BRKCOL-2030 Cisco Spark Cloud and On Premise Security Explained

Transcription

1

2 Cisco Spark Cloud and On Premise Security Explained Tony Mulchrone Technical Marketing Engineer Cisco Collaboration Technology Group

3 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#

4 Spark Cloud Security and Hybrid Data Security

5 Agenda Introduction Spark Cloud Security Realms of Separation Identity Obfuscation Synchronizing User IDs with the Spark Cloud & Single Sign On Support Secure App and Device Connections Cloud based Data Security and Data Services Secure Messages and Content Secure Search and Indexing E-Discovery Services Customer controlled Security On Premise Hybrid Data Security Key Management Server Federation Deployment Considerations 5

6 Spark Cloud Security - Realms of Separation Identity Service Content Server Key Mgmt Service Indexing Service E-Discovery Service Data Center A Data Center B Data Center C Spark logically and physically separates functional components within the cloud Identity Services holding real user Identity (e.g. addresses) are separated from : Encryption, Indexing and E-Discovery Services, which are in turn separated from : Data Storage Services 6

7 Realms of Separation Identity Obfuscation Identity Service Content Server Key Mgmt Service Indexing Service E-Discovery Service Data Center A Data Center B Data Center C 8

8 Realms of Separation Identity Obfuscation htzb2n78jdbc9e Identity Service Content Server Key Mgmt Service Indexing Service E-Discovery Service Data Center A Data Center B Data Center C Outside of the Identity Service - Real Identity information is obfuscated : For each User ID, Spark generates a random 128-bit Universally Unique Identifier (UUID) = The User s obfuscated identity No real identity information transits the cloud 9

9 Spark User Identity Sync and Authentication User Info can be synchronized to Spark from the Enterprise Active Directory Identity Service Multiple User attributes can be synchronized Scheduled sync tracks employee changes Directory Sync Passwords are not synchronized - User : 1) Creates a Spark password or 2) Uses SSO for Auth 10

10 Spark SAML SSO Authentication Identity Service SSO for User Authentication : Administrators can configure Spark to work with their existing SSO solution Directory Sync SAML SSO Spark supports Identity Providers using Security Assertion Markup Language (SAML) 2.0 and OAuth 2.0 IdP See Notes for list of supported IdPs 11

11 Spark App Cloud connection Identity Service IdP Spark Service 1) Customer downloads and installs Spark App (with Trust anchors) 2) Spark App establishes a secure TLS connection with the Spark Cloud 3) Spark Identity Service prompts User for an ID 4) User Authenticated by Spark Identity Service, or the Enterprise IdP (SSO) 5) OAuth Access and Refresh Tokens created and sent to Spark App The Access Tokens contain details of the Spark resources the User is authorized to access 5) Spark App presents its Access Tokens to register with Spark Services over a secure channel 12

12 Spark App Cloud connection Identity Service IdP Spark Service 1) Customer downloads and installs Spark App (with Trust anchors) 2) Spark App establishes a secure TLS connection with the Spark Cloud 3) Spark Identity Service prompts User for an ID 4) User Authenticated by Spark Identity Service, or the Enterprise IdP (SSO) 5) OAuth Access and Refresh Tokens created and sent to Spark App The Access Tokens contain details of the Spark resources the User is authorized to access 5) Spark App presents its Access Tokens to register with Spark Services over a secure channel 13

13 Spark App Cloud connection Identity Service IdP Spark Service 1) Customer downloads and installs Spark App (with Trust anchors) 2) Spark App establishes a secure TLS connection with the Spark Cloud 3) Spark Identity Service prompts User for an ID 4) User Authenticated by Spark Identity Service, or the Enterprise IdP (SSO) 5) OAuth Access and Refresh Tokens created and sent to Spark App The Access Tokens contain details of the Spark resources the User is authorized to access 5) Spark App presents its Access Tokens to register with Spark Services over a secure channel 14

14 Spark App Cloud connection Identity Service IdP Spark Service 1) Customer downloads and installs Spark App (with Trust anchors) 2) Spark App establishes a secure TLS connection with the Spark Cloud 3) Spark Identity Service prompts User for an ID 4) User Authenticated by Spark Identity Service, or the Enterprise IdP (SSO) 5) OAuth Access and Refresh Tokens created and sent to Spark App The Access Tokens contain details of the Spark resources the User is authorized to access 5) Spark App presents its Access Tokens to register with Spark Services over a secure channel 15

15 Spark App Cloud connection Identity Service IdP Spark Service 1) Customer downloads and installs Spark App (with Trust anchors) 2) Spark App establishes a secure TLS connection with the Spark Cloud 3) Spark Identity Service prompts User for an ID 4) User Authenticated by Spark Identity Service, or the Enterprise IdP (SSO) 5) OAuth Access and Refresh Tokens created and sent to Spark App The Access Tokens contain details of the Spark resources the User is authorized to access 5) Spark App presents its Access Tokens to register with Spark Services over a secure channel 16

16 Spark App Cloud connection Identity Service IdP Spark Service 1) Customer downloads and installs Spark App (with Trust anchors) 2) Spark App establishes a secure TLS connection with the Spark Cloud 3) Spark Identity Service prompts User for an ID 4) User Authenticated by Spark Identity Service, or the Enterprise IdP (SSO) 5) OAuth Access and Refresh Tokens created and sent to Spark App The Access Tokens contain details of the Spark resources the User is authorized to access 5) Spark App presents its Access Tokens to register with Spark Services over a secure channel 17

