Clear Touch CTI-OTHER-DNMT-V2 User guide

Brand
Clear Touch
Model
CTI-OTHER-DNMT-V2
Category
Networking
Type
User guide
Montage
Network &
Security Whitepaper
©DisplayNote Technologies 2017 1 displaynote.com
Montage Network & Security Whitepaper
Introduction
Montage is a wireless presentation solution allowing connected devices to share their screen
and video camera among those connected. Montage is a tailored solution available on
multiple platforms;
A hardware unit, based on CentOS 7.2, an enterprise grade Linux distribution derived
from the sources of Red Hat Enterprise Linux (RHEL). This provides the Montage
platform a secure, stable and manageable system in which to execute. Security has
been top priority in the design of this Montage platform where the operating system
runs a minimal installation with a very limited set of services running.
Windows software, available for Windows 8 and above. This allows for the Montage
software to be deployed securely across existing hardware.
Android software, available for Android 5.0 and above.
Note: features vary per platform
Infrastructure
All inbound and outbound data from our backend layer is encrypted and transmitted over
TLS or DTLS with 2048-bit asymmetric encryption and 256-bit symmetric encryption using
certificates from third party credited authorities. Network communication is protected
using the latest in technology to secure all video, audio and data. Using the TLS and DTLS
cryptography protocols, previously referred to as SSL, we provide protection using a 2048-
bit asymmetric key in conjunction with a 256-bit symmetric session key. More information
on network ports used can be found further within this document.
The backend tier provides four public services; REST API, XMPP and STUN / TURN.
We use a combination of both Azure and Amazon services to provide a resilient and
redundant backend whilst providing the lowest latency possible.
Azure
Azure's data centres are geographically dispersed and comply to ISO/IEC 27001:2005, SOC 1
and SOC 2
1
and have a CSA STAR certification
2
.
These data centres are managed and operated by Microsoft who have decades-long
experience building enterprise software and running some of the largest online services in
the world.
1
http://www.iso.org/iso/catalogue_detail?csnumber=42103
2
https://downloads.cloudsecurityalliance.org/star/certification/STAR-658377-Microsoft-Azure.pdf
©DisplayNote Technologies 2017 2 displaynote.com
Using Azure's Network Security Groups (NSG), access to virtual machines hosting our
services are limited to those ports configured within the NSG only. All our virtual machines
are located within the same virtual LAN and communication between virtual machines is via
private network interfaces behind the Azure firewall.
Application Servers
Application services
Montage Box Montage Client
Port 443 TLS
REST & WebSockets API
Port 443 HTTPS
XMPP
Port 443 TLS
STUN/TURN
Port 443 TLS
Port 443 TLS
Figure 1. Montage Architecture
Amazon AWS
We use also Amazon AWS to host and support the services we offer to our clients. Amazon
AWS is a well-known cloud service managed by Amazon, a trusted provider of cloud services
that offers geographical dispersion - allowing us to have a server closer to the end user,
which reduces latency in cloud connectivity.
All our cloud services running on Amazon AWS are running under a Virtual Private Cloud
(VPC) and each environment has its own virtual network protected by Amazon’s availability
zone and firewall.
©DisplayNote Technologies 2017 3 displaynote.com
Amazon AWS servers are geographically dispersed and have many certifications and third-
party assessments, including ISO/IEC 27001:2005, SOC 1 and SOC 2 and CSA STAR
certification
3
. Further information can be found in their security whitepaper
4
.
Montage features
The Montage software consumes a REST API provided by our SaaS layer which is credential
secured. All communication with the REST API and our XMPP services are over TLS (port 443)
with 2048-bit asymmetric encryption and 256-bit symmetric encryption. For video calls STUN
is used to establish a peer to peer connection. If this fails, then the client will attempt to use
our relay service using the TURN protocol.
In addition to DTLS encryption, we also encrypt data through Secure Real-Time Protocol,
which safeguards IP communications from hackers, so that your video and audio data is kept
private point to point.
Meeting ID and PIN
For each meeting a unique meeting ID is generated mediated from our SaaS layer which is
used as a means for the clients to connect to that specific meeting. If there is an Internet
connection, this meeting ID will be 6 digits long. If no Internet is available (or if force local
meetings’ is checked in settings) the Meeting ID will be 10 digits long. This 10 digit meeting
ID is generated using the device IP address, which enables connection from different subnets
on the same network.
If devices connect using the 6 digit meeting ID, connection is attempted locally, however if
this is not possible then the connection is made via XMPP.
The host can also specify a PIN which is configured at the box directly, and on each client
connecting would request confirmation of the PIN*. On connecting the screen of the
connected device is shared and the user can decide to continue sharing their screen and
adding web camera video and audio*.
(*Linux hardware box and Windows software only)
