
Cisco WebEx Solutions

Technical overview: security


Thomas Flambeaux, Cisco WebEx SE

2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

Global Distributed Meeting (GDM) and Content Delivery Network (CDN) optimize user experience

With GDM, the hub closest to the attendee is selected and meeting traffic is switched locally, which eliminates traffic congestion at a single hub and provides the optimal in-meeting experience for the available bandwidth.

Pre- and post-meeting experience is enhanced by leveraging the CDN.

[Diagram: GDM hubs (existing and new) within the Cisco WebEx Collaboration Cloud]


Client Download with CDN configured


1. The attendee's browser requests https://customer.webex.com
2. Web page response
3. Start meeting request
4. Response parameter: the download server (https://customer.cdn.webex.com) and the WebEx client version directory (e.g. T27LBSP17_4567), the actual package name used as the single download origin
5. Client download request to customer.webex.com
6. The CDN edge server gets the client package from the WebEx server and caches it for later use
7. WebEx client download to the attendee

[Diagram participants: attendee, customer.webex.com, CDN edge server]

CDN enables WebEx to offer the fastest join times


[Chart: join times for a first-time presenter and a first-time attendee, East Coast and West Coast, comparing WebEx, Citrix, Netviewer, Adobe and Microsoft]

Source: Lab Testing Summary Report - Web Conferencing, Report #100716, Miercom, September 2010


WebEx Plug-in
Delivery options: ActiveX, Java applet, TFS, Flash (Event Center), MSI


1) Users access the site URL with a browser and join or start a meeting
2) Meeting Manager grants access, registers the user and logs the access
3) Ping Server identifies the optimum collaboration server (CB) and reports it to the client
4) The client establishes a connection to the best collaboration server
5) The CB checks with Meeting Manager, grants access and establishes privileges

GDM switch architecture


[Diagram: San Jose Data Center (Cluster A and Cluster B, each with Zone1/Zone2 containing MZM, CB, WWP and WebDB) and UK Data Center (MZM, CB); virtual MMP pool (MCC, MCS) backed by MMPDB]

GDM enables lowest desktop sharing latency

Source: Lab Testing Summary Report - Web Conferencing, Report #100716, Miercom, September 2010. Tests were conducted in 2 different locations with different network access points. Total latency was calculated over a 13-slide PPT deck with various animations and transitions.

Summary of CDN and GDM Benefits


CDN (Content Delivery Network)
CDN improves the join/start meeting experience
CDN enables faster download of the Meeting Client binary to the attendee/host computer

GDM (Global Distributed Meeting)
GDM enhances the in-meeting experience
GDM connects the attendee/host to the closest WebEx data center for faster communication in the meeting

Cisco multi-layer security model


Layers: Site Security, Collaboration Security, Network Security, Physical Security
Controls: Customer-Defined Service Administration, Access Controls, Policy Management, SSL/AES Encryption, User Authentication
Third-party audits: SAS-70 Type II; ISO 27001 (planned)
Data center: secure facility
Platform: Cisco WebEx Collaboration Cloud

Physical security
Cisco CSG Applications
Strict Access Controls: 2-Factor Authentication
Vulnerability Management: Daily Scan Schedule, Documented Patching Process

Hardened Networks
Firewalls, Secure Device Configuration Baselines

Secure Service Platform
24/7 Service Monitoring, Geographic Failover, High Availability

Hardened Systems
STIG-Derived Hardening Standards, Application White Listing

Intrusion Detection & Response
24/7 Response Capabilities

Network Security

Leveraging best-in-class technologies


Data Protection for Conferencing, IM, Spaces

Data-in-motion protection:
128-bit SSL encryption standard
256-bit AES end-to-end encryption
PKI optional
Strict access control

Data-at-rest protection:
Data is switched, not stored
Network Based Recording (NBR)

Default SSL encryption


All WebEx meeting traffic is encrypted with 128-bit SSL encryption while on the public network.
All traffic is secured and transported over HTTPS (port 443).
SSL-enabled meetings are implemented by default in the WebEx environment.
Both control and meeting data are SSL-protected across the Internet; the SSL accelerator in front of the meeting switches encrypts and decrypts the meeting data, so with this layer alone the switches handle meeting data in the clear.

[Diagram: Internet > SSL accelerator (encrypt/decrypt meeting data) > meeting switches; control and meeting data paths]

End to end encryption


Meeting data is encrypted using AES at the client
Meeting data remains encrypted over the entire network
256-bit cipher strength
Random key generation
Self-signed X.509 certificates are used to exchange the key
Control data remains unencrypted to optimize switching of meeting traffic between attendees

Because the certificates are self-signed, this layer by itself protects the meeting data but does not validate who the attendee is; that is what the optional PKI layer adds.

[Diagram: Internet > SSL accelerator > meeting switches; control data is protected by SSL only, meeting data remains AES-encrypted end to end]

PKI identity validation


Use of PKI provides identity validation and authorization of attendees
AES encryption keys are secured by digital certificates
Certificate access is supported through Microsoft Crypto libraries or the Apple Macintosh Keychain
Support for multiple certificate authorities for each site
WebEx will not provide certificate authority services

[Diagram: CAs uploaded by the site administrator; the host certificate and each attendee certificate are validated against those CAs before the AES-encrypted meeting data flows through the SSL accelerator and meeting switches]
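The two slides above describe the mechanics in words: a random AES-256 key generated at the client and exchanged under the attendees' X.509 certificates, meeting data that the switches only relay, control data left in the clear, and, with PKI, participant certificates validated against CAs the site administrator uploads. The Go program below is an added example written for this page, not WebEx code, and it models those two layers in miniature. Everything specific in it is assumed for illustration: the certificate names, the `from=...;type=...` control header format, RSA-OAEP as the key-wrapping mechanism, and binding the cleartext header as AES-GCM additional data so that a switch can read it but not rewrite it. Demo() returns what the attendee recovered, whether the relayed frame leaked the share, whether a rewritten header was caught, and whether a self-signed versus a CA-issued certificate passes the PKI check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; this walk-through has no sensible recovery path.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues an RSA key pair and X.509 certificate for name: self-signed when issuerCert
// is nil (the E2E slide's key-exchange certificates), otherwise signed by the given site CA.
func newCert(name string, usage x509.KeyUsage, issuerCert *x509.Certificate, issuerKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if issuerCert == nil { // no issuer: the subject signs its own certificate
		issuerCert, issuerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &key.PublicKey, issuerKey))
	return key, must(x509.ParseCertificate(der))
}

func aead(meetingKey []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(meetingKey))))
}

// sealFrame encrypts meeting data at the sending client (AES-256-GCM). The control header stays
// in the clear so the switch can route on it, but is bound as additional data so it cannot be
// rewritten in transit (that binding is a choice of this model, not documented WebEx behaviour).
func sealFrame(meetingKey []byte, control string, data []byte) []byte {
	gcm := aead(meetingKey)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, data, []byte(control)) // nonce || ciphertext || tag
}

// openFrame decrypts at the receiving client; a changed header or payload fails authentication.
func openFrame(meetingKey []byte, control string, frame []byte) ([]byte, error) {
	gcm := aead(meetingKey)
	return gcm.Open(nil, frame[:gcm.NonceSize()], frame[gcm.NonceSize():], []byte(control))
}

// validateAgainstCA is the PKI layer: a participant certificate is accepted only if it chains to
// a CA the site administrator uploaded; a self-signed certificate fails this check.
func validateAgainstCA(cert *x509.Certificate, uploadedCAs ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, ca := range uploadedCAs {
		roots.AddCert(ca)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Demo walks one constructed desktop-share frame through the end-to-end model, then applies the
// PKI identity check to a self-signed and to a CA-issued certificate. Results are returned, not printed.
func Demo() (recovered string, switchSeesPlaintext, tamperDetected, selfSignedPassesPKI, caIssuedPassesPKI bool) {
	leaf := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	caKey, caCert := newCert("Example Corp Site CA", x509.KeyUsageCertSign, nil, nil) // uploaded by the admin
	_, hostCert := newCert("host", leaf, nil, nil)                                     // self-signed: E2E without PKI
	attKey, attCert := newCert("attendee", leaf, caCert, caKey)                        // issued by the site CA
	meetingKey := make([]byte, 32) // random key generation at the host, 256-bit cipher strength
	must(rand.Read(meetingKey))
	// Key exchange: the meeting key is wrapped (RSA-OAEP) to the attendee's certificate; the switch relays it unread.
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, attCert.PublicKey.(*rsa.PublicKey), meetingKey, nil))
	attendeeKey := must(rsa.DecryptOAEP(sha256.New(), nil, attKey, wrapped, nil))
	share := []byte("slide 1 of 13: Q3 roadmap")                          // constructed sample payload
	frame := sealFrame(meetingKey, "from=host;to=all;type=share", share) // constructed control header
	plain := must(openFrame(attendeeKey, "from=host;to=all;type=share", frame))
	_, tamperErr := openFrame(attendeeKey, "from=host;to=all;type=chat", frame) // header rewritten in transit
	return string(plain), bytes.Contains(frame, share), tamperErr != nil,
		validateAgainstCA(hostCert, caCert) == nil, validateAgainstCA(attCert, caCert) == nil
}

func main() {
	fmt.Println(Demo())
}
```

Two points the slides state only in words become visible here. A self-signed certificate is perfectly usable for wrapping the meeting key (RSA-OAEP does not care who signed the certificate), yet it fails validateAgainstCA, which is exactly the gap the PKI option closes. And because the control data is authenticated rather than encrypted, the switch can still route on it while any alteration in transit is rejected by the receiving client.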


Layered encryption model


SSL is supported for all WebEx Enterprise meeting services
The End-to-End Encryption session type needs to be enabled on the WebEx site
AES/PKI is only supported on Meeting Center
AES/PKI does not support Network Based Recording, Join Before Host or Hybrid Audio
PKI deployment is restricted to Windows and Mac OS
PKI requires an existing X.509 certificate infrastructure to be in place

NBR Security
The administrator can set recording policies for each session type:
Disable recording
Disable download
Password-protect downloads
Disable forwarding links to recordings

Policy management
Policies can be used to manage and enforce corporate rules governing all aspects of collaboration.

Policies can be used to:
Enable/disable features
Manage collaboration privileges
Enforce enterprise security policies

During a meeting, the host can:
Lock the meeting
Eject attendees
Assign presenter and annotation privileges
Re-assign the host role

Collaboration security
Set meeting password
Lock down meeting
Eject attendees
Disable share
Host privileges
Audio dial-in/dial-out control

Rigorous audits by independent parties


Customer/site audits: on an as-needed basis
Internal audits: performed as needed by Cisco's internal audit group
SAS 70 Type II audit: targeted for completion in February 2011
ISO 27001 compliance: targeted for completion by the end of 2011
Infrastructure and application security assessments: code-assisted penetration tests by iSEC Partners

Integration points
WebEx offers 3 basic APIs as integration points:

TSP API: in-meeting integration (active talker, mute/un-mute, etc.)
XML API: provisioning and usage collection
URL API: login/SSO, join/start meeting page authentication

SAML is also available.

In-Meeting integration TSP API architecture


The meeting attendee takes part in a data conference on the WebEx meeting server and an audio conference on the partner's audio bridge over the PSTN.
XML communication takes place across the Internet, through the WebEx firewall and the partner firewall, between the WebEx Telephony Server and the TSP partner-hosted adaptor server.
The adaptor uses the Bridge API to manage low-level communication to the audio bridge.

[Diagram: meeting attendee; meeting server (data conference); telephony server behind the WebEx firewall; TSP partner-hosted adaptor server and audio bridge (audio conference, PSTN) behind the partner firewall; Internet between them]

Thank you.
