BRKCOL-2030 Cisco Spark Cloud and On Premise Security Explained
- Melvyn Waters
- 6 years ago
2 Cisco Spark Cloud and On Premise Security Explained. Tony Mulchrone, Technical Marketing Engineer, Cisco Collaboration Technology Group
4 Spark Cloud Security and Hybrid Data Security
5 Agenda
- Introduction
- Spark Cloud Security: Realms of Separation; Identity Obfuscation; Synchronizing User IDs with the Spark Cloud and Single Sign-On Support; Secure App and Device Connections
- Cloud-based Data Security and Data Services: Secure Messages and Content; Secure Search and Indexing; E-Discovery Services
- Customer-controlled Security: On-Premise Hybrid Data Security; Key Management Server Federation; Deployment Considerations
6 Spark Cloud Security - Realms of Separation
Spark logically and physically separates functional components within the cloud (the diagram spreads the Identity Service, Content Server, Key Management Service, Indexing Service and E-Discovery Service across Data Centers A, B and C):
- Identity Services holding real user identity (e.g. e-mail addresses) are separated from
- Encryption, Indexing and E-Discovery Services, which are in turn separated from
- Data Storage Services
8 Realms of Separation - Identity Obfuscation
Outside of the Identity Service, real identity information is obfuscated: for each User ID, Spark generates a random 128-bit Universally Unique Identifier (UUID), and that UUID is the user's obfuscated identity. The Content Server, Key Management, Indexing and E-Discovery Services work only with this UUID, so no real identity information transits the cloud outside the Identity Service.
9 Spark User Identity Sync and Authentication
- User information can be synchronized to the Spark Identity Service from the enterprise Active Directory (Directory Sync)
- Multiple user attributes can be synchronized
- A scheduled sync tracks employee changes
- Passwords are not synchronized; the user either 1) creates a Spark password or 2) uses SSO for authentication
10 Spark SAML SSO Authentication
- SSO for user authentication: administrators can configure Spark to work with their existing SSO solution
- Spark supports Identity Providers (IdPs) using Security Assertion Markup Language (SAML) 2.0 and OAuth 2.0
- See Notes for the list of supported IdPs
11 Spark App Cloud Connection
1) Customer downloads and installs the Spark App (with trust anchors)
2) Spark App establishes a secure TLS connection with the Spark Cloud
3) Spark Identity Service prompts the user for an ID
4) User is authenticated by the Spark Identity Service, or by the enterprise IdP (SSO)
5) OAuth Access and Refresh Tokens are created and sent to the Spark App. The Access Tokens contain details of the Spark resources the user is authorized to access
6) Spark App presents its Access Tokens to register with Spark Services over a secure channel
17 Spark Device Cloud Connection
1) User enters the 16-digit activation code received via e-mail from the Spark provisioning service
2) Device is authenticated by the Identity Service (trust anchors are sent to the device and a secure connection established)
3) OAuth Access and Refresh Tokens are created and sent to the Spark Device. The Access Tokens contain details of the Spark resources the user is authorized to access
4) Spark Device presents its Access Tokens to register with Spark Services over a secure channel
22 Cloud Based Security and Data Services
23 Cloud Based Security : Secure Messages and Content
25 Spark - Encrypting Messages and Content
- Any messages or files sent by an App are encrypted before being sent to the Spark Cloud
- The Spark App requests a conversation encryption key from the Key Management Service
- Each Spark Room uses a different conversation encryption key
- The AES-256-GCM cipher is used for encryption
26 Spark - Decrypting Messages and Content
- Encrypted messages sent by the App are stored in the Spark Cloud (Content Server) and also sent on to every other App in the Spark Room
- The encrypted message also contains a link to its conversation encryption key
- If needed, Spark Apps retrieve encryption keys from the Key Management Service
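The two slides above describe the whole client-side model: one AES-256-GCM key per room, fetched from the KMS, with every stored message carrying a link to that key rather than the key itself. The following Go program is an added example written for this page, not code from the deck or from Cisco; it models that flow with an in-memory KMS. The key URL format (kms://example.org/keys/<room>), the user names and the membership check are assumptions for the demo, and binding the key link into the GCM additional data is a design choice made here, not something the slides state.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is all that reaches the Content Server: ciphertext, a nonce and a link
// to the conversation key (its KMS URL). The key itself never leaves the KMS/App.
type Envelope struct {
	KeyURL     string // assumed format, e.g. kms://example.org/keys/<room>
	Nonce      []byte // 96-bit GCM nonce (would be base64 on the wire)
	Ciphertext []byte // AES-256-GCM ciphertext with the 16-byte tag appended
}

// KMS stands in for the Key Management Service: one 256-bit key per room,
// released only to that room's members.
type KMS struct {
	keys    map[string][]byte
	members map[string]map[string]bool // keyURL -> user IDs allowed to fetch it
}

func NewKMS() *KMS {
	return &KMS{keys: map[string][]byte{}, members: map[string]map[string]bool{}}
}

// CreateRoomKey mints a fresh AES-256 conversation key for a room and records its members.
func (k *KMS) CreateRoomKey(room string, users ...string) (string, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return "", err
	}
	keyURL := "kms://example.org/keys/" + room
	k.keys[keyURL] = key
	k.members[keyURL] = map[string]bool{}
	for _, u := range users {
		k.members[keyURL][u] = true
	}
	return keyURL, nil
}

// FetchKey resolves a key URL on behalf of a user; non-members are refused.
func (k *KMS) FetchKey(keyURL, user string) ([]byte, error) {
	if !k.members[keyURL][user] {
		return nil, errors.New("kms: " + user + " is not authorized for " + keyURL)
	}
	return k.keys[keyURL], nil
}

// Encrypt seals a message under the room key before it leaves the App. The key URL
// is bound as GCM additional data, so re-pointing an envelope at another key fails.
func Encrypt(key []byte, keyURL string, plaintext []byte) (Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{KeyURL: keyURL, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(keyURL))}, nil
}

// Decrypt follows the envelope's key link to the KMS as the given user and opens it.
func Decrypt(kms *KMS, user string, env Envelope) ([]byte, error) {
	key, err := kms.FetchKey(env.KeyURL, user)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KeyURL))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	kms := NewKMS()
	keyURL, _ := kms.CreateRoomKey("room-42", "alice", "bob")
	aliceKey, _ := kms.FetchKey(keyURL, "alice")
	env, _ := Encrypt(aliceKey, keyURL, []byte("hello bob")) // what the cloud stores and fans out
	pt, err := Decrypt(kms, "bob", env)
	fmt.Printf("bob: %q err=%v\n", pt, err)
	_, err = Decrypt(kms, "mallory", env)
	fmt.Println("mallory:", err)
}
```

The point to take from running it: the Content Server's copy (the Envelope) is useless without a KMS that will release the key, and a member who is removed from the room loses the ability to open new envelopes without anything stored in the cloud having to change.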
28 Cloud Based Security : Secure Search and Indexing
30 Searching Spark Rooms: Building a Search Index
The Indexing Service:
- Enables users to search for names and words in the encrypted messages stored in the Content Server without decrypting content
- Builds a search index by creating a fixed-length hash of each word in each message within a Room (the diagram runs the message "Spark IS the message" word by word through the hash algorithm, giving values such as B9 57 FE 48). A new hashing key (the Search Key, used as a SHA-256 HMAC key) is generated for each room
- The hashed indexes for each Spark Room are stored by the Content Service
32 Searching Spark Rooms: Querying a Search Index
- The App sends a search request (e.g. for the word "Spark") over a secure connection to the Indexing Service
- The Indexing Service uses the per-room search keys to hash the search terms
- The Search Service looks for a match in the hash tables and returns the matching (still encrypted) content to the App; a link to the conversation encryption key is sent with the encrypted message, so the App decrypts it as usual
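The index-building and index-querying slides above are two halves of one mechanism: keyed hashing of words with a per-room HMAC key, so the stored index and the query both consist of tokens rather than words. The Go program below is an added example for this page (not code from the deck or from Cisco) that implements both halves over a constructed pair of messages. The tokenizer (runs of letters and digits, lower-cased), the in-memory posting list and the room names are assumptions for the demo; the slides do not specify how Spark tokenizes or stores its index.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"sort"
	"strings"
	"unicode"
)

// RoomIndex is the per-room structure the Content Server stores: HMAC tokens mapped
// to the IDs of the (encrypted) messages containing them. It holds no plaintext words.
type RoomIndex struct {
	postings map[string][]string
}

// Indexer holds the per-room search keys. In Spark this state lives in the Indexing
// Service (cloud) or the HDS Indexing Server (on premise), never in the Content Server.
type Indexer struct {
	searchKeys map[string][]byte
}

func NewIndexer() *Indexer { return &Indexer{searchKeys: map[string][]byte{}} }

// searchKey returns the room's HMAC key, minting a random 256-bit one on first use.
func (ix *Indexer) searchKey(room string) ([]byte, error) {
	if k, ok := ix.searchKeys[room]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	ix.searchKeys[room] = k
	return k, nil
}

// Token is the fixed-length hash of one normalised word under a room's search key.
func Token(searchKey []byte, word string) string {
	mac := hmac.New(sha256.New, searchKey)
	mac.Write([]byte(strings.ToLower(word)))
	return hex.EncodeToString(mac.Sum(nil))
}

// words splits a message into searchable terms (runs of letters and digits); assumed tokenizer.
func words(msg string) []string {
	return strings.FieldsFunc(msg, func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsDigit(r)
	})
}

// IndexMessage adds a plaintext message to the room index. Only the tokens are
// written to the index; the message itself is stored encrypted elsewhere.
func (ix *Indexer) IndexMessage(idx *RoomIndex, room, msgID, plaintext string) error {
	key, err := ix.searchKey(room)
	if err != nil {
		return err
	}
	if idx.postings == nil {
		idx.postings = map[string][]string{}
	}
	seen := map[string]bool{}
	for _, w := range words(plaintext) {
		t := Token(key, w)
		if seen[t] {
			continue
		}
		seen[t] = true
		idx.postings[t] = append(idx.postings[t], msgID)
	}
	return nil
}

// Search hashes the query term under the room key and looks the token up. The
// lookup side sees only the token, never the word being searched for.
func (ix *Indexer) Search(idx *RoomIndex, room, term string) ([]string, error) {
	key, err := ix.searchKey(room)
	if err != nil {
		return nil, err
	}
	ids := append([]string(nil), idx.postings[Token(key, term)]...)
	sort.Strings(ids)
	return ids, nil
}

func main() {
	ix := NewIndexer()
	idx := &RoomIndex{}
	ix.IndexMessage(idx, "room-42", "m1", "Spark IS the message") // constructed sample messages
	ix.IndexMessage(idx, "room-42", "m2", "another message, nothing more")
	for _, term := range []string{"spark", "message", "banana"} {
		hits, _ := ix.Search(idx, "room-42", term)
		fmt.Printf("%-8s -> %v\n", term, hits)
	}
	k42, _ := ix.searchKey("room-42")
	k43, _ := ix.searchKey("room-43")
	fmt.Println("same word, different rooms:", Token(k42, "spark")[:16], Token(k43, "spark")[:16])
}
```

Two properties worth noticing: the same word produces unrelated tokens in different rooms, so an index for one room leaks nothing about another, and whoever holds the Content Server's copy of the postings can count how often a token recurs but cannot invert it without the room's search key. That frequency leakage is inherent to any deterministic keyed-hash index, which is the trade-off the slides accept in exchange for server-side search over encrypted content.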
33 Cloud Based Security : E Discovery Services
34 Spark E-Discovery Service: (1)
- The Compliance Officer (via Spark Control Hub) selects a group of messages and files to be retrieved for E-Discovery, e.g. based on date range, content type or username(s)
- The Indexing Service requests a search of the related hashed content
- The Content Server returns the matching content to the E-Discovery Service
36 Spark E-Discovery Service: (2)
- The E-Discovery Service decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service
- The E-Discovery Storage Service sends the compressed and encrypted content to the Administrator on request (Spark Control Hub reports "E-Discovery Content Ready", e.g. Jo Smith's messages and files)
39 Customer Controlled Security : Hybrid Data Security Part of Pro Pack for Cisco Spark Control Hub
41 Spark Hybrid Data Security (HDS)
Hybrid Data Services = on premise, in the customer's secure data center: Key Management Server, Indexing Server, E-Discovery Service. The Content Server remains in the Spark cloud.
42 Hybrid Data Security Traffic and Firewalls
- Hybrid Data Services make outbound connections only, from the enterprise to the Spark cloud, using HTTPS and Secure WebSockets (WSS)
- No special firewall configuration is required
43 Hybrid Data Security - Scalability
- Multiple HDS servers can be provisioned for scalability and load sharing
- Hybrid Data Security is managed and upgraded from the cloud
- Customers can access usage information for the HDS servers via the Spark Control Hub
44 Spark Hybrid Data Security: Key Management
The Hybrid Key Management Server performs the same functions as the cloud-based Key Management Server, BUT now all of the keys for messages and content are owned and managed by the customer.
46 HDS - Encrypting Messages & Content
- Spark Apps request an encryption key from the HDS Key Management Server
- Any messages or files sent by an App are encrypted before being sent to the Spark Cloud
- Encrypted messages and content are stored in the cloud; encryption keys are stored locally
48 HDS - Decrypting Messages & Content
- Encrypted messages from Apps are stored in the Spark Cloud
- These messages are sent to every other App in the Spark Room and contain a link to their encryption key on the HDS Key Management Server
- If needed, Spark Apps retrieve encryption keys from the HDS Key Management Server
49 Hybrid Data Security - Secure App Connections
Spark Apps establish a direct TLS connection to the on-premise HDS node and its KMS service, in addition to their App-to-Cloud TLS connection. This encrypted peer-to-peer session traverses the Spark Cloud.
51 Hybrid Data Security: Search Indexing Service
- The (on-premise) Indexing Service enables users to search for names and words in the encrypted messages stored in the Content Server without decrypting content
- As in the cloud case, each word of a message (e.g. "Spark IS the message") is hashed into fixed-length values such as B9 57 FE 48; a new hashing key (Search Key) is used for each room
53 Hybrid Data Security: Querying a Search Index
- The Indexing Service sends a hashed index of the App's search request (e.g. for the word "Spark") to the Search Service
- Matching encrypted messages (e.g. "Spark IS the message") are returned; a link to the conversation encryption key is sent with the encrypted message
55 Spark E-Discovery Service: (1)
- The (on-premise) Indexing Service sends hashed search criteria to the Search Service
- The Content Server returns matching content (e.g. Jo Smith's content) to the on-premise E-Discovery Service, driven from Spark Control Hub
57 Spark E-Discovery Service: (2)
- The E-Discovery Service decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service
- The E-Discovery Storage Service sends the compressed and encrypted content to the Administrator on request (Spark Control Hub: "E-Discovery Content Ready", e.g. Jo Smith's messages and files)
58 Customer Controlled Security : Key Management Server Federation
60 HDS: Encryption Keys & Users in Other Organizations
Spark Spaces with users from multiple Organizations can share encrypted messages and content. How do external users retrieve encryption keys from the KMS of the Organization that owns the Spark Space?
62 HDS: Key Management Server Federation
- Hybrid Key Management Servers in different Organizations can establish a mutual TLS connection via the Spark Cloud
- Hybrid Key Management Servers make outbound connections only: HTTPS, WebSocket Secure (WSS)
64 HDS: Key Management Server Federation
With a secure connection between Key Management Servers, mutually authenticated KMSs can request Room Encryption Keys from one another on behalf of their users.
65 Customer Controlled Security : HDS Deployment Considerations
66 HDS System Architecture
Each Hybrid Data Services Node is a VM (on vSphere) running Docker with an ECP management container and the HDS containers; the HDS Cluster Config file is attached as a read-only IDE mount. Customer-provided services: Postgres database (with database backup), syslogd, and system backup.
- ECP (Enterprise Compute Platform): management containers which communicate with the cloud and perform actions such as sending health checks and checking for new versions of HDS.
- HDS (Hybrid Data Security): Key Management Server, Search Indexer and eDiscovery Services.
- HDS Cluster Config: an ISO file containing configuration information for the local HDS cluster, e.g. database connection settings, Database Master Encryption Key, etc.
- IDE Mount: mount point of the read-only HDS Cluster Config ISO file containing the configuration settings for the HDS system.
67 HDS Deployment Considerations
- BYO: VM for deploying the HDS appliance, Postgres database and syslogd servers
- The customer manages backup and recovery of the Postgres database and the local configuration ISO
- The customer should be able to perform quick disaster recovery in the event of a catastrophe (complete database disk failure, data center disaster)
- HDS application nodes and database need to be co-located in the same data center
- An HDS deployment requires significant customer commitment and an awareness of the risks that come with owning encryption keys
- Complete loss of either the configuration ISO or the Postgres database will result in loss of the decryption keys stored in HDS. This will prevent users from decrypting space content and other encrypted data. If this happens, an empty HDS can be restored, however only new content will be visible.
68 HDS Install Prerequisites
See prerequisites in
- X.509 certificate, intermediates and private key: PKI is used for KMS-to-KMS federation. The certificate needs a Common Name, must be signed by a member of the Mozilla Trusted Root Store, must contain no SHA1 signatures, and is supplied in PKCS12 format
- 2 ESXi virtualized hosts: minimum 2 to support upgrades, 3 recommended, 5 max. Minimum 4 vCPUs, 8 GB main memory, 50 GB local hard disk space per server. Easily supports 15K users per HDS
- 1 Postgres database instance (key datastore): 8 vCPU, 16 GB RAM, 2 TB disk. User created with createuser and assigned GRANT ALL PRIVILEGES ON the database
- 1 syslog host: hostname and port required to centralize syslog output from the three HDS instances and management containers
- A secure backup location: the HDS system requires organization administrators to securely back up two key pieces of information: 1) the configuration ISO file generated by this process, 2) the Postgres database. Failure to maintain adequate backups will result in loss of customer data. See <Section on Disaster Recovery>.
- Network: outbound HTTPS on TCP port 443 from the HDS host; bi-directional WSS on TCP port 443 from the HDS host; TCP connectivity from the HDS host to the Postgres database host, syslog host and statsd host. HTTPS proxies are unsupported
69 Cisco Spark and Enterprise Network Security
70 Agenda
- VLANs: switch port VLAN configuration and device requirements
- Firewalls: whitelists for Spark Apps, devices and Services; media support (UDP/TCP/HTTP)
- HTTP Proxies: proxy types and proxy detection; proxy authentication methods (Basic/NTLM/Negotiate/Kerberos); auth bypass; proxy TLS/HTTPS traffic inspection; certificate pinning
- 802.1X: authentication methods EAP-FAST/EAP-TLS, MAC Address Bypass
71 Cisco Spark Cloud Access : Enterprise VLANs
72 Connecting from the Enterprise - VLANs
How are the switch ports configured?
- Single static untagged VLAN?
- Dynamic VLAN assignment based on CDP/LLDP TLV values?
- Multiple static VLANs (e.g. Data VLAN & Aux VLAN)? 802.1Q VLAN tagging required for the Auxiliary VLAN?
Minimum enterprise network requirements: Internet access; DHCP and DNS server access; internal TCP connectivity and ICMP to devices for support
73 Network Capabilities - Spark Devices: CDP/LLDP, 802.1Q
Spark Device | Protocol | Software Train | CDP/LLDP | 802.1Q | Ethernet PC Port | Granular Configuration
Windows, Mac, iOS, Android, Web | HTTPS | WME | No/No | N/A | N/A | Static untagged (Data) VLAN
DX | HTTPS | Room OS | Yes/No | Yes | Yes | Dynamic VLAN assignment, 802.1Q tagging, connected PC supported
SX | HTTPS | Room OS | Yes/No | Yes | No | Dynamic VLAN assignment, 802.1Q tagging
MX | HTTPS | Room OS | Yes/No | Yes | No | Dynamic VLAN assignment, 802.1Q tagging
Room Kits | HTTPS | Room OS | Yes/No | Yes | No | Dynamic VLAN assignment, 802.1Q tagging
Spark Board | HTTPS | Spark Board OS | Yes/No | Yes | No | Dynamic VLAN assignment, 802.1Q tagging
74 Cisco Spark Cloud Access : Enterprise Firewalls
75 Connecting from the Enterprise - Firewalls (Signalling and Media)
Whitelisted ports and destinations for Spark desk and room devices and for Spark Apps: see the following slides for details.
Media port ranges:
- Source UDP ports: separate voice and video ranges
- Source TCP/HTTP ports: ephemeral (=> no DSCP re-marking)
- Destination UDP/TCP/HTTP ports: 5004, 5006
- Destination IP addresses: any
76 Voice and Video Classification and Marking - Port Range Summary (audio and video source port ranges for Spark Apps and Spark Devices)
77 Spark Applications: Network Port and Whitelist Requirements
Spark applications: Windows, Mac, iOS, Android, Web
Protocol | Source Ports | Destination Ports | Destination | Function
UDP | Voice range, Video range | 5004 & 5006 | Any IP address | SRTP over UDP to Spark Cloud Media Nodes
TCP | Ephemeral | 5004 & 5006 | Any IP address | SRTP over TCP or HTTP to Spark Cloud Media Nodes
TCP | Ephemeral | 443 | see below | HTTPS to the following destinations
HTTPS destinations and their function:
- identity.webex.com: Spark Identity Service
- idbroker.webex.com: OAuth Service
- *.wbx2.com: Core Spark Services
- *.webex.com: Identity management
- *.ciscospark.com: Core Spark Services
- *.clouddrive.com: Content and Space Storage
- *.crashlytics.com: Anonymous crash data
- *.mixpanel.com: Anonymous analytics
- *.rackcdn.com: Content and Space Storage
- *.appsflyer.com: Mobile Apps only - ad analytics
- *.adobedtm.com: Web Apps only - analytics
- *.omtrdc.net: Web Apps only - telemetry
- *.optimizely.com: Web Apps only - metrics
78 Spark Devices: Network Port and Whitelist Requirements
Desktop and Room Systems: SX Series, DX Series, MX Series, Room Kits, Spark Boards*
Protocol | Source Ports | Destination Ports | Destination | Function
UDP | Voice range, Video range | 5004 & 5006 | Any IP address | SRTP over UDP to Spark Cloud Media Nodes
TCP | Ephemeral | 5004 & 5006 | Any IP address | SRTP over TCP to Spark Cloud Media Nodes* (not Spark Board)
TCP | Ephemeral | 443 | see below | HTTPS to the following destinations
UDP | Ephemeral | 123 | *.2.android.pool.ntp.org | *Spark Board NTP time sync
HTTPS destinations and their function:
- identity.webex.com: Spark Identity Service
- idbroker.webex.com: OAuth Service
- *.wbx2.com: Core Spark Services
- *.webex.com: Identity management
- *.ciscospark.com: Core Spark Services
- *.clouddrive.com: Content and Space Storage
- *.crashlytics.com: Anonymous crash data
- *.mixpanel.com: Anonymous analytics
- *.rackcdn.com: Content and Space Storage
- *.dropbox.com: *Spark Board firmware updates
79 Connecting from the Enterprise - Firewalls: Hybrid Media Node (HMN)
- HMNs can be used to limit the source IP address range for media leaving the enterprise to the HMNs only
- Source UDP ports for voice and video are different from those used by endpoints: voice and video use a common UDP source port range
- Used for cascade links to the Spark Cloud
Media port ranges:
- Source UDP ports: voice and video (common range)
- Source TCP/HTTP ports: ephemeral (=> no DSCP re-marking)
- Destination UDP/TCP/HTTP port: 5004
- Destination IP addresses: any
80 Connecting from the Enterprise - Firewalls: Hybrid Data Security Node (HDS)
Hybrid Data Services (Key Management Service, Indexing (Search) Service, E-Discovery Service) carry signaling traffic only: outbound HTTPS and WSS. No media.
81 HMN and HDS Nodes: Network Port and Whitelist Requirements
Node | Protocol | Source Ports | Destination Ports | Destination | Function
Hybrid Media Node (HMN) | UDP | Common voice and video range | Cascade destination | Any IP address | Cascaded SRTP over UDP media streams to Cloud Media Nodes
Hybrid Media Node (HMN) | TCP | Ephemeral | 5004 | Any IP address | Cascaded SRTP over TCP/HTTP media streams to Cloud Media Nodes
Hybrid Media Node (HMN) | TCP | Ephemeral | 123, 53, 444 | Any | NTP, DNS, HTTPS
Hybrid Data Security Node (HDS) | TCP | Ephemeral | 443 | *.wbx2.com, idbroker.webex.com, identity.webex.com, index.docker.io | HTTPS configuration services; outbound HTTPS and WSS
82 What do we send to Third Party sites?
Site | Apps that access it | What is sent there | User PII? | Anonymized usage info? | Encrypted user-generated content?
*.aws.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing. Part of Rackspace content system. | N | N | Y
*.rackcdn.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing. Part of Rackspace content system. | N | N | Y
*.mixpanel.com | Win, Mac, iOS, Android, Web | Anonymous usage data | N | Y | N
*.appsflyer.com | iOS, Android | Anonymous usage data related to onboarding | N | Y | N
*.adobedtm.com | Web | Anonymous usage data | N | Y | N
*.omtrdc.net | Web | Anonymous usage data | N | Y | N
*.optimizely.com | Web | Anonymous usage data for A/B testing | N | Y | N
83 Cisco Spark Cloud Access : Enterprise Proxies
84 Connecting from the Enterprise - Proxy Types
Only HTTP/HTTPS traffic is sent to the proxy server (e.g. destination ports 80, 443, 8080, 8443); UDP media does not go through it.
Proxy types:
- Transparent proxy (device/application is unaware of the proxy's existence): in-line proxies (e.g. combined proxy and firewall), or traffic redirection (e.g. using Cisco WCCP)
- Explicit proxy: the proxy address is given to the device/application
85 Connecting from the Enterprise - Proxy Detection
Proxy detection (proxy address given to the device/application):
- Manual configuration of the proxy address
- Auto configuration: Web Proxy Auto Discovery (WPAD) and Proxy Auto Config (PAC) files
86 Network Capabilities - Spark Devices - Proxy Detection
- Windows, Mac, iOS, Android, Web (HTTPS, WME software train): proxy detection yes, manual; yes, PAC files. Granular configuration: manually configure the proxy address, or use WPAD and PAC files (or Windows GPO).
- DX (HTTPS, Room OS): proxy detection yes, manual using web access. Granular configuration: configure the proxy address via the device web interface.
- SX (HTTPS, Room OS): proxy detection yes, manual using web access. Granular configuration: configure the proxy address via the device web interface.
- MX (HTTPS, Room OS): proxy detection yes, manual using web access. Granular configuration: configure the proxy address via the device web interface.
- Room Kits (HTTPS, Room OS): proxy detection yes, manual using web access. Granular configuration: configure the proxy address via the device web interface.
- Spark Board (HTTPS, Spark Board OS): proxy detection yes, manual configuration. Granular configuration: manual configuration of the proxy address.
87 Connecting from the Enterprise - Proxy Authentication
Proxy authentication is not mandatory; many enterprises do no authentication.
Proxy authentication:
- The proxy intercepts the outbound HTTP request
- Authenticates the user (username and password)
- An authenticated user's traffic is forwarded
- An unauthenticated user's traffic is dropped/blocked

88 Common Proxy Authentication Methods
- Basic Authentication
- Digest Authentication
- NTLMv2 Authentication
- Negotiate Authentication
- Kerberos

89 Proxy Authentication Methods - Basic Authentication
Basic Authentication:
- Uses standard HTTP headers
- Username and password are Base64 encoded
- Username and password are NOT encrypted or hashed
Basic username and password challenge for devices, i.e. devices are not users (no human interaction):
- Create one account (e.g. an LDAP account) for all devices, or create an account per device
- No password expiration

90 Proxy Authentication Methods - Digest Authentication
Digest Authentication:
- Uses standard HTTP headers
- Username and password are not sent; a hash of the username and password is sent instead
Basic username and password challenge for devices, i.e. devices are not users (no human interaction):
- Create one account (e.g. an LDAP account) for all devices, or create an account per device
- No password expiration
91 Proxy Authentication Methods - NTLMv2
NT LAN Manager (NTLM) Authentication:
- Microsoft challenge/response authentication protocol
- Username sent in plain text
- Password hashed but not sent
- Challenge/nonce sent from the server
- The password hash is used to encrypt the challenge, which is returned to the server
Username and password challenge for devices, i.e. devices are not users (no human interaction):
- Create one account (AD account) for all devices, or create an account per device
- No password expiration

92 Proxy Authentication Methods - Negotiate/IWA (Windows Only)
IWA - Integrated Windows Access
Negotiate Authentication:
- Microsoft implementation of SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism; GSSAPI = Generic Security Service API)
- Negotiates the use of either Kerberos, or fallback to NTLM
Windows based username and password challenge for devices, i.e. devices are not users (no human interaction):
- Create one account (AD account) for all devices, or create an account per device
- No password expiration

93 Proxy Authentication Methods - Kerberos
Kerberos Authentication: strongest security
- Components: Client, Authentication (Key Distribution) Service, Ticket Granting Service, Application Server
- Encrypted communication based on shared secrets
- The client authenticates with the Authentication Service; once authenticated, it receives a Ticket Granting Ticket (TGT)
- The client requests access to a service (e.g. the proxy) by presenting the TGT to the Ticket Granting Service (TGS); the TGS authenticates the client and returns an encrypted Service Ticket
- The client presents the Service Ticket to the proxy, which validates the user (using the shared secret)
- The HTTPS connection proceeds

94 Proxy Authentication Bypass Methods
Manually configure the proxy server with:
- Device IP address
- Whitelisted destinations (e.g. *.ciscospark.com)
Destinations shown on the slide: identity.webex.com, idbroker.webex.com, *.wbx2.com, *.webex.com, *.ciscospark.com, *.clouddrive.com, *.crashlytics.com, *.mixpanel.com, *.rackcdn.com

95 Network Capabilities - Spark Devices - Proxy Authentication
- Windows, Mac, iOS, Android, Web (HTTPS, WME): No Auth - Yes; Basic - Yes; Digest - Planned; NTLM - Yes (Windows); Kerberos - No. (No Auth: iOS and Android in EFT. Basic: iOS and Android in EFT.)
- DX/SX/MX (HTTPS, Room OS): No Auth - Yes; Basic - Q1 CY 2018; Digest - Yes
- Room Kits (HTTPS, Room OS): No Auth - Yes; Basic - Q1 CY 2018; Digest - Yes
- Spark Board (HTTPS, Spark Board OS): No Auth - Yes; Basic - Yes; Digest - Yes
96 Proxy TLS/HTTPS Inspection - Non Spark Apps (1)
HTTPS/TLS inspection:
- The private CA root certificate is sent to the client
- A private CA signed certificate is sent to the client on connection establishment
- The client compares the private CA root cert with those received in the cert chain
- If they match, accept and proceed with the TLS connection

99 Proxy TLS/HTTPS Inspection - Non Spark Apps (2)
HTTPS/TLS inspection:
- The proxy starts a new HTTPS/TLS connection to the web/cloud service
- The proxy receives the certificate from the web/cloud service
- The proxy uses the certificate to establish a secure TLS/HTTPS connection
- The proxy can now decrypt, inspect and re-encrypt session traffic

101 Proxy - No HTTPS Inspection - Spark Certificate Pinning
Certificate pinning: certificate pin = SHA-256 hash of the CA root certificate public key, e.g. VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=
- The CA signed Cisco Spark certificate is sent by the HTTPS/TLS server
- The app creates a hash of the cert's public key
- The app compares the hash with the certificate pin in its trust store
- If they match, accept and proceed with the TLS connection

104 Proxy - HTTPS Inspection - Spark Certificate Pinning
Certificate pinning:
- The proxy sends a private CA signed certificate during HTTPS/TLS set up
- The app creates a hash of the private CA signed cert's public key
- The app compares the hash with the certificate pin in its trust store
- They DO NOT match: the TLS connection is terminated

107 HTTPS Inspection - Spark Apps Cert. Pinning Fix
Private CA cert copied to the app OS trust store:
- The proxy sends a private CA signed certificate during HTTPS/TLS set up
- The Spark app checks whether a copy of the private CA cert exists in the OS trust store
- If the cert exists, skip the certificate pinning process and proceed with the TLS connection
- HTTPS/TLS inspection possible

110 HTTPS Inspection - Spark Devices Cert. Pinning Fix
Private CA cert copied to the Spark cloud:
- The proxy sends a private CA signed certificate during HTTPS/TLS set up
- The client creates a hash of the private CA signed cert's public key
- The client compares the hash with the certificate pin in its trust store
- They DO match: proceed with the TLS connection
- HTTPS/TLS inspection possible
113 Network Capabilities - Spark Devices - HTTPS Inspection
- Windows, Mac, Web (HTTPS, WME): supports TLS/HTTPS inspection: yes (Win/Mac/browser). Cert validation method: if an enterprise certificate exists, bypass the certificate pinning process.
- iOS, Android (HTTPS, WME): supports TLS/HTTPS inspection: no. Method: HTTPS inspection bypass.
- DX (HTTPS, Room OS): yes; requires per-org configuration of the Identity Service. Method: load private CA certs in the Spark service; the device downloads a trust list with the private certs.
- SX (HTTPS, Room OS): yes; requires per-org configuration of the Identity Service. Method: load private CA certs in the Spark service; the device downloads a trust list with the private certs.
- MX (HTTPS, Room OS): yes; requires per-org configuration of the Identity Service. Method: load private CA certs in the Spark service; the device downloads a trust list with the private certs.
- Room Kits (HTTPS, Room OS): yes; requires per-org configuration of the Identity Service. Method: load private CA certs in the Spark service; the device downloads a trust list with the private certs.
- Spark Board (HTTPS, Spark Board OS): no (planned Q1 CY18). Method: HTTPS inspection bypass.
114 Cisco Spark Cloud Access : Network Access Control 802.1X

115 Connecting from the Enterprise - 802.1X
802.1X operation:
- Switch port network access is restricted
- The client presents credentials to the Authentication Server
- After successful authentication the switch port is configured for the device, e.g. VLAN(s), ACLs

117 802.1X Network Authentication Methods
There are many options. Two key authentication methods:
- EAP-FAST
- EAP-TLS

119 802.1X Network Authentication : EAP-FAST
Extensible Authentication Protocol - FAST (Flexible Authentication via Secure Tunneling):
- Username and password based
- Does not require certificates

121 802.1X Network Authentication : EAP-TLS
Extensible Authentication Protocol - TLS (Transport Layer Security):
- Requires digital certificates
- Mutual client-server authentication

123 802.1X Fallback - MAC Address Bypass (MAB)
- Bypasses the 802.1X authentication mechanisms
- Uses the device MAC address
- Commonly used for devices that are not 802.1X capable
- The MAC address is manually entered into the Authentication Server

125 Network Capabilities - Spark Devices - 802.1X
- Windows, Mac, iOS, Android, Web (HTTPS, WME): EAP-FAST: Wi-Fi yes, wired yes. EAP-TLS: Wi-Fi yes, wired yes. MIC: N/A. Non-CUCM LSC: yes. Certificate installation capability: yes. Granular configuration: manually install an LSC (Windows GPO, Mac configuration profiles).
- DX (HTTPS, Room OS): EAP-FAST: Wi-Fi yes, wired yes. EAP-TLS: Wi-Fi yes, wired yes. MIC: Q4 CY17. Non-CUCM LSC: yes. Certificate installation capability: yes, web based. Granular configuration: install an enterprise LSC via the device web interface.
- SX (HTTPS, Room OS): EAP-FAST: wired yes. EAP-TLS: wired yes. MIC: no. Non-CUCM LSC: yes. Certificate installation capability: yes, web based. Granular configuration: install an enterprise LSC via the device web interface.
- MX (HTTPS, Room OS): EAP-FAST: wired yes. EAP-TLS: wired yes. MIC: no. Non-CUCM LSC: yes. Certificate installation capability: yes, web based. Granular configuration: install an enterprise LSC via the device web interface.
- Room Kits (HTTPS, Room OS): EAP-FAST: Wi-Fi yes, wired yes. EAP-TLS: Wi-Fi yes, wired yes. MIC: yes. Non-CUCM LSC: yes. Certificate installation capability: yes, web based. Granular configuration: install an enterprise LSC via the device web interface.
- Spark Board (HTTPS, Spark Board OS): EAP-FAST: no (planned Q2 CY18). EAP-TLS: no (planned Q2 CY18). MIC: no. Non-CUCM LSC: no (planned Q2 CY18). Granular configuration: use MAC Address Bypass.
126 Cisco Spark Cloud Access : Summary

127 Spark Device Configuration Recommendations
1) Determine your customer's network environment: switch port configuration, VLANs, firewall deployment, proxy type, proxy feature usage
2) Check the capabilities of the Spark devices you plan to deploy and use the features as required
3) For Spark devices that do not support specific features today: bypass methods are available, and feature support is coming soon

128 Cisco Spark Cloud Access : Roadmap

129 Spark Device Configuration Roadmap
Configuration of all Spark devices via the Spark Control Hub:
- Use a staging VLAN with internet access; proxy and firewalls allow all Spark connections
- Onboard the device: username/password, activation code
- The Cisco Spark cloud downloads device configuration information and trust anchors
131 Please complete your Online Session Evaluations after each session
- Complete 4 session evaluations and the overall conference evaluation (available from Thursday) to receive your Cisco Live T-shirt
- All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at

132 Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Tech Circle
- Meet the Engineer 1:1 meetings
- Related sessions

133 Design and Deployment Best Practices for Cisco Collaboration
What would you tell your best friend if they asked you how to design their Cisco collaboration deployment?
Preferred Architectures (PA): prescriptive design and deployment best practices within a well-defined architecture containing common Cisco collaboration portfolio components. Three preferred architectures (PAs) cover a wide range of customer deployment types and sizes:
- On-Premises (Enterprise, Midmarket)
- Cloud (Midmarket)
- Hybrid (Enterprise)
Collaboration Solution Reference Network Design (SRND): design guidance across the Cisco collaboration portfolio with a focus on enterprise, on-premises deployments. Versions align with major Collaboration System Releases (CSRs): 9.x, 10.x, 11.x, and 12.x* (* coming soon, target Q1 CY2018)
134 Thank you
More informationvshield Administration Guide
vshield Manager 5.1 vshield App 5.1 vshield Edge 5.1 vshield Endpoint 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by
More informationArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT
ArcGIS Enterprise Security: An Introduction Randall Williams Esri PSIRT Agenda ArcGIS Enterprise Security for *BEGINNING to INTERMIDIATE* users ArcGIS Enterprise Security Model Portal for ArcGIS Authentication
More informationSecurity Guide Zoom Video Communications Inc.
Zoom unifies cloud video conferencing, simple online meetings, group messaging, and a softwaredefined conference room solution into one easy-to-use platform. Zoom offers the best video, audio, and wireless
More informationCisco Spark Hybrid Media service
Cisco Spark Hybrid Media service Richard Murphy Technical Marketing Engineer Abstract Cisco Spark is a constantly evolving cloud platform with innovation happening in the cloud and on the Cisco Spark app.
More informationPolycom RealPresence Access Director System
Release Notes Polycom RealPresence Access Director System 4.0 June 2014 3725-78700-001D Polycom announces the release of the Polycom RealPresence Access Director system, version 4.0. This document provides
More informationRouting Underlay and NFV Automation with DNA Center
BRKRST-1888 Routing Underlay and NFV Automation with DNA Center Prakash Rajamani, Director, Product Management Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session
More informationVMware Tunnel Guide for Windows
VMware Tunnel Guide for Windows Installing the VMware Tunnel for your Workspace ONE UEM environment Workspace ONE UEM v9.5 Have documentation feedback? Submit a Documentation Feedback support ticket using
More informationVMware Tunnel Guide for Windows
VMware Tunnel Guide for Windows Installing the VMware Tunnel for your Workspace ONE UEM environment Workspace ONE UEM v1810 Have documentation feedback? Submit a Documentation Feedback support ticket using
More informationDolby Conference Phone. Configuration guide for Avaya Aura Platform 6.x
Dolby Conference Phone Configuration guide for Avaya Aura Platform 6.x Version 3.1 22 February 2017 Copyright 2017 Dolby Laboratories. All rights reserved. Dolby Laboratories, Inc. 1275 Market Street San
More informationDolby Conference Phone. Configuration guide for Avaya Aura Platform 6.x
Dolby Conference Phone Configuration guide for Avaya Aura Platform 6.x Version 3.2 28 June 2017 Copyright 2017 Dolby Laboratories. All rights reserved. Dolby Laboratories, Inc. 1275 Market Street San Francisco,
More informationWhat s New for Enterprise and Education ios 11, macos High Sierra 10.13, tvos 11, and deployment tools and services
What s New for Enterprise and Education ios 11, macos High Sierra 10.13, tvos 11, and deployment tools and services September 2017 Introduction This document is a summary of what s new in ios 11, macos
More informationToday s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps
Today s workforce is Mobile Most applications are Web-based apps Cloud and SaaSbased applications are being deployed and used faster than ever Hybrid Cloud is the new normal. % plan to migrate >50% of
More informationGuide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE
Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationCisco IP Phone Security
Overview, page 1 Security Enhancements for Your Phone Network, page 2 View the Current Security Features on the Phone, page 2 View Security Profiles, page 3 Supported Security Features, page 3 Overview
More informationBlackBerry Dynamics Security White Paper. Version 1.6
BlackBerry Dynamics Security White Paper Version 1.6 Page 2 of 36 Overview...4 Components... 4 What's New... 5 Security Features... 6 How Data Is Protected... 6 On-Device Data... 6 In-Transit Data... 7
More informationRadius, LDAP, Radius, Kerberos used in Authenticating Users
CSCD 303 Lecture 5 Fall 2018 Radius, LDAP, Radius, Kerberos used in Authenticating Users Kerberos Authentication and Authorization Previously Said that identification, authentication and authorization
More informationVMware Tunnel on Windows. VMware Workspace ONE UEM 1810
VMware Tunnel on Windows VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,
More informationDolby Conference Phone. Configuration Guide for Microsoft Skype for Business
Dolby Conference Phone Configuration Guide for Microsoft Skype for Business Version 3.3 31 July 2017 Copyright 2017 Dolby Laboratories. All rights reserved. Dolby Laboratories, Inc. 1275 Market Street
More informationSecurity in the Privileged Remote Access Appliance
Security in the Privileged Remote Access Appliance 2003-2018 BeyondTrust, Inc. All Rights Reserved. BEYONDTRUST, its logo, and JUMP are trademarks of BeyondTrust, Inc. Other trademarks are the property
More informationSalesforce1 Mobile Security White Paper. Revised: April 2014
Salesforce1 Mobile Security White Paper Revised: April 2014 Table of Contents Introduction Salesforce1 Architecture Overview Authorization and Permissions Communication Security Authentication OAuth Pairing
More informationDolby Conference Phone 3.0 configuration guide for Unify OpenScape Enterprise Express 8.0.x
Dolby Conference Phone 3.0 configuration guide for Unify OpenScape Enterprise Express 8.0.x 11 July 2016 Copyright 2016 Dolby Laboratories. All rights reserved. For information, contact: Dolby Laboratories,
More informationCisco SD-Access Building the Routed Underlay
Cisco SD-Access Building the Routed Underlay Rahul Kachalia Sr. Technical Leader Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the
More informationMobile and Remote Access Through Cisco Video Communication Server
Mobile and Remote Access Through Cisco Video Communication Server Deployment Guide First Published: April 2014 Last Updated: June 2017 Cisco VCS X8.8.n Cisco Unified Communications Manager 9.1(2)SU4 or
More informationVMware AirWatch Cloud Connector Guide ACC Installation and Integration
VMware AirWatch Cloud Connector Guide ACC Installation and Integration Workspace ONE UEM v1810 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.
More informationCLI users are not listed on the Cisco Prime Collaboration User Management page.
Cisco Prime Collaboration supports creation of user roles. A user can be assigned the Super Administrator role. A Super Administrator can perform tasks that both system administrator and network administrator
More informationCIS Controls Measures and Metrics for Version 7
Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information
More informationDell EMC OpenManage Mobile. Version 3.0 User s Guide (Android)
Dell EMC OpenManage Mobile Version 3.0 User s Guide (Android) Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION
More informationCisco Next Generation Firewall Services
Toronto,. CA May 30 th, 2013 Cisco Next Generation Firewall Services Eric Kostlan Cisco Technical Marketing 2011 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 1 Objectives At the
More informationSecuring ArcGIS Services
Federal GIS Conference 2014 February 10 11, 2014 Washington DC Securing ArcGIS Services James Cardona Agenda Security in the context of ArcGIS for Server Background concepts Access Securing web services
More information