

Zero Trust Network Access (ZTNA) Demystified - What It Is, Why You Need It and the Cisco Technologies That Make Frictionless Security Possible (PDF)

PDF, 133 pages, 9.08 MB


Zero Trust Network Access (ZTNA) Demystified: What It Is, Why You Need It and the Cisco Technologies That Make Frictionless Security Possible
BRKSEC-2079, Cisco Live 2023
Steven Chimes, Technical Solutions Architect
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public. #CiscoLive

About Your Speaker
- Security Architect focused on global financials and global life sciences customers
- 15 years in industry, including higher ed, manufacturing, and 10 years at Cisco
- Author of the CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide

Agenda
- The What & Why of ZTNA
- Cisco Secure Firewall
- Cisco Secure Firewall + Duo
- Duo Network Gateway (DNG)
- Cisco Secure Access

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How: 1. Find this session in the Cisco Live Mobile App. 2. Click "Join the Discussion". 3. Install the Webex App or go directly to the Webex space. 4. Enter messages/questions in the Webex space.
Webex spaces will be moderated by the speaker until June 9, 2023. https:/

The What & Why of ZTNA

Why Zero Trust?
- Dissolving perimeter
- Attackers actively exploiting gaps and weaknesses
- 80% of organizations are NOT prepared (Cisco's Cybersecurity Readiness Index 2023)

Zero Trust Network Access (ZTNA)
Principles (Zero Trust) applied to (Network Access) = ZTNA.

Why ZTNA?
- Zero Trust
- User Experience
- SaaS Delivery

Evolution of ZTNA
VPN → SDP (Software Defined Perimeter) → ZTNA (Software Defined Perimeter, rebranded)

Evolution of ZTNA: Organization Adoption
(Chart: organization adoption over time of VPN, SDP (Software Defined Perimeter) and ZTNA (Software Defined Perimeter, rebranded), annotated "Hybrid Work".)

ZT vs. ZTA vs. ZTNA vs. ZTAA
- Zero Trust (ZT): A comprehensive security framework that prioritizes least privilege, strict access controls, and continuous monitoring to mitigate risks and protect resources.
- Zero Trust Access (ZTA): A specific aspect of Zero Trust that focuses on managing and enforcing access to resources.
- Zero Trust Network Access (ZTNA): A subset of Zero Trust Access that focuses on secure access to networks.
- Zero Trust Application Access (ZTAA): A subset of Zero Trust Access that focuses on secure access to individual applications.

ZTNA vs. ZTAA
Allow access to:
- ZTNA: Corporate Network (10.0.0.0/8 or *)
- ZTAA: Production Jira App
When:
- User Identity (Lee authenticated via MFA)
- Device Posture (Fully patched device)
- Location (United States)
- Continuous Monitoring (TLS decrypt and IPS inspection)
The primary difference between ZTNA and ZTAA is the granularity of access granted by policy.
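To make the granularity difference concrete, here is an added example (not from the deck or from Cisco) that evaluates one request under a network-scoped ZTNA grant and an app-scoped ZTAA grant using the slide's "When" conditions; the IP addresses, app names and requests are constructed.

```python
"""ZTNA vs. ZTAA: same 'When' conditions, different grant scope.

Added example, not from the deck or from Cisco. The conditions (user
authenticated via MFA, fully patched device, location United States,
continuous monitoring with TLS decrypt and IPS) and the two grant targets
(corporate network 10.0.0.0/8 vs. the Production Jira app) come from the
slide; every IP address, app name and request below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa: bool           # user identity: authenticated via MFA
    patched: bool       # device posture: fully patched device
    country: str        # location, ISO 3166 alpha-2
    inspected: bool     # continuous monitoring: TLS decrypt + IPS in the path
    dest_ip: str        # address the user's traffic is headed to
    app: Optional[str]  # application the proxy identified, if any


def conditions_met(req: AccessRequest) -> bool:
    """The 'When' clause; identical for both policy styles."""
    return req.mfa and req.patched and req.country == "US" and req.inspected


class ZTNAPolicy:
    """Network-scoped grant: anything inside the allowed prefixes ('*' is 0.0.0.0/0)."""

    def __init__(self, prefixes=("10.0.0.0/8",)):
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]

    def allows(self, req: AccessRequest) -> bool:
        if not conditions_met(req):
            return False
        ip = ipaddress.ip_address(req.dest_ip)
        return any(ip in net for net in self.prefixes)


class ZTAAPolicy:
    """Application-scoped grant: only the named applications, wherever they live."""

    def __init__(self, apps=("jira-prod",)):
        self.apps = frozenset(apps)

    def allows(self, req: AccessRequest) -> bool:
        return conditions_met(req) and req.app in self.apps


def decide(req: AccessRequest) -> Dict[str, bool]:
    """Evaluate one request under both policies side by side."""
    return {"ztna": ZTNAPolicy().allows(req), "ztaa": ZTAAPolicy().allows(req)}


# Constructed requests for 'lee', the demo persona on the slides.
LEE_TO_JIRA = AccessRequest("lee", True, True, "US", True, "10.1.20.5", "jira-prod")
LEE_TO_FILESERVER = AccessRequest("lee", True, True, "US", True, "10.50.0.9", "smb-files")
LEE_UNPATCHED = AccessRequest("lee", True, False, "US", True, "10.1.20.5", "jira-prod")
LEE_ABROAD = AccessRequest("lee", True, True, "DE", True, "10.1.20.5", "jira-prod")
LEE_NO_INSPECTION = AccessRequest("lee", True, True, "US", False, "10.1.20.5", "jira-prod")

if __name__ == "__main__":
    # Same user, same conditions: ZTNA lets Lee reach any host in 10.0.0.0/8,
    # ZTAA lets Lee reach only the Jira app.
    for name, req in [("jira", LEE_TO_JIRA), ("fileserver", LEE_TO_FILESERVER),
                      ("unpatched", LEE_UNPATCHED), ("abroad", LEE_ABROAD)]:
        print(f"{name:10s} {decide(req)}")
```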

Types of Zero Trust Access
Clientless Zero Trust Access vs. Client-Based Zero Trust Access:
- General Description: Clientless: A lightweight method of securely accessing resources. Client-Based: A more feature-rich method of securely accessing resources.
- Application Support: Clientless: Supports web applications (HTTP/HTTPS) without any software, and other select protocols (SMB/RDP/SSH/etc.) via a portal or small helper application. Client-Based: Broad application support via client software on the user's device.
- Partner/BYOD Use: Clientless: Preferred method. Client-Based: Yes, if desired/needed.
- Employee Use: Clientless: Yes, if desired. Client-Based: Preferred method.

Security Reference Architecture (v3.1)
(Diagram of the Cisco security portfolio across the Cloud Edge Network and the On-Premises Network; panels: XDR Security Operations Toolset, Talos Threat Intelligence, Services, Capabilities, Workload/Application/Data Security, SASE/Security Service Edge, Industrial Threat Defense, In the Office/Managed Location, Zero Trust, User/Device Security, SASE/SD-WAN, SASE/Remote Worker, Hybrid Multi-Cloud.)

Cisco Secure Firewall Zero Trust Access (ZTA)

Secure Firewall Zero Trust Access (ZTA)
Background: Organizations wanting to adopt a Zero Trust posture were required to have additional software installed (like AnyConnect) on client devices, where the client application acted as a proxy and handled authentication and access. That is, until 7.4.
What's New:
- Clientless Zero Trust Application Security functionality in the FTD
- SAML-based authentication of users, with support for Duo, Azure AD, Okta, and other Identity Providers
- No additional network equipment needed. Simply upgrade to FTD v7.4.
Benefits: Enables users to access applications without requiring additional software on personal devices.
Requirements:
- Secure Firewall 7.4
- Snort 3
- FMC On-Prem + FMC REST API, or cdFMC
- Not supported on ASA
- Only Routed mode supported
- Not supported on individual mode cluster

Setting Up Secure Firewall Zero Trust Access
1. Deploy Secure Firewall in the DMZ.
2. Configure your SAML IdP for primary auth.
3. Create public DNS entries for your protected internal web apps to point to the Secure Firewall's public interface.
4. Users access the "internal" app using their browser.
(Diagram: Internet → DMZ (Secure Firewall) → Internal Network (Internal Web Applications, Company Intranet); HTTPS 443 from the user's browser to the firewall; SAML 2.0 to the Identity Provider.)

Demo Setup: Secure Firewall ZTA w/ AD FS
- User Browser
- External DNS: fw.metronic.io & billing.metronic.io → 203.0.113.2
- Internal DNS: billing.metronic.io → 192.168.1.2
- Application Server: 192.168.1.2
- Secure Firewall, OUTSIDE interface 203.0.113.2, w/ TLS Decrypt + IPS + Anti-Malware
- SAML IdP: AD FS

Config: Secure Firewall ZTA w/ AD FS (reference)
User Demo: Cisco Secure Firewall ZTA + AD FS

Cisco Secure Firewall ZTA + Duo
"I'm Lee. I use the same password everywhere."

Authenticate Users: Verify users are who they say they are
- Provide Strong Multi-Factor Authentication: Protects against unauthorized access using valid credentials.
- Quickly deploy and be protected: Cloud native and designed to be user friendly from the start, Duo allows any IT professional to implement at lightning speed.
- Implement Passwordless: Increase security and user productivity by logging in without a password.
- Prevent Push Phishing Attacks: Ensures users don't fall victim to push phishing attacks.

Demo Setup: Secure Firewall ZTA w/ Duo SSO
Same topology as the AD FS demo, except the SAML IdP is Duo SSO, backed by Active Directory through the Duo Authentication Proxy.

Config: Secure Firewall ZTA w/ Duo SSO (reference)
Config: Duo MFA (reference)
User Demo: Cisco Secure Firewall ZTA + Duo MFA
Victim Demo: Push Phishing Attack

Authentication Methods by Level of Assurance
(Chart of authentication methods by level of assurance: Push, Wearables, Phone Call, Soft Token, Biometrics, Security Keys, SMS, Hardware Tokens, Verified Push.)

Strong Multi-Factor Authentication (MFA) Options: Flexible MFA for every use case
- Configure authentication options for each application or group of users
- Require phishing-resistant MFA (FIDO2) for critical applications and privileged users
- Enable multiple options for users for ease of use and flexibility

Prevent Push Phishing Attacks: Verified Duo Push
- Increases security of push-based MFA while preserving ease of use
- Customizable code length
- Can be triggered only when the risk level increases, to preserve user productivity

Trusted Endpoints: Block attackers by only allowing registered and managed devices to gain access to corporate resources
- Block Attackers: Only allow registered or managed devices to gain access to corporate apps and resources.
- Cover BYOD: Safely allow BYOD and 3rd party devices without requiring Mobile Device Management software.
- Control Device Access: Give organizations control over which devices can access corporate apps and resources.
- Mitigate Risk: When limited authenticator options are available.
(Diagram, Level of Trust: Corporate Managed Device, Registered Device, Unknown Device; the unknown device is shown "We're sorry. Access is not allowed.")

Config: Duo Verified Push (reference)
Config: Duo Trusted Endpoints (reference)
User Demo: Cisco Secure Firewall ZTA + Duo Verified Push + Duo Trusted Endpoints (AD Domain)
Attacker Demo: Cisco Secure Firewall ZTA + Duo Verified Push + Duo Trusted Endpoints (AD Domain)

Gartner, Market Guide for User Authentication: "A poor user authentication UX reduces employee agility. Ultimately, it degrades operational performance and decreases business revenue."

The Friction is Real: Authentication Fatigue

Config: Duo Verified Push (reference)
User Demo: Cisco Secure Firewall ZTA + Duo Verified Push + Multiple Browsers

Before: Remembered Device Session Boundaries
(Diagram: First Browser, App, Browser and Second Browser each sit behind their own remembered device session border and each require their own "MFA Access", so every new browser means an interactive authentication, i.e. end-user friction. Authentication is brokered through the device, Duo, and the Device Health Application (DHA). Goal: replace the per-browser boundaries with granular policy coverage and high security, low friction auths: Passwordless and RBA.)

After: Remembered Device Session Boundary
(Diagram: a single remembered device session border spans the first browser, the second browser and the app, with authentication brokered through the device, Duo, and the DHA.)

Admin Experience: Enable Remember Sessions
Config: Duo Verified Push (reference)
Config: Duo Health App Remembered Sessions (reference)
User Demo: Cisco Secure Firewall ZTA + Duo Verified Push + Multiple Browsers + Duo DHA Remembered Sessions

Key Benefits
- Promotes use of strong authentication factors: FIDO2, Verified Duo Push
- Enables widespread adoption of MFA and secure access policies across the customer's IT environment
- Minimizes friction for user login experiences and enables higher productivity
- Reduces IT costs and overheads related to password management
Enforce strong security controls while minimizing friction.

How Does This Work? Is It Secure?
Duo Service associates the unique device identifier issued by DHA on first authentication. Duo Service then evaluates the device identifier on subsequent authentications during the device health check. If it is a match, and the authentication is otherwise allowed by policy, we grant access and do not prompt the user for an interactive authentication. The device identifier is a new, cryptographically secure, random token. It is stored for 12 hours and is communicated to Duo servers via TLS and certificate pinning.
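As an added illustration of the remembered-session check just described (my example, not Duo's implementation), the following models issuing the random device identifier, matching it in constant time on later device health checks, and expiring it after the 12 hours quoted on the slide; storing only a hash of the identifier server-side and the timeline of logins are assumptions.

```python
"""Remembered-session device identifier check (added example, not Duo's code).

Follows the flow on the slide: on first authentication a new, cryptographically
secure random identifier is issued to the Device Health Application; later
authentications present it during the device health check, and a match that
policy otherwise allows skips the interactive prompt. The 12-hour lifetime is
the figure quoted on the slide. Storing only a hash of the identifier on the
server side is an added hardening assumption, the TLS + certificate pinning
transport is out of scope here, and all times are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

IDENTIFIER_LIFETIME = timedelta(hours=12)


def _digest(identifier: str) -> bytes:
    return hashlib.sha256(identifier.encode("ascii")).digest()


class DeviceIdentifierStore:
    """Server side: user -> (sha256(identifier), expiry)."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, datetime]] = {}

    def issue(self, user: str, now: datetime) -> str:
        """Mint a fresh identifier for the DHA to hold; the clear value is never stored."""
        identifier = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._records[user] = (_digest(identifier), now + IDENTIFIER_LIFETIME)
        return identifier

    def matches(self, user: str, presented: Optional[str], now: datetime) -> bool:
        """Device health check: constant-time compare and honour the 12-hour lifetime."""
        record = self._records.get(user)
        if record is None or presented is None:
            return False
        stored_hash, expires_at = record
        if now >= expires_at:
            del self._records[user]                    # stale identifier: forget it
            return False
        return hmac.compare_digest(stored_hash, _digest(presented))


@dataclass(frozen=True)
class Outcome:
    granted: bool
    prompted: bool                  # was an interactive authentication required?
    new_identifier: Optional[str]   # set when a fresh identifier was issued


def authenticate(store: DeviceIdentifierStore, user: str, presented: Optional[str],
                 now: datetime, policy_allows: bool, interactive_succeeds: bool) -> Outcome:
    """Grant without a prompt only when the identifier matches and policy allows."""
    if not policy_allows:
        return Outcome(False, False, None)
    if store.matches(user, presented, now):
        return Outcome(True, False, None)
    # No usable identifier: fall back to an interactive authentication and,
    # once it succeeds, issue a new identifier for the following 12 hours.
    if interactive_succeeds:
        return Outcome(True, True, store.issue(user, now))
    return Outcome(False, True, None)


def scenario() -> Dict[str, Outcome]:
    """Constructed timeline for 'lee': first login, warm session, expiry, bad token."""
    store = DeviceIdentifierStore()
    t0 = datetime(2023, 6, 1, 9, 0)
    first = authenticate(store, "lee", None, t0, True, True)
    token = first.new_identifier
    return {
        "first_login": first,
        "within_12h": authenticate(store, "lee", token, t0 + timedelta(hours=1), True, True),
        "policy_denies": authenticate(store, "lee", token, t0 + timedelta(hours=2), False, True),
        "wrong_token": authenticate(store, "lee", "not-the-token", t0 + timedelta(hours=3), True, False),
        "after_expiry": authenticate(store, "lee", token, t0 + timedelta(hours=13), True, True),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:14s} granted={outcome.granted} prompted={outcome.prompted}")
```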

Duo Passwordless: 1, 2, 3, you are in!
1. Enter your current username.
2. Use passwordless authenticators: Platform Biometrics (Touch ID, Windows Hello); FIDO2 security keys (YubiKey, Feitian); Duo Mobile (passwordless push).
3. That's it!

Config: Duo Passwordless (reference)
User Demo: Cisco Secure Firewall ZTA + Duo Passwordless

Verify Devices: Verify the trustworthiness of devices before granting access
- Assess Security Posture: Deny access to compromised or out-of-compliance devices.
- Verify Endpoint Trust: Block access from unmanaged and unknown devices.
- Guide Self-Remediation: Eliminate vulnerabilities and lower IT costs by empowering users to remediate their device.
- Provide Complete Visibility: Gain complete visibility into all laptops and mobile devices accessing your resources.
Check Device Health: Assess Security Posture and Verify Endpoint Trust, as above.

Config: Duo Passwordless (reference)
Config: Duo Device Health (reference)
User Demo: Cisco Secure Firewall ZTA + Duo Passwordless + Duo Device Health

Risk-Based Authentication (RBA): Maximize security without compromising user productivity
- Adjust authentication requirements in real time based on risk levels
- Patent-pending risk signal analysis with Wi-Fi Fingerprint
- Determine risk levels without infringing on user privacy

Risk-Based Authentication
(Diagram: Risk Signal Analysis (Device Trust, Location (IP), Known Attack Patterns, Wi-Fi Fingerprint) → Level of Trust → Authentication Requirement for corporate resources: Block; Verified Duo Push; Duo Push 2FA; FIDO2 Authenticator; No Re-Auth Required.)
Dynamically adjust requirements based on risk level. Increases user productivity without compromising security.

Risk Signal: Wi-Fi Fingerprint
Anonymized Wi-Fi network data provides a strong risk signal. Low Risk: familiar network fingerprint. High Risk: novel network fingerprint. Wi-Fi Fingerprint analysis requires the Duo Device Health app on Windows and macOS access devices.

Risk Signal: Known Attack Patterns
1. User Marked Fraud: A user has indicated they weren't responsible for a login.
2. Anomalous and suspicious activity: There are unusual authentication attributes, such as repeated authentication failures.
3. Push spray: Authentications show characteristics of an adversary performing a non-targeted push attack across multiple users.
4. Push phishing: Authentications show characteristics of an adversary performing a targeted push harassment attack.
5. Unrealistic travel: A user appears to authenticate from a new location that would be impossible to reach based on the past authentication location.
6. Country code mismatch: The authentication device and access device appear to be in two different countries.

Risk-Based Authentication: Factor Selection
- Enhances security without compromising user experience by stepping up to more secure factors only when required.
- Fends off push phishing attacks while preserving user experience by only requesting additional interaction for high-risk logins.
(Diagram: a Push Phishing Attack Pattern feeds Risk-Based Authentication, which then requires Verified Duo Push. High Risk: Duo recognizes patterns from common MFA-targeted attacks. Low Risk: normal push request patterns. Possible outcomes: Access Denied; Verified Duo Push required; FIDO2 Authentication required; Passcodes/Token required; No Re-Auth Required.)

Risk-Based Factor Selection
Duo Risk-Based Factor Selection works with the existing authentication methods policy for web-based applications that show the Duo Universal Prompt and for the Duo Auth API application (meaning any client app that uses the named Duo Auth API application). When Duo detects a high-risk authentication attempt from a user for an application with Risk-Based Factor Selection policy settings applied, Duo limits the available authentication methods to those that best protect against the risk.

Risk-Based Authentication: Remembered Devices
(Diagram: a Remembered Device goes through Risk-Based Authentication; with no change to the IP address or Wi-Fi fingerprint the result is Frictionless Access, no re-authentication required. Other outcomes: Access Denied; Verified Duo Push required; FIDO2 Authentication required; Duo Push 2FA required.)
Enhanced protection for remembered devices. Dynamically require authentication when a change in risk is detected.
- High Risk: Device is remembered, change in network fingerprint, risk level increased, re-authentication required.
- Low Risk: Device is remembered, no change, no re-authentication required for X days.

Risk-Based Remembered Devices
Adds additional security to the existing Duo Remembered Devices functionality. Establishing the remembered device session is automatic, with no user prompt. Once the remembered device session is established, Duo looks for anomalous IP addresses or changes to a device throughout the lifetime of the remembered device session and requires a new re-authentication if it observes a change from historical baselines. Risk-Based Remembered Devices evaluates 30 days of IP history for each user.

Config: Duo MFA (reference)
Config: Duo Risk-Based Auth (reference)
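The following added example (mine, not Duo's code) models the risk-based factor selection and risk-based remembered-device behaviour described above: the six known attack patterns, Wi-Fi fingerprint familiarity and the 30-day IP history feed a risk level that decides whether a remembered device is re-prompted and which factors stay available. The factor menus, user, IPs and fingerprints are assumptions.

```python
"""Risk-based factor selection and risk-based remembered devices.

Added example: a simplified model of the decision table on the slides, not
Duo's implementation. Risk signals (device trust, location/IP, the six known
attack patterns, Wi-Fi fingerprint) yield a risk level; the level decides
whether a remembered device is re-prompted and which authentication methods
stay available. The 30-day IP-history window is the figure on the slide; the
user, IPs, fingerprints and factor menus below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

IP_HISTORY_DAYS = 30

# The six "Known Attack Patterns" from the slide, split by how they are handled here.
DENY_PATTERNS = {"user_marked_fraud"}
STEP_UP_PATTERNS = {"anomalous_activity", "push_spray", "push_phishing",
                    "unrealistic_travel", "country_code_mismatch"}

# Assumed factor menus, highest assurance first.
FULL_MENU = ["fido2", "verified_push", "push", "passcode", "phone_call", "sms"]
PHISHING_RESISTANT = ["fido2", "verified_push"]


@dataclass
class AuthAttempt:
    user: str
    at: datetime
    src_ip: str
    device_trust: str                       # "managed" | "registered" | "unknown"
    remembered: bool                        # DHA-brokered remembered session active
    wifi_fingerprint: Optional[str] = None  # None: no Device Health app, no signal
    patterns: Set[str] = field(default_factory=set)


@dataclass
class UserBaseline:
    """What the service retains per user: recent IPs and seen network fingerprints."""
    ip_last_seen: Dict[str, datetime] = field(default_factory=dict)
    fingerprints: Set[str] = field(default_factory=set)

    def ip_is_familiar(self, ip: str, now: datetime) -> bool:
        seen = self.ip_last_seen.get(ip)
        return seen is not None and now - seen <= timedelta(days=IP_HISTORY_DAYS)

    def record_success(self, a: AuthAttempt) -> None:
        """Learn from a successful login and drop IPs outside the 30-day window."""
        self.ip_last_seen[a.src_ip] = a.at
        if a.wifi_fingerprint:
            self.fingerprints.add(a.wifi_fingerprint)
        cutoff = a.at - timedelta(days=IP_HISTORY_DAYS)
        self.ip_last_seen = {ip: t for ip, t in self.ip_last_seen.items() if t >= cutoff}


@dataclass(frozen=True)
class Decision:
    risk: str                   # "low" | "elevated" | "high"
    denied: bool
    reauth_required: bool       # False only for a frictionless remembered-device pass
    allowed_factors: List[str]  # methods left on the menu when a prompt is shown


def assess_risk(baseline: UserBaseline, a: AuthAttempt) -> str:
    if a.device_trust == "unknown" or a.patterns & (DENY_PATTERNS | STEP_UP_PATTERNS):
        return "high"
    novel_network = (a.wifi_fingerprint is not None
                     and a.wifi_fingerprint not in baseline.fingerprints)
    if novel_network or not baseline.ip_is_familiar(a.src_ip, a.at):
        return "elevated"
    return "low"


def decide(baseline: UserBaseline, a: AuthAttempt) -> Decision:
    risk = assess_risk(baseline, a)
    if a.device_trust == "unknown" or a.patterns & DENY_PATTERNS:
        return Decision(risk, True, True, [])        # "We're sorry. Access is not allowed."
    if risk == "high":
        # Factor selection: keep only the methods that resist the detected attack.
        return Decision(risk, False, True, list(PHISHING_RESISTANT))
    if risk == "elevated":
        # Remembered or not, a change from the baseline forces re-authentication.
        return Decision(risk, False, True, list(FULL_MENU))
    if a.remembered:
        return Decision(risk, False, False, [])      # frictionless: no re-auth
    return Decision(risk, False, True, list(FULL_MENU))


def scenario() -> Dict[str, Decision]:
    """Constructed walkthrough for 'lee', the demo persona on the slides."""
    t0 = datetime(2023, 6, 1, 9, 0)
    day = timedelta(days=1)
    base = UserBaseline()
    base.record_success(AuthAttempt("lee", t0, "198.51.100.10", "managed", False, "wifi:home"))
    return {
        "same_network_remembered": decide(base, AuthAttempt(
            "lee", t0 + day, "198.51.100.10", "managed", True, "wifi:home")),
        "new_cafe_network": decide(base, AuthAttempt(
            "lee", t0 + 2 * day, "203.0.113.77", "managed", True, "wifi:cafe")),
        "push_phishing_pattern": decide(base, AuthAttempt(
            "lee", t0 + day, "198.51.100.10", "managed", True, "wifi:home", {"push_phishing"})),
        "unknown_device": decide(base, AuthAttempt(
            "lee", t0 + day, "198.51.100.10", "unknown", False)),
        "stale_ip_history": decide(base, AuthAttempt(
            "lee", t0 + 40 * day, "198.51.100.10", "managed", True, "wifi:home")),
    }
```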

User Demo: Cisco Secure Firewall ZTA + Duo Risk-Based Auth (High Risk)
User Demo: Cisco Secure Firewall ZTA + Duo Risk-Based Auth (Low Risk)

Eliminate the Trade-off
(Diagram: Strong Security vs. High Productivity; the High Risk / High Friction corner gives way to Greater User Productivity and Greater Business Security.) Frustrate attackers, not users.

Cisco Zero Trust Access Options: Secure Firewall
- Hosting: Hardware/VM
- Type: Clientless
- Client: Web browser
- Supported Traffic: Client-to-server
- Supported Apps: HTTPS
- Client Protocol(s): TLS
- Controls: Per-App Policy, TLS Decrypt, IPS, Anti-Malware

Duo Network Gateway (DNG)

VPN-less Remote Access to Private Applications: Detect user & device context for internal apps with the Duo Network Gateway
(Diagram: a Trusted User on a Trusted Device reaches the DNG (443) across the Public Internet; behind it sit SSH/RDP and web applications grouped into Security Groups: Tier 1 10.0.0.1-4, Tier 2 *.domain.local, Tier 3 192.0.0.1/24.)
Use Cisco Duo Premier to secure access to private applications on-premises or in the public cloud. Supports: HTTP/S, SSH, RDP, SMB.

Setting Up Duo Network Gateway (DNG)
1. Deploy a DNG in the DMZ.
2. Configure your SAML IdP for primary auth.
3. Create public DNS entries for your protected internal web apps to point to the DNG's public interface.
4. Users access the "internal" app using their browser.
Learn how to set up DNG. (Diagram: Internet → Perimeter Firewall → DMZ (Duo Network Gateway) → Internal Firewall → Internal Network (Internal Web Applications, Company Intranet); HTTPS 443 from the user's browser to the DNG; SAML 2.0 to the Identity Provider.)

Demo Setup: Secure Firewall ZTA w/ Duo SSO (same topology as earlier)

Demo Setup: Duo Network Gateway w/ Duo SSO
- User Browser
- External DNS: dng.metronic.io & billing.metronic.io → 203.0.113.2
- Internal DNS: billing.metronic.io → 192.168.1.2
- Application Server: 192.168.1.2
- Duo Network Gateway (DNG): 203.0.113.2, behind an Edge Firewall
- SAML IdP: Duo SSO, backed by Active Directory through the Duo Authentication Proxy

Config: Duo Network Gateway (DNG) (reference)
User Demo: Duo Network Gateway (DNG)

Cisco Zero Trust Access Options: Secure Firewall vs. Duo Network Gateway
- Hosting: Hardware/VM vs. Docker Container
- Type: Clientless vs. Clientless
- Client: Web browser vs. Web browser and/or Duo Connect
- Supported Traffic: Client-to-server vs. Client-to-server
- Supported Apps: HTTPS vs. HTTP, HTTPS, RDP, SSH, SMB
- Client Protocol(s): TLS vs. TLS
- Controls: Per-App Policy, TLS Decrypt, IPS, Anti-Malware vs. Per-App Policy, Identity, Access Control, Device Posture, Geolocation

Cisco Secure Access

Cisco Secure Access: Go beyond core Security Service Edge (SSE) to better connect and protect your business
Cisco delivers the core and more in a single subscription. Components shown: Core SSE with Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB) and DLP, Firewall as a Service (FWaaS) and IPS, DNS Security; plus Duo MFA/SSO, CSPM, Remote Browser Isolation*, Multimode DLP, VPN as a Service, Sandbox, Advanced Malware Protection, Talos Threat Intelligence, Digital Experience Monitoring*. Add-on solutions: SD-WAN, XDR.
* Included in the unified experience / separate license (optional)

Easy, Frictionless User Experience
Step 1: Log in. Step 2: Securely start work. Cisco Secure Access connects users to Internet apps, SaaS apps, core private apps, and longtail/non-standard apps. Note: Supports both client and clientless Zero Trust Access connectivity.

User Demo: Cisco Secure Access + Client-Based Zero Trust Access

Cisco Secure Client Zero Trust Access Module
- Transparent user experience
- Proxied resource access with coarse-grained or fine-grained access control
- Service-managed client certificates with TPM/hardware enclave key storage
- Support for both TCP and UDP applications
- Cisco and third-party VPN client interop
- Next-generation protocol (MASQUE + QUIC)

What is QUIC and MASQUE?
QUIC (not an acronym): UDP-based, stream-multiplexing, encrypted transport protocol. First used in Google Chrome in 2012. Used for HTTP/3, iCloud Private Relay, SMB over QUIC, DNS over QUIC, etc. Optimized for the next generation of internet traffic with reduced latency compared to TLS over TCP.
MASQUE (Multiplexed Application Substrate over QUIC Encryption): IETF working group focused on next-generation proxying technologies on top of the QUIC protocol. Provides the mechanisms for multiple proxied stream- and datagram-based flows inside HTTP/2 and HTTP/3. Used by iCloud Private Relay since 2021. HTTP/2 and HTTP/3 extensions allow for the signaling and encapsulation of UDP and IP traffic.
When combined, MASQUE + QUIC provides an efficient and secure transport mechanism for TCP, UDP and IP traffic for both web and non-web protocols.

Why QUIC?
- Fast connection establishment (0-RTT)
- Ability to change IPs without renegotiation (connection migration)
- No waiting for partially delivered packets (individually encrypted packets)
- Not vulnerable to TCP meltdown (UDP transport)
- No head-of-line blocking (stream multiplexing)
- Can simultaneously use multiple interfaces (multipath)

Why MASQUE?
- No direct resource access (proxy architecture)
- Broad application support (TCP, UDP and IP)
- Fallback to HTTP/2 (TCP 443) if QUIC (UDP 443) is blocked
- Flexibility to support per-connection, per-app or per-device tunnels
- Native OS support

Vision Demo: Cisco Zero Trust Access on Apple iOS

More on Apple's Native OS Support of MASQUE
"Learn how relays can make your app's network traffic more private and secure without the overhead of a VPN. We'll show you how to integrate relay servers in your own app and explore how enterprise networks can use relays to securely access internal resources." https:/

Zero Trust Access Module: Socket Intercept
Why Socket Intercept? C

112、f a VPN.Well show you how to integrate relay servers in your own app and explore how enterprise networks can use relays to securely access internal resources.”https:/ Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveZero Trust Access Module-Socket InterceptWhy Socket Intercept?C

113、ontrol of DNS and application traffic before VPN clientsNo route table manipulationAbility to capture traffic by IP,IP subnet,FQDN and FQDN wildcardInteroperability with Cisco and non-Cisco VPNs115BRKSEC-2079VPN ClientsZero TrustAccess ModuleApplicationSocket Intercept/FilterPacket Intercept/FilterR

114、outing TableVirtual InterfacePhysical InterfacePacket Intercept/FilterUser Demo:Cisco Secure Access+Client-Based Zero Trust Access+Third-Party VPN(OpenVPN)2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#Cis

115、coLiveZero Trust Access JourneyNetwork level access cannot control at app level difficult to deploy and manage Traditional VPNTraditional VPNLift and shift your VPN to the cloud more control and easier to manage VPN asVPN as-a a-ServiceServiceGranular controls at the application level.VPNaaS for non

116、-standard apps Unified Zero Trust AccessUnified Zero Trust Access+VPNaaSVPNaaSSuccessSuccessPragmatic migration to more control direct to private appsZero Trust Access does not work for non-standard appsSetting up Zero Trust Access for every app and user can be arduousMove apps to Zero Trust Access

117、over timeReduced threat surfacePosture verificationApp-specific accessLeast privileged accessBenefitsTake control of all your private apps with precisionBRKSEC-2079118 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisco Secure Access-Policy Table119BRKSEC-2079Reference 2

118、023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisco Secure Access-Private Resources120BRKSEC-2079Reference 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisco Secure Access-Private Access Rule121BRKSEC-2079Reference 2023 Cisco and/or its affil

119、iates.All rights reserved.Cisco Public#CiscoLiveZero Trust Access Traffic FlowPrivate TrafficSecure TunnelPrivate ApplicationsCisco Secure AccessPOPs in Public CloudMASQUEDC/Colo/BranchPublic/Private CloudPrivate ApplicationsZero TrustAccess ModuleL3/4/7 FirewallMFASupportDevice Postureand HealthOpt

120、ionalAuthIPSec backhaul orApp connector BRKSEC-2079122 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveZero Trust Access App ConnectionsNetwork Tunnel IPSec Backhaul Static or BGP based routing Auto Failover/RedundancyApplication Connector(AC)Software deployment(VM or Clou

121、d Instance)Deploy closest to application Outbound connectivity(no holes in firewall)Auto failover/load balancingIPSecOutbound DTLS TunnelsAppsAppsData CenterCloudCisco Cisco Secure Secure AccessAccessBRKSEC-2079123 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisco Zero

122、 Trust Access OptionsSecure FirewallSecure FirewallDuo Network GatewayDuo Network GatewayCisco Secure AccessCisco Secure AccessHostingHardware/VMDocker ContainerSaaSTypeClientlessClientlessClientlessClient-BasedClientWeb browserWeb browser and/or Duo ConnectWeb browserZero Trust Access ModuleOS Nati

123、ve ClientsVPN ModuleSupported TrafficClient-to-serverClient-to-serverClient-to-serverClient-to-serverClient-to-server,Client-to-client,Server-to-clientSupported AppsHTTPSHTTP,HTTPS,RDP,SSH,SMBHTTP,HTTPSTCP,UDPTCP,UDP,ICMPClientProtocol(s)TLSTLSTLSMASQUE over QUIC or TLSTLS,DTLS,IPSecControlsPer-App

124、Policy,TLS Decrypt,IPS,Anti-MalwarePer-App Policy,Identity,Access Control,Device Posture,GeolocationPer-App Policy,Access Control,Device Posture,Geolocation,TLS Decrypt,IPS124BRKSEC-2079 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveEnter your personal notes hereCisco We

125、bex App Questions?Use Cisco Webex App to chat with the speaker after the sessionFind this session in the Cisco Live Mobile AppClick“Join the Discussion”Install the Webex App or go directly to the Webex spaceEnter messages/questions in the Webex spaceHowWebex spaces will be moderated by the speaker u

126、ntil June 9,2023.1234125https:/ 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKSEC-2079125 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveFill out your session surveys!Attendees who fill out a minimum of four session surveys and the overall event surv

127、ey will get Cisco Live-branded socks(while supplies last)!126BRKSEC-2079These points help you get on the leaderboard and increase your chances of winning daily and grand prizesAttendees will also earn 100 points in theCisco Live Challenge for every survey completed.2023 Cisco and/or its affiliates.A

128、ll rights reserved.Cisco PublicContinue your educationVisit the Cisco Showcase for related demosBook your one-on-oneMeet the Engineer meetingAttend the interactive education with DevNet,Capture the Flag,and Walk-in LabsVisit the On-Demand Library for more sessions at www.CiscoL 2023 Cisco and/or its

129、 affiliates.All rights reserved.Cisco Public#CiscoLiveMore on Cisco Secure Firewall ZTA128BRKSEC-2079 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveMore on SAML and Duo129BRKSEC-2079 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive130More on Ci

130、sco Secure AccessBRKSEC-2079Thank you#CiscoLive 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive132Gamify your Cisco Live experience!Get points Get points for attending this session!for attending this session!Open the Cisco Events App.Click on Cisco Live Challenge in the side menu.Click on View Your Badges at the top.Click the+at the bottom of the screen and scan the QR code:How:1234132 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKSEC-2079#CiscoLive
