Building the Lync Security Eco System in the Cloud Fact Sheet.

Academic year: 2021

Problem statement

For effective UC deployment it must be easy and cost effective to interconnect all Microsoft Lync environments, to provide end-to-end encryption for clients that are not Microsoft Lync clients, and to manage security with direct access to Microsoft's Lync architecture at the point closest to its core servers.

Microsoft Lync is based on the Session Initiation Protocol (SIP), the standard Unified Communications protocol adopted by most vendors and hosted service providers, and the protocol used by Network Service Providers (NSPs) to deliver SIP trunk connections. SIP trunks are direct IP connections to IP-PBXs.

Lync's particular use of SIP, combined with its architecture and design, limits connectivity, security and interoperability between Lync and other SIP-based products and services. Lync is a complex product: a typical Lync installation spans multiple servers and depends on a number of additional services.

You need security

Investment in Unified Communications has been a major part of the IT budget over the last 5 years, with many organisations adopting Voice over the Internet, video and Instant Messaging as productivity tools that improve communication and save the business significant cost.

The introduction of Bring Your Own Device (BYOD, mobile), together with the adoption of cloud computing, private or public, and the variety of technologies that use SIP, has created a natural void in security. Many gaps have appeared which add risk to the business and open the door to criminal activity such as:

• Denial of Service attacks
• Eavesdropping
• Packet spoofing
• Replay attacks
• Message tampering (loss of message integrity)
• Information leakage

Microsoft connection points for Lync

The UM-Labs platform provides access and security via the Lync Edge Server and Front End Server. These connection points enable full UC integration. UM Labs also offers Mediation Server connections; these are used where a lower level of integration is sufficient, for example for SIP trunk connections.

SIP is delivered over IP networks. All data and applications on an IP network use a transport protocol to deliver data from one end-point to another, for example from a

Lync Security Eco System in the Cloud

Explaining the solution and the overlay for Unified Communications (UC)

All transport protocols run over the Internet Protocol (IP). IP's job is to deliver a series of packets; the transport protocol reassembles those packets and reconstructs the application data stream. SIP offers a choice of three transport protocols:

• UDP, a light-weight connectionless protocol that does little more than extract data from IP packets and deliver it to an application. It is the responsibility of the receiving application to reassemble the data stream and to cope with lost or reordered packets.
• TCP, a connection-oriented protocol which delivers complete and ordered data streams to the application. Compared to UDP there is additional overhead, particularly on servers handling large numbers of connections.
• TLS, which runs over TCP and adds encryption and certificate-based authentication of the connection.
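The practical consequence of the UDP/TCP difference for a SIP receiver is framing: a UDP datagram is one SIP message, while a TCP (or TLS) stream has no message boundaries and the application must find them from the blank line that ends the headers and the Content-Length header that sizes the body. The following is an added example written for this page, not UM Labs code; the OPTIONS and MESSAGE requests in it are constructed sample traffic.

```python
"""SIP message framing on UDP versus TCP (added example, not UM Labs code).

UDP delivers each SIP message as one datagram, so the transport itself
marks message boundaries. TCP delivers an ordered byte stream with no
boundaries at all: a single socket read may return half a message or
two and a half, so the receiving application must frame messages itself,
using the blank line that ends the headers and the Content-Length header
that sizes the body (mandatory on stream transports, RFC 3261 18.3).
The OPTIONS and MESSAGE requests below are constructed sample traffic.
"""
import re

_HEADER_END = b"\r\n\r\n"
# Content-Length or its compact form "l", case-insensitive, one per line
_CONTENT_LENGTH = re.compile(rb"^(?:content-length|l)\s*:\s*(\d+)\s*$", re.I | re.M)


def message_from_udp(datagram: bytes) -> bytes:
    """UDP: the datagram is the message; nothing to reassemble."""
    return datagram


class SipStreamFramer:
    """Accumulates TCP (or TLS) bytes and returns complete SIP messages."""

    def __init__(self):
        self._buf = b""

    def feed(self, chunk: bytes):
        """Append one socket read and return every message it completes."""
        self._buf += chunk
        out = []
        while True:
            self._buf = self._buf.lstrip(b"\r\n")     # keep-alive CRLFs between messages
            end = self._buf.find(_HEADER_END)
            if end < 0:
                break                                # headers not complete yet
            m = _CONTENT_LENGTH.search(self._buf[:end])
            body_len = int(m.group(1)) if m else 0   # RFC 3261: absent means 0
            total = end + len(_HEADER_END) + body_len
            if len(self._buf) < total:
                break                                # body still arriving
            out.append(self._buf[:total])
            self._buf = self._buf[total:]
        return out

    @property
    def pending(self) -> bytes:
        """Bytes received so far that do not yet form a complete message."""
        return self._buf


# Constructed sample messages (hostnames and branch values are made up).
OPTIONS_MSG = (b"OPTIONS sip:lync.example.com SIP/2.0\r\n"
               b"Via: SIP/2.0/TCP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
               b"From: <sip:probe@example.com>;tag=1928301774\r\n"
               b"To: <sip:lync.example.com>\r\n"
               b"Call-ID: a84b4c76e66710\r\n"
               b"CSeq: 1 OPTIONS\r\n"
               b"Content-Length: 0\r\n\r\n")
MESSAGE_MSG = (b"MESSAGE sip:bob@example.com SIP/2.0\r\n"
               b"Via: SIP/2.0/TCP 10.0.0.5:5060;branch=z9hG4bK8ab1\r\n"
               b"From: <sip:alice@example.com>;tag=49583\r\n"
               b"To: <sip:bob@example.com>\r\n"
               b"Call-ID: b7c9e1f0a2d3\r\n"
               b"CSeq: 2 MESSAGE\r\n"
               b"Content-Type: text/plain\r\n"
               b"Content-Length: 5\r\n\r\n"
               b"hello")


def demo():
    """Deliver two messages in three TCP reads, the second cut mid-body.

    Returns how many complete messages each read yields: [0, 1, 1].
    """
    stream = OPTIONS_MSG + MESSAGE_MSG
    framer = SipStreamFramer()
    reads = [stream[:40], stream[40:-3], stream[-3:]]
    return [len(framer.feed(chunk)) for chunk in reads]


if __name__ == "__main__":
    print("messages completed per TCP read:", demo())
```

A receiver that treats each TCP read as one message (the UDP habit) will mis-parse as soon as two requests arrive back to back or a body straddles two reads; this framer keeps the unconsumed tail in `pending` and carries it into the next read.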

The SIP standard allows all three transports. Microsoft Lync supports only TCP and TLS, and uses TLS for all signalling connections between Lync clients and servers. For its server-to-server connections Lync uses a variant of TLS known as mTLS (mutual TLS), in which both ends of the connection present a certificate. TLS connections are established using certificates.

Most enterprises will want the flexibility to operate outside these constraints. The UM Labs Lync Connector establishes the same grade of connection to a Lync server as a standard Microsoft Lync client. It can connect to either the Lync Front End Server or the Edge Server, depending on network topology.

The connection is fully encrypted and authenticated. The Lync Connector also establishes authenticated and encrypted connections to the standard SIP hosted service or enterprise PBX, and then relays all calls, Instant Messaging and presence information between the Lync and standard SIP systems.

SIP Trunk Services

The majority of SIP trunk services provide only UDP for signalling; this makes it impossible to connect them directly to a Lync server. A small number of trunk providers offer TCP. While this allows the trunk to connect to a Lync server, the protection offered by TLS is lost. An even smaller number of SIP trunk services offer TLS, but their connectivity requirements may be incompatible with Lync.

Allowing TCP connections from an external service to a Lync server sacrifices a layer of security: the signalling, including any credentials and called numbers it carries, crosses the network in clear text.

Existing IP-PBX

Many organisations are deploying Lync to provide an internal IP-PBX service. The Lync system will need to connect to both hardware IP phones and softphones running on tablets or mobile devices. In most cases these deployments will coexist with an existing IP-PBX, or need to interconnect with an IP-PBX in another location. Lync's connectivity requirements make this difficult.

Mobile VoIP Clients and BYOD

Many enterprises have deployed VoIP clients on smartphones to enable enterprise mobility and to adopt a Bring Your Own Device (BYOD) policy. A number of 'VoIP apps' for smartphones and tablets allow those devices to connect over WiFi or a cellular data connection to the corporate IP-PBX and operate as extensions on that PBX. Many of these apps offer call encryption and also support IM and presence. Organisations implementing Lync will want to retain their investment in this area, particularly as the earlier Lync client for smartphones does not support direct VoIP calls (the Lync 2013 client added this in an update).

While most VoIP apps offer a choice of SIP transports and can therefore request a connection to a Lync server, there are a number of practical difficulties in connecting a non-Lync device to a Lync server:

• Even if the device supports TLS, it may not be possible or practical to meet Lync's strict mTLS requirements.
• Using TCP as a connection option means sacrificing a layer of security and leaves the Lync server open to a range of attacks, including a potentially expensive call fraud attack.
• It may not be feasible or practical to use Active Directory to authenticate users running non-Lync devices.
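Where Active Directory cannot be used for a non-Lync device, the standard alternative on the SIP side is the challenge/response scheme SIP inherits from HTTP Digest (RFC 3261 section 22), which is also what "authenticated" connections to a standard SIP PBX or hosted service usually mean in practice. The following is an added example written for this page, not UM Labs code: a registrar that stores only H(A1) per user, a client that answers the challenge, and verification with a single-use nonce so that a captured Authorization header cannot be replayed. The realm, user names and passwords in it are constructed.

```python
"""SIP Digest authentication for non-Lync devices (added example, not UM Labs code).

Shows the challenge/response scheme of RFC 3261 section 22 / RFC 2617:
the server never learns or stores the clear-text password, the client
proves knowledge of it by hashing it with a server-chosen nonce, and the
nonce is consumed on first use so a replayed header fails. Digest proves
identity only; it does not encrypt the signalling, so it belongs on a
TLS connection. Realm, users and passwords below are constructed.
"""
import hashlib
import hmac
import re
import secrets


def _md5(*parts: str) -> str:
    """MD5 over colon-joined fields, as RFC 2617 specifies (weak, but mandated)."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    nc="00000001", cnonce="", qop="auth"):
    """Client side: compute the 'response' field of an Authorization header."""
    ha1 = _md5(username, realm, password)
    ha2 = _md5(method, uri)
    if qop == "auth":
        return _md5(ha1, nonce, nc, cnonce, qop, ha2)
    return _md5(ha1, nonce, ha2)             # legacy mode without qop (RFC 2069)


_AUTH_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    """Turn 'Digest username="alice", realm="x", nc=00000001, ...' into a dict."""
    return {k: quoted or bare for k, quoted, bare in _AUTH_FIELD.findall(header)}


class SipRegistrar:
    """Server side: issues challenges and verifies responses without AD."""

    def __init__(self, realm):
        self.realm = realm
        self._ha1 = {}        # username -> H(A1); the clear password is never stored
        self._nonces = set()  # outstanding single-use nonces

    def add_user(self, username, password):
        self._ha1[username] = _md5(username, self.realm, password)

    def challenge(self):
        """Parameters for a 401 WWW-Authenticate header; the nonce is single-use."""
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method, params):
        """Check the fields of an Authorization header against a pending challenge."""
        required = ("username", "realm", "nonce", "uri", "response", "nc", "cnonce")
        if any(k not in params for k in required) or params["realm"] != self.realm:
            return False
        if params["nonce"] not in self._nonces:
            return False                       # unknown, expired or already used nonce
        self._nonces.discard(params["nonce"])  # consume it: a replayed header fails
        ha1 = self._ha1.get(params["username"])
        if ha1 is None:
            return False
        ha2 = _md5(method, params["uri"])      # binds the response to the SIP method
        expected = _md5(ha1, params["nonce"], params["nc"], params["cnonce"], "auth", ha2)
        return hmac.compare_digest(expected, params["response"])


def client_register(registrar, username, password, uri="sip:example.com"):
    """Simulate the round trip: 401 challenge, then the client's Authorization header."""
    chal = registrar.challenge()
    cnonce = secrets.token_hex(8)
    resp = digest_response(username, chal["realm"], password, "REGISTER", uri,
                           chal["nonce"], "00000001", cnonce, "auth")
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'response="%s", qop=auth, nc=00000001, cnonce="%s"'
            % (username, chal["realm"], chal["nonce"], uri, resp, cnonce))


if __name__ == "__main__":
    reg = SipRegistrar("example.com")
    reg.add_user("alice", "correct horse battery staple")
    hdr = client_register(reg, "alice", "correct horse battery staple")
    print("first attempt:", reg.verify("REGISTER", parse_authorization(hdr)))  # True
    print("replayed:     ", reg.verify("REGISTER", parse_authorization(hdr)))  # False
```

Two points a practitioner should take from this: the registrar's credential store holds only H(A1), so a compromised store does not directly yield passwords for other realms; and because H(A2) includes the method, a valid REGISTER response cannot be reused to authorise an INVITE, which is the call-fraud path the page warns about on unencrypted TCP links.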

The UM Labs Software Security Platform as a Service (SSPaaS) handles the security functions, including signalling and media encryption, on behalf of the back-end systems. Calls made via the service are decrypted and forwarded to a UC system acting as an IP-PBX. The IP-PBX is responsible for routing calls between handsets, for providing a voice mail service for handsets that are not currently reachable, and for implementing other functions including text messaging and, where required, conferencing with secure video. Because the UC system processes clear-text audio/video streams, it must be contained within a secure perimeter, with all connections to external services routed via the SSPaaS.

The UM-Labs 'Innovation in Security' showcase includes:

• Secure communications at the touch of a button from the desk or mobile
• Simple connectivity to legacy phone systems
• Secure SIP trunking for better ROI
• Secure voice/video for Bring Your Own Device
• Secure networking and community building with no 'eavesdropping'
• Secure virtual business applications for Unified Communications

The 'Innovation in Security' showcase is the world's first authentication and encryption Security Platform as a Service (SPaaS) for UC. It brings together 'Persona Management' and 'end-to-end encryption' across an enterprise voice network, allowing 21st century social business to be conducted in safety, protected from corruption or eavesdropping.

About UM-Labs

UM Labs is a pioneer and leader in security software services for cloud computing in the 21st century. We deliver advanced, innovative technology which addresses major issues of criminal activity and protects businesses large or small from fraud, disruption attacks and hacking attacks, while maintaining service between users. The unique aspect of the UM-Labs Platform as a Service is that it defends Unified Communications when using voice over IP/SIP, video and BYOD, and provides Persona Management for all mobile and tablet devices, while making existing legacy UC systems work together and thus protecting your existing investment.

The company markets a security service platform for the public cloud (SSaaS/PaaS) and a private cloud platform, which make connecting VoIP, video, BYOD and UC systems to the public Internet easy and secure. As a by-product of the architecture the platform also provides the enterprise with a data firewall, reducing the need for a separate one; it is therefore considered an 'all-in-one' cloud security solution.

UM-Labs, as a research centre, has proven the technology and developed it around 21st century cyber security needs, including cloud deployment and mobile usage. The team is made up of industry experts who have been major contributors to the current security and communications industry. Adopting UM-Labs Innovation in Security will allow for true integration across the business with single
