White Paper

Citrix Security

Citrix provides true end-to-end data security measures that address both passive and active attacks against confidentiality, integrity and availability when using GoToMeeting, GoToWebinar and GoToTraining.

gotomeeting.com White Paper Web Conferencing Security

Citrix GoToMeeting, GoToWebinar and GoToTraining tools are the most secure web conferencing products available. For each solution, standards-based cryptography with true end-to-end , a high-availability hosted service infrastructure and an intuitive user interface combine to maximize confidentiality, integrity and availability.

This document provides a technical and phone conferencing for ease of use and description of the security features built into solution completeness. GoToMeeting, GoToWebinar and GoToTraining. It has been written for technical evaluators and Business needs for secure collaboration security specialists who are responsible for Easy-to-use online business collaboration ensuring the safety of their company’s tools like GoToMeeting, GoToWebinar and network and the privacy and integrity of GoToTraining can help companies increase business communications. productivity by enabling them to communicate and interact more effectively with co-workers, GoToMeeting, GoToWebinar and GoToTraining business partners and customers. But such are web conferencing tools that allow multiple tools vary greatly when it comes to embedded PC and Mac users to interact using screen security features. Moreover, it is essential to sharing, remote keyboard/mouse control, text understand the security implications of chat and other features. GoToMeeting is online collaboration and comply with safe ideal for sales demos and collaborative usage guidelines. online meetings. Built for larger audiences, GoToWebinar is great for marketing Using any web conferencing solution requires presentations and company events. And careful consideration of potential threats and GoToTraining provides features specifically resulting business risks. Business security needs for web-based training, such as online that must typically be addressed when adopting access to tests and materials and a hosted a web conferencing product include: course catalog. • Preventing unauthorized use of the service These products are hosted services, delivered and its features so that only legitimate users via web browsers, downloadable client and invited participants can schedule and par- executables and a network of multicast ticipate in online sessions communication servers operated by Citrix. • Avoiding any compromise of company assets, Sessions are scheduled, convened and including client computers and the private moderated using the Citrix website and client networks to which they are attached software. GoToMeeting, GoToWebinar and GoToTraining automatically integrate with VoIP

gotomeeting.com 2 White Paper Web Conferencing Security

• Protecting the privacy and integrity of • Internal administrators are Citrix staff confidential communication, including members authorized to manage screen sharing, text messages, email and GoToMeeting, GoToWebinar and GoToTraining voice interaction services and accounts. • Ensuring availability and reliability of the ser- • External administrators are individuals from a vice itself, so that business communications customer site authorized to manage multi- cannot be denied or disrupted user accounts. External administrators can • Integrating seamlessly with other network/ configure account features, authorize orga- computer security measures, so that web con- nizers and access a variety of reporting tools. ferencing services can leverage (not degrade) an organization’s existing safeguards The GoToMeeting, GoToWebinar and GoToTraining user interfaces provide intuitive Our web conferencing tools were developed session controls and status indicators that from the ground up to satisfy these common facilitate productive and safe online sessions. business security needs. By incorporating security features and making them easy to Controls and privileges available to each user administer and use, GoToMeeting, depend on the currently assigned role: GoToWebinar and GoToTraining enable organizer, active presenter or general attendee. effective and safe online business collaboration. Organizer privileges Role-based security features Organizers (or trainers) have the most control in To enable account owners to enforce company a session and the ability to grant and revoke access policies related to service and feature various privileges for the other participants. use, every GoToMeeting, GoToWebinar and GoToTraining user is assigned one of several Specific organizer privileges include: application-defined roles. • The ability to invite attendees, before or dur- • Organizers (or trainers) are authorized to ing the session, so that only authorized schedule meetings, webinars and/or training participants can join a given session sessions. An organizer sets up each session, • The ability to see the complete list of attend- invites other users to participate, initiates and ees and their current roles and privileges, so ends the session and designates the current the organizer remains aware of those present presenter. at all times • Attendees are authorized to participate in ses- • The ability to start and end the session, which sions. Attendees can view the trainer’s or prevents others from disrupting the session presenter’s screen, chat with other attendees accidentally or otherwise or view the attendee list. • The ability to make any attendee the active • Presenters are attendees who are able to presenter, controlling which desktop can share their computer screens with other be viewed at any point in time throughout attendees. Presenters also decide which the session other attendees, if any, are permitted to con- • The ability to disallow the use of chat by one trol the keyboard and mouse of the or more attendees, and permitting sidebar presenters’ computers. discussions only when appropriate

