2Background & OverviewConnecting external devices (mobile/computers) to the corporate network raises security risks related the Active Directory exposure.Typically there is no control over apps installed on employees’ smartphones and the networks that these devices are connected to.LyncShield is a server side solution with not additional client install supporting all devices.The product is available on TMG or Bastion reverse proxy
3Security issues and solutions ProblemTwo Factor AuthenticationConnecting non authorized devicesAvoid AD credentials on device – dedicated log inActive Directory password leakageBlocking false authentication attempts in DMZ proxy before the Active DirectoryAccount lockout /DDoSAll the solutions are available for both mobile and external PC/ Laptops
4 - Two Factor authentication Based on Device ID sent by clientSeveral registration/ enrolment options to enforce access control policy based on matching the device and the user.
5Access Control – Enrollment Support several access control policies:Automatic Registration – Device ID is registered upon first use of account.Two steps registration process: Two Step Registration – User registers on internal site and then must sync within a defined time frame to complete registration.Admin Manual Enrollment – Admin management of user list using training mode and rejected auditing list.
10- AD credential protection approach Lync Shield introduces a new approach for protecting the Active Directory credentialsWith Lync Shield the connection to Lync is done by using dedicated Lync credentials that are created by the user rather than the regular network Active Directory credentialLync Shield completely eliminates the need to store Active Directory passwords on the device
11Active Directory dedicated login The user creates dedicated Lync credentials on a self service internal web site for use on device, instead of Active Directory credentials.
13Mobile Smart Card solution Many organizations that smart card for network login do not have a username and password for Active Directory.LyncShield allows the usage of Lync without the need to manage Active Directory credentials.With the dedicated login solution, the user logs into the Access Portal authenticating with his smart card from his network computer and creates dedicated SharePoint credentials for use on the mobile device.
14- Active Directory Account Lockout protection Account lockout can be the result of the following:The user changed the Active Directory password, but did not change the settings on the device.The username (without the password) being obtained by a hacker who tried to log in several timesDdos , Dos , brute force attacks- Such attacks can result in the network becoming unavailableLyncShield eliminates these threats by blocking the failed attempts on the gateway server side, before reaching the Active Directory
15Coming soon- RSA / ADFS / Office 365 RSA integrationUser will authenticate in a web site using RSAUser will need to connect device within short time (5 minutes for example) to complete registrationRSA Authentication will be valid for a limited configurable time (like one day).Two Factor Authentication for Office 365 / Device registrationSolution for using Lync with ADFS without breaking Exchange connectivitySolutions planned to be released by end of Q4, 2014
16Coming soon- - EWS Protector Exchange Web Service Protector is an independent product securing the Exchange services required for Lync meeting informationOffers currently:DDos protection/ account lockout protection for EWS authentication services (available)Two Factor Authentication (available)Password protection (using Lync credentials and not AD)- to be released soon (available)Filter by operations – allowing only meeting requests (soon)
17BastionReverse proxy forwarding traffic to the configured backend servers.Cross-platform- Windows / LinuxPluggable filtering architecture.Filters HTTP(S).Scalable Event-Driven Architecture.Can publish multiple servers in parallel.Highly efficient asynchronous architecture.Bi-directional content filtering.
18Bastion (cont) Geared towards full-featured HTTP filtering. Most reverse proxy solutions are geared towards web acceleration.Supports many HTTP features and scenarios.Chunked, gzip and deflate Transfer-Encodings.Pipelining.Supports filtering content, blocking content or generating proxy responses anytime during the filtering chain (unlike TMG and UAG).
19AGAT Security suite - Overview LyncShield and MobilityShield are part of AGAT’s Security suite.AGAT Security suite is a set of unique components that allow extending Forefront (ISA/TMG IAG/UAG) functionality to solve complex architectures and requirements, typically implemented in large, complex and well secured networks.The solution is also available on Bastion reverse proxy without the use of Forefront.
20To learn more about our solutions please visit our website at