Cisco Secure Connect
The Unified Bridge to the Cloud
A new convergence of networking and security has evolved with the introduction of Secure Access Service Edge (SASE) technology.
Businesses have traditionally relied on firewalls and security stacks located on-premises to manage all their security policies, keeping employees protected from online threats that originate both inside and outside the network.
SD-WAN technology connects business locations, while client VPNs allow users to access data center/HQ servers and applications remotely.
However, in recent years, we've seen a significant shift in service location.
It was common to see 80% of traffic internally, while only 20% was routed over the internet.
Now, more staff are working remotely and using an ever-increasing number of applications within the cloud such as MS365, OneDrive, SharePoint, and Desktops as a Service.
The Challenges of Securing Cloud Applications
Dependence on cloud-based software has led to bottlenecks in security infrastructure, impeding employee productivity and network performance. Managing the growing number of software applications and database connections also becomes more complex.
As more data is hosted in the cloud, we must manage both on-premises and cloud security policies. Each service with its own security measures can lead to inconsistencies and potential risks.
So how do you manage the security of all these services, users, and devices, regardless of location, without hindering performance and ensuring compliance with all company policies?
The answer is to enforce security at the edge, close to these services, which avoids redirecting traffic to a central location and so improves speed and efficiency by decentralizing the network.
This is where SASE comes in.
What is SASE?
SASE at a high level can be broken down into these components to provide a cloud-hosted service:
SASE is designed to provide a seamless user experience with minimal effort by securely connecting users, things, and applications from anywhere. Ultimately, it's a movement towards Cloud Hosted Networking and Security.
Cisco Secure Connect
An evolution from Cisco SIG, the project started with the Meraki / Umbrella SD-WAN connector for branch sites to tunnel through Umbrella. Now Meraki has amplified this security fabric to integrate remote access and SD-WAN interconnect.
Next comes the magic where the Meraki platform combines the security and networking features as a service into the following use cases:
Use Case: Secure Internet Access
DNS Security
Cisco Umbrella blocks malicious domains before connections are made, stopping threats at the source. It also lets you enforce internet usage policies with 85+ content filters, allowing custom policies for unwanted websites.
Cloud Firewall
All traffic within Secure Connect from sites and client-based VPNs routes through the Cloud Firewall, where access policies can be applied.
The Cloud Firewall is network and application-aware, which protects traffic across all ports and protocols without performance impact. The IPS uses SNORT and leverages Cisco Talos for its signature database.
Depending on the destination, the Firewall routes traffic as follows:
Secure Web Gateway
The SWG protects web traffic over ports 80/443 by proxying all traffic for visibility and control.
Known threats are blocked, suspicious files are sandboxed, and retrospective alerts are generated if needed. SWG also uses the Microsoft API to route MS365 traffic directly to the nearest DC for optimal performance.
Cloud Access Security Broker
Organizations usually know only a fraction of their cloud activity. Secure Connect's CASB reports on all cloud apps, providing risk details and allowing you to block or control usage, thus reducing risk.
Data Loss Prevention
Cisco's DLP inspects outbound web traffic in real time to block sensitive data using custom policies.
DLP enforces data protection rules, restricts risky uploads, integrates with CASB, and generates alerts and reports to ensure compliance and security.
Use Case: Secure Remote Access
Client-based Access
With the Secure Client (VPN software) on the user’s device, a tunnel is built to the Cloud Firewall. Client-based access supports all ports/protocols, making it ideal for non-web-based apps or applications that require an agent on the end device.
In addition, endpoint posture policies can be applied to ensure only compliant devices can connect to the network.
Traffic Steering
The Secure Connect Client also supports split tunneling. These rules are either inclusion or exclusion-based and determine what traffic is sent or not sent through the Secure Connect tunnel.
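To make the inclusion/exclusion distinction concrete, here is an added example (not Secure Connect's own configuration format or code) that evaluates a split-tunnel rule set against destination addresses. The rule sets and prefixes are constructed; an inclusion rule set tunnels only the listed prefixes, an exclusion rule set tunnels everything except them, and the validator rejects prefixes with host bits set so a typo cannot silently widen what bypasses the tunnel.

```python
import ipaddress

# Constructed sample rule sets (not Secure Connect's real configuration schema).
INCLUDE_ONLY_RULES = {
    "mode": "include",  # only the listed destinations go through the tunnel
    "prefixes": ["10.0.0.0/8", "192.168.0.0/16", "203.0.113.0/24"],
}
EXCLUDE_RULES = {
    "mode": "exclude",  # everything goes through the tunnel except the listed destinations
    "prefixes": ["13.107.0.0/16"],  # constructed stand-in for a direct-to-cloud SaaS range
}


def validate_rules(rules):
    """Reject malformed rule sets before they are applied.

    ipaddress.ip_network(..., strict=True) raises ValueError for a prefix such
    as 10.1.2.3/8 whose host bits are set, which would otherwise be a typo
    that silently covers far more address space than intended.
    """
    if rules.get("mode") not in ("include", "exclude"):
        raise ValueError("mode must be 'include' or 'exclude'")
    networks = [ipaddress.ip_network(p, strict=True) for p in rules["prefixes"]]
    if rules["mode"] == "exclude" and any(n.prefixlen == 0 for n in networks):
        # Excluding 0.0.0.0/0 or ::/0 means nothing is ever tunneled.
        raise ValueError("exclusion rule set excludes all traffic")
    return networks


def _matches(dst, networks):
    """True if dst falls inside any listed prefix (IP version must match)."""
    addr = ipaddress.ip_address(dst)
    return any(addr in n for n in networks)


def steer(dst, rules):
    """Return 'tunnel' or 'direct' for one destination under a rule set."""
    networks = validate_rules(rules)
    hit = _matches(dst, networks)
    if rules["mode"] == "include":
        return "tunnel" if hit else "direct"
    return "direct" if hit else "tunnel"


def steer_all(destinations, rules):
    """Classify a batch of destinations; useful for reviewing a rule set."""
    return {dst: steer(dst, rules) for dst in destinations}


if __name__ == "__main__":
    sample = ["10.1.2.3", "8.8.8.8", "13.107.6.1", "203.0.113.9", "2001:db8::1"]
    print("include-only:", steer_all(sample, INCLUDE_ONLY_RULES))
    print("exclude:     ", steer_all(sample, EXCLUDE_RULES))
```

Note that an IPv6 destination never matches an IPv4 prefix, so under an inclusion rule set it goes direct and under an exclusion rule set it is tunneled; reviewing a rule set with a mixed sample like the one above is a quick way to catch that kind of gap.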
Forget Client VPNs - Clientless Browser Access
Clientless Zero Trust Network Access (ZTNA) leverages a zero-trust proxy for endpoints with clientless access without any VPN to access a private application. This approach is ideal when installing the client isn't feasible, allowing authentication and application access via a web browser.
To access an application, the user connects to the ZTNA reverse proxy using a unique URL for each application.
Before access is permitted to an application, both the user and device are verified and validated by a Browser Access Policy (BAP) on a per-session basis.
Direct SAML integrations allow users to be authenticated and policies to be enforced through both traditional Active Directory and Azure AD, with the option to integrate Cisco Duo for MFA.
An ideal use case would be for providing third-party access to your private applications on devices that might not be owned or managed by your company.
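The clientless flow above (one hostname per application, a reverse proxy in front, and a per-session check of both user and device before the private origin is reached) can be illustrated with the added example below. It is not Secure Connect's code; the hostnames, internal origins, group names and posture attributes are all constructed, and the identity attributes stand in for what a SAML assertion and MFA step would supply.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    """What the proxy knows about one browser session after authentication.

    Constructed stand-in for SAML-asserted attributes plus an MFA result and
    the device signals a browser-based check can gather.
    """
    user: str
    groups: frozenset
    mfa_passed: bool
    device_posture: dict = field(default_factory=dict)


@dataclass(frozen=True)
class BrowserAccessPolicy:
    """Per-application rule evaluated on every session (constructed schema)."""
    allowed_groups: frozenset
    require_mfa: bool = True
    required_posture: dict = field(default_factory=dict)


# Unique public hostname -> (private origin, policy). All values constructed.
APPS = {
    "hr-portal.ztna.example.test": (
        "http://10.0.5.20:8080",
        BrowserAccessPolicy(frozenset({"hr", "it-admins"}),
                            required_posture={"os_patched": True}),
    ),
    "contractor-tickets.ztna.example.test": (
        "http://10.0.5.30",
        BrowserAccessPolicy(frozenset({"contractors", "it-admins"})),
    ),
}


def authorize(host, session):
    """Decide whether the proxy may forward this session to the app behind host.

    Returns (allowed, reason, origin). The private origin is only revealed on
    an allow decision, and an unknown hostname is denied rather than guessed.
    """
    entry = APPS.get(host.lower())
    if entry is None:
        return False, "unknown application hostname", None
    origin, policy = entry
    if not (session.groups & policy.allowed_groups):
        return False, "user is not in an allowed group", None
    if policy.require_mfa and not session.mfa_passed:
        return False, "MFA not completed for this session", None
    for attr, wanted in policy.required_posture.items():
        if session.device_posture.get(attr) != wanted:
            return False, f"device posture check failed: {attr}", None
    return True, "allowed", origin


if __name__ == "__main__":
    # Constructed sessions: a third-party contractor on an unmanaged laptop.
    contractor = Session("c.jones@partner.example", frozenset({"contractors"}),
                         mfa_passed=True, device_posture={"os_patched": False})
    for host in APPS:
        print(host, "->", authorize(host, contractor))
```

The contractor in the sample reaches the ticketing app but not the HR portal: the group check passes for the first and fails for the second, and even an HR member would be held back on that unmanaged laptop because the policy demands a patched OS on every session.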
Use Case: Enhance Your Existing SD-WAN
Secure Connect offers deep integrations with the Meraki SD-WAN, creating a unified SASE experience by extending the fabric to the cloud.
If your users are in the office, SASE’s integration with SD-WAN means that your user’s traffic is routed back through Meraki's Auto-VPN.
If they require direct web access to cloud applications and resources, the traffic is routed directly via the cloud firewall and security policies.
Licensing
There are two packages available, each having two tiers, Essentials and Advantage:
Secure Connect Foundation package – focused on secure internet access for branch and roaming users.
Secure Connect Complete package – focused on hybrid users that need secure Internet access, ZTNA, and remote access as a service.
Get in Touch!
If your business uses private or public cloud applications like Office 365, Google Cloud Services, Dropbox, or Sage Cloud, and has a mix of on-site and remote users, Secure Connect offers a perfect solution to manage and secure your remote workforce.
If you've found this insightful and would like to find out more about our Cisco Secure Connect services, we can provide a free trial to set up the SASE solution on your network and assist with setup, configuration, and management. Please get in touch:
[email protected] or call 0333 370 1353.