#CiscoLiveLA 2017: presentation by Miro Polakovic (Cisco Live Latin America 2017, session BRKCOL-2030)

  2. Cisco Spark Platform & On-Premise Security Explained. Miro Polakovic, Technical Marketing Engineer, Cisco Collaboration Technology Group. Session BRKCOL-2030.
  3. Cisco Spark: Questions? Use Cisco Spark to chat with the speaker after the session: 1) find this session in the Cisco Live Mobile App, 2) click "Join the Discussion", 3) install Spark or go directly to the space, 4) enter messages/questions in the space. Bot link: cs.co/ciscolivebot#BRKCOL-2030. Cisco Spark spaces will be available until November 17, 2017. (Slide footer: © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public.)
  4. Agenda:
     • Introduction: Cisco Spark security, realms of separation and identity obfuscation
     • Cloud-based data security and data services: synchronizing user IDs with the Cisco Spark platform and Single Sign-On support; secure cloud connection, data encryption, secure search indexing; compliance and e-discovery services, retention policies, data ownership
     • Hybrid Data Security (HDS): KMS on premises, architecture, search, firewalls, federation
     • Firewalls and proxies support
     • WebEx update: management, Pro-Pack, SSO, best practices
  5. Business Messaging Over Time… (timeline graphic)
  6. Business Class Security Features:
     • User access controls: lock rooms to moderate room participants and content (not included in the free offer)
     • IT management: add Single Sign-On, directory sync, and view analytics
     • Encryption: end-to-end encryption in the cloud, plus in-transit and media encryption
  7. Security and Compliance Challenge: Shadow IT vs. Corporate IT. Users want open collaboration (anywhere access, fully searchable data, app integrated, cloud managed); IT needs it secured (discoverable, enterprise integrated, encrypted, compliant). The goal is "no compromise" collaboration that satisfies both.
  8. Cloud Based Security and Data Services
  9. Cisco Spark Platform overview. Services: meetings, business messaging, Cisco Spark devices, bots and integrations, calling, file sharing. Security, compliance and analytics IT requirements: end-to-end encryption plus key management, Hybrid Data Security, advanced analytics (operational, behavioral, productivity, utilization), enterprise identity and access management, retention policies, eDiscovery search, data loss prevention.
  10. Cisco Collaboration Cloud Security: Realms of Separation. Cisco Spark logically and physically separates functional components within the cloud. Identity Services holding real user identity (e.g. email addresses) are separated from the Encryption (Key Management), Indexing and Compliance Services, which are in turn separated from the Data Storage (Content Server) services. The diagram places the three groups in three different data centers (A, B, C).
  11. Realms of Separation: Encryption and Storage. Data services such as encryption key generation, secure message indexing for data search, and data compliance functions operate in different data centers from the one in which encrypted content is stored. Data storage services never have access to encryption keys; the Content Server holds only ciphertext (drawn as "xxxxxxxx" in place of "message").
  12. Realms of Separation: Identity Obfuscation. Outside of the Identity Service, real identity information is obfuscated: for each user ID, Spark generates a random 128-bit Universally Unique Identifier (UUID), which becomes the user's obfuscated identity. No real identity information transits, or is stored, elsewhere in the cloud (diagram: jsmith@abc.com maps to an opaque identifier drawn as htzb2n78jdbc9e).
  13. Cisco Spark: User Identity Sync and Authentication. Directory Sync: user information can be synchronized from the enterprise Active Directory into the Identity Service; multiple user attributes can be synchronized; a scheduled sync tracks employee changes. Passwords are not synchronized: the user either 1) creates a password or 2) uses SSO for authentication.
  14. Cisco Spark: SAML SSO Authentication. Administrators can work with their existing SSO solution: the Spark Identity Service delegates user authentication to the enterprise Identity Provider (IdP) over Security Assertion Markup Language (SAML) 2.0, and the clients are then issued OAuth 2.0 tokens (see slide 17).
  15. On-Premise Identity as a Service: Cisco Collaboration identity partners. Cisco Spark integrates with enterprise IdPs on premises or in the cloud.
  16. Cloud Based Security: Secure Messages and Content
  17. Direct Internet access: Cisco Spark app connection.
     1) The customer downloads and installs the Cisco Spark application (which ships with its trust anchors).
