Best Practices to deploy secure Cloud Collaboration solutions in context of a Cloud Ready network

Transcription

1

2 Best Practices to deploy secure Cloud Collaboration solutions in context of a Cloud Ready network Marc Dionysius Technical Solutions Architect

3 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot# 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Agenda Introduction and Objectives Current challenges How to address the existing network architecture? Why are Cloud Ready Network Concepts relevant? A different angle to Cloud Security Conclusion

5 Objectives Cloud Collaboration services continue to grow and present customers and partners with both opportunities and challenges to deploy those services in today s customer environments. This session will review design and deployment considerations for secure Cloud Collaboration solutions in the context of current customer network architectures including proxies, centralized internet breakouts and future evolutions towards cloud-ready networks. It is designed for individuals looking to understand the various aspects, benefits and challenges of moving solutions towards Cisco Collaboration Cloud and Cisco Spark Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 Current challenges

7 Cloud and Security are mutually exclusive! Undisclosed customer quote 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 The New Normal More targeted attacks More than 100 targeted breach attempts every year Shortage of cybersecurity expertise 1.5 million job openings by 2019 Attacks are faster than ever but still take too long to find 82% of compromises measured in minutes 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

9 Are Cloud and Security Mutually really mutually exclusive? Source: Gartner Highlights the Top 10 Cloud Myths 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 10

10 We expect your solution to fit into our existing security framework. Undisclosed customer quote 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 11

11 Collaboration Security a History tour into Cisco and/or its affiliates. All rights reserved. Cisco Public 12

12 How to address the existing network architecture?

13 What topology we typically see in a customer s network? Internal DMZ Internet IdP Datacenter Cisco Collaboration Cloud Cloud Remote Site IP WAN Voice Video Endpoints IdP Desktops/Laptops Teleworker Wireless Devices 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

14 Cisco Spark - Types of Traffic Spark Clients Messages, Media Signalization, notifications, Control and Analytics Traffic HTTPS and WSS Spark Services Voice, Video and Content Share SRTP and STUN 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

15 Traffic Flow Scenario 1 - Security relaxed customer, policies only enforced in the FW Internal DMZ Internet 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 16

16 Traffic Flow Scenario 2 - Security aware customer, policies enforced in the FW and Proxy Internal DMZ Internet Proxy 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 17

17 Traffic Flow Scenario 3 - Security focus customer, policies enforced in the FW and Proxy plus no direct connection to internet Internal DMZ Internet Proxy HMN 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

18 What is a proxy? Proxy is a machine or groups of machines that allow computers in the internal LAN of the customer to reach to the internet. Mainly they deliver services for HTTP/HTTPS Protocol but other services are also supported ( FTP, Gopher, etc. ) Typically we see them in customer network that don t give direct access to the internet/outside Cisco and/or its affiliates. All rights reserved. Cisco Public 20

19 Objective of proxies? Caching To allow the speed of downloading content from the internet, assuming that most of the times many user in the same organization access to the same sites. Filtering Limiting to which sites the user of a specific organization can have access to. Authentication Making sure that only valid users from a specific organization are allowed to access to the internet. Inspect Some proxies also allow for inspection of HTTP/HTTPS traffic to make sure it is legit 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 21

20 Proxy Hot to configure Manually user needs to manually configure the proxy in the web bowser or OS, it is a process that is unpractical in mid size to big organization GPO Using Widows Group policy, Active Directory administrators can push to the Windows desktops the configuration for the proxies. PAC Allow for administrators to create a file, to be store in a web Server, that specifies the proxies and exceptions. Easier to manage, since only requires that the user configure an URL WPAD - The Web Proxy Auto-Discovery Protocol (WPAD) is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods Cisco and/or its affiliates. All rights reserved. Cisco Public 22

21 Proxy How to authenticate? No Authentication User or Endpoint does not need to authenticate against the proxy. Basic Defined in RFC 2617, in Basic Authentication the client sends the username and password as unencrypted base64 encoded text. Digest Same as Basic, but instead of passing the password in clear text, uses a hash based on the password and several other parameters. Only very few proxy servers support Digest authentication and if so, it can t use User password in Active Directory NTLM - is a protocol that is used in several Microsoft network implementations to enable single sign-on across different services and use a Challenge/Response mechanisms for delivering authentication, password is never travels over the network. Negotiate - Microsoft release Simple And Protected Negotiate ( SPNEGO ) authentication method. In this method the server asked for Negotiate in the proxy Authentication, the clients will reply with a Kerberos ticket but can fallback to NTLM credentials. (First appear part of RFC 1510 but become obsolete by RFC 4120) 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

