Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Explained

© 2016 Cisco and/or its affiliates. All rights reserved. 1
Cisco
Connect
Cloud and On Premises
Collaboration Security explained
Joseph Bassaly
Architect
Oct 12th 2017

What will we cover today ?
• Cisco Collaboration Elements
• Managing Identity
• Cisco Spark Security and Compliance
• Cisco Spark Network Security

Continuous Workstreams

Messaging Call ControlMeetings
Seamless Collaboration Experience
Link on-premises assets to the cloud

Cisco Spark

Hybrid Call
Service
Hybrid Calendar
Service
Hybrid Directory
Service
Directory Connector
Cisco Expressway
Cisco
Call
Control
Call Connector Calendar Connector
Hybrid Collaboration
Hybrid Media
Service
MEDIA
NODES
MEDIA
NODES

7© 2016 Cisco and/or its affiliates. All rights reserved.
Managing Identity

IdP – Identity Provider: RP – Relying Party
Users
Explicit Initial Trust
Agreement
Identity Framework
8

Paulo
Authentication and Authorization
(AuthN and AuthZ)
Authentication
When you enter a hotel and
walk up to reception, the
receptionist authenticates
you by checking your
passport
Authorization
After authentication has
taken place, the receptionist
gives you a room key
Your room key is your
authorization token to enter
your room and any resource
that you are entitled to in the
Hotel
You do not need your passport to enter your room.
Your room key authorizes you to enter your room
only, and not any other rooms. The room key
(authorization token) does not identify the holder of
the key/token.
9
Authentication verifies that
“you are who you say you are”
Authorization verifies that
“you are permitted to do what you are trying to do”

Authentication and Authorization
(SAML and OAuth)
Authorization
Client Services
IdP
Authentication

SAML 2.0 Cookies to prevent re-authentication
CUCM
Identity Provider
2. Redirect with SAML
authentication request
6. POST signed response
3.GET with SAML
1. Resource Request
Cisco Jabber
5. Signed response in hiden HTML form with IdP
cookie
IdP
Cookie
7. Supply resource
with cookie
CUCM Cookie
4. Authentication method
define by IdP
IdP
Cookie
WebEx MC
Unity Connections

SAML 2.0 Cookies to prevent re-authentication
CUCM
Identity Provider
2. Redirect with SAML
5. POST signed response
1. Resource Request
Cisco Jabber
4. Signed response in hidden HTML form
IdP
Cookie
CUCM Cookie
3.GET with SAML
with IdP Cookie
IdP
Cookie
No Authentication needed
since IdP Cookie is valid
6. Supply resource
with cookie
WebEx
Cookie
WebEx MC
Unity Connections

An application would like
to connect to your account
The application “XYZ” would like to access
your basic account information.
Allow application “XYZ” access?
AllowDeny
Do these look familiar?
Authorize “XYZ” Application?
This application will be able to:
• Access your basic account information
• Read your posts
• See your list of contacts
Authorize app No, thanks
“XYZ” Application
This application would like to:
• Read and manage your files and documents
• View your email address
AcceptCancel

OAuth
Spark
Service
Customer IdP
Access Service
Common IdentityCisco Spark
Spark
Thick Client
Embedded
Browser
Redirect to Authorization Service’
Provides SAML cookie and UID to OAuth Service
AuthZ URL
Redirect to the AuthN
SAML GET
Authentication request
Authentication Provided
SAML POST with uid and IdP cookie
POST SAML Assertion
Redirect to the Oauth Service with SAML cookie and UID of the user
Identity Broker
Send back OAuth Token
Access_token
Access to the Spark Service
Authz URL
AuthN Request
Provide IdP URL for SAML Exchange
Validates Assertion
and create the
SAML SP cookie
Verifies Entitlement and Scope for the user and
generate OAuth Token

Cisco Spark Security

Spark Clients
The scenario
Spark Board Video End Points
MEDIA
NODES
Expressway
Existing Services
Hybrid Calendar Service
Hybrid Call Service
Hybrid Directory Service
Hybrid Media Service

Spark – User Identity Sync and Authentication
Directory
Sync
User Info can be
synchronized to Spark
from the Enterprise
Active Directory
Multiple User attributes
can be synchronized
Passwords are not
synchronized - User :
1) Creates a Spark
password or
2) Uses SSO for Auth
Identity Service