     2) The Cisco Spark client establishes a TLS connection with the Cisco Spark platform.
     3) The Cisco Spark Identity Service prompts for an e-mail ID.
     4) The user is authenticated by the Spark Identity Service, or by the enterprise IdP (SSO).
     5) OAuth access and refresh tokens are created and sent to the Cisco Spark app; the access tokens carry the Spark resources the user is authorized to access.
     6) The Spark client presents its access tokens to register with Spark Services over a secure channel.
  18. Direct Internet access: Cisco Spark device connection.
     1) The user enters the 16-digit activation code received via e-mail from the Spark provisioning service (drawn as 1234567890123456).
     2) The device is authenticated by the Identity Service; trust anchors are sent to the device and a secure connection is established.
     3) OAuth access and refresh tokens are created and sent to the device; the access tokens carry the Spark resources the user is authorized to access.
     4) The device presents its access tokens to register with Spark Services over a secure channel.
  19. Cisco Spark: Encrypting Messages and Content. Spark clients request a conversation encryption key from the Key Management Service (KMS). Any messages or files sent by a client are encrypted before being sent to the Cisco Spark platform, so the Content Server only ever receives ciphertext. Each Spark room (space) uses a different conversation encryption key. The cipher is AES-256-GCM.
  20. Cisco Spark: Decrypting Messages and Content. Encrypted messages sent by a client are stored in the Cisco Spark platform and also sent on to every other client in the Spark space. Each encrypted message contains a link to its conversation encryption key; if the receiving Cisco Spark app does not already hold that key, it retrieves it from the Key Management Service.
  21. Cloud Based Security: Secure Search, Indexing & eDiscovery
  22. Searching Spaces: Building a Search Index. The Indexing Service enables users to search for names and words in the encrypted messages stored in the Content Server. A search index is built by creating a fixed-length keyed hash of each word in each message within a space (illustrated as "Spark IS the message" becoming the hash bytes B9 57 FE 48). The hashes for each Spark space are stored by the Content Service. A new hashing key (Search Key), used with HMAC-SHA-256, is generated for each room.
  23. Searching Spaces: Querying a Search Index (example: search for the word "Spark"). The client sends its search request over a secure connection to the Indexing Service. The Indexing Service hashes the search terms with the per-space Search Key (here "Spark" becomes B9). The Content Server searches for a match in its hash tables and returns the matching encrypted content to the client; a link to the conversation encryption key is sent with the encrypted message so the client can decrypt it.
  24. Enterprise Compliance: eDiscovery Search.
     • The Compliance Console and eDiscovery features support investigating DLP and other compliance events with speed and accuracy.
     • An Events API allows integration with IT governance systems (CASB, DLP).
     Value to the enterprise: meet HR, GRC and Legal compliance mandates; only authorized members of the DLP, HR and GRC teams can investigate events.
  25. Cisco Spark Content Ownership.
     • Organization (org): a collection of users under the administrative domain of a single entity; the org has rights to the content of its users.
     • Spaces: ownership falls on the org of the user that creates the space (space properties, content, events).
     • Teams: ownership falls on the org of the user that creates the team; this organization also owns all spaces created under the team.
  26. What does Content Ownership get you? (Owning organization vs. participating organization)
     Operation | Owning org | Participating org
     CREATE: post content into the space | No | No
     READ: read content (messages and files) posted by its own users into the space | Yes | Yes
     READ: read content posted by any user in the space | Yes | No
     UPDATE: modify content posted by users into the space | No | No
     DELETE: delete content posted by its own users in the space | Yes | Yes
     DELETE: delete content posted by any user in the space | Yes | No
     Define retention policies for the space | Yes | No
     Slide note: "Protect the end user!" These org rights are exercised through the Compliance Officer role.
  27. Cisco Spark Search and Extraction Console: search Spark space activity to enable legal discovery and incident investigation. An extension of Cisco Cloud Collaboration Management, used by the Compliance Officer role. Search on email ID, room ID and keywords; extract texts, files and contextual data.
