Published by Hector Harrison. Modified over 9 years ago.
Slide 1: Sessions about to start – Get your rig on!
Slide 2: Addressing Lync 2013 Security aspects
Vakhtang Assatrian, Asia Time Zone Communications TSP Lead, Microsoft Worldwide Productivity Team. Session OSS411.
Slide 8: Secure by default
- All communications are secured by default, including signaling (Session Initiation Protocol, SIP), media (Secure Real-time Transport Protocol, SRTP), content and web traffic (HTTPS), and inter-server traffic (server/server, server/client, client/client). An admin must change the configuration to disable this, if needed. It can be disabled only for interoperability traffic; inter-server traffic cannot be unsecured.
- No accounts are enabled by default; enabling an account requires admin interaction.
- No users are admin by default; no groups are ever added to the admin groups, not even the enterprise admin groups.
- External access is disabled by default; this covers mobile devices, devices at home, and federated partners.
- PINs are required on phones; users must configure a PIN on the phones they use.
- Built-in limits ease the load on Edge Servers: federated partners can send only 20 messages per second, and if spam is detected this is reduced to one message per second.
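The per-partner limit on this slide (20 messages per second, cut to 1 per second once spam is detected) combined with the Edge throttling heuristic from slide 49 (throttle a partner whose failure/success ratio for IM becomes too high) can be modelled as a token bucket whose refill rate depends on the partner's spam flag. The code below is an added illustration written for this page, not Lync's implementation; the 50-message window and the 50% failure threshold are constructed values, and the partner names and clock are constructed too.

```python
import time
from collections import defaultdict


class FederationThrottle:
    """Per-federated-partner token bucket in the spirit of slide 8's Edge limits.

    Added illustration, not Lync code: a partner normally gets 20 messages per
    second; once spam is detected for that partner the allowance drops to
    1 message per second.  Spam detection follows slide 49's heuristic: flag a
    partner whose failure/success ratio for IM becomes too high.
    """

    NORMAL_RATE = 20.0        # messages per second (slide 8)
    SPAM_RATE = 1.0           # messages per second once spam is detected (slide 8)
    WINDOW = 50               # constructed: outcomes needed before judging a partner
    MAX_FAILURE_RATIO = 0.5   # constructed: failures / total above this => spam

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}                                 # partner -> (tokens, last_refill)
        self.spam_flagged = set()
        self.outcomes = defaultdict(lambda: [0, 0])       # partner -> [failures, successes]

    def rate_for(self, partner):
        return self.SPAM_RATE if partner in self.spam_flagged else self.NORMAL_RATE

    def allow(self, partner):
        """Return True if one more message from `partner` may be accepted right now."""
        now = self.clock()
        rate = self.rate_for(partner)
        tokens, last = self.buckets.get(partner, (rate, now))
        # Refill in proportion to elapsed time, capped at one second's allowance.
        # The cap also bites immediately after a partner is flagged: leftover
        # burst credit from the 20/s regime is discarded.
        tokens = min(rate, tokens + (now - last) * rate)
        if tokens >= 1.0:
            self.buckets[partner] = (tokens - 1.0, now)
            return True
        self.buckets[partner] = (tokens, now)
        return False

    def record_outcome(self, partner, delivered):
        """Record whether an accepted message could be delivered (recipient exists,
        accepts federated IM, ...). Once enough outcomes are known and failures
        dominate, the partner is flagged as spamming. Returns the flag state."""
        counts = self.outcomes[partner]
        counts[1 if delivered else 0] += 1
        total = counts[0] + counts[1]
        if total >= self.WINDOW and counts[0] / total > self.MAX_FAILURE_RATIO:
            self.spam_flagged.add(partner)
        return partner in self.spam_flagged


if __name__ == "__main__":
    # Constructed scenario: a partner bursts 21 messages in the same instant.
    t = FederationThrottle()
    print([t.allow("partner.example") for _ in range(21)].count(True), "of 21 accepted")
```

The `clock` argument exists so the behaviour can be checked deterministically; in production the default monotonic clock is used. Note that flagging does not drop the partner entirely, which matches the slide: traffic continues at the reduced rate rather than being blocked outright.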
Slide 9: Why is a server trusted (and when)?
- The server's fully qualified domain name (FQDN) must match the name in the Lync topology stored in the Central Management Store (CMS).
- The server must present a valid certificate, issued by a trusted Certificate Authority (CA).
- All criteria must be satisfied: if either criterion is missing, the server is not trusted and the connection with it is refused.
- This double requirement prevents a possible, if unlikely, attack in which a rogue server attempts to take over a valid server's FQDN.
Slide 10: No security through obscurity
- All specifications are available on MSDN (Redline documentation).
- Vendors are encouraged to build devices and services that interact with Lync securely: SNOM, Polycom, Lync Room System vendors, AudioCodes, NET, etc.
Slide 13: Client sign-in
1. Alice starts the Lync client and provides her SIP address.
2. The client queries DNS.
3. DNS points to the Lync pool.
4. The Lync client connects to the Lync pool.
5. The server presents its certificate.
6. The client authenticates.
7. A trusted and encrypted connection is established.
Slide 14: Certificate's SN or SAN: Lyncdiscover.contoso.com
The name the client looks up, and expects to find in the server certificate's Subject Name (SN) or Subject Alternative Name (SAN), is Lyncdiscover.contoso.com, derived from the domain part of Alice's SIP address, Alice@contoso.com.
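Slides 9 and 14 describe two uses of the same certificate checks: every peer verifies the issuer, the validity period and that the name it expected matches the certificate's SN or SAN; a server additionally refuses a peer whose FQDN is not in the topology. The code below is an added illustration for this page, not Microsoft's code. It works on a pre-parsed certificate summary (`CertInfo`) rather than real X.509 so it runs offline; the topology list, CA names, certificates and dates are all constructed. Name matching follows the usual DNS-ID rules (case-insensitive; a wildcard covers exactly one left-most label; SAN entries take precedence over the CN when present).

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CertInfo:
    """The fields of an X.509 certificate that the checks below need."""
    subject_cn: str
    issuer: str
    not_before: datetime
    not_after: datetime
    san_dns: list = field(default_factory=list)


def name_matches(pattern, hostname):
    """Case-insensitive DNS-ID match. '*' may stand only for one whole left-most
    label: *.contoso.com matches pool.contoso.com but not a.b.contoso.com,
    contoso.com, or anything under a single-label suffix such as *.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    labels = hostname.split(".")
    return suffix.count(".") >= 1 and len(labels) >= 3 and ".".join(labels[1:]) == suffix


def certificate_names(cert):
    # When dNSName SANs are present they are authoritative; the CN is ignored.
    return cert.san_dns if cert.san_dns else [cert.subject_cn]


def check_certificate(expected_name, cert, trusted_cas, now):
    """Checks every peer makes (the client on slide 14, servers on slide 9):
    trusted issuer, inside the validity period, expected name in SN/SAN.
    Returns the list of failed criteria (empty means the certificate passes)."""
    reasons = []
    if cert.issuer not in trusted_cas:
        reasons.append("certificate issuer is not a trusted CA")
    if not cert.not_before <= now <= cert.not_after:
        reasons.append("certificate is outside its validity period")
    if not any(name_matches(n, expected_name) for n in certificate_names(cert)):
        reasons.append("presented FQDN matches neither SN nor SAN")
    return reasons


def evaluate_server(presented_fqdn, cert, topology_fqdns, trusted_cas, now):
    """Slide 9: a server is trusted only when its FQDN is in the topology (CMS)
    AND its certificate passes check_certificate. Returns (trusted, reasons)."""
    reasons = check_certificate(presented_fqdn, cert, trusted_cas, now)
    if presented_fqdn.lower() not in {t.lower() for t in topology_fqdns}:
        reasons.insert(0, "FQDN is not in the topology (CMS)")
    return (not reasons, reasons)


def discover_host(sip_address):
    """Slide 14: the autodiscover name derived from the SIP address's domain."""
    return "lyncdiscover." + sip_address.rsplit("@", 1)[1].lower()


# Constructed data standing in for the CMS topology, the trusted roots and real certificates.
TOPOLOGY = ["fe01.contoso.com", "pool.contoso.com", "edge.contoso.com"]
TRUSTED_CAS = ["Contoso Enterprise CA"]
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)
_VALID_FROM = datetime(2014, 1, 1, tzinfo=timezone.utc)
_VALID_TO = datetime(2016, 1, 1, tzinfo=timezone.utc)
POOL_CERT = CertInfo("pool.contoso.com", "Contoso Enterprise CA", _VALID_FROM, _VALID_TO,
                     ["pool.contoso.com", "fe01.contoso.com", "lyncdiscover.contoso.com"])
# Slide 9's rogue: it claims a legitimate FQDN but its certificate chains to an unknown CA.
ROGUE_CERT = CertInfo("fe01.contoso.com", "Rogue Root CA", _VALID_FROM, _VALID_TO, ["fe01.contoso.com"])

if __name__ == "__main__":
    print("client check:", check_certificate(discover_host("Alice@contoso.com"), POOL_CERT, TRUSTED_CAS, NOW))
    print("real FE:", evaluate_server("fe01.contoso.com", POOL_CERT, TOPOLOGY, TRUSTED_CAS, NOW))
    print("rogue FE:", evaluate_server("fe01.contoso.com", ROGUE_CERT, TOPOLOGY, TRUSTED_CAS, NOW))
```

The rogue case is the point of slide 9: owning the FQDN (or the DNS record for it) is not enough, because the presented certificate also has to chain to a CA the organisation trusts, and the name has to be one the topology knows.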
Slide 19: Authentication, external Lync client, TLS-DSK
Participants: Lync Client, Reverse Proxy, Edge, Lync Server FE, WebTicket WS, CertProv WS, AD.
1. The client establishes TCP and TLS to the Edge (443/tcp); the Edge connects to the FE (5061/tcp). SIP REGISTER.
2. The FE answers 401: authenticate with certificate (TLS-DSK), and supplies the URL for the CertProv WS.
3. The client establishes TCP and TLS to the Reverse Proxy (443/tcp); the Reverse Proxy connects to the FE (4443/tcp). The client gets the Certificate Service MEX document.
4. The CertProv WS replies that a Web Ticket Security Token is required and supplies the URL for the Web Ticket WS.
5. The client requests the Web-Ticket MEX / Security Token. The Web Ticket WS requests authentication; the client sends its NTLM auth credentials; the FE authenticates them against AD (NTLM/Kerberos auth); auth: success; the Web-Ticket Security Token is returned.
6. The client establishes TCP and TLS (443/tcp to the Reverse Proxy, 4443/tcp to the FE) and sends a Certificate Signing Request with the Web Security Token; the CertProv WS returns a Lync Server Signed User Certificate.
7. The client publishes the Lync user certificate and PKI pair (443/tcp to the Reverse Proxy, 4443/tcp to the FE).
8. SIP REGISTER with the Lync Server signed certificate (443/tcp to the Edge, 5061/tcp to the FE); 200 OK.
Slide 20: Authentication, external Lync client, 2FA
Participants: Lync Client, Reverse Proxy, Edge, Lync Server FE, WebTicket WS, CertProv WS, AD FS.
1. The client establishes TCP and TLS to the Edge (443/tcp); the Edge connects to the FE (5061/tcp). SIP REGISTER.
2. The FE answers 401: authenticate with certificate (TLS-DSK), and supplies the URL for the CertProv WS.
3. The client establishes TCP and TLS to the Reverse Proxy (443/tcp); the Reverse Proxy connects to the FE (4443/tcp). The client gets the Certificate Service MEX document.
4. The CertProv WS replies that a Web Ticket Security Token is required and supplies the URL for the Web Ticket WS.
5. The client requests the Web-Ticket MEX / Security Token. The Web Ticket WS requests authentication and redirects the client to AD FS (Authentication Redirect). The client establishes TCP and TLS to AD FS (443/tcp), requests authentication and receives an Authentication Token; it establishes TCP and TLS to the Web Ticket WS (443/tcp) and presents the Authentication Token; the Web-Ticket Security Token is returned.
6. The client establishes TCP and TLS (443/tcp to the Reverse Proxy, 4443/tcp to the FE) and sends a Certificate Signing Request with the Web Security Token; the CertProv WS returns a Lync Server Signed User Certificate.
7. The client publishes the Lync user certificate and PKI pair (443/tcp to the Reverse Proxy, 4443/tcp to the FE).
8. SIP REGISTER with the Lync Server signed certificate (443/tcp to the Edge, 5061/tcp to the FE); 200 OK.
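The flows on slides 19 and 20 share one structure: REGISTER is refused with 401 until the client holds a certificate signed by the Lync Server; that certificate is issued only against a Web Ticket; and the Web Ticket is issued only after the Web Ticket service has authenticated the user, either with NTLM/Kerberos against AD (slide 19) or by accepting an AD FS token (slide 20). The toy model below is an added illustration for this page, not Lync code: HMAC over JSON stands in for the real SAML web ticket and X.509 user certificate so it runs on the standard library, the directory, keys, password and lifetimes are constructed, and the TLS handshake's proof that the client holds the certificate's private key is not modelled. What it does show is which service binds which identity: the certificate subject comes from the ticket, never from the CSR, and REGISTER is accepted only when the certificate's subject is the registering user.

```python
import hashlib
import hmac
import json
import secrets

# Constructed keys standing in for the Front End's and AD FS's signing keys.
FE_KEY = secrets.token_bytes(32)
ADFS_KEY = secrets.token_bytes(32)

# Constructed directory standing in for Active Directory.
DIRECTORY = {"alice@contoso.com": "S3cret-constructed"}


def _sign(key, claims):
    return hmac.new(key, json.dumps(claims, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def _token(key, claims):
    return {"claims": claims, "sig": _sign(key, claims)}


def _valid(key, token, typ, now):
    """A token is valid if its signature verifies under `key`, it has the expected
    type (a web ticket cannot be replayed as a certificate, nor an AD FS token as a
    web ticket), and it has not expired."""
    if not token:
        return False
    claims, sig = token["claims"], token["sig"]
    return (hmac.compare_digest(_sign(key, claims), sig)
            and claims.get("typ") == typ
            and claims.get("exp", 0) >= now)


def adfs_authenticate(sip_uri, second_factor_ok, now):
    """Slide 20: AD FS checks both factors and returns an Authentication Token."""
    if sip_uri not in DIRECTORY or not second_factor_ok:
        return None
    return _token(ADFS_KEY, {"sub": sip_uri, "typ": "adfs", "exp": now + 300})


def web_ticket_service(sip_uri, now, password=None, adfs_token=None):
    """Slide 19: credentials checked against AD (NTLM/Kerberos in the slide);
    slide 20: an AD FS token instead. The ticket names the authenticated identity."""
    if adfs_token is not None:
        if not _valid(ADFS_KEY, adfs_token, "adfs", now) or adfs_token["claims"]["sub"] != sip_uri:
            return None
    else:
        stored = DIRECTORY.get(sip_uri)
        if stored is None or not hmac.compare_digest(stored.encode(), (password or "").encode()):
            return None
    return _token(FE_KEY, {"sub": sip_uri, "typ": "webticket", "exp": now + 600})


def certprov_service(csr_subject, csr_pubkey, web_ticket, now):
    """CSR with Web Security Token -> Lync Server Signed User Certificate.
    A CSR asking for a name other than the ticket's subject is refused."""
    if not _valid(FE_KEY, web_ticket, "webticket", now):
        return None
    if csr_subject.lower() != web_ticket["claims"]["sub"].lower():
        return None
    return _token(FE_KEY, {"sub": csr_subject, "pub": csr_pubkey, "typ": "usercert", "exp": now + 8 * 3600})


def sip_register(from_uri, user_cert, now):
    """SIP REGISTER authenticated with the server-signed certificate (TLS-DSK)."""
    if not _valid(FE_KEY, user_cert, "usercert", now):
        return "401 Unauthorized"
    if user_cert["claims"]["sub"].lower() != from_uri.lower():
        return "401 Unauthorized"
    return "200 OK"


def sign_in_flow(sip_uri, password, now):
    """Slide 19 end to end: REGISTER -> 401 -> web ticket -> CSR -> REGISTER -> 200 OK.
    Returns the two REGISTER responses."""
    first = sip_register(sip_uri, None, now)
    ticket = web_ticket_service(sip_uri, now, password=password)
    pubkey = "pub-" + secrets.token_hex(8)   # constructed: stands in for the client's new key pair
    cert = certprov_service(sip_uri, pubkey, ticket, now)
    return first, sip_register(sip_uri, cert, now)


if __name__ == "__main__":
    print(sign_in_flow("alice@contoso.com", "S3cret-constructed", 1000))
```

Because the user certificate is long-lived (hours on this toy, longer in practice) while the web ticket is short-lived, the interesting failure modes are the ones the checks above refuse: a CSR for another user's name, a ticket or certificate past its expiry, a token of the wrong type, and a tampered subject.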
Slide 27: Instant messaging
1. The IM is sent in a SIP connection secured using TLS.
2. Pool A forwards the IM to Pool B in an encrypted SIP/MTLS channel.
3. The IM is sent to Bob's Lync client in a SIP connection secured using TLS.
4. IM replies take the same path in the opposite direction.
5. During the conversation, IMs might be stored in the Archiving database or in Exchange.
6. After the conversation is over, a conversation history record may be stored.
Slide 29: Peer-to-peer audio/video, application sharing and file transfer
1. Alice places an audio/video call to Bob; the session is established via an encrypted SIP/TLS/MTLS channel.
2. A/V media is exchanged peer to peer, secured by SRTP.
3. Bob shares an application; the information about the sharing is sent via the encrypted SIP/TLS/MTLS signaling channel.
4. Application sharing is secured by SRTP.
5. Alice sends a file to Bob.
6. Bob accepts the file.
7. The file transfer is secured by SRTP.
Slide 33: PSTN call
1. Call setup with the Pool in SIP/TLS.
2. Call setup with the MS (Mediation Server) in SIP/MTLS.
3. Call setup with the GW (gateway) in SIP/MTLS or SIP/TCP.
4. Call setup with the PSTN in ISDN.
5. Media secured by SRTP on the client side; media towards the gateway secured by SRTP or unencrypted (RTP).
6. Media unprotected in ISDN on the PSTN.
Slide 35: Conferencing
1. Signaling via SIP/TLS.
2. Media (A/V, application sharing) with SRTP.
3. File upload and download via HTTPS.
4. Files are stored on the file share.
5. The OWAS (Office Web Apps Server) receives the PPTX from the file share via the Front End Server over HTTPS.
6. The client views PowerPoint presentations directly from the OWAS server via HTTPS.
7. Annotations and whiteboard are sent via PSOM/TLS.
Slide 39: External client through the Edge
1. Sign-in, contacts, presence, IMs, call setups, etc. to the Edge in SIP/TLS.
2. Sign-in, contacts, presence, IMs, call setups, etc. to the Pool in SIP/MTLS.
3. ABS, meeting files, etc. to the Reverse Proxy (RP) in HTTPS.
4. ABS, meeting files, etc. to/from the Pool in HTTPS.
5. Media for audio, video, application sharing and file transfer to the Edge in SRTP.
6. Media in SRTP.
Slide 49: Threats and mitigations

| Threat | Probability of affecting Lync | Mitigation |
|---|---|---|
| Compromised-key attack | Low | Protect private PKI keys |
| Network denial-of-service attack | Low | Use a firewall to throttle Internet traffic |
| Eavesdropping | Very low | Protect private PKI keys |
| Identity spoofing / IP address spoofing | Very low | Transport Layer Security (TLS) protects against IP address spoofing |
| Man-in-the-middle (MiM) attack | Very low | Protect Active Directory so that a MiM cannot be added as a trusted server |
| RTP replay attack | Very low | Lync maintains an index of received SRTP packets |
| SPIM (spam over Internet Messaging, or IM) | Low | Block the SPIM-offending IP at the firewall or disable federation during the attack. The Edge server also automatically throttles requests if the failure/success ratio for IM becomes too high. |
| Personally identifiable information | Low | Train users to accept federation requests only from known and trusted individuals. |
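The "index of received SRTP packets" named against RTP replay in the table is, in SRTP terms, the replay list of RFC 3711 section 3.3.2: the receiver remembers the highest authenticated packet index and a bitmap of recently received indices, and drops anything it has already seen or that is older than the window. The class below is an added illustration for this page, not Lync's implementation; it includes the rollover-counter (ROC) estimation of RFC 3711 section 3.3.1 so that the 16-bit RTP sequence number maps to the 48-bit SRTP index across wrap-around, and the sequence numbers fed to it are constructed.

```python
class SrtpReplayIndex:
    """Sliding replay window over the SRTP packet index (RFC 3711 section 3.3.2).

    Added illustration, not Lync code.  The index is ROC * 2^16 + SEQ.  A packet
    is accepted if it is newer than anything received, or if it lies inside the
    window and has not been received yet.  In a real receiver the packet is
    authenticated first and only authenticated packets update this state;
    otherwise a forged packet with a high sequence number could slide the window
    and make legitimate late packets look like replays.
    """

    WINDOW = 64  # entries; RFC 3711 requires at least 64

    def __init__(self):
        self.roc = 0        # rollover counter: number of SEQ wrap-arounds seen
        self.s_l = None     # highest SEQ received in the current ROC cycle
        self.bitmap = 0     # bit d set => index (highest_index - d) already received

    def _estimate_roc(self, seq):
        """RFC 3711 3.3.1: choose the ROC cycle (previous, current or next) that
        puts `seq` closest to s_l."""
        if self.s_l < 32768:
            return self.roc - 1 if seq - self.s_l > 32768 else self.roc
        return self.roc + 1 if self.s_l - 32768 > seq else self.roc

    def check_and_update(self, seq):
        """Return True to accept (and record) the packet, False to drop it as a
        replay, as too old for the window, or as belonging to a ROC cycle before
        the stream started."""
        if self.s_l is None:                 # first packet of the stream
            self.s_l, self.bitmap = seq, 1
            return True
        v = self._estimate_roc(seq)
        if v < 0:
            return False
        index = (v << 16) | seq
        top = (self.roc << 16) | self.s_l
        if index > top:                      # newest so far: slide the window forward
            shift = index - top
            if shift >= self.WINDOW:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.roc, self.s_l = v, seq
            return True
        distance = top - index
        if distance >= self.WINDOW:          # older than the window: cannot judge, drop
            return False
        if (self.bitmap >> distance) & 1:    # already received: replay
            return False
        self.bitmap |= 1 << distance         # late but fresh: accept and record
        return True


def replay_demo():
    """Constructed sequence numbers: the repeated 2, 1 and 3 are replays."""
    idx = SrtpReplayIndex()
    return [idx.check_and_update(s) for s in (1, 2, 2, 1, 5, 3, 3)]


if __name__ == "__main__":
    print(replay_demo())   # [True, True, False, False, True, True, False]
```

Reordering within the window (the late packet 3 after 5) is still accepted, which is why the window exists at all: UDP delivers out of order, and a plain "must be greater than the last one" rule would drop legitimate media.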
Slide 53: Privacy relationships
Columns: type of information; visible to Blocked Contacts? External Contacts? Colleagues? Workgroup? Friends & Family? (for each row the slide marks with "Yes" the relationship level from which the item is visible; the column positions were lost in extraction).
Rows: Presence Information; Presence Status; Display Name; Email Address; Title *; Work Phone *; Mobile Phone *; Home Phone *; Other Phone; Company *; Office *; SharePoint Site *; Meeting Location #; Meeting Subject #; Free Busy; Working Hours; Location #; Notes (Out-of-Office Note); Notes (Personal); Last Active; Personal Photo Web Address (if applicable).
(*) If this information is defined in an organization's directory service, it will be visible to all contacts in your organization, regardless of privacy relationship, and to external contacts (if configured and recognized by your organization's network).
(#) This information is visible by default.
Slide 55: Certificates
- Lync Server 2013 relies on certificates and public key infrastructure (PKI).
- Important changes for organizations that use public certificates internally, effective November 1st 2015:
  - Private IP addresses may no longer be part of a certificate.
  - Private DNS names may no longer be part of a certificate.
  - The Subject Name / Common Name field is deprecated and its use discouraged.
- After 2015 it will be impossible to obtain a publicly trusted certificate for any host name that cannot be externally verified.
- What if your servers are installed in contoso.local? An internal Enterprise Certificate Authority (CA) is required.
Slide 59: Federation
1. IM or call setup to the Pool in SIP/TLS.
2. IM or call setup to the Edge in SIP/MTLS.
4. IM or call setups across the Internet in federation SIP/MTLS.
5. IM or call setup to the Pool in SIP/MTLS.
5. IM or call setup to ... in SIP/TLS.
6. Media in SRTP via both Edges for federation (not client-to-client); media in SRTP.
Slide 62: Thanks! Don't forget to complete your evaluations: aka.ms/mytechedmel