Secure VidyoConferencing

Transcription

1 Protecting your communications November 2015 ABSTRACT: Vidyo provides a platform that delivers unparalleled ease of use and high quality visual communications. Ease of use, however, does not mean security is compromised. The Vidyo platform was architected with hardened security features that allows participants to comfortably communicate securely.

2 Table of Contents A holistic approach to secured communication... 3 Security by design... 3 User login and database security... 4 Signaling Encryption... 5 Media Encryption... 5 Component Authentication (spoof prevention) & Session Security... 5 Component Access and Malware Protection... 6 Secure Firewall Traversal... 6 Fig 1: Firewall with UDP Port Range Opened... 6 Fig 2: Firewall with UDP Ports Closed... 7 Fig 3: Firewall with explicit IP-to-IP rules for communication between VidyoRouters... 7 Virtual Meeting Room Access... 8 Conclusion... 8 Frequently Asked Questions Resources Vidyo

3 A holistic approach to secured communication Vidyo has made visual communications both ubiquitous and affordable with its revolutionary platform that leverages patented VidyoRouter technology and Scalable Video Coding (SVC), enabling end users to participate in high quality Vidyo conferences from just about anywhere using standard broadband Internet connections. While this approach affords great flexibility in access and endpoints, we also recognize the importance of protecting sensitive information transmitted over this medium from would-be hackers with malicious intent. This document provides an overview of the features of our secure VidyoConferencing TM option, designed to guard the integrity of your network and keep your communication and private information safe. More than just encryption User authentication/ login Component authentication Component access protection Database protection Password protection Signaling encryption Media encryption Secure firewall traversal Key Security Features AES-128 bit media encryption FIPS cryptographic libraries Secure HTTPS login utilizing industry standard PKI TLS 1.0 and 1.2 using strong encryption ciphers for signaling Password hashing in database Component blocking for spoof prevention Hardened Linux-based appliances for component access control Optional firewall traversal using built-in VidyoProxy software or explicit IP-to-IP firewall traversal using networked VidyoRouter deployment Encrypted token technology for session security No login information retained on the client Graphic indication for encrypted calls on the call screen Security by design Security starts with sound processes. Vidyo has a Security Council that meets regularly to review and update the security policies and processes associated with Vidyo s offerings, and review potential threats and issues to drive security related requirements into the product and its development, delivery and maintenance processes. This council includes representatives from Vidyo s product management, development, QA, customer support, and sales engineering organizations. These individuals also act as security related liaisons within their respective organizations to ensure implementation of the policies and processes set by the Security Council, and bring back relevant feedback and knowledge accumulated within their organizations. Vidyo s Product Management team considers security related implications for every proposed product modification. Vidyo uses resources such as NIST National Security Database, MITRE, OWASP, etc. to monitor third party software provider vulnerabilities and updates prior to 3

4 their inclusion in Vidyo products. The Software Development team also performs regular code reviews to identify potential security vulnerabilities. Vidyo s Quality Assurance team utilizes industry-leading security scanning tools such as Tenable s Nessus, Rapid 7 s Nexpose, and a host of open-source OWASP tools. Vidyo also uses the third party Qualys SSL Labs utility to help qualify that its server-based solutions meet the high level of security targeted. User login and database security Protecting the login process from eavesdroppers and hackers is fundamental to securing the VidyoConferencing system. Vidyo protects this process by establishing a critical front line of defense in a similar manner to the way access to online banking is secured using TLS. Vidyo infrastructure supports using industry standard Public Key Infrastructure, whereby each component can be issued a digital certificate by a trusted third party certifying authority. This allows endpoints to verify the identity of a VidyoPortal as well preventing malicious users from eavesdropping on communication. With TLS security enabled, the VidyoPortal automatically establishes an encrypted HTTPS channel with each Vidyo endpoint or web administration user that attempts to access the system. Before transmitting any login information, the Vidyo endpoint or web browser validates the certificate of the VidyoPortal and verifies that it was issued by a trusted third party certifying authority. Once certificate verification is completed, login and password information is transmitted securely to the VidyoPortal over the same encrypted HTTPS channel. Visual indication that the connection is secure is provided to the end user as a lock icon in their web browser or Vidyo client. For HTTPS connections, the ciphers and key exchange method used are dependent on what the end user s browser can support, however Vidyo infrastructure components will prefer to use the strongest available ciphers and will reject use of known weak ciphers. To safeguard user login credentials, no login information is retained by the Vidyo soft clients. Password information is always hashed and salted using PBKDF2 in the database. Password policies can be enabled on the VidyoPortal to 1) prompt a user to change their password after period of inactivity, or 2) lock out the account after a specified number of failed login attempts. For organizations that use an external database for user account management, LDAP and Active Directory are supported. When LDAP / AD are utilized no passwords are stored within the VidyoPortal. Additionally, password policies are supported via LDAP integration with the corporate directory system (such as Microsoft Active Directory, Oracle, Novell, etc.) Users can be also be authenticated using SAML. The VidyoPortal acts as a service provider and can authenticate users via external SAML 2.0 identity providers. Depending on deployment topology, this may be an ideal method to authenticate users when the VidyoPortal is public facing but the user database is not. Leveraging SAML provides a secure way to authenticate users while keeping the user database behind the firewall. 4