22 Proxy Inspection using TLS intercept How does TLS works? client Server Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are key components of secure communications in insecure medias. The privacy, integrity, and authenticity provided by these protocols are extremely important to transmit data. Modern implementations generally support both TLSv1.0 and TLSv1.1, with TLSv1.2. All communications relies on the validation of the certificates exchange TLS intercept acts as a MiTM, will open the possibility of such attacks to the clients, need to be carefully planned. Verify Server Certificate Client Hello Server Hello Server Certificate Cipher Suite Request client Certificate Client Certificate Cipher suite Client Finished Message Server Finished Message Encrypted Data 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 24

23 Proxy Inspection using TLS intercept How does proxy do TLS intercept? Client Proxy Server Intercept proxies can be deployed in several ways, depending on their purpose and what type of inspection they do. Intercept proxies can be Deep Packet Inspection devices, can be included in next-generation firewalls, or do data loss prevention (DLP). Verify Server Certificate Client Hello Server Hello Server Certificate Cipher Suite Request client Certificate Client Certificate Cipher suite Client Finished Message Server Finished Message Data Verify Server Certificate Client Hello Server Hello Server Certificate Cipher Suite Request client Certificate Client Certificate Cipher suite Client Finished Message Server Finished Message Data Unencrypted Data 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

24 TLS intercept How to validate? In TLS, Clients needs to validate Server components. So our Client needs to validate the Certificate used by the proxy, so it needs to trust the Enterprise or Public CA that sign it. But since the proxy itself is also a client for the second segment, so it needs to validate the Public CA that sign the Server. Client Certificate TrustStore Enterprise CA DMZ Proxy Certificate TrustStore Public CA Server Certificate TrustStore There isn t much point of doing TLS intercept to Spark traffic since inside the TLS packets there is another layer of encryption that proxies can t decrypt, so the only advance would be to know the full URL s used by Spark Service 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 26

25 Spark Security Architecture End to End Secure Communication Transport Key Management Establish TLS connection Mutual TLS connection OAuth to authorize services Inter service message transport Establish end to end ECDHE communication channel Client verifies KMS identity through PKI certificate Crypto Key operations (key material) not visible to other cloud components Establish TLS connection Inter service message transport Secure TLS REST interfaces Interaction between services based on certificate based MTLS Service components authorization by OAuth Tokens Secure client connection to service over TLS End to End Client to Key Management channel negotiated ECDHE Identity of Key Management Service verified by PKI certificate Client to Key Management crypto key operations E2E secured over transport layer JSON Web Encryption (JWE, RFC 7516) 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 28

26 Proxy exceptions for Spark traffic An alternative to TCP Intercept Most of the Proxy can create rules base on destinations. There are rules like TLS intercept bypass, authentication bypass, etc. For Spark we published the URLs that we require for the Spark service to work. Some proxies like the Cisco WSA have the capabilities of getting all this URL s from a single live feed: /assets/docs/spark_wsa.csv Cisco and/or its affiliates. All rights reserved. Cisco Public

27 Recommendations regarding Proxies Spark traffic has encrypted traffic inside HTTPS connections, so even TLS delivers Hop by Hop encryption for the connections we add end-to-end encryption for the Spark traffic: In fact the only advantage of TLS Intercept is just to understand the destination URL (not only the domain information that the TLS connections provides by default), the traffic is complete opaque to the proxy Alternatively, create an exception in the proxy to exclude Spark traffic from the TLS Intercept and/or Authentication as described on the previous slide. We are absolutely NOT recommending to turn off TLS Intercept in general!! Spark Devices: recommendation is by using Destination (Cisco Spark domains) and User Agent of the HTTP request, to create rules where the Spark devices (CE and SparkBoard) will use a specific policy with exceptions for Cisco Spark, with no Authentication or TLS intercept configured Cisco and/or its affiliates. All rights reserved. Cisco Public 30

28 WSA Proxy authentication using ISE with.1x Some endpoints like CE and SB devices have no easy way of delivering secure authentication against proxies. If there is the need to authenticate on multiple OSI layers ( network, application ) why not use one to provide authentication to the other? Enterprise CA ISE Switch WSA Web Service Sign certificate from a CA Access to network, switch will redirect to the ISE ISE will ask for.1x certificate base authentication Endpoint with proxy configuration will request access to web services WSA using pxgrid will check is device did successful.1x authentication Endpoint connect securely to the Web Service using authenticated proxies without user interaction 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

