SkypeShield - Securing Skype for Business
Download as PPT, PDF1 like2,625 views
Skypeshield is a server-side security solution designed to enhance the security of Skype for Business and Exchange by implementing features like two-factor authentication, account lockout protection, and device access control. It allows for the management of devices, the creation of dedicated app passwords to protect Active Directory credentials, and incorporates MDM integration and federation policies for compliance. Additionally, Skypeshield offers scalable architecture for filtering and access control, ensuring secure connectivity to corporate networks from external devices.
SkypeShield - Securing Skype for Business
- 1. Leading Skype for Business Security http://AGATSoftware.com V6 http://SkypeShield.com
- 2. Slide2 Background & Overview Connecting external devices (mobile/computers) to the corporate network raises security risks related the Active Directory exposure. Typically there is no control over apps installed on employees’ smartphones and the networks that these devices are connected to. SkypeShield is a server side solution with not additional client install supporting all devices.
- 3. Slide3 SkypeShield high level feature list Two Factor Authentication – Add the device as the second factor for authentication. Protect both SfB & Exchange EWS Account lockout protection – Block attacks sending failed login attempts to authentication service Device Access Control – manage devices connected using device enrollment process MDM binding – Verify only devices that are managed by MDM can connect to SfB server
- 4. Slide4 SkypeShield feature list (cont) Active Directory credential protection – Avoid using domain password by creating dedicated app password Federation Ethical Wall- granular policy control based on users/groups/domain for each modality (IM, File sharing, Application sharing, Audio, Video, meetings) RSA integration – Use RSA authentication code instead of domain password VPN traffic splitter – Split authentication from SIP to allow secure and efficient deployment over VPN
- 5. Slide5 Two Factor authentication Based on end point ID sent by client Several registration/ enrolment options to enforce access control policy based on matching the device and the user. Protects both Skype for Business & Exchange (EWS) – blocking any request passing to network servers unless coming from an approved device
- 6. Slide6 Access Control – Enrollment Support several access control policies: Automatic Registration – Device ID is registered upon first use of account. Two steps registration process: Self Service / Two Step Registration – User registers on internal site and then must sync within a defined time frame to complete registration. Admin Manual Enrollment – Admin management of user list using training mode and rejected auditing list.
- 8. Slide8 Two Factor Authentication architecture
- 9. Slide9 Access Portal main Settings View approved & blocked devices Restrict registration and ongoing connection by IP range Access Rule black / White list Allow / Block guest users Filter by device type & OS Allow / Block Web app login Define number of devices per user Registration policy (Two steps/ Manual/ Automatic) Failed login auditing & Soft Lockout management
- 10. Slide10 Access Portal main Settings (cont) Require re-authentication by time -Session termination Save password policy management Multi LDAP support (for HA & distributed implantation) Support of Multi level admin management Web service for external event to lock/ approve device/user House keeping service Notification settings Reports & Search
- 11. Slide11 Access Portal admin control
- 12. Slide12 Account Lockout protection Account lockout can be the result of the following: The user changed the Active Directory password, but did not change the settings on the device. The username (without the password) being obtained by a hacker who tried to log in several times DDoS , Dos , brute force attacks- Such attacks can result in the network becoming unavailable
- 13. Slide13 Account lockout protection (cont) SkypeShield blocks the failed attempts on the gateway server side, before reaching the Active Directory SkypeShield offers a multi-site defense approach covering all authentication channels Unified solution that protects all distributed resources. Failed attempts are counted and stored in a central database table which is shared by all SkypeShield components.
- 14. Slide14 MDM binding SkypeShield can limit the usage of Lync to managed devices only – devices with MDM Compatible with any MDM solution supporting one of the following capabilities: Certificate enrollment Application management (MAM) VPN triggering / control These are available from most of the vendors around the market including Microsoft Intune, AirWatch, MobileIron, MASS360, Good, XenMobile and more.
- 16. Slide16 VPN support for Skype for Business MSFTs recommendation is to keep all voice and video traffic going through the Edge and not over the VPN SkypeShield offers an Hybrid solution requiring the authentication to be done over VPN and routing the Video/Audio to go through the Edge over the internet. Does not require VPN splitting
- 17. Slide17 Lync traffic splitting over VPN
- 18. Slide18 Federation Ethical Wall Solves ethical and compliance regulations , security and data protection issues Apply federation policies based on specific users , groups and domains/companies Specific modality policy control- IM, File transfer, Meeting, Audio, Video Enforces policy in the DMZ and blocks non-approved traffic
- 20. Slide20 AD credential protection SkypeShield introduces a new approach for protecting the Active Directory credentials With SkypeShield the connection to Skype is done by using App dedicated Skype credentials that are created by the user rather than the regular network Active Directory credential SkypeShield completely eliminates the need to store Active Directory passwords on the device Supports work against Exchange & Skype with one App credentials
- 21. Slide21 Active Directory App login The user creates dedicated Skype credentials on a self service internal web site for use on device, instead of Active Directory credentials.
- 22. Slide22 Skype App credentials architecture
- 23. Slide23 Mobile Smart Card solution Many organizations that smart card for network login do not have a username and password for Active Directory. SkypeShield allows the usage of Skype without the need to manage Active Directory credentials. With the dedicated login solution, the user logs into the Access Portal authenticating with his smart card from his network computer and creates dedicated Skype for Business credentials for use on the mobile device.
- 24. Slide24 RSA integration Mobile users enter their RSA Token authentication code instead of Active Directory password SkypeShield verifies password against RSA Authentication Manager and impersonate user against Skype Desktop users Authenticate in web site from Browser and than can login from Skype desktop client
- 25. Slide25 Product architecture - Bastion Proxy SkypeShield solution offers as part of the solution the dedicated reverse proxy Bastion developed by AGAT. The SkypeShield filters are plugged into Bastion to extend access control and content filtering capabilities Cross-platform- Windows / Linux Scalable Event-Driven Architecture. Can publish multiple servers in parallel/ mulita channels. Highly efficient asynchronous architecture. Supports high availability deployment
- 26. Slide26 Bastion (cont) Main characteristics : Geared towards full-featured HTTP filtering. HTTPS - Decrypt SSL Supports many HTTP scenarios: Chunked, gzip and deflate Transfer-Encodings Pipelining. Supports filtering content, blocking content or generating proxy responses anytime during the filtering chain (unlike TMG and UAG).
- 27. Slide27 Skype for Business SIEM Security Information Event Management Security alerts based on geolocation information and behavior profiling Skype for Business Application Firewall- Sanitize all non authenticated requests in DMZ: Verify request type, content type headers, content length, URL validation, validate request structure, characters etc. Break any direct request to enter domain- session termination SkypeShield Road map
- 28. Slide28 SkypeShield Road map (cont) Soft token TFA Authentication (Google authenticator / Azure authenticator) for : Lync on premise Lync online (Office 365) DLP engine Apply content rules policy on IM data Examples of content handled in messages: Social security numbers Credit card numbers ID numbers
- 29. Slide29 AGAT products- Overview AGAT Software is a company focusing on security solutions for authentication and content filtering while externally connecting devices to company network. The companies Mobility-Shield core product suite secures applications such as Skype and other apps based on Active Directory authentication like outlook. SkypeShield is part of MobilityShield AGAT’s Security suite. AGAT also offers secure browser and digital signature mobile applications for mobile PKI requirements.
- 30. Slide30 To learn more about our solutions please visit our website at http://SkypeShield.com http://AGATSoftware.com info@agatsoftware.com