CISCO

SECURE

Cisco Secure Access

“Addressing the Challenges of Secure Connectivity with
relentless focus”

Prabhat Singh, VP Engineering, Cloud Security

Eric Wang, Chief Architect, Cloud Security
John Rauser, Sr Director, Engineering, Cloud Security
Challenges in Secure Connectivity

§ Significant challenges in dealing with policy complexity

§ Legacy on-premises VPN Infrastructure
§ Advent of Generative AI Apps leading to data leakage
risks
§ Limited flexibility and efficiency of secure connectivity
to private applications
§ Need high throughput connectivity between users and
applications
§ Inadequate security while accessing cloud and on-
prem applications
§ Data residency requirements for global markets
Cisco Secure Access: The Transformation Journey

…of our infrastructure and platform …of our users’ experience

…of our software delivery systems

…of our product architecture
Our Commitment to Exceptional Quality

§ Ensured Frictionless Adoption and Migration

Experience
§ Brought an intuitive-ease-of-use to the product

§ Highly Available, Reliable, and Scalable

Service
§ Monitoring Product Telemetry and Field
feedback for hotspots

§ Culture is geared towards Speed and Agility

§ Problems will happen
§ Committed to Hyper-fast resolution of problems
and opportunities.
Industry’s first Intelligent unified policy management
solution
”Intent based Security and
Access Policies”

Ex. “Allow Sam access to jira but

do not allow him access to
Facebook”
 Industry’s first Intelligent unified policy
management solution
Policy Enforcement Points

F/W
DLP
SWG

Unified
Policy Intent Policy
User’s Intent ZTNA
Management Interpretation Distribution
UI

IPSEC
In Natural GenAI SDWAN
Language Policy RAVPN
Ex. “Allow Sam access to jira but Assistan
do not allow him access to t
Facebook”
Generative AI-Driven capabilities for data protection

User submits
sensitive DLP
1 information as a Inspector ChatGP
Prompt (SWG) T

Document
submitted to
SSE for
inspection
2 Employee Cisco
uses GenAI Submission DLP Secure
generated UI Inspector
Document (SWG) Access
LLM
Confidence
Score
(0 – 100 %)
Architecture Deep Dive
 Unified SSE and SASE Services
CNHE: Cloud Native Headend (unified headend)
Umbrella Roaming Security SFCN: Secure Firewall Cloud Native
VPP: Vector Packet Processor

Access (Client/User) Access Control & Security Scan Access (Server/App)

NATaaS Internet
/ SaaS
FWaaS SWG
(VPP)
CNHE (SFCN/Snort)
Unified
Headend Secure Internet Access (SIA) CNHE Private
Apps
Branch S2S (VPP) Unified
Catalyst SD-WAN (Viptela)
Meraki SD-WAN Headend Branch S2S
Common (VPP)
FWaaS w/ IPS, AMP Catalyst SD-WAN (Viptela)
Scanning Meraki SD-WAN
(SFCN/Snort/NGFW)
RA-VPN Service
(SFCN/ASA) Network-to-Network (East- (IPS, DLP,
West): Branch to branch, AMP, AV,
AnyConnect RA-VPN RA-VPN
Remote user to Branch, Remoter Sandboxing,
(SFCN/ASA)
use to remote user …) AnyConnect RA-VPN

ZTNA
Headend
ZTNA Proxy Resource
HTTP/MASQUE
ZTNA Client ZTNA security policy Connector RC
Proxy Agent Private
Gateway Apps
Secure Private Access (SPA)
Browsers
Public Cloud, Private DC, MSP
Packet Flows (Phase 1)
1. 0 (DNS Security)
2. 1/2/3/4/5/10 (Branch to Internet)
3. 1/2/3/4/3/6/15/9 (Branch to Branch)
4. 7/8/3/4/5/10 (RAVPN user to Internet)
5. 7/8/3/4/3/6/15/9 (RAVPN user to Branch/private app)
6. 12/13/3/4/3/6/15/9 (Client-based ZTNA to Private
App via S2S VPN)
7. 16/17/3/4/3/6/15/9 (Client-less ZTNA to Private App
via S2S VPN)

SR
8. 20/5/10 (SWG roaming user to Internet)
9. 7/8/3/4/3/8/7a (RAVPN user to RAVPN user)
10. 1/2/3/4/3/8/7a (Branch user to RAVPN user)
11. 12/13/3/4/3/18/19/9 (Client-based ZTNA to Private
App via App Connector)
12. 16/17/3/4/3/18/19/9 (Client-less ZTNA to Private App
RC GW RC
Agent
via App Connector)
13. 11/14/3/4/5/10 (Cisco SD-WAN to Internet, DIA use
case)
CNHE: Cloud Native Headend (unified headend)
SR: Service Router (overlay service interconnect)
SFCN: Secure Firewall Cloud Native
VPP: Vector Packet Processor
 All-level Resiliency DNS GeoLB
Umbrella DNS GeoLB
Route 53

AWS Region A Private Edge Region A

Cloud Resiliency Edge Resiliency

Cloud Resiliency Edge Resiliency
Region 0 Region 0
Region 1 Region 1
Tunnel LB VPN LB LB LB
Tunnel LB VPN LB NLB NLB