Spark – SAML SSO Authentication
Directory
Sync
SAML
SSO
Administrators can
configure Spark to
work with their existing
SSO solution
Spark supports Identity
Providers using SAML
2.0 and OAuth 2.0
Identity Service
IdP

Client Connection
Spark Service
IdP
Identity Service
1) Customer downloads and installs Spark
Client (with Trust anchors)
2) Spark Client establishes a secure TLS
connection with the Spark Cloud
3) Spark Identity Service prompts for an e-
mail ID
4) User Authenticated by Spark Identity
Service, or the Enterprise IdP (SSO)
5) OAuth Access and Refresh Tokens created
and sent to Spark Client
• The Access Tokens contain details of the
Spark resources the User is authorized to
access
5) Spark Client presents its Access Tokens to
register with Spark Services over a secure
channel

Spark Device connection
Spark ServiceIdentity Service
1) User enters 16 digit activation code
received via e-mail from the Spark
provisioning service
2) Device authenticated by Identity
Service (Trust anchors sent to device
and secure connection established)
3) OAuth Access and Refresh Tokens
created and sent to Spark Client
• The Access Tokens contain details of
the Spark resources the User is
authorized to access
5) Spark Client presents its Access
Tokens to register with Spark
Services over a secure channel
1234567890123456

Spark
Secure Messages and Content

Content Server Key Mgmt Service
message messagemessage
filefile
message
Spark - Encrypting Messages and Content
Spark Clients request a
conversation encryption key from
the Key Management Service
Any messages or files sent by a
Client are encrypted before being
sent to the Spark Cloud
Each Spark Room uses a different
Conversation Encryption key
Key Management Service
AES256-GCM cipher used for Encryption

Encrypted messages sent by a Client
are stored in the Spark Cloud and also
sent on to every other Client in the
Spark Room
Key Mgmt Service
messagemessagemessage
Content Server
Spark - Decrypting Messages and Content
If needed, Spark Clients can retrieve
encryption keys from the Key
Management Service
The encrypted message also contains
a link to the conversation encryption
key

Spark
Secure Search and Indexing

Indexing Service
Spark IS the messageSparkIS themessage
Content Server
Spark IS the message
Key Mgmt Service
###################
Searching Spark Rooms : Building a Search Index
The Indexing Service :
Enables users to search for
names and words in the
encrypted messages stored
in the Content Server
A Search Index is built by
creating a fixed length
hash* of each word in each
message within a Room
###################
B957FE48
B9 57 FE 48
Hash
Algorithm
###################
Indexing Service
The hashes for each Spark
Room are stored by the
Content Service
###################
* A new (SHA-256 HMAC) hashing key (Search Key) is used for each room

Indexing Service
“Spark”Spark
###################
Searching Spark Rooms : Querying a Search Index
Search for the word “Spark”
Client sends search request
over a secure connection to
the Indexing Service
The Content Server
searches for a match in it’s
Hash tables and returns
matching content to the
client *
###################
B957FE48
B9 57 FE 48
Hash
Algorithm
Indexing Service
“Spark”
“B9”
B9 57 FE 48
######################################
Spark IS the Message
B9
The Indexing Service uses
Per Room Search keys to
hash the search terms
*A link to Conversation Encryption Key is sent with encrypted message

Spark E-Discovery

Cloud Collaboration
Management Portal
Indexing Service
Jo Smith’s ContentJo Smith’s Content
###################
Spark Compliance Service : E-Discovery
Administrator selects a
group of messages and files
to be retrieved for E-
Discovery e.g. : based on
date range/ content type/
user(s)
The Content Server returns
Compliance Service
###################
X1GFT5YYHash
Algorithm
Indexing Service
Jo Smith’s Content
“X1GFT5YY”
###################
X1GFT5YY
The Indexing Service
searches Content Server for
related content
Compliance Service
###################
###################
###################

