Overview of the Cisco+ Secure Connect Choice
Cisco+ Secure Connect Choice is a scalable cloud service, based on the secure access service edge (SASE) model, that delivers on-demand secure remote connectivity for your organization. Secure Connect Choice offers a Cisco-managed remote access VPN, cloud-delivered security services, and user- and context-based access control to applications for Zero Trust Network Access.
The Secure Firewall Cloud Native must be configured to enable the transmission of syslog and Netflow Secure Event Logging (NSEL) events to the Cisco cloud. Syslog events and NSEL events are generated when logging is enabled on the Secure Firewall Cloud Native, and network traffic matches access control rule criteria. After the events are stored in the Cisco cloud, you can view them on the Event Logging page in CDO.
The remote worker can access:
- External applications outside your organization without a virtual private network (VPN).
- Internal protected applications within your organization's network, with or without a VPN.
This solution comprises the following systems:
- Cisco Umbrella provides DNS-layer and web security for users accessing external applications, for example google.com, that do not require VPN connectivity.
- Secure Firewall Cloud Native (SFCN) provides VPN services for users accessing internal protected applications within your organization's network that require VPN connectivity.
- Duo Network Gateway (DNG) deployed on Secure Firewall Cloud Native, also known as SFCN-DNG, provides a Zero Trust Network Access (ZTNA) service for users accessing internal applications on your organization's protected network that do not require VPN connectivity. ZTNA is a network security model that allows organizations to provide granular and adaptive access controls to private applications or resources across clouds or corporate data centers.
- Duo Admin Panel provides Multi-Factor Authentication (MFA) capabilities.
- Cisco Defense Orchestrator (CDO) is a cloud-based multi-device manager that provides a simplified management interface and cloud-based access for users to perform the following:
  - Protect the internal web applications or SSH server configuration your users can access without having to join a VPN. See Add a Protected Web Application.
  - Monitor the overall data associated with each system of the Secure Connect Choice service. See Secure Connect Choice Overview Dashboard.
  - Monitor real-time or historical data from AnyConnect VPN sessions retrieved from the Secure Firewall Cloud Native VPN head-ends. See Monitor Remote Access Virtual Private Network Sessions.
  - Monitor multi-factor authentication events generated after a successful or failed multi-factor authentication. These events are retrieved from the Duo Admin Panel logs. See Monitor Multi-Factor Authentication Events.
  - Monitor Zero Trust user sessions established after a successful multi-factor authentication for users accessing internal protected applications without VPN connectivity. These events are retrieved from the DNG. See Monitor Zero Trust Network Access Sessions.
  - Monitor the connection status of your onboarded AWS VPCs using AWS Transit Gateway. See Monitor AWS VPC tunnels using AWS Transit Gateway.
  - Monitor event logs stored in the Cisco cloud, including events generated for intrusion and file policies. See Monitor Historical and Live Events.
  - Read and deploy changes for the Duo Admin Panel and SFCN-DNG:
    - Read changes from the Duo Admin Panel: read an application created in the Duo Admin Panel into CDO so that it can be added as a protected application.
    - Read changes from SFCN-DNG: read any changes made outside CDO on SFCN. See Read Configuration Changes from a Secure Firewall Cloud Native to CDO.
    - Deploy changes to SFCN-DNG: deploy the Duo Network Gateway protected web application to SFCN-DNG. See Deploy Configuration Changes from CDO to Secure Firewall Cloud Native.
Supported Scenarios
The Cisco+ Secure Connect Choice offering supports the following scenarios for remote workers:
- Secure browsing on the public internet:
  In this scenario, a remote worker accesses an external resource, for example google.com, without a VPN connection. Cisco Umbrella provides DNS-layer security to stop threats over all ports and protocols. It helps stop malware earlier and prevents callbacks to attackers if infected machines connect to the network. Cisco Umbrella also provides web security to block malicious websites.
- Access protected applications on the internal network without connecting to a VPN:
  In this scenario, a remote worker accesses protected applications inside your organization without a VPN connection. The Duo Network Gateway (DNG) available as part of this solution provides Zero Trust Network Access so that remote workers can reach your on-premises websites, web applications, and SSH servers without connecting to a VPN. The DNG holds the details of a SAML 2.0 Identity Provider (IdP) that provides primary authentication. All requests to the protected applications are proxied through the DNG.
- Access protected applications on the internal network using a VPN:
  In this scenario, a remote worker accesses internal applications within your organization using a VPN connection. As part of this solution, Cisco provides scalable remote access VPN services to handle requests from remote workers. AnyConnect is the only supported client.