17 Spark Device cloud connection Identity Service Spark Service 1) User enters 16 digit activation code received via from the Spark provisioning service 2) Device authenticated by Identity Service (Trust anchors sent to device and secure connection established) 3) OAuth Access and Refresh Tokens created and sent to Spark Device The Access Tokens contain details of the Spark resources the User is authorized to access 5) Spark Device presents its Access Tokens to register with Spark Services over a secure channel 18

18 Spark Device cloud connection Identity Service Spark Service 1) User enters 16 digit activation code received via from the Spark provisioning service 2) Device authenticated by Identity Service (Trust anchors sent to device and secure connection established) 3) OAuth Access and Refresh Tokens created and sent to Spark Device The Access Tokens contain details of the Spark resources the User is authorized to access 5) Spark Device presents its Access Tokens to register with Spark Services over a secure channel 19

19 Spark Device cloud connection Identity Service Spark Service 1) User enters 16 digit activation code received via from the Spark provisioning service 2) Device authenticated by Identity Service (Trust anchors sent to device and secure connection established) 3) OAuth Access and Refresh Tokens created and sent to Spark Device The Access Tokens contain details of the Spark resources the User is authorized to access 5) Spark Device presents its Access Tokens to register with Spark Services over a secure channel 20

20 Spark Device cloud connection Identity Service Spark Service 1) User enters 16 digit activation code received via from the Spark provisioning service 2) Device authenticated by Identity Service (Trust anchors sent to device and secure connection established) 3) OAuth Access and Refresh Tokens created and sent to Spark Device The Access Tokens contain details of the Spark resources the User is authorized to access 5) Spark Device presents its Access Tokens to register with Spark Services over a secure channel 21

21 Agenda Introduction Spark Cloud Security Realms of Separation Identity Obfuscation Synchronizing User IDs with the Spark Cloud & Single Sign On Support Secure App and Device Connections Cloud based Data Security and Data Services Secure Messages and Content Secure Search and Indexing E-Discovery Services Customer controlled Security On Premise Hybrid Data Security Key Management Server Federation Deployment Considerations 22

22 Cloud Based Security and Data Services

23 Cloud Based Security : Secure Messages and Content

24 Spark - Encrypting Messages and Content Key Management Service Content Server Key Mgmt Service Any messages or files sent by an App are encrypted before being sent to the Spark Cloud Spark App request a conversation encryption key from the Key Management Service Each Spark Room uses a different Conversation Encryption key 25

25 Spark - Encrypting Messages and Content Key Management Service Content Server Key Mgmt Service Any messages or files sent by an App are encrypted before being sent to the Spark Cloud Spark App request a conversation encryption key from the Key Management Service Each Spark Room uses a different Conversation Encryption key AES256-GCM cipher used for Encryption 26

26 Spark - Decrypting Messages and Content Key Management Service Content Server Key Mgmt Service Encrypted messages sent by the App are stored in the Spark Cloud and also sent on to every other App in the Spark Room The encrypted message also contains a link to the conversation encryption key If needed, Spark Apps can retrieve encryption keys from the Key Management Service 27

27 Spark - Decrypting Messages and Content Key Management Service Content Server message Key Mgmt Service message Encrypted messages sent by the App are stored in the Spark Cloud and also sent on to every other App in the Spark Room The encrypted message also contains a link to the conversation encryption key If needed, Spark Apps can retrieve encryption keys from the Key Management Service 28

28 Cloud Based Security : Secure Search and Indexing

29 Searching Spark Rooms : Building a Search Index Indexing Service Search Service Content Server Indexing Service Key Mgmt Service The Indexing Service : Enables users to search for names and words in the encrypted messages stored in the Content Server without decrypting content A Search Index is built by creating a fixed length hash* of each word in each message within a Room The hashed indexes for each Spark Room are stored by the Content Service

30 Searching Spark Rooms : Building a Search Index Indexing Service message Spark Hash the IS Algorithm Search Service Content Server ################### Indexing Service Key Mgmt Service The Indexing Service : Enables users to search for names and words in the encrypted messages stored in the Content Server without decrypting content B9 57 FE 48 A Search Index is built by creating a fixed length hash* of each word in each message within a Room * A new (SHA-256 HMAC) hashing key (Search Key) is used for each room The hashed indexes for each Spark Room are stored by the Content Service

31 Searching Spark Rooms : Querying a Search Index Search for the word Spark Hash FE Algorithm Indexing Service Search Service Content Server Indexing Service Key Mgmt Service App sends search request over a secure connection to the Indexing Service The Indexing Service uses ################### Per Room search keys to B9 57 FE 48 hash the search terms The Search Service searches the for a match in the hash tables and returns matching content to the App * 32

32 Searching Spark Rooms : Querying a Search Index Search for the word Spark Spark Hash FE Algorithm Indexing Service Search Service App sends search request over a secure connection to the Indexing Service Content Server ################### B9 57 FE 48 Indexing Service Key Mgmt Service The Indexing Service uses Per Room search keys to hash the search terms Spark IS the Message *A link to Conversation Encryption Key is sent with encrypted message The Search Service searches the for a match in the hash tables and returns matching content to the App * 33

33 Cloud Based Security : E Discovery Services

34 Spark E-Discovery Service : (1) Indexing Service Hash Algorithm Search Service Content Server ################### Indexing Service E-Discovery Service Key Mgmt Service Compliance Officer selects a group of messages and files to be retrieved for E- Discovery e.g. : based on date range/ content type/ username(s) The Indexing Service requests a search of related hashed content Spark Control Hub The Content Server returns matching content to the E-Discovery Service