E-Discov. Storage
Compliance ServiceContent Server Key Mgmt Service
The Compliance Service :
Decrypts content from the
Content Server, then
compresses and re-encrypts
it before sending it to the E-
Discovery Storage Service
The E-Discovery Storage
Service :
Sends the compressed and
encrypted content to the
Administrator on request
Compliance Service
Cloud Collaboration
Management Portal
Jo Smith’s Content###################
Jo Smith’s Messages
and Files
###################
###################
################
###################
###################
################
and Files
E-Discovery
Content Ready

3rd Party Integrations
Cisco has developed key relationships with leading Cloud Access Security Brokers (CASB), compliance,
archival and security vendors to enhance Cisco Spark and deliver key enterprise-grade features:
Compliance and Archiving
Archive content to comply with retention
requirements and enable eDiscovery
Data Loss Prevention
Apply policies to content, violation
alerts, and take remediation actions
Identity Management
Single Sign-On via SAML, Mobile Device
Management (MDM), SCIM user
provisioning and deactivation

Spark Hybrid Data Security

Secure Data Center
Content Server
Key Mgmt Service
Spark – Hybrid Data Security (HDS)
Compliance ServiceIndexing Service
Hybrid Data Security
Hybrid Data Services
=
On Premise :
Key Management Server
Indexing Server
E-Discovery Service

Secure Data Center
Content Server
Key Mgmt Service
Hybrid Data Security traffic and Firewalls
Compliance ServiceIndexing Service
make outbound connections
only from the Enterprise to the
Spark cloud, using HTTPS and
Secure WebSockets (WSS)
No special Firewall
configuration required
Firewall

Secure Data Center
Content Server Key Mgmt Server
Spark – Hybrid Data Security: Key Management
The Hybrid Key Management
Server performs the same
functions as the Cloud based Key
Management Server
Now all of the keys for messages
and content are owned and
managed by the Customer
BUT
Key Mgmt Service

Secure Data Center
Content Server
The Hybrid Data Security is
managed and upgraded from the
cloud
Customer’s can access usage
information for the HDS Servers
via the cloud management portal
Multiple HDS servers can be
provisioned for
Scalability & Load Sharing
Key Mgmt ServerKey Mgmt Service
Hybrid Data Security - Scalability

Secure Data Center
Key Mgmt Service
message messagemessagemessage
HDS - Encrypting Messages & Content
Spark Clients request an encryption
key from the Hybrid Key Management
Server
Any messages or files sent by a Client
are encrypted before being sent to the
Spark Cloud
Encrypted messages and content
stored in the cloud
Encryption Keys stored locally

Secure Data Center
Key Mgmt Service
Encrypted messages from Clients are
stored in the Spark Cloud
Key Mgmt Service
message
Content Server
If needed, Spark Clients can retrieve
encryption keys from the Hybrid Key
Management Server
These messages are sent to every
other Client in the Spark Room and
contain a link to their encryption key
on the Hybrid Key Management Server
HDS - Decrypting Messages & Content

Secure Data Center
Indexing Service
Spark IS the messageSparkIS themessage
Content Server
Spark IS the message
Key Mgmt Service
###################
The Indexing Service :
Enables users to search for
names and words in the
encrypted messages stored
in the Content Server
###################
B957FE48
B9 57 FE 48
Hash
Algorithm
###################
Indexing Service
###################
* A new hashing key (Search Key) is used for each room
Hybrid Data Security: Search Indexing Service

Secure Data Center
Indexing Service
“Spark”Spark
Content Server
Key Mgmt Service
###################
Hybrid Data Security: Querying a Search Index
Client sends its search
request over a secure
connection to the Indexing
Service
###################
B9
B9 57 FE 48
Hash
Algorithm
Indexing Service
“Spark”
“B9”
B9 57 FE 48
######################################
Spark IS the Message B9
*A link to Conversation Encryption Key is sent with the encrypted message

Secure Data Center
Indexing Service
Content Server
X1GFT5YY
Indexing Service
Jo Smith’s ContentJo Smith’s ContentJo Smith’s Content
Key Mgmt ServiceCompliance Service
Cloud Collaboration
Management Portal
############################################################################
######################################Jo Smith’s Content Jo Smith’s ContentJo Smith’s Content“X1GFT5YY”X1GFT5YY
Hash
Algorithm
Admin selects a group of
messages and files to be
retrieved for E-Discovery
e.g. : based on date range/
content type/ user(s)
The Content Server returns
Compliance Service
The Indexing Service
searches the Content
Server for selected content

