Transcript

Slide 1
Secure Lync mobile Authentication
http://www.mobility-shield.com
http://LyncShield.com
V3

Background & Overview
Connecting external devices (mobile/computers) to the corporate network raises security risks related to Active Directory exposure. Typically there is no control over the apps installed on employees' smartphones or the networks these devices are connected to. LyncShield is a server-side solution with no additional client install, supporting all devices.

Slide 2
Security issues and solutions
Problem: Connecting non-authorized devices. Solution: Two Factor Authentication.
Problem: Active Directory password leakage. Solution: Avoid AD credentials on the device (dedicated log in).
Problem: Account lockout / DDoS protection. Solution: Blocking false authentication attempts in the DMZ proxy before they reach the Active Directory.
Problem: Limit usage to managed devices. Solution: Several device registration options, working with or without MDM solutions.
All the solutions are available for both mobile devices and external PCs/laptops.

Slide 3
[1] Two Factor Authentication
Based on a Device ID sent by the client.
Several registration/enrolment options to enforce an access control policy based on matching the device and the user.
Protects both Lync & Exchange (EWS): blocks any request passing to network servers unless it comes from an approved device.

Slide 4
Access Control – Enrollment
Supports several access control policies:
Automatic Registration – the Device ID is registered upon first use of the account.
Two-step registration process: Self Service / Two Step Registration – the user registers on an internal site and then must sync within a defined time frame to complete registration.
Admin Manual Enrollment – admin management of the user list using training mode and a rejected auditing list.
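The three enrollment policies of Slides 3-4 expressed as a gateway-side decision routine. This is an added example, not LyncShield's own code; the class and method names, the per-user device limit and the two-step registration window are assumptions.

```python
# Added example (not LyncShield code): a gateway-side Device ID check that
# implements the automatic, two-step and manual enrollment policies.
# Names, the registration window and the per-user device limit are assumed.
AUTOMATIC, TWO_STEP, MANUAL = "automatic", "two_step", "manual"


class DeviceEnrollment:
    def __init__(self, policy, max_devices=1, window_seconds=3600):
        self.policy = policy
        self.max_devices = max_devices        # "Define number of devices per user"
        self.window = window_seconds          # two-step: time allowed to sync
        self.approved = {}                    # user -> set of approved device IDs
        self.pending = {}                     # user -> deadline for the sync step
        self.rejected = []                    # audit list of blocked attempts

    def self_register(self, user, now):
        """Step 1 of two-step registration: user registers on the internal site."""
        self.pending[user] = now + self.window

    def admin_approve(self, user, device_id):
        """Manual enrollment: an admin binds a device to a user."""
        self.approved.setdefault(user, set()).add(device_id)

    def allow(self, user, device_id, now):
        """Decide whether a request carrying this Device ID may pass to Lync/EWS."""
        devices = self.approved.setdefault(user, set())
        if device_id in devices:
            return True                      # already bound to this account
        if self.policy == AUTOMATIC and len(devices) < self.max_devices:
            devices.add(device_id)           # registered on first use of the account
            return True
        if self.policy == TWO_STEP:
            deadline = self.pending.pop(user, None)
            if deadline is not None and now <= deadline:
                devices.add(device_id)       # sync arrived inside the window
                return True
        # MANUAL policy, unknown device, or expired window: block and audit
        self.rejected.append((user, device_id, now))
        return False
```

Times are plain integer seconds so the routine can be exercised without a clock; the rejected list is what an admin would review as the "rejected auditing list".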
Slide 5
Two Step Registration

Slide 6
Two Factor Authentication architecture

Slide 7
Access Portal main Settings
View approved & blocked users
Restrict registration and ongoing connection by IP range
Allow / Block Web app login
Access Rule black / white list
Allow / Block guest users
Filter by device type & OS
Define number of devices per user
Failed login auditing

Slide 8
Access Portal main Settings (cont.)
Soft Lockout management and manual release
Session termination management
Save password policy management
Multi LDAP support (for HA & distributed implementation)
Registration policy (Two step / Manual / Automatic)
Support of multi-level admin management
Reports & Search
Notification settings
VPN configuration

Slide 9
Access Portal admin control

Slide 10
[2] AD credential protection approach
LyncShield introduces a new approach for protecting the Active Directory credentials.
With LyncShield the connection to Lync is made using app-dedicated Lync credentials created by the user, rather than the regular network Active Directory credentials.
LyncShield completely eliminates the need to store Active Directory passwords on the device.
Supports working against Exchange & Lync with one set of app credentials.

Slide 11
Active Directory App login
The user creates dedicated Lync credentials on a self-service internal web site for use on the device, instead of Active Directory credentials.

Slide 12
Lync App credentials architecture

Slide 13
Mobile Smart Card solution
Many organizations that use smart cards for network login do not have a username and password for Active Directory. LyncShield allows the use of Lync without the need to manage Active Directory credentials. With the dedicated login solution, the user logs into the Access Portal, authenticating with his smart card from his network computer, and creates dedicated SharePoint credentials for use on the mobile device.
Slide 14
RSA integration
Mobile users: enter their RSA Token authentication code instead of the Active Directory password. LyncShield verifies the password against RSA Authentication Manager and impersonates the user against Lync.
Desktop users: authenticate in the web site from a browser and then can log in from the Lync desktop client.

Slide 15
[3] Account Lockout protection
Account lockout can be the result of the following:
The user changed the Active Directory password but did not change the settings on the device.
The username (without the password) being obtained by a hacker who tried to log in several times.
DDoS, DoS and brute force attacks – such attacks can result in the network becoming unavailable.

Slide 16
Account lockout protection (cont.)
LyncShield blocks the failed attempts on the gateway server side, before they reach the Active Directory.
LyncShield offers a multi-site defense approach covering all authentication channels.
Unified solution that protects all distributed resources.
Failed attempts are counted and stored in a central database table which is shared by all LyncShield components.

Slide 17
VPN support for Lync
MSFT's recommendation is to keep all voice and video traffic going through the Edge and not over the VPN.
LyncShield offers a hybrid solution requiring the authentication to be done over VPN and routing the video/audio through the Edge over the internet.
Does not require VPN splitting.

Slide 18
Lync traffic splitting over VPN

Slide 19
MDM binding
LyncShield can limit the usage of Lync to managed devices only – devices with MDM.
Compatible with any MDM solution supporting one of the following capabilities:
Certificate enrollment
Application management (MAM)
VPN triggering / control
These are available from most of the vendors on the market, including AirWatch, MobileIron, MaaS360, Good, XenMobile and more.
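A minimal gateway-side version of the Slide 15-16 mechanism (failed attempts counted in a shared table, soft-locked users refused in the DMZ so the directory never sees the attempt, admin manual release as on Slide 8). This is an added example rather than LyncShield's own code; the threshold of three failures in ten minutes, the table layout and the names are assumptions.

```python
import sqlite3

# Added example (not LyncShield code): a DMZ-gateway soft-lockout counter.
# Failures go to a shared SQLite table so every gateway component sees the
# same count; threshold, window and table layout are assumptions.

class LockoutGuard:
    def __init__(self, conn, threshold=3, window_seconds=600):
        self.conn = conn                  # the "central database table" (shared)
        self.threshold = threshold
        self.window = window_seconds
        conn.execute("CREATE TABLE IF NOT EXISTS failures (user TEXT, ts INTEGER)")

    def is_locked(self, user, now):
        """Soft lockout: too many recent failures inside the sliding window."""
        row = self.conn.execute(
            "SELECT COUNT(*) FROM failures WHERE user = ? AND ts > ?",
            (user, now - self.window)).fetchone()
        return row[0] >= self.threshold

    def release(self, user):
        """Admin manual release: forget the user's failed attempts."""
        self.conn.execute("DELETE FROM failures WHERE user = ?", (user,))

    def authenticate(self, user, password, now, directory_bind):
        """Only forwards to the directory when the user is not soft-locked."""
        if self.is_locked(user, now):
            return "blocked_in_dmz"       # AD lockout counter never incremented
        if directory_bind(user, password):
            self.release(user)            # success clears the counter
            return "ok"
        self.conn.execute("INSERT INTO failures VALUES (?, ?)", (user, now))
        return "bad_credentials"


def demo():
    """Constructed scenario: five bad guesses for 'alice', then admin release."""
    directory_calls = []

    def fake_directory_bind(user, password):   # stand-in for the real AD bind
        directory_calls.append(user)
        return password == "correct-horse"

    guard = LockoutGuard(sqlite3.connect(":memory:"))
    results = [guard.authenticate("alice", "guess%d" % i, 1000 + i,
                                  fake_directory_bind) for i in range(5)]
    guard.release("alice")
    results.append(guard.authenticate("alice", "correct-horse", 1010,
                                      fake_directory_bind))
    return results, len(directory_calls)
```

In the constructed run the directory is bound only four times: the fourth and fifth guesses are stopped at the gateway, so they cannot push the Active Directory lockout counter.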
Slide 20
LyncShield Road map
App based MDM binding
Client side app – Lync Launcher
Verify that only managed devices with MDM can connect to the Lync company infrastructure
Federation Firewall
Access rules based on Active Directory group membership
General access control
Specific operations such as file sharing
Privacy

Slide 21
LyncShield Road map (cont.)
Support Skype for Business
Lync Firewall
Sanitize all non-authenticated requests in the DMZ
Break any direct request to enter the domain
Google Authenticator Two Factor Authentication for Lync on premise
Lync online (Office 365)

Slide 22
Bastion
Reverse proxy forwarding traffic to the configured backend servers.
Cross-platform: Windows / Linux.
Pluggable filtering architecture.
Filters HTTP(S).
Scalable event-driven architecture.
Can publish multiple servers in parallel.
Highly efficient asynchronous architecture.
Bi-directional content filtering.

Slide 23
Bastion (cont.)
Geared towards full-featured HTTP filtering. Most reverse proxy solutions are geared towards web acceleration.
Supports many HTTP features and scenarios: chunked, gzip and deflate Transfer-Encodings; pipelining.
Supports filtering content, blocking content or generating proxy responses at any time during the filtering chain (unlike TMG and UAG).

Slide 24
AGAT Security suite - Overview
LyncShield and MobilityShield are part of AGAT's Security suite. AGAT Security suite is a set of unique components that allow extending Forefront (ISA/TMG, IAG/UAG) functionality to solve complex architectures and requirements, typically implemented in large, complex and well-secured networks. The solution is also available on the Bastion reverse proxy without the use of Forefront.

Slide 25
To learn more about our solutions please visit our website at http://www.mobility-Shield.com
[email protected]

Slide 26