Citrix Web Conferencing Security - Insight

Transcription

White Paper

Citrix Web Conferencing Security

Citrix provides true end-to-end data security measures that address both passive and active attacks against confidentiality, integrity and availability when using GoToMeeting, GoToWebinar and GoToTraining.

gotomeeting.com

Citrix GoToMeeting, GoToWebinar and GoToTraining tools are the most secure web conferencing products available. For each solution, standards-based cryptography with true end-to-end encryption, a high-availability hosted service infrastructure and an intuitive user interface combine to maximize confidentiality, integrity and availability.

This document provides a technical description of the security features built into GoToMeeting, GoToWebinar and GoToTraining. It has been written for technical evaluators and security specialists who are responsible for ensuring the safety of their company’s network and the privacy and integrity of business communications.

GoToMeeting, GoToWebinar and GoToTraining are web conferencing tools that allow multiple PC and Mac users to interact using screen sharing, remote keyboard/mouse control, text chat and other features. GoToMeeting is ideal for sales demos and collaborative online meetings. Built for larger audiences, GoToWebinar is great for marketing presentations and company events. And GoToTraining provides features specifically for web-based training, such as online access to tests and materials and a hosted course catalog.

These products are hosted services, delivered via web browsers, downloadable client executables and a network of multicast communication servers operated by Citrix. Sessions are scheduled, convened and moderated using the Citrix website and client software. GoToMeeting, GoToWebinar and GoToTraining automatically integrate with VoIP and phone conferencing for ease of use and solution completeness.

Business needs for secure collaboration

Easy-to-use online business collaboration tools like GoToMeeting, GoToWebinar and GoToTraining can help companies increase productivity by enabling them to communicate and interact more effectively with co-workers, business partners and customers. But such tools vary greatly when it comes to embedded security features. Moreover, it is essential to understand the security implications of online collaboration and comply with safe usage guidelines.

Using any web conferencing solution requires careful consideration of potential threats and resulting business risks. Business security needs that must typically be addressed when adopting a web conferencing product include:

- Preventing unauthorized use of the service and its features so that only legitimate users and invited participants can schedule and participate in online sessions
- Avoiding any compromise of company assets, including client computers and the private networks to which they are attached

- Protecting the privacy and integrity of confidential communication, including screen sharing, text messages, email and voice interaction
- Ensuring availability and reliability of the service itself, so that business communications cannot be denied or disrupted
- Integrating seamlessly with other network/computer security measures, so that web conferencing services can leverage (not degrade) an organization’s existing safeguards

Our web conferencing tools were developed from the ground up to satisfy these common business security needs. By incorporating security features and making them easy to administer and use, GoToMeeting, GoToWebinar and GoToTraining enable effective and safe online business collaboration.

Role-based security features

To enable account owners to enforce company access policies related to service and feature use, every GoToMeeting, GoToWebinar and GoToTraining user is assigned one of several application-defined roles.

- Organizers (or trainers) are authorized to schedule meetings, webinars and/or training sessions. An organizer sets up each session, invites other users to participate, initiates and ends the session and designates the current presenter.
- Attendees are authorized to participate in sessions. Attendees can view the trainer’s or presenter’s screen, chat with other attendees or view the attendee list.
- Presenters are attendees who are able to share their computer screens with other attendees. Presenters also decide which other attendees, if any, are permitted to control the keyboard and mouse of the presenters’ computers.
- Internal administrators are Citrix staff members authorized to manage GoToMeeting, GoToWebinar and GoToTraining services and accounts.
- External administrators are individuals from a customer site authorized to manage multiuser accounts. External administrators can configure account features, authorize organizers and access a variety of reporting tools.

The GoToMeeting, GoToWebinar and GoToTraining user interfaces provide intuitive session controls and status indicators that facilitate productive and safe online sessions. Controls and privileges available to each user depend on the currently assigned role: organizer, active presenter or general attendee.

Organizer privileges

Organizers (or trainers) have the most control in a session and the ability to grant and revoke various privileges for the other participants. Specific organizer privileges include:

- The ability to invite attendees, before or during the session, so that only authorized participants can join a given session
- The ability to see the complete list of attendees and their current roles and privileges, so the organizer remains aware of those present at all times
- The ability to start and end the session, which prevents others from disrupting the session accidentally or otherwise
- The ability to make any attendee the active presenter, controlling which desktop can be viewed at any point in time throughout the session
- The ability to disallow the use of chat by one or more attendees, and permitting sidebar discussions only when appropriate

- The ability to disconnect attendees
- The ability to transfer the organizer role to another attendee (a privilege that cannot be revoked) so the session can continue if the organizer must leave early

Presenter privileges

A presenter is the user actively sharing his or her desktop screen with other attendees. Only one attendee at a time within a session may be granted the active presenter role. Presenters have the following controls available to them:

- The ability to enable, disable or pause screen sharing, which can be helpful to avoid displaying confidential data that might otherwise appear on the presenter’s desktop (e.g., while searching files or folders)
- The ability to grant/revoke remote keyboard and mouse control to another attendee, which facilitates efficient communication through desktop interaction
- The ability to make another attendee the presenter, providing for a flexible, dynamic flow during sessions

Whenever a presenter is sharing his or her screen with other attendees, an “On Air” indicator is displayed on the presenter’s control panel. To share his or her screen, the presenter must click the Screen button on the control panel. These features ensure that presenters always know when desktop sharing is active so that desktop screens are never shared accidentally.

Attendee privileges

Users with the basic attendee role have the following privileges:

- The ability to join any session to which they have been invited at or after the session’s start time
- The ability to view the presenter’s screen unless the presenter has paused or disabled screen sharing
- If granted, the ability to remotely control the presenter’s keyboard and mouse (a privilege that is automatically revoked whenever the active presenter role is changed)
- The ability to use chat to send text messages to all other attendees or to one specific attendee (features that can be disabled by an organizer)
- The ability to leave a session at any time

Basing access rights and privileges on assigned roles allows flexible sessions that facilitate highly dynamic interaction between attendees, without sacrificing either control or visibility. Organizers can easily add attendees or change the presenter as needed throughout the session. Presenters remain in complete control of their own desktops, and organizers have everything required to manage the session effectively.

Account and session authentication features

Role-based authorization depends upon the ability to correctly identify and authenticate each and every user. To ensure that each organizer, presenter and attendee is in fact who he or she claims to be, GoToMeeting, GoToWebinar and GoToTraining incorporate robust account and session authentication features.

Website account login

To access a user account on the GoToMeeting, GoToWebinar and GoToTraining website, users must supply a valid email address and corresponding user account password. To make them hard to guess, all passwords must contain at least eight characters and include both letters and numbers. Too many failed log-in attempts cause the website account to be temporarily locked to protect against password guessing. Passwords stored in the service database are encrypted and checked using a cryptographically secured verifier that is highly resilient to offline dictionary attacks.

Session information disclosure

Unlike some competing solutions, information describing scheduled GoToMeeting, GoToWebinar and GoToTraining sessions is only available to the organizer and invited participants. Because session descriptions are only displayed after users have successfully authenticated, and then only to those users authorized to view it, potentially sensitive information such as the session subject, organizer name and session time is never exposed for casual perusal by hackers, curious web surfers or your competition.

Authentication of session attendees

Because most organizations hold many sessions with restricted attendance, it is not enough to let any user associated with a given GoToMeeting, GoToWebinar or GoToTraining account view session descriptions or attend sessions. Instead, authorization to join each session is based on a unique session ID and an optional password.

Whenever a session is scheduled, a unique nine-digit session ID, created by the GoToMeeting, GoToWebinar or GoToTraining service broker using a pseudorandom number generator, is returned to the organizer. The session ID is then communicated to all invited attendees using email, instant messaging, a telephone or other communication methods. To join the session, each attendee must present the session ID to the service broker by either clicking on a URL that contains the session ID or by manually entering the value into a form presented by the downloaded GoToMeeting, GoToWebinar or GoToTraining client.

Whenever a valid session ID is presented, the service broker returns a set of unique session credentials to the GoToMeeting, GoToWebinar or GoToTraining client. These session credentials are never seen by the attendee, but are used by the software to connect to one or more communication servers. Credentials include a 64-bit session ID, a short role ID and an optional 64-bit role token. These are used to identify the appropriate session and transparently authenticate the user as either an organizer or attendee. All sensitive communications take place over SSL-protected connections to prevent disclosure of session credentials.

In addition, attendees must authenticate end to end with the session’s organizer. This is based on a secret random value provided by the service broker and an optional password that the organizer chooses and communicates to attendees. To provide maximum assurance against unauthorized access and ensure session confidentiality, Citrix strongly encourages the use of the password feature.

It is important to note that the optional password is never transmitted to Citrix at any time. This provides added assurance that no unauthorized parties, including Citrix operations personnel, can join and participate in the session.

By providing two levels of attendee authentication, GoToMeeting, GoToWebinar and GoToTraining ensure that only authorized attendees can join sessions to which they have been invited and that each user is granted privileges in accordance with his or her assigned role.

Administration-site security

Like all connections to the GoToMeeting, GoToWebinar and GoToTraining website, connections to the administration portal are protected using SSL/TLS. Administrative functions are protected using strong passwords, activity logging, regular audits and a variety of internal physical and network security controls.

Communications security features

Communications between participants in a GoToMeeting, GoToWebinar or GoToTraining session occur via an overlay multicast networking stack that logically sits on top of the conventional TCP/IP stack within each user’s PC. This network is realized by a collection of multicast communications servers (MCS) operated by Citrix.

Participants (session endpoints) communicate with Citrix infrastructure communication servers and gateways using outbound TCP/IP connections on ports 8200, 443 and 80. Because GoToMeeting, GoToWebinar and GoToTraining are hosted web-based services, participants can be located anywhere on the Internet — at a remote office, at home, at a business center or connected to another company’s network. Anytime, anywhere access to the GoToMeeting, GoToWebinar and GoToTraining services provides maximum flexibility and connectivity. However, to preserve the confidentiality and integrity of private business communication, these tools also incorporate robust communication security features.

Communications confidentiality and integrity

GoToMeeting, GoToWebinar and GoToTraining provide true end-to-end data security measures that address both passive and active attacks against confidentiality, integrity and availability. All connections are end-to-end encrypted and accessible only by authorized session participants.

Screen-sharing data, keyboard/mouse control data and text chat information are never exposed in unencrypted form while temporarily resident within Citrix communication servers or during transmission across public or private networks.

Communications security controls based on strong cryptography are implemented at two layers: the TCP layer and the multicast packet security layer (MPSL).

TCP layer security

IETF-standard secure sockets layer (SSL) and transport layer security (TLS) protocols are used to protect all communication between endpoints. To provide maximum protection against eavesdropping, modification or replay attacks, the only SSL cipher suite supported for non-website TCP connections is 1024-bit RSA with 128-bit AES-CBC and HMAC-SHA1. However, for maximum compatibility with nearly any web browser on any user’s desktop, the GoToMeeting, GoToWebinar and GoToTraining website supports in-bound connections using most supported SSL cipher suites.

For the customers’ own protection, Citrix recommends that customers configure their browsers to use strong cryptography by default whenever possible and to always install the latest operating system and browser security patches.

When SSL/TLS connections are established to the website and between GoToMeeting, GoToWebinar or GoToTraining components, Citrix servers authenticate themselves to clients using VeriSign/Thawte public key certificates.

For added protection against infrastructure attacks, mutual certificate-based authentication is used on all server-to-server links (e.g., MCS-to-MCS, MCS-to-Broker). These strong authentication measures prevent would-be attackers from masquerading as infrastructure servers or inserting themselves into the middle of session communications.

Multicast layer security

Additional features provide complete end-to-end security for multicast packet data, independent of those provided by SSL/TLS. Specifically, all multicast session data is protected by end-to-end encryption and integrity mechanisms that prevent anyone with access to our communications servers (whether friendly or hostile) from eavesdropping on a session or manipulating data without detection.

The MPSL provides an added level of communication confidentiality and integrity and is unique to our products. Company communications are never visible to any third party, including both users who are not invited to a given session and Citrix itself.

Furthermore, there is no additional cost, performance degradation or usability burden associated with these essential communication security features. High performance and standards-based data security is a built-in feature of every session.

MPSL key establishment is accomplished by using a randomly generated 128-bit seed value selected by the GoToMeeting service broker that is distributed to all endpoints over TLS and used as the input to a NIST-approved HMAC-SHA1 key-derivation function. The seed value is erased from the GoToMeeting service broker’s memory when the session ends.

MPSL further protects multicast packet data from eavesdropping using 128-bit AES encryption in counter mode. Plain-text data is typically compressed before encryption using proprietary, high-performance techniques to optimize bandwidth. Data integrity protection is accomplished by including an integrity check value generated with the HMAC-SHA-1 algorithm. Because GoToMeeting, GoToWebinar and GoToTraining use very strong, industry-standard cryptographic measures, customers can have a high degree of confidence that multicast session data is protected against unauthorized disclosure or undetected modification.

Firewall and proxy compatibility

Like other Citrix products, GoToMeeting, GoToWebinar and GoToTraining include built-in proxy detection and connection management logic that helps automate software installation, avoid the need for complex network (re)configuration and maximize user productivity. Firewalls and proxies already present in your network generally do not need any special configuration to enable use of our web conferencing tools.

When GoToMeeting, GoToWebinar or GoToTraining endpoint software is started, it attempts to contact the service broker via the endpoint gateway (EGW) by initiating one or more outbound SSL-protected TCP connections on ports 8200, 443 and/or 80. Whichever connection responds first will be used and the others will be dropped. This connection provides the foundation for participating in all future sessions by enabling communication between hosted servers and the user’s desktop.

When the user attempts to join a session, the endpoint software establishes one or more additional connections to Citrix communications servers, again using SSL-protected TCP connections on ports 8200, 443 and/or 80. These connections carry data during an active session.

In addition, for connectivity optimization tasks, the endpoint software initiates one or more short-lived TCP connections on ports 8200, 443 or 80 that are not SSL protected. These network probes do not contain any sensitive or exploitable information and present no risk of sensitive information disclosure.

By automatically adjusting to the local network conditions using only outbound connections and choosing a port that is already open in most firewalls and proxies, GoToMeeting, GoToWebinar and GoToTraining provide a high degree of compatibility with existing network security measures. Unlike some other products, ours do not require companies to disable existing security measures to allow web conferencing communication. These features maximize both compatibility and overall network security.

Voice security

Citrix provides integrated audio conferencing for GoToMeeting, GoToWebinar and GoToTraining sessions through the telephone network (PSTN) as well as Voice over Internet Protocol (VoIP). The PSTN already provides for the confidentiality and integrity of voice communications. To protect the confidentiality and integrity of VoIP connections from the endpoints to the voice servers, we use an SRTP with AES-128-HMAC-SHA1-based protocol ov

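The packet protection described under "Multicast layer security" above (a 128-bit seed fed to an HMAC-SHA1 key-derivation function, AES-128 in counter mode, an HMAC-SHA-1 integrity check value), sketched in Node.js as an added example; it is not Citrix code and not part of the white paper. The KDF construction, the key labels `enc` and `mac` and the packet layout are assumptions, since the paper does not specify them, and the compression step is left out.

```javascript
const crypto = require('node:crypto');

const HDR_LEN = 8;  // assumed header: 64-bit packet sequence number
const TAG_LEN = 20; // HMAC-SHA1 output size

// Assumed KDF: one block of a NIST SP 800-108 style counter-mode KDF,
// HMAC-SHA1(seed, [1]32 || label || 0x00 || [128]32), truncated to 128 bits.
function kdf(seed, label) {
  const input = Buffer.concat([
    Buffer.from([0, 0, 0, 1]), Buffer.from(label), Buffer.from([0, 0, 0, 0, 128]),
  ]);
  return crypto.createHmac('sha1', seed).update(input).digest().subarray(0, 16);
}

// Independent encryption and integrity keys from the one session seed.
function deriveKeys(seed) {
  if (seed.length !== 16) throw new Error('seed must be 128 bits');
  return { enc: kdf(seed, 'enc'), mac: kdf(seed, 'mac') };
}

// AES-128-CTR. Counter block = header || 64-bit block counter, so keystream is
// never reused while sequence numbers stay unique under one key.
function ctr(key, header, data) {
  const iv = Buffer.concat([header, Buffer.alloc(8)]);
  const cipher = crypto.createCipheriv('aes-128-ctr', key, iv);
  return Buffer.concat([cipher.update(data), cipher.final()]);
}

const tag = (macKey, body) => crypto.createHmac('sha1', macKey).update(body).digest();

// Packet = header || ciphertext || HMAC-SHA1(header || ciphertext).
function seal(keys, seq, plaintext) {
  const header = Buffer.alloc(HDR_LEN);
  header.writeBigUInt64BE(BigInt(seq));
  const body = Buffer.concat([header, ctr(keys.enc, header, plaintext)]);
  return Buffer.concat([body, tag(keys.mac, body)]);
}

// Verify the tag in constant time first; decrypt only packets that pass.
function open(keys, packet) {
  if (packet.length < HDR_LEN + TAG_LEN) throw new Error('packet too short');
  const body = packet.subarray(0, packet.length - TAG_LEN);
  const received = packet.subarray(packet.length - TAG_LEN);
  if (!crypto.timingSafeEqual(received, tag(keys.mac, body))) {
    throw new Error('integrity check failed');
  }
  const header = body.subarray(0, HDR_LEN);
  const plaintext = ctr(keys.enc, header, body.subarray(HDR_LEN));
  return { seq: header.readBigUInt64BE(), plaintext };
}

// Constructed demo: a relay that holds no keys flips one ciphertext bit.
const demoKeys = deriveKeys(crypto.randomBytes(16));
const demoPacket = seal(demoKeys, 1, Buffer.from('constructed screen-update payload'));
demoPacket[HDR_LEN] ^= 0x01;
try { open(demoKeys, demoPacket); } catch (err) { console.log('rejected:', err.message); }
```

Because the tag covers the header as well as the ciphertext, a relaying server that holds neither key cannot alter the sequence number or the payload without the receiving endpoint rejecting the packet.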