29 Proxy support - what does it means? When we talk about proxy support we only talking HTTPS and WSS traffic. Media over proxies isn t recommended, proxies were not designed to handle media, their performance is really bad and doesn t scale. Spark Clients Messages, Media Signalization, notifications, Control and Analytics Traffic HTTPS and WSS Voice, Video and Content Share SRTP and STUN Spark Services 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

30 Firewall Requirements

31 Spark Clients Message, Signalization, Notification and Control Messages, Media Signalization, notifications, Control and Analytics Traffic HTTPS and WSS Spark Services Internal DMZ Internet Media goes directly to the internet using HTTPS WSS protocol. Internal DMZ Internet Signalization goes through Proxy (rules already in place in the firewall). Proxy 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 34

32 Protocol and Ports used by Spark Assuming the most simple scenario with direct connection to the internet Protocol : TCP Source IP : Internal LAN IP address Range Source Port : Ephemeral Destination IP : Any IP Destination Port : 443 Internal DMZ Internet Protocol : UDP Source IP : Internal LAN IP Source Port : Voice Video Destination IP : Any IP Destination Port : 5004 Fallback Protocol : TCP Source IP : Internal LAN IP Source Port : Ephemeral Destination IP : Any IP Destination Port : Cisco and/or its affiliates. All rights reserved. Cisco Public

33 Protocol and Ports used by Spark From a Media perspective Spark clients always try to use UDP but will fallback to TCP if UDP is closed. TCP might impact media quality and it can t guarantee quality for Real Time Media. As last case scenario for the software clients (Win, MAC, ios and Android ) we can use HTTPS proxies for media, but it isn t recommended. Cisco can t help much if there will be quality issues with media. Spark Boards in old versions of SW need to access NTP ( port 123 ), but in new versions Protocol : TCP Source IP : Internal LAN IP address Range Source Port : Ephemeral Destination IP : Any IP Destination Port : 443 will use DHCP. Internal DMZ Internet Protocol : UDP Fallback Source IP : Internal LAN IP Source Port : Voice Video Destination IP : Any IP Destination Port : 5004 Protocol : TCP Source IP : Internal LAN IP Source Port : Ephemeral Destination IP : Any IP Destination Port : Cisco and/or its affiliates. All rights reserved. Cisco Public 36

34 Internal DMZ Internet Firewall rules for Media HMN Option 1 Access to the Spark Service through Hybrid Media Node. All clients inside the customer network would connect to the Hybrid Media Node, if there will be participants outside the customer network then HMN would cascade the media flow to the cloud. Unique sources, very well defines, if necessary in special DMZ s to protect to connect to the Spark services in the Cloud. Will open UDP connection to a destination port 5004, few additional ports needed, please review reference slides in the Appendix Cisco and/or its affiliates. All rights reserved. Cisco Public 37

35 Internal DMZ Internet Firewall rules for Media Option 2 Using firewalls with STUN support Defined in RFC3489. Uses UDP from any Spark client inside the customer network using source ports Voice Video Where the destination might be any IP address in the internet with destination port 5004 STUN allow to open up pinholes only if the system is WebRTC compliant, and there is an external recipient expecting the traffic (prevents enterprise from being source of DDoS). From a security perspective this is the recommended model but require Firewalls that use STUN for WebRTC traffic like Cisco ASA Cisco and/or its affiliates. All rights reserved. Cisco Public 38

36 Internal DMZ Internet Firewall rules for Media Option 3 Direct access to the Spark Service using UDP protocol for media using specific destination IP addresses. We require that the administrator configure the firewall to access inside initiated UDP flow with return to the same 5-Tuple (Source IP address/port number, destination IP address/port number and the protocol in use ) with a 30s timeout on the creation of the pinhole, Bidirectional media is sent over this flow. Uses UDP from any Spark client inside the customer network using source ports Voice Video Where the destination might be two /19 prefixed in the internet with destination port 5004 This is EFT today, will be GA soon Cisco and/or its affiliates. All rights reserved. Cisco Public 39

