BRKCOL-2930

Best Practices to deploy secure Cloud Collaboration solutions in context of a Cloud Ready network

Marc Dionysius – Technical Solutions Architect Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKCOL-2930

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• Introduction and Objectives

• Current challenges

• How to address the existing network architecture?

• Why are Cloud Ready Network Concepts relevant?

• A different angle to Cloud Security

• Conclusion

Objectives

Cloud Collaboration services continue to grow and present customers and partners with both opportunities and challenges when deploying those services in today’s customer environments. This session reviews design and deployment considerations for secure Cloud Collaboration solutions in the context of current customer network architectures, including proxies, centralized breakouts and future evolutions towards cloud-ready networks. It is designed for individuals looking to understand the various aspects, benefits and challenges of moving solutions towards Cisco Collaboration Cloud and Cisco Spark.

Current challenges

“Cloud and Security are mutually exclusive!”

Undisclosed customer quote

The New Normal

More targeted attacks: more than 100 targeted breach attempts every year

Attacks are faster than ever but still take too long to find: 82% of compromises measured in minutes

Shortage of cybersecurity expertise: 1.5 million job openings by 2019

Are Cloud and Security really mutually exclusive?

Source: Gartner Highlights the Top 10 Cloud Myths

“We expect your solution to fit into our existing security framework.”

Undisclosed customer quote

Collaboration Security – a History tour into 2006

How to address the existing network architecture?

What topology do we typically see in a customer’s network?

[Diagram: Internal / DMZ / Internet zones. Datacenter with IdP, Cisco Collaboration Cloud with cloud IdP, Remote Site with Voice and Video Endpoints over the IP WAN, Desktops/Laptops, Teleworker, Wireless Devices]

Cisco Spark - Types of Traffic

Spark Clients -> Spark Services:

• Messages, Media Signalization, notifications, Control and Analytics Traffic: HTTPS and WSS

• Voice, Video and Content Share: SRTP and STUN

Traffic Flow Scenario 1 - Security relaxed customer, policies only enforced in the FW

[Diagram: Internal / DMZ / Internet]

Traffic Flow Scenario 2 - Security aware customer, policies enforced in the FW and Proxy

[Diagram: Internal / DMZ / Internet, with Proxy in the DMZ]

Traffic Flow Scenario 3 - Security focused customer, policies enforced in the FW and Proxy plus no direct connection to the internet

[Diagram: Internal / DMZ / Internet, with Proxy and Hybrid Media Node (HMN) in the DMZ]

What is a proxy?

• A proxy is a machine or group of machines that allows computers in the customer’s internal LAN to reach the internet.

• Mainly they deliver services for the HTTP/HTTPS protocol, but other protocols are also supported (FTP, Gopher, etc.).

• Typically we see them in customer networks that don’t give direct access to the internet/outside.

Objective of proxies?

• Caching – to speed up downloading content from the internet, assuming that most of the time many users in the same organization access the same sites.

• Filtering – limiting which sites the users of a specific organization can access.

• Authentication – making sure that only valid users from a specific organization are allowed to access the internet.

• Inspection – some proxies also allow inspection of HTTP/HTTPS traffic to make sure it is legitimate.

Proxy – How to configure

• Manually – the user needs to configure the proxy in the web browser or OS by hand, a process that is impractical in mid-size to big organizations.

• GPO – using Windows Group Policy, Active Directory administrators can push the proxy configuration to the Windows desktops.

• PAC – allows administrators to create a file, stored on a web server, that specifies the proxies and exceptions. Easier to manage, since it only requires the user to configure a URL.

• WPAD – the Web Proxy Auto-Discovery Protocol (WPAD) is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods.
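A PAC file is itself JavaScript, so the mechanism the PAC and WPAD bullets describe can be shown directly. The file below is an added example written for this page, not from the deck or from Cisco’s published configuration: internal hosts and a placeholder list of collaboration-cloud domains go DIRECT, everything else goes to the corporate proxy. The proxy address `proxy.corp.example:8080`, the internal domain `corp.example` and the `10.0.0.0/8` range are constructed; the two-entry bypass list stands in for the published Spark URL list referred to later in the deck; and the three helper functions are reimplemented only so the file runs under Node.js (a browser or OS PAC engine normally provides them).

```javascript
// Added example PAC file (not from the Cisco Live deck). The client fetches this
// file from a URL (configured by hand, via GPO, or discovered with WPAD) and calls
// FindProxyForURL for every request.

const CORPORATE_PROXY = "PROXY proxy.corp.example:8080"; // constructed placeholder

// Constructed placeholder list; in production this is the published Spark URL list.
const COLLAB_BYPASS_DOMAINS = [".wbx2.com", ".webex.com"];

// --- Helpers a PAC runtime normally provides; reimplemented so this runs in Node ---

// True for single-label names such as "intranet" (no dots).
function isPlainHostName(host) {
  return !host.includes(".");
}

// True when host equals the domain (minus its leading dot) or is a label under it.
// Using the leading dot avoids matching look-alikes such as "notwbx2.com".
function dnsDomainIs(host, domain) {
  return host === domain.slice(1) || host.endsWith(domain);
}

// Dotted-quad membership test. A real PAC engine would resolve hostnames first;
// here only literal IPv4 hosts are considered so no DNS is needed.
function isInNet(host, network, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const toInt = (ip) => ip.split(".").reduce((acc, o) => (acc << 8) | Number(o), 0) >>> 0;
  return (toInt(host) & toInt(mask)) === (toInt(network) & toInt(mask));
}

// --- The PAC entry point -----------------------------------------------------------

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Internal destinations never leave the LAN through the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";

  // Exception list: collaboration-cloud destinations bypass the proxy.
  for (const domain of COLLAB_BYPASS_DOMAINS) {
    if (dnsDomainIs(host, domain)) return "DIRECT";
  }

  // Everything else is subject to the proxy's filtering, authentication and inspection.
  return CORPORATE_PROXY;
}
```

Whether collaboration destinations go DIRECT, as here, or to a proxy that carries exceptions for them is the design choice the later slides discuss; the PAC mechanism is the same either way. Since the file is fetched from a URL, that URL, the web server hosting it and the DHCP/DNS records WPAD consults all become part of the trust boundary and should be protected accordingly.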

Proxy – How to authenticate?

• No Authentication – the user or endpoint does not need to authenticate against the proxy.

• Basic – defined in RFC 2617; in Basic authentication the client sends the username and password as unencrypted, base64-encoded text.

• Digest – same as Basic, but instead of passing the password in clear text it uses a hash based on the password and several other parameters. Only very few proxy servers support Digest authentication, and if they do, it can’t use the user’s password in Active Directory.

• NTLM – a protocol used in several Microsoft network implementations to enable single sign-on across different services. It uses a challenge/response mechanism to deliver authentication; the password never travels over the network.

• Negotiate – Microsoft released the Simple And Protected Negotiate (SPNEGO) authentication method. In this method the server asks for Negotiate in the proxy authentication exchange; the client replies with a Kerberos ticket but can fall back to NTLM credentials. (First appeared as part of RFC 1510, made obsolete by RFC 4120.)

Proxy – Inspection using TLS intercept: how does TLS work?

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are key components of secure communications over insecure media. The privacy, integrity, and authenticity provided by these protocols are extremely important to transmit data. Modern implementations generally support both TLSv1.0 and TLSv1.1, along with TLSv1.2. All communications rely on the validation of the certificates exchanged. TLS intercept acts as a MiTM; it opens the possibility of such attacks against the clients and needs to be carefully planned.

[Diagram: TLS handshake between Client and Server – Client Hello; Server Hello, Server Certificate, Cipher Suite, Request Client Certificate; Verify Server Certificate, Client Certificate, Cipher Suite, Client Finished Message; Server Finished Message; Encrypted Data]

Proxy – Inspection using TLS intercept: how does a proxy do TLS intercept?

Intercept proxies can be deployed in several ways, depending on their purpose and what type of inspection they do. Intercept proxies can be Deep Packet Inspection devices, can be included in next-generation firewalls, or do data loss prevention (DLP).

[Diagram: Client <-> Proxy <-> Server. The proxy terminates the client’s TLS handshake (Client Hello, Server Hello, Server Certificate, Cipher Suite, Request Client Certificate, Verify Server Certificate, Client Certificate, Cipher Suite, Client Finished Message, Server Finished Message, Data) and runs a second, independent handshake with the server; at the proxy the data is unencrypted]

TLS intercept – how to validate?

In TLS, clients need to validate server components. So our client needs to validate the CA certificate used by the proxy, which means it needs to trust the Enterprise or Public CA that signed it. But since the proxy itself is also a client for the second segment, it in turn needs to validate the Public CA that signed the server. There isn’t much point in doing TLS intercept on Spark traffic, since inside the TLS packets there is another layer of encryption that proxies can’t decrypt, so the only advantage would be knowing the full URLs used by the Spark service.

[Diagram: Client (Certificate, TrustStore) <-> Proxy in the DMZ (Certificate signed by the Enterprise CA, TrustStore) <-> Server (Certificate signed by a Public CA, TrustStore)]

Spark Security Architecture – End to End Secure Communication

Transport

• Mutual TLS connection – secure TLS REST interfaces, certificate based MTLS

• Interaction between services based on OAuth to authorize services – service components authorized by OAuth tokens

• Establish TLS connection – secure client connection to the service over TLS

• Inter service message transport

Key Management

• Establish end to end ECDHE communication channel – end to end client to Key Management channel negotiated with ECDHE

• Client verifies KMS identity through PKI certificate – identity of the Key Management Service verified by PKI certificate

• Crypto key operations (key material) not visible to other cloud components – client to Key Management crypto key operations E2E secured over the transport layer with JSON Web Encryption (JWE, RFC 7516)

Proxy exceptions for Spark traffic – an alternative to TLS intercept

Most proxies can create rules based on destination. There are rules like TLS intercept bypass, authentication bypass, etc. For Spark we published the URLs that we require for the Spark service to work: collaborationhelp.cisco.com/article/en-us/n4vzhkx

Some proxies like the Cisco WSA have the capability of getting all these URLs from a single live feed: https://www.ciscoSpark.com/content/dam/ciscoSpark/eopi/global/assets/Docs/Spark_wsa.csv

Recommendations regarding Proxies

• Spark traffic carries encrypted content inside HTTPS connections: even though TLS delivers hop-by-hop encryption for the connections, we add end-to-end encryption for the Spark traffic. In fact the only advantage of TLS intercept is to learn the destination URL (not only the domain information that the TLS connection provides by default); the traffic is completely opaque to the proxy.

• Alternatively, create an exception in the proxy to exclude Spark traffic from TLS intercept and/or authentication as described on the previous slide. We are absolutely NOT recommending turning off TLS intercept in general!!

• Spark devices: the recommendation is to use the destination (Cisco Spark domains) and the User-Agent of the HTTP request to create rules where Spark devices (CE and SparkBoard) use a specific policy with exceptions for Cisco Spark, with no authentication or TLS intercept configured.

WSA proxy authentication using ISE with 802.1X

Some endpoints like CE and SB devices have no easy way of delivering secure authentication against proxies. If there is a need to authenticate on multiple OSI layers (network, application), why not use one to provide authentication to the other?

[Diagram: Enterprise CA, ISE, Switch, WSA, Web Service]

1. Sign a certificate from a CA
2. On access to the network, the switch redirects to ISE
3. ISE asks for 802.1X certificate-based authentication
4. The endpoint with proxy configuration requests access to web services
5. WSA, using pxGrid, checks whether the device completed 802.1X authentication successfully
6. The endpoint connects securely to the Web Service using authenticated proxies without user interaction

Proxy support - what does it mean?

• When we talk about proxy support we mean Spark clients talking HTTPS and WSS traffic only (Messages, Media Signalization, notifications, Control and Analytics Traffic).

• Media over proxies isn’t recommended; proxies were not designed to handle media (Voice, Video and Content Share over SRTP and STUN), their performance is really bad and doesn’t scale.

Firewall Requirements – Message, Signalization, Notification and Control

Spark Clients -> Spark Services: Messages, Media Signalization, notifications, Control and Analytics Traffic over HTTPS and WSS

[Diagram: Internal / DMZ / Internet]

• Media goes directly to the internet using the HTTPS/WSS protocol.

[Diagram: Internal / DMZ / Internet, with Proxy in the DMZ]

• Signalization goes through the Proxy (rules already in place in the firewall).

Protocol and Ports used by Spark

Assuming the most simple scenario with direct connection to the internet:

TCP rule
Protocol: TCP
Source IP: Internal LAN IP address range
Source Port: Ephemeral
Destination IP: Any IP
Destination Port: 443

UDP media rule
Protocol: UDP
Source IP: Internal LAN IP
Source Port: Voice 52000-52099, Video 52100-52299
Destination IP: Any IP
Destination Port: 5004

TCP fallback rule for media
Protocol: TCP
Source IP: Internal LAN IP
Source Port: Ephemeral
Destination IP: Any IP
Destination Port: 5004

[Diagram: Internal / DMZ / Internet]

• From a media perspective Spark clients always try to use UDP but fall back to TCP if UDP is closed. TCP might impact media quality, and it can’t guarantee quality for real-time media.

• As a last-case scenario for the software clients (Win, Mac, iOS and Android) we can use HTTPS proxies for media, but it isn’t recommended. Cisco can’t help much if there are quality issues with the media.

• Spark Boards on old versions of SW need to access NTP (port 123), but new versions will use DHCP.

Firewall rules for Media

[Diagram: Internal / DMZ / Internet, with Hybrid Media Node (HMN) in the DMZ]

Option 1 – Access to the Spark Service through Hybrid Media Node. All clients inside the customer network connect to the Hybrid Media Node; if there are participants outside the customer network, HMN cascades the media flow to the cloud. Unique, very well defined sources, if necessary placed in special DMZs, connect to the Spark services in the Cloud. It opens UDP connections to destination port 5004; a few additional ports are needed, please review the reference slides in the Appendix.

Firewall rules for Media

[Diagram: Internal / DMZ / Internet]

Option 2 – Using firewalls with STUN support (defined in RFC 3489).

Uses UDP from any Spark client inside the customer network using source ports

Voice 52000-52099

Video 52100-52299

where the destination might be any IP address on the internet with destination port 5004. STUN allows pinholes to be opened only if the system is WebRTC compliant and there is an external recipient expecting the traffic (prevents the enterprise from being the source of a DDoS). From a security perspective this is the recommended model, but it requires firewalls that use STUN for WebRTC traffic, like the Cisco ASA.

Firewall rules for Media

[Diagram: Internal / DMZ / Internet]

Option 3 – Direct access to the Spark Service using the UDP protocol for media, with specific destination IP addresses. We require that the administrator configure the firewall to allow inside-initiated UDP flows with return traffic to the same 5-tuple (source IP address/port number, destination IP address/port number and the protocol in use) with a 30s timeout on the pinhole; bidirectional media is sent over this flow.

Uses UDP from any Spark client inside the customer network using source ports

Voice 52000-52099

Video 52100-52299

where the destination might be two /19 prefixes on the internet with destination port 5004. This is EFT today, will be GA soon.

Firewall rules for Media

[Diagram: Internal / DMZ / Internet]

Option 4 – Direct access to the Spark Service using the UDP protocol for media. We require that the administrator configure the firewall to allow inside-initiated UDP flows with return traffic to the same 5-tuple (source IP address/port number, destination IP address/port number and the protocol in use) with a 30s timeout on the pinhole; bidirectional media is sent over this flow.

Uses UDP from any Spark client inside the customer network using source ports

Voice 52000-52099

Video 52100-52299

where the destination might be any IP address on the internet with destination port 5004.
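The stateful behaviour Options 3 and 4 ask of the firewall can be checked against a small model. The code below is an added example written for this page, not Cisco’s or any firewall vendor’s implementation: an inside-initiated UDP flow from the Spark source-port ranges to destination port 5004 opens a pinhole, and a return packet is admitted only when it matches the reversed 5-tuple and arrives before the 30 s timeout. The timeout is read here as an idle timeout refreshed by traffic in either direction, which is one interpretation of the slide and is marked as an assumption. The internal range `10.0.0.0/8`, the Option 3 prefix `198.51.100.0/24` and the packet objects are constructed; the DSCP marks attached to permitted outbound flows follow the port usage summary in the appendix (EF for audio, AF41 for video).

```javascript
// Added example (not from the Cisco Live deck): a model of the 5-tuple UDP pinhole
// behaviour described for media Options 3 and 4.

const PINHOLE_TIMEOUT_MS = 30000;   // "30s timeout", treated as idle timeout (assumption)
const MEDIA_DST_PORT = 5004;        // Spark media destination port
const PORT_RANGES = [               // Spark client source-port ranges and DSCP from the appendix
  { type: "audio", dscp: "EF", lo: 52000, hi: 52099 },
  { type: "video", dscp: "AF41", lo: 52100, hi: 52299 },
];

// Maps a client source port to media type and recommended DSCP, or null if outside.
function classifyMedia(srcPort) {
  return PORT_RANGES.find((r) => srcPort >= r.lo && srcPort <= r.hi) || null;
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) | Number(octet), 0) >>> 0;
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

class MediaFirewall {
  // insideNet: CIDR of the internal LAN (constructed). allowedDstPrefixes: [] means
  // "any IP" as in Option 4; a list of CIDRs restricts destinations as in Option 3.
  constructor({ insideNet, allowedDstPrefixes = [] }) {
    this.insideNet = insideNet;
    this.allowedDstPrefixes = allowedDstPrefixes;
    this.pinholes = new Map(); // outbound 5-tuple key -> last-seen timestamp (ms)
  }

  static key(p) {
    return `${p.proto}|${p.src}|${p.sport}|${p.dst}|${p.dport}`;
  }

  // Evaluates one packet {proto, src, sport, dst, dport} seen at time `now` (ms).
  process(pkt, now) {
    if (pkt.proto !== "udp") return { allow: false, reason: "not UDP media" };

    if (inCidr(pkt.src, this.insideNet)) {
      // Outbound: must look like Spark media before a pinhole is opened.
      const media = classifyMedia(pkt.sport);
      if (!media) return { allow: false, reason: "source port outside Spark media ranges" };
      if (pkt.dport !== MEDIA_DST_PORT) return { allow: false, reason: "destination port is not 5004" };
      if (this.allowedDstPrefixes.length > 0 &&
          !this.allowedDstPrefixes.some((c) => inCidr(pkt.dst, c))) {
        return { allow: false, reason: "destination outside permitted prefixes" };
      }
      this.pinholes.set(MediaFirewall.key(pkt), now); // open or refresh the pinhole
      return { allow: true, reason: "inside-initiated media flow", type: media.type, dscp: media.dscp };
    }

    // Inbound: only the exact reverse of a live outbound 5-tuple is admitted.
    const reverse = { proto: pkt.proto, src: pkt.dst, sport: pkt.dport, dst: pkt.src, dport: pkt.sport };
    const k = MediaFirewall.key(reverse);
    const lastSeen = this.pinholes.get(k);
    if (lastSeen === undefined) return { allow: false, reason: "no matching pinhole" };
    if (now - lastSeen > PINHOLE_TIMEOUT_MS) {
      this.pinholes.delete(k);
      return { allow: false, reason: "pinhole expired" };
    }
    this.pinholes.set(k, now); // bidirectional media keeps the pinhole alive
    return { allow: true, reason: "return traffic on open pinhole" };
  }
}
```

The model makes the security property of Options 3 and 4 visible: nothing from the Internet reaches an inside host unless that host first sent media from one of the Spark source ports to port 5004, and even then only from the exact peer address and port, for as long as the flow stays alive. Option 2 adds a further condition this model does not implement, that the firewall also sees a STUN exchange with the external recipient before opening the pinhole.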

Media for Voice, Video and Content Sharing

Spark Clients -> Spark Services: Voice, Video and Content Share over SRTP and STUN

• Option 1 – Access to the Spark Service through Hybrid Media Node.

• Option 2 – Direct access to the Spark Service using firewalls with STUN support.

• Option 3 – Direct access to the Spark Service using the UDP protocol for media with specific destination IP addresses.

• Option 4 – Direct access to the Spark Service using the UDP protocol for media.

• Option 5 – Direct access to the Spark Service using the TCP protocol for media.

• Option 6 – Access to the Spark Service using a Proxy.

Why are Cloud Ready Network Concepts relevant?

“With the growing number of Cloud Services consumed by our organization, we have to re-think our current Internet Breakout strategy!”

Undisclosed customer – Manager Solution Architecture Network & Unified Communications

Why are enterprises thinking about SD-WAN?

50% of apps accessed via Internet

58% cite management of WAN connectivity at the branch as a challenge

32.4% of IT budgets spent on WAN connectivity

48.6% cite poor application performance and latency as a corporate WAN concern

Secure SD-WAN and Cloud Access

[Diagram: Optimized Hybrid WAN – Branch connected over MPLS (IP-VPN), Internet and 3G/4G-LTE to Private Cloud, Virtual Private Cloud and Public Cloud (Direct Access)]

1. IWAN Secure VPN for private and virtual private cloud access -> Increase WAN transport capacity and app performance cost effectively!

2. Leverage local Internet path for public cloud and Internet access -> Improve application performance (right flows to right places)

SD-WAN: Secure Connectivity

[Diagram: Branch with Secure WAN Transport over MPLS (IP-VPN) to Private Cloud and Virtual Private Cloud; Secure Public Cloud Access over the Internet]

Two areas of concern:

1. Protecting the network from outside threats, with data privacy over provider networks

2. Protecting user access to Public Cloud and Internet services: malware, privacy, phishing, …

SD-WAN: Direct Cloud Access

[Diagram: Branch with MPLS (IP-VPN) to Private Cloud and Virtual Private Cloud, and Direct Cloud Access over the Internet to the Public Cloud via Umbrella]

Solutions

• Leverage local Internet path for Public Cloud and Internet access

• Improve application performance (right flows to right places)

On Premise – Zone Based Firewall in the Branch; Cloud Based – Umbrella

Cisco Umbrella

[Diagram: Any device; Authoritative DNS hierarchy: root, com., domain.com.]

User request patterns – used to detect:

• Compromised systems
• Command and control callbacks
• Malware and phishing attempts
• Algorithm-generated domains
• Domain co-occurrences
• Newly registered domains

Authoritative DNS logs – used to find:

• Newly staged infrastructures
• Malicious domains, IPs, ASNs
• DNS hijacking
• Fast flux domains
• Related domains

Improving Cloud User Experience and Security

[Diagram: Branch Site, Colo DC and DMZ connected over MPLS and Internet (INET) to vPrivate Clouds and the Internet; Cloudlock, OpenDNS Umbrella and AVC]

• Secure Direct Cloud Access – from the DC, from the Branch, from a Colocation Facility (Colo), from within a Cloud Service (AWS, Azure, ..)

• Pervasive Security – User, Transport, Cloud, Internet & Compliance

A different angle to Cloud Security

Cisco Cloudlock – Discover and Control

• Compromised Accounts
• Data Exposures and Leakages
• Cloud Malware
• Privacy and Compliance Violations
• Shadow IT/OAuth Discovery and Control
• Insider Threats

User and Entity Behavior Analytics, Cloud Data Loss Prevention (DLP), Apps Firewall

More of a proactive approach – Events API for Data Loss Prevention, Archival, eDiscovery

The API enables polling for events and content, which lets organizations monitor and correct user behavior, preventing the loss of sensitive data.

[Diagram: Cisco Spark -> Events API -> third-party vendor software (DLP or CASB integrations); the third party applies policies and takes corrective actions: delete content, alert user / admin]

More of a proactive approach – cont.: Cloud Access Security Broker (CASB)

[Diagram: Unmanaged Users, Devices and Network and Managed Users, Devices and Network reaching Cisco Spark via Public Access, Admin Access and Authorized OAuth API; (Cisco?) NGFW/Umbrella in the managed path]

More of a proactive approach – cont.: Vendors for Compliance and Data Loss Prevention (DLP)

Conclusions

• Cloud and Security can absolutely work hand in hand.

• In order to deploy Cisco Collaboration Cloud in a current customer network we may need to explain that a different approach is NOT less secure.

• Understand the bigger picture and the change that Cloud Applications bring to all aspects of a customer network, and try to address customer demands and concerns in a cross-architecture approach.

• Leverage the full capabilities of Cisco‘s Collaboration Cloud to include it in a general framework for secure Cloud Application Access that addresses both the technical requirements and the user side.


Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Continue Your Education

• Technical Seminar
  • BRKCOL-2930 Cloud Security unveiled - all aspects of Network, Data-Security, Compliance and Data Leakage Prevention in Cisco Spark

• Breakout Sessions
  • BRKCOL-2030 Cisco Spark - Cloud and On Premise Security explained

• Recommended reading
  • Spark Security Whitepaper https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaboration/spark/whitepapers/cisco-spark-firewall-traversal-white-paper.pdf
  • Spark Firewall Traversal Whitepaper https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaboration/spark/whitepapers/cisco-spark-firewall-traversal-white-paper.pdf

• Demos in the Cisco campus

• Meet the Engineer 1:1 meetings

Thank you

Appendix

Cisco Spark Clients – Proxy configuration

Config Type | Spark Windows | Spark Mac | Spark iOS | Spark Android | CE | SparkBoard
Manual Config | | | | | |
GPO | | | | | |
PAC | | | | | |
WPAD | | | | | |

(per-client support indicators not reproduced)

Cisco Spark Clients – Proxy Authentication Support

Config Type | Spark Windows | Spark Mac | Spark iOS | Spark Android | CE | SparkBoard
No Auth | | | | | |
Basic | | | | | |
Digest | | | | | |
NTLM | | | | | |
Negotiate | | | | | |

(per-client support indicators not reproduced)

Cisco Spark Clients – Other Security Features

Config Type | Spark Windows | Spark Mac | Spark iOS | Spark Android | CE | SparkBoard
802.1X Auth | | | | | |
TLS intercept | | | | | |
CDP | | | | | |
Media over HTTPS | | | | | |
Content Sharing over UDP | | | | | |

(per-client support indicators not reproduced)

Hybrid Media Node

[Diagram: Internal / DMZ / Internet, with Hybrid Media Node (HMN) in the DMZ]

Expressway Connectors

[Diagram: Internal Users, Internal devices, Servers / DMZ / Internet, with Proxy and Expressway C]

• If the customer has proxies we support only No Auth and Basic Authentication; TLS intercept is also supported.

[Diagram: Internal Users, Internal devices, Servers / DMZ / Internet, with Expressway C and no proxy]

• If there isn’t any proxy we will use HTTPS to send traffic to the Spark cloud.

Directory Connector

[Diagram: Internal Users, Internal devices, Servers / DMZ / Internet, with Proxy]

• If the Windows OS is configured for proxies we will use them and send all traffic there.

[Diagram: Internal Users, Internal devices, Servers / DMZ / Internet, no proxy]

• If there aren’t any proxies configured in the systems we will use HTTPS to send traffic to the Spark cloud.

Hybrid Data Security

[Diagram: Internal Users, Internal devices, Servers / DMZ / Internet, with Hybrid Data Security (HDS) on premises]

Hybrid Media Node – Media Considerations

Source IP Address | Destination IP Address | Source UDP Ports | Destination UDP Ports | Media Type
Clients/endpoints | Hybrid Media Node | 52000-52099 | 53000-62999 | Audio
Clients/endpoints | Hybrid Media Node | 52100-52299 | 63000-64999 | Video
Hybrid Media Node | Collaboration Cloud | 53000-62999 | 5004 | Audio
Hybrid Media Node | Collaboration Cloud | 63000-64999 | 5004 | Video
Hybrid Media Node | Hybrid Media Node | 34000-34999 | 5004, 5006 | Voice, Video
Hybrid Media Node | Hybrid Media Node | 5004, 5006 | 34000-34999 | Voice, Video

Hybrid Media Node – Management Considerations

Source | Destination | Transport Protocol | Destination Ports | Destination IP
Computer Management | Hybrid Media Node | TCP | 443 | Any
Hybrid Media Node | Collaboration Cloud | UDP -> NTP | 123 | Any
Hybrid Media Node | Collaboration Cloud | UDP -> DNS | 53 | Any
Hybrid Media Node | Collaboration Cloud | TCP -> HTTPS | 444 | Any
Hybrid Media Node | Hybrid Media Node | TCP -> HTTPS | 5000 | Any
Hybrid Media Node | Collaboration Cloud | TCP -> HTTPS | 443 | *.wbx2.com, *.idbroker.webex.com

Cisco Spark Port Usage Summary (Endpoints -> Cloud Direction Shown)

Source IP Address | Destination IP Address | Source UDP Ports | Destination UDP Ports | Recommended DSCP | Media Type
Clients/endpoints | Collaboration Cloud | 52000-52099 | 5004 | EF | Audio
Clients/endpoints | Collaboration Cloud | 52100-52299 | 5004 | AF41 | Video
Clients/endpoints | Hybrid Media Node | 52000-52099 | 53000-62999 | EF | Audio
Clients/endpoints | Hybrid Media Node | 52100-52299 | 63000-64999 | AF41 | Video
Hybrid Media Node | Collaboration Cloud | 52000-52099 | 5004 | EF | Audio
Hybrid Media Node | Collaboration Cloud | 52000-52099 | 5004 | AF41 | Video