Cloud
If Montage has access to the Montage Cloud, then it will be able to allow devices connecting
to it from outside of its local network e.g. A Chromebook client on a remote network and a
Windows client connected on another network within your organisation, with voice and
video available if those devices are connected using the Montage Linux box or Montage
Windows Software. This can be restricted by deactivating access to the cloud in Montage
settings. The Montage hardware units can also function solely using their access point with
which connecting devices will be assigned an IP address.
3
https://d0.awsstatic.com/whitepapers/compliance/AWS_Certifications_Programs_Reports_Third-
Party_Attestations.pdf
4
https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
©DisplayNote Technologies 2017 4 displaynote.com
Updates
An Internet connection is required for updates. The updates are downloaded over a secure
connection (using port 443) and are installed on demand. A notification will appear in the
Montage user interface to indicate an available update that the user can install. Updates can
also be installed via USB drive connected to Montage if Internet cannot be made available.
Security
The clients and boxes are authenticated on our servers using a 4-step authentication process
with SASL
5
. At any time, administrators can remove a client or box from the authorised zone
temporarily and permanently.
All data transferred between the user's device and Montage is peer to peer (P2P) and is over
TLS or DTLS with 2048-bit asymmetric encryption and 256-bit symmetric encryption. If a P2P
connection fails to connect between the client and Montage, then the software will relay the
data via our TURN server over TLS TCP port 443.
Access Point and Wi-Fi
The Montage Linux unit offers an internal access point, secured with WPA2 with TKIP
encryption, allowing clients to connect directly to the box and in so creating a local network.
The box can be configured to allow these locally connected devices to have access to an
external network which would be cabled to the box.
The Montage Linux unit can also connect as a Wi-Fi client to an external Access Point and
network. See Figure 2. If the unit is also cabled to a network, then the two interfaces can
also be optionally bridged if access between the two networks is needed.
5
https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer
©DisplayNote Technologies 2017 5 displaynote.com
Wired connection to network
(Optionally bridged in software
with Wireless interface)
Montage
Wireless 2.4 GHz/5 GHz
Secured WPA/TKIP
Wireless Access Point
Wireless network, guest
or corporate network
Figure 2. Montage Box connected as Wi-Fi client
For Airplay Mirroring and Airplay Video the box publishes services on the connected networks
using Zero-configuration networking
6
.
6
https://en.wikipedia.org/wiki/Zero-configuration_networking
©DisplayNote Technologies 2017 6 displaynote.com
SaaS
PC, MacBook
Or Chromebook
Signaling, camera and
screen sharing via
Port 443 TLS
Signaling via
Port 443 TLS
PC, MacBook
Or Chromebook
Montage
Camera and Screen
shared via DTLS
PC, MacBook
Or Chromebook
Signaling via
Port 443 TLS
Configured DHCP
or Static IP
PC, MacBook
Or Chromebook
Signaling, camera and
screen sharing via
Port 443 TLS
Figure 3. Network architecture of Montage, internal and external connections.
In a typical configuration Montage is connected to an existing network infrastructure, either
using a static IP or DHCP. Clients can connect either via the access point on the Montage
unit or via the existing network infrastructure. When connected locally then signalling data
is communicated over port 443 TLS and video and audio over DTLS. When the client is
connected from a remote network then all signalling, video and audio data are relayed via
our SaaS tier via port 443 TLS. See Figure 3.
Firewall and Proxy
Firewall
For remote connections, receiver and clients need to be able to access the Internet
through these ports;
TCP 80
TCP 443
UDP 53
For local connections (i.e. clients on the same network or connecting through
Montage Access Point) the following ports are used;
TCP 1-65535 (It will be selected from available ones)
©DisplayNote Technologies 2017 7 displaynote.com
UDP 1025 65535
TCP 4700, 7000, 7100 (For Airplay connections)
If there is Layer 7 filtering or proxy with protocol filtering on these ports then the following
protocols will need to be allowed;
HTTP
HTTPS
DTLS
XMPP
Bonjour protocols
SRTP
DNS
STUN
TURN
ICE
Our SaaS provides services at the following FQDNs;
netcheck.joinmontage.com
montage.displaynote.com
xmpp.displaynote.com
stunturn-prod-ireland.displaynote.com
stunturn-prod-mumbai.displaynote.com
stunturn-prod-singapore.displaynote.com
stunturn-prod-virginia.displaynote.com
stunturn-prod-california.displaynote.com
Proxy support
The Montage Linux box and Windows software support proxy configuration. The following
proxy types are supported;
HTTP Proxy (with or without authentication)
SOCKS 5 (with or without authentication)
Proxy with Auto-Configuration File (PAC) (with or without authentication)
System proxy - to inherit proxy settings from Windows
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9

Clear Touch CTI-OTHER-DNMT-V2 User guide

Brand
Clear Touch
Model
CTI-OTHER-DNMT-V2
Category
Networking
Type
User guide
Download PDF
report

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI

Other documents