37 Internal DMZ Internet Firewall rules for Media Option 4 Direct access to the Spark Service using UDP protocol for media. We require that the administrator configure the firewall to access inside initiated UDP flow with return to the same 5-Tuple (Source IP address/port number, destination IP address/port number and the protocol in use ) with a 30s timeout on the creation of the pinhole, Bidirectional media is sent over this flow. Uses UDP from any Spark client inside the customer network using source ports Voice Video Where the destination might be any IP address in the internet with destination port Cisco and/or its affiliates. All rights reserved. Cisco Public 40

38 Spark Clients Media for Voice, Video and Content Sharing Voice, Video and Content Share SRTP and STUN Spark Services Option 1 Access to the Spark Service through Hybrid Media Node. Option 2 Direct access to the Spark Service using firewalls with STUN support. Option 3 Direct access to the Spark Service using UDP protocol for media using specific destination IP addresses. Option 4 Direct access to the Spark Service using UDP protocol for media. Option 5 Direct access to the Spark Service using TCP protocol for media. Option 6 Access to the Spark Service using Proxy Cisco and/or its affiliates. All rights reserved. Cisco Public 43

39 Why are Cloud Ready Network Concepts relevant?

40 With the growing number of Cloud Services consumed by our organization, we have to re-think our current Internet Breakout strategy! Undisclosed customer Manager Solution Architecture Network & Unified Communications 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 45

41 Why are enterprises thinking about SD-WAN? 50% of Apps accessed via Internet 58% Of IT budgets spent on WAN Connectivity 32.4% Cite management of connectivity at branch as a challenge 48.6% Cite poor application performance and latency as corporate WAN concern 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 46

42 Secure SD-WAN and Cloud Access Optimized Hybrid WAN Branch MPLS (IP-VPN) 3G/4G-LTE Private Cloud Virtual Private V Cloud DirectAccess Cloud Internet Public Cloud 1. IWAN Secure VPN for private and virtual private cloud access 2. Leverage local Internet path for public cloud and Internet access Increase WAN transport capacity and app performance cost effectively! Improve application performance (right flows to right places) 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

43 SD-WAN: Secure Connectivity Secure WAN Transport Branch MPLS (IP-VPN) Private Cloud Virtual Private Cloud Secure Internet Access Internet Public Cloud Two areas of concern 1. Protecting the network from outside threats with data privacy over provider networks 2. Protecting user access to Public Cloud and Internet services; malware, privacy, phishing, 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 48

44 SD-WAN: Direct Cloud Access MPLS (IP-VPN) Private Cloud Virtual Private Cloud Branch Internet Direct Cloud Access Umbrella Public Cloud Leverage Local Internet path for Public Cloud and Internet access Improve application performance (right flows to right places) Solutions On Premise Zone Based Firewall Cloud Based Cloud Umbrella Branch 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 49

45 Cisco Umbrella Any device User request patterns Used to detect: Compromised systems Command and control callbacks Malware and phishing attempts Algorithm-generated domains Domain co-occurrences Newly registered domains Authoritative DNS logs Used to find: Newly staged infrastructures Malicious domains, IPs, ASNs DNS hijacking Fast flux domains Related domains Authoritative DNS root com. domain.com Cisco and/or its affiliates. All rights reserved. Cisco Public 50

46 Improving Cloud User Experience and Security Cloudlock vprivate Cloud Internet DMZ Secure Direct Cloud Access From the DC From the Branch From a Colocation Facility (Colo) From within a Cloud Service (AWS, Azure,..) Colo MPLS INET MPLS V vprivate Cloud V MPLS Internet INET DC Pervasive Security User, Transport, Cloud, Internet & Compliance AVC OpenDNS Umbrella R14 Branch Site 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 51

47 A different angle to Cloud Security

48 Cisco Cloudlock Discover and Control Compromised Accounts Data Exposures and Leakages Cloud Malware Insider Threats Privacy and Compliance Violations Shadow IT/OAuth Discovery and Control User and Entity Behavior Analytics Cloud Data Loss Prevention (DLP) Apps Firewall 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 53

49 More of a proactive approach Events API for Data Loss Prevention, Archival, ediscovery API enables polling for events and content that enables organizations to monitor and correct user behavior, preventing the loss of sensitive data Cisco Spark Events API Third party DLP or CASB Integrations Third-party vendor software Corrective actions policies Delete content Alert user / admin 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 54

50 More of a proactive approach cont. Cloud Access Security Broker (CASB) Unmanaged Users Unmanaged Devices Cisco Spark PUBLIC ADMIN OAUTH API ACCESS ACCES Authorized S Unmanaged Network (Cisco?) NGFW/Umbrella Managed Users Managed Devices Managed Network 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 55