RA- ZTNA IPSec

CNHE RA-
CNHE ZTNA
CNHE CNHE
IPSec
CNHE CNHE CNHE CNHE
SWG SWG
VPN Proxy
Data
Data VPN
Data Proxy
Data Data
Data
Data Data Data Data
Proxy CNHE
Node CNHE
Headend CNHE
Headend Proxy
CNHE
CNHE
Node CNHE
Headend CNHE
Headend CNHE Node Node Node Node
Node Node Node Node

Service
Service
Router
Router Resource Security
Resource
Resource Security
Resource FWaaS
Resource Resource
FWaaS
Resource Resource Connector Scan
Connector
Connector Scan
Connector Connector Connector
Connector
GW Connector GW GW
GW GW GW
GW GW Resource
Resource Resource
Resource Resource
Connector
Resource
Connector Connector
Connector Connector
GW
Connector
GW GW
GW GW
GW
NATaaS
NAT Gateway
Tenant LB
Cloud DC 0 Tenant LB Edge DC 0

Cloud DC 1 Edge DC 1

Edge DC 2
POP Buildout (Oct Release)
16 POPs in AWS, across 8 Geographical regions

Private Preview GA

4 Regions – 8 Geo Regions -

one POP per two POPs per
region Region

Time reduction to build a new POP (engineering target)

March May Jul Sep Oct goal

8 weeks 6 weeks 4 weeks 2 weeks 1 week

Note: does not include finance & legal approval times

Global Scale Architecture
Connecting users and apps from anywhere to anywhere, with low latency
and high availability

Carrier • Overlay service network

Resiliency Networks Resiliency independent of underlying network
Region Region
architecture (CSP, private network
Private
or hybrid)
Private
Edge Service Service Edge
DC Router Internet Router DC • Overlay Service Router
Exchanges TE
TE interconnects services within and
across POPs, and globally

AWS Cloud AWS

• Private peering to major carriers,
Cloud Service
Router Service Service Cloud Internet exchanges and CSPs for
DC Router DC
Providers
TE
low latency and redundancy
TE

• ThousandEyes (TE) integration and

private tooling for continuous
Internet
Transit
mentoring for availability, latency
Underlay network and optimal paths
Overlay network
 “Flex-Single-Pass” Architecture
• Each service responsible for its
own layer – no redundant
processing; parallel scans
• Consistent multi-stage policy
evaluation as data becomes
available (L3/4àL7àcontent)
• Metadata shared across services
for flexible services and end-to-
end policy
• Optimized for flexibility/scalability
and single-service performance
• Expanded to global connections Products

with Service Router – consistent

security even traversing across
geo-regions
Zero Trust Access Deep Dive
Three “Simple” Elements

Client Cloud Applications

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
Client Browser-Based ZTNA
Proxy
Architecture
Thousand
Eyes Agent Client ZTNA Proxy

E
Duo Agent Zero Trust Access MASQU

DNS Resolvers
urity
DNS Sec
Umbrella Roaming

Web Secu
Lee rity Secure Web Gateway

VPN
RA-VPN
Tunnel Cloud VPN Headend

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco confidential 18
 Customer’s
ZTA Overall Solution Architecture MFA

Admin Configuration Customer’s

IdP

Dashboard json API Configuration Identity

Gateway Distribution Gateway
Admin
Control Reporting
Plane
Posture Service ZT Controller
(enrollment, configuration)

CTL
Posture
Service
Client
(AnyConnect + Policy
Service
DHA) ZT Proxy
User
VPP
Client Service Service
Router Resource
DNS Connector
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco confidential
 App 1

IPSec
Endpoint App N

Client
Clientless App
App 1
Connector 1

App
Connector 2

App 2
App
Connector 3

App Connector
Group1

App
Connector 1 App 3

App
Client Connector 2
App 4
Clientless App Connector
Group2
 Need for Highly Context Sensitive and
Adaptive Zero Trust Solutions
Adaptive
Zero Trust

• Least-privilege access
Contextual • Continuous posture
Maturity

Zero Trust and trust assessment

• Hybrid Networking
• Posture based Access • All Apps secured
Basic Zero • Step-up Authentication
Trust • Client/-less Access
• Fine grained Segmentation
Implicit • MFA • Metadata driven Access
Trust • Coarse Segmentation
• Privileged Apps secured
• Single Factor Auth
• Unsegmented
• Open Access

Zero Trust Journey

Industry-first HTTP3-based proxy for secure, segmented
ZTNA
World’s most widely deployed VPN now being offered as
a SaaS service from the cloud
• Enables frictionless and hassle-free migration journey to the cloud
• Provides Secure Web, Firewall and DLP inspection of traffic
• Fall back option to ZTNA for all port / all protocol traffic
High performance traffic acquisition technology for IP-Sec
and SD-WAN (Meraki/Catalyst)
• Provides high-performance flexibility connectivity to the SSE cloud
• Any customer-premise: SD-WAN, branch, DC, private cloud
• Unified cloud-native headend (CNHE) with pluggable architecture and high-
performance data plane (VPP)
Feature rich, high performance enterprise firewall with
SWG and content inspection services

Deep
Inspection &
Any User FWaaS Content
Scan
Any App
Any Device Any Service
Any Connection IPS
Any Device
DLP
Anywhere Anywhere
AMP
Anytime SWG Anti-Virus Anytime
Sandboxing
…

• Enterprise-grade Firewall and SWG as cloud services, compatible with Secure Firewall
• Same level of protections for all user traffic paths, Internet access, private application access
and network-to-network
• Complete threat protection and data protections. More content scan engines than NGFW
• Enables extension of on-prem network segmentation and policy to cloud