Secure Data Center
Key Mgmt ServiceCompliance Service
Cloud Collaboration
Management Portal
E-Discov. StorageContent Server
The Compliance Service :
Decrypts content from the
Content Server, then
compresses and re-encrypts it
before sending it to the E-
Discovery Storage Service
E-Discovery Storage Service :
Sends the compressed and
encrypted content to the
Administrator on request
and Files
###################
###################
################
###################
###################
################
Jo Smith’s
Messages and Files
E-Discovery
Content Ready

Key Management Server
Federation

Hybrid Key
Management Servers
in different Enterprises
establish a Mutual
TLS* connection via
the Spark Cloud
Key Mgmt ServiceKey Mgmt Service
HDS: Key Management Server Federation
Enterprise A Enterprise B
Hybrid Key
Management Servers
make outbound
connections only :
HTTPS, Web Socket
Secure (WSS)
*All connections to and within the Spark Cloud use ECDH to generate symmetric Encryption Keys

With a secure
connection between
Hybrid KMSs…
Users can be added to
rooms created by each
Enterprise
Key Mgmt ServiceKey Mgmt Service
HDS: Key Management Server Federation
Enterprise A Enterprise B
Mutually Authenticated
Hybrid KMSs can
request Room
Encryption Keys from
one another on behalf
of their Users

Cloud Collaboration Network
Security

• VLANs
• Switch Port VLAN configuration and device requirements
• Firewalls
• Whitelists for Spark clients, devices and Services
• Media support – UDP/TCP/HTTP
• HTTP Proxies
• Proxy Types and Proxy Detection
• Proxy Authentication Methods ( Basic/Digest/ NTLM/ Negotiate/Kerberos) Auth Bypass
• Proxy TLS/ HTTPS traffic inspection – Certificate Pinning
• 802.1X – Authentication Methods EAP-FAST/ EAP-TLS, MAC Address Bypass
Cloud Collaboration Network Security Primer

Cisco Spark Cloud Access
Enterprise VLANs

Connecting from the Enterprise - VLANs
How are the switch ports configured ?
Minimum Enterprise Network Requirements :
Internet Access
DHCP, DNS server access
Internal TCP connectivity and ICMP to devices for support
???
• Single static untagged VLAN ?
• Dynamic VLAN assignment based on CDP/LLDP TLV values ?
• Multiple static VLANs (e.g. Data VLAN & Aux VLAN) ? –
802.1Q VLAN tagging required for the Auxiliary VLAN

Network Capabilities Spark Devices – CDP/LLDP, 802.1Q
Spark Device Protocol Software Train CDP/ LLDP 802.1Q Ethernet
PC Port
Granular Configuration
Windows, Mac,
iOS, Android, Web
HTTPS WME No/ No N/A N/A Static Untagged (Data) VLAN
DX HTTPS Room OS Yes/ No Yes Yes Dynamic VLAN assignment, 802.1Q
Tagging, Connected PC supported
Room Kit, MX, SX HTTPS Room OS Yes/ No Yes No Dynamic VLAN assignment, 802.1Q
Tagging
Spark Board HTTPS Spark Board OS Yes/ No Yes No Dynamic VLAN assignment, 802.1Q
Tagging

Connecting from the Enterprise - Firewalls
Whitelisted Ports and Destinations :
Media Port Ranges:
Source UDP Ports : Voice 52000 - 52099, Video 52100- 52299
Source TCP/ HTTP Ports : Ephemeral ( => No DSCP re-marking)
Destination UDP/ TCP/ HTTP Port : 5004, 5006
Destination IP Addresses : Any
• Spark Call (7800, 8800 Phones)
• Spark Desk and Room Devices
• Spark Clients
• See following slides for details
Signalling
Media

Voice and Video Classification and Marking
Port Range Summary – Endpoints and Clients
Audio:
52000-52099
Spark Soft Clients Spark Devices
Video:
52100-52299
52000 - 52049 52050 - 52099 52100 - 52199 52200 - 52299