  28. Cisco Spark Compliance Service: E-Discovery (1). From the Cloud Collaboration Management Portal, the Compliance Officer selects a group of messages and files to be retrieved for e-discovery, e.g. based on date range, content type or user(s). The Indexing Service hashes the query (illustrated as "Jo Smith's Content" becoming X1GFT5YY) and searches the Content Server for related content; the Content Server returns the matching encrypted content to the Compliance Service.
  29. Cisco Spark Compliance Service: E-Discovery (2). The Compliance Service decrypts the content returned by the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service. The E-Discovery Storage Service sends the compressed and encrypted content to the Compliance Officer ("E-Discovery content ready" in the portal).
  30. Event API for Data Loss Prevention (DLP). Integrates with DLP, Cloud Access Security Broker (CASB), archival and eDiscovery solutions. Provides a stream of events and content that enables organizations to monitor and correct user behavior, preventing the loss of sensitive data. Flow: Cisco Spark sends the stream of events to the third-party DLP or CASB, which applies its policies and sends corrective actions back (delete content, remove user, delete title).
  31. Retention Policies.
     • Match message, meeting record and file storage to corporate risk management requirements
     • Includes whiteboard records
     • Content is deleted, including backups
     Value to the enterprise: control exposure by limiting the amount of content in the cloud; align and unify policies across email and messaging products.
  32. Customer Controlled Security: Hybrid Data Security
  33. Hybrid Data Security creates a secure enclave in the customer data center to manage, and provide visibility into, the keys that secure the content, actions and data within Spark. Value to the enterprise: ownership and control of key management; assists enterprises in more highly regulated industries with meeting the highest standards of encryption and data loss prevention.
  34. Cisco Spark: Hybrid Data Security (HDS). Hybrid Data Services move three components on premises, into the customer's secure data center: the Key Management Server, the Indexing Server and the E-Discovery Service. The Content Server (encrypted storage) stays in the cloud.
  35. Cisco Spark: Hybrid Data Security, Key Management. The hybrid Key Management Server performs the same functions as the cloud-based Key Management Service, but now all of the keys for messages and content are owned and managed by the customer.
  36. Hybrid Data Security traffic and Firewalls. Hybrid Data Services make outbound connections only, from the enterprise to the Cisco Spark platform, using HTTPS and Secure WebSockets (WSS). No special firewall configuration is required.
  37. Hybrid Data Security: Scalability. HDS is managed and upgraded from the cloud. Customers can access usage information for the HDS servers via the cloud management portal. Multiple HDS servers can be provisioned for scalability and load sharing.
  38. HDS: Encrypting Messages & Content. The Cisco Spark app requests an encryption key from the hybrid Key Management Server. Any messages or files sent by a client are encrypted before being sent to the Cisco Spark platform. Encrypted messages and content are stored in the cloud; the encryption keys are stored locally, on premises.
  39. HDS: Decrypting Messages & Content. Encrypted messages from clients are stored in the Cisco Spark platform and sent to every other client in the Spark room. Each contains a link to its encryption key on the hybrid Key Management Server, from which the Cisco Spark app retrieves the key.
  40. Hybrid Data Security: Search Indexing Service. As in the cloud case, the Indexing Service (now on premises) enables users to search for names and words in the encrypted messages stored in the Content Server, by hashing each word with a per-room Search Key (illustrated as "Spark IS the message" becoming B9 57 FE 48). A new Search Key is used for each room.
  41. Hybrid Data Security: Querying a Search Index (example: "Spark"). The client sends its search request over a secure connection to the on-premises Indexing Service, which hashes the term with the room's Search Key ("Spark" becomes B9) and matches it against the index held by the Content Server. A link to the conversation encryption key is sent with the returned encrypted message.
  42. Cisco Spark Compliance Service: E-Discovery (1), HDS variant. An admin, from the Cloud Collaboration Management Portal, selects a group of messages and files to be retrieved for e-discovery, e.g. based on date range, content type or user(s). The on-premises Indexing Service hashes the query (illustrated as "Jo Smith's Content" becoming X1GFT5YY) and searches the Content Server for the selected content; the Content Server returns the matching encrypted content to the on-premises Compliance Service.
  43. Cisco Spark Compliance Service: E-Discovery (2), HDS variant. The on-premises Compliance Service decrypts the content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service, which sends the compressed and encrypted content to the administrator on request ("E-Discovery content ready").
