Post on 10-Jan-2016


Slide 1

Secure Lync mobile Authentication

http://www.mobility-shield.com
http://LyncShield.com

V5

Slide 2

Background & Overview

Connecting external devices (mobile/computers) to the corporate network raises security risks related to Active Directory exposure.

Typically there is no control over the apps installed on employees’ smartphones or the networks these devices connect to.

LyncShield is a server-side solution with no additional client install, supporting all devices.

Slide 3

Security requirements and solutions

Solution                                                          Requirement
Two-factor authentication by adding the device factor             Secure external authentication
Avoid AD credentials on the device: dedicated App credentials login   Protect the Active Directory password from leaking
Soft lockout in the DMZ, blocking false authentication attempts
before they reach the Active Directory                            Protect against account lockout & DDoS attacks

Slide 4

Security issues and solutions (cont)

Solution                                                          Requirement
Control device registration by certificate or manual admin        Limit Lync to approved / corporate devices
Bind Lync usage to MDM control                                    Limit Lync to devices with MDM

All the solutions are available for both mobile devices and external PCs/laptops.

Slide 5

[1] Two Factor Authentication

Based on the Device ID sent by the client.

Several registration/enrolment options to enforce an access control policy based on matching the device and the user.

Protects both Lync & Exchange (EWS): any request passing to network servers is blocked unless it comes from an approved device.

Slide 6

Access Control – Enrollment

Supports several access control policies:

Automatic Registration – the Device ID is registered upon first use of the account.

Self Service / Two Step Registration – the user registers on an internal site and then must sync within a defined time frame to complete the registration.

Admin Manual Enrollment – admin management of the user list using training mode and a rejected-devices auditing list.


Slide 7

Two Step Registration


Slide 8

Two Factor Authentication architecture

Slide 9

Access Portal main Settings

View approved & blocked devices
Restrict registration and ongoing connection by IP range
Access rule black / white list
Allow / block guest users
Filter by device type & OS
Allow / block Web app login
Define the number of devices per user
Registration policy (Two step / Manual / Automatic)
Failed login auditing & Soft Lockout management

Slide 10

Access Portal main Settings (cont)

Require re-authentication by time – session termination
Saved-password policy management
Multi-LDAP support (for HA & distributed implementation)
Support for multi-level admin management
Web service for external events to lock / approve a device or user
Housekeeping service
Notification settings
Reports & Search


Slide 11

Access Portal admin control

Slide 12

[2] AD credential protection approach

LyncShield introduces a new approach for protecting the Active Directory credentials.

With LyncShield the connection to Lync is done using App-dedicated Lync credentials that are created by the user, rather than the regular network Active Directory credentials.

LyncShield completely eliminates the need to store Active Directory passwords on the device.

Supports working against Exchange & Lync with one set of App credentials.

Slide 13

Active Directory App login

The user creates dedicated Lync credentials on a self-service internal web site for use on the device, instead of Active Directory credentials.


Slide 14

Lync App credentials architecture

Slide 15

Mobile Smart Card solution

Many organizations that use smart cards for network login do not have a username and password for Active Directory.

LyncShield allows the use of Lync without the need to manage Active Directory credentials.

With the dedicated login solution, the user logs into the Access Portal, authenticating with his smart card from his network computer, and creates dedicated SharePoint credentials for use on the mobile device.

Slide 16

RSA integration

Mobile users enter their RSA Token authentication code instead of the Active Directory password.

LyncShield verifies the code against RSA Authentication Manager and impersonates the user against Lync.

Desktop users authenticate on the web site from a browser and then can log in from the Lync desktop client.

Slide 17

[3] Account Lockout protection

Account lockout can be the result of the following:

The user changed the Active Directory password, but did not change the settings on the device.

The username (without the password) is obtained by an attacker who tries to log in several times.

DDoS, DoS and brute-force attacks: such attacks can result in the network becoming unavailable.

Slide 18

Account lockout protection (cont)

LyncShield blocks the failed attempts on the gateway server side, before they reach the Active Directory.

LyncShield offers a multi-site defense approach covering all authentication channels.

Unified solution that protects all distributed resources: failed attempts are counted and stored in a central database table which is shared by all LyncShield components.
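The following is an added illustration of the gateway-side soft lockout described on slides 17 and 18; it is example code written for this page, not AGAT's or LyncShield's implementation. The shared store, the `ad_verify` callable standing in for the directory, and the threshold/window values are constructed assumptions; the point it shows is that the gateway's threshold sits below the directory's own lockout threshold, so repeated failures are absorbed in the DMZ and the AD account is never locked.

```python
import time
from dataclasses import dataclass, field

@dataclass
class CentralFailureStore:
    """Stand-in for the central table shared by all gateway components."""
    failures: dict = field(default_factory=dict)  # user -> failure timestamps

    def record_failure(self, user, now):
        self.failures.setdefault(user, []).append(now)

    def count_recent(self, user, now, window):
        recent = [t for t in self.failures.get(user, []) if now - t < window]
        self.failures[user] = recent  # stale failures stop counting
        return len(recent)

    def clear(self, user):
        self.failures.pop(user, None)

class SoftLockoutGateway:
    """DMZ-side pre-check: repeated bad attempts never reach the directory."""

    def __init__(self, store, ad_verify, soft_threshold=3, window=900):
        # soft_threshold is kept below the directory's own lockout threshold,
        # so the AD account is never locked by traffic the gateway absorbs.
        self.store = store
        self.ad_verify = ad_verify  # callable(user, password) -> bool (assumed AD)
        self.soft_threshold = soft_threshold
        self.window = window
        self.ad_calls = 0  # how many requests were actually forwarded

    def authenticate(self, user, password, now=None):
        now = time.time() if now is None else now
        if self.store.count_recent(user, now, self.window) >= self.soft_threshold:
            return "soft_locked"  # rejected in the DMZ; AD is not contacted
        self.ad_calls += 1
        if self.ad_verify(user, password):
            self.store.clear(user)  # a good login resets the counter
            return "ok"
        self.store.record_failure(user, now)
        return "bad_credentials"

def demo():
    # Constructed directory with one account; timestamps are fixed for clarity.
    directory = {"alice": "correct-horse"}
    gw = SoftLockoutGateway(CentralFailureStore(), lambda u, p: directory.get(u) == p)
    results = [gw.authenticate("alice", "wrong", now=1000 + i) for i in range(4)]
    later = gw.authenticate("alice", "correct-horse", now=2000)  # window expired
    return results, gw.ad_calls, later
```

In `demo()` the fourth wrong password is refused at the gateway, so only three requests ever reach the directory, and after the window expires a correct login succeeds and resets the counter.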

Slide 19

[5] MDM binding

LyncShield can limit the usage of Lync to managed devices only – devices with MDM.

Compatible with any MDM solution supporting one of the following capabilities:
Certificate enrollment
Application management (MAM)
VPN triggering / control

These are available from most of the vendors on the market, including Microsoft Intune, AirWatch, MobileIron, MaaS360, Good, XenMobile and more.


Slide 20

LyncShield MDM app

Slide 21

VPN support for Lync

Microsoft's recommendation is to keep all voice and video traffic going through the Edge and not over the VPN.

LyncShield offers a hybrid solution: authentication is required to be done over the VPN, while the video/audio is routed through the Edge over the internet.

Does not require VPN splitting.


Slide 22

Lync traffic splitting over VPN

Slide 23

Product architecture – Bastion Proxy

The LyncShield solution includes the dedicated reverse proxy Bastion, developed by AGAT. The LyncShield filters are plugged into Bastion to extend its access control and content filtering capabilities.

Cross-platform: Windows / Linux
Scalable event-driven architecture
Can publish multiple servers in parallel / multiple channels
Highly efficient asynchronous architecture
Supports high availability deployment

Slide 24

Bastion (cont) – Main characteristics:

Geared towards full-featured HTTP filtering.
HTTPS – decrypts SSL.
Supports many HTTP scenarios: chunked, gzip and deflate Transfer-Encodings, pipelining.

Supports filtering content, blocking content or generating proxy responses at any time during the filtering chain (unlike TMG and UAG).

Slide 25

LyncShield Road map

Federation Firewall
Access rules based on Active Directory group membership
General access control
Specific operations such as file sharing
Privacy

Lync SIEM – Security Information Event Management
Security alerts based on geolocation information and usage patterns

Slide 26

LyncShield Road map (cont)

Lync Application Firewall – sanitize all non-authenticated requests in the DMZ:

Verify request type, content-type headers, content length, URL validation, request structure, characters etc.

Break any direct request from entering the domain – session termination.

Google Authenticator Two Factor Authentication for Lync on premise
Lync online (Office 365)

Slide 27

LyncShield Road map (cont)

DLP engine – apply a content rules policy on IM data. Examples of content handled in messages:

Social security numbers
Credit card numbers
ID numbers

Support for Skype for Business – ongoing as Microsoft releases new clients.

Slide 28

AGAT products – Overview

AGAT Software is a company focusing on security solutions for authentication and content filtering when external devices connect to the company network.

The company's Mobility-Shield core product suite secures applications such as Skype / Lync / SharePoint and other apps based on Active Directory authentication.

LyncShield is part of MobilityShield, AGAT’s security suite.

AGAT also offers secure browser and digital signature mobile applications for mobile PKI requirements.

Slide 29

To learn more about our solutions please visit our website at http://mobility-shield.com

http://LyncShield.com
http://AGATSoftware.com