Cisco WebEx Security

TRANSCRIPT

Page 1: Cisco WebEx Security

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco WebEx Solutions: Technical overview - security

Thomas Flambeaux, Cisco WebEx SE

Page 2: Cisco WebEx Security

Cisco WebEx Collaboration Cloud

Global Distributed Meeting (GDM) and the Content Delivery Network (CDN) optimize the user experience:

GDM local switching eliminates traffic congestion at a single hub and provides the optimal in-meeting experience, with low round-trip time/latency and high bandwidth

The closest hub is selected with Global Distributed Meeting

The pre- and post-meeting experience is enhanced by leveraging the CDN

[Diagram: the Cisco WebEx Collaboration Cloud with the existing hub, a new hub, and GDM nodes around them]

Page 3: Cisco WebEx Security

Client download with CDN configured (customer.webex.com)

1. Client requests https://customer.webex.com
2. Web page response
3. Start meeting request
4. Response parameters: the WebEx client download server (https://customer.cdn.webex.com) and the WebEx client version directory (e.g. T27LBSP17_4567), which is the actual package name used for the single download origin
5. Client download request to the download server returned in step 4, answered by a CDN edge server
6. The CDN edge server gets the client package from the WebEx server and caches the package for later use
7. WebEx client download to the attendee from the edge server

[Diagram: attendee, customer.webex.com, CDN edge server]

Page 4: Cisco WebEx Security

CDN enables WebEx to offer the fastest join times

Source: Lab Testing Summary Report - Web Conferencing, Report # 100716, Miercom, Sept 2010

[Chart: join time (sec), y-axis 0 to 225, for WebEx, Citrix, Netviewer, Adobe and Microsoft in four panels: East Coast first-time presenter, East Coast first-time attendee, West Coast first-time presenter, West Coast first-time attendee. Bar values as extracted, vendor assignment lost: panel 1: 30.8, 54.2, 121.1, 25.1, 120.2; panel 2: 24.6, 41.9, 20.9, 29.7, 96.8; panel 3: 61.6, 46, 120.5, 58.4, 203.8; panel 4: 77.2, 51.9, 37, 58.9, 160.4]

Page 5: Cisco WebEx Security

WebEx plug-in options:

• ActiveX

• Java applet

• TFS

• Flash (Event Center)

• MSI

Page 6: Cisco WebEx Security

1) The user accesses the site URL with a browser and joins/starts the meeting

2) The Meeting Manager grants access, registers the user, and logs the access

3) The Ping Server identifies the optimum CB and reports the information to the client

4) The client establishes a connection to the best Collaboration Server

5) The CB checks with the Meeting Manager, grants access, and establishes privileges
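To make the trust boundaries in steps 2 to 5 concrete, here is an added Go model of the sequence (example code written for this page, not Cisco's code and not the real WebEx protocol): the Meeting Manager authenticates the join, logs it and issues an HMAC-signed ticket; the Ping Server's job is reduced to picking the CB with the lowest measured round-trip time; and the CB re-validates the ticket with the Meeting Manager before mapping the role to privileges, so a client that edits its own ticket gets nothing. The ticket fields, the HMAC-SHA256 scheme, the shared key, the meeting table and the RTT figures are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Ticket is issued by the Meeting Manager in step 2 and handed back by the
// CB in step 5. Field names and the HMAC-SHA256 scheme are assumptions.
type Ticket struct {
	MeetingID string `json:"mid"`
	User      string `json:"user"`
	Role      string `json:"role"` // "host" or "attendee"
	Expires   int64  `json:"exp"`
	MAC       string `json:"mac"`
}

type meeting struct{ host, password string }

// MeetingManager authenticates joins, logs access and vouches for tickets.
type MeetingManager struct {
	key       []byte // shared with the CBs out of band (assumed)
	meetings  map[string]meeting
	AccessLog []string
}

func NewMeetingManager() *MeetingManager {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	// Constructed sample meeting table (a real system would store password hashes).
	return &MeetingManager{key: k, meetings: map[string]meeting{"123456789": {"alice@example.com", "s3cret"}}}
}

func (m *MeetingManager) sign(t Ticket) string {
	t.MAC = ""
	b, _ := json.Marshal(t) // fixed struct field order keeps this deterministic
	mac := hmac.New(sha256.New, m.key)
	mac.Write(b)
	return hex.EncodeToString(mac.Sum(nil))
}

// Join is step 2: authenticate, register the user, log the access, issue a ticket.
func (m *MeetingManager) Join(mid, user, password string) (Ticket, bool) {
	mt, ok := m.meetings[mid]
	if !ok || !hmac.Equal([]byte(mt.password), []byte(password)) {
		m.AccessLog = append(m.AccessLog, "DENY "+user+" "+mid)
		return Ticket{}, false
	}
	t := Ticket{MeetingID: mid, User: user, Role: "attendee", Expires: time.Now().Add(5 * time.Minute).Unix()}
	if user == mt.host {
		t.Role = "host"
	}
	t.MAC = m.sign(t)
	m.AccessLog = append(m.AccessLog, "GRANT "+user+" "+mid+" "+t.Role)
	return t, true
}

// Verify is the step-5 check a CB makes with the Meeting Manager.
func (m *MeetingManager) Verify(t Ticket) bool {
	return hmac.Equal([]byte(m.sign(t)), []byte(t.MAC)) && t.Expires > time.Now().Unix()
}

// BestCB is step 3: the Ping Server reports the CB with the lowest measured RTT (ms).
func BestCB(rtt map[string]float64) string {
	best := ""
	for name, ms := range rtt {
		if best == "" || ms < rtt[best] {
			best = name
		}
	}
	return best
}

var privileges = map[string][]string{"host": {"share", "annotate", "lock", "eject"}, "attendee": {"annotate"}}

// Connect is steps 4-5 at the CB: it never trusts the role the client claims,
// it re-validates the ticket with the Meeting Manager before granting privileges.
func Connect(cb string, mm *MeetingManager, t Ticket) ([]string, bool) {
	if !mm.Verify(t) {
		return nil, false
	}
	return privileges[t.Role], true
}

func main() {
	mm := NewMeetingManager()
	rtt := map[string]float64{"cb-sanjose": 45, "cb-uk": 110} // constructed RTTs
	t, _ := mm.Join("123456789", "bob@example.com", "s3cret")
	fmt.Println(Connect(BestCB(rtt), mm, t))
	t.Role = "host" // the client edits its own ticket
	fmt.Println(Connect("cb-uk", mm, t))
}
```

The second Connect call in main is the point of the model: the bridge grants nothing on the edited ticket because the MAC computed by the Meeting Manager no longer matches, and the access log records the original attendee grant, not a host grant.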

Page 7: Cisco WebEx Security

GDM switch architecture

[Diagram: San Jose Data Center (Cluster A) and UK Data Center (Cluster B), each with Zone1 and Zone2 of CBs behind an MZM; a virtual MMP pool of MCS servers with MCC and MMPDB; WWP and WebDB]

Page 8: Cisco WebEx Security

GDM enables lowest desktop sharing latency

[Chart: average total latency (seconds), y-axis 0 to 50, East Coast and West Coast, for Cisco WebEx Meeting Center, Adobe Connect Pro, Citrix GoToMeeting, Microsoft Live Meeting and Netviewer View. Bar values as extracted, vendor assignment lost: 6.2, 35.5, 8.5, 38.7, 16.1, 17.4, 47.6, 23.8, 49, 38.3]

Source: Lab Testing Summary Report - Web Conferencing, Report # 100716, Miercom, Sept 2010. Tests were conducted in two different locations with different network access points. Total latency was calculated over a 13-slide PPT deck with various animations and transitions.

Page 9: Cisco WebEx Security

Summary of CDN and GDM benefits

CDN (Content Delivery Network) improves the join/start meeting experience: the CDN enables faster download of the Meeting Client binary to the attendee/host computer

GDM (Global Distributed Meeting) enhances the in-meeting experience: GDM connects the attendee/host to the closest WebEx data center for faster communication in the meeting

Page 10: Cisco WebEx Security

Cisco multi-layer security model (Cisco WebEx Collaboration Cloud)

Site Security: customer-defined service administration

Collaboration Security: access controls, policy management

Network Security: SSL/AES encryption, user authentication

Physical Security: data center secure facility

Third-Party Audits: SAS-70 Type II; ISO 27001 (planned)

Page 11: Cisco WebEx Security

Physical security: Cisco CSG applications (secure service platform)

Intrusion Detection & Response: 24/7 response capabilities

Vulnerability Management: daily scan schedule; documented patching process

High Availability: 24/7 service monitoring; geographic failover

Hardened Networks: firewalls; secure device configuration baselines

Hardened Systems: STIG-derived hardening standards; application whitelisting

Strict Access Controls: 2-factor authentication

Page 12: Cisco WebEx Security

Network security: leveraging best-in-class technologies

• Data-in-motion protection: 128-bit SSL encryption standard; 256-bit AES end-to-end encryption; PKI optional

• Data-at-rest protection: strict access control; data is switched, not stored; Network Based Recording (NBR)

Data protection for Conferencing, IM, Spaces

Page 13: Cisco WebEx Security

Default SSL encryption

• All WebEx meeting traffic is encrypted with 128-bit SSL encryption

• All traffic is secured and transported over HTTPS (port 443) while on the public network

• SSL-enabled meetings are implemented by default in the WebEx environment

[Diagram: Internet, SSL accelerator, meeting switches. Meeting data and control data travel inside SSL from the client to the SSL accelerator, where they are decrypted (Encrypt/Decrypt) before reaching the meeting switches; in this default mode the meeting data is therefore in the clear inside the WebEx data center, which is what the end-to-end mode on the next page changes]

Page 14: Cisco WebEx Security

End-to-end encryption

• Meeting data is encrypted using AES at the client

• Meeting data remains encrypted over the entire network, including through the SSL accelerator and the meeting switches

• 256-bit cipher strength

• Random key generation

• Self-signed X.509 certificates are used to exchange the key, so this mode protects confidentiality but does not by itself validate who the peer is; that is what the PKI option on the next page adds

• Control data remains unencrypted at the AES layer (it is still carried inside SSL on the wire) to optimize switching of meeting traffic between attendees

[Diagram: Internet, SSL accelerator, meeting switches. Meeting data stays AES-encrypted end to end; control data is protected only by SSL]
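As an added example (not code from the slide deck or from Cisco), the end-to-end model above in Go: the host generates a random 256-bit key, meeting data is sealed with AES-256-GCM at the sending client, and the control header is left in the clear but bound to the ciphertext as associated data. A Route function stands in for the meeting switch, which can read the header but holds no key. AES-GCM, the header format and the packet layout are assumptions; the slide only states AES with 256-bit keys and an unencrypted control channel.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"strings"
)

// Packet is what the meeting switch handles (illustrative, not the WebEx wire
// format): the control header stays readable so the switch can route on it;
// the meeting data is AES-256-GCM ciphertext the switch cannot open.
type Packet struct {
	Control string // e.g. "mid=...;to=..."; cleartext at the AES layer, still inside SSL on the wire
	Nonce   []byte
	Data    []byte
}

// NewMeetingKey is the random 256-bit key generated at the host client.
func NewMeetingKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs at the sending client. The control header is bound as associated
// data, so a switch can read it but cannot re-address the packet unnoticed.
func Seal(key []byte, control, plaintext string) (Packet, error) {
	g, err := gcm(key)
	if err != nil {
		return Packet{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Packet{}, err
	}
	return Packet{Control: control, Nonce: nonce, Data: g.Seal(nil, nonce, []byte(plaintext), []byte(control))}, nil
}

// Open runs at the receiving client, the only other party holding the key.
func Open(key []byte, p Packet) (string, error) {
	g, err := gcm(key)
	if err != nil {
		return "", err
	}
	pt, err := g.Open(nil, p.Nonce, p.Data, []byte(p.Control))
	return string(pt), err
}

// Route is the switch's view: it reads only the control header and returns the
// attendee the packet is for. It never needs, and never sees, the meeting key.
func Route(p Packet) string {
	for _, kv := range strings.Split(p.Control, ";") {
		if strings.HasPrefix(kv, "to=") {
			return strings.TrimPrefix(kv, "to=")
		}
	}
	return ""
}

func main() {
	key, _ := NewMeetingKey() // delivered to attendees under their certificates (see the PKI page)
	pkt, _ := Seal(key, "mid=123456789;from=host;to=bob", "desktop frame bytes")
	fmt.Println("switch routes to:", Route(pkt))
	fmt.Println(Open(key, pkt))
	pkt.Control = "mid=123456789;from=host;to=mallory" // a compromised switch re-addresses it
	fmt.Println(Open(key, pkt))
}
```

Binding the control header as associated data is a design choice beyond what the slide states: it keeps the header switchable in the clear while making a re-addressed packet fail authentication at the receiver.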

Page 15: Cisco WebEx Security

PKI identity validation

• Use of PKI provides identity validation and authorization of attendees

• AES encryption keys are secured by digital certificates

• Certificate access is supported through Microsoft Crypto libraries or Apple Macintosh Keychains

• Support for multiple certificate authorities per site; CAs are uploaded by the site admin

• WebEx will not provide certificate authority services

[Diagram: the host certificate and the attendee certificate are each validated against the CAs uploaded by the admin; meeting data: AES + PKI; control data: SSL]
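Added example for the PKI mode on this page and the self-signed default on the previous one (written for this page, not Cisco code): a certificate issued by an admin-uploaded CA passes ValidateIdentity, a self-signed certificate carrying the same name does not, and the AES meeting key is then wrapped under the public key of the validated certificate. Example Corp, the certificate names, RSA-OAEP as the key-transport scheme and the OAEP label are assumptions; the slide says only that AES keys are secured by digital certificates.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var keyLabel = []byte("meeting-key") // assumed OAEP label

// NewCert issues an X.509 certificate for cn. With parent == nil it is
// self-signed (the default end-to-end mode); otherwise parent issues it, which
// is the PKI mode where an admin-uploaded CA vouches for host and attendee identity.
func NewCert(cn string, key *rsa.PrivateKey, parent *x509.Certificate, parentKey *rsa.PrivateKey, isCA bool) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ValidateIdentity is the PKI check on the slide: the peer's certificate must
// chain to one of the CAs the site administrator uploaded. A self-signed
// certificate with the same name fails here, which is exactly what the
// default self-signed mode cannot detect.
func ValidateIdentity(peer *x509.Certificate, adminCAs *x509.CertPool) error {
	_, err := peer.Verify(x509.VerifyOptions{Roots: adminCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// WrapKey secures the AES meeting key under the public key in a validated
// attendee certificate (RSA-OAEP is an assumption; the slide does not name the scheme).
func WrapKey(pub *rsa.PublicKey, meetingKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, meetingKey, keyLabel)
}

// UnwrapKey recovers it at the attendee, who alone holds the matching private key.
func UnwrapKey(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, keyLabel)
}

func main() {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca, _ := NewCert("Example Corp Issuing CA", caKey, nil, nil, true) // uploaded by the site admin
	bobKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := NewCert("bob@example.com", bobKey, ca, caKey, false)
	impostorKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	impostor, _ := NewCert("bob@example.com", impostorKey, nil, nil, false) // self-signed, same name
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	fmt.Println("CA-issued bob:", ValidateIdentity(bob, pool))
	fmt.Println("self-signed bob:", ValidateIdentity(impostor, pool))
	meetingKey := []byte("0123456789abcdef0123456789abcdef") // stand-in for the host's random key
	blob, _ := WrapKey(&bobKey.PublicKey, meetingKey)
	got, err := UnwrapKey(bobKey, blob)
	fmt.Println(string(got), err)
}
```

The impostor certificate is what the self-signed default accepts: the name matches and the key exchange works, but only the CA-backed chain tells the host it is really talking to bob@example.com, which is the point of the site admin uploading CAs.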

Page 16: Cisco WebEx Security

Layered encryption model

• SSL is supported for all WebEx Enterprise meeting services

• The "End to End Encryption Session Type" needs to be enabled on the WebEx site

• AES/PKI is only supported on Meeting Center

• AES/PKI does not support Network Based Recording, Join Before Host, or Hybrid Audio

• PKI deployment is restricted to Windows and Mac OS

• PKI requires an existing X.509 certificate infrastructure to be in place

[Diagram: the SSL, AES and PKI layers shown side by side]

Page 17: Cisco WebEx Security

NBR security

• Administrator can set recording policies for each session:

  Disable recording

  Disable download

  Password-protect downloads

  Disable forwarding of links to the recording

Page 18: Cisco WebEx Security

Policy management

• Policies can be used to manage and enforce corporate rules governing all aspects of collaboration

• Policies can be used to:

  Enable/disable features

  Manage collaboration privileges

  Enforce enterprise security policies

• During a meeting, the host can:

  Lock the meeting

  Eject attendees

  Assign presenter and annotation privileges

  Re-assign the host role

Page 19: Cisco WebEx Security

Collaboration security

• Set meeting password

• Lock down meeting

• Eject attendees

• Disable share

• Host privileges

• Audio dial-in/dial-out control

Page 20: Cisco WebEx Security

Rigorous audits by independent parties

• Customer/site audits: on an "as needed" basis

• Internal audits: performed "as needed" for Cisco's internal audit group

• SAS70 Type II audit: targeted for completion in Feb 2011

• ISO27001 compliance: targeted for completion end of 2011

• Infrastructure and application security assessments: code-assisted pen tests by iSec Partners

Page 21: Cisco WebEx Security

Integration points

WebEx offers 3 basic APIs as integration points; SAML is also available

TSP API: in-meeting integration (active talker, mute/un-mute, etc.)

XML API: provisioning and usage collection

URL API: login/SSO, join/start meeting, page authentication

Page 22: Cisco WebEx Security

In-meeting integration: TSP API architecture

[Diagram: WebEx side (Telephony Server, Meeting Server, Data Conference) and partner side (TSP Partner Hosted Adaptor Server, Audio Bridge, Audio Conference, PSTN), separated by the WebEx firewall, the Internet, and the partner firewall; the meeting attendee joins both the data conference and the audio conference]

XML communication takes place between the WebEx Telephony Server and the TSP Partner Adaptor Server

The adaptor uses the Bridge API to manage low-level communication to the audio bridge

Page 23: Cisco WebEx Security

Thank you.