#ciscolivela 2017 presentation by Miro Polakovic
Post on 21-Jan-2018
TRANSCRIPT
Cisco Spark Platform & On Premise Security Explained
Miro Polakovic
Technical Marketing Engineer
Cisco Collaboration Technology Group
BRKCOL-2030
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to chat with the speaker after the session
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKCOL-2030
Cisco Spark spaces will be available until November 17, 2017.
Agenda
Introduction – Cisco Spark Security
Realms of Separation and Identity Obfuscation
Cloud based Data Security and Data Services
Synchronizing User IDs with Cisco Spark Platform & Single Sign On Support
Secure Cloud Connection, Data Encryption, secure search indexing
Compliance & E-Discovery Services, Retention Policies, Data ownership
Hybrid Data Security (HDS)
KMS on premise, Architecture, Search, Firewalls, Federation
Firewalls and Proxies Support
WebEx update
Management, Pro-Pack, SSO, Best Practices
Business Messaging Over Time…

Business Class Security Features
User Access Controls: Lock rooms to moderate room participants and content*
IT Management: Add Single Sign-On, directory sync, and view analytics
Encryption: End-to-end encryption in the cloud, and in-transit and media encryption
*Not included in free
Security and Compliance Challenge: Shadow IT vs. Corporate IT
Open Collaboration, Secured
Anywhere Access, Fully Searchable, Data and App Integrated, Cloud Managed
Discoverable, Enterprise Integrated, Encrypted, Compliant
No Compromise Collaboration

Cloud Based Security and Data Services
Cisco Spark Platform
Security, Compliance & Analytics – IT Requirements:
End to End Encryption + Key Management
Hybrid Data Security
Advanced Analytics (Operational, Behavioral, Productivity, Utilization)
Enterprise Identity & Access Management
Retention Policies
eDiscovery Search
Data Loss Prevention
Platform services: Meetings, Business Messaging, Cisco Spark Devices, Bots and Integrations, Calling, File Sharing
Cisco Collaboration Cloud Security - Realms of Separation
(Diagram: Identity Service, Key Mgmt Service, Indexing Service, Compliance Service and Content Server spread across Data Center A, Data Center B and Data Center C.)
Cisco Spark logically and physically separates functional components within the cloud:
Identity Services holding real user identity (e.g. email addresses) are separated from
Encryption, Indexing and Compliance Services, which are in turn separated from
Data Storage Services.
Realms of Separation – Encryption and Storage
(Diagram: Identity Service, Key Mgmt Service, Indexing Service, Compliance Service and Content Server across Data Center A, B and C; the Content Server holds only the encrypted message.)
Cisco Spark logically and physically separates functional components within the cloud.
Data Services such as Encryption Key Generation, Secure Message Indexing for Data Search, and Data Compliance functions operate in different Data Centers from the Data Center that encrypted content is stored in.
Data Storage services never have access to Encryption Keys.
Realms of Separation – Identity Obfuscation
(Diagram: jsmith@abc.com is known to the Identity Service; elsewhere in the cloud the user is referred to only by an obfuscated identifier, shown as htzb2n78jdbc9e.)
Outside of the Identity Service, real identity information is obfuscated:
For each User ID, Spark generates a random 128-bit Universally Unique Identifier (UUID) = the User’s obfuscated identity
No real identity information transits, or is stored, elsewhere in the cloud
Cisco Spark – User Identity Sync and Authentication
(Diagram: Directory Sync from the Enterprise Active Directory to the Identity Service.)
Directory Sync:
User Info can be synchronized from the Enterprise Active Directory
Multiple User attributes can be synchronized
Scheduled sync tracks employee changes
Passwords are not synchronized - the User either:
1) Creates a password, or
2) Uses SSO for Auth
Cisco Spark – SAML SSO Authentication
(Diagram: Directory Sync and SAML SSO between the Enterprise IdP and the Identity Service.)
SSO for User Authentication:
Administrators can work with their existing SSO solution
Identity Providers are using Security Assertion Markup Language (SAML) 2.0 and OAuth 2.0
On-Premise Identity as a Service
Cisco Collaboration Identity Partners: Cisco Spark integrates to Enterprise IdPs on premise or in the cloud

Cloud Based Security – Secure Messages and Content
Direct Internet access – Cisco Spark app connection
(Diagram: Cisco Spark app, Enterprise IdP, Identity Service and Cisco Spark Services.)
1) Customer downloads and installs Cisco Spark application (with Trust anchors)
2) Cisco Spark Client establishes a secure TLS connection with Cisco Spark Platform
3) Cisco Spark Identity Service prompts for an e-mail ID
4) User authenticated by Spark Identity Service, or the Enterprise IdP (SSO)
5) OAuth Access and Refresh Tokens created and sent to Cisco Spark app
• The Access Tokens contain details of the Spark resources the User is authorized to access
6) Spark Client presents its Access Tokens to register with Spark Services over a secure channel
Direct Internet access – Cisco Spark Device connection
(Diagram: Spark device showing the activation code 1234567890123456, Identity Service and Spark Service.)
1) User enters 16 digit activation code received via e-mail from the Spark provisioning service
2) Device authenticated by Identity Service (Trust anchors sent to device and secure connection established)
3) OAuth Access and Refresh Tokens created and sent to Spark Client
• The Access Tokens contain details of the Spark resources the User is authorized to access
4) Spark Client presents its Access Tokens to register with Spark Services over a secure channel
Cisco Spark - Encrypting Messages and Content
(Diagram: Spark Clients, the Key Management Service and the Content Server; messages and files are shown encrypted before they leave the client.)
Spark Clients request a conversation encryption key from the Key Management Service
Any messages or files sent by a Client are encrypted before being sent to the Cisco Spark Platform
Each Spark Room uses a different Conversation Encryption key
AES256-GCM cipher used for Encryption
Cisco Spark - Decrypting Messages and Content
(Diagram: encrypted messages flowing from the Content Server to the other Clients, with the Key Management Service serving keys on request.)
Encrypted messages sent by a Client are stored in the Cisco Spark Platform and also sent on to every other Client in the Spark Space
The encrypted message also contains a link to the conversation encryption key
If needed, Cisco Spark app can retrieve encryption keys from the Key Management Service
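The per-Space conversation key and key link described in the two slides above, as an added Go example that is not from the presentation or from Cisco's implementation: a client encrypts with AES-256-GCM under a key obtained from a simulated KMS and stores only the key URI with the message, so the stored copy is opaque to anyone without that key. The kms:// URI form, binding the URI as additional authenticated data and the in-memory KMS lookup are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ConversationKey is the per-Space AES-256 key a client obtains from the
// Key Management Service. URI is the link later embedded in each message
// (the "kms://..." form is an assumption of this example).
type ConversationKey struct {
	URI string
	Key []byte // 32 bytes = AES-256
}

// EncryptedMessage is what the client hands to the Cisco Spark Platform:
// the key link, the GCM nonce and the ciphertext with its tag appended.
// The key itself never travels with the message.
type EncryptedMessage struct {
	KeyURI     string
	Nonce      []byte
	Ciphertext []byte
}

// NewConversationKey models the KMS minting a fresh key for one Space.
func NewConversationKey(uri string) (*ConversationKey, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &ConversationKey{URI: uri, Key: key}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the sending client: AES-256-GCM under the Space's conversation
// key, with the link to that key attached. The key URI is bound as
// additional authenticated data, so a stored message cannot be re-pointed
// at a different key without failing authentication.
func Encrypt(ck *ConversationKey, plaintext string) (*EncryptedMessage, error) {
	gcm, err := newGCM(ck.Key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(ck.URI))
	return &EncryptedMessage{KeyURI: ck.URI, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is a receiving client: it follows the key link through the KMS
// lookup it has been granted. Without that key, or with a tampered
// ciphertext, the message stays opaque, which is the position the Content
// Server is always in.
func Decrypt(msg *EncryptedMessage, kms func(uri string) (*ConversationKey, bool)) (string, error) {
	ck, ok := kms(msg.KeyURI)
	if !ok {
		return "", errors.New("kms: conversation key not available to this client")
	}
	gcm, err := newGCM(ck.Key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, msg.Nonce, msg.Ciphertext, []byte(msg.KeyURI))
	if err != nil {
		return "", fmt.Errorf("gcm: authentication failed: %w", err)
	}
	return string(pt), nil
}

func main() {
	ck, err := NewConversationKey("kms://kms.example.invalid/keys/space-a") // constructed URI
	if err != nil {
		panic(err)
	}
	msg, _ := Encrypt(ck, "quarterly numbers attached")
	kms := func(uri string) (*ConversationKey, bool) { return ck, uri == ck.URI }
	pt, err := Decrypt(msg, kms)
	fmt.Printf("stored key link: %s\nrecovered: %q (err=%v)\n", msg.KeyURI, pt, err)
}
```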
Cloud Based Security – Secure Search, Indexing & eDiscovery
Searching Spaces: Building a Search Index
(Diagram: the Indexing Service runs each word of “Spark IS the message” through the Hash Algorithm, e.g. “Spark” -> B957FE48, and the hashes are stored alongside the encrypted message in the Content Server; the Key Mgmt Service holds the keys.)
The Indexing Service enables users to search for names and words in the encrypted messages stored in the Content Server
A Search Index is built by creating a fixed length hash* of each word in each message within a Space
The hashes for each Spark Space are stored by the Content Service
* A new (SHA-256 HMAC) hashing key (Search Key) is used for each room
Searching Spaces: Querying a Search Index – Search for the word “Spark”
(Diagram: the client sends “Spark” to the Indexing Service, which hashes it with the Space’s Search Key to B957FE48; the Content Server matches that hash against the stored hashes of “Spark IS the Message” and returns the matching encrypted content to the client.)
Client sends search request over a secure connection to the Indexing Service
The Indexing Service uses Per Space Search keys to hash the search terms
The Content Server searches for a match in its Hash tables and returns matching content to the client*
*A link to the Conversation Encryption Key is sent with the encrypted message
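The per-Space search index and query from the two slides above, as an added Go example that is not the presentation's or Cisco's code: an Indexing Service hashes each word with a per-Space HMAC-SHA256 Search Key, the Content Server stores and matches only those hashes, and the same word in another Space yields an unrelated hash, so nothing the Content Server holds reveals plaintext or correlates across Spaces. The posting-list layout, the tokenizer and case folding are assumptions made here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// ContentServer keeps only hashes: spaceID -> word hash -> IDs of the messages
// carrying it (a posting-list layout chosen for this example). No Search Keys, no plaintext.
type ContentServer struct {
	postings map[string]map[string][]string
}

func NewContentServer() *ContentServer {
	return &ContentServer{postings: map[string]map[string][]string{}}
}

// Store records the hashes the Indexing Service computed for one message.
func (cs *ContentServer) Store(spaceID, msgID string, wordHashes []string) {
	if cs.postings[spaceID] == nil {
		cs.postings[spaceID] = map[string][]string{}
	}
	seen := map[string]bool{}
	for _, h := range wordHashes {
		if !seen[h] {
			seen[h] = true
			cs.postings[spaceID][h] = append(cs.postings[spaceID][h], msgID)
		}
	}
}

// Match returns, sorted, the IDs of messages in a Space that contain hash h.
func (cs *ContentServer) Match(spaceID, h string) []string {
	ids := append([]string{}, cs.postings[spaceID][h]...)
	sort.Strings(ids)
	return ids
}

// IndexingService holds one random 32-byte Search Key per Space, minted on
// first use, so the same word hashes differently in every Space.
type IndexingService struct {
	searchKeys map[string][]byte
}

func NewIndexingService() *IndexingService {
	return &IndexingService{searchKeys: map[string][]byte{}}
}

func (is *IndexingService) searchKey(spaceID string) []byte {
	k, ok := is.searchKeys[spaceID]
	if !ok {
		k = make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			panic(err) // a crypto/rand failure is not recoverable here
		}
		is.searchKeys[spaceID] = k
	}
	return k
}

// tokenize lowercases and splits on non-alphanumerics; case folding is an
// assumption made here so "Spark" and "spark" index to one hash.
func tokenize(text string) []string {
	return strings.FieldsFunc(strings.ToLower(text), func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsDigit(r)
	})
}

// HashWord is the slide's fixed-length hash: HMAC-SHA256 of the lowercased word under the Space's Search Key.
func (is *IndexingService) HashWord(spaceID, word string) string {
	mac := hmac.New(sha256.New, is.searchKey(spaceID))
	mac.Write([]byte(strings.ToLower(word)))
	return hex.EncodeToString(mac.Sum(nil))
}

// IndexMessage hashes every word of a message and hands only the hashes to the Content Server.
func (is *IndexingService) IndexMessage(cs *ContentServer, spaceID, msgID, plaintext string) {
	var hs []string
	for _, w := range tokenize(plaintext) {
		hs = append(hs, is.HashWord(spaceID, w))
	}
	cs.Store(spaceID, msgID, hs)
}

// Search hashes the query term under the Space's key and asks the Content Server which messages carry it.
func (is *IndexingService) Search(cs *ContentServer, spaceID, term string) []string {
	return cs.Match(spaceID, is.HashWord(spaceID, term))
}

func main() {
	cs, is := NewContentServer(), NewIndexingService()
	is.IndexMessage(cs, "space-A", "m1", "Spark IS the message") // constructed sample message
	fmt.Println("space-A messages containing Spark:", is.Search(cs, "space-A", "Spark"))
}
```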
Enterprise Compliance - eDiscovery Search
• Compliance Console and eDiscovery features support investigating DLP and other compliance events with speed and accuracy
• Events API allows integration with systems for IT governance (CASB, DLP)
Value to Enterprise
• Meet HR, GRC & Legal compliance mandates
• Only authorized members of the DLP, HR and GRC teams can investigate events
Cisco Spark Content Ownership
Organization (org)
• Collection of users under the administrative domain of a single entity; the org has rights to the content of its users.
Spaces
• Ownership falls on the org of the user that creates the space.
• Space properties, content, events
Teams
• Ownership falls on the org of the user that creates the team.
• This organization also owns all spaces created under the team.
What does Content Ownership get you?
Action | Owning Organization | Participating Organization
CREATE
Post content into the space | No | No
READ
Read content (messages and files) posted by its own users into the space | Yes | Yes
Read content posted by any user in the space | Yes | No
UPDATE
Modify content posted by users into the space | No | No
DELETE
Delete content posted by its own users in the space | Yes | Yes
Delete content posted by any user in the space | Yes | No
Define retention policies for the space | Yes | No
Protect the End user!
Compliance Officer role
Search Spark Space Activity
Cisco Spark Search and Extraction Console: Enable legal discovery and incident investigation
Extension of Cisco Cloud Collaboration Management
Compliance Officer Role
Search on email ID, Room ID, keywords
Extraction of texts, files and contextual data
(Screenshot: Cloud Collaboration Management Portal)
Cisco Spark Compliance Service : E-Discovery (1)
(Diagram: the Compliance Officer’s selection in the Cloud Collaboration Management Portal is hashed by the Indexing Service, e.g. to X1GFT5YY, matched in the Content Server, and Jo Smith’s encrypted content is returned to the Compliance Service; the Key Mgmt Service holds the keys.)
Compliance Officer selects a group of messages and files to be retrieved for E-Discovery, e.g. based on date range / content type / user(s)
The Indexing Service searches the Content Server for related content
The Content Server returns matching content to the Compliance Service
Cisco Spark Compliance Service : E-Discovery (2)
(Diagram: Compliance Service, Content Server, Key Mgmt Service, E-Discovery Storage and the Cloud Collaboration Management Portal; Jo Smith’s Messages and Files leave the Compliance Service encrypted and the portal shows “E-Discovery Content Ready”.)
The Compliance Service: Decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service
The E-Discovery Storage Service: Sends the compressed and encrypted content to the Compliance Officer
Event API for Data Loss Prevention (DLP)
Integrate with DLP, Cloud Access Security Broker (CASB), Archival and eDiscovery solutions
Provides a stream of events and content that enables organizations to monitor and correct user behavior, preventing the loss of sensitive data
(Diagram: Cisco Spark (Content Server, Key Management Server) sends a stream of events to a third party DLP or CASB; its policies drive corrective actions such as delete content, remove user and delete title.)

Retention Policies
• Match message, meeting record and file storage for corporate risk management
• Includes white board records
• Content is deleted -- including backups
Value to Enterprise
• Control exposure by limiting amount of content in the cloud
• Align and unify policies across email, message products
Customer Controlled Security – Hybrid Data Security

Hybrid Data Security
• Creates a secure enclave in the customer data center to manage and provide visibility to the keys that secure the content, actions, & data within Spark
Value to Enterprise
• Ownership & Control of key management
• Assist enterprises in more highly regulated industries with meeting highest standards of encryption and data loss prevention
Cisco Spark – Hybrid Data Security (HDS)
(Diagram: the Key Mgmt Service, Indexing Service and Compliance Service move into the customer’s Secure Data Center; the Content Server stays in the cloud.)
Hybrid Data Services = On Premise: Key Management Server, Indexing Server, E-Discovery Service
Cisco Spark – Hybrid Data Security: Key Management
(Diagram: Key Mgmt Server in the customer’s Secure Data Center, Content Server in the cloud.)
The Hybrid Key Management Server performs the same functions as the Cloud based Key Management Server,
BUT now all of the keys for messages and content are owned and managed by the Customer
Hybrid Data Security traffic and Firewalls
(Diagram: Hybrid Data Security in the Secure Data Center connecting outbound through the enterprise Firewall to the Content Server, Key Mgmt Service, Indexing Service and Compliance Service.)
Hybrid Data Services make outbound connections only, from the Enterprise to Cisco Spark Platform, using HTTPS and Secure WebSockets (WSS)
No special Firewall configuration required
Hybrid Data Security - Scalability
(Diagram: several Hybrid Data Security nodes in the Secure Data Center, managed from the cloud.)
The Hybrid Data Security is managed and upgraded from the cloud
Customers can access usage information for the HDS Servers via the cloud management portal
Multiple HDS servers can be provisioned for Scalability & Load Sharing
HDS - Encrypting Messages & Content
(Diagram: Cisco Spark app, Hybrid Key Management Server in the Secure Data Center, Content Server in the cloud.)
Cisco Spark app requests an encryption key from the Hybrid Key Management Server
Any messages or files sent by a Client are encrypted before being sent to the Cisco Spark Platform
Encrypted messages and content stored in the cloud
Encryption Keys stored locally
HDS - Decrypting Messages & Content
(Diagram: encrypted messages flow from the Content Server in the cloud to the other Clients; keys come from the Hybrid Key Management Server in the Secure Data Center.)
Encrypted messages from Clients are stored in Cisco Spark Platform
These messages are sent to every other Client in the Spark Room and contain a link to their encryption key on the Hybrid Key Management Server
Cisco Spark App will retrieve encryption keys from the Hybrid Key Management Server
Hybrid Data Security: Search Indexing Service
(Diagram: the Indexing Service, now in the Secure Data Center, hashes each word of “Spark IS the message”, e.g. “Spark” -> B957FE48; the hashes are stored with the encrypted message in the cloud Content Server.)
The Indexing Service enables users to search for names and words in the encrypted messages stored in the Content Server
* A new hashing key (Search Key) is used for each room
Hybrid Data Security: Querying a Search Index – Search for the word “Spark”
(Diagram: the client sends “Spark” to the on-premise Indexing Service, which hashes it to B957FE48; the Content Server matches the hash against “Spark IS the Message” and returns the encrypted content.)
Client sends its search request over a secure connection to the Indexing Service
*A link to the Conversation Encryption Key is sent with the encrypted message
Cisco Spark Compliance Service : E-Discovery (1)
(Diagram: the Indexing Service and Compliance Service now run in the Secure Data Center; the Admin’s selection from the Cloud Collaboration Management Portal is hashed, e.g. to X1GFT5YY, and Jo Smith’s encrypted content is returned from the cloud Content Server.)
Admin selects a group of messages and files to be retrieved for E-Discovery, e.g. based on date range / content type / user(s)
The Indexing Service searches the Content Server for selected content
The Content Server returns matching content to the Compliance Service
Cisco Spark Compliance Service : E-Discovery (2)
(Diagram: Key Mgmt Service, Compliance Service and E-Discovery Storage in the Secure Data Center, Content Server in the cloud, Cloud Collaboration Management Portal; Jo Smith’s Messages and Files leave encrypted and the portal shows “E-Discovery Content Ready”.)
The Compliance Service: Decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service
E-Discovery Storage Service: Sends the compressed and encrypted content to the Administrator on request

Customer Controlled Security – Key Management Server Federation
HDS: Key Management Server Federation
(Diagram: Enterprise A and Enterprise B, each with its own Hybrid Key Mgmt Service, connected via the Cisco Spark Platform Content Server and Key Mgmt Service.)
Hybrid Key Management Servers in different Enterprises establish a Mutual TLS* connection via Cisco Spark Platform
Hybrid Key Management Servers make outbound connections only: HTTPS, Web Socket Secure (WSS)
*All connections to and within Cisco Spark Platform use ECDH to generate symmetric Encryption Keys
HDS: Key Management Server Federation
(Diagram: Enterprise A and Enterprise B Hybrid Key Mgmt Services exchanging room keys via the Cisco Spark Platform.)
With a secure connection between Hybrid KMSs, users can be added to rooms created by each Enterprise
Mutually Authenticated Hybrid KMSs can request Room Encryption Keys from one another on behalf of their Users

Customer Controlled Security – Architecture and considerations
Hybrid Data Security Architecture
(Diagram: Secure Data Center A with an HDS Cluster of Hybrid Data Services Nodes (VMs) on vSphere, each running Docker with an ECP Mgmt Container and HDS Containers and reading the Config File from an IDE Mount; Customer Provided Services: Postgres Database, Syslogd, Database Back Up, System Back Up.)
ECP (Enterprise Compute Platform): Management containers which communicate with the cloud and perform actions such as sending health checks and checking for new versions of HDS.
HDS (Hybrid Data Security): Key Management Server, Search Indexer, and eDiscovery Services.
HDS Cluster Config: An ISO file containing configuration information for the local HDS cluster, e.g. Database connection settings, Database Master Encryption key, etc.
IDE Mount: Mount point of the read-only HDS Cluster Config ISO file containing the configuration settings for the HDS system.
Hybrid Data Security – Positioning: HDS may not be desirable for all customers
HDS includes:
• KMS
• Search indexer
• eDiscovery backend
Whilst HDS offers unique security features to customers in that they, and they alone, can store and own the encryption keys for their messages and content…
These benefits also come with significant responsibilities:
A HDS Deployment requires significant customer commitment and an awareness of the risks that come with owning encryption keys…
Complete loss of either the configuration ISO or the Postgres Database will result in loss of the decryption keys stored in HDS. This will prevent users from decrypting space content and other encrypted data. If this happens, an empty HDS can be restored; however, only new content will be visible.
HDS Install Prerequisites
See prerequisites in https://www.cisco.com/go/hybrid-data-security
X.509 Certificate, Intermediates and Private Key: PKI (Public Key Infrastructure) is used for KMS to KMS federation. Common Name signed by a member of the Mozilla Trusted Root Store. No SHA1 signatures. PKCS12 format.
2 ESXi Virtualized Hosts: Min 2 to support upgrades, 3 recommended, 5 max. Minimum 4 vCPUs, 8-GB main memory, 50-GB local hard disk space per server. kms://cisco.com easily supports 15K users per HDS.
1 Postgres 9.6.1 Database Instance (Key datastore): 8 vCPU, 16 GB RAM, 2 TB Disk. User created with createuser. Assigned GRANT ALL PRIVILEGES ON database.
1 Syslog Host: hostname and port required to centralize syslog output from the three HDS instances and management containers
A secure backup location: The HDS system requires organization administrators to securely back up two key pieces of information: 1) A configuration ISO file generated by this process 2) The Postgres database. Failure to maintain adequate backups will result in loss of customer data. See <Section on Disaster Recovery>.
Network: Outbound HTTPS on TCP port 443 from HDS host. Bi-directional WSS on TCP port 443 from HDS host. TCP connectivity from HDS host to Postgres database host, syslog host and statsd host.
Cisco Spark Platform & Enterprise Firewalls

Connecting from the Enterprise - Firewalls
Whitelisted Ports and Destinations:
Media Port Ranges:
Source UDP Ports: Voice 52000 - 52099, Video 52100 - 52299
Source TCP/HTTP Ports: Ephemeral (=> No DSCP re-marking)
Destination UDP/TCP/HTTP Port: 5004, 5006
Destination IP Addresses: Any
• Spark Call (7800, 8800 Phones)
• Spark Desk and Room Devices
• Spark Clients
• See following slides for details
(Diagram: Signalling and Media flows through the enterprise firewall.)
Supported by most devices today, remaining devices on roadmap
Voice and Video Classification and Marking – Source Range Summary – Endpoints and Clients
Audio: 52000-52099 (Spark Soft Clients 52000 - 52049, Spark Devices 52050 - 52099)
Video: 52100-52299 (Spark Soft Clients 52100 - 52199, Spark Devices 52200 - 52299)
Spark Apps: Network Port and Whitelist Requirements
Spark Device | Protocol | Source Ports | Destination Ports | Destination | Function
Spark applications: Windows, Mac, iOS, Android, Web | UDP | Voice 52000 – 52049, Video 52100 – 52199 (Exception - Windows (OS Firewall issue): Ephemeral source ports used today, fix due by Q3 CY '17) | 5004 & 5006 | Any IP Address | SRTP over UDP to Cisco Spark Media Nodes
Spark applications | TCP | Ephemeral | 5004 & 5006 | Any IP Address | SRTP over TCP or HTTP to Cisco Spark Media Nodes
Spark applications | TCP | Ephemeral | 443 | HTTPS destinations listed below | HTTPS
  identity.webex.com – Spark Identity Service
  idbroker.webex.com – OAuth Service
  *.wbx2.com – Core Spark Services
  *.webex.com – Identity management
  *.ciscospark.com – Core Spark Services
  *.clouddrive.com – Content and Space Storage
  *.rackcdn.com – Content and Space Storage
  *.crashlytics.com – Anonymous crash data
  *.mixpanel.com – Anonymous Analytics
  *.appsflyer.com – Mobile Clients only - Ad Analytics
  *.adobetm.com – Web Clients only - Analytics
  *.omtrdc.net – Web Clients only - Telemetry
  *.optimizely.com – Web Clients only - Metrics
Spark Devices: Network Port and Whitelist Requirements
Spark Device | Protocol | Source Ports | Destination Ports | Destination | Function
Desktop and Room Systems: SX Series, DX Series, MX Series, Room Kits, Spark Boards* | UDP | Voice 52050 – 52099, Video 52200 – 52299 | 5004 & 5006 | Any IP Address | SRTP over UDP to Cisco Spark Media Nodes
Desktop and Room Systems | TCP | Ephemeral | 5004 & 5006 | Any IP Address | SRTP over TCP or HTTP to Cisco Spark Media Nodes* (Not Spark Board)
Desktop and Room Systems | TCP | Ephemeral | 443 | HTTPS destinations listed below | HTTPS
  identity.webex.com – Spark Identity Service
  idbroker.webex.com – OAuth Service
  *.wbx2.com – Core Spark Services
  *.webex.com – Identity management
  *.ciscospark.com – Core Spark Services
  *.clouddrive.com – Content and Space Storage
  *.rackcdn.com – Content and Space Storage
  *.crashlytics.com – Anonymous crash data
  *.mixpanel.com – Anonymous Analytics
Spark Board | TCP | Ephemeral | 80 | www.cisco.com or www.ciscospark.com or www.google.com or www.amazon.co.uk | HTTP for time synchronization
Connecting from the Enterprise - Firewalls
Media Port Ranges:
Source UDP Ports: Voice and Video 34000 - 34999
Source TCP/HTTP Ports: Ephemeral (=> No DSCP re-marking)
Destination UDP/TCP/sRTP Port: 5004, 5006
Destination IP Addresses: Any
Hybrid Media Node (HMN):
• Can be used to limit source IP address range to HMNs only
• Hybrid Media Node Source UDP ports for voice and video are different to those used by endpoints – Used for cascade links to Cisco Spark Platform
• Voice and Video use a common UDP source port range: 33434 - 33598
(Diagram: Signalling and Media flows through the enterprise firewall.)
Connecting from the Enterprise - Firewalls
Hybrid Data Security Node (HDS):
• Key Management Service
• Indexing (Search) Service
• E-Discovery Service
Hybrid Data Services:
• HDS Signaling Traffic Only
• Outbound HTTPS and WSS Signaling Only
(Diagram: Signalling and Media flows through the enterprise firewall.)
HMN & HDS Nodes: Network Port & Whitelist Requirements
Spark Device | Protocol | Source Ports | Destination Ports | Destination | Function
Hybrid Media Node (HMN) | UDP | Voice and Video use a common UDP source port range: 34000 - 34999 | 5004, 5006 (Cascade Destination) | Any IP Address | Cascaded SRTP over UDP Media Streams to Cloud Media Nodes
Hybrid Media Node (HMN) | TCP | Ephemeral | 5004 (Cascade Destination) | Any IP Address | Cascaded SRTP over TCP/HTTP Media Streams to Cloud Media Nodes
Hybrid Media Node (HMN) | TCP | Ephemeral | 123, 53, 444 | Any | NTP, DNS, HTTPS
Hybrid Media Node (HMN) | TCP | Ephemeral | 443 | *wbx2.com, *idbroker.webex.com | HTTPS Configuration Services
Hybrid Data Security Node (HDS) | TCP | Ephemeral | 443 | *.wbx2.com, idbroker.webex.com, identity.webex.com, index.docker.io | Outbound HTTPS and WSS

Cisco Spark Platform & Enterprise Proxies
Connecting from the Enterprise - Proxy Types
Proxy Types:
• Proxy Address given to Device/Application
• Transparent Proxy (Device/Application is unaware of Proxy existence)
• In Line Proxies (e.g. Combined Proxy and Firewall)
• Traffic Redirection (e.g. Using Cisco WCCP)
HTTP/HTTPS traffic only is sent to the Proxy server, e.g. Destination ports 80, 443, 8080, 8443
(Diagram: Signalling passes through the proxy; UDP Media goes directly through the firewall.)
Connecting from the Enterprise – Proxy Detection
• Proxy Detection (Proxy Address given to Device/Application)
• Manual Configuration
• Auto Configuration (Proxy Auto-Config (PAC) files)
(Diagram: devices learn the Proxy Address either manually or from PAC files; Signalling passes through the proxy, UDP Media goes directly through the firewall.)
Network Capabilities Spark Devices – Proxy Detection
Spark Device | Protocol | Software Train | Proxy Detection | Granular Configuration
Windows, Mac, iOS, Android, Web | HTTPS | WME | Yes: Manual; Yes: PAC Files | Manually Configure Proxy Address or Use PAC files (or Windows GPO)
DX | HTTPS | Room OS | Yes: Manual using Web access | Configure Proxy Address via device Web interface
SX | HTTPS | Room OS | Yes: Manual using Web access | Configure Proxy Address via device Web interface
MX | HTTPS | Room OS | Yes: Manual using Web access | Configure Proxy Address via device Web interface
Room Kits | HTTPS | Room OS | Yes: Manual using Web access | Configure Proxy Address via device Web interface
Spark Board | HTTPS | Spark Board OS | Yes: Manual Configuration | Manual Configuration of Proxy Address
7800 Phones | SIP, HTTPS | Synergy Lite | SIP – N/A; HTTPS – No (Planned) | Deploy In Line Proxy or Traffic Redirection (WCCP)
8800 Phones | SIP, HTTPS | Synergy Lite | SIP – N/A; HTTPS – No (Planned) | Deploy In Line Proxy or Traffic Redirection (WCCP)
ATA | SIP | ATA | SIP - N/A | N/A
Connecting from the Enterprise – Proxy Authentication
• Proxy Authentication:
• Proxy intercepts outbound HTTP request
• Authenticates the User (Username & Password)
• Authenticated User’s traffic forwarded
• Unauthenticated User’s traffic dropped/blocked
(Diagram: Signalling passes through the proxy; UDP Media goes directly through the firewall.)
Proxy Authentication is not mandatory; many Enterprises do no authentication
Common Proxy Authentication Methods
• Basic Authentication
• Digest Authentication
• NTLMv2 Authentication
• Negotiate Authentication
• Kerberos
(Diagram: Signalling passes through the proxy; UDP Media goes directly through the firewall.)
Proxy Authentication Bypass Methods
Manually Configure Proxy Server with:
• Device IP Address (the diagram shows devices at 10.100.200.1 and 10.100.200.3)
• Whitelisted Destinations (e.g. *ciscospark.com): identity.webex.com, idbroker.webex.com, *.wbx2.com, *.webex.com, *.ciscospark.com, *.clouddrive.com, *.crashlytics.com, *.mixpanel.com, *.rackcdn.com
(Diagram: Signalling passes through the proxy; UDP Media goes directly through the firewall.)
Network Capabilities Spark Devices – Proxy Authentication
Spark Device | Protocol | Software Train | Proxy Authentication | Granular Configuration
Windows, Mac, iOS, Android, Web | HTTPS | WME | Basic – No; Digest – No; NTLM – Yes (Windows); Kerberos – No | Windows only today; other OSs use authentication bypass (Basic/Digest/Kerberos planned)
DX | HTTPS | Room OS | Yes: Basic Auth (web-based config); Digest Auth planned | Configure username and password for proxy authentication (Basic Auth)
SX | HTTPS | Room OS | Yes: Basic Auth (web-based config); Digest Auth planned | Configure username and password for proxy authentication (Basic Auth)
MX | HTTPS | Room OS | Yes: Basic Auth (web-based config); Digest Auth planned | Configure username and password for proxy authentication (Basic Auth)
Room Kits | HTTPS | Room OS | Yes: Basic Auth (web-based config); Digest Auth planned | Configure username and password for proxy authentication (Basic Auth)
Spark Board | HTTPS | Spark Board OS | Yes: Basic Auth (manual configuration) | Configure username and password for proxy authentication (Basic Auth)
7800 Phones | SIP, HTTPS | Synergy Lite | SIP – N/A; HTTPS – No (planned) | Authentication bypass
8800 Phones | SIP, HTTPS | Synergy Lite | SIP – N/A; HTTPS – No (planned) | Authentication bypass
ATA | SIP | ATA | SIP – N/A | N/A
What do we send to Third Party sites?
Site | Clients that access it | What is sent there | User PII? | Anonymized usage info? | Encrypted user-generated content?
*.clouddrive.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing; part of Rackspace content system | N | N | Y
*.rackcdn.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing; part of Rackspace content system | N | N | Y
*.mixpanel.com | Win, Mac, iOS, Android, Web | Anonymous usage data | N | Y | N
*.appsflyer.com | iOS, Android | Anonymous usage data related to onboarding | N | Y | N
*.adobedtm.com | Web | Anonymous usage data | N | Y | N
*.omtrdc.net | Web | Anonymous usage data | N | Y | N
*.optimizely.com | Web | Anonymous usage data for A/B testing | N | Y | N
WebEx update
Where should a new WebEx site be managed?
Choose Cisco Spark Control Hub:
• Customer is rolling out both WebEx and Cisco Spark and they desire a unified management experience across both
• When the customer doesn’t need the following features:
1. Extensive WebEx site branding and customization
2. Tracking codes for intra-company billing
3. Group-level feature assignment
Choose WebEx Site Administration:
• The customer requires 1 or more of the advanced management features (1-3 listed above)
• The customer can accept segregated management of WebEx and Cisco Spark
Document with detail on how to choose and feature differences will be linked in the UX and available at: https://goo.gl/EAK9ZY
What is Cisco Spark Linking?
• Cisco Spark linking is a process to enable WebEx sites WBS31 or above that are managed by WebEx Site Administration to leverage improved WebEx analytics on Cisco Spark Control Hub, and, if the customer has purchased Pro Pack for Cisco Spark Control Hub, can also leverage diagnostics.
• Note: WebEx sites that are already managed using Cisco Spark Control Hub do not need Cisco Spark linking
When should I use Cisco Spark linking? WebEx site is WBS31 or above & managed by WebEx Site Administration, and
1. wants WebEx analytics that are available through Cisco Spark Control Hub - OR -
2. wants to easily roll out Cisco Spark for WebEx users
Pro-Pack for Cisco Spark Control Hub
Engagement, performance, diagnostics
Topline metrics
Visualization of trends / patterns (down to the individual user)
Key usage & user behavior
WebEx Analytics via the Pro Pack for Cisco Spark Control Hub
Identify recurring anomalies within historical trends
Easily see and drill down on problem areas
Explore detailed quality data(at the meeting and user level)
Search meetings in real-time
Single Sign-On (SSO) Enhancements – Add Attendance Security to Internal Meetings
Feature Highlights
• Identify or “tag” attendees in Participant list as SSO authenticated: “Internal” or “Guest”
• Require all participants to authenticate with SSO
• Set up invite-only meetings and require internal participants to authenticate with SSO (no forwarding of invite allowed)
• Available in Cisco WebEx® Meeting Center, Training Center, and Event Center
BRKCOL-2160 73
SAML Session Tokens
IdP Session Token TTL
• Generally less than one business day or 8 hours
• 2nd factor may or may not be stored or cached
WebEx SP Session Token TTL
• Browser: 90 minutes (default)
• Mobile/Client: 336 hours or 14 days (default)
• TTL values can be customized upon request
SAML Session Tokens can expire before their TTL expires:
• User closes browser or signs out
• Loss of network connection
• Tokens have been revoked
Mobile Improvements
Distinguish User Type in Lobby
• List of users in lobby sorted by signed-in/non-signed-in user
• Security feature of differentiating between internal and external users
• Option to select who can join
Remember Home Page
• Remembers signed-in user’s previously visited page
• Returns to previously visited page when app is relaunched
Limitations and Caveats
Audio devices or video endpoints do not have a lobby experience. Hence these devices do not obey the new settings, and unauthenticated users are still placed directly into open rooms.
Note: Video devices can be completely blocked today from Personal Room when this setting is on, but this hurts the user experience. (Not recommended)
WebEx: Secure as You Want it to Be
Site level settings
- Decline to list meeting on WebEx public site
- Block Guest Access and ‘Join Before Host’
- Exclude the meeting password from invitations (we do this by default now)
- Control audio privileges (global call back, toll and toll free options)
- Restrict mobile device access types
- Press ‘1’ to connect on audio
- Control global session types [chat/desktop share/remote control/file xfer/etc]
Authentication based
- Require meeting password, set password length/complexity requirements
- Manually approve account sign-ups
- Require attendees to log in; SSO even better
- Leverage ‘guest’ vs ‘internal’ user labels. Inform hosts that on a per-meeting basis they can exclude non-internal users
- Speak with each call-in user in the meeting, and verify identity
WebEx: Secure as You Want it to Be
Personal Room Settings
- Force unauthorized users to Personal Room lobby
- Autolock Personal Room after [n] minutes
TelePresence Settings
- Require TelePresence authentication/Meeting PIN
- Enforce TLS for TelePresence participants
In-Meeting Settings
- Control in-meeting session types [chat/desktop share/remote control/file xfer/etc]
- Eject/remove users that aren’t behaving properly, follow up with TAC InfoSec if necessary
Recording Policy
- Enforce recording passwords and authentication to retrieve
- Pull recordings from the site after (n) days
CMR Cloud (WebEx Video) Security Features
Cisco Spark Platform & On Premise Security Summary
What you’ve learned
Cisco Spark has multiple data stores and obfuscated user identity
Cloud based Data Security and Data Services: option to sync user data and enable SSO
Traffic is always encrypted; data-at-rest is stored encrypted as well, with Secure Search
Compliance & E-Discovery Services, Retention Policies, Data ownership
Hybrid Data Security (HDS): KMS on premise, Architecture, Search, Firewalls, Federation
Firewalls and Proxies Support
WebEx update: Management, Pro-Pack, SSO, Best Practices
Continue Your Education
• Demos in the Cisco campus
• Meet the Engineer 1:1 meetings
• Related sessions
  • BRKCOL-2699 Authorization and Authentication concepts for Collaboration
  • BRKCOL-2607 Understanding Cloud and Hybrid Cloud Collaboration Deployment
  • BRKCOL-2444 Evolution of Core Collaboration: Cloud and Hybrid Architectural Design
  • BRKCOL-2281 Steps to Successfully deploy Cisco Spark along with a media strategy
Thank you