51 More of a proactive approach cont. Vendors for Compliance and Data Loss Prevention (DLP) 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 56

52 Conclusions

53 Conclusions Cloud and Security can be absolutely working hand in hand. In order to deploy Cisco Collaboration Cloud in a current customer network we may need to elaborate that a different approach is NOT less secure. Understand the bigger picture and the change that Cloud Applications bring to all aspects of a customer network and try to address customer demands and concerns in a cross-architecture approach. Leverage the full capabilities of Cisco s Collaboration Cloud to include it into a general framework for secure Cloud Application Access to address both, the technical requirements and the user side Cisco and/or its affiliates. All rights reserved. Cisco Public 58

54 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot# 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

55 Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at Cisco and/or its affiliates. All rights reserved. Cisco Public

56 Continue Your Education Technical Seminar Cloud Security unveiled - all aspects of Network, Data-Security, Compliance and Data Leakage Prevention in Cisco Spark Breakout Sessions BRKCOL-2030 Cisco Spark - Cloud and On Premise Security explained Recommended reading Spark Security Whitepaper Spark Firewall Traversal Whitepaper Demos in the Cisco campus Meet the Engineer 1:1 meetings 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 61

57 Thank you

58

59 Appendix

60 Cisco Spark Clients Proxy configuration Config Type CE SparkBoard Spark Windows Spark Mac Spark ios Spark Android Manual Config GPO PAC WPAD 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 65

61 Cisco Spark Clients Proxy Authentication Support Config Type CE SparkBoard Spark Windows Spark Mac Spark ios Spark Android No Auth Basic Digest NTLM Negotiate 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 66

62 Cisco Spark Clients Other Security Features Config Type CE SparkBoard Spark Windows Spark Mac Spark ios Spark Android 802.1X Auth TLS intercept CDP Media over HTTPS Content Sharing over UDP 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 67

63 Hybrid Media Node Internal DMZ Internet HMN 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

64 Expressway Connectors Internal User devices Internal Servers DMZ Internet Expressway C Proxy If customer has proxies we support only No Auth and Basic Authentication, TLS intercept is also supported. Internal User devices Internal Servers DMZ Internet Expressway C If there isn t any proxy we will use HTTPS to send traffic to the Spark cloud Cisco and/or its affiliates. All rights reserved. Cisco Public 69

65 Directory Connector Internal User devices Internal Servers DMZ Internet Proxy If Windows OS is configured for Proxies we will use it and send all traffic there Internal User devices Internal Servers DMZ Internet If there isn t any proxies configured in the systems we will use HTTPS to send traffic to the Spark cloud Cisco and/or its affiliates. All rights reserved. Cisco Public 70

66 Hybrid Data Security Internal User devices Internal Servers DMZ Internet HDS 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 71

67 Hybrid Media Node Media Considerations Source IP Address Destination IP Address Source UDP Ports Destinations UDP Ports Media Type Clients/endpoints Hybrid Media Node Audio Clients/endpoints Hybrid Media Node Video Hybrid Media Node Collaboration Cloud Audio Hybrid Media Node Collaboration Cloud Video Hybrid Media Node Hybrid Media Node , 5006 Voice, Video Hybrid Media Node Hybrid Media Node 5004, Voice, Video 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 72

68 Hybrid Media Node Management Considerations Source Destination Transport Protocol Destinations Ports Destination IP Computer Management Hybrid Media Node TCP 443 Any UDP -> NTP 123 Hybrid Media Node Collaboration Cloud UDP -> DNS 53 Any TCP -> HTTPS 444 Hybrid Media Node Hybrid Media Node TCP -> HTTPS 5000 Any Hybrid Media Node Collaboration Cloud TCP -> HTTPS 443 *.wbx2.com *.idbroker.webex.com 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 73

69 Cisco Spark Port Usage Summary (Endpoints -> Cloud Direction Shown) Source IP Address Destination IP Address Source UDP Ports Destinations UDP Ports Recommended DSCP Media Type Clients/endpoints Collaboration Cloud EF Audio Clients/endpoints Collaboration Cloud AF41 Video Clients/endpoints Hybrid Media Node EF Audio Clients/endpoints Hybrid Media Node AF41 Video Hybrid Media Node Collaboration Cloud EF Audio Hybrid Media Node Collaboration Cloud AF41 Video 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 74

70