Bad Actors Can’t Attack What They Can’t Find

ZTNA or Zero Trust Network Access is a network security model that operates on 3 core principles:

• Always verify – Do not assume an entities identity
• Least privilege – Give access to only the resources the user, device, or application should have
• Assume breach – A proactive approach to network security that includes reducing the attack surface and isolating potential threats

Cloud Connexa allows Owners and Administrators to:

• Use SSO Authentication with LDAP, and SAML to connect to their WPC.
• Limit access to only specific resources by configuring access controls to select User Groups, Networks, or Hosts with Access Groups.
• Provide access to applications using domain names instead of the network to reduce your attack surface — eliminating lateral movement to other network resources from potential threats.

Network lateral movement is a technique used by cybercriminals to move through a compromised network to search for additional vulnerabilities and data.

In network security, Micro-Segmentation is the practice of separating network subnets. This provides a reduced attack surface for potential threats and allows administrators to isolate and contain potential breaches.

Tenant means a customer. A service or equipment is called multi-tenant when the same equipment can serve multiple customers by logically separating them instead of using multiple instances of the same equipment and dedicating each instance to one customer. The servers in a Cloud Connexa PoP are shared by multiple customers/tenants and isolated by virtualization.

Domain-based routing is an OpenVPN feature that allows network administrators the ability to route traffic to different connected networks using FQDN (Fully Qualified Domain Names) assigned to applications hosted in those networks instead of using the network’s IP address subnet. To learn more about domain-based routing, read Cloud Connexa Launches Domain Routing Feature.

Cyber Shield content filtering is a feature of Domain Filtering that analyzes the domain names in DNS queries received from WPC clients only when domain filter monitoring is turned on. When Monitoring is active, Cyber Shield checks which content category each domain name being queried belongs in. If a domain name is matched to any of the 43 Cyber Shield Domain Filtering Categories that is configured to be blocked, the domain name is not resolved as expected and a “This site can’t be reached” page is displayed. Content can be blocked by chosing any of those categories or by using 1 of 3 domain filtering preset modes:

• Basic
• Safe Browsing
• High Productivity

Cloaking hides the private IP address ranges of your network from discovery. Even after connection to Cloud Connexa, the IP address ranges of connected private networks are not pushed to the connected device as routes when exclusively using Application Domain Name routing.

Multi-tenancy allows high scalability, reduced setup time, and better cost-effectiveness than single-tenant solutions.

Cloud Connexa DIVE is an additional security control to enforce Least Privilege, by allowing Owners and Administrators to restrict user access to only trusted devices. This is accomplished by establishing a 1:1 relationship with a user’s connection Profile and the device’s UUID - restricting profile re-use from an unregistered Device.

If you have not already done so:

1. Create your Wide-area Private Cloud based on your use case:
   1. Remote Access
   2. Site-to-Site
   3. Restricted Internet Access
2. Define your trusted Applications and IP Services
3. Define trusted Users and Devices. To learn how to activate Device Enforcement, read our User Guide - Device Identity Verification & Enforcement (DIVE).
4. Define Access Policies
5. Shield against cyber threats

Yes, your users must have the OpenVPN client running the minimum client version for their Operating System to enable Device Enforcement.

The following are the minimum client versions to enable Device Enforcement for users within their respective WPC: