Cisco+ Secure Connect - Solution Overview
Overview
Cisco+ Secure Connect securely connects users working anywhere to any application, including private applications hosted in your data center or in a private cloud, or public SaaS applications. The solution integrates both client-based and clientless remote worker access, native Cisco Meraki® SD-WAN and Cisco SD-WAN (Viptela) connectivity, and comprehensive cloud-based security capabilities into one subscription.
This section reviews some of the key components of the solution. Note that certain functionality is dependent on the Cisco+ Secure Connect package purchased. More info the packages can be found here.
Secure Remote Access
Cisco+ Secure Connect provides secure access to private network destinations and applications for remote workers via client-based tunnels using the Cisco Secure Client, formerly Cisco AnyConnect, and clientless per-app access using any browser. The following explains the difference between client-based and clientless remote access solutions.
Client-based Access
Overview
With client-based access, the Cisco Secure Client which is installed on the user’s device, establishes Datagram Transport Layer Security (DTLS) tunnel to the Cisco+ Secure Connect cloud. Client-based access supports all ports and protocols making it ideal for non-web-based apps or applications that require an agent or application running on the end device. Deployment and ongoing management of Cisco Secure Client software can be simplified by using the Cisco SecureX management platform. (SecureX only supports the only Windows client at this time)
When the tunnel is active, the user’s traffic is routed through the Cloud-delivered Firewall where network access policies can control access to private applications and resources. In addition, endpoint posture policies can be applied to ensure only compliant devices can connect to the network.
Traffic Steering
Cisco Secure Client supports traffic steering also known as split tunneling. Traffic steering rules are either inclusion-based or exclusion-based to determine what traffic is sent (inclusion) or not sent (exclusion) through Cisco+ Secure Connect tunnel.
Protecting Clients When Tunnel is not Active
When the tunnel is not active, the Cisco Secure Client with the Umbrella Roaming Security Module has the option to send web traffic to Cisco+ Secure Connect for enhanced internet security for web-based applications.
Clientless ZTNA Access (Browser Access)
Clientless Zero Trust Network Access (ZTNA) allows you to leverage a web browser for remote access to private web-based applications without requiring users to install the Cisco Secure Client on their devices or creating special inbound rules on your on-premises firewall. Clientless access addresses situations where it might not be feasible or desirable to install the Cisco Secure Client on a remote user’s device.
To access an application, the user connects to the Cisco+ Secure Connect ZTNA reverse proxy using a unique URL that is created by Cisco+ Secure Connect for each application. Both the user and device are verified and validated by a Browser Access Policy (BAP) on a per-session basis before access is permitted to an application.
Controlling Network Access to Private Applications
Traditionally, users with access to the network can reach any application or resource connected to the network, making those applications vulnerable to attacks. With Secure Connect, administrators can take security a step further by preventing users from reaching the application by restricting network access. Access can be controlled in two complimentary ways:
- Create network or browser access policies to control access based on user's identity or associate group. Identity-based policies require SAML authentication through your Identity Provider (IdP). If you don't have an IdP, you can use Meraki Cloud Auth as your IdP.
- Set up endpoint posture profiles to grant or deny access to applications based on device-specific criteria such as:
- Client-based
- Operating Systems (OS) type and version
- OS firewall status
- Antivirus-malware software status
- Disk encryption status
- Client-less
- Operating Systems (OS) type
- Browser type and version
- Location information based on IP address
- Client-based
Secure Internet Access
Cisco+ Secure Connect acts as your secure onramp to the Internet and provides the first line of defense. Internet-bound traffic from users, applications and IoT devices located in the office and remote users with the Cisco Secure client is sent to the Cisco+ Secure Connect Cloud where both outbound and inbound traffic is inspected.
Using multiple services to detect threats and enforce policies, Cisco+ Secure Connect provides a customizable approach to how you secure your network from internet-based threats. Being cloud-based, the system receives real-time threat updates from the Cisco Talos Intelligence Group, the largest private security threat intelligence organization in the world.
Below is a brief description of each service that is part of the Cisco+ Secure Connect Secure Internet Access solution.
DNS Security
DNS-layer security blocks name resolution requests to malicious domains before a connection is even established — stopping threats over any port or protocol before they reach your network or endpoints. In addition, internet usage policies can be enforced using Cisco Umbrella’s 85+ category-based content filters to create custom allow/block lists of websites with unwanted content.
Cloud-delivered Firewall
The Cloud-delivered Firewall (CDFW) a layer 3, 4 and 7 firewall to protect traffic across all ports and protocols without performance degradation. All traffic coming into Cisco+ Secure Connect from sites and client-based VPN comes in through CDFW where layer 3 and 4 access policies can be applied. Depending on the destination, CDFW will then route the traffic to:
- Private Application traffic or traffic going between sites will be sent to the Secure Connect interconnect fabric. (See Site Interconnect for more information.)
- Internet-bound web traffic (tcp port 80/443) is routed to the Secure Web Gateway for further inspection.
- Non-web internet-bound traffic will stay in CDFW where it goes through the layer 7 application visibility and control and Intrusion Prevention Systems processes.
The Intrusion Prevention System (IPS), based on SNORT 3 technology, uses signature-based detection to examine network traffic flows and take automated actions to catch and drop dangerous packets before they reach their target. An IPS capability is only as effective as the cyber attack dictionaries. Cisco+ Secure Connect IPS uses an extensive database of signatures (40,000+ and growing) from the Cisco Talos Intelligence Group.
Secure Web Gateway
The Secure Web Gateway (SWG) specifically protects web traffic over ports 80/443. SWG proxy all of your web traffic for greater visibility and control. It enables you to log all activity, inspects web traffic to protect against viruses and malware, and enforce acceptable internet use policies. Files are scanned and known bad items blocked. New or suspicious files can be routed to a sandbox for deeper inspection and retrospective alerts can be generated if a file starts to display bad behavior. SWG can utilize the Microsoft API to route the appropriate O365 traffic directly to the nearest Microsoft data center to maximize performance.
Cloud Access Security Broker
The typical organization is only aware of a small fraction of its overall cloud activity. Cloud Access Security Broker (CASB) provides the ability to detect and report on cloud applications in use across your organization. For discovered apps, view details on the risk level and block or control usage to better manage cloud adoption and reduce risk.
Data Loss Prevention
Data Loss Prevention (DLP) is part of CASB. The DLP function scans in all outbound web traffic and blocks sensitive data in it from leaving your organization or being exposed to malicious attackers in the cloud. Cisco+ Secure Connect support two type of rules - Real Time and SaaS API-based. Real Time DLP rules inspect the web traffic that traverses the proxy and extend support for all cloud applications. SaaS API-based rules scan data at rest in the cloud using APIs for Microsoft 365 and other select SaaS applications.
Site Interconnect
Network Interconnect provides intelligent routing between sites connected to Cisco+ Secure Connect. Meraki SD-WAN sites connected to the Cisco+ Secure Connect network fabric's closest Region and sites connected via IPSec VPN seamlessly gain access to any already-connected nodes with an added benefit of applied CDFW network access policies to control access to private applications and resources. This drastically reduces the network complexity, providing a highly available network fabric with minimal setup and maintenance.
Note: Cisco SD-WAN sites are interconnected through the Cisco SD-WAN fabric and not the Cisco+ Secure Connect fabric. Cisco SD-WAN integration with Cisco+ Secure Connect is for Secure Internet Access and Remote Access only.
Pre-onboarding Checklist
Setting up Cisco+ Secure Connect will require some information about your network and application. To streamline the setup process, it is recommended to go through the Cisco+ Secure Connect Pre-onboarding Checklist, which can be found here.