skypeshield - securing skype for business
TRANSCRIPT
Leading Skype for Business Security
http://AGATSoftware.com
V6
http://SkypeShield.com
Slide 2
Background & Overview
Connecting external devices (mobile/computers) to the corporate network raises security risks related the Active Directory exposure.
Typically there is no control over apps installed on employees’ smartphones and the networks that these devices are connected to.
SkypeShield is a server side solution with not additional client install supporting all devices.
Slide 3
SkypeShield high level feature list
Two Factor Authentication – Add the device as the second factor for authentication. Protect both SfB & Exchange EWS
Account lockout protection – Block attacks sending failed login attempts to authentication service
Device Access Control – manage devices connected using device enrollment process
MDM binding – Verify only devices that are managed by MDM can connect to SfB server
Slide 4
SkypeShield feature list (cont)
Active Directory credential protection – Avoid using domain password by creating dedicated app password
Federation Ethical Wall- granular policy control based on users/groups/domain for each modality (IM, File sharing, Application sharing, Audio, Video, meetings)
RSA integration – Use RSA authentication code instead of domain password
VPN traffic splitter – Split authentication from SIP to allow secure and efficient deployment over VPN
Slide 5
Two Factor authenticationBased on end point ID sent by clientSeveral registration/ enrolment options to enforce access
control policy based on matching the device and the user.Protects both Skype for Business & Exchange (EWS) –
blocking any request passing to network servers unless coming from an approved device
Slide 6
Access Control – EnrollmentSupport several access control policies:
Automatic Registration – Device ID is registered upon first use of account.
Two steps registration process: Self Service / Two Step Registration – User registers on
internal site and then must sync within a defined time frame to complete registration.
Admin Manual Enrollment – Admin management of user list using training mode and rejected auditing list.
Slide 7
Two Step Registration
Slide 8
Two Factor Authentication architecture
Slide 9
Access Portal main SettingsView approved & blocked devicesRestrict registration and ongoing connection by IP rangeAccess Rule black / White listAllow / Block guest usersFilter by device type & OSAllow / Block Web app loginDefine number of devices per userRegistration policy (Two steps/ Manual/ Automatic)Failed login auditing & Soft Lockout management
Slide 10
Access Portal main Settings (cont)
Require re-authentication by time -Session terminationSave password policy management Multi LDAP support (for HA & distributed implantation) Support of Multi level admin management Web service for external event to lock/ approve
device/userHouse keeping serviceNotification settingsReports & Search
Slide 11
Access Portal admin control
Slide 12
Account Lockout protectionAccount lockout can be the result of the following:
The user changed the Active Directory password, but did not change the settings on the device.
The username (without the password) being obtained by a hacker who tried to log in several times
DDoS , Dos , brute force attacks- Such attacks can result in the network becoming unavailable
Slide 13
Account lockout protection (cont)
SkypeShield blocks the failed attempts on the gateway server side, before reaching the Active Directory
SkypeShield offers a multi-site defense approach covering all authentication channels
Unified solution that protects all distributed resources.Failed attempts are counted and stored in a central
database table which is shared by all SkypeShield components.
Slide 14
MDM bindingSkypeShield can limit the usage of Lync to managed
devices only – devices with MDMCompatible with any MDM solution supporting one of
the following capabilities:Certificate enrollmentApplication management (MAM)VPN triggering / control
These are available from most of the vendors around the market including Microsoft Intune, AirWatch, MobileIron, MASS360, Good, XenMobile and more.
Slide 15
SkypeShield MDM app
Slide 16
VPN support for Skype for Business
MSFTs recommendation is to keep all voice and video traffic going through the Edge and not over the VPN
SkypeShield offers an Hybrid solution requiring the authentication to be done over VPN and routing the Video/Audio to go through the Edge over the internet.
Does not require VPN splitting
Slide 17
Lync traffic splitting over VPN
Slide 18
Federation Ethical WallSolves ethical and compliance regulations , security and
data protection issuesApply federation policies based on specific users , groups
and domains/companiesSpecific modality policy control- IM, File transfer,
Meeting, Audio, VideoEnforces policy in the DMZ and blocks non-approved
traffic
Slide 19
Federation Ethical wall
Slide 20
AD credential protectionSkypeShield introduces a new approach for protecting
the Active Directory credentialsWith SkypeShield the connection to Skype is done by
using App dedicated Skype credentials that are created by the user rather than the regular network Active Directory credential
SkypeShield completely eliminates the need to store Active Directory passwords on the device
Supports work against Exchange & Skype with one App credentials
Slide 21
Active Directory App login
The user creates dedicated Skype credentials on a self service internal web site for use on device, instead of Active Directory credentials.
Slide 22
Skype App credentials architecture
Slide 23
Mobile Smart Card solution
Many organizations that smart card for network login do not have a username and password for Active Directory.
SkypeShield allows the usage of Skype without the need to manage Active Directory credentials.
With the dedicated login solution, the user logs into the Access Portal authenticating with his smart card from his network computer and creates dedicated Skype for Business credentials for use on the mobile device.
Slide 24
RSA integrationMobile users enter their RSA Token authentication code
instead of Active Directory passwordSkypeShield verifies password
against RSA Authentication Manager and impersonate user against Skype
Desktop users Authenticate in web site from Browser and than can login from Skype desktop client
Slide 25
Product architecture - Bastion Proxy SkypeShield solution offers as part of the solution the
dedicated reverse proxy Bastion developed by AGAT.The SkypeShield filters are plugged into Bastion to extend
access control and content filtering capabilitiesCross-platform- Windows / LinuxScalable Event-Driven Architecture.Can publish multiple servers in parallel/ mulita channels. Highly efficient asynchronous architecture. Supports high availability deployment
Slide 26
Bastion (cont) Main characteristics :
Geared towards full-featured HTTP filtering.HTTPS - Decrypt SSLSupports many HTTP scenarios: Chunked, gzip and deflate
Transfer-EncodingsPipelining.
Supports filtering content, blocking content or generating proxy responses anytime during the filtering chain (unlike TMG and UAG).
Slide 27
Skype for Business SIEM Security Information Event Management Security alerts based on geolocation information and
behavior profiling Skype for Business Application Firewall-
Sanitize all non authenticated requests in DMZ: Verify request type, content type headers, content length,
URL validation, validate request structure, characters etc.Break any direct request to enter domain- session
termination
SkypeShield Road map
Slide 28
SkypeShield Road map (cont)
Soft token TFA Authentication (Google authenticator / Azure authenticator) for : Lync on premiseLync online (Office 365)
DLP engine Apply content rules policy on IM dataExamples of content handled in messages:
Social security numbers Credit card numbers ID numbers
Slide 29
AGAT products- OverviewAGAT Software is a company focusing on security
solutions for authentication and content filtering while externally connecting devices to company network.
The companies Mobility-Shield core product suite secures applications such as Skype and other apps based on Active Directory authentication like outlook.
SkypeShield is part of MobilityShield AGAT’s Security suite.
AGAT also offers secure browser and digital signature mobile applications for mobile PKI requirements.
Slide 30
To learn more about our solutions please visit our website at
http://SkypeShield.comhttp://AGATSoftware.com