35 Spark E-Discovery Service : (1) Indexing Service Hash Algorithm Search Service Content Server ################### Indexing Service E-Discovery Service ################### ################### ################### Key Mgmt Service Compliance Officer selects a group of messages and files to be retrieved for E- Discovery e.g. : based on date range/ content type/ username(s) The Indexing Service requests a search of related hashed content Spark Control Hub The Content Server returns matching content to the E-Discovery Service

36 Spark E-Discovery Service : (2) E-Discovery Service E-Discov. Storage Search Service Content Server E-Discovery Service ################### ################### ################### Key Mgmt Service The E-Discovery Service : Decrypts content from the Content Server, then compresses and reencrypts it before sending it to the E-Discovery Storage Service Spark Control Hub The E-Discovery Storage Service : Sends the compressed and encrypted content to the Administrator on request

37 Spark E-Discovery Service : (2) E-Discovery Service E-Discov. Storage Search Service Content Server E-Discovery Service Key Mgmt Service The E-Discovery Service : Decrypts content from the Content Server, then compresses and reencrypts it before sending it to the E-Discovery Storage Service E-Discovery Content Ready Spark Control Hub ################## Jo ################## Smith s Messages ################## and Files The E-Discovery Storage Service : Sends the compressed and encrypted content to the Administrator on request

38 Agenda Introduction Spark Cloud Security Realms of Separation Identity Obfuscation Synchronizing User IDs with the Spark Cloud & Single Sign On Support Secure App and Device Connections Cloud based Data Security and Data Services Secure Messages and Content Secure Search and Indexing E-Discovery Services Customer controlled Security On Premise Hybrid Data Security Key Management Server Federation Deployment Considerations 39

39 Customer Controlled Security : Hybrid Data Security Part of Pro Pack for Cisco Spark Control Hub

40 Spark Hybrid Data Security (HDS) Content Server Key Mgmt Service Indexing Service E-Discovery Service Secure Data Center 41

41 Spark Hybrid Data Security (HDS) Content Server Hybrid Data Services = On Premise : Key Management Server Indexing Server E-Discovery Service Secure Data Center Hybrid Data Security 42

42 Hybrid Data Security traffic and Firewalls Content Server Hybrid Data Services make outbound connections only from the Enterprise to the Spark cloud, using HTTPS and Secure WebSockets (WSS) Key Mgmt Service Indexing Service E-Discovery Service No special Firewall configuration required Firewall Secure Data Center Hybrid Data Security 43

43 Hybrid Data Security - Scalability Hybrid Data Security Content Server Key Mgmt Service Server Secure Data Center Hybrid Data Security Multiple HDS servers can be provisioned for Scalability & Load Sharing The Hybrid Data Security is managed and upgraded from the cloud Hybrid Data Security Customer s can access usage information for the HDS Servers via the Spark Control Hub

44 Spark Hybrid Data Security: Key Management Key Management Service Content Server Key Mgmt Server Secure Data Center Key Mgmt Service The Hybrid Key Management Server performs the same functions as the Cloud based Key Management Server BUT Now all of the keys for messages and content are owned and managed by the Customer 45

45 HDS - Encrypting Messages & Content Key Management Service Content Server Key Mgmt Service Secure Data Center Key Mgmt Service 46

46 HDS - Encrypting Messages & Content Key Management Service Content Server Key Mgmt Service Secure Data Center Key Mgmt Service Spark Apps request an encryption key from the HDS Key Management Server Any messages or files sent by an App are encrypted before being sent to the Spark Cloud Encrypted messages and content stored in the cloud Encryption Keys stored locally 47

47 HDS - Decrypting Messages & Content Key Management Service Content Server Key Mgmt Service Secure Data Center Key Mgmt Service 48

48 HDS - Decrypting Messages & Content Key Management Service Content Server Key Mgmt Service Encrypted messages from Apps are stored in the Spark Cloud message Secure Data Center Key Mgmt Service These messages are sent to every other App in the Spark Room and contain a link to their encryption key on the HDS Key Management Server If needed, Spark Apps can retrieve encryption keys from the HDS Key Management Server 49

49 Hybrid Data Security Secure App Connections Search Service Spark Service Spark Apps establish a direct TLS connection to the On Premise HDS node and KMS service Content Server This encrypted peer to peer session traverses the Spark Cloud Secure Data Center Hybrid Data Security Node App to Cloud TLS connection App to HDS TLS connection 50

50 Hybrid Data Security: Search Indexing Service Indexing Service Search Service Content Server The Indexing Service : Enables users to search for names and words in the encrypted messages stored in the Content Server without decrypting content Secure Data Center Indexing Service Key Mgmt Service 51

51 Hybrid Data Security: Search Indexing Service Indexing Service Search Service Content Server ################### B9 57 FE 48 The Indexing Service : Enables users to search for names and words in the encrypted messages stored in the Content Server without decrypting content Secure Data Center message Hash Spark ISthe Algorithm Indexing Service Key Mgmt Service * A new hashing key (Search Key) is used for each room 52

52 Hybrid Data Security: Querying a Search Index Search for the word Spark Search Service Indexing Service Content Server ################### B9 57 FE 48 The Indexing Service sends a hashed index of the App s search request to the Search Service Secure Data Center Indexing Service Key Mgmt Service 53

