Cisco WebEx Connect Security White Paper


Cisco WebEx Connect IM security
White paper

Cisco WebEx Connect IM security: Enterprise Instant Messaging through a commercial-grade multilayered architecture

Cisco WebEx LLC
3979 Freedom Circle, Santa Clara, CA 95054 USA
Main: 1.408.435.7000
Sales: 1.877.509.3239
www.webex.com

Abstract

Collaboration and communication solutions empower enterprise teams to find, connect to, and work efficiently with colleagues both inside and outside the organization. To deliver an integrated solution—combining presence, enterprise-grade instant messaging, audio and video conferencing, voice over IP (VoIP), telephony, and more—without adding complexity to their existing infrastructures, IT organizations are turning to hosted collaboration solutions. Businesses demand that hosted services build in enterprise-class security, without compromising the company’s privacy or weakening the protection of sensitive files and communications. Cisco WebEx Connect IM offers organizations the advantages of a multilayered security strategy derived from more than 10 years of experience and investments in hosted collaboration solutions.

This paper overviews the security factors that make WebEx Connect IM a robust, highly available, and secure Enterprise Instant Messaging (EIM) solution. The overview begins with a description of in-the-cloud security measures, then provides information about the measures taken to protect data in motion, authenticate users, and help IT manage policies. Specific issues and security features relating to instant messaging and shared spaces are also explained, as well as compliance and auditing practices relating to WebEx Connect IM.

Introduction

Today’s IT professionals are caught in the middle of a struggle. They must balance increasingly stringent cost controls, minimize complexity, and improve manageability of the infrastructure, while still providing employees with access to the latest technology innovations.

Today, many users within organizations ranging from small businesses to global enterprise organizations use consumer IM solutions such as AOL Instant Messenger (AIM), GoogleTalk, or Yahoo! Messenger. While these solutions work well for consumers, they represent several risks to corporate networks and challenges to IT organizations including:

- Unencrypted IM traffic running through public networks with servers unprotected by firewalls
- Information exchanged during IM sessions that could be stored on unsecure systems
- Lack of virus scanning or spam filtering
- Spoofing and other misuse of domain names, because consumer IM solutions do not provide professional domain names and user IDs
- The inability of IT to dictate policy or usage of consumer IM systems other than locking down the entire IM application within a network

WebEx Connect IM allows IT departments to satisfy the requirements of both corporate management and users. The hosted service delivers EIM services securely over the Internet, so organizations no longer have the burden of adding hardware infrastructure complexity and management overhead. The WebEx Software-as-a-Service (SaaS) solution makes it easy for IT to implement updates. Cisco updates the service rapidly, so users always have the most up-to-date features available.

WebEx Connect IM runs over a security framework that can be used by key collaboration applications such as instant messaging and spaces.
This infrastructure, called the Cisco WebEx Collaboration Cloud, is a system of highly secure and redundant data centers located around the world. Backed by this “always secure” architecture, WebEx Connect IM is based on a multilayered security model that maximizes data security and ensures service continuity. The contributing components include:

- In-the-cloud security, to protect physical sites and introduce stringent controls over Cisco personnel that administer and manage the service
- Data-in-motion security, to safeguard message transport between WebEx Connect IM clients (user desktops, mobile users, and web clients) and the WebEx Collaboration Cloud
- Data-at-rest protection, to restrict access to user files and communications, authenticate users to determine appropriate privileges and service permissions, and to enforce collaboration policies for each enterprise

The “always secure” architecture is strengthened by compliance with industry data center standards, and regular audits provide transparency and accountability. Cisco’s integrated security technologies and security-related practices provide a level of protection that often exceeds the security expectations of other enterprise-grade on-premises solutions. In fact, Cisco data centers have never been compromised while other companies often make headlines from incidents relating to data loss, lost backup tapes, or information left on public computers.

Security and the WebEx Collaboration Cloud

The WebEx Collaboration Cloud provides organizations with the Cisco advantages of persistent security, management, and integration. The strength of this hosted infrastructure stems from the multilayered security model, and offers uptime in excess of 99.99 percent.

The high-performance WebEx Collaboration Cloud is based on carrier-class information-switching architecture, and is purpose-built for real-time services through data centers that are strategically placed near major Internet access points. Dedicated, high-bandwidth fiber routes traffic around the globe. The uniquely secure, extremely scalable WebEx Collaboration Cloud serves as a highly available infrastructure, unburdened by the physical limitations of on-premise server solutions.

Security architecture

All hosted WebEx services benefit from the WebEx Collaboration Cloud security architecture (see Figure 1). The architecture encompasses the security built into the data centers’ foundational layers and extends through the entire infrastructure, including management processes. Each data center element is evaluated within the overall architecture framework, and is designed to contribute to the overall security. For example, customer data is stored in file servers that do not face the network edge; data flows within the data centers are configured to minimize exposure.

For more information about the WebEx Collaboration Cloud security architecture, review the white paper: Unleashing the power of real-time collaboration: Security overview of Cisco WebEx solutions 352/cisco webexsecurity overview.pdf

Figure 1. Cisco WebEx Multilayer Security Model

Secure XMPP connections

WebEx Connect IM utilizes Extensible Messaging and Presence Protocol (XMPP) – the Internet standard for real-time communication. XMPP standardizes a native approach for authentication and channel encryption, prevents address spoofing that can generate spam, and helps prevent the transmission of malware. The Internet Engineering Task Force (IETF) has evolved XMPP to strengthen security, and WebEx Connect IM gives users the benefits of these advancements.

In compliance with the XMPP standard, WebEx Connect IM capabilities are carried out over secure client sessions. Each session begins with the client performing service lookup using the WebEx Connect IM Domain Name System (DNS) service records. An encrypted connection is established using Transmission Control Protocol (TCP), and then the server authenticates the client. Unlike Simple Mail Transfer Protocol (SMTP) and Session Initiation Protocol (SIP), XMPP requires this authentication step. The standard client authentication for XMPP is based on the Simple Authentication and Security Layer (SASL) and the DIGEST-MD5 mechanism.

After a client has established an encrypted channel connection and has been authenticated by the server, it can then exchange presence information, messages, and request-response interactions with other users and applications. However, a WebEx Connect IM client cannot simply assert its address on the network, as with email communications. WebEx Collaboration Cloud servers prevent address forging by validating or stamping sender addresses, which helps to greatly reduce spam on the network. WebEx Connect IM servers also use native rate limiting to block denial-of-service attacks and other attempts to clog the network with large volumes of packets.

Blocking spam, viruses, and other threats

XMPP networks are characterized by a lack of spam, spam over instant messaging (“spim”), viruses, and malware. The built-in prevention of address forging makes it almost impossible for spammers to hijack addresses from which to send messages. Native rate limiting makes it more costly to run distributed botnets, since a spammer would need to establish accounts at multiple servers. It is also difficult to discover large numbers of XMPP addresses via directory harvest attacks, since XMPP servers do not divulge addresses or unknown users in response to standard requests. Users’ presence information and IP addresses are only shared with authenticated entities.

Servers in the WebEx Collaboration Cloud include client-controlled white lists and blacklists to help users block communications with undesirable or risky users and groups. Since XMPP is a pure XML technology, it does not allow binary attachments, scripts, inline images, or other executable malware. Phishing attacks are possible, but the prevention of address forging has made such attacks rare. The XMPP community has also developed XMPP extensions such as spam reporting mechanisms that can be used if spam escalates.
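
The SASL DIGEST-MD5 step named under "Secure XMPP connections" above, worked through as an added example that is not from the white paper or from Cisco's code: it computes the client's response to a server challenge and checks the server's rspauth reply, so the password itself never crosses the wire. The input is the published example from RFC 2831, section 4 (an IMAP exchange; an XMPP client would use a digest-uri of the form xmpp/<domain>), and all function names are hypothetical.

```python
import hashlib
import hmac
import re

# Directive syntax: key="quoted value" or key=token, comma separated.
_DIRECTIVE = re.compile(r'([\w-]+)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))')


def parse_directives(text):
    """Split a decoded digest-challenge or response-auth message into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in _DIRECTIVE.findall(text)}


def _hex_md5(data):
    return hashlib.md5(data).hexdigest()


def digest_value(user, password, realm, nonce, cnonce, nc, digest_uri, prefix):
    """response-value for qop=auth. prefix is "AUTHENTICATE" for the client's
    response and "" for the server's rspauth."""
    # The password only ever enters the exchange through this hash.
    secret = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"{prefix}:{digest_uri}".encode()
    kd = f"{_hex_md5(a1)}:{nonce}:{nc}:{cnonce}:auth:{_hex_md5(a2)}"
    return _hex_md5(kd.encode())


def client_response(challenge, user, password, cnonce, digest_uri, nc="00000001"):
    """Validate the server challenge and compute the client's response."""
    ch = parse_directives(challenge)
    if "auth" not in ch.get("qop", "auth").split(","):
        raise ValueError("server does not offer qop=auth")
    if ch.get("algorithm") != "md5-sess" or not ch.get("nonce"):
        raise ValueError("malformed challenge")
    return digest_value(user, password, ch.get("realm", ""), ch["nonce"],
                        cnonce, nc, digest_uri, "AUTHENTICATE")


def server_proved_password(reply, challenge, user, password, cnonce, digest_uri,
                           nc="00000001"):
    """True only if the server's rspauth shows it also knows the password."""
    ch = parse_directives(challenge)
    expected = digest_value(user, password, ch.get("realm", ""), ch["nonce"],
                            cnonce, nc, digest_uri, "")
    got = parse_directives(reply).get("rspauth", "")
    return hmac.compare_digest(expected, got)


# Constructed input: the worked example values from RFC 2831, section 4.
CHALLENGE = ('realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",'
             'qop="auth",algorithm=md5-sess,charset=utf-8')
ARGS = ("chris", "secret", "OA6MHXh6VqTrRk", "imap/elwood.innosoft.com")

if __name__ == "__main__":
    print(client_response(CHALLENGE, *ARGS))
    print(server_proved_password("rspauth=ea40f60335c427b5527b84dbabcdfffd",
                                 CHALLENGE, *ARGS))
```

RFC 6331 later moved DIGEST-MD5 to Historic status and RFC 6120 makes SCRAM-SHA-1 the mandatory XMPP mechanism, so this illustrates the exchange the paper describes rather than a mechanism to select today.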

Physical site security

Cisco operates all infrastructure used within the WebEx Collaboration Cloud. The physical security at the data centers includes hard-line perimeter devices for facilities and buildings, and employees must pass biometric access controls and possess ID badges for entry. Additional protection is provided by video surveillance.

Network-based security

WebEx Connect IM’s highly secure XMPP connections and Cisco’s network with built-in firewalls fortify security. Advanced intrusion detection and prevention further safeguard all network traffic. XMPP-based security and built-in Cisco protection are not limited to internal networks. Tens of thousands of Internet domains deliver XMPP services to millions of users, and since first deployed in 1999, this growing XMPP network has experienced no major security incidents.

Data at Rest

Access to data stored in the cloud can only be accomplished using WebEx Connect IM, and only after proper user authentication. Additional data protection features include:

- Administration restrictions – Only authenticated, authorized data center personnel can access specific collaboration data. Cisco uses extremely granular access controls for administration, which creates separation of duties using least-privileged, role-based access levels. All administrative accesses to WebEx Connect IM file systems and data are logged and reviewed to ensure compliance with the policies and role definitions.
- File separation – Files from different companies are stored on separate physical disks or isolated using logical unit numbers (LUNs).
- Host hardening – Cisco’s host-hardening practices provide additional security for WebEx Connect IM data. Each server build is based on a minimal installation of the Linux operating system, and hardened based on guidance from Security Technical Implementation Guides (STIGs) published by the National Institute of Standards and Technology (NIST). Extraneous tools, libraries, and files have been removed to reduce the likelihood of system vulnerabilities and system misuse. As with all CSG product resources, user access is strictly limited. All systems undergo a thorough security review and acceptance validation prior to production deployment, as well as regular ongoing hardening and vulnerability assessment.
- Data removal – Since data is stored in a limited number of systems, complete removal (with no associated remnant backup data) is guaranteed at the request of the customer. Accidental deletions can be restored during a period specified by the customer.
- Restricted use – WebEx Connect IM data is never crawled or indexed for analysis.

Redundancy

Any failure of an individual server in a group initiates transparent routing of requests to other available servers within the WebEx Collaboration Cloud. Failure of an individual server is detected by the regular load-balancing check; individual servers are also monitored by the WebEx Network Operations Center.

Cisco’s redundant and high-performance failsafe solutions within and between data centers contribute to the high availability of the service. Block-level replication of data across servers and data centers speeds fault and disaster recovery in the event of system failures, power outages, and other events that can affect entire sites or geographies.

Data backup and disaster recovery

WebEx Connect IM offloads the need for IT organizations to manage project data. The elimination of backup tapes alone (all backups are carried out as disk-to-disk saves) significantly decreases the risk of data loss. Service-level agreements (SLAs) include up-time guarantees and allow IT to specify the requirements and to cost-effectively provide reliable collaboration services and uninterrupted access to project data throughout the organization. Backup processes within the Cisco data centers are split into two categories: global site backups, and file backups.

Global site backups provide recovery in the event of large-scale incidents such as power outages, natural disasters, service capacity overload, or network capacity overload. The WebEx Collaboration Cloud architecture supports manual backups for scheduled maintenance and automatic real-time failover of traffic in the event of an outage or capacity issue. Tiered backups involve both online (Tier 1) and offline (Tier 2) saves, and data is stored in two geographically dispersed data centers (Mountain View, California and Denver, Colorado). Global site backups are carried out as follows:

- One snapshot is taken daily; multiple snapshots are retained on Tier 1 storage.
- One snapshot is taken daily and stored to Tier 2 storage; multiple snapshots are retained on Tier 2.

Database and file replications are carried out to ensure data consistency. An automated sync mechanism ensures that databases and files are always synchronized. An on-demand restoration can be carried out to restore a database or file system in the event of user error or location-related issues. Even in the case of a location outage, the sync replication mechanism can be restarted and instantly synchronizes the data. Databases and files are backed up as follows:

- Snapshots are taken daily on primary/active sites; multiple snapshots are retained on Tier 1 storage as well as on Tier 2 storage.
- Databases are archived daily on Tier 2 storage; the number of days of retention is configured to meet customer requirements.
- A daily backup of all databases is also created, and multiple backups stored in Tier 1 storage.

Protecting Data in Motion

Figure 2. The Cisco WebEx Collaboration Cloud.

Data flows between WebEx Connect IM clients and the WebEx Collaboration Cloud (see Figure 2) using 128-bit encrypted Secure Socket Layer (SSL) connections. This transport layer security can also utilize 256-bit Advanced Encryption Standard (AES) protection, and sessions can be configured to be fully encrypted end to end. Conferencing and instant messaging traffic is switched, so data flows are not persistent. File transfers through the IM client are also encrypted.

Standard SSL encryption is used when communicating with non-WebEx Connect IM clients (AES encryption is not an option in these cases).

For customers who take advantage of the ability to integrate WebEx Connect IM with Cisco Unified Communications Manager, transport security for VoIP is managed by the integrated security capabilities of the Cisco Unified Communications Manager functionality.

Restricting access

Each WebEx Connect IM user has a unique access identity, including a user identity (ID) and password. To simplify access to WebEx Connect IM and other WebEx services such as WebEx Meeting Center, Cisco supports federated authentication for user Single Sign-On (SSO) using Security Assertion Markup Language (SAML) and WS-Fed protocols.

Customers retain complete ownership of user names and passwords. Administrators can manage accounts and password strength, password aging, and account deactivations. In accordance with requirements for compliance with the Sarbanes-Oxley Act (Section 404, access management), the Health Insurance Portability and Accountability Act (HIPAA), and other regulations, WebEx Connect IM has adopted strict guidelines for passwords:

- Passwords must be eight characters in length.
- Passwords must contain both upper- and lower-case letters, mixed with numbers and symbols (!, @, #, ).
- Passwords cannot be reused over the course of five password changes.
- Passwords must be changed at specified intervals.

Cross-company federations

WebEx Connect IM supports Security Assertion Markup Language (SAML) for user authentication. This extends authentication beyond WebEx Connect IM to other WebEx services as well as federated application domains that support CA SiteMinder or Microsoft Active Directory.

WebEx Connect IM supports native presence and IM federation with other XMPP-based clients such as GoogleTalk or Adium. WebEx Connect IM can also federate with the AIM network, IBM SameTime (if the company has deployed the SameTime XMPP gateway), and Microsoft Office Communication Server (if the company has deployed the OCS XMPP gateway). For a list of XMPP clients, visit www.xmpp.org. While IM and presence across other IM clients are supported, other WebEx Connect IM capabilities are not, including Spaces, file transfer, audio/video conferencing and desktop sharing.

Managing policies

Policies are used to manage and enforce corporate rules governing all aspects of collaboration. IT can take advantage of granular controls to grant access to specific services and data based on roles, groups, or the needs of a particular individual. WebEx Connect IM also gives IT the ability to manage collaboration privileges and to enforce enterprise security policies.

The WebEx Connect IM organizational administration interface simplifies policy definition and management, and also gives IT the ability to selectively enable or disable WebEx Connect IM and some individual features such as external communication, file sharing or rich media such as video or audio conferencing.

For instant messaging, WebEx Connect IM utilizes a network-based policy model. Policies can be applied to the user, group, and organization levels to control the features that are available to individual users. The network-based policies enforce a system-wide identity, and policies follow users to wherever they are located, including accessing the features from outside of the company network.

For example, using WebEx Connect IM instant messaging:

- There are policies to control whether users can send instant messages to people outside of the company.
- External users must request permission to add a user to their contact list.
- Instant messaging can be protected using AES end-to-end encryption.

Supporting user-based controls

Each user also has the ability to control some collaboration parameters. For example, a user’s presence information can only be followed by those people authorized by the user. IT can grant privileges based on the user’s affiliations and roles in the organization.

Compliance and third-party audits

Cisco has a dedicated security department, which reports directly to the CIO of the Cisco Collaboration Software Group (CSG) and the Corporate Security Office. The combined team reco
