ZTNA Firewalls

Summary: The document discusses Zero Trust Network Access (ZTNA) and its importance in modern security frameworks, particularly for organizations with remote and hybrid workforces. It outlines the evolution of ZTNA, its components, and the new Cisco technologies that facilitate frictionless security. Additionally, it provides insights into the types of Zero Trust Access and the specific functionalities of Cisco's Secure Firewall in implementing ZTNA. (88 slides, Cisco Live session BRKSEC-2079)

Zero Trust Network Access (ZTNA) Demystified
What It Is, Why You Need It and the New Cisco Technologies That Make Frictionless Security Possible
Steven Chimes, Platform Security Architect, CCIE Security #35525

BRKSEC-2079
About Your Speaker
• Security Architect focused on global financials and global life sciences customers
• 15 years in industry including higher ed, manufacturing and 10 years at Cisco
• Author of CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide

BRKSEC-2079 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Why ZTNA and its evolution
• ZTA w/ Cisco Secure Firewall
• ZTA w/ Cisco Secure Access

Not Covered: ISE, TrustSec or Duo

Webex App
Questions? Use the Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Events Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until February 23, 2024.
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-2079

Why ZTNA?
• 49% of employees are remote/hybrid
• 53% of remote/hybrid workers use DIA (direct internet access)
• 55% of traffic goes to/from off-premises, cloud-based facilities
This complexity + an increased ability of attackers to profit has made hypothetical attacks reality and pushed many organizations to the breaking point.
Reference: ESG SSE Survey, June 2023

ZTNA: Zero Trust Network Access
ZT (Zero Trust principles) applied to NA (Network Access)

Why ZTNA? Three drivers: User Experience, SaaS Delivery, Zero Trust

ZT vs. ZTA vs. ZTNA vs. ZTAA (Outcome View)
Hierarchy: Zero Trust (ZT) contains Zero Trust Access (ZTA), which contains Zero Trust Network Access (ZTNA) and Zero Trust Application Access (ZTAA).
• Zero Trust (ZT): A comprehensive security framework that prioritizes least privilege, strict access controls, and continuous monitoring to mitigate risks and protect resources.
• Zero Trust Access (ZTA): A specific aspect of Zero Trust that focuses on managing and enforcing access to resources.
• Zero Trust Network Access (ZTNA): A subset of Zero Trust Access that focuses on secure access to networks.
• Zero Trust Application Access (ZTAA): A subset of Zero Trust Access that focuses on secure access to individual applications.

ZTNA vs. ZTAA (Outcome View)

                  | Zero Trust Network Access (ZTNA)                | Zero Trust Application Access (ZTAA)
Allow Access To:  | Corporate Network (10.0.0.0/8 or *.example.com) | Production Jira App (jira.example.com)
When:             | User Identity (Lee authenticated via MFA)       | same
                  | Device Posture (Fully patched device)           | same
                  | Location (United States)                        | same
                  | Continuous Monitoring (TLS decrypt and IPS inspection) | same

The primary difference between ZTNA and ZTAA is the granularity of access granted in the policy.

Types of Zero Trust Access

                    | Clientless                                       | Client-based
General description | Lightweight method to securely access resources  | More feature rich method to securely access resources
Application support | Web applications (HTTP/HTTPS) via a web browser and other select protocols (SMB/RDP/SSH/etc.) via a portal or small helper application | Broad range of applications via a software client
Partner/BYOD use    | Preferred method                                 | Yes, if desired/needed
Employee use        | Yes, if desired                                  | Preferred method

Cisco Secure Firewall Zero Trust Access (ZTA)

New Cisco Zero Trust Access Options: the Secure Firewall column
• Hosting: Hardware or VM
• Type: Clientless
• Client: Web Browser
• Supported Traffic: Client-to-server
• Supported Apps: HTTPS
• Client Protocol(s): TLS
• Device Posture: None (Use Duo)
• Per-App Controls: TLS Decrypt, IPS, Anti-Malware

Cisco Secure Firewall Zero Trust Access (ZTA)

Background: Prior to Secure Firewall 7.4, organizations wanting to grant users access to private applications and implement zero trust were required to install additional software (like AnyConnect / Secure Client) on client devices.

What's New:
• Clientless Zero Trust Access functionality added to Secure Firewall 7.4.
• SAML based authentication of users with support for Duo, Azure AD, Okta, & other Identity Providers.
• No additional network equipment needed. Simply upgrade to FTD v7.4.

Benefits: Enables users to access applications without requiring additional software on personal devices.

Requirements:
• Secure Firewall 7.4
• Snort 3
• FMC On Prem + FMC REST API or cdFMC
• Not supported on ASA
• Only Routed mode supported
• Not supported on individual mode cluster

Demo Setup: Secure Firewall ZTA w/ AD FS
• User browser (outside) → Secure Firewall outside interface 203.0.113.2, with TLS Decrypt + IPS + Anti-Malware → application server 192.168.1.2
• External DNS: fw.metronic.io & billing.metronic.io → 203.0.113.2
• Internal DNS: billing.metronic.io → 192.168.1.2
• SAML IdP: AD FS

Reference: Config: Secure Firewall ZTA w/ AD FS

User Demo: Cisco Secure Firewall ZTA + AD FS

Flow – Basic Flow (ZTA Client → ZTA Firewall → csdac.emealab.local)
1. DNS points csdac.emealab.local to FW
2. FW redirects to SAML IdP
3. Auth/Authz + MFA if required, at the SAML IdP
4. FW assigns ZTA cookie and allows traffic through
Legend used in the flow diagrams: HTTPS (Pre-Auth); SAML IdP AAA; ZTA Protected Flow

Thank you to Chris Grabowski for saving me a ton of time building these ZTA Firewall slides

Flow – Failed Authentication (wrong username or password)
1. DNS points fmc.emealab.local to FW
2. FW redirects to SAML IdP (Azure Entra ID)
3. The wrong username or password fails at the IdP. The firewall only sees that no assertion comes back ("I don't know what happened at SAML IdP…"), so no ZTA cookie is assigned and the protected flow never starts.

Flow – Compliant Endpoint (Corporate PC)
1. DNS points csdac.emealab.local to FW
2. FW redirects to SAML IdP
3. Auth/Authz + MFA if required
4. Protected access to the internal application

Flow – Non-Compliant Endpoint (Personal PC)
1. DNS points csdac.emealab.local to FW
2. FW redirects to SAML IdP
3. Auth/Authz + Duo Health Application posture check at the IdP; the personal PC fails posture, so there is no step 4 and no protected access

Flow – Successful Auth/Authz w/ Inspection
1. DNS points ise01.emealab.local to FW
2. FW redirects to SAML IdP (Azure Entra ID)
3. Successful Auth/Authz
4. Protected access to the internal application, with TLS Decryption, IPS and Malware Protection on the firewall
5. Clean traffic reaches ise01.emealab.local

Flow – ZTA Individual vs. Grouped Applications
ZTA Application Group (SSO): fmc.emealab.local and ise01.emealab.local. Individual Application: csdac.emealab.local.
1. Access an application in the Group
2. SAML Redirect to the IdP configured for the entire Application Group
3. Access the non-grouped application
4. SAML Redirect to the IdP configured for the Individual Application

Flow – Grouped Applications (ZTA Application Group: fmc.emealab.local, ise01.emealab.local)
1. ZTA pre-auth flow to fmc.emealab.local
2. FW redirects to SAML IdP (Azure Entra ID)
3. Protected access to fmc.emealab.local
4. ZTA pre-auth flow to ise01.emealab.local (accessing another application in the ZTA Application Group reuses the SSO session)
5. Protected access to ise01.emealab.local

Recommendations
• Only SAML IdPs are supported, e.g. Azure AD, Duo, Ping ID, One Login, Okta
• DNS needs to be configured to direct application traffic to the ZTA firewall's interface.
• ZTA application protection is supported for the Internet and internal access use-cases (with proper DNS configuration)
• ZTA is supported on routed mode in HA/Cluster/Multi-Instance deployments (not supported on individual mode cluster)
• License requirements:
  • Essentials license for basic ZTA access
  • IPS and/or Malware Defense for application traffic inspection
  • ZTA does not work in evaluation mode
• ZTA traffic is not subjected to the Access Control Policy (ZTA policy takes precedence)

Recommendations (continued)
• Supports HTTPS applications only (HTTP, RDP, SSH not supported)
• ZTA supports interactive web applications (requires user SAML login)
• ZTA is not a reverse-proxy:
  • Firewall does not rewrite HTTP requests
  • The flow is based on HTTP redirects
• TLS decryption is mandatory – Snort validates the ZTA HTTP cookie in the HTTP request
• ZTA will not work for non-HTTP traffic tunneled through TCP 443 on the interface.
• A pre-auth certificate matching the FQDNs of the protected applications is required
• Not supported if the protected application redirects between ports or does strict HTTP Host Header validation. Both limits follow from the redirect design: the browser is sent to the application FQDN on a per-app high port, and because the firewall NATs but does not rewrite the request, the backend receives that port in the Host header; an application that redirects the browser to another port sends it away from the ZTA port.

Note the port at the end of the FQDN: Secure Firewall redirects to a FQDN with a high port (20,000+) for each app

SAML Assertion Consumption and Setting Application Cookie

ZTA Client → ZTA Firewall (app.example.com), carrying the SAML Assertion:
  POST https://app.example.com/+webvpn+/index.html
  Referer: https://app.example.com/+CSCOE+/saml/sp/acs?tgname=DefaultZeroTrustGroup

Secure Firewall generates a Zero Trust Cookie for the client and answers:
  Status: 200 OK
  Set-Cookie: cscozt_token=FB89EB2D4DF4C3BF5C0E8121F35166DE; expires=Fri, 15 Sep 2023 11:20:46 GMT; path=/; secure; HttpOnly

Browser's cookie cache: cscozt_token | Domain app.example.com | Path / | Lifetime 1 day

Redirect to ZTA app.example.com NAT High Port

ZTA Client → ZTA Firewall:
  GET https://app.example.com/ HTTP/1.1
  Cookie: cscozt_token=FB89EB2D4DF4C3BF5C0E8121F35166DE

ZTA Firewall ("Since you have a valid cookie, you can go to the ZTA application now."):
  Status: 307 Temporary Redirect
  Location: https://app.example.com:20000/

Browser's cookie cache: cscozt_token | Domain app.example.com | Path / | Lifetime 1 day

ZTA app.example.com NAT Construct
FTD Outside Interface (203.0.113.2:20000) → Application: app.example.com (192.168.1.10:443)

ZTA Client → ZTA Firewall:
  GET https://app.example.com:20000/
  Cookie: cscozt_token=FB89EB2D4DF4C3BF5C0E8121F35166DE

show nat detail
...
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 203.0.113.2/24, Translated: 192.168.1.10/32
Service - Origin: tcp destination eq 20000 , Translated: tcp destination eq https

TLS Decryption of the ZTA Flow
Client ←(Client Side TLS)→ ZTA Firewall, which holds the application's private key ←(Server Side TLS)→ app.example.com
  GET https://app.example.com:20000/
  Cookie: cscozt_token=FB89EB2D4DF4C3BF5C0E8121F35166DE

ZTA Snort3 Cookie Validation
Snort3 validates the ZTA cookie extracted from the decrypted HTTP request (same flow as above).

IPS and Malware Protection
All ZTA protected application traffic is protected with IPS and/or Malware Defense policies (same flow as above).

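The slides above describe the clientless flow as a sequence of HTTP messages: redirect to the IdP when no cookie is present, a Zero Trust cookie minted after the SAML assertion is consumed, a 307 to the per-app high port, a static NAT from that port to the internal server, and cookie validation on the decrypted request. The following model ties those steps together and also shows why the "strict Host Header validation" caveat in the recommendations bites. It is an added example, not Cisco code: the IdP URL, the 403 on the reject path, the header names on the forwarded request and the behaviour of the strict backend are assumptions.

```python
"""Toy model of the clientless Secure Firewall ZTA flow from the slides:
pre-auth redirect, SAML assertion consumption, cookie issue, 307 to the
per-app high port, NAT to the internal server and cookie validation on the
decrypted request.  Added example, not Cisco code; the reject status code,
the forwarded header names and the IdP URL are assumptions."""
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "cscozt_token"
COOKIE_LIFETIME = 24 * 60 * 60          # slide: cookie lifetime 1 day


@dataclass
class ZtaApp:
    fqdn: str
    internal_ip: str
    high_port: int          # per-app port (20,000+) the FW redirects to and NATs
    internal_port: int = 443


@dataclass
class ZtaFirewall:
    idp_sso_url: str
    apps: dict = field(default_factory=dict)      # fqdn -> ZtaApp
    by_port: dict = field(default_factory=dict)   # high_port -> ZtaApp
    sessions: dict = field(default_factory=dict)  # token -> (user, expiry)

    def add_app(self, app: ZtaApp) -> None:
        self.apps[app.fqdn] = app
        self.by_port[app.high_port] = app

    def nat_rule(self, app: ZtaApp) -> str:
        """Equivalent of the 'Service' line in 'show nat detail' on the slide."""
        return (f"Service - Origin: tcp destination eq {app.high_port}, "
                f"Translated: tcp destination eq {app.internal_port}")

    def _user_for(self, cookies: dict, now: int):
        entry = self.sessions.get(cookies.get(COOKIE_NAME, ""))
        return entry[0] if entry and entry[1] > now else None

    def consume_assertion(self, user: str, now: int):
        """Runs after the IdP has POSTed a SAML assertion to the ACS (assertion
        verification is assumed done): mint the Zero Trust cookie."""
        token = secrets.token_hex(16)           # 32 hex chars, like the slide
        self.sessions[token] = (user, now + COOKIE_LIFETIME)
        return 200, {"Set-Cookie": f"{COOKIE_NAME}={token}; path=/; secure; HttpOnly"}

    def handle(self, fqdn: str, port: int, cookies: dict, now: int):
        """Dispatch one request arriving on the outside interface.  Returns
        (status, headers); for an allowed protected request the headers
        describe where NAT sends it and what the backend will see."""
        user = self._user_for(cookies, now)
        if port == 443:                                   # pre-auth side
            app = self.apps.get(fqdn)
            if app is None:
                return 404, {}                            # assumption: not a ZTA app
            if user is None:                              # no or expired cookie
                return 302, {"Location": self.idp_sso_url}
            return 307, {"Location": f"https://{fqdn}:{app.high_port}/"}
        app = self.by_port.get(port)                      # protected side
        if app is None or app.fqdn != fqdn:
            return 404, {}
        if user is None:
            # Snort3 finds no valid cookie on the decrypted request (403 assumed)
            return 403, {}
        # The FW NATs but does not rewrite HTTP: the Host header keeps the port.
        return 200, {"Host": f"{fqdn}:{port}",
                     "X-NAT-Destination": f"{app.internal_ip}:{app.internal_port}",
                     "X-User": user}


def strict_host_backend_accepts(host_header: str, expected_fqdn: str) -> bool:
    """Assumed behaviour of a backend doing strict Host validation: it wants
    exactly its own FQDN, so the ':20000' suffix makes it reject the request."""
    return host_header == expected_fqdn


if __name__ == "__main__":
    fw = ZtaFirewall(idp_sso_url="https://idp.example.com/saml/sso")   # assumed
    fw.add_app(ZtaApp("app.example.com", "192.168.1.10", 20000))
    now = 1_694_690_000
    print(fw.handle("app.example.com", 443, {}, now))                    # 302 to IdP
    _, hdrs = fw.consume_assertion("lee", now)
    token = hdrs["Set-Cookie"].split(";")[0].split("=", 1)[1]
    print(fw.handle("app.example.com", 443, {COOKIE_NAME: token}, now))  # 307 :20000
    print(fw.handle("app.example.com", 20000, {COOKIE_NAME: token}, now))
    print(fw.nat_rule(fw.apps["app.example.com"]))
```

The model keeps the slide's two-sided design visible: port 443 only ever answers with redirects (to the IdP or to the high port), and the high port only passes traffic that carries a cookie the firewall itself issued. Expiry is checked on every request, which is what makes the 1-day lifetime meaningful.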
Cisco Secure Access

New Cisco Zero Trust Access Options (Secure Firewall vs. Cisco Secure Access)

                   | Secure Firewall                        | Secure Access: Clientless | Secure Access: Client-Based (ZTA Module / OS Native Clients) | Secure Access: Client-Based (VPN Module)
Hosting            | Hardware or VM                         | SaaS                      | SaaS                          | SaaS
Type               | Clientless                             | Clientless                | Client-Based                  | Client-Based
Client             | Web Browser                            | Web Browser               | ZTA Module, OS Native Clients | VPN Module
Supported Traffic  | Client-to-server                       | Client-to-server          | Client-to-server              | Client-to-server, Client-to-client, Server-to-client
Supported Apps     | HTTPS                                  | HTTP, HTTPS               | TCP & UDP                     | TCP, UDP & ICMP
Client Protocol(s) | TLS                                    | TLS                       | MASQUE over QUIC or TLS       | TLS, DTLS, IPSec
Device Posture     | None (Use Duo)                         | Per-Rule                  | Per-Rule                      | On Connect
Controls           | Per-App TLS Decrypt, IPS, Anti-Malware | User/Group-Based Access Control, TLS Decrypt, IPS (all three Secure Access options)

Cisco Secure Access
Go beyond core Security Service Edge (SSE) to better connect and protect your business

Core SSE: Secure Web Gateway (SWG); Cloud Access Security Broker (CASB) and DLP; Zero Trust Access (ZTA); Firewall as a Service (FWaaS) and IPS

Cisco delivers the core and more in a single subscription: DNS Security; Multimode DLP; Advanced Malware protection; Sandbox; Talos Threat Intelligence; VPN as a Service; Digital Experience Monitoring*; Remote Browser Isolation*

Add-on solutions: SD-WAN; XDR; Duo MFA/SSO; CSPM

* Included in the unified experience / separate license (optional)

The rest of this section focuses on the Zero Trust Access (ZTA) component of Core SSE.

Easy, frictionless user experience
Step 1: Log in. Step 2: Securely start work.
Cisco Secure Access brokers the user's access to: Internet apps; SaaS apps; Core private apps; Longtail/non-standard apps

User Demo: Cisco Secure Access + Client-Based Zero Trust Access

Cisco Secure Client Zero Trust Access Module
(Zero Trust Access module in Cisco Secure Client 5.1, formerly AnyConnect)
• Transparent user experience
• Forward proxied resource access with coarse-grained or fine-grained access control
• Service managed client certificates with TPM-protected key storage
• Support for TCP and UDP applications
• Cisco and third-party VPN client interop
• Next-generation protocol (MASQUE + QUIC)

Why Is It Called Zero Trust Access (ZTA) Instead of Zero Trust Network Access (ZTNA)?
Capabilities compared, ZTNA vs. ZTA:
• Multifactor Authentication
• Device posture checks
• Micro-segmentation
• Complete separation between the user and the enterprise network
• Next-generation protocols
• Native OS support
• Flexible backend connectivity options
• Hardware protected credentials

Rule Basics
• User Authentication & MFA via SAML: use Duo or any IdP that supports SAML to strongly authenticate users
• Write Policy Based on User or Group: using user and group info loaded from Active Directory or via SCIM
• Define Private Resources / Apps: based on IP, FQDN, protocol and port
• Define and Enforce Device Posture: posture can be enforced globally or at the rule level
• Apply TLS Decrypt and IPS: traffic security settings can be applied globally or at a rule level

High-Level Traffic Flow for Zero Trust Access
User (London) running Chrome and RDP → ZTA client or ZTA enabled OS → MASQUE → Cisco Secure Access (UK) → Resource connector or IPsec tunnels → App1 (New York, US) and App2 (Sydney, Australia)
• 'No click' seamless access
• Advanced protocols reduce latency and speed content delivery
• Full separation between users and the enterprise network
• Fast deployment with no firewall setting changes

What is QUIC and MASQUE?
• QUIC (not an acronym):
  • UDP-based, stream-multiplexing, encrypted transport protocol.
  • First used in Google Chrome in 2012.
  • Used for HTTP/3, iCloud Private Relay, SMB over QUIC, DNS over QUIC, etc.
  • Optimized for the next generation of internet traffic with reduced latency compared to TLS over TCP.
• MASQUE (Multiplexed Application Substrate over QUIC Encryption):
  • IETF working group focused on next generation proxying technologies on top of the QUIC protocol.
  • Provides the mechanisms for multiple proxied stream and datagram-based flows inside HTTP/2 and HTTP/3.
  • Used by iCloud Private Relay since 2021.
  • HTTP/2 and HTTP/3 extensions allow for the signaling and encapsulation of UDP and IP traffic.
  • A more technically accurate acronym would be MASQUOTE (Multiplexed Application Substrate over QUIC or TLS Encryption) as MASQUE can operate over QUIC or TLS (e.g. if QUIC is blocked).

When combined, MASQUE + QUIC provides an efficient and secure transport mechanism for TCP, UDP and IP traffic for both web and non-web protocols.

Why Use QUIC as the Protocol?
• Less framing overhead
• Ability to change IPs without renegotiation (Connection migration)
• No waiting for partially delivered packets (Individually encrypted packets)
• Not vulnerable to TCP meltdown (UDP transport)
• No head-of-line blocking (Stream multiplexing)
• Can simultaneously use multiple interfaces (Multipath)
Note: Not all features of QUIC as a protocol are currently used by Cisco Secure Access

Why Use MASQUE?
• No direct resource access (Proxy architecture)
• Broad application support (TCP and UDP)
• Fallback to HTTP/2 (TCP 443) if QUIC (UDP 443) is blocked
• Flexibility to support per-connection, per-app or per-device tunnels
• Native OS support

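The two MASQUE slides above say what the protocol does (signal a UDP relay inside HTTP, carry the datagrams over QUIC, fall back to TCP 443 when UDP is blocked) without showing the bytes. The block below walks through the standardised form of that exchange: the extended CONNECT request with `:protocol = connect-udp` (RFC 9298), the proxy-side parse of the well-known URI template, and the same UDP payload wrapped once as an HTTP/3 datagram and once as a DATAGRAM capsule for the HTTP/2-over-TLS fallback (RFC 9297). This is an added illustration built from the RFCs, not Cisco Secure Access code; the proxy hostname, the URI template and the sample DNS query bytes are made up.

```python
"""MASQUE connect-udp request (RFC 9298) and the two encapsulations of the
relayed UDP payload (RFC 9297): a QUIC DATAGRAM for HTTP/3 and a DATAGRAM
capsule on the CONNECT stream for the HTTP/2-over-TLS fallback.  Added
example following the RFCs; not Cisco Secure Access code.  The proxy name,
template and sample payload are constructed for the example."""
from urllib.parse import quote, unquote, urlsplit


# --- QUIC variable-length integers (RFC 9000 section 16) ---------------------
def encode_varint(n: int) -> bytes:
    for bits, prefix, size in ((6, 0x00, 1), (14, 0x40, 2), (30, 0x80, 4), (62, 0xC0, 8)):
        if n < 1 << bits:
            out = n.to_bytes(size, "big")
            return bytes([out[0] | prefix]) + out[1:]
    raise ValueError("varint too large")


def decode_varint(buf: bytes, off: int = 0):
    size = 1 << (buf[off] >> 6)                      # top two bits give the length
    value = int.from_bytes(buf[off:off + size], "big") & ((1 << (8 * size - 2)) - 1)
    return value, off + size


# --- request side: extended CONNECT with :protocol = connect-udp --------------
MASQUE_PREFIX = "/.well-known/masque/udp/"


def connect_udp_request(template: str, target_host: str, target_port: int) -> dict:
    """Expand the proxy's URI template and build the pseudo-headers of an
    HTTP/2 or HTTP/3 extended CONNECT request.  IPv6 colons must be
    percent-encoded in the path."""
    url = (template.replace("{target_host}", quote(target_host, safe=""))
                   .replace("{target_port}", str(target_port)))
    u = urlsplit(url)
    return {":method": "CONNECT", ":protocol": "connect-udp", ":scheme": u.scheme,
            ":authority": u.netloc, ":path": u.path, "capsule-protocol": "?1"}


def parse_connect_udp_target(headers: dict):
    """Proxy side: accept only a connect-udp request for the well-known
    template, then recover (host, port) the proxy should relay to."""
    if headers.get(":method") != "CONNECT" or headers.get(":protocol") != "connect-udp":
        raise ValueError("not a connect-udp request")
    path = headers.get(":path", "")
    if not path.startswith(MASQUE_PREFIX) or not path.endswith("/"):
        raise ValueError("path does not match the MASQUE template")
    host, port = path[len(MASQUE_PREFIX):-1].split("/")
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError("bad port")
    return unquote(host), port


# --- data plane: the same UDP payload over QUIC or over TLS/HTTP2 ---------------
def h3_datagram(request_stream_id: int, udp_payload: bytes, context_id: int = 0) -> bytes:
    """QUIC DATAGRAM frame payload: Quarter Stream ID + Context ID + UDP payload."""
    if request_stream_id % 4:
        raise ValueError("CONNECT lives on a client-initiated bidirectional stream")
    return encode_varint(request_stream_id // 4) + encode_varint(context_id) + udp_payload


def parse_h3_datagram(frame: bytes):
    qsid, off = decode_varint(frame)
    context_id, off = decode_varint(frame, off)
    return qsid * 4, context_id, frame[off:]


DATAGRAM_CAPSULE = 0x00   # RFC 9297 capsule type


def datagram_capsule(udp_payload: bytes, context_id: int = 0) -> bytes:
    """Fallback when QUIC is blocked: Type + Length + (Context ID + UDP payload)
    written onto the CONNECT stream of an HTTP/2-over-TLS connection."""
    value = encode_varint(context_id) + udp_payload
    return encode_varint(DATAGRAM_CAPSULE) + encode_varint(len(value)) + value


def parse_capsule(buf: bytes):
    ctype, off = decode_varint(buf)
    length, off = decode_varint(buf, off)
    value = buf[off:off + length]
    context_id, voff = decode_varint(value)
    return ctype, context_id, value[voff:]


if __name__ == "__main__":
    tmpl = "https://masque.example.net/.well-known/masque/udp/{target_host}/{target_port}/"
    req = connect_udp_request(tmpl, "2001:db8::53", 53)
    print(req[":path"], parse_connect_udp_target(req))
    # constructed DNS query for www.example.com A, just as sample UDP bytes
    dns_query = bytes.fromhex("abcd01000001000000000000") + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    print(h3_datagram(0, dns_query).hex())
    print(datagram_capsule(dns_query).hex())
```

The point the slides make about "fallback to HTTP/2 (TCP 443)" is visible in the last two functions: the application payload and the context ID are identical; only the outer framing changes, from a QUIC DATAGRAM frame keyed by the request stream to a length-prefixed capsule inside that stream.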
ZTA Connectivity vs. Other Methods (legend: App Data Stream; TCP/UDP Connection; Tunnel)
• Direct: Client → App Data Packet → Server
• VPN / ZTNA: Client → App Data Packet inside a Tunnel Packet (IPSec, TLS or DTLS) → Headend → Server
• ZTA (Clientless): Client → App Data Packet → Reverse Proxy → Server
• ZTA (Client-based or OS Native): Client → Multiplexed App Data Streams via MASQUE over QUIC/TLS → MASQUE Proxy → Server

ZTA eliminates the overhead of VPN tunnels and improves security with full separation between users and the enterprise network.

ZTA Connectivity vs. Other Methods (continued)
• VPN / ZTNA: Chrome and RDP on the client share one tunnel (IPSec, TLS or DTLS) to the Headend, which forwards each App Data Packet to its server.
• ZTA (Client-based or OS Native): Chrome and RDP each get their own MASQUE connection (MASQUE over QUIC/TLS) to the MASQUE Proxy, which forwards to the servers.

With ZTA, each process uses a unique MASQUE connection, even if the data streams are destined to different servers.

The same holds for two processes of the same application (sap.exe PID 123 and sap.exe PID 456): under VPN / ZTNA both share the single tunnel to the Headend; under ZTA each PID has its own MASQUE connection to the MASQUE Proxy.

Connectivity is sometimes really bad… but the user experience doesn't have to be

User Demo: OS Native Zero Trust Access on iOS vs. VPN on Extremely Slow Airplane Wi-Fi
fast.com Speedtest: connectivity was bad…
VPN vs. OS Native ZTA on iOS 17: ZTA connects + loads a site faster than VPN can even connect

OS Native ZTA: Apple iOS and Samsung Knox
Diagram: Apple iOS and Samsung Knox devices → ZTA (MASQUE Proxy) → private apps in the Cloud, Data center and Branch office ("Zero trust, high performance connectivity")
• New OS native ZTA functionality built into Apple iOS 17 and Samsung Knox 3.10
• Transparent user experience for users – no need to start or wait for VPN
• Delivers low latency and high throughput connectivity by directly intercepting traffic within the application
• Preserves battery life by eliminating the need for device-wide, continuously running VPN connections
• iCloud Private Relay compatible (iOS)
• Built on industry leading technologies: MASQUE and QUIC
• Supports all applications, ports and protocols - not just web applications

Cisco Secure Access traffic optimization with Apple iCloud Private Relay
OS Native ZTA with Apple iCloud Private Relay On: device (iCloud Private Relay: On) → Cisco Secure Access → finance.corp.com (45.100.12.02)
Single layer of encryption for lightning-fast, secure access
• Traffic Flow w/o iCloud Private Relay Enabled: Device → Secure Access → Application
• Traffic Flow w/ iCloud Private Relay Enabled: Device → Apple Relay → Secure Access → Application

User Demo: Zero Trust Access on Apple iOS

More on Apple's Native OS Support of MASQUE
"Learn how relays can make your app's network traffic more private and secure without the overhead of a VPN. We'll show you how to integrate relay servers in your own app and explore how enterprise networks can use relays to securely access internal resources."
https://developer.apple.com/videos/play/wwdc2023/10002/

User Demo: Cisco ZTA Enrollment on Samsung Knox

Secure Client ZTA Module - Socket Intercept
Stack (top to bottom): Application → Socket Intercept/Filter (Zero Trust Access Module) → Packet Intercept/Filter → Routing Table → Packet Intercept/Filter (VPN Clients) → Virtual Interface → Physical Interface
Why Socket Intercept?
• Control of DNS and application traffic before VPN clients
• No route table manipulation
• Ability to capture traffic by IP, IP subnet, FQDN and FQDN wildcard
• Interoperability with Cisco and non-Cisco VPNs

User Demo: Cisco Secure Access + Client-Based Zero Trust Access + Third-Party VPN (OpenVPN)

Flexible private application connectivity options

Site-to-site Tunnels with IPsec (Data Center / Cloud ↔ Cisco Secure Access, S2S IPsec tunnel)
• Standards-based IPsec connection
• Connect with (nearly) any brand router or firewall
• Single tunnel for Internet and private application access
• Outbound connection / no firewall holes required
• Static or BGP routing support
• Auto failover for redundancy + ECMP for scale

Resource Connectors (DTLS tunnels from the Resource Connector to Cisco Secure Access)
• Lightweight VM for AWS and ESXi (today)
• All traffic egresses from the Resource Connector IP
• Access applications with overlapping IPs
• Outbound connection / no firewall holes required
• No routing configuration required
• Auto failover / load balancing

Access Overlapping IPs Simultaneously via FQDN and Resource Connector
ZTA client or ZTA enabled OS → MASQUE → Cisco Secure Access, then:
• DTLS → Resource Connector in VPC Alpha (DNS Server) → alpha-101-win, 172.31.0.101, RDP
• DTLS → Resource Connector in VPC Bravo (DNS Server) → bravo-101-win, 172.31.0.101, RDP
Both targets share the address 172.31.0.101; the FQDN selects the VPC and its connector.

User Demo: Accessing Servers with Overlapping IP Addresses

Background: Marking Keys as Non-Exportable
Without TPM protection, this is easily bypassed…

Exporting "Non-Exportable" Private Keys from non-TPM Protected Storage
• Paper published in 2011 by Jason Geffner of NGS Secure outlined how to export non-exportable private keys without code injection or function hooking:
  https://research.nccgroup.com/wp-content/uploads/2020/07/exporting_non-exportable_rsa_keys.pdf
• Code turned into a tool called exportrsa in 2016:
  https://github.com/luipir/ExportNotExportablePrivateKey
• Other tools such as Mimikatz and Jailbreak have existed for similarly long using code injection and/or function hooking
• TL;DR "Non-Exportable" is an obfuscated bit flag

Attacker Demo: Exporting a "Non-Exportable" Private Key from a Fully Patched Windows 11 Enterprise System

The Demo Environment
• New Active Directory Forest on Windows Server 2022
• New Certificate Services on Windows Server 2022
• User certificates deployed via Active Directory autoenrollment with "Allow private key to be exported" disabled in the template.
• Demo workstation running Windows 11 Enterprise, fully patched
• Microsoft Defender is enabled with default protections
• User running with standard user privileges

Reference: Commands Used in the Demo

Part 1 – export the user's certificates with their private keys (Windows cmd, standard user):
ECHO ### 1. Change to the directory where the exported user certificates should be saved ###
cd C:\Tools\UserCerts
ECHO ### 2. Export users certificates with private keys via exportrsa.exe ###
C:\Tools\exportrsa.exe
ECHO ### 3. Copy exported certificates to the desktop ###
COPY *.pfx %USERPROFILE%\Desktop

Part 2 – prove the exported private key is usable (OpenSSL):
ECHO ### 1. Extract the certificate from the PFX file ###
openssl pkcs12 -in 1.pfx -nokeys -out 1-pfx-certificate.cer
ECHO ### 2. Extract the certificate public key from the certificate ###
openssl x509 -in 1-pfx-certificate.cer -noout -pubkey > 1-pfx-certificate-public.key
ECHO ### 3. Create hello-world.txt file to be encrypted ###
ECHO "Hello, World!" > hello-world.txt
ECHO ### 4. Encrypt hello-world.txt with the certificate public key ###
openssl pkeyutl -encrypt -in hello-world.txt -pubin -inkey 1-pfx-certificate-public.key -out ciphertext.txt
ECHO ### 5. Verify ciphertext.txt contents ###
more ciphertext.txt
ECHO ### 6. Extract the private key from the PFX file ###
openssl pkcs12 -in 1.pfx -nocerts -nodes -out 1-pfx-private.key
ECHO ### 7. Decrypt ciphertext.txt with the private key ###
openssl pkeyutl -decrypt -in ciphertext.txt -inkey 1-pfx-private.key

Solution for ZTA: TPM Key Storage and ACME Certificates

TPM
• Trusted Platform Module
• Hardware storage of cryptographic material
• Even with a complete and total compromise of the OS, the certificate private key cannot be exported/moved to another device
• Practical check on Windows: a TPM-held key is reported under the Microsoft Platform Crypto Provider (for example in the Provider line of certutil -user -store My), whereas keys in a software key storage provider, like the ones exported in the demo, are exactly the keys the "non-exportable" flag fails to protect

ACME
• Automated Certificate Management Environment (RFC 8555)
• Protocol to automate the issuance and renewal of certificates
• Eliminates user interaction for certificate renewal and private key rotation, allowing extremely short certificate lifetimes, which drastically reduces certificate compromise risks

Thank you