53 Hybrid Data Security: Querying a Search Index Search for the word Spark Search Service Indexing Service Content Server ################### B9 57 FE 48 The Indexing Service sends a hashed index of the App s search request to the Search Service Secure Data Center Hash Spark Algorithm Indexing Service Key Mgmt Service Spark IS the Message *A link to Conversation Encryption Key is sent with the encrypted message 54

54 Spark E-Discovery Service : (1) Indexing Service Search Service Content Server ################### Secure Data Center Spark Control Hub Hash Algorithm E-Discovery Service Indexing Service Key Mgmt Service

55 Spark E-Discovery Service : (1) Indexing Service Search Service Content Server Jo ################### Smith s Content The Indexing Service sends hashed search criteria to the Search Service The Content Server returns matching content to the E-Discovery Service Secure Data Center Spark Control Hub Hash Algorithm E-Discovery Service Indexing Service Key Mgmt Service ################### ################### ###################

56 Spark E-Discovery Service : (2) Search Service Content Server E-Discov. Storage Secure Data Center Spark Control Hub E-Discovery Service ################### ################### ################### Key Mgmt Service

57 Spark E-Discovery Service : (2) Search Service Content Server E-Discov. Storage E-Discovery Service : Decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E- Discovery Storage Service E-Discovery Storage Service : Sends the compressed and encrypted content to the Administrator on request Secure Data Center Spark Control Hub E-Discovery Content Ready ################## Jo Smith s ################## Messages ################## and Files E-Discovery Service Key Mgmt Service

58 Customer Controlled Security : Key Management Server Federation

59 HDS: Encryption Keys & Users in other Organizations Content Server Key Mgmt Service Key Mgmt Service Key Mgmt Service Organization A Organization B 60

60 HDS: Encryption Keys & Users in other Organizations Spark Spaces with users from multiple Organizations can share encrypted messages and content Content Server Key Mgmt Service How do external users retrieve encryption keys from the KMS of the Organization that owns the Spark Space? message? message Key Mgmt Service Key Mgmt Service Organization A Organization B 61

61 HDS: Key Management Server Federation Content Server Key Mgmt Service message message Key Mgmt Service Key Mgmt Service Organization A Organization B 62

62 HDS: Key Management Server Federation Hybrid Key Management Servers in different Organizations can establish a Mutual TLS connection via the Spark Cloud Content Server Key Mgmt Service Hybrid Key Management Servers make outbound connections only : HTTPS, Web Socket Secure (WSS) message message Key Mgmt Service Key Mgmt Service Organization A Organization B 63

63 HDS: Key Management Server Federation Content Server Key Mgmt Service message message Key Mgmt Service Key Mgmt Service Organization A Organization B 64

64 HDS: Key Management Server Federation With a secure connection between Key Management Servers Content Server Key Mgmt Service Mutually Authenticated KMSs can request Room Encryption Keys from one another on behalf of their Users message message Key Mgmt Service Key Mgmt Service Organization A Organization B 65

65 Customer Controlled Security : HDS Deployment Considerations

66 HDS System Architecture Hybrid Data Services Node (VM) Docker ECP Mgmt Container HDS Containers Secure Data Center A IDE Mount vsphere HDS Cluster Config File IDE Mount Hybrid Data Services Node (VM) Docker ECP Mgmt Container HDS Containers Syslogd Postgres Database Database Back Up Customer Provided Services System Back Up ECP (Enterprise Compute Platform): Management containers which communicate with the cloud and perform actions such as sending health checks and checking for new versions of HDS. HDS (Hybrid Data Security): Key Management Server, Search Indexer, and ediscovery Services. HDS Cluster Config: An ISO file containing configuration information for the local HDS cluster. e.g. Database connection settings, Database Master Encryption key, etc. IDE Mount: Mount point of the read-only HDS Cluster Config ISO file containing the configuration settings for HDS system.

67 HDS Deployment Considerations BYO : VM for deploying the HDS appliance, Postgres Database and syslogd servers. Customer manages backup and recovery of the Postgres Database and the local configuration ISO. Customer should perform quick disaster recovery in the event of a catastrophe (complete database disk failures, datacenter disaster) HDS application nodes and database need to be co-located in the same data center A HDS Deployment requires significant customer commitment and an awareness of the risks that come with owning encryption keys Complete loss of either the configuration ISO or the Postgres Database will result in loss of the decryption keys stored in HDS. This will prevent users from decrypting space content and other encrypted data. If this happens, an empty HDS can be restored, however, only new content will be visible. 68

68 HDS Install Prerequisites See prerequisites in X.509 Certificate, Intermediates and Private Key PKI is used for KMS to KMS federation (Public Key Infrastructure) Common Name signed by member of Mozzila Trusted Root Store No SHA1 signatures PKCS12 format 2 ESXi Virtualized Hosts: Min 2 to support upgrades, 3 recommended, 5 max Minimum 4 vcpus, 8-GB main memory, 50-GB local hard disk space per server kms://cisco.com easily supports 15K users per HDS. 1 Postgres Database Instance (Key datastore) 8 vcpu, 16 GB RAM, 2 TB Disk. User created with createuser. Assigned GRANT ALL PRIVILEGES ON database. 1 Syslog Host hostname and port required to centralize syslog output from the three HDS instances and management containers A secure backup location The HDS system requires organization administrators to securely backup two key pieces of information. 1) A configuration ISO file generated by this process 2) The postgres database. Failure to maintain adequate backups will result in loss of customer data. See <Section on Disaster Recovery>. Network Outbound HTTPS on TCP port 443 from HDS host Bi-directional WSS on TCP port 443 from HDS host TCP connectivity from HDS host to Postgres database host, syslog host and statsd host HTTPS proxies are unsupported 69