5 The admin has complete control to set passwords at all levels including changing the default passwords for the VidyoConferencing servers. This is the first step recommended in commissioning any VidyoConferencing system. All web administration pages can be configured to use HTTPS and, starting with VidyoConferencing 3.0, all management applications can be moved to the Management Interface (a second NIC on the Vidyo server), allowing for segregation of management and production traffic. This prevents the escalation of privileges in the event that the user level web user interface is compromised. In addition to admin access via the web, as mentioned above, the Vidyo servers have console access for system configuration. Access to the console is password protected and only available via direct physical connection or via SSH access. The administrative accounts can be authenticated against the internal database or the server can be configured to off load authentication via RADIUS. Signaling Encryption Signaling is the way different components within the Vidyo architecture communicate with one another. Protecting the information that is passed in this machine-to-machine communication from would-be hackers is important for securing the network. The secure VidyoConferencing option leverages AES encryption over TLS for Vidyo endpoint and server communications with certificate support. Vidyo supports Elliptical Curve Diffe- Hellman (ECDH), Diffe-Hellman (DH) or RSA for key exchanges. The media encryption keys are also negotiated over this secure connection and are then used to encrypt the RTP media traffic. Media Encryption With the secure VidyoConferencing system option enabled, Vidyo employs AES encryption over SRTP for audio, video and shared content. This helps protect the content of your Vidyo conferences from being intercepted and decoded without your knowledge. Chat messages are transmitted over the secure signaling link when enabled and also use AES when the secure VidyoConferencing option is included. A set of keys is used for each form of media and each leg of the Vidyo conference. With media encryption enabled for the system, a single VidyoRouter is able to support up to 100 concurrent HD 1080p connections; significantly more capacity than MCU s costing 5 to 10 times as much. Component Authentication (spoof prevention) & Session Security Spoofing refers to a tactic used by hackers to steal the identity of a trusted component of a network in order to gain access. Vidyo prevents spoofing through a rigorous component authentication scheme. Each Vidyo machine in a network has a unique identifier that is communicated to the VidyoPortal over a secure link and is otherwise not accessible. New components added to the network go to the VidyoPortal for configuration. If the VidyoPortal doesn t have a configuration defined for that machine s specific ID, the machine is blocked from joining the network until the administrator accepts the new ID and 5

