cisco webex security
TRANSCRIPT
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco WebEx Solutions: Technical overview - security
Thomas Flambeaux Cisco WebEx SE
Cisco WebEx Collaboration Cloud (diagram: existing hub, new hub, and GDM nodes)
Global Distributed Meeting (GDM) and Content Delivery Network (CDN) optimize user experience.
GDM local switching eliminates traffic congestion to a single hub. It provides an optimal in-meeting experience with low round trip time/latency and high bandwidth.
Pre and post meeting experience is enhanced by leveraging CDN.
Closest hub is selected with Global Distributed Meeting.
Client download with CDN configured (customer.webex.com)
1. https://customer.webex.com
2. Web page response
3. Start meeting request
4. Response parameter: WebEx client download server: https://customer.cdn.webex.com; WebEx client version directory (e.g. T27LBSP17_4567) (actual package name used for single download origin)
5. Client download request to: customer.webex.com
6. CDN edge server gets client package from WebEx server and caches the package for later use.
7. WebEx client download
(Diagram participants: attendee, CDN edge server, WebEx server.)
CDN enables WebEx to offer the fastest join times
Source: Lab Testing Summary Report- Web Conferencing, Report # 100716, Miercom Sept 2010
(Chart: join time in seconds, 0-225 scale, for WebEx, Citrix, Netviewer, Adobe and Microsoft; four panels: East Coast first-time presenter, East Coast first-time attendee, West Coast first-time presenter, West Coast first-time attendee. Bar values as extracted, by panel, vendor assignment not recoverable: 30.8, 54.2, 121.1, 25.1, 120.2 / 24.6, 41.9, 20.9, 29.7, 96.8 / 61.6, 46, 120.5, 58.4, 203.8 / 77.2, 51.9, 37, 58.9, 160.4.)
WebEx Plug-in
• ActiveX
• Java applet
• TFS
• Flash (Event center)
• MSI
1) Users access site URL with browser, join/start meeting
2) Meeting Manager grants access, registers user, logs access
3) Ping Server identifies optimum CB and reports info to client
4) Client establishes connection to best Collaboration Server
5) CB checks with Meeting Manager, grants access, establishes privileges
GDM switch architecture
(Diagram: San Jose Data Center and UK Data Center; Cluster A and Cluster B, each with Zone1 and Zone2 of CB servers under an MZM; WWP and WebDB; a virtual MMP pool of MCS servers with MCC and MMPDB.)
GDM enables lowest desktop sharing latency
(Chart: average total latency in seconds, 0-50 scale, East Coast and West Coast, for Cisco WebEx Meeting Center, Adobe Connect Pro, Citrix GoToMeeting, Microsoft Live Meeting and Netviewer. Bar values as extracted, vendor assignment not recoverable: 6.2, 35.5, 8.5, 38.7, 16.1, 17.4, 47.6, 23.8, 49, 38.3.)
Source: Lab Testing Summary Report- Web Conferencing, Report # 100716, Miercom Sept 2010 . Tests were conducted in 2 different locations with different network access points. Total latency was calculated over a 13 slide PPT deck with various animations and transitions.
Summary of CDN and GDM benefits
CDN (Content Delivery Network) improves the join/start meeting experience: CDN enables faster download of the Meeting Client binary to the attendee/host computer.
GDM (Global Distributed Meeting) enhances the in-meeting experience: GDM connects the attendee/host to the closest WebEx data center for faster communication in the meeting.
Cisco multi-layer security model
Cisco WebEx Collaboration Cloud: MULTI-LAYER SECURITY MODEL
• Site Security: customer-defined service administration
• Collaboration Security: access controls, policy management
• Network Security: SSL/AES encryption, user authentication
• Physical Security: data center secure facility
• Third Party Audits: SAS-70 Type II, ISO27001 (planned)
Physical security: Secure Service Platform (Cisco CSG Applications)
• Intrusion Detection & Response: 24/7 response capabilities
• Vulnerability Management: daily scan schedule, documented patching process
• High Availability: 24/7 service monitoring, geographic failover
• Hardened Networks: firewalls, secure device configuration baselines
• Hardened Systems: STIG derived hardening standards, application white listing
• Strict Access Controls: 2-factor authentication
Network Security: leveraging best-in-class technologies
• Data-in-motion protection: 128-bit SSL encryption standard; 256-bit AES end-to-end encryption; PKI optional
• Data-at-rest protection: strict access control; data is switched, not stored; Network Based Recording (NBR)
Data protection for Conferencing, IM, Spaces
Default SSL encryption
• All WebEx meeting traffic is encrypted with 128-bit SSL encryption
• All traffic is secured and transported over HTTPS (port 443) while on the public network
• SSL-enabled meetings are implemented by default in the WebEx environment
(Diagram: meeting data and control travel over SSL across the Internet to the SSL accelerator, which encrypts/decrypts, and on to the meeting switches as meeting data.)
End to end encryption
• Meeting data is encrypted using AES at the client
• Meeting data remains encrypted over the entire network
• 256 bit cipher strength
• Random key generation
• Self-signed X.509 certificates used to exchange key
• Control data remains unencrypted to optimize switching of meeting traffic between attendees
(Diagram: AES-encrypted meeting data and control travel over SSL across the Internet to the SSL accelerator and meeting switches; meeting data remains encrypted.)
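The slide's layered model (AES-256 applied at the client, control data left in the clear so the switch can route without a key) can be shown in a few dozen lines. The Go program below is an added illustration written for this transcript, not Cisco's or WebEx's code: the Frame wire format, the meeting/attendee IDs and the Switch type are constructed for the example, the key is simply handed to both endpoints rather than exchanged under X.509 certificates as the slide describes, and AES-GCM is used so that the cleartext control header is authenticated even though it is not encrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Frame is a constructed wire format for this example (not WebEx's):
// a cleartext control header followed by an AES-256-GCM sealed payload.
type Frame struct {
	MeetingID uint32 // control data, cleartext so a switch can route it
	SenderID  uint32 // control data, cleartext
	Nonce     []byte // fresh per frame
	Sealed    []byte // ciphertext || GCM tag, opaque to the switch
}

// header serialises the control fields; it is also fed to GCM as
// additional authenticated data, so a header altered in transit fails to open.
func header(meetingID, senderID uint32) []byte {
	h := make([]byte, 8)
	binary.BigEndian.PutUint32(h[0:4], meetingID)
	binary.BigEndian.PutUint32(h[4:8], senderID)
	return h
}

// NewMeetingKey draws a random 256-bit key at the client. The certificate-based
// key exchange from the slide is out of scope here (assumption: both endpoints
// already hold the key).
func NewMeetingKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts meeting data at the sending client.
func Seal(key []byte, meetingID, senderID uint32, data []byte) (Frame, error) {
	g, err := gcmFor(key)
	if err != nil {
		return Frame{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Frame{}, err
	}
	return Frame{
		MeetingID: meetingID,
		SenderID:  senderID,
		Nonce:     nonce,
		Sealed:    g.Seal(nil, nonce, data, header(meetingID, senderID)),
	}, nil
}

// Open decrypts at the receiving client; it fails on a wrong key or on a
// frame whose control header was modified on the way.
func Open(key []byte, f Frame) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, f.Nonce, f.Sealed, header(f.MeetingID, f.SenderID))
}

// Switch models a meeting switch: it fans a frame out to the other attendees
// of the meeting using only the control header and never holds a meeting key.
type Switch struct {
	Attendees map[uint32][]uint32 // meeting ID -> attendee IDs
}

func (s *Switch) Route(f Frame) []uint32 {
	var dst []uint32
	for _, id := range s.Attendees[f.MeetingID] {
		if id != f.SenderID {
			dst = append(dst, id)
		}
	}
	return dst
}

func main() {
	key, _ := NewMeetingKey()
	f, _ := Seal(key, 42, 7, []byte("slide 3: next build"))
	sw := &Switch{Attendees: map[uint32][]uint32{42: {7, 8, 9}}}
	fmt.Println("switch forwards to attendees", sw.Route(f))
	pt, err := Open(key, f)
	fmt.Printf("attendee decrypts: %q err=%v\n", pt, err)
	f.MeetingID = 43 // a modified control header is rejected on open
	_, err = Open(key, f)
	fmt.Println("modified header rejected:", err != nil)
}
```

The point worth noting for a reviewer of such a design is the last step: leaving control data unencrypted is a routing optimisation, but binding it to the payload as authenticated data means a switch or any middlebox can read it without being able to alter it unnoticed.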
PKI identity validation
• Use of PKI provides identity validation and authorization of attendees
• AES encryption keys secured by digital certificates
• Certificate access support through Microsoft Crypto Libraries or Apple Macintosh Key Chains
• Support for multiple certificate authorities for each site
• WebEx will not provide Certificate authority services
(Diagram: CAs uploaded by the admin; host certificate used to validate against CA; attendee certificate used to validate against CA; AES meeting data and control travel over SSL, with PKI, across the Internet to the SSL accelerator and meeting switches.)
Layered encryption model
• SSL supported for all WebEx Enterprise meeting services
• The “End to End Encryption Session Type” needs to be enabled on the WebEx site; AES/PKI is only supported on Meeting Center
• AES/PKI does not support Network Based Recording, Join before Host or Hybrid Audio
• PKI deployment is restricted to Windows and Mac OS
• PKI requires an existing X.509 certificate infrastructure to be in place
(Diagram: layers SSL, AES and PKI at each end.)
NBR Security
• Administrator can set recording policies for each session:
Disable recording
Disable download
Password protect downloads
Disable forwarding links to recording
Policy management
• Policies can be used to manage and enforce corporate rules governing all aspects of collaboration
• Policies can be used to:
Enable/disable features
Manage collaboration privileges
Enforce enterprise security policies
• During a meeting, the host can:
Lock the meeting
Eject attendees
Assign presenter and annotation privileges
Re-assign host role
Collaboration security
• Set meeting password
• Lock down meeting
• Eject attendees
• Disable share
• Host privileges
• Audio dial-in/dial-out control
Rigorous audits by independent parties
• Customer/Site audits
On an “as needed” basis
• Internal audits
Performed “as needed” for Cisco’s internal audit group
• SAS70 Type II audit
Targeted for completion in Feb 2011
• ISO27001 compliance
Targeted for completion end of 2011
• Infrastructure and application security assessments
Code assisted Pen tests by iSec Partners
Integration points
WebEx offers 3 basic APIs as integration points; SAML is also available.
TSP API: in-meeting integration (active talker, mute/un-mute, etc.)
XML API: provisioning & usage collection
URL API: login/SSO, join/start meeting, page authentication
In-Meeting integration: TSP API architecture
(Diagram: across the Internet, a WebEx firewall and a partner firewall; the WebEx side has the meeting server and telephony server, the partner side has the TSP partner-hosted adaptor server and the audio bridge; the meeting attendee joins the data conference and, via PSTN, the audio conference.)
XML communication takes place between the WebEx Telephony Server and the TSP Partner Adaptor Server.
The adaptor uses the Bridge API to manage low level communication to the audio bridge.
Thank you.