#CiscoLiveLA 2017 Presentation by Miro Polakovic
2. Cisco Spark Platform & On Premise Security Explained
Miro Polakovic
Technical Marketing Engineer
Cisco Collaboration Technology Group
BRKCOL-2030
3. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark Questions?
Use Cisco Spark to chat with the speaker after the session
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKCOL-2030
Cisco Spark spaces will be available until November 17, 2017.
4. Agenda
Introduction – Cisco Spark Security
Realms of Separation and Identity Obfuscation
Cloud based Data Security and Data Services
Synchronizing User IDs with Cisco Spark Platform & Single Sign On Support
Secure Cloud Connection, Data Encryption, secure search indexing
Compliance & E-Discovery Services, Retention Policies, Data ownership
Hybrid Data Security (HDS)
KMS on premise, Architecture, Search, Firewalls, Federation
Firewalls and Proxies Support
WebEx update
Management, Pro-Pack, SSO, Best Practices
5. Business Messaging Over Time…
6. Business Class Security Features
User Access Controls: Lock rooms to moderate room participants and content* (*Not included in free)
IT Management: Add Single Sign-On, directory sync, and view analytics
Encryption: End-to-end encryption in the cloud, and in-transit and media encryption
7. Security and Compliance Challenge
Shadow IT vs. Corporate IT
Anywhere Access, Fully Searchable, Data/App Integrated, Cloud Managed
Discoverable, Enterprise Integrated, Encrypted, Compliant
Open Collaboration Secured: No Compromise Collaboration
9. Cisco Spark Platform
Security, Compliance & Analytics (IT Requirements):
End to End Encryption + Key Management
Hybrid Data Security
Enterprise Identity & Access Management
Retention Policies
eDiscovery Search
Data Loss Prevention
Advanced Analytics: ✓ Operational ✓ Behavioral ✓ Productivity ✓ Utilization
Cisco Spark services: Meetings, Business Messaging, Devices, Bots, Integrations, Calling, File Sharing
10. Cisco Collaboration Cloud Security - Realms of Separation
Cisco Spark logically and physically separates functional components within the cloud:
Identity Services holding real user identity (e.g. email addresses) are separated from
Encryption, Indexing and Compliance Services, which are in turn separated from
Data Storage Services
(Diagram: Identity Service, Key Mgmt Service, Indexing Service, Compliance Service and Content Server spread across Data Center A, Data Center B and Data Center C)
11. Realms of Separation – Encryption and Storage
Cisco Spark logically and physically separates functional components within the cloud
Data Services such as Encryption Key Generation, Secure Message Indexing for Data Search, and Data Compliance functions operate in different Data Centers from the Data Center that encrypted content is stored in
Data Storage services never have access to Encryption Keys
12. Realms of Separation – Identity Obfuscation
Outside of the Identity Service, real identity information is obfuscated:
For each User ID, Spark generates a random 128-bit Universally Unique Identifier (UUID) = the user’s obfuscated identity (e.g. jsmith@abc.com -> htzb2n78jdbc9e)
No real identity information transits, or is stored, elsewhere in the cloud
13. Cisco Spark – User Identity Sync and Authentication
Directory Sync into the Identity Service:
User info can be synchronized from the Enterprise Active Directory
Multiple user attributes can be synchronized
Scheduled sync tracks employee changes
Passwords are not synchronized; the user either 1) creates a password or 2) uses SSO for authentication
14. Cisco Spark – SAML SSO Authentication
SSO for user authentication: administrators can work with their existing SSO solution (IdP) alongside Directory Sync into the Identity Service
Identity Providers use Security Assertion Markup Language (SAML) 2.0 and OAuth 2.0
15. On-Premise Identity as a Service
Cisco Collaboration Identity Partners
Cisco Spark integrates with Enterprise IdPs on premise or in the cloud
17. Direct Internet access – Cisco Spark app connection
1) Customer downloads and installs Cisco Spark application (with Trust anchors)
2) Cisco Spark Client establishes a secure TLS connection with Cisco Spark Platform
3) Cisco Spark Identity Service prompts for an e-mail ID
4) User authenticated by Spark Identity Service, or the Enterprise IdP (SSO)
5) OAuth Access and Refresh Tokens created and sent to Cisco Spark app
• The Access Tokens contain details of the Spark resources the User is authorized to access
6) Spark Client presents its Access Tokens to register with Spark Services over a secure channel
18. Direct Internet access – Cisco Spark Device connection
1) User enters 16 digit activation code received via e-mail from the Spark provisioning service (e.g. 1234567890123456)
2) Device authenticated by Identity Service (Trust anchors sent to device and secure connection established)
3) OAuth Access and Refresh Tokens created and sent to Spark Client
• The Access Tokens contain details of the Spark resources the User is authorized to access
4) Spark Client presents its Access Tokens to register with Spark Services over a secure channel
19. Cisco Spark - Encrypting Messages and Content
Spark Clients request a conversation encryption key from the Key Management Service
Any messages or files sent by a Client are encrypted before being sent to the Cisco Spark Platform (Content Server)
Each Spark Room uses a different Conversation Encryption key
AES256-GCM cipher used for Encryption
20. Cisco Spark - Decrypting Messages and Content
Encrypted messages sent by a Client are stored in the Cisco Spark Platform (Content Server) and also sent on to every other Client in the Spark Space
The encrypted message also contains a link to the conversation encryption key
If needed, the Cisco Spark app can retrieve encryption keys from the Key Management Service
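The per-room AES-256-GCM scheme described on slides 19 and 20 (and, with the KMS moved on premise, on slides 38 and 39), as an added Go example that is not code from the presentation or from Cisco; the simulated KMS, the key URI format and the use of the key link as GCM associated data are assumptions for illustration:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// RoomKey is a conversation encryption key handed out by the (simulated) Key
// Management Service. URI is the "link to the conversation encryption key"
// that travels with every message; the format is an assumption.
type RoomKey struct {
	URI string
	Key []byte // 32 bytes => AES-256
}

// KMS simulates the Key Management Service: it alone holds the keys, by URI.
type KMS struct {
	keys map[string][]byte
}

func NewKMS() *KMS { return &KMS{keys: map[string][]byte{}} }

// NewRoomKey mints a fresh random 256-bit key for one room.
func (k *KMS) NewRoomKey(roomID string) (RoomKey, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return RoomKey{}, err
	}
	uri := "kms://example.invalid/keys/" + roomID // constructed URI
	k.keys[uri] = key
	return RoomKey{URI: uri, Key: key}, nil
}

// Fetch is a client "retrieving the key from the KMS" by following the link.
func (k *KMS) Fetch(uri string) ([]byte, error) {
	key, ok := k.keys[uri]
	if !ok {
		return nil, errors.New("unknown key URI")
	}
	return key, nil
}

// Envelope is what the Content Server stores and relays to other clients:
// ciphertext plus the key link, never the key itself.
type Envelope struct {
	KeyURI     string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the auth tag appended
}

// Encrypt seals a message under the room key. The key URI is bound as
// additional authenticated data so the link cannot be re-pointed unnoticed.
func Encrypt(rk RoomKey, plaintext []byte) (Envelope, error) {
	block, err := aes.NewCipher(rk.Key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(rk.URI))
	return Envelope{KeyURI: rk.URI, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt follows the envelope's key link to the KMS, then opens the message.
func Decrypt(kms *KMS, env Envelope) ([]byte, error) {
	key, err := kms.Fetch(env.KeyURI)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KeyURI))
}

func main() {
	kms := NewKMS()
	roomA, _ := kms.NewRoomKey("room-a")
	roomB, _ := kms.NewRoomKey("room-b")
	env, _ := Encrypt(roomA, []byte("Spark IS the message"))
	fmt.Println("stored:", env.KeyURI, hex.EncodeToString(env.Ciphertext))
	pt, _ := Decrypt(kms, env)
	fmt.Println("decrypted:", string(pt))
	env.KeyURI = roomB.URI // a message re-pointed at another room's key
	if _, err := Decrypt(kms, env); err != nil {
		fmt.Println("tampered key link rejected:", err)
	}
}
```

The Content Server side of this model holds only Envelope values, which is why storage never needs (or sees) a key.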
22. Searching Spaces: Building a Search Index
The Indexing Service enables users to search for names and words in the encrypted messages stored in the Content Server
A Search Index is built by creating a fixed length hash* of each word in each message within a Space (diagram: Hash Algorithm turns “Spark IS the message” into B9 57 FE 48)
The hashes for each Spark Space are stored by the Content Service
* A new (SHA-256 HMAC) hashing key (Search Key) is used for each room
23. Searching Space: Querying a Search Index
Search for the word “Spark”:
Client sends search request over a secure connection to the Indexing Service
The Indexing Service uses Per Space Search keys to hash the search terms (“Spark” -> “B9”)
The Content Server searches for a match in its hash tables (B9 57 FE 48 = “Spark IS the Message”) and returns matching content to the client*
*A link to Conversation Encryption Key is sent with encrypted message
24. Enterprise Compliance - eDiscovery Search
§ Compliance Console and eDiscovery features support investigating DLP and
other compliance events with speed and accuracy
§ Events API allows integration with systems for IT governance (CASB, DLP)
Value to Enterprise
§ Meet HR, GRC & Legal compliance mandates
§ Only authorized members of the DLP, HR and
GRC teams can investigate events
25. Cisco Spark Content Ownership
Organization (org)
• Collection of users under the administrative domain of a single entity; the org has rights to the content of its users.
Spaces
• Ownership falls on the org of the user that creates the space.
• Covers space properties, content and events
Teams
• Ownership falls on the org of the user that creates the team.
• This organization also owns all spaces created under the team.
26. What does Content Ownership get you?
Action | Owning Organization | Participating Organization
CREATE
Post content into the space | No | No
READ
Read content (messages and files) posted by its own users into the space | Yes | Yes
Read content posted by any user in the space | Yes | No
UPDATE
Modify content posted by users into the space | No | No
DELETE
Delete content posted by its own users in the space | Yes | Yes
Delete content posted by any user in the space | Yes | No
Define retention policies for the space | Yes | No
Protect the End user! Compliance Officer role
27. Search Spark Space Activity: Cisco Spark Search and Extraction Console
Enable legal discovery and incident investigation
Extension of Cisco Cloud Collaboration Management
Compliance Officer Role
Search on email ID, Room ID, keywords
Extraction of texts, files and contextual data
28. Cisco Spark Compliance Service: E-Discovery (1)
Compliance Officer (via the Cloud Collaboration Management Portal) selects a group of messages and files to be retrieved for E-Discovery, e.g. based on date range / content type / user(s)
The Indexing Service hashes the selection (diagram: Jo Smith’s Content -> “X1GFT5YY”) and searches the Content Server for related content
The Content Server returns matching content to the Compliance Service
29. Cisco Spark Compliance Service: E-Discovery (2)
The Compliance Service decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service
The E-Discovery Storage Service sends the compressed and encrypted content (Jo Smith’s Messages and Files) to the Compliance Officer via the Cloud Collaboration Management Portal: E-Discovery Content Ready
30. Event API for Data Loss Prevention (DLP)
Integrate with DLP, Cloud Access Security Broker (CASB), Archival and eDiscovery solutions
Provides a stream of events and content that enables organizations to monitor and correct user behavior, preventing the loss of sensitive data
Cisco Spark (Content Server, Key Management Server) sends a stream of events to the third party DLP or CASB, which applies its policies and takes corrective actions: Delete content, Remove user, Delete title
31. Retention Policies
§ Match message, meeting record and file storage for corporate risk management
§ Includes white board records
§ Content is deleted -- including backups
Value to Enterprise
§ Control exposure by limiting amount of content in the cloud
§ Align and unify policies across email, message products
33. Hybrid Data Security
§ Creates a secure enclave in the customer data center to manage and provide
visibility to the keys that secure the content, actions, & data within Spark
Value to Enterprise
§ Ownership & Control of key management
§ Assist enterprises in more highly regulated industries with meeting highest standards of
encryption and data loss prevention
34. Cisco Spark – Hybrid Data Security (HDS)
Hybrid Data Security = Hybrid Data Services on premise, in the customer’s Secure Data Center:
Key Management Server
Indexing Server
E-Discovery Service
(Diagram: Key Mgmt Service, Indexing Service and Compliance Service inside the Secure Data Center; Content Server in the Cisco Spark cloud)
35. Cisco Spark – Hybrid Data Security: Key Management
The Hybrid Key Management Server performs the same functions as the Cloud based Key Management Server
BUT now all of the keys for messages and content are owned and managed by the Customer
36. Hybrid Data Security traffic and Firewalls
Hybrid Data Services make outbound connections only, from the Enterprise to the Cisco Spark Platform, using HTTPS and Secure WebSockets (WSS)
No special Firewall configuration required
37. Hybrid Data Security - Scalability
The Hybrid Data Security is managed and upgraded from the cloud
Customers can access usage information for the HDS Servers via the cloud management portal
Multiple HDS servers can be provisioned for Scalability & Load Sharing
38. HDS - Encrypting Messages & Content
Cisco Spark app requests an encryption key from the Hybrid Key Management Server
Any messages or files sent by a Client are encrypted before being sent to the Cisco Spark Platform
Encrypted messages and content stored in the cloud
Encryption Keys stored locally
39. HDS - Decrypting Messages & Content
Encrypted messages from Clients are stored in the Cisco Spark Platform
These messages are sent to every other Client in the Spark Room and contain a link to their encryption key on the Hybrid Key Management Server
The Cisco Spark App will retrieve encryption keys from the Hybrid Key Management Server
40. Hybrid Data Security: Search Indexing Service
The Indexing Service, now in the Secure Data Center, enables users to search for names and words in the encrypted messages stored in the Content Server
(Diagram: Hash Algorithm turns “Spark IS the message” into B9 57 FE 48)
* A new hashing key (Search Key) is used for each room
41. Hybrid Data Security: Querying a Search Index
Client sends its search request over a secure connection to the Indexing Service in the Secure Data Center
Search for the word “Spark”: the Indexing Service hashes the term (“Spark” -> “B9”) and the Content Server matches it against the stored hashes (B9 57 FE 48 = “Spark IS the Message”)
*A link to Conversation Encryption Key is sent with the encrypted message
42. Cisco Spark Compliance Service: E-Discovery (1), with Hybrid Data Security
Admin (via the Cloud Collaboration Management Portal) selects a group of messages and files to be retrieved for E-Discovery, e.g. based on date range / content type / user(s)
The Indexing Service in the Secure Data Center hashes the selection (diagram: Jo Smith’s Content -> “X1GFT5YY”) and searches the Content Server for selected content
The Content Server returns matching content to the Compliance Service
43. Cisco Spark Compliance Service: E-Discovery (2), with Hybrid Data Security
The Compliance Service in the Secure Data Center decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service
E-Discovery Storage Service sends the compressed and encrypted content (Jo Smith’s Messages and Files) to the Administrator on request via the Cloud Collaboration Management Portal: E-Discovery Content Ready
45. HDS: Key Management Server Federation
Hybrid Key Management Servers in different Enterprises (Enterprise A and Enterprise B) establish a Mutual TLS* connection via Cisco Spark Platform
Hybrid Key Management Servers make outbound connections only: HTTPS, Web Socket Secure (WSS)
*All connections to and within Cisco Spark Platform use ECDH to generate symmetric Encryption Keys
46. HDS: Key Management Server Federation
With a secure connection between Hybrid KMSs, users can be added to rooms created by each Enterprise
Mutually authenticated Hybrid KMSs can request Room Encryption Keys from one another on behalf of their Users
48. Hybrid Data Security Architecture
Secure Data Center A: vSphere hosting Hybrid Data Services Nodes (VMs), each running Docker with an ECP Mgmt Container and HDS Containers, with the HDS Cluster Config File attached through an IDE Mount
ECP (Enterprise Compute Platform): Management containers which communicate with the cloud and perform actions such as sending health checks and checking for new versions of HDS.
HDS (Hybrid Data Security): Key Management Server, Search Indexer, and eDiscovery Services.
HDS Cluster Config: An ISO file containing configuration information for the local HDS cluster, e.g. Database connection settings, Database Master Encryption key, etc.
IDE Mount: Mount point of the read-only HDS Cluster Config ISO file containing the configuration settings for the HDS system.
Customer Provided Services: Postgres Database, Syslogd, Database Back Up, System Back Up
49. Hybrid Data Security – Positioning: HDS may not be desirable for all customers
HDS includes:
✓ KMS
✓ Search indexer
✓ eDiscovery backend
Whilst HDS offers unique security features to customers in that they, and they alone, can store and own the encryption keys for their messages and content….
These benefits also come with significant responsibilities:
A HDS Deployment requires significant customer commitment and an awareness of the risks that come with owning encryption keys…
Complete loss of either the configuration ISO or the Postgres Database will result in loss of the decryption keys stored in HDS. This will prevent users from decrypting space content and other encrypted data. If this happens, an empty HDS can be restored, however, only new content will be visible.
50. HDS Install Prerequisites
See prerequisites in https://www.cisco.com/go/hybrid-data-security
X.509 Certificate, Intermediates and Private Key
  PKI (Public Key Infrastructure) is used for KMS to KMS federation
  Common Name signed by a member of the Mozilla Trusted Root Store
  No SHA1 signatures
  PKCS12 format
2 ESXi Virtualized Hosts: Min 2 to support upgrades, 3 recommended, 5 max
  Minimum 4 vCPUs, 8-GB main memory, 50-GB local hard disk space per server
  kms://cisco.com easily supports 15K users per HDS.
1 Postgres 9.6.1 Database Instance (Key datastore)
  8 vCPU, 16 GB RAM, 2 TB Disk. User created with createuser. Assigned GRANT ALL PRIVILEGES ON database.
1 Syslog Host
  hostname and port required to centralize syslog output from the three HDS instances and management containers
A secure backup location
  The HDS system requires organization administrators to securely back up two key pieces of information: 1) A configuration ISO file generated by this process 2) The postgres database. Failure to maintain adequate backups will result in loss of customer data. See <Section on Disaster Recovery>.
Network
  Outbound HTTPS on TCP port 443 from HDS host
  Bi-directional WSS on TCP port 443 from HDS host
  TCP connectivity from HDS host to Postgres database host, syslog host and statsd host
52. Connecting from the Enterprise - Firewalls
Whitelisted Ports and Destinations:
Media Port Ranges:
  Source UDP Ports: Voice 52000 - 52099, Video 52100 - 52299
  Source TCP/HTTP Ports: Ephemeral (=> No DSCP re-marking)
  Destination UDP/TCP/HTTP Port: 5004, 5006
  Destination IP Addresses: Any
• Spark Call (7800, 8800 Phones)
• Spark Desk and Room Devices
• Spark Clients
• See following slides for details
Supported by most devices today, remaining devices on roadmap
(Diagram: Signalling and Media flows through the enterprise firewall)
53. Voice and Video Classification and Marking: Source Range Summary – Endpoints and Clients
Audio: 52000-52099 (Spark Soft Clients 52000 - 52049, Spark Devices 52050 - 52099)
Video: 52100-52299 (Spark Soft Clients 52100 - 52199, Spark Devices 52200 - 52299)
54. Spark Apps: Network Port and Whitelist Requirements
Spark applications: Windows, Mac, iOS, Android, Web
Protocol | Source Ports | Destination Ports | Destination | Function
UDP | Voice 52000 – 52049, Video 52100 – 52199 (Exception - Windows (OS Firewall issue): Ephemeral source ports used today, fix due by Q3 CY '17) | 5004 & 5006 | Any IP Address | SRTP over UDP to Cisco Spark Media Nodes
TCP | Ephemeral | 5004 & 5006 | Any IP Address | SRTP over TCP or HTTP to Cisco Spark Media Nodes
TCP | Ephemeral | 443 | identity.webex.com | HTTPS: Spark Identity Service
TCP | Ephemeral | 443 | idbroker.webex.com | HTTPS: OAuth Service
TCP | Ephemeral | 443 | *.wbx2.com | HTTPS: Core Spark Services
TCP | Ephemeral | 443 | *.webex.com | HTTPS: Identity management
TCP | Ephemeral | 443 | *.ciscospark.com | HTTPS: Core Spark Services
TCP | Ephemeral | 443 | *.clouddrive.com | HTTPS: Content and Space Storage
TCP | Ephemeral | 443 | *.rackcdn.com | HTTPS: Content and Space Storage
TCP | Ephemeral | 443 | *.crashlytics.com | HTTPS: Anonymous crash data
TCP | Ephemeral | 443 | *.mixpanel.com | HTTPS: Anonymous Analytics
TCP | Ephemeral | 443 | *.appsflyer.com | HTTPS: Mobile Clients only - Ad Analytics
TCP | Ephemeral | 443 | *.adobedtm.com | HTTPS: Web Clients only - Analytics
TCP | Ephemeral | 443 | *.omtrdc.net | HTTPS: Web Clients only - Telemetry
TCP | Ephemeral | 443 | *.optimizely.com | HTTPS: Web Clients only - Metrics
55. Spark Devices: Network Port and Whitelist Requirements
Desktop and Room Systems: SX Series, DX Series, MX Series, Room Kits, Spark Boards*
Protocol | Source Ports | Destination Ports | Destination | Function
UDP | Voice 52050 – 52099, Video 52200 – 52299 | 5004 & 5006 | Any IP Address | SRTP over UDP to Cisco Spark Media Nodes
TCP | Ephemeral | 5004 & 5006 | Any IP Address | SRTP over TCP or HTTP to Cisco Spark Media Nodes* (Not Spark Board)
TCP | Ephemeral | 443 | identity.webex.com | HTTPS: Spark Identity Service
TCP | Ephemeral | 443 | idbroker.webex.com | HTTPS: OAuth Service
TCP | Ephemeral | 443 | *.wbx2.com | HTTPS: Core Spark Services
TCP | Ephemeral | 443 | *.webex.com | HTTPS: Identity management
TCP | Ephemeral | 443 | *.ciscospark.com | HTTPS: Core Spark Services
TCP | Ephemeral | 443 | *.clouddrive.com | HTTPS: Content and Space Storage
TCP | Ephemeral | 443 | *.rackcdn.com | HTTPS: Content and Space Storage
TCP | Ephemeral | 443 | *.crashlytics.com | HTTPS: Anonymous crash data
TCP | Ephemeral | 443 | *.mixpanel.com | HTTPS: Anonymous Analytics
Spark Board only: TCP | Ephemeral | 80 | www.cisco.com or www.ciscospark.com or www.google.com or www.amazon.co.uk | HTTP for time synchronization
56. Connecting from the Enterprise - Firewalls
Media Port Ranges:
  Source UDP Ports: Voice and Video 34000 - 34999
  Source TCP/HTTP Ports: Ephemeral (=> No DSCP re-marking)
  Destination UDP/TCP/sRTP Port: 5004, 5006
  Destination IP Addresses: Any
Hybrid Media Node (HMN):
• Can be used to limit source IP address range to HMNs only
• Hybrid Media Node Source UDP ports for voice and video are different to those used by endpoints – Used for cascade links to Cisco Spark Platform
• Voice and Video use a common UDP source port range: 33434 - 33598
(Diagram: Signalling and Media flows through the enterprise firewall)
57. Connecting from the Enterprise - Firewalls
Hybrid Data Security Node (HDS):
• Key Management Service
• Indexing (Search) Service
• E-Discovery Service
Hybrid Data Services:
• HDS Signaling Traffic Only
• Outbound HTTPS and WSS Signaling Only
(Diagram: Signalling and Media flows through the enterprise firewall)
58. HMN & HDS Nodes: Network Port & Whitelist Requirements
Device | Protocol | Source Ports | Destination Ports | Destination | Function
Hybrid Media Node (HMN) | UDP | Voice and Video use a common UDP source port range: 34000 - 34999 | 5004, 5006 (Cascade Destination) | Any IP Address | Cascaded SRTP over UDP Media Streams to Cloud Media Nodes
Hybrid Media Node (HMN) | TCP | Ephemeral | 5004 (Cascade Destination) | Any IP Address | Cascaded SRTP over TCP/HTTP Media Streams to Cloud Media Nodes
Hybrid Media Node (HMN) | TCP | Ephemeral | 123, 53, 444 | Any | NTP, DNS, HTTPS
Hybrid Media Node (HMN) | TCP | Ephemeral | 443 | *wbx2.com, *idbroker.webex.com | HTTPS Configuration Services
Hybrid Data Security Node (HDS) | TCP | Ephemeral | 443 | *.wbx2.com, idbroker.webex.com, identity.webex.com, index.docker.io | Outbound HTTPS and WSS
60. Connecting from the Enterprise - Proxy Types
Proxy Types:
• Transparent Proxy (Device/Application is unaware of Proxy existence)
  • In Line Proxies (e.g. Combined Proxy and Firewall)
  • Traffic Redirection (e.g. Using Cisco WCCP)
• Proxy Address given to Device/Application……….
HTTP/HTTPS traffic only is sent to the Proxy server, e.g. destination ports 80, 443, 8080, 8443
(Diagram: Signalling and UDP Media paths)
61. Connecting from the Enterprise – Proxy Detection
• Proxy Detection (Proxy Address given to Device/Application)
  • Manual Configuration
  • Auto Configuration (Proxy Auto-Config (PAC) files)
(Diagram: each device/application obtains the Proxy Address either manually or from a PAC file; Signalling goes via the proxy, UDP Media does not)
62. Network Capabilities Spark Devices – Proxy Detection
Spark Device | Protocol | Software Train | Proxy Detection | Granular Configuration
Windows, Mac, iOS, Android, Web | HTTPS | WME | Yes: Manual; Yes: PAC Files | Manually Configure Proxy Address or Use PAC files (or Windows GPO)
DX | HTTPS | Room OS | Yes: Manual using Web access | Configure Proxy Address via device Web interface
SX | HTTPS | Room OS | Yes: Manual using Web access | Configure Proxy Address via device Web interface
MX | HTTPS | Room OS | Yes: Manual using Web access | Configure Proxy Address via device Web interface
Room Kits | HTTPS | Room OS | Yes: Manual using Web access | Configure Proxy Address via device Web interface
Spark Board | HTTPS | Spark Board OS | Yes: Manual Configuration | Manual Configuration of Proxy Address
7800 Phones | SIP, HTTPS | Synergy Lite | SIP – N/A; HTTPS – No (Planned) | Deploy In Line Proxy or Traffic Redirection (WCCP)
8800 Phones | SIP, HTTPS | Synergy Lite | SIP – N/A; HTTPS – No (Planned) | Deploy In Line Proxy or Traffic Redirection (WCCP)
ATA | SIP | ATA | SIP - N/A | N/A
63. Connecting from the Enterprise – Proxy Authentication
• Proxy intercepts outbound HTTP request
• Authenticates the User (Username & Password)
• Authenticated User’s traffic forwarded
• Unauthenticated User’s traffic dropped/blocked
Proxy Authentication is not mandatory; many Enterprises do no authentication
64. Common Proxy Authentication Methods
• Basic Authentication
• Digest Authentication
• NTLMv2 Authentication
• Negotiate Authentication
• Kerberos
65. Proxy Authentication Bypass Methods
Manually Configure Proxy Server with:
• Device IP Address (diagram: 10.100.200.1, 10.100.200.3)
• Whitelisted Destinations (e.g. *ciscospark.com): identity.webex.com, idbroker.webex.com, *.wbx2.com, *.webex.com, *.ciscospark.com, *.clouddrive.com, *.crashlytics.com, *.mixpanel.com, *.rackcdn.com
66. Network Capabilities Spark Devices – Proxy Authentication
Spark Device | Protocol | Software Train | Proxy Authentication | Granular Configuration
Windows, Mac, iOS, Android, Web | HTTPS | WME | Basic - No; Digest - No; NTLM - Yes (Windows); Kerberos - No | Windows Only Today. Other OSs use Authentication Bypass (Basic/Digest/Kerberos – Planned)
DX | HTTPS | Room OS | Yes: Basic Auth – Web based Config; Digest Auth - planned | Configure Username and Password for Proxy Authentication (Basic Auth)
SX | HTTPS | Room OS | Yes: Basic Auth – Web based Config; Digest Auth - planned | Configure Username and Password for Proxy Authentication (Basic Auth)
MX | HTTPS | Room OS | Yes: Basic Auth – Web based Config; Digest Auth - planned | Configure Username and Password for Proxy Authentication (Basic Auth)
Room Kits | HTTPS | Room OS | Yes: Basic Auth – Web based Config; Digest Auth - planned | Configure Username and Password for Proxy Authentication (Basic Auth)
Spark Board | HTTPS | Spark Board OS | Yes: Basic Auth - Manual Configuration | Configure Username and Password for Proxy Authentication (Basic Auth)
7800 Phones | SIP, HTTPS | Synergy Lite | SIP – N/A; HTTPS – No (Planned) | Authentication Bypass
8800 Phones | SIP, HTTPS | Synergy Lite | SIP – N/A; HTTPS – No (Planned) | Authentication Bypass
ATA | SIP | ATA | SIP – N/A | N/A
67. What do we send to Third Party sites?

| Site | Clients that Access It | What is sent there | User PII? | Anonymized Usage info? | Encrypted User Generated Content? |
| *.clouddrive.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing. Part of the Rackspace content system. | N | N | Y |
| *.rackcdn.com | Win, Mac, iOS, Android, Web, Spark Board | Encrypted files for Spark file sharing. Part of the Rackspace content system. | N | N | Y |
| *.mixpanel.com | Win, Mac, iOS, Android, Web | Anonymous usage data | N | Y | N |
| *.appsflyer.com | iOS, Android | Anonymous usage data related to onboarding | N | Y | N |
| *.adobedtm.com | Web | Anonymous usage data | N | Y | N |
| *.omtrdc.net | Web | Anonymous usage data | N | Y | N |
| *.optimizely.com | Web | Anonymous usage data for A/B testing | N | Y | N |
69. Where should a new WebEx site be managed?

Choose Cisco Spark Control Hub when:
• The customer is rolling out both WebEx and Cisco Spark and wants a unified management experience across both
• The customer does not need the following features:
  1. Extensive WebEx site branding and customization
  2. Tracking codes for intra-company billing
  3. Group-level feature assignment

Choose WebEx Site Administration when:
• The customer requires one or more of the advanced management features (1-3 above)
• The customer can accept segregated management of WebEx and Cisco Spark

A document detailing how to choose, and the feature differences, will be linked in the UX and is available at: https://goo.gl/EAK9ZY
70. What is Cisco Spark Linking?

• Cisco Spark linking is a process that enables WebEx sites (WBS31 or above) managed by WebEx Site Administration to use the improved WebEx analytics in Cisco Spark Control Hub and, if the customer has purchased Pro Pack for Cisco Spark Control Hub, the diagnostics as well.
• Note: WebEx sites that are already managed through Cisco Spark Control Hub do not need Cisco Spark linking.

When should I use Cisco Spark linking?
The WebEx site is WBS31 or above and managed by WebEx Site Administration, and
1. you want the WebEx analytics that are available through Cisco Spark Control Hub
- OR -
2. you want to easily roll out Cisco Spark to WebEx users
71. Pro-Pack for Cisco Spark Control Hub

• Engagement, performance, diagnostics
• Topline metrics
• Visualization of trends and patterns (down to the individual user)
• Key usage and user behavior
72. WebEx Analytics via the Pro Pack for Cisco Spark Control Hub

• Identify recurring anomalies within historical trends
• Easily see and drill down on problem areas
• Explore detailed quality data (at the meeting and user level)
• Search meetings in real time
73. Single Sign-On (SSO) Enhancements
Add Attendance Security to Internal Meetings

Feature Highlights
• Identify or "tag" attendees in the participant list as SSO-authenticated: "Internal" or "Guest"
• Require all participants to authenticate with SSO
• Set up invite-only meetings and require internal participants to authenticate with SSO (no forwarding of the invite allowed)
• Available in Cisco WebEx Meeting Center, Training Center, and Event Center
BRKCOL-2160 73
74. SAML Session Tokens

IdP session token TTL
• Generally less than one business day, or 8 hours
• The 2nd factor may or may not be stored or cached

WebEx SP session token TTL
• Browser: 90 minutes (default)
• Mobile/client: 336 hours, or 14 days (default)
• TTL values can be customized upon request

SAML session tokens can expire before their TTL elapses when:
• The user closes the browser or signs out
• The network connection is lost
• The tokens have been revoked
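The two clocks on this slide (IdP session and SP session) in code, as an added example; this is not WebEx's implementation. It consumes a constructed SAML 2.0 assertion, checks that the assertion itself is still inside its Conditions window (minutes, not the session TTL), and derives the SP session expiry from the client type using the slide's defaults (90 minutes browser, 336 hours mobile). As a design choice the slide does not state, the SP expiry is capped by the IdP's SessionNotOnOrAfter, so an SP session never outlives the IdP session that created it. Sign-out and revocation are modelled with an explicit revocation set, which is why a token can die before its TTL. The issuer, user, timestamps and the 60-second clock-skew allowance are this example's assumptions.

```python
"""SP session lifetime derived from a SAML assertion (added example; not WebEx code)."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_TTL = {"browser": timedelta(minutes=90), "mobile": timedelta(hours=336)}  # slide defaults
CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance for IdP/SP clock drift

T0 = datetime(2017, 11, 1, 9, 0, tzinfo=timezone.utc)  # constructed login time


def minutes_after(m: int) -> datetime:
    return T0 + timedelta(minutes=m)


# Constructed assertion: 8-hour IdP session starting at T0, and a 5-minute
# window (Conditions) in which the assertion itself may be consumed.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" IssueInstant="2017-11-01T09:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Conditions NotBefore="2017-11-01T08:59:00Z" NotOnOrAfter="2017-11-01T09:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2017-11-01T09:00:00Z" SessionIndex="_s1"
      SessionNotOnOrAfter="2017-11-01T17:00:00Z"/>
</saml:Assertion>"""


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def conditions_ok(assertion_xml: str, now: datetime) -> bool:
    """Assertion is consumable only inside Conditions (plus skew)."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        return False
    not_before = parse_ts(cond.get("NotBefore")) - CLOCK_SKEW
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW
    return not_before <= now < not_on_or_after


def session_expiry(assertion_xml: str, client: str, now: datetime) -> datetime:
    """SP session end = now + SP default for the client, capped by the IdP session."""
    if not conditions_ok(assertion_xml, now):
        raise ValueError("assertion outside its Conditions window; do not create a session")
    expiry = now + SP_TTL[client]
    authn = ET.fromstring(assertion_xml).find("saml:AuthnStatement", NS)
    idp_end = authn.get("SessionNotOnOrAfter") if authn is not None else None
    if idp_end:
        expiry = min(expiry, parse_ts(idp_end))  # design choice: never outlive the IdP session
    return expiry


class SessionStore:
    """Server-side SP sessions: a TTL plus early termination by revocation."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, datetime]] = {}
        self._revoked: Set[str] = set()

    def create(self, user: str, assertion_xml: str, client: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)  # opaque handle; nothing for the client to decode
        self._sessions[token] = (user, session_expiry(assertion_xml, client, now))
        return token

    def revoke(self, token: str) -> None:
        """Sign-out or administrative revocation: the remaining TTL no longer matters."""
        self._revoked.add(token)

    def validate(self, token: str, now: datetime) -> Optional[str]:
        """Return the user for a live session, None otherwise."""
        rec = self._sessions.get(token)
        if rec is None or token in self._revoked:
            return None
        user, expiry = rec
        return user if now < expiry else None


if __name__ == "__main__":
    print("browser session ends", session_expiry(ASSERTION, "browser", T0))  # 10:30 UTC
    print("mobile session ends ", session_expiry(ASSERTION, "mobile", T0))   # 17:00 UTC, IdP cap
```

The mobile case is the instructive one: the slide's 14-day client TTL is longer than any IdP session, so without the cap a stolen mobile token would stay valid long after the IdP would have forced re-authentication.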
75. Mobile Improvements

Distinguish User Type in Lobby
• The list of users in the lobby is sorted into signed-in and non-signed-in users
• Security feature: differentiates between internal and external users
• Option to select who can join

Remember Home Page
• Remembers the signed-in user's previously visited page
• Returns to the previously visited page when the app is relaunched
76. Limitations and Caveats

Audio devices and video endpoints do not have a lobby experience. Hence these devices do not obey the new settings, and unauthenticated users on them are still placed directly into open rooms.

Note: Video devices can be completely blocked from the Personal Room today when this setting is on, but this hurts the user experience. (Not recommended)
77. WebEx: Secure as You Want it to Be

Site level settings
- Decline to list meetings on the WebEx public site
- Block guest access and 'Join Before Host'
- Exclude the meeting password from invitations (this is now the default)
- Control audio privileges (global call back, toll and toll-free options)
- Restrict mobile device access types
- Require callers to press '1' to connect on audio
- Control global session types (chat, desktop share, remote control, file transfer, etc.)

Authentication based
- Require a meeting password; set password length and complexity requirements
- Manually approve account sign-ups
- Require attendees to log in; SSO is even better
- Leverage 'guest' vs 'internal' user labels; inform hosts that, on a per-meeting basis, they can exclude non-internal users
- Speak with each call-in user in the meeting and verify their identity
78. WebEx: Secure as You Want it to Be

Personal Room settings
- Force unauthorized users into the Personal Room lobby
- Auto-lock the Personal Room after [n] minutes

TelePresence settings
- Require TelePresence authentication / meeting PIN
- Enforce TLS for TelePresence participants

In-meeting settings
- Control in-meeting session types (chat, desktop share, remote control, file transfer, etc.)
- Eject/remove users that are not behaving properly; follow up with TAC/InfoSec if necessary

Recording policy
- Enforce recording passwords and authentication to retrieve recordings
- Pull recordings from the site after [n] days
79. CMR Cloud (WebEx Video) Security Features
81. What you've learned

Cisco Spark has multiple data stores and obfuscated user identity
Cloud based Data Security and Data Services
Option to sync user data and enable SSO
Traffic is always encrypted; data at rest is stored encrypted as well, with secure search
Compliance & E-Discovery Services, Retention Policies, Data ownership
Hybrid Data Security (HDS)
KMS on premise, Architecture, Search, Firewalls, Federation
Firewalls and Proxies Support
WebEx update
Management, Pro-Pack, SSO, Best Practices
82. Continue Your Education

• Demos in the Cisco campus
• Meet the Engineer 1:1 meetings
• Related sessions
  • BRKCOL-2699 Authorization and Authentication concepts for Collaboration
  • BRKCOL-2607 Understanding Cloud and Hybrid Cloud Collaboration Deployment
  • BRKCOL-2444 Evolution of Core Collaboration: Cloud and Hybrid Architectural Design
  • BRKCOL-2281 Steps to Successfully deploy Cisco Spark along with a media strategy