Slide 1
Secure Lync mobile Authentication
http://www.mobility-shield.com
V3
Background & Overview
Connecting external devices (mobile/computers) to the
corporate network raises security risks related to Active
Directory exposure.
Typically there is no control over the apps installed on
employees' smartphones or over the networks that these
devices are connected to.
LyncShield is a server-side solution with no additional
client install, supporting all devices.
The product is available on TMG or Bastion reverse proxy.
Slide 2
Security issues and solutions
Problem: Connecting non-authorized devices
Solution: Two Factor Authentication
Problem: Active Directory password leakage
Solution: Avoid AD credentials on the device – dedicated log in
Problem: Account lockout / DDoS
Solution: Blocking false authentication attempts in the DMZ proxy before they reach the Active Directory
All the solutions are available for both mobile and external PC/ Laptops
Slide 3
[1] - Two Factor Authentication
Based on a Device ID sent by the client.
Several registration/enrolment options enforce an access
control policy based on matching the device and the user.
Slide 4
Access Control – Enrollment
Supports several access control policies:
Automatic Registration – The Device ID is registered upon first
use of the account.
Two-step registration process:
Two Step Registration – The user registers on an internal site and
then must sync within a defined time frame to complete
registration.
Admin Manual Enrollment – Admin management of the user
list using training mode and a rejected-devices auditing list.
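The three enrollment policies above, modelled as one gateway-side decision function. This is an added illustration, not LyncShield's own code; the policy names, the two-step sync window and the timestamp format (seconds as plain numbers) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class EnrollmentStore:
    """Device-ID enrollment state checked by the gateway on every connection."""
    policy: str                  # "auto", "two_step" or "manual" (assumed names)
    window_s: int = 1800         # two-step sync deadline in seconds (assumed value)
    approved: dict = field(default_factory=dict)   # user -> set of approved device IDs
    pending: dict = field(default_factory=dict)    # user -> time of portal registration
    rejected: list = field(default_factory=list)   # audit list for admin review

    def register_on_portal(self, user, now):
        """Step 1 of two-step registration: the user registers on the internal site."""
        self.pending[user] = now

    def admin_approve(self, user, device_id):
        """Manual enrollment: an admin binds a device to a user."""
        self.approved.setdefault(user, set()).add(device_id)

    def check_device(self, user, device_id, now):
        """Return True if this device may connect as this user; otherwise audit it."""
        devices = self.approved.setdefault(user, set())
        if device_id in devices:
            return True
        if self.policy == "auto" and not devices:
            # Automatic registration: the first device seen is bound to the account
            devices.add(device_id)
            return True
        if self.policy == "two_step":
            started = self.pending.get(user)
            # Step 2: the device sync must arrive inside the window opened in step 1
            if started is not None and now - started <= self.window_s:
                devices.add(device_id)
                del self.pending[user]
                return True
        # Manual policy, a second device under "auto", or an expired/missing
        # two-step registration: reject and record for the admin's audit list
        self.rejected.append((now, user, device_id))
        return False
```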
Slide 5
Two Step Registration
Slide 6
Two Factor Authentication architecture
Slide 7
Access Portal admin
View approved & blocked users
Restrict registration and ongoing connection by IP range
Allow / Block Web app login
Access rule black / white list
Allow / Block guest users
Number of devices per user
SMTP notification
Product settings - Registration, Authentication…
Two level admin - local domain admin
Reports & Search
Slide 8
Access Portal admin control
Slide 9
[2] - AD credential protection approach
LyncShield introduces a new approach for protecting the
Active Directory credentials.
With LyncShield the connection to Lync is made using
dedicated Lync credentials that are created by the user,
rather than the regular network Active Directory
credentials.
LyncShield completely eliminates the need to store
Active Directory passwords on the device.
Slide 10
Active Directory dedicated login
The user creates dedicated Lync credentials on a self-service
internal web site for use on the device, instead of using
Active Directory credentials.
Slide 11
Dedicated Lync credentials architecture
Slide 12
Mobile Smart Card solution
Many organizations that use smart cards for network login do
not have a username and password for Active Directory.
LyncShield allows the usage of Lync without the need to
manage Active Directory credentials.
With the dedicated login solution, the user logs into the
Access Portal, authenticating with his smart card from his
network computer, and creates dedicated SharePoint
credentials for use on the mobile device.
Slide 13
[3] - Active Directory Account Lockout protection
Account lockout can be the result of the following:
The user changed the Active Directory password but did
not change the settings on the device.
The username (without the password) was obtained by a
hacker who tried to log in several times.
DDoS, DoS and brute force attacks - such attacks can result in
the network becoming unavailable.
LyncShield eliminates these threats by blocking
the failed attempts on the gateway server side,
before they reach the Active Directory.
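A gateway-side failed-login guard of the kind the slide describes, as an added illustration rather than LyncShield's own code. The gateway keeps its own failure counter per account with a threshold lower than the directory's lockout threshold, so once it trips, further attempts are answered at the gateway and never forwarded to the backend. The thresholds, the `demo_verify` backend and the demo user table are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed stand-in for the backend directory check (not a real AD call)
DEMO_USERS = {"alice": "right", "bob": "right"}
BACKEND_CALLS = []   # records every login the backend actually received


def demo_verify(user, password):
    BACKEND_CALLS.append(user)
    return DEMO_USERS.get(user) == password


class GatewayAuthGuard:
    """Sits in the DMZ in front of the directory and absorbs repeated failures."""

    def __init__(self, verify, max_failures=3, window_s=600, block_s=900):
        self.verify = verify              # callable(user, password) -> bool
        self.max_failures = max_failures  # keep this below the AD lockout threshold
        self.window_s = window_s          # failures older than this are forgotten
        self.block_s = block_s            # how long the gateway answers without AD
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.blocked_until = {}             # user -> time the gateway block expires

    def _prune(self, user, now):
        q = self.failures[user]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def login(self, user, password, now):
        """Return 'ok', 'denied' or 'blocked'; only the first two reached the backend."""
        if self.blocked_until.get(user, -1) > now:
            return "blocked"              # answered at the gateway, AD never sees it
        self._prune(user, now)
        if self.verify(user, password):
            self.failures[user].clear()
            return "ok"
        self.failures[user].append(now)
        if len(self.failures[user]) >= self.max_failures:
            # Trip the gateway block before the directory's own lockout count is reached
            self.blocked_until[user] = now + self.block_s
            self.failures[user].clear()
        return "denied"
```

A blocked account still has to be unblocked on the gateway after `block_s` seconds, but its directory account is never locked, which is the behaviour the slide is after.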
Slide 14
Coming soon - RSA / ADFS / Office 365
RSA integration
The user will authenticate on a web site using RSA.
The user will need to connect the device within a short time (5
minutes, for example) to complete registration.
RSA authentication will be valid for a limited, configurable
time (for example one day).
Two Factor Authentication for Office 365 / device
registration
Solution for using Lync with ADFS without breaking
Exchange connectivity
Solutions planned to be released by end of Q4, 2014
Slide 15
Coming soon - EWS Protector
Exchange Web Service Protector is an independent
product securing the Exchange services required for Lync
meeting information.
Offers currently:
DDoS protection / account lockout protection for EWS
authentication services (available)
Two Factor Authentication (available)
Password protection (using Lync credentials and not AD)- to
be released soon (available)
Filter by operations – allowing only meeting requests (soon)
Slide 16
Bastion
Reverse proxy forwarding traffic to the configured
backend servers.
Cross-platform - Windows / Linux
Pluggable filtering architecture.
Filters HTTP(S).
Scalable Event-Driven Architecture.
Can publish multiple servers in parallel.
Highly efficient asynchronous architecture.
Bi-directional content filtering.
Slide 17
Bastion (cont)
Geared towards full-featured HTTP filtering.
Most reverse proxy solutions are geared towards web
acceleration.
Supports many HTTP features and scenarios.
Chunked, gzip and deflate Transfer-Encodings.
Pipelining.
Supports filtering content, blocking content or generating
proxy responses anytime during the filtering chain (unlike
TMG and UAG).
Slide 18
AGAT Security suite - Overview
LyncShield and MobilityShield are part of AGAT’s Security
suite.
AGAT Security suite is a set of unique components that
extend Forefront (ISA/TMG, IAG/UAG)
functionality to solve the complex architectures and
requirements typically found in large, complex
and well secured networks.
The solution is also available on Bastion reverse proxy
without the use of Forefront.
Slide 19
To learn more about our solutions
please visit our website at
http://www.mobility-Shield.com
Slide 20