ModernCyber Blog

Cisco Secure Access

Written by Tina Cline | Nov 29, 2024 4:50:42 AM

Cisco Secure Access takes a modernized approach to securing today’s complex, hybrid work environments. It does so by improving user access to all applications and resources, simplifying operations with a single-console deployment and policy engine, and providing a unified client, Cisco Secure Client, for end-user connectivity.

Cisco Secure Access combines core Security Service Edge (SSE) principles, such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), DNS Security, Data Loss Prevention (DLP), and Cloud Delivered Firewall (CDFW), with secure end-user connectivity methods, Zero Trust Network Access (ZTNA) and VPN-as-a-Service (VPNaaS), and with advanced features such as Intrusion Prevention System (IPS) capabilities, Malware Protection, and Digital Experience Monitoring (DEM). Together these allow users to easily and securely gain access to business-critical applications and private resources, creating a low-friction environment for the end-user.

The result is a holistic, resilient, cloud-delivered solution that makes IT teams more efficient, lowers OpEx, and increases user productivity.

Let’s Dive into the Basics of Cisco Secure Access

Within Cisco Secure Access, there are two overarching Use Cases - Secure Internet Access and Secure Private Access.

Secure Internet Access:

Secure Internet Access (SIA) allows for the split-tunneling of unmonitored internet connections, connections to trusted SaaS applications, and connections to public internet resources.

Secure Internet Access policy implements core SSE features, such as DNS Security, CASB, DLP, Remote Browser Isolation (RBI), and SWG.

Secure Internet Access allows for a wide range of access rules, such as:

  • Allow – Permit access
  • Block – Deny access
  • Isolate – Isolate the user’s browser session with Remote Browser Isolation
  • Warn – Flag the request for the end-user by presenting a warning page, which they can click through to bypass
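To make the four verdicts concrete, here is a small policy evaluator, added as an illustration and not code from Cisco or ModernCyber. It models the rules as an ordered list with first-match semantics, treats Warn as a click-through state that is remembered per user and destination, and falls back to a default action when nothing matches. The glob matching, the default-allow fallback, the per-user acknowledgement store and the placeholder hostnames are all assumptions of this model, not documented Secure Access behaviour.

```python
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatch


class Action(Enum):
    """The four verdicts a Secure Internet Access rule can return."""
    ALLOW = "allow"
    BLOCK = "block"
    ISOLATE = "isolate"   # hand the session to Remote Browser Isolation
    WARN = "warn"         # show a warning page the user may click through


@dataclass
class Rule:
    name: str
    destination: str      # glob over the destination host, e.g. "*.corp-saas.test" (assumed matching style)
    action: Action


@dataclass
class InternetAccessPolicy:
    rules: list
    default_action: Action = Action.ALLOW          # assumption: allow when no rule matches
    # (user, destination) pairs whose warning page has already been clicked through
    acknowledged: set = field(default_factory=set)

    def evaluate(self, user: str, destination: str):
        """First matching rule wins; a WARN becomes ALLOW once the user has clicked through."""
        for rule in self.rules:
            if fnmatch(destination, rule.destination):
                if rule.action is Action.WARN and (user, destination) in self.acknowledged:
                    return Action.ALLOW, rule.name
                return rule.action, rule.name
        return self.default_action, "default"

    def acknowledge_warning(self, user: str, destination: str) -> None:
        """Record that this user chose to bypass the warning for this destination."""
        self.acknowledged.add((user, destination))


def build_demo_policy() -> InternetAccessPolicy:
    """Constructed sample policy; the hostnames are placeholders, not real sites."""
    return InternetAccessPolicy(rules=[
        # The narrower block rule is listed before the broader allow rule that would also match it.
        Rule("block-admin-console", "admin.corp-saas.test", Action.BLOCK),
        Rule("allow-corporate-saas", "*.corp-saas.test", Action.ALLOW),
        Rule("isolate-uncategorized", "*.uncategorized.test", Action.ISOLATE),
        Rule("warn-personal-storage", "*.personal-storage.test", Action.WARN),
    ])


if __name__ == "__main__":
    policy = build_demo_policy()
    print(policy.evaluate("alice", "drive.personal-storage.test"))   # (Action.WARN, 'warn-personal-storage')
```

The ordering point is the one worth carrying into a real deployment: because `*.corp-saas.test` also matches `admin.corp-saas.test`, the block rule only takes effect because it is evaluated first. Swap the two rules and the admin console becomes reachable.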

Secure Private Access: 

Secure Private Access (SPA) secures end-user access to private resources by using Zero Trust Network Access connections to reach private resources and applications.

Secure Private Access offers two types of Access rules:

  • Allow
  • Block

On the backend, Private Access to Resources and Applications can be achieved through either Network Tunnels or Resource Connectors.

Network Tunnels:

Network Tunnels connect Cisco Secure Access to your data centers to enable fast, reliable private network connections to your applications through IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnels.

With a maximum capacity of 1G per tunnel, additional Tunnels can be added to achieve the desired throughput.

Network Tunnels are grouped for HA and can fail over to Resource Connectors if configured to do so. From a user access perspective, users can reach private resources through Network Tunnels with either a VPNaaS or a ZTNA connection.

There are no restrictions on throughput measured in packets per second, nor are there any restrictions on the number of users per tunnel.

Resource Connectors:

Resource Connectors are lightweight VMs deployed in AWS, Azure, or ESXi that provide access to private resources for both client-based and clientless Zero Trust Access connections, establishing a DTLS tunnel to Secure Access.

From there, Zero Trust Access user requests are sent to the Resource Connector, which proxies the connection to the internal resource.

From the internal resource’s perspective, the connection comes from the Resource Connector, with all traffic egressing from the Resource Connector’s IP.

Resource Connectors allow access to applications with overlapping IPs, and use strictly outbound connections, requiring no routing configuration changes and eliminating the need to punch holes in the firewall.

Resource Connectors can be grouped for High Availability, and feature auto-failover as well as load balancing across Resource Connectors in the same Resource Connector Group, Region, and deployment type.

Workflow for ZTNA Connections in Cisco Secure Access:

  • First, the end-user connects to Secure Access’ protected resources through the Zero Trust Access module (client-based or clientless) within the Cisco Secure Client
  • Micro-tunnels are created via the QUIC and MASQUE protocols and terminate on the ZTNA proxy
    • Each micro-tunnel gives the user a unique tunnel all the way to the application
  • At this point, the user hits authentication (SAML provider, IdP, SSO), with the option to add MFA and posture checks here
  • Note that the user authenticates only once against ZTNA: once ZTNA has evaluated the user, they are allowed to request access to resources, and the client is enrolled with Secure Access based on the authentication results
  • Upon successful authentication, the client receives a trusted certificate from Secure Access, which is continually renewed
    • Authentication can be renewed per app, on a set timeout, etc.
  • From there, the user can request access to private resources
  • The request goes through the Access Policy and then out the backhaul through either a Network Tunnel or a Resource Connector.
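The workflow above, together with the Network Tunnel and Resource Connector sections, can be followed end to end in a toy model. The following Python is an added illustration written for this page and is not Cisco’s implementation: it authenticates the user once against a stand-in identity provider, enrolls the client with a short-lived certificate that can be renewed without re-authenticating, runs each resource request through an allow/block private access policy, and then picks a backhaul from the resource’s Network Tunnel group, failing over to its Resource Connector group when no tunnel is healthy. The in-memory IdP, the first-match deny-by-default policy, the round-robin choice inside a group, and the sample resource and tunnel names are all constructed assumptions of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientCert:
    """Short-lived certificate issued to the enrolled client after authentication."""
    user: str
    serial: int
    issued_at: int          # seconds on a simulated clock supplied by the caller
    lifetime: int

    def valid_at(self, now: int) -> bool:
        return self.issued_at <= now < self.issued_at + self.lifetime


@dataclass
class Backhaul:
    kind: str               # "tunnel" (Network Tunnel) or "connector" (Resource Connector)
    name: str
    healthy: bool = True


@dataclass
class PrivateResource:
    name: str
    tunnel_group: list              # Network Tunnels grouped for HA
    connector_group: list           # Resource Connectors used as failover
    failover_to_connectors: bool = True


@dataclass
class PrivateAccessRule:
    resource: str
    allowed_groups: set             # the user must belong to at least one of these
    action: str = "allow"           # SPA rules are only allow or block


class ZtnaBroker:
    """Toy model of the ZTNA proxy: authenticate once, enroll, then broker each request."""

    def __init__(self, idp: dict, rules: list, resources: dict, cert_lifetime: int = 3600):
        self.idp = idp                  # constructed stand-in for the SAML IdP: user -> (secret, groups)
        self.rules = rules
        self.resources = resources
        self.cert_lifetime = cert_lifetime
        self.enrolled = {}              # cert serial -> groups, filled on successful authentication
        self._next_serial = 1
        self._rr = {}                   # resource name -> round-robin counter (assumed balancing)

    def authenticate(self, user: str, secret: str, now: int):
        """One-time authentication; returns a client cert or None on failure."""
        entry = self.idp.get(user)
        if entry is None or entry[0] != secret:
            return None
        return self._issue(user, entry[1], now)

    def renew(self, cert: ClientCert, now: int):
        """Renew an enrolled client's cert without re-authenticating; the old serial is retired."""
        groups = self.enrolled.pop(cert.serial, None)
        return None if groups is None else self._issue(cert.user, groups, now)

    def _issue(self, user: str, groups: set, now: int) -> ClientCert:
        cert = ClientCert(user, self._next_serial, now, self.cert_lifetime)
        self._next_serial += 1
        self.enrolled[cert.serial] = groups
        return cert

    def request_access(self, cert: ClientCert, resource_name: str, now: int):
        """Check the cert, run the access policy, then select a backhaul."""
        groups = self.enrolled.get(cert.serial)
        if groups is None or not cert.valid_at(now):
            return ("cert-invalid", None)
        if not self._policy_allows(resource_name, groups):
            return ("block", None)
        backhaul = self._select_backhaul(self.resources[resource_name])
        return ("no-backhaul", None) if backhaul is None else ("allow", backhaul.name)

    def _policy_allows(self, resource_name: str, groups: set) -> bool:
        # First matching rule wins; no matching rule means deny (an assumption of this model).
        for rule in self.rules:
            if rule.resource == resource_name:
                return rule.action == "allow" and bool(groups & rule.allowed_groups)
        return False

    def _select_backhaul(self, res: PrivateResource):
        candidates = [b for b in res.tunnel_group if b.healthy]
        if not candidates and res.failover_to_connectors:     # tunnel group down: fail over
            candidates = [b for b in res.connector_group if b.healthy]
        if not candidates:
            return None
        idx = self._rr.get(res.name, 0)                       # round-robin inside the chosen group
        self._rr[res.name] = idx + 1
        return candidates[idx % len(candidates)]


def build_demo() -> ZtnaBroker:
    """Constructed sample deployment: one data-center tunnel group and one AWS connector group."""
    erp = PrivateResource("erp",
                          tunnel_group=[Backhaul("tunnel", "dc1-tunnel-1"), Backhaul("tunnel", "dc1-tunnel-2")],
                          connector_group=[Backhaul("connector", "aws-connector-1")])
    hr = PrivateResource("hr", tunnel_group=[Backhaul("tunnel", "dc1-tunnel-1")], connector_group=[])
    idp = {"alice": ("correct-horse", {"finance"})}
    rules = [PrivateAccessRule("erp", {"finance"}), PrivateAccessRule("hr", {"hr-staff"})]
    return ZtnaBroker(idp, rules, {"erp": erp, "hr": hr})


if __name__ == "__main__":
    broker = build_demo()
    cert = broker.authenticate("alice", "correct-horse", now=0)
    print(broker.request_access(cert, "erp", now=10))        # ('allow', 'dc1-tunnel-1')
```

Two details of the model are deliberate. Renewal retires the previous serial, so a leaked old certificate stops working as soon as the client renews, and a request is evaluated against the policy before any backhaul is chosen, so a blocked user never learns whether a tunnel or connector was available.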

To learn more about how to optimize your organization’s Zero Trust Strategy with Cisco Secure Access, please reach out to the ModernCyber Team to learn more about our Consulting Services, Deployment, and Enablement Services!