6 manually configures the component. On the client side, a unique token used to authenticate the endpoint to the VidyoPortal in lieu of the password. Component Access and Malware Protection The Vidyo infrastructure components are all Linux based and available as virtual appliances running on VMware or physical appliances running on standard Intel based servers. To help prevent hackers from accessing the server software itself, Vidyo leverages the security features of Linux while hardening the system by closing all ports and services that are not relevant or used and disabling access to the underlying system. Vidyo server components and VidyoRoom endpoints are locked down appliances or virtual appliances, allowing only Vidyo signed and validated software to be applied onto the system thus preventing malicious content from being introduced into the network. Secure Firewall Traversal Depending on the specific deployment model, Vidyo provides optional methods of secure firewall traversal, enabling organizations to leverage the public network to provide connectivity for end users outside of the firewall without compromising the integrity of the private network or requiring additional expensive equipment. For implementations where the necessary range of UDP ports are opened on the company network, the Vidyo endpoints uses industry standard ICE/STUN to negotiate UDP ports directly with the VidyoRouter. These same protocols are employed for NAT traversal. Fig 1: Firewall with UDP Port Range Opened For implementations where the UDP ports are closed on the company network, Vidyo s proxy solution overcomes these blocking issues in a secure fashion by tunneling on port 443 using industry standard TLS. The Vidyo endpoint is able to auto-detect if firewall blocking is taking place and automatically switch to Vidyo s proxy configuration as needed. If the firewall configuration is known, auto-detection can be easily overridden. VidyoProxy client software module is embedded with the Vidyo endpoint application and the VidyoProxy server software module is embedded with the VidyoRouter application. The same proxy client and server software modules are also able to traverse Web Proxies, enabling the Vidyo deployment to fully integrate with existing web proxy devices and follow established policies rather than working around them. 6

7 Fig 2: Firewall with UDP Ports Closed For deployments where multiple VidyoRouters are networked together, a single low cost VidyoRouter can be position on each side of the firewall. The combination of the robust component authentication described in the Component Authentication (spoof prevention) & Session Security section of this document and a set of explicit IP-to-IP rules on the firewall enable the VidyoRouters to communicate securely with one another without the performance impact that tunneling on port 443 may have and without compromising the security of the private network. Using this approach, it becomes easy to keep on premise Vidyo endpoints on the corporate network, behind the firewall, without sacrificing performance or accessibility to the public network, and without adding cost to deployment. Fig 3: Firewall with explicit IP-to-IP rules for communication between VidyoRouters Regardless of whether an organization deploys a DMZ, VPN or other network topology, Vidyo provides cost-effective firewall traversal solutions that integrate with the topology and extend the reach of your video communications infrastructure beyond the private network securely. 7

8 The VidyoConferencing architecture is designed to be deployed in a modular and flexible manner. This allows different components to deployed on different network segments affording the ability adhere to strict network security policies. Virtual Meeting Room Access All Vidyo endpoints connect through the VidyoRouter and are not directly accessible from another endpoint. Even on public networks, Vidyo endpoints are therefore protected from unauthorized direct access through an IP address. The VidyoRouter architecture inherently provides the endpoint with a layer of security from third party hacking and voyeurism with built-in technology for spoof prevention, such as: encrypted token technology for session security, HTTPS with certificate support on login and TLS with certification for signaling, as mentioned previously in this document. No matter what Vidyo endpoint you utilize, your Vidyo meeting room is the core of your virtual office. Just like with a physical office, you may want to have an open-door policy for your Vidyo meeting room where anyone with an account on your VidyoPortal can drop in any time, or you may wish to close the door to your Vidyo meeting room. Vidyo affords you the flexibility to do both. If you prefer open door, you need not do anything. If you wish to control access, you have the ability to define a PIN for your room and share it only with the people that you want to have access to your room. When unauthenticated users join a meeting, they are identified as guests in the participant list so all participants know when to not discuss sensitive topics. Every user has the ability to change their hashed hyperlink to their personal meeting space as frequently as desired. In addition to the personal virtual meeting room, Vidyo also supports a one time use meeting room for scheduled meetings. When a meeting is scheduled a new meeting room is created with unique guest link, PIN code, and meeting ID. The one time meeting room eliminates conflicts between two disparate meetings taking place in the same meeting room. This is yet another level of security to provide control of sensitive information and make meetings more convenient. You also have moderation controls over your virtual meeting room when conferences are in session. As the meeting room owner you are also the moderator and, as the moderator you have advanced capabilities. This includes the ability to lock the meeting room preventing new participants from joining your meeting room. You can also control each participant s ability to send audio and video by using the mute buttons or you can disconnect anyone from the call with a simple click of a button. If desired, meeting rooms can be configured with a waiting room capability which prevents participants from seeing or hearing each other until the moderator joins the call. Conclusion Securing customer communications and private information without inhibiting the value and capability of the collaboration solution is a priority for Vidyo. With security in mind at the design stage of every new product developed, and a process in place for continuous monitoring, qualification and action to address new and emerging security threats, Vidyo delivers a visual collaboration platform that leverages industry standard and proven technologies with the goal of securing its users communications and private information. 8