  44. Customer Controlled Security: Key Management Server Federation
  45. HDS: Key Management Server Federation. Hybrid Key Management Servers in different enterprises (A and B) establish a mutual TLS connection with each other via the Cisco Spark platform. Hybrid Key Management Servers make outbound connections only: HTTPS and WebSocket Secure (WSS). All connections to and within the Cisco Spark platform use ECDH to derive the symmetric encryption keys.
  46. HDS: Key Management Server Federation (continued). With a secure connection between the hybrid KMSs, users can be added to rooms created by either enterprise: the mutually authenticated hybrid KMSs request room encryption keys from one another on behalf of their users.
  47. Customer Controlled Security: Architecture and considerations
  48. Hybrid Data Security Architecture. Each Hybrid Data Services node is a VM on vSphere running Docker with two kinds of containers, plus a read-only IDE mount of the HDS cluster config ISO; several nodes form the HDS cluster.
     • ECP (Enterprise Compute Platform): management containers which communicate with the cloud and perform actions such as sending health checks and checking for new versions of HDS.
     • HDS (Hybrid Data Security): Key Management Server, search indexer and eDiscovery services.
     • HDS Cluster Config: an ISO file containing configuration for the local HDS cluster, e.g. database connection settings and the database master encryption key.
     • IDE Mount: mount point of the read-only HDS Cluster Config ISO containing the configuration settings for the HDS system.
     Customer-provided services: Postgres database, syslogd, database backup, system backup.
  49. Hybrid Data Security: Positioning. HDS includes the KMS, the search indexer and the eDiscovery backend. HDS offers a unique security property: the customer, and the customer alone, stores and owns the encryption keys for their messages and content. These benefits come with significant responsibilities: an HDS deployment requires significant customer commitment and an awareness of the risks that come with owning encryption keys. Complete loss of either the configuration ISO or the Postgres database will result in loss of the decryption keys stored in HDS, which will prevent users from decrypting space content and other encrypted data. If this happens, an empty HDS can be restored, but only new content will be visible. HDS may therefore not be desirable for all customers.
  50. HDS Install Prerequisites (see https://www.cisco.com/go/hybrid-data-security).
     • X.509 certificate, intermediates and private key: PKI is used for KMS-to-KMS federation. Common Name signed by a member of the Mozilla trusted root store, no SHA-1 signatures, PKCS#12 format.
     • ESXi virtualized hosts: minimum 2 to support upgrades, 3 recommended, 5 maximum; minimum 4 vCPUs, 8 GB main memory, 50 GB local disk per server. A single HDS deployment (slide example KMS URI: kms://cisco.com) easily supports 15K users.
     • 1 Postgres 9.6.1 database instance (key datastore): 8 vCPU, 16 GB RAM, 2 TB disk. Database user created with createuser and assigned GRANT ALL PRIVILEGES ON the database.
     • 1 syslog host: hostname and port required to centralize syslog output from the three HDS instances and the management containers.
     • A secure backup location: the HDS system requires organization administrators to securely back up two pieces of information, 1) the configuration ISO file generated by this process and 2) the Postgres database. Failure to maintain adequate backups will result in loss of customer data. See <Section on Disaster Recovery>.
     • Network: outbound HTTPS on TCP port 443 from the HDS host; bi-directional WSS on TCP port 443 from the HDS host; TCP connectivity from the HDS host to the Postgres database host, syslog host and statsd host.
  51. Cisco Spark Platform & Enterprise Firewalls
  52. Connecting from the Enterprise: Firewalls. Whitelisted ports and destinations for Spark Call (7800, 8800 phones), Spark desk and room devices, and Spark clients (details on the following slides):
     • Media source UDP ports: voice 52000 - 52099, video 52100 - 52299
     • Media source TCP/HTTP ports: ephemeral (so no DSCP re-marking by source port is possible)
     • Media destination UDP/TCP/HTTP ports: 5004, 5006
     • Destination IP addresses: any
     Supported by most devices today; the remaining devices are on the roadmap.
