Secure Lync mobile Authentication

Secure Lync mobile Authentication
http://www.mobility-shield.com
http://LyncShield.com
V5
Background & Overview
- Connecting external devices (mobile/computers) to the corporate network raises security risks related to exposing the Active Directory.
- Typically there is no control over the apps installed on employees' smartphones or over the networks these devices are connected to.
- LyncShield is a server-side solution with no additional client install, supporting all devices.
Slide 2
Security requirement and solutions

| Requirement | Solution |
|---|---|
| Secure external authentication | Two Factor Authentication based on adding the device factor |
| Protect the Active Directory password from leaking | Avoid AD credentials on the device: dedicated App credentials login |
| Protect against account lockout & DDoS attacks | Soft lockout in the DMZ, blocking false authentication attempts from reaching the Active Directory |
Slide 3
Security issues and solutions (cont)

| Requirement | Solution |
|---|---|
| Limit Lync to approved / corporate devices | Control device registration by certificate or manually by the admin |
| Limit Lync to devices with MDM | Bind Lync usage to MDM control |

All the solutions are available for both mobile devices and external PCs / laptops.
Slide 4
[1] - Two Factor authentication
- Based on the Device ID sent by the client.
- Several registration / enrolment options to enforce an access control policy based on matching the device and the user.
- Protects both Lync & Exchange (EWS): any request to the network servers is blocked unless it comes from an approved device.
Slide 5
Access Control – Enrollment
- Supports several access control policies:
  - Automatic Registration: the Device ID is registered upon first use of the account.
  Two step registration process:
  - Self Service / Two Step Registration: the user registers on an internal site and then must sync within a defined time frame to complete the registration.
  - Admin Manual Enrollment: the admin manages the user list using training mode and the rejected-devices auditing list.
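The three enrollment policies above, as an added example that is not LyncShield's own code: a gateway-side device registry that decides, from the Device ID the client sends, whether a request may be forwarded for that user. The policy names, the sync time frame, the per-user device limit and the sample users are assumptions.

```python
from dataclasses import dataclass, field

# Registration policies from the slide; the constant names are assumptions.
AUTOMATIC, TWO_STEP, MANUAL = "automatic", "two_step", "manual"


@dataclass
class DeviceRegistry:
    """Gateway-side registry of device IDs per user (all values here are constructed)."""
    policy: str
    two_step_window: float = 600.0     # seconds a user has to sync after self-registering (assumed)
    max_devices_per_user: int = 2      # "number of devices per user" setting (assumed value)
    approved: dict = field(default_factory=dict)   # user -> set of approved device IDs
    pending: dict = field(default_factory=dict)    # user -> deadline of a self-service registration
    rejected: list = field(default_factory=list)   # audit list of blocked (user, device_id, reason)

    def self_register(self, user: str, now: float) -> None:
        """Step 1 of two-step registration: the user signed up on the internal site."""
        self.pending[user] = now + self.two_step_window

    def admin_approve(self, user: str, device_id: str) -> None:
        """Manual enrollment: the admin approves a device from the auditing list."""
        self.approved.setdefault(user, set()).add(device_id)

    def check(self, user: str, device_id: str, now: float) -> bool:
        """Device factor: may this device ID carry requests for this user?"""
        devices = self.approved.setdefault(user, set())
        if device_id in devices:
            return True
        if len(devices) >= self.max_devices_per_user:
            self.rejected.append((user, device_id, "device limit reached"))
            return False
        if self.policy == AUTOMATIC:
            devices.add(device_id)          # first use of the account enrolls the device
            return True
        if self.policy == TWO_STEP and self.pending.get(user, 0.0) > now:
            devices.add(device_id)          # step 2: the sync arrived inside the time frame
            del self.pending[user]
            return True
        self.rejected.append((user, device_id, "device not enrolled"))
        return False
```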
Slide 6
Two Step Registration
Slide 7
Two Factor Authentication architecture
Slide 8
Access Portal main Settings
- View approved & blocked devices
- Restrict registration and ongoing connections by IP range
- Access rule black / white list
- Allow / block guest users
- Filter by device type & OS
- Allow / block Web app login
- Define the number of devices per user
- Registration policy (Two step / Manual / Automatic)
- Failed login auditing & soft lockout management
Slide 9
Access Portal main Settings (cont)
- Require re-authentication by time (session termination)
- Save-password policy management
- Multi-LDAP support (for HA & distributed implementations)
- Support for multi-level admin management
- Web service for external events to lock / approve a device or user
- Housekeeping service
- Notification settings
- Reports & search
Slide 10
Access Portal admin control
Slide 11
[2]- AD credential protection approach
- Lync Shield introduces a new approach to protecting the Active Directory credentials.
- With Lync Shield the connection to Lync is made using dedicated App Lync credentials created by the user, rather than the regular network Active Directory credentials.
- Lync Shield completely eliminates the need to store Active Directory passwords on the device.
- Supports working against both Exchange & Lync with one set of App credentials.
Slide 12
Active Directory App login
- The user creates dedicated Lync credentials on a self-service internal web site for use on the device, instead of the Active Directory credentials.
Slide 13
Lync App credentials architecture
Slide 14
Mobile Smart Card solution
- Many organizations that use smart cards for network login do not have a username and password for Active Directory.
- LyncShield allows the usage of Lync without the need to manage Active Directory credentials.
- With the dedicated login solution, the user logs into the Access Portal authenticating with his smart card from his network computer and creates dedicated SharePoint credentials for use on the mobile device.
Slide 15
RSA integration
- Mobile users enter their RSA Token authentication code instead of the Active Directory password.
- LyncShield verifies the password against RSA Authentication Manager and impersonates the user against Lync.
- Desktop users authenticate on the web site from a browser and can then log in from the Lync desktop client.
Slide 16
[3]- Account Lockout protection
- Account lockout can be the result of the following:
  - The user changed the Active Directory password but did not change the settings on the device.
  - A hacker obtained the username (without the password) and tried to log in several times.
  - DDoS, DoS and brute force attacks: such attacks can result in the network becoming unavailable.
Slide 17
Account lockout protection (cont)
- LyncShield blocks the failed attempts on the gateway server side, before they reach the Active Directory.
- LyncShield offers a multi-site defense approach covering all authentication channels.
- Unified solution that protects all distributed resources.
- Failed attempts are counted and stored in a central database table which is shared by all LyncShield components.
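The soft lockout described above, as an added example that is not LyncShield's own code: the gateway keeps a failed-attempts table (an SQLite table standing in for the shared central database) and stops forwarding credentials to the directory once the count passes a threshold, so the directory's own hard lockout is never tripped by the attempts. The threshold, the lock window and the FakeDirectory stand-in for Active Directory are assumptions.

```python
import sqlite3

SOFT_LOCKOUT_THRESHOLD = 5     # failed attempts before the gateway stops forwarding (assumed value)
SOFT_LOCKOUT_WINDOW = 900.0    # seconds a soft lock lasts; also the counting window (assumed value)


class FakeDirectory:
    """Constructed stand-in for Active Directory that counts the password checks it receives."""
    def __init__(self, passwords: dict):
        self.passwords, self.checks = passwords, 0

    def verify(self, user: str, password: str) -> bool:
        self.checks += 1
        return self.passwords.get(user) == password


def open_shared_table(path: str = ":memory:") -> sqlite3.Connection:
    """The central failed-attempts table; all gateway components would share one database."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS failed_auth "
               "(user TEXT PRIMARY KEY, count INTEGER NOT NULL, last_fail REAL NOT NULL)")
    return db


def is_soft_locked(db: sqlite3.Connection, user: str, now: float) -> bool:
    row = db.execute("SELECT count, last_fail FROM failed_auth WHERE user = ?", (user,)).fetchone()
    if row is None:
        return False
    count, last_fail = row
    if now - last_fail > SOFT_LOCKOUT_WINDOW:          # lock expired: forget the old failures
        db.execute("DELETE FROM failed_auth WHERE user = ?", (user,))
        return False
    return count >= SOFT_LOCKOUT_THRESHOLD


def record_failure(db: sqlite3.Connection, user: str, now: float) -> None:
    db.execute("INSERT OR IGNORE INTO failed_auth VALUES (?, 0, ?)", (user, now))
    db.execute("UPDATE failed_auth SET count = count + 1, last_fail = ? WHERE user = ?", (now, user))


def gateway_authenticate(db, user: str, password: str, directory, now: float):
    """DMZ-side check: credentials go to the directory only while the account is not
    soft-locked, so repeated bad attempts never reach the directory's hard lockout counter."""
    if is_soft_locked(db, user, now):
        return False, "soft-locked in DMZ"
    if directory.verify(user, password):
        db.execute("DELETE FROM failed_auth WHERE user = ?", (user,))   # success clears the count
        return True, "ok"
    record_failure(db, user, now)
    return False, "bad credentials"
```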
Slide 18
[5] MDM binding
- LyncShield can limit the usage of Lync to managed devices only (devices with MDM).
- Compatible with any MDM solution supporting one of the following capabilities:
  - Certificate enrollment
  - Application management (MAM)
  - VPN triggering / control
- These are available from most of the vendors on the market, including Microsoft Intune, AirWatch, MobileIron, MaaS360, Good, XenMobile and more.
Slide 19
LyncShield MDM app
Slide 20
VPN support for Lync
- MSFT's recommendation is to keep all voice and video traffic going through the Edge and not over the VPN.
- LyncShield offers a hybrid solution: authentication is required to be done over the VPN, while video/audio is routed through the Edge over the internet.
- Does not require VPN splitting.
Slide 21
Lync traffic splitting over VPN
Slide 22
Product architecture - Bastion Proxy
- As part of the solution, LyncShield offers the dedicated reverse proxy Bastion, developed by AGAT.
- The LyncShield filters are plugged into Bastion to extend its access control and content filtering capabilities.
- Cross-platform: Windows / Linux
- Scalable event-driven architecture.
- Can publish multiple servers in parallel / multiple channels.
- Highly efficient asynchronous architecture.
- Supports high availability deployment.
Slide 23
Bastion (cont)
- Main characteristics:
  - Geared towards full-featured HTTP filtering.
  - HTTPS: decrypts SSL.
  - Supports many HTTP scenarios: chunked, gzip and deflate transfer encodings.
  - Pipelining.
  - Supports filtering content, blocking content or generating proxy responses at any point in the filtering chain (unlike TMG and UAG).
Slide 24
LyncShield Road map
- Federation Firewall
- Access rules based on Active Directory group membership
- General access control
- Specific operations such as file sharing
- Privacy
- Lync SIEM - Security Information and Event Management
- Security alerts based on geolocation information and usage patterns
Slide 25
LyncShield Road map (cont)
- Lync Application Firewall: sanitize all non-authenticated requests in the DMZ. Verify the request type, content-type headers, content length, URL validation, request structure, characters etc.
- Break any direct request to enter the domain: session termination.
- Google Authenticator Two Factor Authentication for:
  - Lync on premise
  - Lync online (Office 365)
Slide 26
LyncShield Road map (cont)
- DLP engine
  - Apply content rules policy on IM data
  - Examples of content handled in messages:
    - Social security numbers
    - Credit card numbers
    - ID numbers
- Support Skype for Business
  - Ongoing as MS releases new clients
Slide 27
AGAT products- Overview
- AGAT Software is a company focusing on security solutions for authentication and content filtering when devices connect externally to the company network.
- The company's Mobility-Shield core product suite secures applications such as Skype / Lync / SharePoint and other apps based on Active Directory authentication.
- LyncShield is part of MobilityShield, AGAT's security suite.
- AGAT also offers secure browser and digital signature mobile applications for mobile PKI requirements.
Slide 28
To learn more about our solutions please visit our website at
http://mobility-shield.com
http://LyncShield.com
http://AGATSoftware.com
[email protected]
Slide 29