Friday, 8 May 2026

Cisco Secure Access notes

Intro to Cisco Secure Access (CSA)

At a high level it works like this:
  • Users > CSA > Resources

Ways to connect to CSA

  • Remote managed > ZTNA  > CSA
  • Remote managed > VPNaaS > CSA
  • Remote unmanaged > Clientless ZTNA > CSA
  • Branch > IPsec tunnel > CSA
  • IOT devices > IPsec tunnel > CSA
  • We can also integrate SD-WAN connections into CSA (more on it later)


What we can do inside CSA
  • Groups
  • firewall rules
  • web gateway
  • DLP
  • CASB (cloud security broker)
  • Device posture
  • ZTNA
  • Monitor and TS

Outbound from CSA
  • Connections to Internet and SaaS sites
  • Backhaul to private apps hosted in your public or private cloud
  • IPsec tunnels to other datacenter/pop/brance

PoP is point of presence. Often user will connect to the closest one for lowest latency 
CSA connection can enter the POP in dublin and etc the POP in France for examle

What problem is cisco secure access trying to solve ?
  • Orgs with remote users and 3rd party contractors who need access but also all secure 
  • Orgs with users who are mobile (in office / at home / on the road)
  • Orgs with hybrid setups (on prem / public cloud / private cloud / SaaS)
  • Consolidate all the access policies in one place
  • Keep a zero trust mindset
Secure private access (tunnel or proxy)
  • Via VPN
  • Via ZTNA client 
  • Via ZTNA clientless 

Secure Internet Access (s
  • VPN full tunnel
  • Internet security module
  • Branch DIA
We can have SPA and SIA working together


Insights and monitoring
Admins and monitor endpoint performance with thousand eyes
Need an account and agent deployed

Global scale architecture 
User > CSA POP > CSA routing > CSA POP > Resource

Unified cloud architecture 
  • Control everything in one cloud dashboard
  • Traffic acquisition 
  • Collect and augment with extra data (posture etc) 
  • Classify traffic (public / private)
  • Rules (FWaaS / SWG / CASB / Decryption / IPS / DLP)
  • Send via backhaul or internet 
Open APIs
  • As well as the cloud dashboard
  • Multiple Restful API
  • Automate tasks
  • Deployment
  • Admin
  • Policies
  • Reports
Talos threat intelligence 
Visibility across the entire threat landscape fusing experts data and gen AI
Talos detect threats and block them for all customers

User connectivity
  • VPNaaS
  • ZTNA module
  • Web roaming module (80/443 only)
  • Clientless ZTNA
VPN (DTLS/IPsec) > ZTNA (Wireguard/gRPC) > ZTA (MASQUE/QUIC)

TLS - TCP security
DTLS - UDP (some speed improvement)
QUIC is UDP based (fastest0), a way to speed up TLS connections
MASQUE - Multiplex Application Substrate over QUIC encryption / a streaming protocol. This is an application proxy that runs on top of QUIC. It can have multiple streams active in one MASQ session.

Client connectivity 

Secure client 
VPN > ASA> IPsec / Internet 
ZTNA client > ZTNA proxy > IPsec / Resource connector 
Sec/Roaming module  > DNS/SWG > Internet 
 
Clientless > Rev Proxy > IPsec / Resource connector 
Branch > IPSec > IPsec / Internet 

Cisco Secure Client
You will need to deploy the CSC client with the ZTNA module
Duo desktop will also be deployed if you use posture

Other modules
Secure endpoint (formerly AMP)
Roaming module (Umbrella but this will be replaced)
Thousand Eyes (no UI)
Cloud management module (no UI)
DART

Secure Private Access (client based ZTNA)
ZTNA supports apps via IPsec backhaul
FTD > HA VTI tunnels > CSA
We create two tunnels to CSA for redundancy 
We configure BGP between the two so they can exchange routes

Secure Private Access (clientless)
Only works with web apps

Secure Private Access (VPN)
Connect to secure access cloud

Secure Internet Accesss via VPNaaS
Connect to CSA then on to internet sites / SaaS

Modular policy with magnetic UI
Define apps / resources
define private / public rules

Live demo
https://www.cisco.com/c/en/us/products/security/secure-access/live-demo.html
Cisco have a live demo which you can try it out
First step will be to setup a tunnel group (VPN)
Setup on your peer on the HQ or brance

Connector groups are for the resource connectors
We can add one to AWS Azure and VMware

We can add SAML/SSO for our user ID

Private resources 
We can had a file server here

You can make firewall rules under secure

Zero trust 
  • Micro segmentation 
  • Network isolation
  • Native OS support
  • TPM to protect certs and key
Principals 
  • Never trust
  • Always verify
  • Enforce least privilege 
Success factors
  • Allow the user to work securely with minimal disruption
  • Adjust policy to risk
  • Consistency across environments because of shared policy
AI assistant
Helps you create rules but leaves them disabled, a human must enable the rule.

Planning for a CSA project delivery
  • Well defined scope and timelines
  • Access to sites / network devices etc
  • Clear roles and responsibilities
  • Single customer point of contact / PM
  • Customer involvment and comms
  • Clearly defined and agreed use cases
  • Pilot and customer validation
  • Knowledge transfer
  • High level docs
  • SOW - statement of work
  • BOM - Bill of materials
  • Checklist
Secure Access licensing 

Essentials 
  • Secure internet access (SIA)
  • Secure Private Access (SPA)
  • SWG
  • ZTNA
  • L3/4 firewall
  • CASB
  • RBI (for risk traffic or high level phishing targets)
Advantage
  • Everything in essentials 
  • Layer 7 firewall
  • IPS
  • DLP
  • RBI
Licensing subscriptions
based on per user 
1 year
3 year
5 year 
Non standard terms on per contract basis 

Cisco user protection suite
Incorporates related technologies all into one solution
  • Posture and auth management 
  • Endpoint security 
  • Email security 
  • Experience insights
  • Remote browser isolation
  • Security Service Edge 

Posted by at No comments:
Labels: , , ,
Subscribe to: Posts (Atom)