  53. Voice and Video Classification and Marking: source port range summary for endpoints and clients.
     Audio 52000 - 52099: Spark soft clients 52000 - 52049, Spark devices 52050 - 52099
     Video 52100 - 52299: Spark soft clients 52100 - 52199, Spark devices 52200 - 52299
  54. Spark Apps: Network Port and Whitelist Requirements (Spark applications on Windows, Mac, iOS, Android and Web)
     Protocol | Source ports | Destination ports | Destination | Function
     UDP | Voice 52000 - 52049, Video 52100 - 52199 (exception: because of an OS firewall issue, Windows uses ephemeral source ports today; fix due by Q3 CY '17) | 5004 & 5006 | Any IP address | SRTP over UDP to Cisco Spark media nodes
     TCP | Ephemeral | 5004 & 5006 | Any IP address | SRTP over TCP or HTTP to Cisco Spark media nodes
     TCP | Ephemeral | 443 | identity.webex.com | HTTPS: Spark Identity Service
     TCP | Ephemeral | 443 | idbroker.webex.com | HTTPS: OAuth Service
     TCP | Ephemeral | 443 | *.wbx2.com | HTTPS: core Spark services
     TCP | Ephemeral | 443 | *.webex.com | HTTPS: identity management
     TCP | Ephemeral | 443 | *.ciscospark.com | HTTPS: core Spark services
     TCP | Ephemeral | 443 | *.clouddrive.com | HTTPS: content and space storage
     TCP | Ephemeral | 443 | *.rackcdn.com | HTTPS: content and space storage
     TCP | Ephemeral | 443 | *.crashlytics.com | HTTPS: anonymous crash data
     TCP | Ephemeral | 443 | *.mixpanel.com | HTTPS: anonymous analytics
     TCP | Ephemeral | 443 | *.appsflyer.com | HTTPS: mobile clients only, ad analytics
     TCP | Ephemeral | 443 | *.adobedtm.com | HTTPS: web clients only, analytics (the slide prints "adobetm.com"; slide 67 gives the correct "adobedtm.com")
     TCP | Ephemeral | 443 | *.omtrdc.net | HTTPS: web clients only, telemetry
     TCP | Ephemeral | 443 | *.optimizely.com | HTTPS: web clients only, metrics
  55. Spark Devices: Network Port and Whitelist Requirements (desktop and room systems: SX Series, DX Series, MX Series, Room Kits, Spark Boards)
     Protocol | Source ports | Destination ports | Destination | Function
     UDP | Voice 52050 - 52099, Video 52200 - 52299 | 5004 & 5006 | Any IP address | SRTP over UDP to Cisco Spark media nodes
     TCP | Ephemeral | 5004 & 5006 | Any IP address | SRTP over TCP or HTTP to Cisco Spark media nodes (not Spark Board)
     TCP | Ephemeral | 443 | identity.webex.com | HTTPS: Spark Identity Service
     TCP | Ephemeral | 443 | idbroker.webex.com | HTTPS: OAuth Service
     TCP | Ephemeral | 443 | *.wbx2.com | HTTPS: core Spark services
     TCP | Ephemeral | 443 | *.webex.com | HTTPS: identity management
     TCP | Ephemeral | 443 | *.ciscospark.com | HTTPS: core Spark services
     TCP | Ephemeral | 443 | *.clouddrive.com | HTTPS: content and space storage
     TCP | Ephemeral | 443 | *.rackcdn.com | HTTPS: content and space storage
     TCP | Ephemeral | 443 | *.crashlytics.com | HTTPS: anonymous crash data
     TCP | Ephemeral | 443 | *.mixpanel.com | HTTPS: anonymous analytics
     Spark Board only: TCP | Ephemeral | 80 | www.cisco.com or www.ciscospark.com or www.google.com or www.amazon.co.uk | HTTP for time synchronization
  56. Connecting from the Enterprise: Firewalls, Hybrid Media Node (HMN).
     • Media source UDP ports: voice and video 34000 - 34999
     • Media source TCP/HTTP ports: ephemeral (so no DSCP re-marking by source port)
     • Media destination UDP/TCP/SRTP ports: 5004, 5006
     • Destination IP addresses: any
     • An HMN can be used to limit the media source IP address range to the HMNs only
     • HMN source UDP ports for voice and video differ from those used by endpoints and are used for the cascade links to the Cisco Spark platform; the slide gives a common voice and video UDP source port range of 33434 - 33598 for these links, while its header and slide 58 give 34000 - 34999 (the deck does not reconcile the two)
  57. Connecting from the Enterprise: Firewalls, Hybrid Data Security Node (HDS). The HDS node hosts the Key Management Service, the Indexing (search) Service and the E-Discovery Service. It carries signaling traffic only, no media: outbound HTTPS and WSS.
