
Product Suite for Secured Lync (Skype for Business) Connectivity

Key Features

  • Two Factor Authentication (TFA)
  • Active Directory (AD) password protection
  • Block DoS, DDoS & Brute-force attacks
  • Smart Card policy solution for mobile.
  • No additional client install required

Background

In today’s mobile enterprise, the need to connect smartphones and external devices to the corporate network is a vital business requirement. To protect their sensitive business data, mobile enterprises require easy-to-deploy tools that secure the connectivity of personal mobile and external devices with corporate Lync (Skype for Business) servers.

The widespread use of smartphones and other handheld devices has revolutionized the way in which we work, play and interact. Whether your company has adopted a Bring Your Own Device (BYOD) strategy or provides corporate mobile devices to its employees, these devices present a major information security threat, as they contain very sensitive data, which might fall into the wrong hands.

Employees who connect to the corporate network from home or from public non-managed networks increase the risk of data leaks and possible exposure of a user’s network credentials.

Moreover, since there is no control over the apps employees install on their smartphones, these devices are prone to malware infection.

Smartphones, desktop PCs and any other external device outside the organization can connect to Microsoft Lync server using the Lync client. While connected, sensitive information is being exposed, requiring the organization to take precautions. Many companies realize that securing Lync connectivity is as important as securing remote access, since smartphones and other mobile devices can be used as a tunnel into the corporate  network.

LyncShield is specifically designed to address the complex security needs of today’s mobile enterprise providing secure Lync connectivity from anywhere.

LyncShield Product Suite

Unlike most mobile security solutions, that focus on protecting the data stored on the mobile device through encryption strategies and containerization, LyncShield offers a new approach that eliminates the need to store Active Directory passwords on the device.

LyncShield interacts directly with the client – server Lync traffic. This innovative solution effectively controls who may connect to the network based not only on credentials but also on the device in use. Since LyncShield does not require any additional client installation, it is an ideal solution for organizations with a BYOD policy.

Architecture

The LyncShield product suite is specifically developed for Microsoft environments and integrates naturally with the Forefront TMG/ISA server family. As a server-side software solution, LyncShield can be easily and quickly installed on the relevant gateway and

Lync Access Control for Strong Authentication

Key Features:

  • Two-factor authentication using the mobile device as something you have and the password as something you know.
  • Self-service access portal to support two-step registration of users.
  • Admin auditing and control tools for approving devices
  • Multiple enrollment options
  • Device Registration Options

Lync Access Control supports various enrollment options:

Automatic Registration

– The device is registered when the user connects to Lync for the first time. Once registered, Lync Access Control verifies during subsequent synchronizations that the operation is in fact performed from the registered device. Any attempt to connect using the user’s credentials from a different device will be blocked automatically.

Two Step Registration

– This option is based on a tighter security approach, requiring the user to first register on a dedicated Access Portal and connect afterwards within a short period of time (defined in portal configuration) in order to complete the registration process.

Authentication can be performed against the user’s AD credentials or by using custom credentials that the user creates on the Access Portal (different from their AD credentials). The custom login option offers a higher level of security, as AD credentials are not stored on the mobile device, and is useful for supporting organizations that use smartcards for network access rather than username/password credentials.

Admin User Management and Auditing

LyncShield includes an admin website “Access Portal” for tracking the user registration process, approving blocked users, deleting users, changing registration site settings and more.

For enterprise installations with multiple domains, the admin site can be managed separately for each domain, allowing each helpdesk to manage the users in its domain.

LyncShield also offers the Lync Edge Access Control, which enables the safe connection of computers from outside the corporate network to the organization’s Lync server and prevents account lockout.

Connecting desktops, and especially laptops, to Lync services is also risky because this requires access to the Active Directory and exposes the organization to account lockout issues.

Lync Edge Access Control eliminates threats by blocking failed attempts at the Edge server side before they reach the Active Directory. This is done by configuring a block-failed login policy that blocks attack attempts from reaching the Active Directory. The policy includes a limited number of allowed failed attempts within a defined period.

Lync Edge Access Control can also secure the authentication. By using Lync Edge Access Control, the authentication can be configured to block NTLM and force certificate authentication, thus achieving a Two-Factor Authentication process for desktops and laptops outside the corporate network.

Benefits

  • Avoid using Active Directory credentials on mobile device / laptop
  • Block DoS, DDoS and Brute force attacks
  • Avoid account lockout.
  • Solution for Smart card login policy. Protects both Lync edge and gateway.

External devices represent a security threat to your corporate network. User credentials are stored and used on the device in public networks. Users also tend to install apps without knowing the source. This raises a few issues:

  • Your Active Directory username and password can be stolen and used to gain access to many core business applications.
  • Someone else could potentially access your Lync information.
  • Your Active Directory is exposed to DoS, DDoS and Brute-force attacks.

For these reasons, securing access control is essential.

Here are a few examples of how your organization can improve Lync connectivity security using the custom login feature in the Lync Access Control module:

Avoid Storing Active Directory Credentials on Device

Using the Active Directory credentials in the non-secure environment of a mobile device introduces risk. The exposed credentials could be stolen and used either to get access to your Lync information, such as contacts and calendar, or to log in to other corporate applications.

Mobile hacking is typically done in two ways: “Eavesdropping” on public networks, or hostile applications installed by users or received by SMS.

Smart Card Solution

Many organizations with high security requirements use smart cards or tokens for network login. In these networks, users do not have a username and password for Active Directory. Lync Access Control allows the usage of Lync without the need to manage Active Directory credentials. With LyncShield’s custom login solution, the user logs into the Access Portal, authenticates with his smart card from his network computer and creates dedicated Lync credentials for use on the mobile device, external laptop or desktop.

Restrict Lync to Corporate Devices

A special IP Filter (IPF) was developed in order to limit access to the organization’s Lync server to corporate devices only. The IPF can be applied at the registration stage or during the ongoing usage of Lync. Registration filtering controls which devices can complete the registration process, while ongoing filtering controls from which locations a connection is allowed.

By using our IPF, registration can be limited to a specific IP range that is accessible only from within the corporate network, thus blocking attempts to register a device without being able to join the corporate network.
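The registration flow described in this section and in the enrollment options above (automatic registration, two-step registration with a portal-defined time window, and an IP filter that only accepts registration from the corporate address range) can be modelled in a few lines. The following is an added example written for this page; it is not LyncShield code and does not reflect the product's real interfaces. The network ranges, the time window, the user names and device identifiers are all constructed for the example.

```python
"""Device registration with an IP filter and device binding (illustrative).

Added example, not LyncShield code. Models the two enrollment modes plus the
registration IP filter: a user's first connect binds the credentials to that
device, registration is only accepted from the corporate range, and every
later connect must come from the bound device (and, optionally, from an
allowed range). All ranges, names and values below are constructed.
"""
import ipaddress

# Assumed corporate address ranges from which registration is allowed.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.0.2.0/24")]
# Assumed portal-configured window for completing two-step registration.
TWO_STEP_WINDOW_SEC = 600


def in_range(ip, nets):
    """True if the textual IPv4/IPv6 address falls inside any of the networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


class DeviceRegistry:
    def __init__(self, mode="automatic", window=TWO_STEP_WINDOW_SEC,
                 registration_nets=None, ongoing_nets=None):
        if mode not in ("automatic", "two_step"):
            raise ValueError("mode must be 'automatic' or 'two_step'")
        self.mode = mode
        self.window = window
        self.registration_nets = registration_nets or CORPORATE_NETS
        self.ongoing_nets = ongoing_nets          # None: no location filter after registration
        self.bound = {}                           # user -> device_id bound at registration
        self.pending = {}                         # user -> expiry time of a portal pre-registration

    def portal_register(self, user, now):
        """Step one of two-step registration: the user visits the Access Portal."""
        self.pending[user] = now + self.window

    def connect(self, user, device_id, source_ip, now):
        """Evaluate one Lync connect; returns a short decision string."""
        device = self.bound.get(user)
        if device is not None:
            # Ongoing use: the credentials are only valid from the bound device ...
            if device != device_id:
                return "denied:other-device"
            # ... and, if configured, only from an allowed location.
            if self.ongoing_nets and not in_range(source_ip, self.ongoing_nets):
                return "denied:location"
            return "ok"
        # No binding yet, so this connect is a registration attempt.
        if not in_range(source_ip, self.registration_nets):
            return "denied:registration-outside-corporate-range"
        if self.mode == "two_step":
            expiry = self.pending.get(user)
            if expiry is None or now > expiry:
                return "denied:no-valid-portal-registration"
            del self.pending[user]
        self.bound[user] = device_id
        return "registered"


if __name__ == "__main__":
    reg = DeviceRegistry("two_step")
    reg.portal_register("alice", now=0)
    print(reg.connect("alice", "phone-1", "10.1.2.3", now=120))      # registered
    print(reg.connect("alice", "phone-1", "203.0.113.9", now=5000))  # ok (bound device, no ongoing filter)
    print(reg.connect("alice", "phone-2", "203.0.113.9", now=5001))  # denied:other-device
```

The important property is the ordering of the checks: the IP filter only gates the one-time registration, so a device that has been bound from inside the corporate network can later connect from anywhere, while an attacker who holds the credentials but not the bound device is refused before any password is even evaluated.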

Active Directory Account Lockout Guard

Account lockout can be a result of two scenarios:

  • A user has changed the Active Directory password but did not change the device settings, so the device keeps trying to authenticate with the old password.
  • An attacker that got hold of the username (without the password) tries to login several times.

Block DoS, DDoS attacks and brute force attacks

Publishing Lync to the Internet exposes your network to DoS, DDoS and brute force attacks. These can cause your network to become unavailable and cause significant business damage.

LyncShield blocks these attacks at the gateway level by configuring a block-failed-login policy, thus preventing the attack attempts from reaching the Active Directory.
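The block-failed-login policy described here, in the Lync Edge Access Control section (a limited number of allowed failed attempts within a defined period, enforced before the request reaches the Active Directory) and in the Account Lockout Guard section (a device retrying a stale password, or someone holding only the username) all rest on the same mechanism: a gateway-side failure counter with a window and a hold period. The code below is an added example written for this page, not LyncShield's implementation; the threshold, window and hold values, the stand-in directory check and the account names are constructed.

```python
"""Gateway-side block-failed-login policy (illustrative, not LyncShield code).

Assumed policy parameters (constructed for this example):
  MAX_FAILED  - failed attempts allowed per account inside the sliding window
  WINDOW_SEC  - length of the sliding window, in seconds
  HOLD_SEC    - how long the gateway refuses the account without consulting AD
The directory itself is represented by a plain callable passed in by the caller.
"""
from collections import defaultdict, deque

MAX_FAILED = 3
WINDOW_SEC = 300
HOLD_SEC = 900


class FailedLoginGuard:
    def __init__(self, verify_with_directory, max_failed=MAX_FAILED,
                 window=WINDOW_SEC, hold=HOLD_SEC):
        # verify_with_directory(user, password) -> bool stands in for the AD check.
        self.verify = verify_with_directory
        self.max_failed = max_failed
        self.window = window
        self.hold = hold
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.held_until = {}                 # user -> time at which the hold expires
        self.forwarded = 0                   # how many attempts actually reached the directory

    def _prune(self, user, now):
        """Drop failures that have aged out of the sliding window."""
        q = self.failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def attempt(self, user, password, now):
        """Process one login attempt; returns 'ok', 'failed' or 'blocked'."""
        # 1. Account currently held at the gateway: refuse without touching AD,
        #    so neither a stale device password nor a guessing attacker can
        #    push the directory's own lockout counter.
        until = self.held_until.get(user)
        if until is not None:
            if now < until:
                return "blocked"
            del self.held_until[user]
            self.failures[user].clear()
        # 2. Under the threshold: forward the credentials to the directory.
        self.forwarded += 1
        if self.verify(user, password):
            self.failures[user].clear()
            return "ok"
        # 3. Record the failure; trip the hold once the window threshold is hit.
        self._prune(user, now)
        self.failures[user].append(now)
        if len(self.failures[user]) >= self.max_failed:
            self.held_until[user] = now + self.hold
            return "blocked"
        return "failed"


if __name__ == "__main__":
    # Constructed scenario: a phone keeps retrying an old password every 10 s.
    guard = FailedLoginGuard(lambda u, p: p == "new-password")
    for t in (0, 10, 20, 30, 40):
        print(t, guard.attempt("alice", "old-password", now=t))
    print("attempts that reached the directory:", guard.forwarded)  # 3, not 5
```

The counter is keyed by account rather than by source address because the Active Directory lockout threshold is also per account; for the policy to actually prevent lockout, the gateway's allowed failures within its window must be set below the directory's lockout threshold, so that the directory never observes enough consecutive failures to lock the account.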

Secure remote access to corporate resources without Microsoft Forefront

  • Fully compatible with LyncShield’s product suite
  • High scalability and throughput
  • Standalone Gateway for LyncShield

Bastion is a lightweight, extensible and highly scalable reverse proxy server solution, which is focused on content filtering for HTTP(S) traffic. Bastion is designed to enable organizations that do not use Microsoft Forefront gateways to take advantage of the LyncShield product suite.

Bastion forwards traffic to the configured backend servers (e.g. Lync or internal website). By employing a pluggable filtering architecture, it can be easily extended to support any kind of filtering through filter modules.

Scalable Event-Driven Architecture

Bastion is designed as an event-driven server that uses asynchronous I/O, combined with multithreading, to respond to requests. This significantly reduces overhead compared with thread-driven synchronous I/O architectures. Accordingly, the event-driven architecture greatly enhances scalability, allowing Bastion to handle a higher number of concurrent TCP connections than process- or thread-driven reverse proxy servers.

Bastion can operate on both HTTP requests and responses. Requests and responses can be blocked, modified or left as is (if no filtering is needed). Since Bastion offers maximum HTTP protocol compatibility (beyond the common web usage subset), it can be used to filter almost any HTTP-based protocol, such as Lync traffic.
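The pluggable filtering architecture described in the three paragraphs above (filter modules that can block, modify or pass both requests and responses, run from an asynchronous event loop) is easiest to understand as a small pipeline. The following is an added example written for this page to illustrate that design; it is not Bastion's source code and does not use Bastion's module interface. The message classes, the three sample filters, the echo backend and the request values are all constructed for the example.

```python
"""Pluggable request/response filter chain in the style of a filtering reverse
proxy (illustrative; not Bastion's code or module interface).

Each filter sees the request on the way in and the response on the way out,
and may return it unchanged, modified, or the BLOCK sentinel. Filters are
coroutines and the chain runs on asyncio so many connections can be in
flight at once. Backend and sample values are constructed for this example.
"""
import asyncio
from dataclasses import dataclass, field

BLOCK = "block"  # sentinel returned by a filter to stop the exchange


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


class Filter:
    """Base filter: passes everything through untouched."""
    async def on_request(self, req):
        return req

    async def on_response(self, resp):
        return resp


class MaxBodySize(Filter):
    """Blocks requests whose body exceeds a byte limit (simple resource guard)."""
    def __init__(self, limit):
        self.limit = limit

    async def on_request(self, req):
        return BLOCK if len(req.body) > self.limit else req


class StripHeader(Filter):
    """Modifies the request: removes a header before it reaches the backend."""
    def __init__(self, name):
        self.name = name.lower()

    async def on_request(self, req):
        req.headers = {k: v for k, v in req.headers.items() if k.lower() != self.name}
        return req


class AddServerHeader(Filter):
    """Modifies the response on the way back to the client."""
    async def on_response(self, resp):
        resp.headers["Server"] = "gateway"
        return resp


async def handle(filters, req, backend):
    """Run one exchange: request filters, backend call, response filters."""
    for f in filters:
        req = await f.on_request(req)
        if req is BLOCK:
            return Response(403, {}, b"blocked by gateway filter")
    resp = await backend(req)
    for f in reversed(filters):
        resp = await f.on_response(resp)
        if resp is BLOCK:
            return Response(502, {}, b"response blocked by gateway filter")
    return resp


async def echo_backend(req):
    """Constructed stand-in for the published server: reports the header names it saw."""
    return Response(200, {"X-Seen-Headers": ",".join(sorted(req.headers))}, b"ok")


def process(filters, req, backend=echo_backend):
    """Synchronous entry point for a single request."""
    return asyncio.run(handle(filters, req, backend))


def process_many(filters, reqs, backend=echo_backend):
    """Handle several requests concurrently on one event loop; returns responses in order."""
    async def run_all():
        return await asyncio.gather(*(handle(filters, r, backend) for r in reqs))
    return asyncio.run(run_all())


if __name__ == "__main__":
    chain = [MaxBodySize(1024), StripHeader("X-Internal-Token"), AddServerHeader()]
    ok = Request("POST", "/lync", {"Host": "lync.example", "X-Internal-Token": "abc"}, b"x" * 10)
    too_big = Request("POST", "/lync", {"Host": "lync.example"}, b"x" * 2048)
    for resp in process_many(chain, [ok, too_big]):
        print(resp.status, resp.headers)
```

Request filters run in list order and response filters in reverse, so a filter that wraps the exchange sees both sides in the expected nesting; a filter that only needs one direction overrides just that method.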

LyncShield Architecture

About AGAT Software

AGAT Software, founded in 1999, began its operations as a Microsoft software development consulting firm. Today, the company focuses most of its efforts on web development, with special expertise in security applications and digital signature solutions.

Over the past few years, AGAT has developed three lines of products: AGSecurity suite, AGForms (web forms development and management infrastructure) and AGSign (digital signature solutions).

The AGSecurity suite includes several security products that address the complex network requirements of enterprises and large organizations. Many of the products in this suite are offered as an extension for Microsoft Forefront servers (ISA/IAG/TMG/UAG). The most recent addition to the AGSecurity suite, ActiveSync Shield, is designed to meet the complex ActiveSync security needs of today’s mobile enterprise.

AGAT’s customers consist of government offices, banks, insurance companies and large industrial corporations (including Fortune 500 companies).