BRKCOL-2930

Why Collaboration Experts should care about cloud-ready networks

Marc Dionysius – Technical Solutions Architect Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.

How:

1. Find this session in the Cisco Events Mobile App

2. Click “Join the Discussion”

3. Install Webex Teams or go directly to the team space

4. Enter messages/questions in the team space

cs.co/ciscolivebot#BRKCOL-2930

BRKCOL-2930 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• Introduction and Objectives

• Current challenges

• How to address the existing network architecture?
  • Traditional concepts no longer work! (?)
  • Proxy Support
  • Firewall Requirements

• Why are Cloud Ready Network Concepts relevant?

• How Collaboration may help to get there

• Conclusion

Objectives

Cloud Collaboration services continue to grow and present customers and partners with both opportunities and challenges to deploy those services in today’s customer environments. This session will review design and deployment considerations for secure Cloud Collaboration solutions in the context of current customer network architectures including proxies, centralized breakouts but also future evolutions towards cloud-ready networks and SD-WAN technologies. It will NOT deliver deep technical knowledge for Cisco SD-WAN or Cisco Security solutions as it is designed for individuals interested in Collaboration and looking to understand the various aspects, benefits and challenges of moving Collaboration solutions towards Cisco Collaboration Cloud and Cisco Webex.

Current challenges

The way we work has changed

Devices & Things

Campus & Branch Users

Mobile Users

“Aren’t Cloud and Security mutually exclusive?” Undisclosed customer quote

The New Normal

• More targeted attacks: more than 100 targeted breach attempts every year

• Attacks are faster than ever but still take too long to find: 82% of compromises measured in minutes

• Shortage of cybersecurity expertise: 1.5 million job openings by 2019

The shadow IT reality

• 80% of end users use software not cleared by IT*

• 1,220 cloud services used by average large org*

• 33% of enterprise attacks will come from shadow IT by 2020**

*Cisco Cloudlock CyberLab ** Gartner’s Top 10 Security Predictions (ref)

Users and apps have adopted the cloud… …security must, too.

• 49% of the workforce is mobile (1)

• 82% admit to not using the VPN (2)

• 70% increase in SaaS usage (3)

• 70% of branch offices have DIA (4)

Security controls must shift to the cloud

Sources:

1. “Securing Portable Data and Applications for a Mobile Workforce” SANS, 2015

2. “Your Users Have Left the Perimeter. Are You Ready?” IDG, 2016

3. “Keeping SaaS Secure” Gartner, 2016

4. “Securing Direct-To-Internet Branch Offices: Cloud-Based Security Offers Flexibility and Control,” Forrester, 2015

Cloud is less secure than On-Premises ???

Source: Gartner Highlights the Top 10 Cloud Myths

“We expect your solution to fit into the security framework we have built and used the last 6+ years.” Undisclosed customer quote

Collaboration Security – a history tour into 2006

How to address the existing network architecture?

What topology we typically see in a customer‘s network?

[Figure: customer topology across the Internal, DMZ and Internet zones. Labels: IdP, Cisco Collaboration Cloud, Datacenter, Cloud, Remote Site, Voice Video Endpoints, IP WAN, Desktops/Laptops, Teleworker, Wireless Devices]

Cisco Webex Teams - Types of Traffic

Webex Clients

• Messages, Media Signalization, notifications, Control and Analytics Traffic: HTTPS and WSS

• Voice, Video and Content Share: SRTP and STUN

Traffic Flow Scenario 1 - Security relaxed customer, policies only enforced in the FW

[Figure: Internal, DMZ and Internet zones]

Traffic Flow Scenario 2 - Security aware customer, policies enforced in the FW and Proxy

[Figure: Internal, DMZ and Internet zones, with a Proxy]

Traffic Flow Scenario 3 - Security focus customer, policies enforced in the FW and Proxy plus no direct connection to internet

[Figure: Internal, DMZ and Internet zones, with a Proxy and a VMN]

Proxy support - what does it mean?

• When we talk about proxy support for Teams clients, we are only talking about HTTPS and WSS traffic.

• Media over proxies isn’t recommended: proxies were not designed to handle media, their performance is really bad and doesn’t scale.

[Figure: Messages, Media Signalization, notifications, Control and Analytics Traffic use HTTPS and WSS; Voice, Video and Content Share use SRTP and STUN]

Traditional concepts no longer work! (?)

Proxy – Inspection using TLS intercept

How does TLS work?

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are key components of secure communications over insecure media.

The privacy, integrity, and authenticity provided by these protocols are extremely important to transmit data.

Modern implementations generally support TLSv1.0, TLSv1.1, TLSv1.2 and most recently TLSv1.3 (RFC published in March 2018).

All communication relies on the validation of the certificates exchanged.

[Figure: TLS handshake between Client and Server. Messages: Client Hello; Server Hello, Server Certificate, Cipher Suite, Request Client Certificate; Verify Client Certificate, Server Cipher Suite, Certificate; Client Finished Message; Server Finished Message; Encrypted Data]

Proxy – Inspection using TLS intercept

How does a proxy do TLS intercept?

Interception proxies can be deployed in several ways, depending on their purpose and what type of inspection they do.

Intercept proxies can be Deep Packet Inspection devices, can be included in next-generation firewalls, or can do data loss prevention (DLP).

There isn’t much point in doing TLS intercept on Cisco Webex Teams traffic, since inside the TLS packets there is another layer of encryption that proxies can’t decrypt, so the only advantage would be to know the full URLs used by the Cisco Webex service.

[Figure: Client, Proxy and Server. The same handshake messages run twice, once between Client and Proxy and once between Proxy and Server; the data is unencrypted at the Proxy]

Webex Teams Security Architecture

End to End Secure Communication

Transport

• Secure TLS REST interfaces

• Interaction between services based on certificate based MTLS

• Service components authorization by OAuth Tokens

• Secure client connection to service over TLS

Key Management

• End to End Client to Key Management channel negotiated ECDHE

• Identity of Key Management Service verified by PKI certificate

• Client to Key Management crypto key operations E2E secured over transport layer

[Figure labels: Mutual TLS connection; OAuth to authorize services; Inter service message transport; Establish TLS connection; Establish end to end ECDHE communication channel; Client verifies KMS identity through PKI certificate; Crypto Key operations (key material) not visible to other cloud components; JSON Web Encryption (JWE, RFC 7516)]
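What a TLS-intercepting proxy can and cannot read once it has stripped the outer TLS layer, as an added example that is not part of the original slides or Cisco code. It assumes the inner layer is a JWE compact serialization (RFC 7516); the JSON field names, the key URI and the byte values are constructed placeholders.

```python
import base64
import json


def b64url_decode(segment):
    """Decode base64url without padding, as used by JWE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_jwe_compact(value):
    """Return what an observer without the key learns from a JWE, else None."""
    if not isinstance(value, str):
        return None
    parts = value.split(".")
    if len(parts) != 5:  # header.encrypted_key.iv.ciphertext.tag
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        key, iv, ciphertext, tag = (b64url_decode(p) for p in parts[1:])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or "enc" not in header:
        return None
    return {"header": header, "encrypted_key_len": len(key), "iv_len": len(iv),
            "ciphertext_len": len(ciphertext), "tag_len": len(tag)}


def proxy_view(doc, path=""):
    """Classify every leaf of a JSON body the proxy has already TLS-decrypted."""
    view = {}
    if isinstance(doc, dict):
        for name, child in doc.items():
            view.update(proxy_view(child, f"{path}.{name}" if path else name))
    elif isinstance(doc, list):
        for index, child in enumerate(doc):
            view.update(proxy_view(child, f"{path}[{index}]"))
    else:
        jwe = parse_jwe_compact(doc)
        view[path] = ("opaque-jwe", jwe["header"]) if jwe else ("cleartext", doc)
    return view


def build_sample_body():
    """Constructed request body; every name and value here is hypothetical."""
    header = {"alg": "dir", "enc": "A256GCM",
              "kid": "kms://kms.example.invalid/keys/0000"}
    jwe = ".".join([
        b64url_encode(json.dumps(header).encode()),
        "",                               # alg "dir" carries no encrypted key
        b64url_encode(bytes(12)),         # placeholder 96-bit IV
        b64url_encode(bytes(range(40))),  # placeholder standing in for ciphertext
        b64url_encode(bytes(16)),         # placeholder 128-bit tag
    ])
    return {"verb": "post", "target": {"id": "room-1234"},
            "object": {"objectType": "comment", "displayName": jwe}}


if __name__ == "__main__":
    for field, (kind, detail) in proxy_view(build_sample_body()).items():
        print(f"{field:22} {kind:11} {detail}")
```

A DLP rule applied at the proxy can match only the cleartext leaves and the JWE header; the content field stays opaque, which is the point the TLS intercept slide makes.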

Proxy exceptions for Webex Teams traffic

An alternative to TCP Intercept

Most proxies can create rules based on destinations, such as TLS intercept bypass, authentication bypass, etc. For Webex, the URLs that the service requires in order to work are published publicly: collaborationhelp.cisco.com/article/en-us/n4vzhkx

Some proxies like the Cisco WSA are capable of getting all these URLs from a single live feed: https://www.ciscoSpark.com/content/dam/ciscoSpark/eopi/global/assets/Docs/Spark_wsa.csv

Cloud Applications in general bring those different requirements

Source: https://docs.microsoft.com/en-us/microsoft-365/enterprise/networking-configure-proxies-firewalls

Source: https://support.bluejeans.com/knowledge/tcp-udp-ports

Firewall Requirements

Teams Clients Message, Signalization, Notification and Control

Messages, Media Signalization, notifications, Control and Analytics Traffic: HTTPS and WSS

[Figure: Internal, DMZ and Internet zones]

• Media goes directly to the internet using HTTPS WSS protocol.

[Figure: Internal, DMZ and Internet zones, with a Proxy]

• Signalization goes through Proxy (rules already in place in the firewall).

Protocol and Ports used by Webex Teams

Assuming the most simple scenario with direct connection to the internet

Protocol : TCP
Source IP : Internal LAN IP address Range
Source Port : Ephemeral
Destination IP : Any IP
Destination Port : 443

Protocol : UDP
Source IP : Internal LAN IP
Source Port : Voice 52000-52099, Video 52100-52299
Destination IP : Any IP
Destination Port : 5004

Fallback Protocol : TCP
Source IP : Internal LAN IP
Source Port : Ephemeral
Destination IP : Any IP
Destination Port : 5004

[Figure: Internal, DMZ and Internet zones]

Protocol and Ports used by Webex Teams

• From a Media perspective, Webex Teams clients always try to use UDP but will fall back to TCP if UDP is closed. TCP might impact media quality and it can’t guarantee quality for Real Time Media.

• As a last case scenario, for the software clients (Win, MAC, iOS and Android) we can use HTTP proxies for media, but it isn’t recommended. Cisco can’t help much if there will be quality issues with media.

[Figure: Internal, DMZ and Internet zones, with the same TCP 443, UDP 5004 and fallback TCP 5004 flows as on the previous slide]

Protocols and Ports used by Webex Meetings

Assuming the most simple scenario with direct connection to the internet:

Protocol : TCP
Source IP : Internal LAN IP address Range
Source Port : 443
Destination IP : Any IP
Destination Port : 443

Protocol : TCP/UDP
Source IP : Internal LAN IP
Source Port : Voice/Video UDP 48000-65535, Sharing/Whiteboard/Media fallback TCP 443
Destination IP : Any IP
Destination Port : TCP 443 / UDP 9000

[Figure: Internal, DMZ and Internet zones]

Firewall rules for Media

VMN

Option 1 – Access to the Webex Service through Video Mesh Node. All clients inside the customer network connect to the Video Mesh Node; if there are participants outside the customer network, the VMN cascades the media flow to the cloud. The sources are unique and very well defined, and can if necessary be placed in special DMZs for protection when connecting to the Webex services in the Cloud. The VMN opens UDP connections to destination port 5004; a few additional ports are needed, please review the reference slides in the Appendix.

[Figure: Internal, DMZ and Internet zones]

Firewall rules for Media

Option 2 – Using firewalls with STUN support. Defined in RFC3489. Uses UDP from any Webex Teams client inside the customer network using source ports

Voice 52000-52099

Video 52100-52299

where the destination might be any IP address in the internet with destination port 5004. STUN allows pinholes to be opened only if the system is WebRTC compliant and there is an external recipient expecting the traffic (this prevents the enterprise from being a source of DDoS). From a security perspective this is the recommended model, but it requires firewalls that use STUN for WebRTC traffic, like Cisco ASA.

[Figure: Internal, DMZ and Internet zones]

Firewall rules for Media

Option 3 – Direct access to the Webex Teams Service using UDP protocol for media using specific destination IP addresses. We require that the administrator configure the firewall to allow an inside-initiated UDP flow with return traffic to the same 5-tuple (source IP address/port number, destination IP address/port number and the protocol in use) with a 30s timeout on the creation of the pinhole. Bidirectional media is sent over this flow.

Uses UDP from any Webex Teams client inside the customer network using source ports

Voice 52000-52099

Video 52100-52299

where the destination might be two /19 prefixes in the internet with destination port 5004

Firewall pinholes for Cisco IP Media Prefixes

[Figure: Media Nodes in the US West, US East, Sydney, Frankfurt and Singapore regions, each marked GA]

Network Requirements: https://collaborationhelp.cisco.com/article/en-us/WBX000028782

Cisco Webex IP subnets for media

64.68.96.0/19 (CIDR) or 64.68.96.0 - 64.68.127.255 (net range)
66.114.160.0/20 (CIDR) or 66.114.160.0 - 66.114.175.255 (net range)
66.163.32.0/19 (CIDR) or 66.163.32.0 - 66.163.63.255 (net range)
173.39.224.0/19 (CIDR) or 173.39.224.0 - 173.39.255.255 (net range)
173.243.0.0/20 (CIDR) or 173.243.0.0 - 173.243.15.255 (net range)
207.182.160.0/19 (CIDR) or 207.182.160.0 - 207.182.191.255 (net range)
209.197.192.0/19 (CIDR) or 209.197.192.0 - 209.197.223.255 (net range)
216.151.128.0/19 (CIDR) or 216.151.128.0 - 216.151.159.255 (net range)
114.29.192.0/19 (CIDR) or 114.29.192.0 - 114.29.223.255 (net range)
210.4.192.0/20 (CIDR) or 210.4.192.0 - 210.4.207.255 (net range)
62.109.192.0/18 (CIDR) or 62.109.192.0 - 62.109.255.255 (net range)
69.26.160.0/19 (CIDR) or 69.26.160.0 - 69.26.191.255 (net range)

Configuration recommendation

• Add all ranges to your firewalls, so there is automatic failover with minimal disruption

• Webex Meetings is by region

• Webex Teams – not specified by region.

[Figure: Internal, DMZ and Internet zones]

Firewall rules for Media

Option 4 – Direct access to the Webex Teams Service using UDP protocol for media. We require that the administrator configure the firewall to allow an inside-initiated UDP flow with return traffic to the same 5-tuple (source IP address/port number, destination IP address/port number and the protocol in use) with a 30s timeout on the creation of the pinhole. Bidirectional media is sent over this flow. Uses UDP from any Webex Teams client inside the customer network using source ports

Voice 52000-52099

Video 52100-52299

where the destination might be any IP address in the internet with destination port 5004
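The pinhole behaviour that Options 3 and 4 ask of the firewall, modelled as a small state table (an added example, not from the original slides and not vendor configuration). The internal range 10.0.0.0/8, the sample addresses and the reading of the 30s value as an idle timeout are assumptions; ports and prefixes are the ones listed on the slides.

```python
import ipaddress

# Cisco Webex media prefixes as listed on the "Firewall pinholes" slide.
WEBEX_MEDIA_PREFIXES = [ipaddress.ip_network(p) for p in (
    "64.68.96.0/19", "66.114.160.0/20", "66.163.32.0/19", "173.39.224.0/19",
    "173.243.0.0/20", "207.182.160.0/19", "209.197.192.0/19",
    "216.151.128.0/19", "114.29.192.0/19", "210.4.192.0/20",
    "62.109.192.0/18", "69.26.160.0/19")]
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: internal LAN range
MEDIA_SRC_PORTS = range(52000, 52300)  # voice 52000-52099, video 52100-52299
MEDIA_DST_PORT = 5004
PINHOLE_TIMEOUT = 30.0  # seconds; modelled here as an idle timeout


class MediaFirewall:
    def __init__(self, restrict_destinations):
        # True models Option 3 (published prefixes only), False models Option 4.
        self.restrict = restrict_destinations
        self.pinholes = {}  # outbound 5-tuple -> time of last matching packet

    def _egress_allowed(self, src, sport, dst, dport):
        if ipaddress.ip_address(src) not in INSIDE_NET:
            return False
        if sport not in MEDIA_SRC_PORTS or dport != MEDIA_DST_PORT:
            return False
        if self.restrict:
            dst_ip = ipaddress.ip_address(dst)
            return any(dst_ip in net for net in WEBEX_MEDIA_PREFIXES)
        return True

    def outbound(self, now, src, sport, dst, dport, proto="udp"):
        """Inside-initiated packet: opens or refreshes a pinhole if permitted."""
        if proto != "udp" or not self._egress_allowed(src, sport, dst, dport):
            return "drop"
        self.pinholes[(proto, src, sport, dst, dport)] = now
        return "allow"

    def inbound(self, now, src, sport, dst, dport, proto="udp"):
        """Outside packet: allowed only as the exact reverse of a live pinhole."""
        key = (proto, dst, dport, src, sport)
        last = self.pinholes.get(key)
        if last is None:
            return "drop"
        if now - last > PINHOLE_TIMEOUT:
            del self.pinholes[key]  # expired, a new inside-initiated flow is needed
            return "drop"
        self.pinholes[key] = now
        return "allow"


def demo():
    """Run the same constructed packet sequence through both options."""
    results = {}
    for name, restrict in (("option3", True), ("option4", False)):
        fw = MediaFirewall(restrict)
        results[name] = [
            fw.outbound(0, "10.1.1.20", 52010, "64.68.100.5", 5004),   # listed prefix
            fw.inbound(5, "64.68.100.5", 5004, "10.1.1.20", 52010),    # same 5-tuple
            fw.inbound(6, "64.68.100.6", 5004, "10.1.1.20", 52010),    # other sender
            fw.outbound(7, "10.1.1.20", 52110, "198.51.100.9", 5004),  # unlisted IP
            fw.inbound(60, "64.68.100.5", 5004, "10.1.1.20", 52010),   # idle 55s
        ]
    return results


if __name__ == "__main__":
    for option, verdicts in demo().items():
        print(option, verdicts)
```

The only verdict that differs between the two runs is the flow to the unlisted destination, which Option 4 opens a pinhole for and Option 3 drops.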

Teams Clients Media for Voice, Video and Content Sharing

Voice, Video and Content Share: SRTP and STUN

• Option 1 – Access to the Webex Service through Hybrid Media Node.

• Option 2 – Direct access to the Webex Service using firewalls with STUN support.

• Option 3 – Direct access to the Webex Service using UDP protocol for media using specific destination IP addresses.

• Option 4 – Direct access to the Webex Service using UDP protocol for media.

• Option 5 – Direct access to the Webex Service using TCP protocol for media.

• Option 6 – Access to the Webex Service (Software Clients only) using Proxy.

Why are Cloud Ready Network Concepts relevant?

The „old“ world – centralized and contained

Applications running in the DC, predictable traffic patterns and volumes

[Figure labels: User / Consumer, Application / Provider, Branch, Internet, Extranet User, MPLS / Private, HQ, Private VPN, DC, Mobile User]

Why are enterprises thinking about new concepts?

• 50% of Apps accessed via Internet

• 58% of IT budgets spent on WAN Connectivity

• 32.4% cite management of connectivity at branch as a challenge

• 48.6% cite poor application performance and latency as corporate WAN concern

Today’s cloudy world – highly flexible

[Figure labels: DCs, Private Cloud, Geographically distributed Branches, Mobile Users, Hybrid WAN, Cloud Providers, Internet, IOT, HQ, Extranet Partners, Extranet Partner Users]

“With the growing number of Cloud Services consumed by our organization, we have to re-think our current Internet Breakout strategy!” Undisclosed customer – Manager Solution Architecture Network & Unified Communications

Today, backhauling can impact SaaS performance

[Figure, three builds. Labels: Users, Internet, Branch/Campus, One way, and in turn Data Center, Gateway, Colocation]

Achieve a better SaaS performance

[Figure labels: Users, Gateway, Data Center, Branch/Campus, Colocation]

Resulting in a highly complex and dynamic network

Internet connectivity becomes business critical

[Figure labels: Branches, DC/Private Cloud, Mobile Users, IOT, SaaS, HQ, Extranet Partner Users, IaaS]

Opening up the new Cloud Edge

[Figure, three builds. Labels: Branches, Cloud Edge, DC/Private Cloud, Mobile Users, IOT, SaaS, HQ, Extranet Partner Users, IaaS. The second build adds Security, Networking, Cloud; the third build adds Different risk exposure, Inconsistent user experience, Increasing complexity]

Improving Cloud User Experience and Security

• Secure Direct Cloud Access
  • From the DC
  • From the Branch
  • From a Colocation Facility (Colo)
  • From within a Cloud Service (AWS, Azure,..)

• Pervasive Security
  • User, Transport, Cloud, Internet & AVC Compliance

[Figure labels: vPrivate Cloud, CASB / DLP, Internet, DMZ, CoLo, DC, MPLS, INET, OpenDNS Umbrella, R14, Branch Site]

A diversified approach to security

[Figure labels: Firewall, IPS, DNS Security, URL Filtering, MFA, Devices & Things, Data Center/Private Cloud, Campus & Branch Users, SaaS, Mobile Users, IaaS]

One Example - DNS Security

Malware, C2 Callbacks, Phishing

First line

It all starts with DNS

• Precedes file execution and IP connection

• Used by all devices

• Port agnostic

[Figure labels: Network and endpoint, Endpoint, HQ / Campus, Branches, Mobile/Roaming Device]

How Collaboration may help to get there

What‘s the ideal target architecture? It depends!

An extreme example – Microsoft‘s recommendation

“In the majority of cases, the best user experience is achieved by allowing the customer network to route user requests to the closest Office 365 service entry point, rather than connecting to Office 365 through an egress point in a central location or region.”

“The local egress architecture has the following benefits over the traditional model:

• Provides optimal Office 365 performance by optimizing route length. End user connections are dynamically routed to the nearest Office 365 entry point by the Distributed Service Front Door infrastructure.

• Reduces the load on corporate network infrastructure by allowing local egress.

• Secures connections on both ends by leveraging client endpoint security and cloud security features.”

Source: https://docs.microsoft.com/en-us/office365/enterprise/office-365-networking-overview

What‘s the ideal target architecture? It depends!

An in-between example – Cisco IT

Regional WAN: Americas

Source: Cisco Live US 2018 - BRKCOC-1002 Inside Cisco IT: Cisco Multicloud Backbone Securely Inter-connecting Clouds

A potential first step – Direct Peering

Webex Edge Connect

• A direct peering at Equinix data centers

• Bypasses the Internet by providing a direct connection to the Webex data center

• All Webex media traffic traverses the dedicated link to the meeting (VoIP, video, content sharing)

• Can be used in combination with Video Mesh

A potential first step – Direct Peering - cont.

• Media flows via Equinix peering connection.

• Webex Meetings app signaling and media use the peering connection

• Signaling for cloud registered devices and Webex Teams uses the public Internet

• Video Mesh cascades use the peering connection

• Third party services accessed via the Internet

[Figure: Internal, DMZ and Internet zones. Labels: Webex Teams, Proxy, Signaling only, Internet]

More of a proactive approach

Cloud Access Security Broker

[Figure labels: Unmanaged Users, Unmanaged Devices, Unmanaged Network, ADMIN, PUBLIC API, OAUTH, ACCESS, Authorized, (Cisco?) NGFW/Umbrella DNS, Central Policy Management, Managed Users, Managed Devices, Managed Network]

More of a proactive approach – cont.

CASB Example

• North America, 9:00 AM ET: Login

• Africa, 10:00 AM ET: Data export

• Distance from the US to the Central African Republic: 7362 miles

• At a speed of 800 mph, it would take 9.2 hours to travel between them
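The impossible-travel check behind the CASB example, as added detection logic that is not part of the original slides or of any Cisco product. The event records, user names and coordinates are constructed, and distance is great-circle distance between two specific points, so it differs from the slide's country-level 7362 miles.

```python
import math
from datetime import datetime

EARTH_RADIUS_MILES = 3958.8
MAX_SPEED_MPH = 800.0   # travel speed used on the slide
MIN_DISTANCE_MILES = 50  # assumption: ignore geo-IP jitter between nearby points


def haversine_miles(a, b):
    """Great-circle distance between two (lat, lon) points in miles."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def impossible_travel(events, max_mph=MAX_SPEED_MPH):
    """Flag consecutive events of one user that are too far apart in too little time."""
    alerts = []
    last_seen = {}
    for event in sorted(events, key=lambda e: e["time"]):
        previous = last_seen.get(event["user"])
        last_seen[event["user"]] = event
        if previous is None:
            continue
        miles = haversine_miles(previous["geo"], event["geo"])
        hours_available = (event["time"] - previous["time"]).total_seconds() / 3600
        hours_needed = miles / max_mph
        # Comparing hours (not speed) also handles two events at the same instant.
        if miles > MIN_DISTANCE_MILES and hours_available < hours_needed:
            alerts.append({
                "user": event["user"],
                "from": previous["action"],
                "to": event["action"],
                "miles": round(miles),
                "hours_available": hours_available,
                "hours_needed": round(hours_needed, 1),
            })
    return alerts


# Constructed sample events; timestamps are all in the same time zone.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "geo": (38.9, -77.0),
     "time": datetime(2019, 1, 30, 9, 0)},
    {"user": "bob", "action": "login", "geo": (40.7, -74.0),
     "time": datetime(2019, 1, 30, 9, 0)},
    {"user": "alice", "action": "data export", "geo": (4.4, 18.6),
     "time": datetime(2019, 1, 30, 10, 0)},
    {"user": "bob", "action": "file share", "geo": (42.4, -71.1),
     "time": datetime(2019, 1, 30, 14, 0)},
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(alert)
```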

More of a proactive approach – cont.

Data Loss Prevention - Define a matching policy

PII
• SSN/ID numbers
• Driver license numbers
• Passport numbers

Education
• Inappropriate content
• Student loan application information
• FERPA compliance

General
• Email address
• IP address
• Passwords/login information

PHI
• HIPAA
• Health identification numbers (global)
• Medical prescriptions

PCI
• Credit card numbers
• Bank account numbers
• SWIFT codes

More of a proactive approach – cont.

Events API for Data Loss Prevention, Archival, eDiscovery

[Figure: Integrations, Cisco Webex Teams Events API*, Policies, Corrective actions (Delete content, Alert user / admin)]

*API enables polling for events and content that enables organizations to monitor and correct user behavior, preventing the loss of sensitive data

Conclusions

• Cloud and Security can absolutely work hand in hand.

• In order to deploy Cisco Collaboration Cloud in a current customer network, we may need to explain that some things work differently but are NOT automatically less secure.

• Understand the bigger picture and the change that Cloud Applications bring to all aspects of a customer network, and try to address customer demands and concerns in a cross-architecture approach.

• Leverage the full capabilities of Cisco‘s Collaboration Cloud to include it in a general framework for secure Cloud Application Access that addresses both the technical requirements and the user side.