Spark Apps : Network Port and Whitelist Requirements
Spark Device Protocol Source Ports Destination
Ports
Destination Function
Spark applications :
Windows,
Mac,
iOS,
Android,
Web
UDP Voice 52000 – 52049
Video 52100 – 52199
Exception - Windows
(OS Firewall issue)
Ephemeral source ports
used today (Fix due by
Q3 CY '17)
5004 &
5006
Any IP Address SRTP over UDP to Spark Cloud Media
Nodes
TCP Ephemeral 5004 &
5006
Any IP Address SRTP over TCP or HTTP to Spark Cloud
Media Nodes
TCP Ephemeral 443
identity.webex.com
idbroker.webex.com
*.wbx2.com
*.webex.com
*.ciscospark.com
*.clouddrive.com
*.rackcdn.com
*.crashlytics.com
*.mixpanel.com
*.appsflyer.com
*.adobetm.com
*.omtrdc.net
*.optimizely.com
HTTPS
Spark Identity Service
OAuth Service
Core Spark Services
Identity management
Core Spark Services
Content and Space Storage
Anonymous crash data
Anonymous Analytics
Mobile Clients only - Ad Analytics
Web Clients only - Analytics
Web Clients only - Telemetry
Web Clients only - Metrics

Spark Devices : Network Port and Whitelist Requirements
Ports
Desktop and Room
Systems :
SX Series
DX Series
MX Series
Room Kits
Spark Boards*
UDP Voice 52050 – 52099
Video 52200 – 52299
EFT Today
GA Q3 CY '17
5004 &
5006
Any IP Address SRTP over UDP to Spark Cloud
Media Nodes
TCP Ephemeral 5004 &
5006
Any IP Address SRTP over TCP or HTTP to Spark
Cloud Media Nodes* (Not Spark
Board)
TCP Ephemeral 443
identity.webex.com
idbroker.webex.com
*.wbx2.com
*.webex.com
*.ciscospark.com
*.clouddrive.com
*.rackcdn.com
*.crashlytics.com
*.mixpanel.com
*dropboxusercontent.com
HTTPS
Spark Identity Service
OAuth Service
Core Spark Services
Identity management
Core Spark Services
Anonymous crash data
Anonymous Analytics
*Spark Board (firmware updates)

Media Port Ranges:
Source UDP Ports : Voice and Video 33434 - 33598
Source TCP/ HTTP Ports : Ephemeral ( => No DSCP re-marking)
Destination UDP/ TCP/ HTTP Port : 5004
Destination IP Addresses : Any
Hybrid Media Node (HMN) :
• Can be used to limit source IP address range to HMNs only
• Hybrid Media Node Source UDP ports for voice and video are different to
those used by endpoints – Used for cascade links to the Spark Cloud
• Voice and Video use a common UDP source port range : 33434 - 33598
Signalling
Media

Hybrid Data Security Node (HDS) :
• Key Management Service
• Indexing (Search) Service
• E-Discovery Service
Signalling
Media
• HDS Signaling Traffic Only
• Outbound HTTPS and WSS Signaling Only

HMN & HDS Nodes: Network Port & Whitelist Requirements
Ports
Hybrid Media
Node (HMN)
UDP Voice and Video use a
common UDP source port
range :
33434 - 33598
5004
Cascade
Destination
Any IP Address Cascaded SRTP over UDP
Media Streams to Cloud Media
Nodes
TCP Ephemeral 5004
Cascade
Destination
Any IP Address Cascaded SRTP over
TCP/HTTP Media Streams to
Cloud Media Nodes
TCP Ephemeral 123, 53, 444 Any NTP, DNS, HTTPS
TCP Ephemeral 443 *wbx2.com
*idbroker.webex.com
HTTPS Configuration Services
Hybrid Data
Security Node
(HDS)
TCP Ephemeral 443 *.wbx2.com
idbroker.webex.com
identity.webex.com
index.docker.io
Outbound HTTPS and WSS