gotomeeting.com 3 White Paper Web Conferencing Security

• The ability to disconnect attendees • The ability to view the presenter’s screen • The ability to transfer the organizer role to unless the presenter has paused or disabled another attendee (a privilege that cannot be screen sharing revoked) so the session can continue if the • If granted, the ability to remotely control the organizer must leave early presenter’s keyboard and mouse (a privilege that is automatically revoked whenever the Presenter privileges active presenter role is changed) A presenter is the user actively sharing his or her • The ability to use chat to send text messages desktop screen with other attendees. Only one to all other attendees or to one specific attendee at a time within a session may be attendee (features that can be disabled by an granted the active presenter role. Presenters organizer) have the following controls available to them: • The ability to leave a session at any time

• The ability to enable, disable or pause screen Basing access rights and privileges on assigned sharing, which can be helpful to avoid display- roles allows flexible sessions that facilitate ing confidential data that might otherwise highly dynamic interaction between attendees, appear on the presenter’s desktop (e.g., while without sacrificing either control or visibility. searching files or folders) Organizers can easily add attendees or • The ability to grant/revoke remote keyboard change the presenter as needed throughout and mouse control to another attendee, the session. Presenters remain in complete which facilitates efficient communication control of their own desktops, and organizers through desktop interaction have everything required to manage the • The ability to make another attendee the pre- session effectively. senter, providing for a flexible, dynamic flow during sessions Account and session authentication features Whenever a presenter is sharing his or her Role-based authorization depends upon the screen with other attendees, an “On Air” ability to correctly identify and authenticate indicator is displayed on the presenter’s each and every user. To ensure that each control panel. To share his or her screen, the organizer, presenter and attendee is in fact who presenter must click the Screen button on the he or she claims to be, GoToMeeting, control panel. These features ensure that GoToWebinar and GoToTraining incorporate presenters always know when desktop sharing robust account and session authentication is active so that desktop screens are never features. shared accidentally. Website account login Attendee privileges To access a user account on the GoToMeeting, Users with the basic attendee role have the GoToWebinar and GoToTraining website, users following privileges: must supply a valid email address and corresponding user account password. To make • The ability to join any session to which they them hard to guess, all passwords must contain have been invited at or after the session’s at least eight characters and include both start time letters and numbers. Too many failed log-in

gotomeeting.com 4 White Paper Web Conferencing Security

attempts cause the website account to be presented by the downloaded GoToMeeting, temporarily locked to protect against password GoToWebinar or GoToTraining client. guessing. Passwords stored in the service database are encrypted and checked using a Whenever a valid session ID is presented, the cryptographically secured verifier that is highly service broker returns a set of unique resilient to offline dictionary attacks. session credentials to the GoToMeeting, GoToWebinar or GoToTraining client. These Session information disclosure session credentials are never seen by the Unlike some competing solutions, information attendee, but are used by the software to describing scheduled GoToMeeting, connect to one or more communication GoToWebinar and GoToTraining sessions is only servers. Credentials include a 64-bit session ID, available to the organizer and invited a short role ID and an optional 64-bit role participants. Because session descriptions are token. These are used to identify the only displayed after users have successfully appropriate session and transparently authenticated, and then only to those users authenticate the user as either an organizer or authorized to view it, potentially sensitive attendee. All sensitive communications take information such as the session subject, place over SSL-protected connections to organizer name and session time are never prevent disclosure of session credentials. exposed for casual perusal by hackers, curious web surfers or your competition. In addition, attendees must authenticate end to end with the session’s organizer. This is based Authentication of session attendees on a secret random value provided by the Because most organizations hold many service broker and an optional password that sessions with restricted attendance, it is not the organizer chooses and communicates to enough to let any user associated with a given attendees. To provide maximum assurance GoToMeeting, GoToWebinar or GoToTraining against unauthorized access and ensure session account view session descriptions or attend confidentiality, Citrix strongly encourages the sessions. Instead, authorization to join each use of the password feature. session is based on a unique session ID and an optional password. It is important to note that the optional password is never transmitted to Citrix at any Whenever a session is scheduled, a unique time. This provides added assurance that no nine-digit session ID, created by the unauthorized parties, including Citrix GoToMeeting, GoToWebinar or GoToTraining operations personnel, can join and participate service broker using a pseudorandom number in the session. generator, is returned to the organizer. The session ID is then communicated to all invited By providing two levels of attendee attendees using email, instant messaging, a authentication, GoToMeeting, GoToWebinar telephone or other communication methods. and GoToTraining ensure that only authorized attendees can join sessions to which To join the session, each attendee must present they have been invited and that each user is the session ID to the service broker by either granted privileges in accordance with his or her clicking on a URL that contains the session ID or assigned role. by manually entering the value into a form

