Webex Calling Cloud Security and Media Path Optimization

03 Aug 2023

Prepared by: Semih Tığlı – Presales Architect

As Webex Calling continues to expand rapidly, addressing security concerns and optimizing latency and bandwidth usage remain top priorities for Cisco. With end-to-end encryption, your data is protected using keys exclusive to you, while RTP traffic is routed through the shortest possible path, keeping communication both fast and secure.

For organizations planning to adopt a hybrid architecture or fully migrate to the cloud, security and traffic efficiency are the foremost considerations. In this article, we will provide detailed insights into these critical aspects.

Keep Your RTP Traffic Local with Webex Calling

Cisco Webex Calling is a cloud-based communication service, and typically, real-time data such as voice traffic is processed within Cisco’s cloud infrastructure. However, in certain scenarios, users may prefer to keep RTP traffic within their local network.

To achieve this, Cisco Unified Border Element (CUBE) is used as a gateway that routes and processes communication traffic locally. CUBE acts as a Customer Premises Equipment (CPE) device, allowing RTP traffic to remain within the local network instead of being routed to the cloud.

However, specific network requirements and configurations are necessary to maintain RTP traffic locally. These requirements involve properly setting up the CUBE device and integrating it with the Webex Calling solution to ensure seamless communication.

Optimize Media Path with ICE

ICE (Interactive Connectivity Establishment) is a protocol that determines the optimal path for media traffic in real-time communication applications such as VoIP or video conferencing.

In addition to routing local traffic through CUBE, you can leverage ICE Lite-supported CUBE Gateways to optimize media paths. This ensures that media traffic flows exclusively between devices, reducing latency and improving overall communication efficiency.

ICE (Interactive Connectivity Establishment) allows establishing a direct connection between two devices by bypassing obstacles such as NAT (Network Address Translation) devices and firewalls on the network. ICE optimizes network performance and quality while directing media traffic in the best possible way.

ICE consists of two main components:

  • STUN (Session Traversal Utilities for NAT): Used to determine which IP address a device is using behind a NAT or firewall.
  • TURN (Traversal Using Relays around NAT): Utilizes a reliable third-party server to transmit media traffic between two devices. If a direct connection cannot be established or there is a NAT obstacle, media traffic is routed through the TURN server.

ICE uses a series of algorithms and methods to determine the best path for media traffic transmission. This is essential for overcoming obstacles on the network, ensuring optimal performance, and minimizing latency. While ICE prefers to transmit media traffic directly between devices, if obstacles like NAT or firewalls are encountered, it can securely transmit media traffic using the TURN server.
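The preference for direct paths over TURN described above follows from the candidate and pair priority formulas in RFC 8445. The Python sketch below is an added example, not Cisco or Sekom code; the SDP lines, the documentation-range addresses and the `reachable` callback that stands in for STUN connectivity checks are constructed for illustration.

```python
import re
from itertools import product

# Type preferences recommended by RFC 8445, section 5.1.2.2.
TYPE_PREF = {"host": 126, "prflx": 110, "srflx": 100, "relay": 0}
CAND_RE = re.compile(r"a=candidate:\S+ (\d+) \S+ (\d+) (\S+) (\d+) typ (\w+)")

# Constructed sample SDP fragments (documentation address ranges only).
LOCAL_SDP = """\
a=candidate:1 1 UDP 2130706431 192.0.2.10 50000 typ host
a=candidate:2 1 UDP 1694498815 198.51.100.7 61000 typ srflx raddr 192.0.2.10 rport 50000
a=candidate:3 1 UDP 16777215 203.0.113.5 49152 typ relay raddr 198.51.100.7 rport 61000
"""
REMOTE_SDP = "a=candidate:1 1 UDP 2130706431 192.0.2.20 8000 typ host\n"  # ICE Lite peer: host only

def parse_candidates(sdp):
    """Extract component, priority, address, port and type from a=candidate lines."""
    return [{"component": int(c), "priority": int(p), "addr": a,
             "port": int(port), "type": t}
            for c, p, a, port, t in CAND_RE.findall(sdp)]

def candidate_priority(typ, component, local_pref=65535):
    """RFC 8445: 2^24 * type preference + 2^8 * local preference + (256 - component)."""
    return (TYPE_PREF[typ] << 24) + (local_pref << 8) + (256 - component)

def pair_priority(g, d):
    """g is the controlling agent's candidate priority, d the controlled agent's."""
    return (min(g, d) << 32) + 2 * max(g, d) + (1 if g > d else 0)

def ranked_pairs(local, remote):
    """Same-component pairs, most preferred first; local is the controlling agent."""
    pairs = [(l, r) for l, r in product(local, remote)
             if l["component"] == r["component"]]
    return sorted(pairs, key=lambda lr: pair_priority(lr[0]["priority"],
                                                     lr[1]["priority"]), reverse=True)

def select_path(pairs, reachable):
    """Return the local candidate type of the first pair whose check succeeds."""
    for l, r in pairs:
        if reachable(l, r):  # stands in for a STUN connectivity check
            return l["type"]
    return None

if __name__ == "__main__":
    pairs = ranked_pairs(parse_candidates(LOCAL_SDP), parse_candidates(REMOTE_SDP))
    print(select_path(pairs, lambda l, r: True))                  # open network
    print(select_path(pairs, lambda l, r: l["type"] == "relay"))  # direct paths blocked
```

When reviewing call traces, a selected pair of type `relay` on a site that should keep media local is a sign that firewall or NAT policy is blocking the direct candidates.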

ICE is supported by many real-time communication protocols, such as WebRTC (Web Real-Time Communication) and SIP (Session Initiation Protocol). These protocols can use ICE to direct media traffic in the best way and establish a direct connection between devices.

In real-time communication applications, ICE enables better performance, lower latency, and improved quality.

Use Exclusive Keys with Key Management Server

Cisco Webex KMS (Key Management Service) is a security service used in Cisco Webex products like Webex Meetings and Webex Teams to handle data encryption and key management.

Overview of how Cisco Webex KMS works:

  • Key Management: Cisco Webex KMS is used to manage and distribute encryption keys for users. During the key management process, KMS generates, rotates, stores, and distributes keys. It securely stores users’ private keys and transmits them to authorized devices using secure protocols.
  • Encryption and Decryption: KMS manages data encryption and decryption processes within Webex services. For example, audio and video data in Webex Meetings is encrypted by KMS and transmitted securely. On the receiving end, the data is decrypted using the correct key, ensuring secure data transmission and protection against unauthorized access.
  • Secure Key Storage: KMS securely stores encryption keys without storing them on devices, making them more resistant to physical or virtual attacks. By securely managing and storing keys, KMS ensures data security for users.
  • Key Rotation: KMS performs regular key rotation, ensuring that encryption keys are periodically renewed to maintain security. Key rotation involves decommissioning old keys and implementing new ones, preventing unauthorized access.
  • Authorization and Access Control: KMS enforces security controls for the authentication and authorization of users and devices. Access to encryption keys and their usage is subject to authorization policies, ensuring data security through strict access control measures.

When KMS (Key Management Service) is used, the traffic between the Webex application (webexapp) and the endpoint (device) can proceed as follows:

  • Before communication begins, encryption keys must be shared between the Webex application and the endpoint. KMS facilitates secure key management and distribution, ensuring that the keys are safely shared.
    The Webex application and the endpoint can periodically rotate the encryption keys. This is a crucial security step, as regularly updating keys enhances security and protects against potential threats.
  • During communication, data such as audio, video, or other media transmitted by the Webex application is encrypted. This encrypted data is then decrypted on the endpoint, converting it back to its original form. The encryption and decryption processes are determined by the specific encryption algorithms and keys used.
    Media traffic (audio, video) between the Webex application and the endpoint is typically routed through the most direct path possible. This is vital for minimizing latency and maintaining communication quality. KMS assists in establishing direct connections by overcoming network obstacles such as NAT (Network Address Translation) and firewalls.
  • While KMS is crucial for key management and security, it does not directly handle the transmission of traffic between the Webex application and the endpoint. KMS ensures key security and management, while real-time data traffic is transmitted directly between the application and the endpoint.

In conclusion, with Cisco Webex KMS, you can secure end-to-end communication using your own encryption keys. In today’s world, cloud systems and hybrid architectures offer organizations significant advantages in terms of productivity and efficiency. Transitioning to these architectures is seen as essential for staying competitive and increasing productivity. However, ensuring communication security during these transitions remains a top priority.

Cisco, as a well-established provider of security solutions, has extensive expertise in identifying and addressing security vulnerabilities. This expertise has been effectively integrated into Webex solutions, providing robust security for all communication.

To learn more about our expertise in unified communications and to get in touch with us, visit our expertise page.