  58. HMN & HDS Nodes: Network Port & Whitelist Requirements
     Node | Protocol | Source ports | Destination ports | Destination | Function
     Hybrid Media Node (HMN) | UDP | Voice and video, common range 34000 - 34999 | 5004, 5006 | Cascade destination, any IP address | Cascaded SRTP over UDP media streams to cloud media nodes
     HMN | TCP | Ephemeral | 5004 | Cascade destination, any IP address | Cascaded SRTP over TCP/HTTP media streams to cloud media nodes
     HMN | TCP as printed (NTP/123 and DNS/53 are UDP services in practice, so allow UDP as well) | Ephemeral | 123, 53, 444 | Any | NTP, DNS, HTTPS
     HMN | TCP | Ephemeral | 443 | *.wbx2.com, idbroker.webex.com | HTTPS configuration services
     Hybrid Data Security Node (HDS) | TCP | Ephemeral | 443 | *.wbx2.com, idbroker.webex.com, identity.webex.com, index.docker.io (Docker Hub, for the HDS container images) | Outbound HTTPS and WSS
  59. Cisco Spark Platform & Enterprise Proxies
  60. Connecting from the Enterprise: Proxy Types. Only HTTP/HTTPS signaling (e.g. destination ports 80, 443, 8080, 8443) is sent to the proxy server; UDP media does not traverse it.
     • Explicit proxy: the proxy address is given to the device/application
     • Transparent proxy: the device/application is unaware of the proxy's existence, e.g. in-line proxies (combined proxy and firewall) or traffic redirection (e.g. using Cisco WCCP)
  61. Connecting from the Enterprise: Proxy Detection. With an explicit proxy the device/application must learn the proxy address, either by manual configuration or by auto-configuration via Proxy Auto-Config (PAC) files. Again only signaling goes to the proxy; UDP media does not.
  62. Network Capabilities: Spark Devices, Proxy Detection
     Device | Protocol | Software train | Proxy detection | Granular configuration
     Windows, Mac, iOS, Android, Web apps | HTTPS | WME | Yes: manual; yes: PAC files | Manually configure the proxy address or use PAC files (or Windows GPO)
     DX | HTTPS | Room OS | Yes: manual using web access | Configure the proxy address via the device web interface
     SX | HTTPS | Room OS | Yes: manual using web access | Configure the proxy address via the device web interface
     MX | HTTPS | Room OS | Yes: manual using web access | Configure the proxy address via the device web interface
     Room Kits | HTTPS | Room OS | Yes: manual using web access | Configure the proxy address via the device web interface
     Spark Board | HTTPS | Spark Board OS | Yes: manual configuration | Manual configuration of the proxy address
     7800 Phones | SIP, HTTPS | Synergy Lite | SIP: N/A; HTTPS: no (planned) | Deploy an in-line proxy or traffic redirection (WCCP)
     8800 Phones | SIP, HTTPS | Synergy Lite | SIP: N/A; HTTPS: no (planned) | Deploy an in-line proxy or traffic redirection (WCCP)
     ATA | SIP | ATA | SIP: N/A | N/A
  63. Connecting from the Enterprise: Proxy Authentication. The proxy intercepts the outbound HTTP request and authenticates the user (username and password); an authenticated user's traffic is forwarded, an unauthenticated user's traffic is dropped or blocked. Proxy authentication is not mandatory; many enterprises do no authentication. Only signaling is affected, UDP media does not pass through the proxy.
  64. Common Proxy Authentication Methods: Basic authentication, Digest authentication, NTLMv2 authentication, Negotiate authentication, Kerberos.
  65. Proxy Authentication Bypass Methods. Manually configure the proxy server to exempt from authentication either:
     • the device IP addresses (drawn as 10.100.200.1 and 10.100.200.3), or
     • the whitelisted destinations (e.g. *.ciscospark.com): identity.webex.com, idbroker.webex.com, *.wbx2.com, *.webex.com, *.ciscospark.com, *.clouddrive.com, *.crashlytics.com, *.mixpanel.com, *.rackcdn.com.