gotomeeting.com 5 White Paper Web Conferencing Security

Administration-site security encrypted and accessible only by authorized Like all connections to the GoToMeeting, session participants. GoToWebinar and GoToTraining website, connections to the administration portal are Screen-sharing data, keyboard/mouse protected using SSL/TLS. Administrative control data and text chat information are functions are protected using strong passwords, never exposed in unencrypted form while activity logging, regular audits and a variety of temporarily resident within Citrix internal physical and network security controls. communication servers or during transmission across public or private networks. Communications security features Communications between participants in a Communications security controls based on GoToMeeting, GoToWebinar or GoToTraining strong cryptography are implemented at two session occurs via an overlay multicast layers: the TCP layer and the multicast packet networking stack that logically sits on top of the security layer (MPSL). conventional TCP/IP stack within each user’s PC. This network is realized by a collection of TCP layer security multicast communications servers (MCS) IETF-standard secure sockets layer (SSL) and operated by Citrix. (TLS) protocols are used to protect all communication between Participants (session endpoints) communicate endpoints. To provide maximum protection with Citrix infrastructure communication servers against eavesdropping, modification or replay and gateways using outbound TCP/IP attacks, the only SSL cipher suite supported for connections on ports 8200, 443 and 80. non-website TCP connections is 1024-bit RSA Because GoToMeeting, GoToWebinar and with 128-bit AES-CBC and HMAC-SHA1. GoToTraining are hosted web-based services, However, for maximum compatibility with participants can be located anywhere on the nearly any web browser on any user’s — at a remote office, at home, at a desktop, the GoToMeeting, GoToWebinar and business center or connected to another GoToTraining website supports in-bound company’s network. Anytime, anywhere connections using most supported SSL access to the GoToMeeting, GoToWebinar and cipher suites. GoToTraining services provides maximum flexibility and connectivity. However, to For the customers’ own protection, Citrix preserve the confidentiality and integrity of recommends that customers configure their private business communication, these tools browsers to use strong cryptography by also incorporate robust communication default whenever possible and to always install security features. the latest operating system and browser security patches. Communications confidentiality and integrity GoToMeeting, GoToWebinar and GoToTraining When SSL/TLS connections are established to provide true end-to-end data security the website and between GoToMeeting, measures that address both passive and active GoToWebinar or GoToTraining components, attacks against confidentiality, integrity and Citrix servers authenticate themselves to clients availability. All connections are end-to-end using VeriSign/Thawte public key certificates.

gotomeeting.com 6 White Paper Web Conferencing Security

For added protection against infrastructure value generated with the HMAC-SHA-1 attacks, mutual certificate-based authentication algorithm. Because GoToMeeting, is used on all server-to-server links (e.g., MCS- GoToWebinar and GoToTraining use very strong, to-MCS, MCS-to-Broker). These strong industry-standard cryptographic measures, authentication measures prevent would-be customers can have a high degree of attackers from masquerading as infrastructure confidence that multicast session data is servers or inserting themselves into the middle protected against unauthorized disclosure or of session communications. undetected modification.