What do we send to Third Party sites?
Site Clients that Access It What is sent there User
PII?
Anonymized
Usage info?
Encrypted
User
Generated
Content
*.clouddrive.com Win, Mac, iOS, Android,
Web, Spark Board
Encrypted files for Spark file sharing.
Part of Rackspace content system.
N N Y
*.rackcdn.com Win, Mac, iOS, Android,
Web, Spark Board
Encrypted files for Spark file sharing.
Part of Rackspace content system.
N N Y
*.mixpanel.com Win, Mac, iOS, Android,
Web
Anonymous usage data N Y N
*.appsflyer.com iOS, Android Anonymous usage data related to
onboarding
N Y N
*.adobedtm.com Web Anonymous usage data N Y N
*.omtrdc.net Web Anonymous usage data N Y N
*.optimizely.com Web Anonymous usage data for AB
testing
N Y N

Enterprise Proxies

• Proxy Address given to Device/Application……….
Connecting from the Enterprise - Proxy Types
Proxy Types:
• Transparent Proxy (Device/Application is unaware of Proxy existence)
• In Line Proxies (e.g. Combined Proxy and Firewall)
• Traffic Redirection (e.g. Using Cisco WCCP)
Signalling
UDP Media
HTTP/HTTPS traffic only sent to the Proxy server e.g.
Destination ports 80, 443, 8080, 8443

• Proxy Detection (Proxy Address given to Device/Application)
Connecting from the Enterprise – Proxy Detection
• Manual Configuration
• Auto Configuration (Proxy Auto Conf (PAC) files)
Proxy
Address
Proxy
Address
Proxy
Address
PACPACPAC
Signalling
UDP Media

Network Capabilities Spark Devices – Proxy Detection
Spark Device Protocol Software Train Proxy Detection Granular Configuration
Windows, Mac,
iOS, Android, Web
HTTPS WME Yes : Manual
Yes : PAC Files
Manually Configure Proxy Address or
Use PAC files (or Windows GPO)
DX HTTPS Room OS Yes : Manual using Web access Configure Proxy Address via device
Web interface
SX HTTPS Room OS Yes : Manual using Web access Configure Proxy Address via device
Web interface
MX HTTPS Room OS Yes : Manual using Web access Configure Proxy Address via device
Web interface
Room Kits HTTPS Room OS Yes : Manual using Web access Configure Proxy Address via device
Web interface
Spark Board HTTPS Spark Board OS Yes : Manual Configuration Manual Configuration of Proxy
Address

• Proxy Authentication
Connecting from the Enterprise – Proxy Authentication
• Proxy intercepts outbound HTTP request
• Authenticates the User (Username & Password)
• Authenticated User’s traffic forwarded
• Unauthenticated User’s traffic dropped/blocked
Signalling
UDP Media
Proxy Authentication is not mandatory, Many
Enterprises do No Authentication

• Basic Authentication
Common Proxy Authentication Methods
• Digest Authentication
• NTLMv2 Authentication
• Negotiate Authentication
• Kerberos
Signalling
UDP Media

• Basic Authentication
Proxy Authentication Methods – Basic Authentication
• Uses standard HTTP Headers
• Username and Password Base64 encoded
• Username and Password are NOT
encrypted or hashed
• Basic Username and Password challenge for devices
• i.e. Devices are not Users (no human interaction)
• Create one account (e.g. LDAP account) for all devices
• Create an account per device
• No Password Expiration
Signalling
UDP Media

• Digest Authentication
Proxy Authentication Methods – Digest Authentication
• Uses standard HTTP Headers
• Username and Password are not sent
• A Hash of the Username and Password is
sent instead
• Basic Username and Password challenge for devices
• Create one account (e.g. LDAP account) for all devices
• Or create an account per device
Signalling
UDP Media

• NT LAN Manager (NTLM) Authentication
Proxy Authentication Methods – NTLMv2 (Windows Only)
• Microsoft Challenge/Response AuthN. protocol
• Username sent in plain text
• Challenge/Nonce sent from the server
• Password hash used to encrypt the
challenge and return it to the server
• Password hashed but not sent
• Windows based Username and Password challenge for devices
• Create one account (AD account) for all devices
Signalling
UDP Media

Proxy Authentication Methods – Negotiate/IWA (Windows
Only) • Negotiate Authentication
• Microsoft implementation of SPNEGO
• Simple and Protected GSSAPI Negotiation
Mechanism. (Generic Security Service API)
• Kerberos or fallback to
• NTLM
• Negotiates the use of either :
• Windows based Username and Password challenge for devices
• Create one account (AD account) for all devices
Signalling
UDP Media
IWA - Integrated Windows Access