     Either exemption removes the user-identity check for that traffic, so scope it to exactly the device list or destination list above.
  66. 66. Network Capabilities: Spark Devices – Proxy Authentication

Spark Device | Protocol | Software Train | Proxy Authentication | Granular Configuration
Windows, Mac, iOS, Android, Web | HTTPS | WME | Basic – No; Digest – No; NTLM – Yes (Windows); Kerberos – No | Windows Only Today; Other OSs use Authentication Bypass (Basic/Digest/Kerberos – Planned)
DX | HTTPS | Room OS | Yes: Basic Auth – Web based Config; Digest Auth – planned | Configure Username and Password for Proxy Authentication (Basic Auth)
SX | HTTPS | Room OS | Yes: Basic Auth – Web based Config; Digest Auth – planned | Configure Username and Password for Proxy Authentication (Basic Auth)
MX | HTTPS | Room OS | Yes: Basic Auth – Web based Config; Digest Auth – planned | Configure Username and Password for Proxy Authentication (Basic Auth)
Room Kits | HTTPS | Room OS | Yes: Basic Auth – Web based Config; Digest Auth – planned | Configure Username and Password for Proxy Authentication (Basic Auth)
Spark Board | HTTPS | Spark Board OS | Yes: Basic Auth – Manual Configuration | Configure Username and Password for Proxy Authentication (Basic Auth)
7800 Phones | SIP, HTTPS | Synergy Lite | SIP – N/A; HTTPS – No (Planned) | Authentication Bypass
8800 Phones | SIP, HTTPS | Synergy Lite | SIP – N/A; HTTPS – No (Planned) | Authentication Bypass
ATA | SIP | ATA | SIP – N/A | N/A
  67. 67. What do we send to Third Party sites?

Site | Clients that Access It | What is sent there | User PII? | Anonymized Usage info? | Encrypted User Generated Content?
*.clouddrive.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing. Part of Rackspace content system. | N | N | Y
*.rackcdn.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing. Part of Rackspace content system. | N | N | Y
*.mixpanel.com | Win, Mac, iOS, Android, Web | Anonymous usage data | N | Y | N
*.appsflyer.com | iOS, Android | Anonymous usage data related to onboarding | N | Y | N
*.adobedtm.com | Web | Anonymous usage data | N | Y | N
*.omtrdc.net | Web | Anonymous usage data | N | Y | N
*.optimizely.com | Web | Anonymous usage data for AB testing | N | Y | N
  68. 68. WebEx update
  69. 69. Where should a new WebEx site be managed?
Choose Cisco Spark Control Hub when:
• The customer is rolling out both WebEx and Cisco Spark and desires a unified management experience across both
• The customer doesn’t need the following features:
  1. Extensive WebEx site branding and customization
  2. Tracking Codes for intra-company billing
  3. Group-level feature assignment
Choose WebEx Site Administration when:
• The customer requires 1 or more of the advanced management features (1-3 listed above)
• The customer can accept segregated management of WebEx and Cisco Spark
A document detailing how to choose, and the feature differences, will be linked in the UX and is available at: https://goo.gl/EAK9ZY
  70. 70. What is Cisco Spark Linking?
• Cisco Spark linking is a process that enables WebEx sites (WBS31 or above) managed by WebEx Site Administration to leverage the improved WebEx analytics in Cisco Spark Control Hub and, if the customer has purchased Pro Pack for Cisco Spark Control Hub, to also leverage diagnostics.
• Note: WebEx sites that are already managed using Cisco Spark Control Hub do not need Cisco Spark linking.