69 Cisco Spark and Enterprise Network Security

70 Agenda VLANs Switch Port VLAN configuration and device requirements Firewalls Whitelists for Spark Apps, devices and Services Media support UDP/TCP/HTTP HTTP Proxies Proxy Types and Proxy Detection Proxy Authentication Methods (Basic/ NTLM/ Negotiate/ Kerberos) Auth Bypass Proxy TLS/ HTTPS traffic inspection Certificate Pinning 802.1X Authentication Methods EAP-FAST/ EAP-TLS, MAC Address Bypass 71

71 Cisco Spark Cloud Access : Enterprise VLANs

72 Connecting from the Enterprise - VLANs How are the switch ports configured? Single static untagged VLAN? Dynamic VLAN assignment based on CDP/LLDP TLV values? Multiple static VLANs (e.g. Data VLAN & Aux VLAN)? 802.1Q VLAN tagging required for the Auxiliary VLAN??? Minimum Enterprise Network Requirements : Internet Access DHCP, DNS server access Internal TCP connectivity and ICMP to devices for support 73

73 Network Capabilities Spark Devices CDP/LLDP, 802.1Q Spark Device Protocol Software Train CDP/ LLDP Windows, Mac, ios, Android, Web 802.1Q Ethernet PC Port Granular Configuration HTTPS WME No/ No N/A N/A Static Untagged (Data) VLAN DX HTTPS Room OS Yes/ No Yes Yes Dynamic VLAN assignment, 802.1Q Tagging, Connected PC supported SX HTTPS Room OS Yes/ No Yes No Dynamic VLAN assignment, 802.1Q Tagging MX HTTPS Room OS Yes/ No Yes No Dynamic VLAN assignment, 802.1Q Tagging Room Kits HTTPS Room OS Yes/ No Yes No Dynamic VLAN assignment, 802.1Q Tagging Spark Board HTTPS Spark Board OS Yes/ No Yes No Dynamic VLAN assignment, 802.1Q Tagging 74

74 Cisco Spark Cloud Access : Enterprise Firewalls

75 Connecting from the Enterprise - Firewalls Signalling Media Whitelisted Ports and Destinations : Spark Desk and Room Devices Spark Apps See following slides for details Media Port Ranges: Source UDP Ports : Voice , Video Source TCP/ HTTP Ports : Ephemeral (=> No DSCP re-marking) Destination UDP/ TCP/ HTTP Port : 5004, 5006 Destination IP Addresses : Any 76

76 Voice and Video Classification and Marking Port Range Summary Endpoints and Apps Spark Apps Spark Devices Audio: Video:

77 Spark Applications : Network Port and Whitelist Requirements Spark Device Protocol Source Ports Destination Ports Destination Function Spark applications : Windows, Mac, ios, Android, Web UDP Voice Video & 5006 TCP Ephemeral 5004 & 5006 TCP Ephemeral 443 Any IP Address Any IP Address identity.webex.com idbroker.webex.com *.wbx2.com *.webex.com *.ciscospark.com *.clouddrive.com *.crashlytics.com *.mixpanel.com *.rackcdn.com *.appsflyer.com *.adobetm.com *.omtrdc.net *.optimizely.com SRTP over UDP to Spark Cloud Media Nodes SRTP over TCP or HTTP to Spark Cloud Media Nodes HTTPS Spark Identity Service OAuth Service Core Spark Services Identity management Core Spark Services Content and Space Storage Anonymous crash data Anonymous Analytics Content and Space Storage Mobile Apps only - Ad Analytics Web Apps only - Analytics Web Apps only - Telemetry Web Apps only - Metrics 78

78 Spark Devices : Network Port and Whitelist Requirements Spark Device Protocol Source Ports Destination Ports Destination Function Desktop and Room Systems : UDP Voice Video & 5006 Any IP Address SRTP over UDP to Spark Cloud Media Nodes SX Series DX Series MX Series Room Kits Spark Boards* TCP Ephemeral 5004 & 5006 TCP Ephemeral 443 Any IP Address identity.webex.com idbroker.webex.com *.wbx2.com *.webex.com *.ciscospark.com *.clouddrive.com *.crashlytics.com *.mixpanel.com *.rackcdn.com *.dropbox.com SRTP over TCP to Spark Cloud Media Nodes* (Not Spark Board) HTTPS Spark Identity Service OAuth Service Core Spark Services Identity management Core Spark Services Content and Space Storage Anonymous crash data Anonymous Analytics Content and Space Storage *Sparkboard (firmware updates) UDP Ephemeral 123 *.2.android.pool.ntp.org *Sparkboard NTP Time Sync. 79

79 Connecting from the Enterprise - Firewalls Signalling Media Hybrid Media Node (HMN) : Can be used to limit source IP address range to HMNs only Hybrid Media Node Source UDP ports for voice and video are different to those used by endpoints Used for cascade links to the Spark Cloud Voice and Video use a common UDP source port range : Media Port Ranges: Source UDP Ports : Voice and Video Source TCP/ HTTP Ports : Ephemeral ( => No DSCP re-marking) Destination UDP/ TCP/ HTTP Port : 5004 Destination IP Addresses : Any 80