Multicast layer security Furthermore, there is no additional cost, Additional features provide complete end-to- performance degradation or usability burden end security for multicast packet data, associated with these essential communication independent of those provided by SSL/TLS. security features. High performance and Specifically, all multicast session data is standards-based data security is a built-in protected by end-to-end encryption and feature of every session. integrity mechanisms that prevent anyone with access to our communications servers (whether Firewall and proxy compatibility friendly or hostile) from eavesdropping on a Like other Citrix products, GoToMeeting, session or manipulating data without detection. GoToWebinar and GoToTraining include built-in The MPSL provides an added level of proxy detection and connection management communication confidentiality and integrity logic that helps automate software installation, and is unique to our products. Company avoid the need for complex network (re) communications are never visible to any third configuration and maximize user productivity. party, including both users who are not invited Firewalls and proxies already present in your to a given session and Citrix itself. network generally do not need any special configuration to enable use of our web MPSL key establishment is accomplished by conferencing tools. using a randomly generated 128-bit seed value selected by the GoToMeeting service broker When GoToMeeting, GoToWebinar or that is distributed to all endpoints over TLS and GoToTraining endpoint software is started, it used as the input to a NIST-approved HMAC- attempts to contact the service broker via the SHA1 key-derivation function. The seed value is endpoint gateway (EGW) by initiating one or erased from the GoToMeeting service broker’s more outbound SSL-protected TCP connections memory when the session ends. on ports 8200, 443 and/or 80. Whichever connection responds first will be used and the MPSL further protects multicast packet data others will be dropped. This connection from eavesdropping using 128-bit AES provides the foundation for participating in all encryption in counter mode. Plain-text data is future sessions by enabling communication typically compressed before encryption using between hosted servers and the user’s desktop. proprietary, high-performance techniques to optimize bandwidth. Data integrity protection is When the user attempts to join a session, the accomplished by including an integrity check endpoint software establishes one or more

gotomeeting.com 7 White Paper Web Conferencing Security

additional connections to Citrix Video security communications servers, again using SSL- Citrix provides integrated video conferencing protected TCP connections on ports 8200, 443 for GoToMeeting, GoToWebinar and and/or 80. These connections carry data GoToTraining sessions over the Internet. To during an active session. protect the confidentiality and integrity of video connections from the endpoints to the In addition, for connectivity optimization tasks, video servers, we use an SRTP with AES-128- the endpoint software initiates one or more HMAC-SHA1-based protocol. Keys are short-lived TCP connections on ports 8200, 443 exchanged by the client and server over a TLS- or 80 that are not SSL protected. These network protected TCP connection. probes do not contain any sensitive or exploitable information and present no risk of Endpoint system security features sensitive information disclosure. Web conferencing software must be compatible with a wide variety of desktop By automatically adjusting the local network environments, yet create a secure endpoint on conditions using only outbound connections each user’s desktop. GoToMeeting, and choosing a port that is already open in GoToWebinar and GoToTraining accomplish this most firewalls and proxies, GoToMeeting, using web-downloadable executables that GoToWebinar and GoToTraining provide a high employ strong cryptographic measures. degree of compatibility with existing network security measures. Unlike some other products, Signed endpoint software ours do not require companies to disable All Citrix executables are digitally signed for existing security measures to allow web integrity protection. Strict quality control and conferencing communication. These features configuration management procedures are maximize both compatibility and overall followed by Citrix during development and network security. deployment to ensure software safety. The endpoint software exposes no externally Voice security available network interfaces and cannot be Citrix provides integrated audio conferencing used by malware or viruses to exploit or infect for GoToMeeting, GoToWebinar and remote systems. This protects other desktops GoToTraining sessions through the telephone participating in a session from being infected by network (PSTN) as well as Voice over Internet a compromised host used by another attendee. Protocol (VoIP). The PSTN already provides for the confidentiality and integrity of voice Cryptographic subsystem implementation communications. To protect the confidentiality All cryptographic functions and security and integrity of VoIP connections from the protocols employed by GoToMeeting, endpoints to the voice servers, we use an SRTP GoToWebinar and GoToTraining client endpoint with AES-128-HMAC-SHA1-based protocol software are implemented using open source over UDP and TLS-RSA-1024-AES-128-HMAC- OpenSSL cryptographic libraries. SHA1 over TCP.