• Kerberos Authentication
Proxy Authentication Methods – Kerberos
• Strongest Security
• Client, Authentication Key Distribution Service, Ticket
Granting Service, Application Server
• Encrypted communication based on shared Secrets
• Client authenticates with the Authentication service
• Once authenticated, receives a Ticket Granting Ticket (TGT)
• Client requests access to a service (e.g. the Proxy) by presenting the TGT to
the Ticket Granting Service – the TGS authenticates the client and returns an
encrypted Service Ticket
• The Client presents the Service Ticket to Proxy which validates the user
(using the shared secret)
• HTTPS connection proceeds
Signalling
UDP Media

Proxy Authentication Bypass Methods
Manually Configure Proxy Server with :
• Device IP Address
IP Address 10.100.200.1
Signalling
UDP Media
10.100.200.3
identity.webex.com
idbroker.webex.com
*.wbx2.com
*.webex.com
*.ciscospark.com
*.clouddrive.com
*.crashlytics.com
*.mixpanel.com
*.rackcdn.com
• Whitelisted Destinations (e.g. *ciscospark.com)

Network Capabilities Spark Devices – Proxy Authentication
Spark Device Protocol Software Train Proxy Authentication Granular Configuration
Windows, Mac, iOS,
Android, Web
HTTPS WME Basic - No
Digest - No
NTLM - Yes (Windows)
Kerberos - No
Windows Only Today
Others OSs use Authentication By Pass
(Basic/ Digest/ Kerberos – Planned)
DX HTTPS Room OS Yes : Basic Auth – Web based Config
Digest Auth - planned
Configure Username and Password for
Proxy Authentication (Basic Auth)
SX HTTPS Room OS Yes : Basic Auth – Web based Config
MX HTTPS Room OS Yes : Basic Auth – Web based Config
Room Kits HTTPS Room OS Yes : Basic Auth – Web based Config
Spark Board HTTPS Spark Board OS Yes : Basic Auth - Manual Configuration Configure Username and Password for

• HTTPS/TLS Inspection
Proxy TLS/HTTPS Inspection – Non Spark Apps (1)
• Private CA signed Certificate sent to client on connection establishment
• Client compares Private CA Root Cert with those received in Cert Chain
• If they match – accept and proceed with the TLS connection
Private CA Root Certificate sent to client
Signalling
UDP Media

• HTTPS/TLS Inspection
Proxy TLS/HTTPS Inspection – Non Spark Apps (2)
• Proxy starts new HTTPS/TLS connection to Web/Cloud Service
• Proxy receives Certificate from Web/Cloud Service
• Proxy uses the Certificate to establish Secure TLS/HTTPS connection
• Proxy can now Decrypt, Inspect and Re-Encrypt session traffic
Signalling
UDP Media

• Certificate Pinning
HTTP Proxy - No HTTPS Inspection – Spark
Certificate Pinning
• CA signed Cisco Spark Certificate sent by HTTPS/TLS server
• Client creates a hash of the Cert’s Public Key
• If they match – accept and proceed with the TLS connection
Certificate Pin =
SHA 256 Hash of CA Root Certificate Public Key
VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=• Client compares the hash with the Certificate Pin in its Trust Store
Signalling
UDP Media

Proxy - HTTPS Inspection – Spark Certificate Pinning
• Proxy sends Private CA signed Certificate during HTTPS/TLS set up
• Client creates a hash of the Private CA signed Cert’s Public Key
• They DO NOT Match : TLS connection terminated
• Client compares the hash with the Certificate Pin in its Trust Store
Certificate Pin =
SHA 256 Hash of CA Root Certificate Public Key
VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=
Signalling
UDP Media

HTTPS Inspection – Spark Devices Cert. Pinning Fix
• Client creates a hash of the Private CA signed Cert’s Public Key
• They DO Match : Proceed with TLS connection
• Client compares the hash with the Certificate Pin in its Trust Store
Certificate Pin =
SHA 256 Hash of Private CA Root Certificate Public Key
• HTTPS/TLS Inspection possible
Signalling
UDP Media
• Private CA Cert copied to Spark Cloud