80 Connecting from the Enterprise - Firewalls Signalling Media Hybrid Data Security Node (HDS) : Key Management Service Indexing (Search) Service E-Discovery Service Hybrid Data Services HDS Signaling Traffic Only Outbound HTTPS and WSS Signaling Only 81

81 HMN and HDS Nodes: Network Port and Whitelist Requirements Spark Device Protocol Source Ports Destination Ports Destination Function Hybrid Media Node (HMN) UDP Voice and Video use a common UDP source port range : Cascade Destination Any IP Address Cascaded SRTP over UDP Media Streams to Cloud Media Nodes TCP Ephemeral 5004 Cascade Destination Any IP Address Cascaded SRTP over TCP/HTTP Media Streams to Cloud Media Nodes TCP Ephemeral 123, 53, 444 Any NTP, DNS, HTTPS Hybrid Data Security Node (HDS) TCP Ephemeral 443 *wbx2.com *idbroker.webex.com TCP Ephemeral 443 *.wbx2.com idbroker.webex.com identity.webex.com index.docker.io HTTPS Configuration Services Outbound HTTPS and WSS 82

82 What do we send to Third Party sites? Site Apps that Access It What is sent there User PII? *.aws.com Win, Mac, ios, Android, Web, Spark Board Encrypted files for Spark file sharing. Part of Rackspace content system. Anonymized Usage info? N N Y Encrypted User Generated Content *.rackcdn.com Win, Mac, ios, Android, Web, Spark Board Encrypted files for Spark file sharing. Part of Rackspace content system. N N Y *.mixpanel.com Win, Mac, ios, Android, Web Anonymous usage data N Y N *.appsflyer.com ios, Android Anonymous usage data related to onboarding N Y N *.adobedtm.com Web Anonymous usage data N Y N *.omtrdc.net Web Anonymous usage data N Y N *.optimizely.com Web Anonymous usage data for AB testing N Y N 83

83 Cisco Spark Cloud Access : Enterprise Proxies

84 Connecting from the Enterprise - Proxy Types Signalling UDP Media HTTP/HTTPS traffic only sent to the Proxy server e.g. Destination ports 80, 443, 8080, 8443 Proxy Types: Transparent Proxy (Device/Application is unaware of Proxy existence) In Line Proxies (e.g. Combined Proxy and Firewall) Traffic Redirection (e.g. Using Cisco WCCP) Proxy Address given to Device/Application. 85

85 Connecting from the Enterprise Proxy Detection Signalling UDP Media PAC Proxy Detection (Proxy Address given to Device/Application) Manual Configuration Auto Configuration Proxy Address Proxy Address Proxy Address Web Proxy Auto Discovery (WPAD) Proxy Auto Conf (PAC) files 86

86 Network Capabilities Spark Devices Proxy Detection Spark Device Protocol Software Train Proxy Detection Granular Configuration Windows, Mac, ios, Android, Web HTTPS WME Yes : Manual Yes : PAC Files Manually Configure Proxy Address or Use WPAD and PAC files (or Windows GPO) DX HTTPS Room OS Yes : Manual using Web access Configure Proxy Address via device Web interface SX HTTPS Room OS Yes : Manual using Web access Configure Proxy Address via device Web interface MX HTTPS Room OS Yes : Manual using Web access Configure Proxy Address via device Web interface Room Kits HTTPS Room OS Yes : Manual using Web access Configure Proxy Address via device Web interface Spark Board HTTPS Spark Board OS Yes : Manual Configuration Manual Configuration of Proxy Address 87

87 Connecting from the Enterprise Proxy Authentication Signalling UDP Media Proxy Authentication is not mandatory, Many Enterprises do No Authentication Proxy Authentication Proxy intercepts outbound HTTP request Authenticates the User (Username & Password) Authenticated User s traffic forwarded Unauthenticated User s traffic dropped/blocked 88

88 Common Proxy Authentication Methods Basic Authentication Signalling UDP Media Digest Authentication NTLMv2 Authentication Negotiate Authentication Kerberos 89

89 Proxy Authentication Methods Basic Authentication Signalling UDP Media Basic Authentication Uses standard HTTP Headers Username and Password Base64 encoded Username and Password are NOT encrypted or hashed Basic Username and Password challenge for devices i.e. Devices are not Users (no human interaction) Create one account (e.g. LDAP account) for all devices Create an account per device No Password Expiration 90

90 Proxy Authentication Methods Digest Authentication Signalling UDP Media Digest Authentication Uses standard HTTP Headers Username and Password are not sent A Hash of the Username and Password is sent instead Basic Username and Password challenge for devices i.e. Devices are not Users (no human interaction) Create one account (e.g. LDAP account) for all devices Create an account per device No Password Expiration 91

91 Proxy Authentication Methods NTLMv2 Signalling UDP Media NT LAN Manager (NTLM) Authentication Microsoft Challenge/Response AuthN. protocol Username sent in plain text Password hashed but not sent Challenge/Nonce sent from the server Password hash used to encrypt the challenge and return it to the server Username and Password challenge for devices i.e. Devices are not Users (no human interaction) Create one account (AD account) for all devices Or create an account per device No Password Expiration 92

92 Proxy Authentication Methods Negotiate/IWA (Windows Only) Signalling UDP Media IWA - Integrated Windows Access Negotiate Authentication Microsoft implementation of SPNEGO Simple and Protected GSSAPI Negotiation Mechanism. (Generic Security Service API) Negotiates the use of either : Kerberos or fallback to NTLM Windows based Username and Password challenge for devices i.e. Devices are not Users (no human interaction) Create one account (AD account) for all devices Or create an account per device No Password Expiration 93