gotomeeting.com 8 White Paper Web Conferencing Security

Use of the cryptographic libraries is restricted to across geographically distributed the GoToMeeting, GoToWebinar and communication servers. GoToTraining endpoint applications; no external APIs are exposed for access by other software Physical security running on that desktop. All encryption and Citrix web, application, communication and integrity algorithms, key size and other database servers are housed in secure cryptographic policy parameters are statically co-location datacenters. Physical access to encoded when the application is compiled. servers is tightly restricted and continuously Because there are no end-user-configurable monitored. All facilities have redundant power cryptographic settings, it is impossible for users and environmental controls. to weaken our security through accidental or intentional misconfiguration. A company that Network security uses GoToMeeting, GoToWebinar and/or Citrix employs firewall, router and VPN-based GoToTraining can be certain that the same level access controls to secure our private-service of web conferencing security is present on all networks and backend servers. Infrastructure participating endpoints, regardless of who owns security is continuously monitored and or operates each desktop. vulnerability testing is conducted regularly by internal staff and outside third-party auditors. Hosted infrastructure security features Citrix delivers GoToMeeting, GoToWebinar and Customer privacy GoToTraining using an application service Because maintaining the trust of our users is a provider (ASP) model designed expressly to priority for us, Citrix is committed to respecting ensure robust and secure operation while your privacy. A copy of the current privacy policy integrating seamlessly with a company’s can be found online at www.citrix.com/about/ existing network and security infrastructure. legal/citrix-online-privacy-policy-overview-en. html.tmpl. Scalable and reliable infrastructure The Citrix service architecture has been Conclusion designed for maximum performance, reliability With GoToMeeting, GoToWebinar and and scalability. The GoToMeeting, GoToWebinar GoToTraining, it’s easy to conduct meetings, and GoToTraining solutions are driven by present information and demonstrate products industry-standard, high-capacity servers and online to improve business communication. network equipment with the latest security These tools’ intuitive and secure interfaces and patches in place. Redundant switches and feature sets make them the most effective routers are built into the architecture to ensure solutions for conducting and attending web that there is never one single point of failure. conferencing sessions. Clustered servers and backup systems help guarantee a seamless flow of application Behind the scenes, the Citrix hosted service processes — even in the event of a heavy load architecture transparently supports multi-point or system failure. For optimal performance, the collaboration by providing a secure, reliable GoToMeeting, GoToWebinar and GoToTraining environment. As this paper shows, brokers load balance the client/server sessions GoToMeeting, GoToWebinar and

gotomeeting.com 9 White Paper Web Conferencing Security

GoToTraining promote ease of use and flexibility without compromising the integrity, privacy or administrative control of business communication.

Appendix: Security standards compliance GoToMeeting, GoToWebinar and GoToTraining are compliant with the following industry and U.S. government standards for cryptographic algorithms and security protocols:

• The TLS/SSL Protocol, Version 1.0 IETF RFC 2246 • Advanced Encryption Standard (AES), FIPS 197 • AES Cipher suites for TLS, IETF RFC 3268 • RSA, PKCS #1 • SHA-1, FIPS 180-1 • HMAC-SHA-1, IETF RFC 2104 • MD5, IETF RFC 1321 • Pseudorandom Number Generation, ANSI X9.62 and FIPS 140-2

Corporate Headquarters India Development Center Latin America Headquarters Fort Lauderdale, FL, USA Bangalore, India Coral Gables, FL, USA

Silicon Valley Headquarters Online Division Headquarters UK Development Center Santa Clara, CA, USA Santa Barbara, CA, USA Chalfont, United Kingdom

EMEA Headquarters Pacific Headquarters Schaffhausen, Switzerland Hong Kong, China

About Citrix Citrix (NASDAQ:CTXS) is a leader in virtualization, networking and cloud services to enable new ways for people to work better. Citrix solutions help IT and service providers to build, manage and secure, virtual and mobile workspaces that seamlessly deliver apps, desktops, data and services to anyone, on any device, over any network or cloud. This year Citrix is celebrating 25 years of innovation, making IT simpler and people more productive with mobile workstyles. With annual revenue in 2013 of $2.9 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million people globally. Learn more at www.citrix.com.

Copyright ©2014 , Inc. All rights reserved. Citrix, GoToAssist, GoToMeeting, GoToMyPC, GoToTraining, GoToWebinar, OpenVoice, and ShareFile are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.

10.06.14/286395/PDF gotomeeting.com 10