HTTPS Inspection – Spark Clients Cert. Pinning Fix
• Spark App checks to see if a copy of the Private CA Cert exists in
the OS Trust Store
• Proceed with TLS connection
• If the Cert exists – skip Certificate pinning process
Certificate Pin =
SHA 256 Hash of Spark CA Root Certificate Public Key
• HTTPS/TLS Inspection possible
Signalling
UDP Media
• Private CA Cert copied to Client OS Trust Store

Network Capabilities Spark Devices – HTTPS Inspection
Spark Device Protocol Software Train Supports TLS /HTTPS Inspection Cert Validation Method
Windows, Mac, Web HTTPS WME Yes : Win/Mac/Browser If Enterprise Certificate exists, then bypass
Certificate Pinning process
iOS, Android HTTPS WME No : iOS Android HTTPS Inspection By-Pass
DX HTTPS Room OS Yes – Requires Per Org Config of
Identity Service
Load Private CA Certs in Spark Service Download
Trust List with Private Certs
SX HTTPS Room OS Yes – Requires Per Org Config of
Identity Service
Load Private CA Certs in Spark Service
Download Trust List with Private Certs
MX HTTPS Room OS Yes – Requires Per Org Config of
Identity Service
Room Kits HTTPS Room OS Yes – Requires Per Org Config of
Identity Service
Spark Board HTTPS Spark Board OS No (Planned Q3 CY '17) HTTPS Inspection By-Pass

Network Access Control 802.1X

Connecting from the Enterprise – 802.1X
802.1X Operation
???
• Switch port network access restricted
• Client presents credentials to Authentication Server
• After successful Authentication – switch port configured for the
Device e.g. VLAN(s), ACLs
Authentication
Server

802.1X Network Authentication Methods
802.1X Network Authentication Methods :
?
• There are many options….
• Two key Authentication methods :
• EAP-FAST
• EAP-TLS
Authentication
Server
Username
Password

802.1X Network Authentication : EAP-FAST
802.1X Extensible Authentication Protocol - FAST
?
• Flexible Authentication via Secure Tunneling
• Username and Password based
• Does not require Certificates
Username
Password
Username
Password
Authentication
Server

802.1X Network Authentication : EAP-TLS
802.1X Extensible Authentication Protocol - TLS
?
• Transport Layer Security
• Requires Digital Certificates
• Mutual Client - Server Authentication
Authentication
Server

802.1X Fallback - MAC Address Bypass (MAB)
Bypasses 802.1X Authentication Mechanisms
?
• Uses the Device MAC Address
• Commonly used for Non 802.1X capable devices
• MAC address manually entered into Auth. Server
Phone 1 MAC AA:BB:CC:11:22:33
Authentication
Server
Phone 1
AA:BB:CC:11:22:33

Network Capabilities Spark Devices – 802.1X
Spark Device Protocol Software
Train
EAP-FAST EAP-TLS MIC Non CUCM
LSC
Certificate
Installation
Capability
Granular Configuration
Windows,
Mac, iOS,
Android, Web
HTTPS WME Wi-Fi - Yes
Wired - Yes
Wi-Fi - Yes
Wired - Yes
N/A Yes Yes Manually Install LSC (Windows
GPO, Mac – Configuration
Profiles)
DX HTTPS Room OS Wi-Fi - Yes
Wired - Yes
Wi-Fi - Yes
Wired – Yes
2H
CY17
Yes Yes
Web Based
Install Enterprise LSC via
device Web Interface
SX HTTPS Room OS Wired - Yes Wired – Yes No Yes Yes
Web Based
MX HTTPS Room OS Wired - Yes Wired – Yes No Yes Yes
Web Based
Room Kits HTTPS Room OS Wi-Fi - Yes
Wired - Yes
Wi-Fi - Yes
Wired – Yes
Yes Yes Yes
Web Based
Spark Board HTTPS Spark Board
OS
No (Planned
Q3 CY '17)
No (Planned
Q3 CY '17)
No No (Planned
Q3 CY '17)
Use MAC Address By-Pass

Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Explained

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (12)

Similaire à Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Explained

Similaire à Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Explained (20)

Plus de Cisco Canada

Plus de Cisco Canada (20)

Dernier

Dernier (20)

Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Explained