Cisco Meraki Documentation

Cisco Secure Connect - Solution Overview

Overview

Cisco Secure Connect securely connects users working anywhere to any application, including private applications hosted in your data center or in a private cloud, or public SaaS applications. The solution integrates both client-based and clientless remote worker access, native Cisco Meraki® SD-WAN and Cisco SD-WAN (Viptela) connectivity, and comprehensive cloud-based security capabilities into one subscription.

This section reviews some of the key components of the solution. Note that certain functionality depends on the Secure Connect package purchased. More information on the packages can be found here.

Secure Remote Access

Secure Connect provides secure access to private network destinations and applications for remote workers via client-based tunnels using the Cisco Secure Client, formerly Cisco AnyConnect, and clientless per-app access using any browser. The following explains the difference between client-based and clientless remote access solutions.

Client-based Access 

Overview

With client-based access, Secure Client, which is installed on the user’s device, establishes a Datagram Transport Layer Security (DTLS) tunnel to the Secure Connect cloud. Client-based access supports all ports and protocols, making it ideal for non-web-based apps or applications that require an agent or application running on the end device. Deployment and ongoing management of Secure Client software can be simplified by using the Cisco SecureX management platform. (SecureX supports only the Windows client at this time.)

When the tunnel is active, the user’s traffic is routed through the Cloud Firewall where network access policies can control access to private applications and resources. In addition, endpoint posture policies can be applied to ensure only compliant devices can connect to the network.

[Figure 1: Remote Access]

Traffic Steering

Secure Client supports traffic steering, also known as split tunneling. Traffic steering rules are either inclusion-based or exclusion-based and determine which traffic is sent (inclusion) or not sent (exclusion) through the Secure Connect tunnel.

[Figure 2: Remote Access with Traffic Steering]

Protecting Clients When Tunnel is not Active

When the tunnel is not active, Secure Client with the Umbrella Roaming Security Module has the option to send web traffic to Secure Connect for enhanced internet security for web-based applications. 

[Figure 3: Roaming Module]

Clientless ZTNA Access (Browser Access)

Clientless Zero Trust Network Access (ZTNA) allows you to leverage a web browser for remote access to private web-based applications without requiring users to install Secure Client on their devices or creating special inbound rules on your on-premises firewall. Clientless access addresses situations where it might not be feasible or desirable to install Secure Client on a remote user’s device.

To access an application, the user connects to the Secure Connect ZTNA reverse proxy using a unique URL that is created by Secure Connect for each application.  Both the user and device are verified and validated by a Browser Access Policy (BAP) on a per-session basis before access is permitted to an application.

[Figure 4: ZTNA]

Controlling Network Access to Private Applications

Traditionally, users with access to the network can reach any application or resource connected to the network, making those applications vulnerable to attacks. With Secure Connect, administrators can take security a step further by restricting network access so that users cannot reach applications they are not authorized to use. Access can be controlled in two complementary ways:

  1. Create network or browser access policies to control access based on the user's identity or associated group. Identity-based policies require SAML authentication through your Identity Provider (IdP). If you don't have an IdP, you can use Meraki Cloud Auth as your IdP.
  2. Set up endpoint posture profiles to grant or deny access to applications based on device-specific criteria such as:
    • Client-based
      • Operating system (OS) type and version
      • OS firewall status
      • Antivirus/anti-malware software status
      • Disk encryption status
    • Clientless
      • Operating system (OS) type
      • Browser type and version
      • Location information based on IP address
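To make the posture model above concrete, here is an added example (not Cisco's code or schema) that evaluates a device report against a hypothetical posture profile. It assumes the profile and report shapes shown in the comments, and shows why the client-based and clientless criteria differ: a browser session can only be judged on OS type, browser and IP-derived location, while Secure Client can also report OS version, firewall, anti-malware and disk-encryption state.

```python
from dataclasses import dataclass
def parse_version(v: str) -> tuple:
    # "10.15.7" -> (10, 15, 7): compare numerically, not as strings ("9" > "10" lexically)
    return tuple(int(p) for p in v.split("."))

@dataclass
class PostureProfile:
    # Hypothetical profile (assumed shape, not the product's schema); "" minimum = any version.
    allowed_os: dict                       # OS name -> minimum version (version checked client-based only)
    require_firewall: bool = False         # client-based only
    require_antimalware: bool = False      # client-based only
    require_disk_encryption: bool = False  # client-based only
    allowed_browsers: dict = None          # clientless only: browser -> minimum version
    allowed_countries: set = None          # clientless only: IP-derived location

def below_minimum(reported: str, minimum: str) -> bool:
    return bool(minimum) and parse_version(reported or "0") < parse_version(minimum)

def evaluate_posture(profile: PostureProfile, device: dict, clientless: bool) -> list:
    # Returns the failed checks; an empty list means the session may be granted access.
    failures = []
    os_name = device.get("os")
    if os_name not in profile.allowed_os:
        failures.append(f"OS {os_name!r} not permitted")
    if clientless:
        # Browser access can only observe OS type, browser and source-IP location.
        browser = device.get("browser")
        if profile.allowed_browsers is not None:
            if browser not in profile.allowed_browsers:
                failures.append(f"browser {browser!r} not permitted")
            elif below_minimum(device.get("browser_version"), profile.allowed_browsers[browser]):
                failures.append(f"browser version {device.get('browser_version')} too old")
        if profile.allowed_countries is not None and device.get("country") not in profile.allowed_countries:
            failures.append(f"location {device.get('country')!r} not permitted")
    else:
        # Secure Client also reports the OS version and the host's security state.
        if os_name in profile.allowed_os and below_minimum(device.get("os_version"), profile.allowed_os[os_name]):
            failures.append(f"OS version {device.get('os_version')} too old")
        if profile.require_firewall and not device.get("firewall_enabled"):
            failures.append("OS firewall disabled")
        if profile.require_antimalware and device.get("antimalware") != "running":
            failures.append("anti-malware not running")
        if profile.require_disk_encryption and not device.get("disk_encrypted"):
            failures.append("disk not encrypted")
    return failures

# Constructed sample profiles (not real policy data).
CLIENT_PROFILE = PostureProfile({"windows": "10.0", "macos": "13.0"}, True, True, True)
BROWSER_PROFILE = PostureProfile({"windows": "", "macos": "", "ios": ""},
                                 allowed_browsers={"chrome": "110.0", "safari": ""}, allowed_countries={"US", "CA"})
```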

Secure Internet Access

Secure Connect acts as your secure on-ramp to the Internet and provides the first line of defense. Internet-bound traffic from users, applications and IoT devices located in the office, along with traffic from remote users with Secure Client installed, is sent to the Secure Connect cloud, where both outbound and inbound traffic is inspected.

Using multiple services to detect threats and enforce policies, Secure Connect provides a customizable approach to how you secure your network from internet-based threats. Being cloud-based, the system receives real-time threat updates from the Cisco Talos Intelligence Group, the largest private security threat intelligence organization in the world.

Below is a brief description of each service that is part of the Secure Internet Access solution. 

[Figure 5: Secure Internet Access]

DNS Security

DNS-layer security blocks name resolution requests to malicious domains before a connection is even established — stopping threats over any port or protocol before they reach your network or endpoints. In addition, internet usage policies can be enforced using Cisco Umbrella’s 85+ category-based content filters to create custom allow/block lists of websites with unwanted content.

Cloud Firewall

The Cloud Firewall is a layer 3, 4 and 7 firewall that protects traffic across all ports and protocols without performance degradation. All traffic coming into Secure Connect from sites and client-based VPN enters through the Cloud Firewall, where layer 3 and 4 access policies can be applied. Depending on the destination, the Cloud Firewall then routes the traffic as follows:

  • Private application traffic and traffic between sites is sent to the Secure Connect interconnect fabric. (See Site Interconnect for more information.)
  • Internet-bound web traffic (TCP port 80/443) is routed to the Secure Web Gateway for further inspection.
  • Non-web internet-bound traffic stays in the Cloud Firewall, where it goes through layer 7 application visibility and control and the Intrusion Prevention System.
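The following added example (not Cisco's code; the rule and steering shapes are assumed) models the path a client-originated flow takes through the stages described in this section and under Traffic Steering above: the split-tunnel decision on the client, then the Cloud Firewall layer 3/4 policy, then the hand-off to the interconnect fabric, the Secure Web Gateway, or layer 7 inspection with IPS. It is useful when reasoning about which policy engine will see a given flow.

```python
import ipaddress

# Constructed sample configuration (assumed shapes, not the product's schema).
PRIVATE_APP_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12")]
# Traffic steering: "include" sends only matching prefixes through the tunnel,
# "exclude" sends everything except matching prefixes through it.
STEERING = {"mode": "exclude", "prefixes": [ipaddress.ip_network("203.0.113.0/24")]}
# Layer 3/4 Cloud Firewall rules, evaluated first-match. The closing allow-all is only
# for illustration; a production policy would normally end in a default deny.
L34_RULES = [
    {"dst": "10.10.0.0/16", "proto": "tcp", "dport": 3389, "action": "deny"},
    {"dst": "0.0.0.0/0", "proto": "any", "dport": None, "action": "allow"},
]

def _matches(rule: dict, dst, proto: str, dport: int) -> bool:
    return (dst in ipaddress.ip_network(rule["dst"])
            and rule["proto"] in ("any", proto)
            and rule["dport"] in (None, dport))

def tunnel_carries(dst) -> bool:
    # Split-tunnel decision made on the client before anything is sent to the cloud.
    hit = any(dst in p for p in STEERING["prefixes"])
    return hit if STEERING["mode"] == "include" else not hit

def route_flow(dst_ip: str, proto: str, dport: int) -> str:
    # Returns the stage where a client-originated flow ends up, following the text above.
    dst = ipaddress.ip_address(dst_ip)
    if not tunnel_carries(dst):
        return "local-breakout"              # never enters Secure Connect
    for rule in L34_RULES:                   # Cloud Firewall L3/L4 policy, first match wins
        if _matches(rule, dst, proto, dport):
            if rule["action"] == "deny":
                return "dropped-by-cloud-firewall"
            break
    if any(dst in p for p in PRIVATE_APP_PREFIXES):
        return "interconnect-fabric"         # private app or site-to-site traffic
    if proto == "tcp" and dport in (80, 443):
        return "secure-web-gateway"          # web traffic handed to the SWG proxy
    return "cloud-firewall-l7-ips"           # other internet traffic: layer 7 AVC and IPS
```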

The Intrusion Prevention System (IPS), based on SNORT 3 technology, uses signature-based detection to examine network traffic flows and take automated action to catch and drop dangerous packets before they reach their target. An IPS is only as effective as its signature database. Secure Connect IPS uses an extensive database of signatures (40,000+ and growing) from the Cisco Talos Intelligence Group.

Secure Web Gateway

The Secure Web Gateway (SWG) specifically protects web traffic over ports 80/443. SWG proxies all of your web traffic for greater visibility and control. It enables you to log all activity, inspect web traffic to protect against viruses and malware, and enforce acceptable internet use policies. Files are scanned and known bad items are blocked. New or suspicious files can be routed to a sandbox for deeper inspection, and retrospective alerts can be generated if a file later starts to display bad behavior. SWG can use the Microsoft API to route the appropriate Microsoft 365 traffic directly to the nearest Microsoft data center to maximize performance.

Cloud Access Security Broker

The typical organization is only aware of a small fraction of its overall cloud activity. Cloud Access Security Broker (CASB) provides the ability to detect and report on cloud applications in use across your organization. For discovered apps, view details on the risk level and block or control usage to better manage cloud adoption and reduce risk.

Data Loss Prevention

Data Loss Prevention (DLP) is part of CASB. The DLP function scans all outbound web traffic and blocks sensitive data from leaving your organization or being exposed to malicious attackers in the cloud. Secure Connect supports two types of rules: Real Time and SaaS API-based. Real Time DLP rules inspect the web traffic that traverses the proxy and support all cloud applications. SaaS API-based rules scan data at rest in the cloud using APIs for Microsoft 365 and other select SaaS applications.

Site Interconnect

Network interconnect provides intelligent routing between sites connected to the Secure Connect network fabric. Cloud Firewall network access policies control access to private applications and resources, ensuring zero-trust policies are enforced. The cloud architecture drastically reduces network complexity, providing a secure, highly available network fabric, while the unified user interface minimizes the time needed for setup, monitoring and maintenance.

[Figure 6: Site Interconnect]

Note: Cisco SD-WAN sites are interconnected through the Cisco SD-WAN fabric and not the Secure Connect fabric. Cisco SD-WAN integration with Secure Connect is for Secure Internet Access and Remote Access only.

Pre-onboarding Checklist

Setting up Secure Connect requires some information about your network and applications. To streamline the setup process, it is recommended that you go through the Secure Connect Pre-onboarding Checklist, which can be found here.