93 Proxy Authentication Methods Kerberos Kerberos Authentication Signalling UDP Media Strongest Security Client, Authentication Key Distribution Service, Ticket Granting Service, Application Server Encrypted communication based on shared Secrets Client authenticates with the Authentication service Once authenticated, receives a Tickets Granting Ticket (TGT) Client requests access to a service (e.g. the Proxy) by presenting the TGT to the Ticket Granting Service the TGS authenticates the client and returns an encrypted Service Ticket The Client presents the Service Ticket to Proxy which validates the user (using the shared secret) HTTPS connection proceeds 94

94 Proxy Authentication Bypass Methods Signalling UDP Media identity.webex.com idbroker.webex.com *.wbx2.com *.webex.com *.ciscospark.com *.clouddrive.com *.crashlytics.com IP Address *.mixpanel.com *.rackcdn.com Manually Configure Proxy Server with : Device IP Address Whitelisted Destinations (e.g. *ciscospark.com) 95

95 Network Capabilities Spark Devices Proxy Authentication Spark Device Protocol Software Train Proxy Authentication Granular Configuration Windows, Mac, ios, Android, Web HTTPS WME No Auth - Yes Basic - Yes Digest - Planned NTLM - Yes (Windows) Kerberos No DX/SX/MX HTTPS Room OS No Auth Yes Basic Q1 CY 2018 Digest - Yes Room Kits HTTPS Room OS No Auth Yes Basic Q1 CY 2018 Digest - Yes Spark Board HTTPS Spark Board OS No Auth Yes Basic Yes Digest - Yes No Auth : (ios and Android in EFT) Basic : (ios and Android in EFT) 96

96 Proxy TLS/HTTPS Inspection Non Spark Apps (1) Signalling UDP Media 97

97 Proxy TLS/HTTPS Inspection Non Spark Apps (1) Signalling UDP Media HTTPS/TLS Inspection Private CA Root Certificate sent to client 98

98 Proxy TLS/HTTPS Inspection Non Spark Apps (1) Signalling UDP Media HTTPS/TLS Inspection Private CA signed Certificate sent to client on connection establishment Client compares Private CA Root Cert with those received in Cert Chain If they match accept and proceed with the TLS connection 99

99 Proxy TLS/HTTPS Inspection Non Spark Apps (2) Signalling UDP Media 100

100 Proxy TLS/HTTPS Inspection Non Spark Apps (2) Signalling UDP Media HTTPS/TLS Inspection Proxy starts new HTTPS/TLS connection to Web/Cloud Service Proxy receives Certificate from Web/Cloud Service Proxy uses the Certificate to establish Secure TLS/HTTPS connection Proxy can now Decrypt, Inspect and Re-Encrypt session traffic 101

101 Proxy - No HTTPS Inspection Spark Certificate Pinning Signalling UDP Media 102

102 Proxy - No HTTPS Inspection Spark Certificate Pinning Signalling UDP Media Certificate Pinning Certificate Pin = SHA 256 Hash of CA Root Certificate Public Key VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= 103

103 Proxy - No HTTPS Inspection Spark Certificate Pinning Signalling UDP Media Certificate Pinning CA signed Cisco Spark Certificate sent by HTTPS/TLS server App creates a hash of the Cert s Public Key App compares the hash with the Certificate Pin in its Trust Store If they match accept and proceed with the TLS connection 104

104 Proxy - HTTPS Inspection Spark Certificate Pinning Signalling UDP Media 105

105 Proxy - HTTPS Inspection Spark Certificate Pinning Signalling UDP Media Certificate Pinning Proxy sends Private CA signed Certificate during HTTPS/TLS set up App creates a hash of the Private CA signed Cert s Public Key App compares the hash with the Certificate Pin in its Trust Store They DO NOT Match : TLS connection terminated 106

106 Proxy - HTTPS Inspection Spark Certificate Pinning Signalling UDP Media Certificate Pinning Proxy sends Private CA signed Certificate during HTTPS/TLS set up App creates a hash of the Private CA signed Cert s Public Key App compares the hash with the Certificate Pin in its Trust Store They DO NOT Match : TLS connection terminated 107

107 HTTPS Inspection Spark Apps Cert. Pinning Fix Signalling UDP Media 108

108 HTTPS Inspection Spark Apps Cert. Pinning Fix Signalling UDP Media Private CA Cert copied to App OS Trust Store 109

109 HTTPS Inspection Spark Apps Cert. Pinning Fix Signalling Private CA Cert copied to App OS Trust Store UDP Media Certificate Pinning Proxy sends Private CA signed Certificate during HTTPS/TLS set up Spark App checks to see if a copy of the Private CA Cert exists in the OS Trust Store If the Cert exists skip Certificate pinning process Proceed with TLS connection HTTPS/TLS Inspection possible 110

110 HTTPS Inspection Spark Devices Cert. Pinning Fix Signalling UDP Media 111

111 HTTPS Inspection Spark Devices Cert. Pinning Fix Signalling UDP Media Private CA Cert copied to Spark Cloud 112

112 HTTPS Inspection Spark Devices Cert. Pinning Fix Signalling UDP Media Private CA Cert copied to Spark Cloud Certificate Pinning Proxy sends Private CA signed Certificate during HTTPS/TLS set up Client creates a hash of the Private CA signed Cert s Public Key Client compares the hash with the Certificate Pin in its Trust Store They DO Match : Proceed with TLS connection HTTPS/TLS Inspection possible 113