9 For more information about Communications refer to the documentation located at or or contact your Vidyo sales representative or Vidyo Support. 9

10 Frequently Asked Questions Question 1 Question 2 Question 3 Does Vidyo perform security audits on its Vidyo servers and VidyoRoom solutions? Yes. Vidyo runs internal security scanners against its systems prior to software release. These internal scanners include Nexpose (Rapid7), Nessus (Tenable) and various OWASP tools. In addition, the external SSL Labs utility (Qualys) is run against Vidyo server components. Vidyo continuously evaluates new tools in this space to ensure that systems are tested with the utmost rigor. Vidyo periodically utilizes third parties to audit our products. Does Vidyo have any security certifications/compliance? Versions of VidyoPortal, VidyoRouter, VidyoGateway, VidyoRoom and VidyoDesktop have been tested and achieved JITC certification. Vidyo is now an approved vendor on the United States Department of Defense s Approved Products List (APL). What are the steps Vidyo takes to make sure that their Vidyo infrastructure components appliances are protected from hackers and virus attacks? The Vidyo infrastructure components are all Linux based. To prevent hackers from accessing the boxes themselves, Vidyo leverages the security features of Linux while hardening the box by closing all ports and services that are not used and disabling access to the underlying system without valid administrator credentials. Vidyo infrastructure components and VidyoRoom endpoints are locked down appliances with the goal of enabling only Vidyo validated software to be applied onto the system, preventing malicious content from being introduced into the network. Question 4 Question 5 Vidyo also works with customers to ensure they deploy their systems in a secure manner - for example, using firewalls, NAT's and management interfaces. How does Vidyo check that Vidyo infrastructure components and VidyoRoom systems are up to date with third party software security fixes? Vidyo has a multi-discipline Security Council that regularly monitors the latest vulnerabilities for the third party software elements used in the Vidyo solution and determines whether a particular Security Update is needed. Some resources that are monitored include Apache, Ubuntu Security Notices, NIST National Security Database, MITRE, OWASP, etc. Security patches are issued in a timely manner and all patches are rolled into the following system release. What is Vidyo s strategy when a security breach is identified in the 10

11 Question 6 Question 7 Question 8 code or in a 3rd party library that is used by Vidyo? When a potential security vulnerability is identified (whether it is within Vidyo's software or a third-party library), our Security Council immediately assesses the exploitability, impact and severity of the vulnerability. Based on these criteria, if/when it determines that it is appropriate Vidyo will: Issue a Security Bulletin with steps to mitigate the vulnerability and/or Issue a Security Update that permanently patches the vulnerability. Which SSL/TLS versions are supported or have been forced? Vidyo products support the following (in order of preference): TLS 1.2 TLS 1.1 TLS 1.0 Note: For Vidyo-to-Vidyo component communications, TLS is always used. For security reasons Vidyo no longer supports SSL 3.0. Does Vidyo use HTTPS connections for all infrastructure components and VidyoRoom systems? All web administration pages in Vidyo s infrastructure can be configured to use HTTPS. Does Vidyo have the ability to limit access to the Vidyo server appliances administrative functions to authorized network addresses only? As of VidyoPortal 3.0, all Management applications can be moved to the Management Interface (a second NIC on the VidyoPortal, VidyoRouter and VidyoGateway). This allows for segregation of Management and Production traffic. Customers can restrict access to the Management Network via ACL's on their firewalls, routers or switches. 11

12 Resources Find more information about the VidyoWorks platform and the Vidyo products described in this paper by using the links listed below. Vidyo Vidyo web site: Vidyo Support Center: Vidyo Resources (White Papers, Case Studies, Data Sheets, etc.): 12

13 Vidyo, Inc. (Corporate Headquarters) 433 Hackensack Ave., Hackensack, NJ 07601, USA Tel: Toll-free: EMEA +33 (0) APAC INDIA Vidyo, Inc. All rights reserved. Vidyo and other trademarks used herein are trademarks or registered trademarks of Vidyo, Inc. or their respective owners. All specifications subject to change without notice, system specifics may vary. Vidyo products are covered by one or more issued and/or pending US or foreign patents or patent applications. Visit for more information. Rev: