Securing Webex Meetings and avoiding meeting fraud - Privacy, Confidentiality and Security options for meetings in a virtual world (PDF, 85 pages)
#CiscoLive
BRKCOL-2876
Securing Webex Meetings and avoiding meeting fraud
Privacy, Confidentiality and Security options for meetings in a virtual world
Tony Mulchrone, Principal Product Manager, Webex Security
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
- Introduction
- Secure Webex platform
- Secure Webex Meeting Types: Standard, Private, End to End Encrypted
- Scheduled Webex Meetings and Webex Personal Rooms
- Securing Webex Meetings and avoiding meeting fraud
- Privacy features: Deleting meeting metadata
- E2E Encryption and E2E Identity: Technical Deep Dive

Webex Meetings Architecture (diagram)
Meetings Services: Meeting Centre Service, Events Centre Service, Training Centre Service, Support Centre Service, Identity Service, Recording Service, Analytics Service, Site Admin Service, Media Services.
- Cloud registered Webex apps and devices: TLS/HTTPS signalling via HTTP/TLS proxy servers, encrypted media
- Webex and 3rd party SIP devices: SIP signalling, optionally encrypted media
- PSTN users

Webex Meetings Regions and Redundancy (diagram: Data Centre A, B, C; Meeting Centre, Events Centre, Training Centre, Support Centre, Identity, Recording, Analytics, Transcription and Site Admin Services)
- Webex Services for Webex Meetings/Events/Training/Support, Identity, Recording are regionalized and replicated across independent data centres.
- User Generated Content (e.g. Recordings, Transcripts, Uploaded Files) is stored in the regional data center closest to a Customer's location as provided during the ordering process.
- Webex Meetings regions: EU/UK/US/Canada/APAC/Australia

Webex Meetings: Secure Platform
- TLS signalling
- Encrypted Media
Network Requirements for Webex Meetings and Messaging services: https:/

Webex encrypted HTTP signaling (diagram)
Internet (public IP addresses) -> Webex Perimeter Protection (DDOS Protection, Traffic Filtering, Behavioural Analysis) -> Firewall/Routers with 1:1 NAT -> TLS Termination at the TLS/HTTPS Proxies -> Webex Services on a private IP address range inside the Secure Webex Data Centre. Client signalling is HTTP over TLS end to end.

Webex Media Services (diagram: Data Centre A to F)
- Webex Media services are globally distributed across multiple data centres
- Media Server clusters in each data centre provide local and geographic redundancy
- Media servers support voice, video and content sharing
- All media is encrypted

Webex Media Services: Encrypted Media (diagram)
- Media Nodes (OS Services) sit on a public IP address range behind Firewall/Routers; Webex Services sit on a private IP address range inside the Secure Webex Data Centre
- Webex Perimeter Protection for UDP/TCP/TLS media: Traffic Filtering, Volumetric Attack Protection
- Media ports: UDP 5004/9000, TCP 5004, TLS 443
- Webex Media Encryption cipher: AEAD-AES-256-GCM

Webex Identity: User sign in and Authorization (diagram: Webex App, Webex Identity Service, Enterprise IdP, Webex Cloud: Meetings, Messaging, Calling)
1) Customer downloads and installs the Webex App
2) Webex App establishes a secure TLS connection with the Webex Cloud
3) Webex Identity Service prompts User for an e-mail ID
4) User Authenticated by Webex Identity Service, or Enterprise IdP (SSO)
5) OAuth Access and Refresh Tokens created and sent to Webex App. The Access Token contains details of the Webex resources the User is authorised to access
6) Webex App presents its Access Token to register with Webex Services over a secure channel

Webex Devices: Onboarding, Registration & Authorization (diagram: Webex Device, Image Store, Discovery Service, Identity Service, Webex Service)
1) Webex Device application software and embedded OS are installed as a firmware binary image before leaving the factory
2) Webex Control Hub administrator generates device activation code for the device
3) User prompted for activation code during device installation. Activation code sent to Webex Discovery Service, which determines the device's organization and redirects to the Identity Service
4) Identity Service sends OAuth tokens and Certificate Trust List* to the device over direct PAKE SRP secured channel
5) Device checks current software version. If upgrade required, a signed image is sent to the device. Signed image verified and installed
6) Device registers to Webex Services
* Can include Enterprise CA Certs for TLS Proxy inspection

Webex Meetings: Secure Meeting Types
- Standard Meetings
- Private Meetings
- End to End Encrypted Meetings

Assigning and Selecting Webex Meeting Types
Webex Control Hub (and Site Admin):
- Administrator can assign various default meeting session types to users
- Administrator can also create new bespoke meeting session types and assign these to users
- All available session types can be enabled/disabled per user
Meeting Host/Scheduler:
- When scheduling a meeting via the user's webpage/calendar, the user will see the selection of meeting session types assigned to them by the administrator
- User selects their preferred meeting session type for the meeting
Example session types assigned to "Test User 1": STD Standard Meeting; PRO Private Meeting (Video Mesh only); PRO Pro End to End Encrypted (VOIP only)

Secure Webex Meetings
- Webex Trust: Encryption and Identity
- Zero Trust: End to End Encryption & End to End Identity
Encryption for standard Webex Meetings (diagram: Meeting Centre, Identity, Recording, Site Admin and Webex Media Services; encrypted signalling and encrypted media; SIP)
Every vendor of cloud meeting services requires access to meeting encryption keys for SIP, H323, PSTN and other services.
- With standard Webex Meetings, the cloud needs access to encryption keys to decrypt SRTP media from SIP devices, PSTN gateways and for other services such as recording
- With standard Webex Meetings, all signalling and media in the Webex cloud is encrypted
- Webex apps and devices use encrypted signalling and encrypted media
- SIP devices can encrypt signalling and media, PSTN audio is encrypted by the Webex cloud
Privacy & Confidentiality: Hop by Hop encryption
Accessibility: Anyone (Cloud, SIP, PSTN users)
Features: All (Recording, Transcripts, Webex Assistant etc)

Encryption for Private Webex Meetings (diagram: Video Mesh Node on premises; Identity, Analytics, Site Admin, Meeting Centre and Webex Media Services in the cloud; no media cascaded to the Webex cloud)
All apps and devices must have access to the Webex Video Mesh Node on premises. All media is switched in the on premises Webex Video Mesh Node:
- No media cascades to the Webex cloud
- Cloud registered Webex apps and devices always use encrypted signalling and encrypted media
- On Premise Webex and 3rd Party SIP apps and devices may use encrypted signalling and encrypted media
Privacy & Confidentiality: Media kept on premises
Accessibility: My org only (Cloud and SIP based users)
Features: No cloud media services

Meeting Video & Roster Display: User Identity information
Lobby: User Categories and User Identity information
- Internal Users (Authenticated)
- External Users (Authenticated)
- Unverified Users (Not Authenticated, Not Signed In)
Webex Meetings: Host Controls - Admitting Users from the Lobby

Zero Trust End to End Encryption
Question: How do you know that your Meetings Provider does not have your meeting content encryption keys?
Answer: If the meeting encryption key is generated on your device and never leaves it, and this common meeting encryption key can only be generated by meeting participants.

Zero Trust Security: End to End Encryption (diagram: Meeting Participants hold the Meeting Content Encryption Key; Encrypted Meeting Data passes through the Webex Media Service over TLS/HTTPS; the Webex Meetings Service has no access to the key)
Zero Trust = No access to Meeting encryption keys. Only Meeting Participants have the Meeting's content encryption key.

Zero Trust End to End Identity
Question: How do you know that your Meetings Provider cannot impersonate you, so as to get access to your meeting encryption key?
Answer: If the identity information exchanged between participants in your meeting (and used to generate the meeting encryption key) is authenticated not by the Meetings Provider, but verified by an independent/external Identity Provider of your choice.

Zero Trust Security: End to End Identity (diagram: each Meeting Participant's Identity Information consists of a CA signed Identity Certificate from a Webex Independent CA and IdP signed User Info Verified Credentials, a User Info JWT, from a Webex Independent IdP; User Identities verified by all meeting participants)
Zero Trust = No control over meeting participants' identity information.
Zero Trust Security for Webex Meetings: E2E Media Encryption - MLS and SFrame operation (diagram: Meeting Host and Meeting Participant each hold SFrame Meeting Encryption Key 1 and Key 2; the Webex MLS Service and Webex Identity Service are reached over TLS/HTTPS; SFrame Encrypted Data is carried inside SRTP Encrypted Data to the Webex Media Service, which holds only the SRTP Data Encryption Keys)
Privacy & Confidentiality: Cloud cannot decrypt media
Accessibility: Any cloud connected user. No SIP, No PSTN
Features: No cloud media services, e.g. No Recording, WXA etc

Zero Trust Security for Webex Meetings: E2E Identity - Meeting Roster, User Identity details
- Credential is verified by Identity Provider (Ory). Select the icon to view the credential details.
- Credential is verified by Webex CA. Select the icon to view the credential details.

Webex Meetings: Scheduled Meetings and Personal Room Meetings

Scheduled Webex Meetings
Most secure and preferred meeting type
- Multiple meeting types available
- One time meeting or recurring
- Password protected
- Auto Lock feature
- Lobby Controls
- Join before Host controls
- Call In numbers
- Attendee mute controls
- Recording Controls
- Enable Breakout sessions
- Require invitees to register
- Simultaneous Interpretation
- Meeting Options
- Attendee Privileges

Webex Personal Room Meetings
A convenient meeting type, but recommended for meetings with trusted participants
Personal Room Meetings:
- A persisted meeting
- Always available
- Activated by the host (or co-host)
Limited security features:
- Lobby (Site Admin controlled)
- Lock (Site Admin/Host controlled)
- CAPTCHA (Site Admin controlled)
- Mute attendee controls

Secure Meeting access: PSTN/SIP/Cloud devices
The richest meeting experience comes with the Webex app, but users can also join meetings from cloud registered Webex devices, SIP devices, Phones.
Cloud registered Webex devices
- In Meeting Features: Audio/Video/Desktop share; Meeting Roster, Reactions, One Button to Push, Noise Reduction; Webex Assistant, Closed Captions; Recording etc
- Security Features: Webex recognizes cloud registered devices and can apply security privileges such as Lobby bypass
SIP devices
- In Meeting Features: Audio/Video/Desktop share
- Security Features: DTMF entered meeting number & numeric password; Video system settings: Enforce numeric meeting password when joining
PSTN/IP Phones
- In Meeting Features: Audio only
- Security Features: Phone settings: CLID and PIN matching to authenticate site users; Enforce numeric meeting password when joining by phone

Administrator and Meeting Host: Security documents https:/
Section: ... and other exploits; Avoiding fraud and unwanted attendees; Webex features for user screening & controlled access to meetings

Deepfake and online meetings
- Deepfake software is freely available today
- Deepfake exploits are usually sophisticated attacks or doctored pre-recorded video
- Instances of meetings with fraudulent users using deepfake are relatively small today, but there have been several significant cases
To avoid deepfake users in meetings:
- The host needs tools that allow them to check the validity of a user's identity
- The host needs to be able to vet individual users and eject unwanted users
- Participants need an indicator of the authenticity of each user
Webex has these tools.

Less sophisticated, but more common meeting fraud exploits
Meeting fraud is generally of two types:
1) PSTN Call Back Toll Fraud: Unwanted users join meetings and initiate a call back to a premium rate number. The organization hosting the meeting pays the bill for these premium rate calls.
2) Eavesdroppers/unwanted users: At best, these attackers will disrupt your meeting. At worst, unwanted users access information that your organization considers confidential.
The majority of meeting fraud today is perpetrated by unverified (guest) users. An unverified user is any user who does not have a Webex account, or has not signed in. Allowing unverified users to join your meetings makes meetings easily accessible to any user:
- This can be beneficial, when a required attendee does not have a Webex account (paid/free)
- The downside is that an unverified user is exactly that: they can enter any username, and the meeting host cannot verify their identity until they are in the meeting

New Webex Meetings Security features
- Scheduled Meetings: Auto Admit feature
- Personal Meeting Rooms: New Lobby Controls
- Organization/User Group/User: External Meeting Access Controls, Internal Meeting Access Controls, External Meeting Feature Controls, Internal Meeting Feature Controls

Scheduled Meetings: Auto Admit feature
Site Admin setting for uninvited users: "Wait in the Lobby until the host admits them" or "Cannot join the meeting".
User Page: Scheduled Meeting: Auto Admit. Authenticated, invited users & rooms listed on the meeting owner's calendar invite can join or start the meeting with or without host.

New: Personal Room Lobby settings
Today: Guests = Unverified Users and verified (authenticated) External Users. This can lead to lobby bloat in large meetings and a tendency for hosts to "admit all" rather than vet individual users.
New settings: Separate lobby controls for unverified users and verified external users. Allows administrators to apply different sets of controls for these groups of users, to reduce lobby bloat and meeting fraud. (Personal Room Meeting Lobby Controls)

Control Hub Organization wide/User Group/User: Access Controls - External Webex Meetings
- All meetings (Default setting): Allow users to join all external meetings
- Approved external sites only: All users in the org can join meetings hosted on approved external sites
- Internal meetings only: Block users from joining all external meetings
These controls can be applied to: All users in the organization; Groups of users using Templates applied to user groups; Individual users (user profile)

Control Hub Organization wide/User Group/User: Internal Webex Meeting Access Controls (1)
Any external user can join Scheduled and Personal Room meetings (Default Setting)
These controls can be applied to: All users in the organization; Groups of users using Templates applied to user groups; Individual users (user profile)

Control Hub Organization wide/User Group/User: Internal Webex Meeting Access Controls (2)
- Option 1: No external users can join Personal Room meetings and Scheduled meetings (default)
- Option 2: No external users can join Personal Room meetings; Any user can join scheduled meetings

Control Hub Organization wide/User Group/User: Internal Webex Meeting Access Controls (3)
- Option 1: Only users in approved external domains can join Personal Room meetings and Scheduled meetings (default)
- Option 2: Only users in approved external domains can join Personal Room meetings; Any user can join scheduled meetings
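As an added illustration (not Webex code and not from the presentation), the following Python models how the controls above combine for one joiner: the roster category from the Lobby slide, the org-wide Internal Meeting Access option, the split Personal Room lobby settings and Auto Admit for scheduled meetings. The class and setting names are assumptions, and the sample users and policies are constructed.

```python
"""Policy model of the admission controls on these slides (lobby user categories,
Auto Admit, split Personal Room lobby settings, Internal Meeting Access options).
Added illustration for this page, not Webex code; all names are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Category(Enum):          # roster/lobby categories from the Lobby slide
    INTERNAL = "internal"      # signed in, same org as the meeting host
    EXTERNAL = "external"      # signed in, a different org
    UNVERIFIED = "unverified"  # not signed in: name and e-mail are self-asserted

class Decision(Enum):
    ADMIT = "admit"
    LOBBY = "lobby"            # wait until the host vets and admits
    BLOCK = "block"            # cannot join the meeting

class ExternalAccess(Enum):    # Internal Webex Meeting Access Control options
    ANY = "any external user can join"                         # default
    NONE = "no external users, personal rooms or scheduled"
    NONE_PERSONAL_ROOM = "no external users in personal rooms"
    APPROVED_DOMAINS = "approved domains only, all meetings"
    APPROVED_DOMAINS_PERSONAL_ROOM = "approved domains only, personal rooms"

@dataclass
class User:
    email: str
    org: Optional[str]         # None: no Webex account at all
    signed_in: bool = False

@dataclass
class Meeting:
    host_org: str
    personal_room: bool = False
    invitees: frozenset = frozenset()  # e-mails on the owner's calendar invite
    auto_admit: bool = True            # Scheduled Meeting: Auto Admit toggle

@dataclass
class OrgPolicy:
    external_access: ExternalAccess = ExternalAccess.ANY
    approved_domains: frozenset = frozenset()
    uninvited: Decision = Decision.LOBBY               # Site Admin: lobby or cannot join
    personal_room_external: Decision = Decision.LOBBY  # new split lobby controls
    personal_room_unverified: Decision = Decision.LOBBY

def classify(user: User, host_org: str) -> Category:
    if not user.signed_in or user.org is None:
        return Category.UNVERIFIED
    return Category.INTERNAL if user.org == host_org else Category.EXTERNAL

def org_gate(user: User, meeting: Meeting, policy: OrgPolicy) -> bool:
    """Org-wide option for authenticated external users; False means blocked.
    Unverified users skip it: their domain is unverifiable (model assumption)."""
    opt, pr = policy.external_access, meeting.personal_room
    if opt is ExternalAccess.NONE:
        return False
    if opt is ExternalAccess.NONE_PERSONAL_ROOM and pr:
        return False
    if opt is ExternalAccess.APPROVED_DOMAINS or (
            opt is ExternalAccess.APPROVED_DOMAINS_PERSONAL_ROOM and pr):
        return user.email.rsplit("@", 1)[-1].lower() in policy.approved_domains
    return True

def admission(user: User, meeting: Meeting, policy: OrgPolicy) -> Decision:
    cat = classify(user, meeting.host_org)
    if cat is Category.EXTERNAL and not org_gate(user, meeting, policy):
        return Decision.BLOCK
    if meeting.personal_room:
        if cat is Category.INTERNAL:  # assumption: own-org users go straight in
            return Decision.ADMIT
        if cat is Category.EXTERNAL:
            return policy.personal_room_external
        return policy.personal_room_unverified
    # Scheduled meeting: Auto Admit covers only authenticated invitees, because an
    # unverified joiner can type an invitee's address without proving it is theirs.
    invited = cat is not Category.UNVERIFIED and user.email.lower() in meeting.invitees
    if invited:
        return Decision.ADMIT if meeting.auto_admit else Decision.LOBBY
    return policy.uninvited

def demo() -> dict:
    # Constructed sample: host org example.com, default policy vs a hardened one
    host = "example.com"
    scheduled = Meeting(host, invitees=frozenset({"alice@example.com", "bob@partner.org"}))
    room = Meeting(host, personal_room=True)
    alice = User("alice@example.com", host, signed_in=True)
    bob = User("bob@partner.org", "partner.org", signed_in=True)
    carol = User("carol@other.net", "other.net", signed_in=True)
    mallory = User("bob@partner.org", None)  # types an invitee's address, not signed in
    default, hardened = OrgPolicy(), OrgPolicy(
        external_access=ExternalAccess.APPROVED_DOMAINS_PERSONAL_ROOM,
        approved_domains=frozenset({"partner.org"}),
        uninvited=Decision.BLOCK, personal_room_unverified=Decision.BLOCK)
    return {
        "alice scheduled default": admission(alice, scheduled, default),
        "mallory scheduled default": admission(mallory, scheduled, default),
        "mallory scheduled hardened": admission(mallory, scheduled, hardened),
        "bob room hardened": admission(bob, room, hardened),
        "carol room hardened": admission(carol, room, hardened),
        "mallory room hardened": admission(mallory, room, hardened),
    }
```

The interesting row is mallory: with the default policy an unverified joiner who types an invitee's address still lands in the lobby rather than being auto-admitted, and the hardened policy keeps such joiners out of personal rooms entirely.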
98、ser Group/User:External Meeting Access Controls Internal Meeting Access Controls External Meeting Feature Controls Internal Meeting Feature Controls 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveFeature Controls for External Webex MeetingsBRKCOL-2876These meeting feature
- These meeting feature controls apply when users in your organization join any external Webex meeting.
- These controls do not apply to users joining internal meetings.
- These controls can be applied to: all users in the organization; groups of users, using templates; individual users, via their user profiles.

Feature Controls for Internal Webex Meetings
- These meeting feature controls apply when users in your organization join any internal Webex meeting.
- Telephony controls (not shown): Call In, Call Back, VoIP.
- These controls do not apply to users joining external meetings.
- These controls can be applied to: all users in the organization; groups of users, using templates; individual users, via their user profiles.

New Webex Meetings Features: Security
- Audio Watermarking
- Video Watermarking

Webex Meetings - Audio Watermarking
Available today for Webex E2E Encrypted Meetings.
When Audio Watermarking is enabled, the meeting audio includes a unique identifier for each participant. An admin can upload audio recordings to Control Hub, which then analyzes the recording and looks up the unique identifiers. The results of the analysis show which participant shared the meeting content externally.
- To be analyzed, the recording must be an AAC, MP3, M4A, WAV, MP4, AVI or MOV file no larger than 500 MB, and longer than 90 seconds.
- You can only analyze recordings of meetings hosted by people in your organization.
- Analyzed recordings are deleted as soon as the analysis is complete.

Webex Meetings - Video Watermarking
- GA date: 2H CY2023
- All meeting types supported
- Visual watermark on both shared content and video
- Webex App: desktop, mobile, web
- Authenticated users: the watermark displays the user's email; unverified users: email and username
- Local recording is automatically disabled; network recording is optional

New Webex Meetings Features: Privacy
- Delete Meeting Host and Usage information

Webex Meetings - Delete Meeting Host and Usage Data
Examples of host and usage data: IP address, User Agent identifier, hardware type, operating system type and version, client version, host name and email address, meeting site URL, meeting start/end time, meeting title, call attendee information. For full details see the Webex Meetings Privacy Data Sheet: https:/
Control Hub > Account > Privacy allows an administrator to delete Meeting Host and Usage Information based on the Meeting Host name. Deleted data cannot be retrieved. https:/

E2E Encryption and E2E Identity: Technical Deep Dive
- MLS based E2E Encrypted Meetings
- MLS key packages and User Identity Information
- MLS operation: meeting participant join
- SFrame encryption
- Combined MLS and SFrame operation: meeting participant join
- Zero Trust End to End Encryption
MLS key packages and User Identity Information
Messaging Layer Security (MLS) was developed as a security layer for E2E encrypting group messaging and has been repurposed for Webex Meetings E2E encryption. Identity credentials are carried by MLS (in MLS key packages) to verify meeting participants and as part of the MLS E2E encryption key generation process.
- https://www.ietf.org/archive/id/draft-ietf-mls-architecture-10.html
- https://www.ietf.org/archive/id/draft-ietf-mls-protocol-20.html
MLS uses "key packages" to identify users and to generate new meeting encryption keys as participants join and leave the meeting. Each MLS key package contains:
- the participant's identity information and public key (verified credentials or a certificate issued by a CA, or alternatively a User Info JWT issued by an IdP)
- a tree hash value that represents the cryptographic group state and the credentials of the group members (meeting participants)
- an identifier for the current version of the meeting encryption key
- a digital signature: each meeting participant signs their key package with their private key, so that other meeting participants can verify its authenticity

MLS Operation: Meeting Participant Join
An MLS key package contains the participant's identity details (verified credentials or certificate) and other metadata used for identity verification and meeting encryption key generation. The Webex MLS Service in the Webex cloud relays key packages between the participants and the meeting leader.
- New meeting participants send their key package to the meeting leader (in MLS, the leader does not need to be the Meeting Host).
- The meeting leader shares the new participant's key package with the other participants.
- The meeting leader shares the existing meeting participants' key packages with the new participant.
- All meeting participants generate a new meeting encryption key (MLS uses timers to reduce key churn when large numbers of participants join the meeting in a short time interval).
- A new meeting encryption key is created when participants join or leave the meeting.
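The key package and join steps above, as an added example in Go (this is not Cisco's or Webex's code and not an MLS implementation): a key package signed with Ed25519 and verified by every receiver, and a group state that each member advances identically on a join, so that a newcomer who replays the packages the leader shared lands on the same key. The identities, the Ed25519 choice and the hash-chain key derivation are this example's assumptions; real MLS derives keys through TreeKEM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyPackage carries what the slide lists: identity and public key, the tree
// hash of the group state it was built against, the current meeting key id,
// and the owner's signature over all of it.
type KeyPackage struct {
	Identity  string
	PublicKey ed25519.PublicKey
	TreeHash  [32]byte
	KeyID     uint32
	Signature []byte
}

// tbs is the to-be-signed encoding (all fields but Signature); the identity is
// length-prefixed so that two different field layouts cannot collide.
func (kp *KeyPackage) tbs() []byte {
	n := len(kp.Identity)
	b := append([]byte{byte(n >> 8), byte(n)}, kp.Identity...)
	b = append(b, kp.PublicKey...)
	b = append(b, kp.TreeHash[:]...)
	return append(b, byte(kp.KeyID>>24), byte(kp.KeyID>>16), byte(kp.KeyID>>8), byte(kp.KeyID))
}

// NewKeyPackage builds a package and signs it with the participant's private key.
func NewKeyPackage(identity string, priv ed25519.PrivateKey, treeHash [32]byte, keyID uint32) *KeyPackage {
	kp := &KeyPackage{Identity: identity, PublicKey: priv.Public().(ed25519.PublicKey), TreeHash: treeHash, KeyID: keyID}
	kp.Signature = ed25519.Sign(priv, kp.tbs())
	return kp
}

// Verify is what every receiving participant runs before accepting a package.
func (kp *KeyPackage) Verify() error {
	if len(kp.PublicKey) != ed25519.PublicKeySize || !ed25519.Verify(kp.PublicKey, kp.tbs(), kp.Signature) {
		return fmt.Errorf("key package for %q: signature does not verify", kp.Identity)
	}
	return nil
}

// Group is the state each participant keeps: member packages in join order,
// the tree hash over them, and the current meeting key with its id.
type Group struct {
	Members    []*KeyPackage
	TreeHash   [32]byte
	MeetingKey [32]byte
	KeyID      uint32
}

// Join verifies the newcomer's package, then advances the tree hash and the
// meeting key. Hypothetical stand-in: real MLS derives keys through TreeKEM,
// not this hash chain; the point is that every member reaches the same state.
func (g *Group) Join(kp *KeyPackage) error {
	if err := kp.Verify(); err != nil {
		return err
	}
	g.Members = append(g.Members, kp)
	h := sha256.New()
	h.Write(g.TreeHash[:])
	for _, m := range g.Members {
		h.Write(m.tbs())
	}
	copy(g.TreeHash[:], h.Sum(nil))
	g.KeyID++
	g.MeetingKey = sha256.Sum256(append(g.MeetingKey[:], g.TreeHash[:]...))
	return nil
}

func mustKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return priv
}

// Demo walks the join on the slide: the leader's group holds Alice and Bob;
// Carol sends her package, receives the existing packages back, replays them
// and ends with the same key. A package whose identity a relay rewrote
// (without Carol's private key) fails verification.
func Demo() (sameKey, tamperRejected bool, err error) {
	leader := &Group{}
	for _, id := range []string{"alice@example.com", "bob@example.com"} {
		if err = leader.Join(NewKeyPackage(id, mustKey(), leader.TreeHash, leader.KeyID)); err != nil { return }
	}
	carol := NewKeyPackage("carol@example.com", mustKey(), leader.TreeHash, leader.KeyID)
	if err = leader.Join(carol); err != nil { return }
	// Carol replays the packages the leader shared with her (the existing
	// members' and her own) and must land on the leader's tree hash and key.
	carolView := &Group{}
	for _, kp := range leader.Members {
		if err = carolView.Join(kp); err != nil { return }
	}
	sameKey = carolView.MeetingKey == leader.MeetingKey && carolView.KeyID == leader.KeyID
	// A relay that rewrites the identity cannot re-sign without Carol's private key.
	forged := *carol
	forged.Identity = "mallory@example.com"
	tamperRejected = forged.Verify() != nil
	return
}

func main() { fmt.Println(Demo()) }
```

Verification happens before a package is added to the group state, which is the order that matters: a package that fails the signature check must not influence the tree hash or the derived key, otherwise a relay could still steer the group state without being able to read it.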
SFrame for E2E Encrypted Webex Meetings
Secure Frames (SFrame) provides an extra layer of authenticated encryption for media: the whole media frame is encrypted before being placed into individual SRTP payloads. SFrame uses MLS to provide the encryption keys that each meeting participant needs.
https://datatracker.ietf.org/doc/draft-ietf-sframe-enc/

Double encryption process:
1) Unencrypted media frame
2) Packetize the unencrypted media frame
3) Encrypt the packets using the SFrame E2E meeting encryption key
4) Encrypt the SFrame packets with the SRTP keys
5) Media metadata is moved to the SRTP header extension (authenticated)

SFrame encryption cipher: AES-256-GCM.
Encrypted SFrame format:
- SFrame header: frame counter (used for the encryption IV) and key id
- SFrame encrypted media
- SFrame authentication tag
Authenticated SRTP header extension: speaker volume indication, used by Webex media servers to switch media without decrypting the SFrame content.

Figure, Secure Frames (SFrame): unencrypted media frame > packetization > encrypt each packet with the SFrame end to end meeting encryption key (SFrame header, encrypted media, SFrame auth tag) > encrypt each packet with the SRTP hop by hop encryption key (SRTP header, SRTP auth tag). SFrame media metadata (e.g. speaker volume) is carried in the RTP header extension, which allows Webex media servers to switch data without needing to decrypt the SFrame content.
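The double encryption process above, as an added example in Go (not Webex's code and not a conforming SFrame implementation): an SFrame layer under the E2E key with the header as authenticated data, an SRTP-style hop layer under a different key with the speaker volume in an authenticated but readable header extension, and a media server that re-wraps a packet for the next hop without holding the E2E key. The header layout, nonce construction, key labels and sample frame are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return g
}

// SFrame is the end to end layer: a header (key id, frame counter) authenticated
// as additional data, then AES-256-GCM ciphertext and tag. The layout follows the
// slide, not the exact wire format of draft-ietf-sframe-enc, and the per-sender
// key derivation from the MLS key is omitted.
type SFrame struct {
	KeyID   uint8
	Counter uint32
	Payload []byte // ciphertext || 16-byte GCM tag
}

func (f *SFrame) header() []byte {
	return []byte{f.KeyID, byte(f.Counter >> 24), byte(f.Counter >> 16), byte(f.Counter >> 8), byte(f.Counter)}
}

// iv is the 96-bit nonce built from the counter, which travels in the header so
// the receiver can rebuild it; a counter must never repeat under one key.
func (f *SFrame) iv() []byte { return append(make([]byte, 8), f.header()[1:]...) }

func SFrameEncrypt(e2eKey []byte, keyID uint8, counter uint32, frame []byte) *SFrame {
	f := &SFrame{KeyID: keyID, Counter: counter}
	f.Payload = gcm(e2eKey).Seal(nil, f.iv(), frame, f.header())
	return f
}

func SFrameDecrypt(e2eKey []byte, f *SFrame) ([]byte, error) {
	return gcm(e2eKey).Open(nil, f.iv(), f.Payload, f.header())
}

// SRTPPacket is the hop by hop layer: the header extension carrying the speaker
// volume is authenticated but readable; the SFrame bytes are encrypted under
// the per-hop SRTP key.
type SRTPPacket struct {
	Seq    uint16
	Volume uint8  // RTP header extension, readable by the media server
	Body   []byte // SRTP-encrypted (SFrame header || ciphertext || tag)
}

func (p *SRTPPacket) aad() []byte   { return []byte{byte(p.Seq >> 8), byte(p.Seq), p.Volume} }
func (p *SRTPPacket) nonce() []byte { return append(make([]byte, 10), byte(p.Seq>>8), byte(p.Seq)) }

func SRTPEncrypt(hopKey []byte, seq uint16, volume uint8, f *SFrame) *SRTPPacket {
	p := &SRTPPacket{Seq: seq, Volume: volume}
	p.Body = gcm(hopKey).Seal(nil, p.nonce(), append(f.header(), f.Payload...), p.aad())
	return p
}

func SRTPDecrypt(hopKey []byte, p *SRTPPacket) (*SFrame, error) {
	plain, err := gcm(hopKey).Open(nil, p.nonce(), p.Body, p.aad())
	if err != nil { return nil, err }
	if len(plain) < 5 { return nil, errors.New("short SFrame") }
	ctr := uint32(plain[1])<<24 | uint32(plain[2])<<16 | uint32(plain[3])<<8 | uint32(plain[4])
	return &SFrame{KeyID: plain[0], Counter: ctr, Payload: plain[5:]}, nil
}

// MediaServerSwitch is all the server can do with hop keys alone: check and strip
// the sender's SRTP layer, read the volume to pick the active speaker, and
// re-wrap the untouched SFrame for the next hop.
func MediaServerSwitch(inKey, outKey []byte, p *SRTPPacket) (*SRTPPacket, uint8, error) {
	f, err := SRTPDecrypt(inKey, p)
	if err != nil { return nil, 0, err }
	return SRTPEncrypt(outKey, p.Seq, p.Volume, f), p.Volume, nil
}

// Demo sends one constructed frame Alice -> media server -> Bob.
func Demo() (bobRecovered, serverCannotRead bool, err error) {
	key := func(label string) []byte { k := sha256.Sum256([]byte(label)); return k[:] }
	e2eKey := key("mls-derived-meeting-key") // held by Alice and Bob only
	hopA, hopB := key("srtp-alice-server"), key("srtp-server-bob")
	frame := []byte("opus frame bytes (constructed sample)")
	toServer := SRTPEncrypt(hopA, 7, 180, SFrameEncrypt(e2eKey, 1, 42, frame))
	toBob, _, err := MediaServerSwitch(hopA, hopB, toServer)
	if err != nil { return }
	sf, err := SRTPDecrypt(hopB, toBob)
	if err != nil { return }
	got, err := SFrameDecrypt(e2eKey, sf)
	if err != nil { return }
	bobRecovered = string(got) == string(frame)
	_, e := SFrameDecrypt(hopB, sf) // the server holds only hop keys; GCM rejects them
	serverCannotRead = e != nil
	return
}

func main() { fmt.Println(Demo()) }
```

Two properties worth checking on any such design: the SFrame tag is computed under the E2E key, so the media server cannot alter media undetected even though it re-encrypts the outer layer, and the volume field is part of the hop layer's authenticated data, so a network attacker between endpoint and server cannot change who the server treats as the active speaker.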
Zero Trust Security for Webex Meetings: E2E Media Encryption (MLS and SFrame operation)
Figure: the meeting host and each meeting participant hold SRTP data encryption keys for their hop to the Webex Media Service and share the SFrame meeting encryption keys (shown as key 1 and key 2) negotiated through the Webex MLS Service over TLS/HTTPS; identity comes from the Webex Identity Service. Media crosses the Webex Media Service as SRTP encrypted data whose SFrame encrypted payload the service cannot decrypt.
- Privacy and confidentiality: the cloud cannot decrypt media.
- Accessibility: any cloud connected user. No SIP, no PSTN.
- Features: no cloud media services, e.g. no recording, no Webex Assistant (WXA), etc.

Zero Trust Security for Webex Meetings: E2E Encryption for meeting chat, files, whiteboards and annotation
- The meeting content encryption key is generated by the meeting host, encrypted with the meeting media encryption key and shared with the other participants.
- Messages, files, whiteboards and annotations pass through the Webex Meetings Chat, File and Whiteboard services encrypted under that key; Webex cloud services do not have access to the content encryption key.
- Meeting chat, files, whiteboards and annotations are not available when the meeting ends.

Zero Trust Security for Webex Meetings: Summary of E2E Encryption features
Supported:
- End to end encrypted meetings are available to enterprise and consumer customers
- Supported by the Webex App (desktop and mobile) and Webex devices
- Up to 1000 participants (MC today; UCF 250 today, 1000 in Q3 CY2023)
- Audio watermarking, video watermarking
- Face recognition, gesture recognition
- Room interpretation, people presence detection
- Proximity pairing, background noise removal
- Local recording (Webex App)
Not supported: Zero Trust E2EE does not give Webex access to the meeting encryption keys, so cloud services and endpoints that need to decrypt meeting content cannot participate in E2EE meetings, e.g.:
- PSTN and SIP endpoints
- Cloud recording
- Webex Assistant: meeting transcription, real-time translation, closed captioning, highlights
-Remote desktop control (planned)
- Web browser based Webex App
- SX, DX and MX series devices

Zero Trust Security for Webex Meetings: E2E Encryption feature roadmap
Medium term:
- E2E encryption for 1:1 calls (Webex App and Webex devices)
- E2E encryption for breakout rooms
Long term:
- MLS support for all meetings, which means E2E identity for all meetings and a dynamic E2E encryption capability for all meetings

Zero Trust End to End Identity: Deep Dive
- OpenID Connect based credentials for user identity information
- Certificate (ACME) based credentials for user identity information
- Webex Trust based credentials for user identity information
- In-meeting security information

Zero Trust Security: E2E Identity for E2EE Webex Meetings: OpenID Connect based Credentials for User Identity Information
Verifiable Credentials with OpenID Connect for Webex Meetings
OpenID Connect User Info Verifiable Credentials: an OpenID IdP based specification for the issuance and verification of user identities based on JSON Web Tokens (JWTs). https:/
Identity Provider based verifiable user identity:
- A verifiable credential Holder must authenticate with their IdP and request their verified credentials (a signed JSON Web Token).
- Webex uses MLS to distribute the credentials to all meeting participants.
- A Verifier, on receipt of another user's credentials, can fetch and use the IdP's public key (from the issuer's JSON Web Key Set, JWK Set) to verify the signature on the user's credentials.
- Each Webex meeting participant verifies the credentials of all other participants with their issuing IdP.
Figure: Issuer (IdP) > issuance > Holder > presentation (User Info JWT) > Verifier; the Verifier trusts the Issuer and fetches the Issuer's JWK Set to check the JWT signature.
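The issuer, holder and verifier exchange above, as an added example in Go (not Webex's code and not any IdP's): a constructed IdP mints an ES256 user-info JWT and publishes its JWK Set, and a verifier checks the signature against the key named by kid, then issuer, audience and expiry, before trusting the identity claims. The issuer URL, audience, kid and user are assumptions; a real verifier fetches the JWK Set over HTTPS from the issuer's jwks_uri rather than receiving it in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// JWK and JWKS as published at the issuer's jwks_uri, reduced to the fields used
// here (kty, crv, kid, x, y and keys in the JSON document).
type JWK struct{ Kty, Crv, Kid, X, Y string }
type JWKS struct{ Keys []JWK }

// Claims in the user-info credential that the verifier relies on.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

// IssueJWT plays the IdP and mints an ES256 JWT. Inlined so the example runs
// offline; a real IdP uses a JOSE library for this.
func IssueJWT(priv *ecdsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { panic(err) }
	sig := make([]byte, 64) // JWS ES256 signature is raw r || s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig)
}

// PublicJWKS is the document the verifier fetches from the issuer's jwks_uri.
func PublicJWKS(pub *ecdsa.PublicKey, kid string) JWKS {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return JWKS{Keys: []JWK{{Kty: "EC", Crv: "P-256", Kid: kid, X: b64.EncodeToString(x), Y: b64.EncodeToString(y)}}}
}

// VerifyJWT is the verifier's side: pin the algorithm, pick the key by kid, check
// the signature, then issuer, audience and expiry, before trusting any claim.
func VerifyJWT(token string, jwks JWKS, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed JWT") }
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil { return nil, err }
	if hdr.Alg != "ES256" { return nil, fmt.Errorf("alg %q not accepted", hdr.Alg) } // never honour alg=none
	var key *JWK
	for i := range jwks.Keys {
		if k := &jwks.Keys[i]; k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" { key = k }
	}
	if key == nil { return nil, fmt.Errorf("no P-256 key with kid %q in JWKS", hdr.Kid) }
	xb, errX := b64.DecodeString(key.X)
	yb, errY := b64.DecodeString(key.Y)
	if errX != nil || errY != nil { return nil, fmt.Errorf("bad JWK coordinates") }
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return nil, fmt.Errorf("bad signature encoding") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not verify")
	}
	bodyJSON, err := b64.DecodeString(parts[1])
	if err != nil { return nil, err }
	var c Claims
	if err := json.Unmarshal(bodyJSON, &c); err != nil { return nil, err }
	if c.Iss != wantIss { return nil, fmt.Errorf("issuer %q not trusted", c.Iss) }
	if c.Aud != wantAud { return nil, fmt.Errorf("audience %q mismatch", c.Aud) }
	if now.Unix() >= c.Exp { return nil, fmt.Errorf("credential expired") }
	return &c, nil
}

// Demo: the IdP mints jsmith's credential and the verifier checks it against
// the JWKS; the same claims signed by some other key are rejected.
func Demo() (email string, forgedRejected bool, err error) {
	idp, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const iss, aud, kid = "https://idp.example.com", "webex-e2ee-mls", "2023-key-1"
	jwks := PublicJWKS(&idp.PublicKey, kid)
	now := time.Unix(1700000000, 0)
	good := IssueJWT(idp, kid, Claims{Iss: iss, Sub: "jsmith", Aud: aud, Email: "jsmith@example.com", Exp: now.Unix() + 300})
	c, err := VerifyJWT(good, jwks, iss, aud, now)
	if err != nil { return }
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bad := IssueJWT(rogue, kid, Claims{Iss: iss, Sub: "jsmith", Aud: aud, Email: "attacker@example.com", Exp: now.Unix() + 300})
	_, e := VerifyJWT(bad, jwks, iss, aud, now)
	return c.Email, e != nil, nil
}

func main() { fmt.Println(Demo()) }
```

The order of checks is deliberate: the algorithm is fixed before any key is chosen, the key is chosen from the trusted JWK Set by kid rather than from anything in the token, and the claims are only parsed after the signature has verified, so a forged token never reaches the issuer or audience comparison.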
OpenID Connect based Credentials for User Identity Information: Phase 1, two IdPs
- Users authenticating with their enterprise IdP receive Webex OAuth tokens for service access.
- Users authenticating via their OpenID Ory IdP receive verifiable credentials for MLS identity in E2EE meetings.
- IdP 1: Webex user login authentication and VC login authentication. IdP 2: the OIDC IdP creates the user's VC.
- Figure: user jsmith signs in to the Webex App against the customer's IdP (username and password) and receives OAuth tokens from the Webex Identity Service; a second sign-in against the customer's OIDC IdP issues the Webex App a User Info JWT (verifiable credential), which is then used with the Webex MLS Service and Webex Media Service.
- Secondary authentication is not always necessary if identity verification is initiated shortly after the initial Webex authentication.

OpenID Connect based Credentials for User Identity Information: Phase 2, single IdP
- Users authenticating with their enterprise IdP receive both Webex OAuth tokens for service access and verifiable credentials for MLS identity in E2EE meetings.
- 1) Webex user login authentication; 2) verifiable credentials login authentication; both against the customer's IdP.

Zero Trust Security: E2E Identity for E2EE Webex Meetings: Certificate (ACME) based Credentials for User Identity Information
ACME for E2E Identity for devices with Webex Meetings
Automated Certificate Management Environment (ACME): a protocol that can be used by a Certificate Authority and a certificate applicant to automate the process of identity verification and certificate issuance. RFC 8555 describes an automated validation procedure that allows domain-name based certificates to be obtained without user intervention.
- The ACME protocol is used to generate user and device identity certificates.
- ACME automatically handles Certificate Signing Requests sent to Certificate Authorities.
- Device certificate name validation via a public domain name check.
- User CSR validation via a SAML assertion from a federated IdP.
- https://tools.ietf.org/html/rfc8555
- https://tools.ietf.org/html/draft-biggs-acme-sso-00
- Webex uses MLS to distribute certificates to all meeting participants.
- Each Webex meeting participant verifies the certificates of all other participants with their issuing CA. Certificates are validated in accordance with RFC 5280 (path validation) and RFC 6960 (OCSP).
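The participant-side certificate check above, as an added example in Go (not Webex's code and not an ACME client): an in-memory CA stands in for the non-Cisco ACME CA, issues a device certificate with the device name in the SAN once the challenge is assumed to have passed, and a participant validates it the RFC 5280 way (path building to a trusted root, name match, validity period). The CA names, device name and lifetimes are assumptions; the ACME challenge exchange and OCSP revocation checking are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// sign issues a certificate from template under parent's key (self-signed when parent == template).
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// CA stands in for the non-Cisco ACME CA the organization chose.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func NewCA(name string, now time.Time) (*CA, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return &CA{Key: key, Cert: cert}, nil
}

// IssueDeviceCert is the step after the ACME challenge for deviceName has
// passed: the CA signs a 90-day leaf with that name in the SAN and a client
// authentication EKU. The ACME exchange itself (order, challenge, CSR) is not modelled.
func (ca *CA) IssueDeviceCert(deviceName string, pub *ecdsa.PublicKey, serial int64, now time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: deviceName},
		DNSNames:     []string{deviceName},
		NotBefore:    now, NotAfter: now.AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca.Cert, pub, ca.Key)
}

// VerifyParticipantCert is what a participant does with the certificate found
// in another participant's MLS key package: RFC 5280 path validation to a root
// it trusts, a name check against the identity being claimed, and validity at
// the current time. Revocation checking (RFC 6960 OCSP) is not modelled.
func VerifyParticipantCert(leaf *x509.Certificate, roots []*x509.Certificate, claimedName string, now time.Time) error {
	pool := x509.NewCertPool()
	for _, r := range roots { pool.AddCert(r) }
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: pool, DNSName: claimedName, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Demo: a device cert from the trusted CA passes; the same name certified by a
// CA the participant does not trust, a different claimed name, and an expired
// certificate all fail.
func Demo() (genuineOK, rogueRejected, wrongNameRejected, expiredRejected bool, err error) {
	now := time.Date(2023, 6, 1, 0, 0, 0, 0, time.UTC)
	trusted, err := NewCA("Example Trusted CA", now)
	if err != nil { return }
	rogue, err := NewCA("Rogue CA", now)
	if err != nil { return }
	const name = "room-1.example.com"
	dev := newKey()
	genuine, err := trusted.IssueDeviceCert(name, &dev.PublicKey, 100, now)
	if err != nil { return }
	forged, err := rogue.IssueDeviceCert(name, &dev.PublicKey, 101, now)
	if err != nil { return }
	roots := []*x509.Certificate{trusted.Cert}
	at := now.Add(time.Hour)
	genuineOK = VerifyParticipantCert(genuine, roots, name, at) == nil
	rogueRejected = VerifyParticipantCert(forged, roots, name, at) != nil
	wrongNameRejected = VerifyParticipantCert(genuine, roots, "room-2.example.com", at) != nil
	expiredRejected = VerifyParticipantCert(genuine, roots, name, now.AddDate(0, 0, 91)) != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The name check is the part most often skipped in ad hoc verifiers: a chain that validates to a trusted root only proves that some CA vouched for some name, and it is the comparison between the SAN and the identity presented in the key package that ties the certificate to the participant.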
Certificate based Credentials for Device Identity Information
- Webex devices onboarded by the organization administrator receive Webex OAuth tokens for service access.
- The customer organization uses ACME to request a signed device identity certificate from a non-Cisco CA.
- Figure: the Webex administrator's ACME certificate request goes to a non-Cisco Certificate Authority (e.g. Let's Encrypt), which validates the device name via DNS; the customer's cloud IdP (e.g. Okta) and the Webex Identity Service handle sign-in, and the certificate is used by the Webex App and device with the Webex MLS Service and Webex Media Service.

Zero Trust Security: E2E Identity for E2EE Webex Meetings: Webex Trust based Credentials for User Identity Information
Webex Trust based Credentials for User Identity Information
- Users authenticating with their enterprise IdP receive both Webex OAuth tokens for service access and Webex CA certificates for user identity in Webex E2EE meetings.
- Figure: user jsmith signs in to the Webex App via the customer's IdP; the Webex Identity Service issues the OAuth tokens and the Webex CA issues the meeting participant identity certificate, which is used with the Webex MLS Service and Webex Media Service.

Webex Trust based Credentials for Device Identity Information
- Webex devices onboarded by the organization administrator receive both Webex OAuth tokens for service access and Webex CA certificates for device identity in Webex E2EE meetings.
- Figure: Webex Device 1 obtains its OAuth tokens from the Webex Identity Service and its device identity certificate from the Webex CA, used with the Webex MLS Service and Webex Media Service.

Zero Trust Security: E2E Identity for E2EE Webex Meetings: In-Meeting Security Information

Zero Trust Security for Webex Meetings: Meeting Security icons, Encrypted / E2E Encrypted
- Encrypted meeting: Webex App, Webex Room devices, SIP devices, PSTN. Network based services: recording, transcription, speech recognition, closed captions, Webex Assistant, etc.
- End to end encrypted meeting: Webex App and cloud registered Webex Room devices only. No SIP devices or PSTN users. No cloud collaboration media based services.

Zero Trust Security for Webex Meetings: E2E Encrypted Meeting Security Information
Zero Trust Security for Webex Meetings: E2E Encrypted Meetings, Meeting Security Code

Meeting Security Codes: Protecting against MITM attacks
The meeting security code is displayed to all meeting participants. If they all see the same value, they know they have not been intercepted and impersonated by an attacker (a Meddler In The Middle, MITM, attack).
- The Webex E2E encrypted meeting security code is derived from all participants' MLS key packages.
- If participants have the same code, they know they agree on all aspects of the group, including the group's secrets and the current participant list.
- The security code value changes every time a new participant joins the meeting.

Figure: the meeting host and a meeting participant share the SFrame E2E meeting encryption key negotiated via the Webex MLS Service, and each holds SRTP encryption keys for its hop to the Webex Media Service; the Webex services in between see only SRTP and SFrame encrypted data.

What a MITM attacker needs access to:
- Your encrypted media: the SRTP encryption keys and all MLS E2E meeting encryption keys
- Your TLS connections to Webex, including the MLS service and all MLS key packages

To impersonate you, at a minimum a MITM attacker needs to intercept all MLS key packages and replace them with their own. The attacker then holds a different SFrame E2E meeting encryption key with each side, and the security code each Webex app computes locally from the key packages it received no longer matches the other side's (the slide shows KKH 7CV MGV QTC 37J on one side and ABC 7DE FXR 25T GG8 on the other). The security codes generated by each Webex app using their MLS key packages should match.
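The security code check above, as an added example in Go (not Webex's derivation: the exact hash input and display format are not given on the slides): a code computed from the set of MLS key packages each app received, rendered as five groups of three characters, exercised on the slide's cases: honest participants agree, a meddler who substitutes packages in both directions produces a mismatch, and a join changes the code. The key packages are constructed byte strings, and the alphabet and grouping are this example's choice.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// 32 symbols, 5 bits each; I, O, 0 and 1 are left out to avoid misreading,
// which matches the character set of the slide's sample codes.
const codeAlphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

// SecurityCode derives a display code from every participant's key package.
// Packages are sorted so that all clients agree regardless of delivery order,
// and length-prefixed so that different splits of the same bytes cannot collide.
// The hash input and the 5x3 grouping are this example's choice, not Webex's.
func SecurityCode(keyPackages [][]byte) string {
	sorted := make([]string, len(keyPackages))
	for i, kp := range keyPackages {
		sorted[i] = string(kp)
	}
	sort.Strings(sorted)
	h := sha256.New()
	for _, kp := range sorted {
		h.Write([]byte{byte(len(kp) >> 8), byte(len(kp))})
		h.Write([]byte(kp))
	}
	digest := h.Sum(nil)
	groups := make([]string, 0, 5)
	for g := 0; g < 5; g++ {
		var sb strings.Builder
		for c := 0; c < 3; c++ {
			sb.WriteByte(codeAlphabet[digest[g*3+c]&0x1f])
		}
		groups = append(groups, sb.String())
	}
	return strings.Join(groups, " ")
}

// Demo plays the slide's situations with constructed key packages.
func Demo() (honestMatch, mitmDetected, changesOnJoin bool) {
	alice := []byte("keypkg:alice@example.com:pubkey-A")
	bob := []byte("keypkg:bob@example.com:pubkey-B")
	carol := []byte("keypkg:carol@example.com:pubkey-C")
	// The meddler's own keys, presented under the victims' names.
	malloryAsAlice := []byte("keypkg:alice@example.com:pubkey-M1")
	malloryAsBob := []byte("keypkg:bob@example.com:pubkey-M2")

	aliceSees := SecurityCode([][]byte{alice, bob})
	bobSees := SecurityCode([][]byte{bob, alice})
	honestMatch = aliceSees == bobSees

	// Full interception: each side received the meddler's package in place of the peer's,
	// but each side still hashes its own genuine package, so the two codes differ.
	aliceSeesMITM := SecurityCode([][]byte{alice, malloryAsBob})
	bobSeesMITM := SecurityCode([][]byte{malloryAsAlice, bob})
	mitmDetected = aliceSeesMITM != bobSeesMITM

	changesOnJoin = SecurityCode([][]byte{alice, bob, carol}) != aliceSees
	return
}

func main() {
	fmt.Println(SecurityCode([][]byte{[]byte("a"), []byte("b")}))
	fmt.Println(Demo())
}
```

The check only has value if participants compare the codes themselves over a channel the meddler does not also control; the apps can display the codes, but the comparison is a human step.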
Questions? Find BRKCOL-2876 in the Cisco Live Mobile App and use "Join the Discussion" to chat with the speaker in the session's Webex space, which is moderated by the speaker until June 9, 2023.