When should I use Cisco Spark linking? When the WebEx site is WBS31 or above, is managed by WebEx Site Administration, and
1. wants WebEx analytics that are available through Cisco Spark Control Hub
- OR -
2. wants to easily roll out Cisco Spark for WebEx users
  71. 71. Pro-Pack for Cisco Spark Control Hub
• Engagement, performance, diagnostics
• Topline metrics
• Visualization of trends / patterns (down to the individual user)
• Key usage & user behavior
  72. 72. WebEx Analytics via the Pro Pack for Cisco Spark Control Hub
• Identify recurring anomalies within historical trends
• Easily see and drill down on problem areas
• Explore detailed quality data (at the meeting and user level)
• Search meetings in real-time
  73. 73. Single Sign-On (SSO) Enhancements – Add Attendance Security to Internal Meetings
Feature Highlights
• Identify or “tag” attendees in the Participant list as SSO authenticated: “Internal” or “Guest”
• Require all participants to authenticate with SSO
• Set up invite-only meetings and require internal participants to authenticate with SSO (no forwarding of invite allowed)
• Available in Cisco WebEx® Meeting Center, Training Center, and Event Center
BRKCOL-2160
  74. 74. SAML Session Tokens
IdP Session Token TTL
• Generally less than one business day, or 8 hours
• 2nd factor may or may not be stored or cached
WebEx SP Session Token TTL
• Browser: 90 minutes (default)
• Mobile/Client: 336 hours, or 14 days (default)
• TTL values can be customized upon request
SAML Session Tokens can expire before their TTL expires
• User closes browser or signs out
• Loss of network connection
• Tokens have been revoked
  75. 75. Mobile Improvements
Distinguish User Type in Lobby
• List of users in lobby sorted by signed-in/non-signed-in user
• Security feature differentiating between internal and external users
• Option to select who can join
Remember Home Page
• Remembers signed-in user’s previously visited page
• Returns to previously visited page when app is relaunched
  76. 76. Limitations and Caveats
Audio devices or video endpoints do not have a lobby experience. Hence these devices do not obey the new settings, and unauthenticated users are still placed directly into open rooms.
Note: Video devices can be completely blocked from Personal Room today when this setting is on, but this hurts the user experience. (Not Recommended)
  77. 77. WebEx: Secure as You Want it to Be
Site level settings
- Decline to list meeting on WebEx public site
- Block Guest Access and ‘Join Before Host’
- Exclude the meeting password from invitations (we do this by default now)
- Control audio privileges (global call back, toll and toll free options)
- Restrict mobile device access types
- Press ‘1’ to connect on audio
- Control global session types [chat/desktop share/remote control/file xfer/etc]
Authentication based
- Require meeting password; set password length/complexity requirements
- Manually approve account sign-ups
- Require Attendees to login (SSO is even better)
- Leverage ‘guest’ vs ‘internal’ user labels. Inform hosts that on a per-meeting basis they can exclude non-internal users
- Speak with each call-in user in the meeting, and verify identity
  78. 78. WebEx: Secure as You Want it to Be
Personal Room Settings
- Force unauthorized users to Personal Room lobby
- Autolock Personal Room after [n] minutes
TelePresence Settings
- Require TelePresence authentication/Meeting PIN
- Enforce TLS for TelePresence participants
In-Meeting Settings
- Control in-meeting session types [chat/desktop share/remote control/file xfer/etc]
- Eject/remove users that aren’t behaving properly; follow up with TAC InfoSEC if necessary
Recording Policy
- Enforce recording passwords and authentication to retrieve
- Pull recordings from the site after [n] days
  79. 79. CMR Cloud (WebEx Video) Security Features
  80. 80. Cisco Spark Platform & On Premise Security Summary
  81. 81. What you’ve learned
• Cisco Spark has multiple data stores and obfuscated user identity
• Cloud based Data Security and Data Services
• Option to sync user data and enable SSO
• Traffic is always encrypted; data-at-rest is stored encrypted as well, with Secure Search
• Compliance & E-Discovery Services, Retention Policies, Data ownership
• Hybrid Data Security (HDS): KMS on premise, Architecture, Search, Firewalls, Federation
• Firewalls and Proxies Support
• WebEx update: Management, Pro-Pack, SSO, Best Practices
  82. 82. Continue Your Education
• Demos in the Cisco campus
• Meet the Engineer 1:1 meetings
• Related sessions
  • BRKCOL-2699 Authorization and Authentication concepts for Collaboration
  • BRKCOL-2607 Understanding Cloud and Hybrid Cloud Collaboration Deployment
  • BRKCOL-2444 Evolution of Core Collaboration: Cloud and Hybrid Architectural Design
  • BRKCOL-2281 Steps to Successfully deploy Cisco Spark along with a media strategy
  83. 83. Thank you
