Brksec 1708


Cisco Secure Access


Overview and End-to-end flow review

Jonny Noble – Director, Technical Marketing


@JonnyNoble3
BRKSEC-1708

#CiscoLiveAPJC Session ID © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex App

Questions?
Use Cisco Webex App to chat
with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until December 22, 2023.
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-1708

Abstract
• This session provides an end-to-end introduction and overview for Cisco's latest
Security Service Edge solution, Cisco Secure Access
• We will take a closer look at the latest innovations in Cisco's Secure Service Edge
(SSE), including new ZTNA client-based and clientless capabilities, simplified policy
management, and a unified client that will remove the frustration of securely
connecting for your hybrid workforce, all coming together to protect your users and
applications
• The session will start by defining the current challenges enterprises are facing and
the use cases that Cisco Secure Access solves, followed by an overview of the
architecture, a deep dive on the flow of data for the supported use-cases for secure
internet and private access, what differentiates this solution from others in the
market, concluding with a look at the dashboard and end-user experience
• Ample time will be kept for Q&A and an open discussion with the audience

Jonny Noble - About me…
• I am Director of Technical Marketing for Cloud Security
at Cisco, with expertise in Secure Service Edge and
surrounding SASE-related technologies
• I am focused on cyber-security and have over 25 years of vast
experience in customer-facing disciplines in leading global hi-tech
organizations
• I am a seasoned speaker at Cisco Live events and regularly
represent Cisco at numerous other customer and partner events,
trade shows, and exhibitions
• I hold degrees in Electronics, Sociology, a Business MBA, and am
CISSP certified

Agenda
• Session Introduction
• Setting the scene for Cisco Secure Access
• What have we built? Architecture and flow
• Demos
• Q&A and summary

Let’s set the scene, and session expectations

Hybrid work era creates unmanageable risk

Your organization’s security wasn’t designed for a hyper-distributed model

85% not adequately prepared to handle cybersecurity threats*

* Source: Cybersecurity Readiness Index – Cisco: March 2023

The multi-vendor approach is problematic

[Diagram labels: CASB, SWG, RBI, ZTNA, Sandbox, DLP; Separate consoles; Internet apps, SaaS apps, Core private apps, Longtail/non-standard apps]

Security innovation is a patchwork.

[Image labels: web threats, spam, ransomware]

Current patchwork approach intensifies the problem
More products lead to more complexity within your business and IT environment

• Threats shown: Exfiltration, Ransomware, Lateral movement, Web threats, Stolen credentials, Spam
• 76: Average number of security tools used per enterprise today

New threats spawn new vendors, putting the burden on customers

Customer care-abouts
• Visibility and Control: No visibility in direct-to-Internet traffic. Siloed, disaggregated dashboards
• Simplified Remote Access: Many on-prem, private applications. Need for simplified end user experience
• ZTNA is a journey: Need user access control, security posture management, application and user group policies
• Segmentation: Granular segmentation and zero trust policies for applications

SASE/SSE approach is the technology foundation
Fundamental to your security strategy for a hyper-distributed world

Zero Trust Approach: Connect It, Secure It

Market convergence
SASE: SD-WAN, SSE
• Cloud Access Security Broker (CASB)
• Firewall as a Service (FWaaS)
• Zero Trust Network Access (ZTNA)
• Secure Web Gateway (SWG)

*with support for remote workers

Eliminate unnecessary decisions
How would you like to connect to your applications?

• Connection options: VPN, ZTNA, Direct
• Application types: Internet apps, SaaS apps, Private apps, Traditional apps

“Please use VPN for some apps and ZTNA for others. Unless it’s just the Internet, in which case you should connect directly. Thank you, The Management”

Reimagine the user experience:
Cisco Secure Access makes the connections you need

1. Authenticate
2. Get to work

• Internet apps: Protected by SWG
• SaaS apps: Protected by CASB
• Private apps: ZTNA gives controlled access
  Note: Supports both client and clientless connectivity to selected applications
• Traditional apps: VPN gives network access for existing applications

What have we built?

Cisco Secure Access
Better for users, easier for IT, and safer for everyone

Cisco Secure Access
Modernize your defense with converged cloud security in a single subscription

• Better for Users: Facilitate a frictionless workforce experience
• Easier for IT: Lower cost and increase efficiencies
• Safer for Everyone: Reduce risk and improve business resilience

Imagine cybersecurity that’s safer and easier for everyone

Unique secure access that is easier and safer for everyone…

From anywhere: Remote users; Managed and unmanaged devices
To anything: Web / Public / SaaS apps / Private apps

Cisco Secure Access
• Better for Users (Exceptional User Experience): Users log in and get to work
• Easier for IT (Simplified IT Operations): IT has one dashboard to see traffic, set policies, and analyze risk
• Safer for Everyone (Tighter Security): Converged, cloud-native security defends against the unknown

Converged cloud-native security on a single platform

Cisco Secure Access
A comprehensive Security Service Edge (SSE) solution to accelerate your SASE journey

Core SSE Capabilities
• Firewall as a Service (FWaaS)
• Secure Web Gateway (SWG)
• Cloud Access Security Broker (CASB)
• Zero Trust Network Access (ZTNA)

and so much more in one subscription…
• Cisco SD-WAN integration
• 3rd party integrations (IdP, MDM (posture), and other security tools)
• Global scale with Cisco data centers and public cloud locations

Going beyond Core Security Service Edge
Cisco Secure Access
VPNaaS
Digital Experience Monitoring
DNS Security
Remote Browser Isolation
Data Loss Prevention
Advanced Malware Protection
Sandbox
Talos Threat Intelligence
AI-powered Platform

Consolidate security into one cloud solution with a single subscription

Architecture and flow drill-down

Evolution from Cisco Umbrella SIG

Main use-cases
• Secure Internet Access
• POPs in Cisco Edge Data Centers
• Meraki and Viptela SD-WAN Integration from DIA to SIA

Umbrella SIG (Cisco Edge Data Centers)
• DNS Security
• L3/4/7 Firewall
• Secure Web Gateway (SWG)
• Data Loss Prevention (DLP)
• Cloud-access Security Broker (CASB)
• MFA Support
• Device Posture & Health

[Diagram labels: Users, Devices & Things; On Premise, DC/Colo/SD-WAN Branch; Internet/SaaS; Public Applications; Private Applications. Legend: Internet Traffic, Private Traffic, Secure Tunnel]

Architecture overview

Legend: Internet Traffic, Private Traffic, Secure Tunnel, Breakout (unmonitored internet and trusted SaaS)

Users & Devices
• Managed Endpoint
• Clientless Access
• Unmanaged

How: Cisco Secure Access (POPs in Public Cloud)
Unified Dashboard
• Identity and Posture based Controls
• Single SLA
• Single Policy
• Magnetic Design System
Unified Security
• Flexible ingress/egress connectivity
• Consistent inspection for all traffic
• Granular context-based control

Apps
• Internet/SaaS
• Public Applications
• Private Applications
• Public/Private Cloud
• ZTNA Private Applications via App Connector or Backhaul VPN

[Other diagram labels: On Premise, DC/Colo/Branch; Users, Devices & Things; Public Applications]

Architecture overview: Who

[Architecture overview diagram repeated with the same Unified Dashboard and Unified Security bullets. Users & Devices labels: Managed Endpoint; Clientless Access; Unmanaged; Users, Devices & Things; On Premise, DC/Colo/Branch]

Zero Trust Access Module
New in Cisco Secure Client

• Transparent user experience
• Proxied resource access with coarse-grained or fine-grained access control
• Service managed client certificates with TPM/hardware enclave key storage
• Support for both TCP and UDP applications
• Cisco and third-party VPN client interop
• Next-generation protocol (QUIC & MASQUE)

What are QUIC and MASQUE?

QUIC (not an acronym)
• UDP-based, stream-multiplexing, encrypted transport protocol
• First used in Google Chrome in 2012
• Used for HTTP/3, Apple iCloud Private Relay, SMB over QUIC, DNS over QUIC, etc.
• Optimized for the next generation of internet traffic with low latency and high capacity, compared to TLS over TCP
• Supports micro-tunnels

MASQUE (Multiplexed Application Substrate over QUIC Encryption)
• IETF working group focused on next generation proxying technologies on top of the QUIC protocol
• Provides the mechanisms for multiple proxied stream and datagram-based flows inside HTTP/2 and HTTP/3
• Used by iCloud Private Relay since 2021
• HTTP/2 and HTTP/3 extensions allow for the signaling and encapsulation of UDP and IP traffic

When combined, MASQUE + QUIC provides an efficient and secure transport mechanism for TCP, UDP and IP traffic for both web and non-web protocols

Challenges with the journey to Zero Trust

[Diagram labels: Zero Trust; VPN; IT; Sales. Apps shown: SolarWinds, SAP Concur, Workday, Salesforce, Jira, Datadog, Oracle ERP, SalesLoft, Klue, Custom Apps, Server-initiated apps. App categories: Peer-to-Peer, Multi-channel Apps, Latency Sensitive Apps, Longtail Apps, Custom Apps, Legacy]

App compatibility with Zero Trust
Examples of private apps that don’t work well with Zero Trust

• Client-to-client traffic (e.g. peer-to-peer VoIP)
• Server-to-client traffic (e.g. remote desktop; remote assistance)
• Applications that require a unique client IP (e.g. SMBv1)
• Applications that require SRV DNS records (e.g. Active Directory, Kerberos, SCCM)
• Applications that require the server to send a data payload (after the TCP 3-way handshake), before the client will send a data payload (e.g. MySQL Studio)
• Applications that perform an ICMP connectivity check prior to connecting via TCP or UDP
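
An added example, not from the Cisco session or product: a probe for the fifth case in the list above, an application whose server sends data after the TCP handshake before the client has sent anything. The function names, the two loopback services and the banner bytes are constructed for illustration.

```python
import socket
import threading


def probe_first_speaker(host, port, wait=1.0):
    """Connect, send nothing, and report which side talks first."""
    with socket.create_connection((host, port), timeout=wait) as sock:
        sock.settimeout(wait)
        try:
            data = sock.recv(64)          # we never send; only listen
        except socket.timeout:
            return "client-first"         # server stayed silent for `wait` s
        return "server-first" if data else "closed-without-data"


def audit(targets, wait=0.5):
    """targets: {app_name: (host, port)} -> {app_name: verdict}."""
    report = {}
    for name, (host, port) in targets.items():
        try:
            report[name] = probe_first_speaker(host, port, wait)
        except OSError as exc:            # refused, unreachable, reset, ...
            report[name] = "unreachable: " + exc.__class__.__name__
    return report


def needs_review(report):
    """Apps whose server speaks first, sorted by name."""
    return sorted(n for n, v in report.items() if v == "server-first")


def _serve(greet_first):
    """Constructed loopback service; returns (listening socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:               # listener closed
                return
            with conn:
                if greet_first:
                    conn.sendall(b"constructed-banner\r\n")
                conn.settimeout(2.0)
                try:
                    conn.recv(64)         # wait for the client or its close
                except OSError:
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Audit one server-first and one client-first constructed service."""
    db_srv, db_port = _serve(greet_first=True)
    web_srv, web_port = _serve(greet_first=False)
    try:
        return audit({
            "constructed-db": ("127.0.0.1", db_port),
            "constructed-web": ("127.0.0.1", web_port),
        })
    finally:
        db_srv.close()
        web_srv.close()


if __name__ == "__main__":
    result = demo()
    for app, verdict in result.items():
        print(app, verdict)
    print("review before moving to proxied access:", needs_review(result))
```

A `server-first` verdict marks an application to test explicitly behind the proxy before it is moved off network-level VPN access.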

Simplify the journey to Zero Trust with migration

• Unified ZTNA: Granular controls at the application level + VPNaaS and Digital Experience Management
• VPN as-a-Service: Lift your VPN to the cloud – more control and easier to manage
• Traditional VPN: Network level access – cannot control at app level

Why QUIC?
Fast connection establishment (0-RTT)

Ability to change IPs without renegotiation (Connection migration)

No waiting for partially delivered packets (Individually encrypted packets)

Not vulnerable to TCP meltdown (UDP transport)

No head-of-line blocking (Stream multiplexing)

Can simultaneously use multiple interfaces (Multipath)

Why MASQUE?

• No direct resource access (Proxy architecture)
• Broad application support (TCP, UDP and IP)
• Fallback to HTTP/2 (TCP 443) if QUIC (UDP 443) is blocked
• Flexibility to support per-connection, per-app or per-device tunnels
• Native OS support

Zero Trust Access module – Socket intercept

Why use socket intercept?
• Control of DNS and application traffic before VPN clients (interoperability with Cisco and non-Cisco VPNs)
• No route table manipulation
• Ability to capture traffic by IP, IP subnet, FQDN, and FQDN wildcard

[Diagram labels: Zero Trust Access module; VPN clients]

Who: Remote User Connectivity

Legend: Internet Traffic, Private Traffic, Secure Tunnel

Managed Endpoint (Cisco Secure Client)

VPN: AnyConnect VPN
→ Authentication & Posture @ Connect time
→ DTLS Tunnel
→ Carry Internet & Private Traffic (All ports & protocols)
→ SAML, (+) Cert, & (+) Multi-Cert Authentication

ZTNA: ZTNA Module
→ Authentication & Posture per session
→ QUIC tunnel (MASQUE proxy)
→ Carry Private Traffic (All ports & protocols)
→ SAML Auth + Auto re-new

Web (www): Roaming Module
→ Device Enrollment (profile)
→ Carry Internet Web Traffic (80/443)

Unmanaged Endpoint (Browser)

Clientless ZTNA
→ Accessible from any browser that supports SAML/Cookies
→ Request based posture (geolocation, browser version, OS)
→ Web Apps Only

Posture
Columns: VPN (client-based), ZTNA (client-based), ZTNA unmanaged (browser only)

• Authorization check prior to application access
• Authorization and access check per session

Operating System ✓ ✓ ✓
Geolocation Check ✓ ✓ ✓*
  (moved to access policy)
Firewall ✓ ✓
Disk Encryption ✓ ✓
Browser Check ✓ ✓
Anti-Malware ✓ ✓
File Check ✓
Registry Check (windows only)
Process Check ✓
System Password ✓
Certificate Check ✓

* Roadmap

Supported AV vendors – Client-based ZTNA

Windows 10/11
• BitDefender Endpoint Security
• Cisco Secure Endpoint
• CrowdStrike Falcon Sensor
• McAfee Endpoint Security
• SentinelOne
• Sophos AV (Intercept X)
• CylancePROTECT
• Symantec Endpoint Protection
• Trend Micro Apex One
• VMWare Carbon Black Cloud
• Microsoft Defender
• Palo Alto Cortex XDR

macOS
• BitDefender Endpoint Security
• Cisco Secure Endpoint
• CrowdStrike Falcon Sensor
• McAfee Endpoint Security
• SentinelOne
• Sophos AV (Intercept X)
• Symantec Endpoint Protection
• Trend Micro Apex One
• VMWare Carbon Black Cloud
• CylancePROTECT
• Palo Alto Cortex XDR

Supported AV vendors, RA VPN:
https://www.opswat.com/partners/certification/certified-products

Who: Branch Users Connectivity

Legend: Internet Traffic, Private Traffic, Secure Tunnel

[Diagram labels: Branch; SD-WAN; Cisco Secure Access; Internet/SaaS; Public/Private Cloud; Private Applications]

Branch Devices
→ 1GB throughput (edge device tunnel to Secure Access)
→ All internet traffic is routed to Secure Access
→ Auto Tunnels with Viptela SD-WAN SIA branches (1)

(1) Available Dec 2023 (requires Viptela code upgrade)

Architecture Overview - Apps

[Architecture overview diagram repeated with the same Unified Dashboard and Unified Security bullets. Apps labels: Internet/SaaS; Public Applications; Private Applications (App Connector, Backhaul VPN); Public/Private Cloud]

Apps: Private Applications

IPSec Network Tunnel (apps in Data Center, Cloud)
→ IPSec Backhaul
→ Static or BGP based routing
→ Auto Failover/ Redundancy

Application Connector (AC) (outbound DTLS tunnels to Cisco Secure Access)
→ Software deployment (VM or Cloud Instance)
→ Deploy closest to application
→ Outbound connectivity (no holes in firewall)
→ Auto failover / load balancing

Apps: Internet/SaaS Applications

Trusted SaaS/Bypass
→ Bypass inspection for trusted web apps
→ Route traffic directly from host to internet

Secure Internet Access (via Cisco Secure Access to Internet/SaaS)
→ All traffic filtered through Secure Access
→ Branch traffic routed via IPSec tunnel
→ Remote user traffic acquired via Secure Client

Security services

Legend: Internet Traffic, Private Traffic, Secure Tunnel, Breakout (unmonitored internet and trusted SaaS)

Client Capabilities
• Client-based ZTNA with multi-tunnel support
• Client-less ZTNA
• Secure Remote Access (aka VPNaaS)
• Identity and posture-based controls
• Trusted Network Detection

Cisco Secure Access (POPs in Public Cloud)
• DNS Security
• L3/4/7 Firewall w/ IPS
• Secure Web Gateway (SWG)
• Data Loss Prevention (DLP)
• Cloud-access Security Broker (CASB)
• MFA Support
• Device Posture & Health
• Secure Access (ZTNA/VPNaaS)

Unified SSE Dashboard
• Identity and Posture-based Controls
• Unified Policy
• Magnetic Design System

[Diagram labels: Managed Endpoint; Clientless Access; Unmanaged; Users, Devices & Things; On Premise, DC/Colo/SD-WAN Branch; Internet/SaaS; Public Applications; Private Applications; Public/Private Cloud; ZTNA Private Applications via App Connector or Backhaul VPN]

The Glue: Security Services & Policy Flow

Legend: Internet Traffic, Private Traffic, Non-Web Traffic

[Diagram of Cisco Secure Access (POPs in Public Cloud). Labels: Traffic Acquisition (CNHE); Network Tunnel; ZTNA Clientless; Remote VPN; Proxy; NAT; Auth; MFA Support; Device Posture & Health; L3/4/7 FW; IPS; Services Router; ZTNA; SWG; DLP; CASB; Optional]

Cisco Secure Access – Full architecture

Legend: Internet Traffic, Private Traffic, Secure Tunnel, Breakout (unmonitored internet and trusted SaaS)

Client Capabilities
• Client-based ZTNA with multi-tunnel support
• Client-less ZTNA
• Secure Remote Access (aka VPNaaS)
• Identity and posture-based controls
• Trusted Network Detection
• Unified SSE Dashboard with cloud-managed deployment

Cisco SSE (POPs in Public Cloud)
• DNS Security
• L3/4/7 Firewall w/ IPS
• Secure Web Gateway (SWG)
• Data Loss Prevention (DLP)
• Cloud-access Security Broker (CASB)
• MFA Support
• Device Posture & Health
• Secure Access (ZTNA/VPNaaS)

Unified SSE Dashboard
• Identity and Posture-based Controls
• Unified Policy
• Single SLA
• Magnetic Design System

[Diagram labels: Managed Endpoint; Clientless Access; Unmanaged; Users, Devices & Things; On Premise, DC/Colo/SD-WAN Branch; Internet/SaaS; Public Applications; Private Applications; Public/Private Cloud; ZTNA Private Applications via App Connector or Backhaul VPN]

Select Cisco Innovations
• ZTNA for Any Application, Any Port, Any Protocol with per user, per application controls
• Unified SSE Dashboard - simplify administration to reduce risk and improve efficiency
• Unified Client with Multi-tunnel ZTNA, VPNaaS, Posture
• Secure Internet Access – single in-line inspection with application policy
• POPs in Public Cloud and Cisco Edge Data Centers

Initial AWS Region coverage since GA
• Asia Pacific (Mumbai)
• Asia Pacific (Singapore)
• Asia Pacific (Tokyo)
• Australia (Sydney)
• Europe (Frankfurt)
• Europe (London)
• Middle-East (Tel Aviv)
• US East (Northern Virginia)
• US West (Oregon)

Datacenter architecture targets
• Initially in AWS regions
  • Ability to reach wide coverage, quickly (81 availability zones* in 31 regions)
  • New locations available within ~2 weeks
  • Close to customers’ users and app locations
• After initial release will further expand
  • Additional public cloud locations: GCP, Azure, Gov cloud, customer private cloud
• Further expansion: Full hybrid
  • Seamless integration between public cloud and Cisco’s existing cloud edge DCs (~40)
  • Ability to run private instance on customer’s network (hybrid integration with cloud)
* Excludes availability zones in China and gov-cloud

Demos
1. Dashboard and Admin Experience
2. Resource Connectors
3. Experience Insights

Summary
Q&A
Summary and call to action…
• Secure Access provides the best end-user and admin experiences
• Differentiators:
  • Single dashboard/policy
  • Single agent
  • VPNaaS
• Easy to get started; migration options, POV
• Product experts at Cisco Live from Product Management, Technical Marketing, and Sales Architects
• Product demos, MTE, related breakout sessions
  • BRKSEC-2729, ZTNA deep dive: Room 212 / Thursday, 16:00

Session Surveys
We would love to know your feedback on this session!
• Complete a minimum of four session surveys and the overall event surveys to claim
a Cisco Live T-Shirt

Participating in user research gives you a
place to share your thoughts and
experiences to influence the future of
Cisco Secure products.
• You'll hear from us once every 90 days at the most
• Participation is completely optional, and you can
opt out at any time
Q&A

Thank you
