each role covers, as extracted: Full Admin 6 of 7, User Admin 2, Business Admin 2, Support Admin 3, Compliance Admin 1.
• 95. Retention Policies
• Purge activities: messages, files
• Default: indefinite retention, subject to storage limits
• Purged content is irretrievable
• 96. Enterprise Compliance – eDiscovery Reports
The eDiscovery reports console (backed by the Indexing Service) supports investigating DLP and other compliance events with speed and accuracy:
• Meet HR, GRC and Legal compliance mandates
• Only authorized members of the legal, HR and GRC teams can investigate events
• Will allow exporting reports to eDiscovery products
• 97. eDiscovery Search and Extraction
• Extension of Cisco Spark Control Hub
• Search on email ID, space ID, keywords
• Designed for the Compliance Officer
• 90-day window in the Cisco Spark base offer; any time period with Pro Pack for Cisco Spark Control Hub
• 99. Archival Strategy
• DIY: use your favourite SI (systems integrator) or self-integrate the Events API with archival software
• Out-of-the-box solution: integrations with archival partners, e.g. Actiance
• E2E custom solution: Cisco Advanced Services software packages and services
• Benefits: sophisticated eDiscovery; Legal Hold; retention policies based on groups
[Diagram: Events API feeding the Archival System, which provides E-Discovery]
• 100. User Information and Propagation of Messages
Control propagation and inform users:
• Ownership and retention
• External participant indicator
• Enlisting users
• Message deletion
• Read receipts
• Space locks
• Moderator inheritance
• 101. DLP/CASB Integration (Compliance Service)
• Cisco will have the best solution here by combining our leading-edge Cloudlock DLP/CASB (Data Loss Prevention / Cloud Access Security Broker) product with Cisco Spark.
• Customers who don't want Cloudlock can integrate with their own DLP systems through an AS (Advanced Services) offer, or through their own custom development.
• We will be integrating with other third-party vendors (we are evaluating Skyhigh and Symantec), but any DLP platform can be supported by using our APIs. We have an AS offer to address that space.
• We can support coarse-grained and fine-grained policies.
• 102. Events API for Data Loss Prevention, Archival and eDiscovery
• A third-party DLP or CASB product polls the Cisco Spark Events API for events and content, applies its policies, and takes corrective actions: delete the content, alert the user or the admin
• The API enables organizations to monitor and correct user behaviour, preventing the loss of sensitive data
• Integrations: third-party vendor software
• 103. Cisco Spark Integrations: Compliance and Data Loss Prevention (DLP)
• 104. Cisco CloudLock
Capabilities: Discover and Control; User and Entity Behavior Analytics; Cloud Data Loss Prevention (DLP); Apps Firewall; Cloud Malware
Risks addressed: Shadow IT / OAuth discovery and control; data exposures and leakages; privacy and compliance violations; compromised accounts; insider threats
• 105. Jabber Enhanced Authorization
• 106. Jabber 11.9 delivers Enhanced Authorisation
• OAuth 2.0 (Open Authorization) is an open standard for token-based authorisation; the user is still authenticated by UC Manager (local, LDAP or SAML SSO) before any token is issued
• UC Manager 11.5 SU3+ provides OAuth support with refresh tokens
• Once authenticated, Jabber is issued access tokens which it uses to access services
• Token-based authorisation provides faster reconnect to services: no re-authentication is needed while the refresh token is valid
• 107. Jabber 11.9 OAuth – Updated Jabber Authorisation Flow
Jabber uses a discovery request to identify whether the OAuth flow is available ("do I need to get a token?"); the flow may run via Expressway. Possible outcomes are:
• UC Manager 9.x, 10.x, 11.0 (and 11.5/12.x when the feature is not enabled): username/password with no refresh token, or SAML SSO with no refresh token
• UC Manager 12.0 (including 11.5 SU3+): OAuth 2.0 with refresh token, or OAuth 2.0 with SAML SSO and refresh token
IMPORTANT: CUCM, IM&P, Unity Connection and Expressway versions must be aligned to support the new flow. The feature is enabled via the UC Manager service parameter shown on the slide.
[Diagram: Jabber 11.9 client against the UC Manager UDS service, the IM&P chat service and Unity Connection voicemail]
• 108. Jabber 11.9 OAuth – Updated Jabber Authorisation Flow (1)
• Jabber discovers that the new authorisation flow is being used
• The UC Manager authorisation service redirects the client to the authentication service before authorisation can take place
• The services (UC Manager UDS, IM&P chat, Unity Connection voicemail) admit authorised users only (token required); the authentication service handles CUCM local users, LDAP users and IdP users
• 109. Jabber 11.9 OAuth – Updated Jabber Authorisation Flow (2)
• Jabber authenticates with the UC Manager authentication service
• The authentication method (CUCM local user, LDAP user or IdP user) depends on the UC Manager configuration
• 110. Jabber 11.9 OAuth – Updated Jabber Authorisation Flow (3)
• The authentication service refers Jabber back to the authorisation service
• Access and refresh tokens are issued
• 111. Jabber 11.9 OAuth – Updated Jabber Authorisation Flow (4)
• Once issued, the access token is used for service access
• All CUCM services and IM&P services trust the token
• Unity Connection can also be configured to trust the CUCM token
• 112. Jabber 11.9 OAuth – Updated Jabber Authorisation Flow (5)
• Before the access token lifetime (60 minutes) expires, Jabber uses the refresh token to request a new access token from the OAuth server
• No need to go back to the authentication service
• 113. Jabber 11.9 OAuth – Updated Jabber Authorisation Flow (6)
• When the refresh token expires (60 days), full authentication is required again
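The token lifecycle of slides 107 to 113, as an added Go example (not Cisco's code): a mock authorisation service issues an access token (60 minutes) and a refresh token (60 days) after authentication, a service that shares the verification key checks the access token, the client refreshes just before expiry without re-authenticating, and a refresh attempted after the 60 days fails and forces full authentication. Assumptions made for the example only: tokens are HMAC-SHA256-signed JSON verified with a key shared by the services, the user alice@example.com, and an injectable fake clock. CUCM's real token format, and how Unity Connection is configured to trust it, are not described on the slides.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Lifetimes stated on the slides: access token 60 minutes, refresh token 60 days.
const accessTTL, refreshTTL = 60 * time.Minute, 60 * 24 * time.Hour

type claims struct {
	Sub  string `json:"sub"`
	Kind string `json:"kind"` // "access" or "refresh"
	Exp  int64  `json:"exp"`  // unix seconds
}

// tokenIssuer stands in for the UC Manager authorisation service. Assumption for this example
// only: tokens are HMAC-SHA256-signed JSON checked with a key shared by the services (slide 111).
type tokenIssuer struct {
	key []byte
	now func() time.Time // injectable clock so the example can fast-forward
}

func (t tokenIssuer) mac(body []byte) []byte {
	m := hmac.New(sha256.New, t.key)
	m.Write(body)
	return m.Sum(nil)
}

func (t tokenIssuer) sign(c claims) string {
	body, _ := json.Marshal(c)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(t.mac(body))
}

// verify is what any service holding the key does with a presented token.
func (t tokenIssuer) verify(tok, kind string) (c claims, err error) {
	parts := strings.SplitN(tok, ".", 2)
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	body, _ := base64.RawURLEncoding.DecodeString(parts[0]) // a decode error just leaves bytes
	sig, _ := base64.RawURLEncoding.DecodeString(parts[1])  // that fail the MAC check below
	if !hmac.Equal(sig, t.mac(body)) {
		return c, errors.New("bad signature: not issued by this cluster")
	}
	if err = json.Unmarshal(body, &c); err != nil {
		return c, err
	}
	if c.Kind != kind {
		return c, fmt.Errorf("expected %s token, got %s", kind, c.Kind)
	}
	if t.now().Unix() >= c.Exp {
		return c, fmt.Errorf("%s token expired", kind)
	}
	return c, nil
}

// issue runs once the authentication service (CUCM local, LDAP or SAML IdP) has vouched for the
// user (slides 108-110) and hands out an access token plus a refresh token.
func (t tokenIssuer) issue(user string) (access, refresh string) {
	now := t.now()
	return t.sign(claims{Sub: user, Kind: "access", Exp: now.Add(accessTTL).Unix()}),
		t.sign(claims{Sub: user, Kind: "refresh", Exp: now.Add(refreshTTL).Unix()})
}

// refreshAccess is slide 112: a valid refresh token yields a new access token with no trip back
// to the authentication service. An expired refresh token is slide 113.
func (t tokenIssuer) refreshAccess(refresh string) (string, error) {
	c, err := t.verify(refresh, "refresh")
	if err != nil {
		return "", fmt.Errorf("%v: full authentication required again", err)
	}
	return t.sign(claims{Sub: c.Sub, Kind: "access", Exp: t.now().Add(accessTTL).Unix()}), nil
}

// simulate drives a Jabber session on a fake clock; a nil entry means that step was accepted.
func simulate() map[string]error {
	clock := time.Date(2018, 4, 3, 9, 0, 0, 0, time.UTC)
	key := make([]byte, 32)
	rand.Read(key) // constructed cluster key for the example
	issuer := tokenIssuer{key: key, now: func() time.Time { return clock }}
	uds := issuer // a service with the same key verifies tokens the same way (slide 111)
	out := map[string]error{}
	access, refresh := issuer.issue("alice@example.com")
	_, out["t+0m: UDS with fresh access token"] = uds.verify(access, "access")
	clock = clock.Add(59 * time.Minute) // still inside the 60-minute access lifetime
	access2, err := issuer.refreshAccess(refresh)
	out["t+59m: refresh, no re-authentication"] = err
	clock = clock.Add(2 * time.Minute)
	_, out["t+61m: original access token"] = uds.verify(access, "access")
	_, out["t+61m: refreshed access token"] = uds.verify(access2, "access")
	clock = clock.Add(refreshTTL) // now past the 60-day refresh lifetime
	_, out["t+60d: refresh"] = issuer.refreshAccess(refresh)
	return out
}

func main() {
	for step, err := range simulate() {
		fmt.Printf("%-40s accepted=%t %v\n", step, err == nil, err)
	}
}
```

The Kind check is the part worth keeping in mind when reviewing a real deployment: a refresh token is long-lived and must never be accepted where an access token is expected, otherwise the 60-minute lifetime on slide 112 buys nothing.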