Endpoint SD-WAN Client Hands On Training Lab
2023 © Netskope Confidential. All rights reserved.

Netskope Unified Client with Endpoint SD-WAN and SSE

Netskope Unified Client, tailored for remote users, integrates SD-WAN and SSE to deliver a secure, high-performance network environment, ensuring reliable and protected connectivity for individuals working remotely.

SASE: the industry's first unified SASE client with Endpoint SD-WAN + SSE
• One Client for SSE + SD-WAN
• ML-driven Insights and Visibility
• Assured App Experience
• One-to-Many, Server Initiated
• One Policy for Branch & Remote

Borderless SD-WAN – A Glance
Zero trust, performance-optimized & one-click

1. Netskope Intelligent SSE (Netskope NewEdge, Web and SaaS)
2. SASE Gateway: deployed at the edge, the SASE Gateway (spoke) selects the closest NewEdge data center, establishes tunnels and performs intelligent app-aware traffic steering. The SASE Gateway (hub) in the customer's data center or in the cloud provides site-to-site optimized connectivity for critical apps and traffic (esp. voice/video).
3. SASE Orchestrator: Netskope cloud-native management/controller; 100% SaaS, multi-tenant, compliant.
4. SASE Client: provides SWG + CASB + SD-WAN functionality.

[Diagram: Sites, Users and IoT Devices connect through a SASE Gateway (spoke) to Netskope NewEdge and to SASE GW Hubs in public/private data centers; voice/video flows run hub to hub; the SASE Controller manages all components.]

Netskope ZTNA Next L3E as a Service

[Diagram: Remote User with Netskope Client connects over the Internet Overlay to Virtual SASE GWs at SP PoP 1 and SP PoP 2 (SWG/CASB via SSE lic.); the SP PE routers connect over MPLS with BGP to the Customer Network.]

Netskope ZTNA Next 360 as a Service

[Diagram: same topology as ZTNA Next L3E as a Service, with an NPA Publisher added.]
Netskope ZTNA Next 360 as a Service

[Diagram: Option 1 (SP Hosted Hub) places the Virtual SASE GW hubs at SP PoP 1 and SP PoP 2; Option 2 (Customer Hosted Hub) places the SASE GW hub in the Customer Network. In both, the Remote User with Netskope Client reaches the hub over the Internet Overlay with SWG/CASB (SSE lic.) and a Publisher, and the SP PE routers connect over MPLS with BGP to the Customer Network.]

Advantages:
• Access to all applications, including client-to-server and server-initiated flows
• One-to-many connectivity

Additional options:
• Endpoint SD-WAN – path quality, app visibility & AppQoE
• Least-privilege, identity-aware access
• Clientless access + FQDN-based app access

Hub Groups: Overview

DC Hub Grouping enables the logical grouping of GWs deployed at a single location or across multiple locations. This enables the network infrastructure to scale, accommodating thousands of remote Clients while maintaining reliability and performance. Along with scaling, it facilitates automated failover between multiple hubs in a network environment, ensuring uninterrupted client-to-hub traffic.

Hub groups are configured on the basis of location or collective function. Clients are configured to connect to an individual hub within the group, selected at random among the available hubs or based on geolocation proximity. This arrangement aims to distribute clients evenly across the hubs within the group, optimizing resource usage and improving overall network performance.

[Diagram: hub group with Hub H1 (Pool: 10.1.1.0/21, State: Active), Hub H2 (Pool: 10.2.2.0/21, State: Active), Hub H3 (Pool: 10.3.3.0/21, State: Active), Hub H4 (Pool: 10.4.4.0/21, State: Active).]

Easy scaling and failover: the connection to the remote user Client is via the BWAN tunnel to the GW Hub.

Ease of Access – Remote Connection: a remote IT admin, either behind the BWAN Hub or connected remotely via Netskope Client, can RDP.
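An added illustration (not Netskope code) of the hub selection described above: a client picks one Active hub from the group either at random or by geolocation proximity, and on failover re-selects by the same rule with the failed hub excluded. Hub pools and states follow the diagram; the hub coordinates and the client location are constructed.

```python
import math
import random

# Hub group as on the slide (pools and states); coordinates are constructed
HUBS = {
    "H1": {"pool": "10.1.1.0/21", "state": "Active", "lat": 37.4, "lon": -122.1},
    "H2": {"pool": "10.2.2.0/21", "state": "Active", "lat": 40.7, "lon": -74.0},
    "H3": {"pool": "10.3.3.0/21", "state": "Active", "lat": 51.5, "lon": -0.1},
    "H4": {"pool": "10.4.4.0/21", "state": "Active", "lat": 1.35, "lon": 103.8},
}


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) used for geolocation-proximity selection."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 6371.0 * 2 * math.asin(math.sqrt(a))


def available(hubs):
    """Only hubs whose state is Active are candidates for a client."""
    return [name for name, h in hubs.items() if h["state"] == "Active"]


def select_hub(hubs, client=None, rng=random):
    """Pick a hub at random, or the nearest one when the client's (lat, lon) is known."""
    names = available(hubs)
    if not names:
        raise RuntimeError("no Active hub in the hub group")
    if client is None:
        return rng.choice(names)  # random spread of clients across the group
    lat, lon = client
    return min(names, key=lambda n: km_between(lat, lon, hubs[n]["lat"], hubs[n]["lon"]))


def failover(hubs, current, client=None, rng=random):
    """Automated failover: mark the current hub Down and re-select by the same rule."""
    hubs = {n: dict(h) for n, h in hubs.items()}  # work on a copy of the table
    hubs[current]["state"] = "Down"
    return select_hub(hubs, client, rng)
```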
BWAN Client Features
1. On-prem detection
2. User authentication
3. Prelogon tunnel
4. Device posture check
5. Multilink
6. User-group based policies

BWAN Client Features: On-Prem Detection

On-Prem detection enables the BWAN Client to identify its position, on-prem or remote, and automatically deactivates the BWAN tunnel if on-prem detection is successful. Detection can be done using DNS resolution or HTTP server access.

[Diagram: Remote User with Netskope Client on premise (office/workspace) probes DNS and HTTPS; the SD-WAN overlay tunnel is not formed when on-prem is detected.]

• When enabled, the Client enters auto-detection mode, wherein "Detection" is governed by the Netskope Console and will be the same as for the Netskope SSE Client
• Disabling the toggle overrides the default settings from the Netskope Console; detection can then be configured to rely on DNS domain resolution or HTTP server access
• When on-prem detection is successful, the Client disables the tunnels to the Hub(s), remains in Active state and shows its status as [On-Prem]

BWAN Client Features: User Authentication

The user authentication feature prompts the remote Client user to authenticate against the configured IDP before accessing resources at the Hub. This provides enhanced security and further enforces zero-trust access with least-privilege, user-group based access.

[Diagram: (1) the user authenticates against the IDP, (2) the session is established over the SD-WAN overlay tunnel from the Remote User with Netskope Client to the BWAN GW Hub, (3) security rules are enforced on the Hub for authenticated clients before the Private App is reached.]

• When enabled, the user is prompted to authenticate against the configured IDP
• Once the user authenticates, the user information is sent over the BWAN tunnel
• User-group based security policies can be created and enforced on the Hub
BWAN Client Features: Prelogon Tunnel

The Prelogon tunnel feature brings up the tunnel from the Client to the Hubs before the user logs into the machine.

[Diagram: (1) Hub firewall rules defined for authenticated clients; (2) session established over the SD-WAN overlay tunnel from the Remote User with Netskope Client, still at the lock screen, to the BWAN GW Hub and Private App.]

• When enabled, the Client establishes the tunnels to the Hubs before the user logs into the machine
• Disabling the feature sets the Client to bring up the tunnel only once the user logs in to the machine
• The feature enhances security
• The feature also ensures the user can reach necessary resources such as DNS and domain controllers while the user is not yet authenticated

BWAN Client Features: Device Posture

The Device Posture check feature determines whether to permit or deny devices from connecting to the BWAN tunnel based on device classification or posture checks. Posture checks can be based on the parameters outlined in the diagram.

[Diagram: Device Posture Check criteria – Encryption, Registry, File, Process, AD Domain, Certificate.]

• Device classification rules can be configured per OS: Windows, macOS, Linux, Android, iOS, Chrome OS
• Netskope Client divides device classification results into 5 categories: Managed, Unmanaged, Unknown, Not Configured, Custom
• The NS Client checks the device classification status at regular intervals; by default it checks during the Auto Config refresh

BWAN Client Features: Multilink

The BWAN Client supports simultaneous use of multiple WAN interfaces, with separate tunnels built over each interface towards the BWAN Hub. This extends the SD-WAN capabilities previously exclusive to the BWAN GW to the Client, giving remote users the same advanced SD-WAN functionality.
Advantages
• Sub-second failover between tunnels when working in active/active mode
• Per-flow link steering across multiple tunnels when working in active/active mode
• Active/standby tunnel operation and sub-second failover in active/standby mode

[Diagram: Remote User with Netskope Client builds two SD-WAN overlay tunnels (DTLS, UDP 443) over Link 1 and Link 2 across the Internet to the BWAN GW Hub in the DC.]

Active/Active Mode
• The Client optimally leverages all accessible bandwidth across all links
• Flows are load-balanced across the active overlays to the same Hub in a round-robin fashion
• Sub-second failover: when a link fails, its flows are immediately moved to the next available active link

Active/Standby Mode
• The Client establishes an overlay tunnel to the Hub(s) on all available links but forwards traffic only on the link with the highest priority (or the OS default), with the other overlays in standby mode
• If the active link goes down, the Client performs seamless sub-second failover from the active link to the standby link

BWAN Client Features: User-Group Based Access Control

The Netskope Client, by default, forwards user information when forming the tunnel to the BWAN Hub. The user information is used to map users to a group and enforce access policies on the Hub GW.

[Diagram: Remote User 1 (bob@netskope.com, User Group: Blue) and Remote User 2 (ann@netskope.com, User Group: Green) reaching App1–App4 according to their group.]

Secure Access
• User identity exchange between the Netskope Unified Client and the IDP ensures secure access to DC resources
• BWAN also provides granular control for periodic user re-authentication or forced authentication to ensure continued secure access
Access Controls
• Least-privileged access for users with group-based access control, using security and AppX policies enforced on the BWAN Hub

Visibility and Analytics
• Netskope BWAN provides in-depth per-user visibility and analytics: traffic flows, connectivity, active users, apps used
• Further described under the section Monitoring and Analytics

Netskope Unified Client: Packet Flow Decision Process

Netskope Unified Client forwards traffic to the intended gateway depending on the services enabled and the steering rules that are configured. Each packet is processed in the following order:

1. NPA Gateway (NewEdge): enables zero-trust secure access to private enterprise applications in hybrid IT.
2. Netskope Gateway (NewEdge): enables the CASB, SWG and Cloud Firewall security features hosted on Netskope NewEdge.
3. BWAN Hub: Borderless SD-WAN gateway locations that are designated as Hubs. Hub sites are typically DCs which host applications or data to which remote users require access.

Netskope Unified Client Modes

Supported Modes:
● BWAN Only
● BWAN + SWG/CASB/CFW
● BWAN + SWG/CASB/CFW + NPA
● BWAN + NPA

Supported Platforms:
● Windows 10 or above
● macOS Monterey 12.6.8 or above
● ARM is currently not supported

Netskope Unified Client: ZTNA Next L3E (Endpoint SD-WAN)

[Diagram: Remote User with Endpoint SD-WAN Client builds a DTLS UDP 443 SD-WAN overlay tunnel over the Internet to the Hub Group (DC-Hub-GW1, DC-Hub-GW2); MPLS via the SP POP links to the Customer Network with RDP Servers 10.0.30.101, 10.0.30.102, 10.0.30.103, 10.0.30.104, 10.0.30.105 and 10.0.30.106.]

Netskope SASE Client: the Netskope Unified Client installed on remote user machines.
SD-WAN Overlay: SD-WAN DTLS overlay tunnel initiated by the Client to the GW Hub on UDP 443.
DC: traffic is steered to DCs over Netskope BWAN via GW Hubs. The DC can be on-prem, or hosted in a private or public cloud. The BWAN GW is available in physical and virtual form factors.
Netskope Clientless NPA

[Diagram: Remote User (clientless NPA enabled) connects over the Internet to Netskope NewEdge (CASB / SWG / CFW) and to the IDP for authentication; NewEdge reaches the NPA Publisher in the Data Center, which fronts Private App 1 (10.0.30.100).]

Browser Based Access: users access the application via the browser.
User Authentication: the user is authenticated against the configured IDP.
App Access: authenticated users connect to a URL which connects to Netskope NewEdge and directs the connection to the Publisher.

Next Gen SWG

Secure Web Gateway / CASB
Stop threats, protect data and take control of the cloud and web

Use Cases: Web, Managed Cloud, Unmanaged Cloud, Public Cloud, Non-Web
• Apply contextual controls with more granular policies than allow/deny
• Control data movement to personal instances and unmanaged apps
• Use risk scores to control policy and enforce coaching behaviors
• Inspect guest WiFi and machine traffic

Benefits
• Inline controls stop data loss before it leaves a managed environment
• Stop threats such as phishing, malware and ransomware in real time
• Delivers seamless security stack integration through Cloud Exchange modules

[Diagram: Next-Gen SWG on NewEdge combining SWG, CASB, Cloud Firewall, Threat Protection, Data Protection, User Risk Scoring, Instance Awareness, Targeted RBI and UEBA, serving remote access, direct-to-cloud and BYOD.]

What is Web Security?

The main differentiator between Web Security and CASB is the steering. Web Security provides:
• Web browsing protection (web category filtering, URL allowlists and blocklists, etc.)
• Data Loss Prevention (DLP)
• Intrusion Prevention System (IPS)
• Protection against malware
Steering Configuration

To enable web traffic steering, go to: Settings > Security Cloud Platform > Traffic Steering > Steering Configuration > Default tenant config > Edit Configuration

Steering Exceptions

All cert-pinned applications are bypassed by default. Add exceptions based on:
• Application
• Category
• Certificate Pinned Apps
• Domains
• Source Locations
• Destination Locations
• Source Countries

CASB

SaaS Apps Require a Granular Data Security Approach

[Diagram: context dimensions – corporate vs personal email instances, corporate vs personal users, and activities such as sending confidential email, sharing sensitive data (all internal vs internal + external) and uploading sensitive files.]

CASB Components

[Diagram: Shadow IT; corporate and personal instances; CASB APIs (out-of-band introspection); CASB Inline; Security Posture Mgmt; DLP, from any location.]

Threat Protection

Multi-Engine Threat Protection
Strong defense against known and unknown threats

[Diagram: Forward Proxy (managed device, data-in-motion) and Reverse Proxy (unmanaged device, data-in-motion) in front of managed and unmanaged cloud (SaaS & IaaS) and websites, with RBI and CFW; API integration (data-at-rest) for managed cloud. Engines: Std. Threat Protection (Fast Scan), Adv. Threat Protection (Deep Scan), AI/ML, Cloud Sandbox, User Behavior Analytics, Netskope Threat Labs, Netskope Cloud Exchange. Fast Scan covers known malicious content, Deep Scan unknown malicious content, and Behavior Analytics insider threats.]

Advanced Threat Protection for Cloud & Web
Advanced Threat Protection (Deep Scan)
Threat Protection – STND vs ADV

Standard Threat Protection (Fast Scan)
• Anti-malware engines, Web IPS, and true file type analysis
• 40+ threat intel feeds, plus importing IOCs including malicious URLs and file hashes
• Inline portable executable (PE) file machine learning for Patient Zero malware detection and blocking
• ML-classifier phishing detection to identify phishing domains in real time, blocking access to those sites
• Standard sandboxing to corroborate all AV/ML detections
• Cloud Threat Exchange (CTE) enables threat intel sharing with EPP/EDR, SIEM, SOAR, etc.

Advanced Threat Protection (Deep Scan)
• Standard Threat Protection capabilities included
• De-obfuscation and recursive file unpacking with support for 350+ families of installers, packers, and compressors
• Pre-execution analysis and heuristics for 3,500+ file format families, with 3,000+ static binary threat indicators for Windows, Mac OS, Linux, iOS, Android, firmware, Flash, PDF, and other document types
• Cloud sandboxing for 30+ file types including Portable Executable (PE) files (e.g., Windows executables), Microsoft Office files, PDF files, Batch files, Archive files (e.g., zip, 7z, tar), Visio, RTF, Flash, HTML and Java Applets
• Machine learning deep analysis to detect unknown threats, anomalies, and behaviors, with ML models for PEs, PDFs, malicious Office files, and malicious URLs in files
• Patient Zero alerts, Sandbox API, RetroHunt API, and MITRE ATT&CK sandbox analysis
• Patient Zero protection to hold files until sandboxing completes
• 3rd party sandbox integration for second verdicts

Real time policy

Real-time Protection Policies

Enforce an action based on:
• Users, groups, and OUs (as inclusions or exclusions) and other criteria (source IP, user confidence, etc.)
• Cloud apps, web page categories, private apps, etc.
• Activities (browse, download, upload, etc.)
• Constraints (From User, File Type, etc.) and criteria (App Instance Tag, Destination Country, etc.)
• Define DLP and threat protection profiles to protect against data loss and malware.

Real-time Protection policy processing

Important: processing is order-specific!
• Real-time Protection policies are processed sequentially (top to bottom)
• A match will stop further processing (DLP = Exception)
• Verify the order of your policies!
• Select the rule position when saving the policy: Top / Bottom / Before / After
• Drag and drop policies to re-order
• Click Apply Changes to save the order. Policy changes do not take effect until you apply the changes.

Client Lab Topology

[Diagram: Remote User with Netskope Client has a tunnel to Netskope NewEdge (Web and SaaS, UCaaS Applications, CASB / SWG / CFW, Clientless NPA, Cloud-Hub GW) and an SD-WAN overlay tunnel to the Hub Group (DC-Hub-GW1, DC-Hub-GW2) in the Data Center with Netskope BWAN & Netskope Private Access; the NPA Publisher fronts Private App 1 (10.0.30.100); MPLS runs from the MSP-hosted DC via the SP POP to the Customer DC, whose Customer Network holds RDP Servers 10.0.30.101, 10.0.30.102, 10.0.30.103, 10.0.30.104, 10.0.30.105 and 10.0.30.106.]

Thank you
Continue to hands-on lab
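An added illustration (not Netskope code) of the sequential, first-match policy processing and the Top / Bottom / Before / After positioning described above: a broad allow rule saved above a DLP block means the block is never reached for an upload that hits the DLP profile, and moving the block to the Top corrects it. Policy names, the app, the user group and the PII profile are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    action: str                                  # allow / block / alert
    groups: set = field(default_factory=set)     # empty = any user group
    apps: set = field(default_factory=set)       # empty = any app
    activities: set = field(default_factory=set)
    dlp_profile: str = ""                        # set = match only on a DLP profile hit

def matches(p, ev):
    """A policy matches when every criterion it configures matches the event."""
    if p.groups and not (p.groups & set(ev["groups"])):
        return False
    if p.apps and ev["app"] not in p.apps:
        return False
    if p.activities and ev["activity"] not in p.activities:
        return False
    if p.dlp_profile and p.dlp_profile not in ev.get("dlp_hits", ()):
        return False
    return True

def evaluate(policies, ev):
    """Top to bottom, first match wins; later policies are never consulted."""
    for p in policies:
        if matches(p, ev):
            return p.name, p.action
    return None, "allow"   # assumed default when nothing matches

def reorder(policies, name, position, anchor=None):
    """Apply the console's Top / Bottom / Before <anchor> / After <anchor> choice."""
    moving = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    if position == "Top":
        return [moving] + rest
    if position == "Bottom":
        return rest + [moving]
    idx = next(i for i, p in enumerate(rest) if p.name == anchor)
    idx += 1 if position == "After" else 0
    return rest[:idx] + [moving] + rest[idx:]

# Constructed policy list: a broad allow rule was saved at the Top, so the
# DLP block beneath it is never reached for an upload that hits the PII profile.
POLICIES = [
    Policy("allow-corp-storage", "allow", apps={"corp-storage"}),
    Policy("block-pii-upload", "block", apps={"corp-storage"},
           activities={"upload"}, dlp_profile="PII"),
]
PII_UPLOAD = {"groups": ["Green"], "app": "corp-storage",
              "activity": "upload", "dlp_hits": {"PII"}}

def misordered():
    return evaluate(POLICIES, PII_UPLOAD)   # allowed: processing stopped at rule 1

def fixed():
    return evaluate(reorder(POLICIES, "block-pii-upload", "Top"), PII_UPLOAD)
```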