113 Network Capabilities Spark Devices HTTPS Inspection Spark Device Protocol Software Train Supports TLS /HTTPS Inspection Cert Validation Method Windows, Mac, Web HTTPS WME Yes : Win/Mac/Browser If Enterprise Certificate exists, then bypass Certificate Pinning process ios, Android HTTPS WME No : ios Android HTTPS Inspection By-Pass DX HTTPS Room OS Yes Requires Per Org Config of Identity Service Load Private CA Certs in Spark Service Download Trust List with Private Certs SX HTTPS Room OS Yes Requires Per Org Config of Identity Service MX HTTPS Room OS Yes Requires Per Org Config of Identity Service Room Kits HTTPS Room OS Yes Requires Per Org Config of Identity Service Load Private CA Certs in Spark Service Download Trust List with Private Certs Load Private CA Certs in Spark Service Download Trust List with Private Certs Load Private CA Certs in Spark Service Download Trust List with Private Certs Spark Board HTTPS Spark Board OS No (Planned Q1 CY 18) HTTPS Inspection By-Pass 114

114 Cisco Spark Cloud Access : Network Access Control 802.1X

115 Connecting from the Enterprise 802.1X Authentication Server 116

116 Connecting from the Enterprise 802.1X Authentication Server 802.1X Operation Switch port network access restricted Client presents credentials to Authentication Server After successful Authentication switch port configured for the Device e.g. VLAN(s), ACLs 117

117 802.1X Network Authentication Methods Authentication Server? 118

118 802.1X Network Authentication Methods Authentication Server 802.1X Network Authentication Methods : There are many options. Two key Authentication methods : EAP-FAST EAP-TLS 119

119 802.1X Network Authentication : EAP-FAST Authentication Server? 120

120 802.1X Network Authentication : EAP-FAST Authentication Server 802.1X Extensible Authentication Protocol - FAST Flexible Authentication via Secure Tunneling Username and Password based Does not require Certificates 121

121 802.1X Network Authentication : EAP-TLS Authentication Server? 122

122 802.1X Network Authentication : EAP-TLS Authentication Server 802.1X Extensible Authentication Protocol - TLS Transport Layer Security Requires Digital Certificates Mutual Client - Server Authentication 123

123 802.1X Fallback - MAC Address Bypass (MAB) Authentication Server? 124

124 802.1X Fallback - MAC Address Bypass (MAB) Authentication Server Device 1 Bypasses 802.1X Authentication Mechanisms Uses the Device MAC Address Commonly used for Non 802.1X capable devices MAC address manually entered into Auth. Server 125

125 Network Capabilities Spark Devices 802.1X Spark Device Windows, Mac, ios, Android, Web Protocol Software Train HTTPS WME Wi-Fi - Yes Wired - Yes DX HTTPS Room OS Wi-Fi - Yes Wired - Yes SX HTTPS Room OS Wired - Yes MX HTTPS Room OS Wired - Yes Room Kits HTTPS Room OS Wi-Fi - Yes Wired - Yes Spark Board HTTPS Spark Board OS EAP-FAST EAP-TLS MIC Non CUCM LSC No (Planned Q2 CY 18) Wi-Fi - Yes Wired - Yes Wi-Fi - Yes Wired Yes Wired Yes Wired Yes Wi-Fi - Yes Wired Yes No (Planned Q2 CY 18) Certificate Installation Capability Granular Configuration N/A Yes Yes Manually Install LSC (Windows GPO, Mac Configuration Profiles) Q4 CY17 Yes Yes Web Based No Yes Yes Web Based No Yes Yes Web Based Yes Yes Yes Web Based No No (Planned Q2 CY 18) Install Enterprise LSC via device Web Interface Install Enterprise LSC via device Web Interface Install Enterprise LSC via device Web Interface Install Enterprise LSC via device Web Interface Use MAC Address By-Pass 126

126 Cisco Spark Cloud Access : Summary

127 Spark Device Configuration Recommendations 1) Determine your customer s network environment Switch port configuration VLANs Firewall Deployment Proxy Type Proxy Feature Usage 2) Check the capabilities of the Spark devices you plan to deploy and use the features as required 3) For Spark devices that do not support specific features today There are bypass methods available Feature support is coming soon 128

128 Cisco Spark Cloud Access : Roadmap

129 Spark Device Configuration Roadmap Configuration of all Spark devices via the Spark Control Hub Use a staging VLAN with internet access Proxy and Firewalls allow all Spark connections Onboard device Username/Password, Activation Code Cisco Spark cloud downloads Device Configuration information and Trust Anchors 130

130 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#

131 Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at

132 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Tech Circle Meet the Engineer 1:1 meetings Related sessions 133

133 Design and Deployment Best Practices for Cisco Collaboration What you would tell your best friend, if they asked you how to design their Cisco collaboration deployment? Preferred Architectures (PA) Prescriptive design and deployment best practices within a well-defined architecture containing common Cisco collaboration portfolio components Collaboration Solution Reference Network Design (SRND) Design guidance across the Cisco collaboration portfolio with a focus on enterprise, on-premises deployments Three preferred architectures (PAs) covering a wide range of customer deployment types and sizes:» On-Premises (Enterprise, Midmarket)» Cloud (Midmarket)» Hybrid (Enterprise) Versions aligning with major Collaboration System Releases (CSRs): 9.x, 10.x, 11.x, and 12.x* * Coming soon. Target Q1 CY2018

134 Thank you

135