# Zscaler EDU-200

![image](https://hackmd.io/_uploads/Hyy5oAW5yx.png)

## ZTE Overview

The Zero Trust Exchange (ZTE) is built from three main components: ZIA, ZPA and ZDX. Together they reduce the attack surface.

![image](https://hackmd.io/_uploads/ryEQ6Zz91x.png)

The overall feature set is shown in the diagram below (every block is examinable). It covers:

* Identity Service
* Connectivity Services
* Platform Services
* Zscaler Digital Experience
* Access Control Services
* Cyberthreat Protection Services

![image](https://hackmd.io/_uploads/rJDhTWfqye.png)

## ZIA

Internet access through the Zscaler platform.

Provide users with fast, secure, and reliable internet and SaaS access while protecting against advanced threats and data loss.

## ZPA

Access back into the private network through the Zscaler platform.

Connect users seamlessly and securely to private apps, services, and OT devices with the industry's only next-gen Zero Trust Network Access (ZTNA) platform.

Timeout policy: the minimum timeout is 10 minutes.

![image](https://hackmd.io/_uploads/rJ8JFzzc1x.png)

## ZDX

Monitoring of application and network experience through the Zscaler platform.

Monitor digital experiences from the end user's perspective to optimize performance and rapidly fix application, network, and device issues.

# Identity Service

## SAML

SAML is about the secure exchange of authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP); it is what makes single sign-on (SSO) possible. Zscaler acts as the SP (Service Provider).

Supported authentication methods:

* LDAP
* Hosted Database
* SAML

SAML in brief:

* Basics: Enhances security and user convenience by simplifying access to multiple services with a single set of credentials.
* Key Components: Involves the Service Provider (SP), the Identity Provider (IdP), and Security Assertions to facilitate seamless authentication and authorization. (Zscaler plays the SAML SP role.)
* SSO and Federation: Facilitates Single Sign-On (SSO) and identity federation, enabling access to various applications through a singular login process.
* Authentication Flow: Entails the initiation of authentication requests and the issuance of a secured SAML assertion by the IdP to the SP, which grants access to the user.
![image](https://hackmd.io/_uploads/BJg25fMcJg.png)

## [SCIM](https://help.zscaler.com/zia/understanding-scim)

SCIM addresses the need to manage user identities across different systems in a standard way: not just verifying who a user is, but keeping that user's information consistent and current on every platform.

The system for cross-domain identity management (SCIM) is the standard for automating the exchange of user identity information between identity domains and provides automatically-driven updates to user attributes on changes in the home directory. It supports the addition, deletion, and updating of users as well as the ability to apply policy based on SCIM user or group attributes.

It has two main parts.

### Resource Model

A standardized framework for defining users, groups and organizational data, used to keep that data consistent across platforms. How it works:

* Standard Schema: It sets up a consistent framework for defining resources such as users and groups, ensuring that all systems understand the data in the same way.
* Complex Types Support: The model accommodates a range of data complexities, from basic attributes to more detailed sub-attributes and multi-valued attributes, to address diverse organizational needs.
* JSON Encoding: Information is encoded in JSON, making it easy to handle and exchange data across different web technologies.

### REST API

What are REST API Operations?

REST API Operations are the actions that can be performed using SCIM, such as adding, retrieving, modifying, or deleting user information, to keep systems in sync. (The REST API is the mechanism that keeps the identity information synchronized.)

How REST API Operations Work

With REST API, the following operations are essential for interacting with user and group resources within a SCIM-enabled system:

* Create: Establish new user or group records.
* Read: Access and retrieve details about existing resources.
* Update: Modify attributes of users or groups as required.
* Delete: Remove users or groups when they are no longer needed.
* Search: Locate resources quickly based on specific criteria.
* Bulk: Perform actions on multiple resources at once, streamlining management tasks.
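The following reconciler is an added illustration (it is not Zscaler code or SCIM reference code) of how the REST operations above keep a target such as a ZTNA service in step with the home directory: it encodes directory records in the SCIM JSON resource model, then diffs a source snapshot against the target's current state and emits the Create, Update and Delete calls for users and PATCH membership changes for groups. The directory snapshots, the /Users and /Groups paths and the use of externalId as the resource path are constructed assumptions of the example (a real server addresses resources by its own id).

```python
"""SCIM provisioning sketch: JSON resource model plus the REST operations that
bring a target identity store in line with the home directory.

Added illustration, not Zscaler code. The directory snapshots are constructed
sample data; resources are addressed by externalId here for readability,
whereas a real SCIM server uses its own assigned id in the path."""
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def to_scim_user(u):
    """Encode a directory record in the SCIM resource model (JSON-ready dict).
    'name' is a complex attribute, 'emails' a multi-valued one."""
    return {
        "schemas": [SCIM_USER],
        "externalId": u["id"],
        "userName": u["email"],
        "name": {"givenName": u["given"], "familyName": u["family"]},
        "emails": [{"value": u["email"], "primary": True}],
        "active": u.get("active", True),
    }


def plan_sync(source_users, source_groups, target_users, target_groups):
    """Compute the REST operations that make the target match the source.
    *_users: {externalId: record}; *_groups: {displayName: set(externalIds)}.
    Returns (method, path, body) tuples in the order they should be applied."""
    ops = []
    # Users: create the missing ones, replace the changed ones, delete the gone ones.
    for ext_id, rec in source_users.items():
        wanted = to_scim_user(rec)
        if ext_id not in target_users:
            ops.append(("POST", "/Users", wanted))
        elif to_scim_user(target_users[ext_id]) != wanted:
            ops.append(("PUT", f"/Users/{ext_id}", wanted))
    for ext_id in target_users:
        if ext_id not in source_users:
            ops.append(("DELETE", f"/Users/{ext_id}", None))
    # Groups: membership drift becomes PATCH add/remove operations.
    for name, members in source_groups.items():
        if name not in target_groups:
            ops.append(("POST", "/Groups", {"schemas": [SCIM_GROUP], "displayName": name,
                                            "members": [{"value": m} for m in sorted(members)]}))
            continue
        current = target_groups[name]
        patch = [{"op": "add", "path": "members", "value": [{"value": m}]}
                 for m in sorted(members - current)]
        patch += [{"op": "remove", "path": f'members[value eq "{m}"]'}
                  for m in sorted(current - members)]
        if patch:
            ops.append(("PATCH", f"/Groups/{name}", {"schemas": [PATCH_OP], "Operations": patch}))
    for name in target_groups:
        if name not in source_groups:
            ops.append(("DELETE", f"/Groups/{name}", None))
    return ops


# Constructed sample: the home directory versus what the target currently holds.
SOURCE_USERS = {
    "u1": {"id": "u1", "email": "alice@example.com", "given": "Alice", "family": "Ng"},
    "u2": {"id": "u2", "email": "bob@example.com", "given": "Bob", "family": "Lee", "active": False},
}
SOURCE_GROUPS = {"zpa-users": {"u1"}, "sales": {"u1", "u2"}}
TARGET_USERS = {
    "u2": {"id": "u2", "email": "bob@example.com", "given": "Bob", "family": "Lee"},
    "u3": {"id": "u3", "email": "carol@example.com", "given": "Carol", "family": "Wu"},
}
TARGET_GROUPS = {"zpa-users": {"u3"}, "sales": {"u2"}}


def demo():
    """Alice is new, Bob was deactivated, Carol left; two groups drifted."""
    return plan_sync(SOURCE_USERS, SOURCE_GROUPS, TARGET_USERS, TARGET_GROUPS)


if __name__ == "__main__":
    for method, path, body in demo():
        print(method, path, json.dumps(body) if body else "")
```

Deactivation (Bob) arrives as a PUT with active set to false rather than a DELETE, which is the usual way a directory off-boards a user while keeping the record for audit; a removed user (Carol) is the one that triggers DELETE.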
ZPA supports SAML and SCIM from multiple directories, including:

* Okta
* AAD (Azure AD)
* PingFederate

![image](https://hackmd.io/_uploads/B1cGbQMqJl.png)

### What is SCIM Data Management?

SCIM Data Management is the process that keeps user identity data synchronized and consistent. It's how we make sure that the information about users in your organization is the same everywhere it needs to be.

How SCIM Data Management Works

With SCIM enabled, the system generates protected, view-only lists within ZPA, comprising:

* SCIM Users: A register of individual user identities within the organization.
* SCIM Groups: Groupings that categorize users based on roles, departments, or access rights.
* SCIM Attributes: Specific characteristics or data points associated with users and groups.

### What is SCIM Synchronization?

SCIM Synchronization is the mechanism that automatically updates user and group information across different systems to ensure everything is current and accurate.

How SCIM Synchronization Works

This synchronization is a regular process that uses the API to refresh data:

* Automatic Updates: The system is set to sync approximately every **40 minutes**.
* Manual Triggers: Administrators can initiate a sync at any time to immediately reflect any urgent changes.
* Event-Driven Updates: Synchronization is prompted when specific events occur, such as:
  * A user is added to or removed from a group linked to the ZPA service.
  * A user is directly assigned or unassigned from the ZPA service.
  * A user is completely removed from the source directory.
  * Changes are made to user attributes within the source directory.

# Zscaler Client Connector

The Zscaler Client Connector application on the endpoint device verifies the user and device identity for the accessed application. It acts as a bridge between users and the Zero Trust Exchange, ensuring a seamless and protected experience.
Client Connector (ZCC) is the agent that verifies the user and the device. Its features include:

* Consistent Experience on all Platforms
* Strict Enforcement Options (tamper proof; a temporary, one-time exemption can be granted)
* Simple Enrollment
* Trusted Network Detection
* User Attribution and Asset Identification
* Transparent Authentication for Users
* Install Zscaler or Custom SSL Inspection Certificate

The main ZCC functions within the zero trust architecture are shown below.

![image](https://hackmd.io/_uploads/SkuO6rV9ke.png)

## Forwarding Mode

ZCC offers several ways to forward traffic to Zscaler Internet Access:

* Authenticated Tunnels
* Z-Tunnel - Packet Filter Based
* Z-Tunnel - Route Based
* Z-Tunnel with Local Proxy
* [Enforce PAC](https://help.zscaler.com/zia/understanding-pac-file) (when enabled, the user is forced to use the PAC file; a PAC file can be used with or without ZCC installed)
* None (no control)

ZIA Forwarding Profile and Proxy Tunnel Version

* Z-Tunnel 1.0 (web traffic only, i.e. HTTP/HTTPS)
* Z-Tunnel 2.0 (all protocols and ports; best practice)

As a rule use 2.0, with fallback to 1.0 if 2.0 cannot be established. Other recommendations:

* Enforcing a no-proxy configuration for tunnel mode.
* Understanding the behavior of Group Policy Object (GPO) updates.
* Ensuring consistency in proxy settings across different network types.

* Forwarding Profile: [Trusted Network Detection](https://help.zscaler.com/zscaler-client-connector/configuring-trusted-networks-zscaler-client-connector)
  > ZCC decides whether the current network is trusted by evaluating criteria such as the DHCP-assigned IP and the DNS server information.
  > The forwarding option ZCC applies depends on that trusted/untrusted state.
  > Best practice: use Z-Tunnel 2.0 and allow the transport to fall back from DTLS to TLS.
* Forwarding Profile: Profile Action for ZIA
  * Select forwarding mode based on Trusted Network: Tunnel, Tunnel with Local Proxy, Enforce Proxy, None. Best Practice - Tunnel mode
  * Select Tunnel Version. Best Practice - Tunnel 2.0
  * Z-Tunnel 2.0 Configuration
    * Configure tunnel transport: DTLS vs TLS
    * Connection timeout
    * Fallback methods and behavior (the behavior after fallback is configurable)
    * Advanced settings for TWLP (Z-Tunnel with Local Proxy) configuration
* Forwarding Profile: System Proxy Setting
  * With Z-Tunnel, traffic is intercepted natively - no need for Proxy Settings
  * Recommendation - Enforce "no proxy"
  * Automatically Detect Settings - Sends a WPAD lookup
  * Use Automatic Configuration Script - Forwarding PAC file; ZCC sets the system PAC file
  * Use Proxy Server for your LAN - Hardcode Proxy+Port + Bypass local addresses
  * Execute GPO Update - The Windows machine performs gpupdate /force
  * Different settings for VPN or Off-Trusted Network, or use the "Same as on Trusted Network" configuration
  * Referred to as the FORWARDING PAC file if configured

TLS vs DTLS

| Item | DTLS (Datagram TLS) | TLS (Transport Layer Security) |
| --- | --- | --- |
| Transport | UDP (User Datagram Protocol) | TCP (Transmission Control Protocol) |
| Typical use | Real-time applications such as video conferencing and VoIP | Most web traffic and applications |
| Use in Zscaler | Default transport for Z-Tunnel 2.0 (ZIA), with fallback to TLS; ZPA application tunnels | Fallback transport for Z-Tunnel 2.0 when UDP is blocked; HTTPS traffic proxied by ZIA |
| Advantages | Low latency, no TCP connection setup; tolerant of packet loss, suited to real-time traffic; faster handshake, suited to frequent connections | Reliable, preserves packet order and complete delivery; widely supported by most applications; built-in flow control reduces congestion |
| Disadvantages | No built-in flow control, so it suffers under congestion; packets may be lost and the application layer must compensate | Longer connection setup (TCP three-way handshake plus TLS handshake); higher latency, especially over long distances |
| Handshake | DTLS handshake over UDP | TLS handshake over TCP |
| Security | Same as TLS: encryption and integrity checks | Same as DTLS: encryption and integrity checks |
| Suitable applications | Video conferencing (Zoom, Teams, WebRTC), VoIP, internal application access | HTTPS, API services, general web browsing |

## Application Profile

It is crucial to configure application profiles for various devices, specifically Windows and Mac systems.
These profiles dictate the forwarding methods, tunneling protocols, and proxy settings used to manage traffic across the Zero Trust Exchange. (In short, the App Profile defines how traffic from each platform is handled: which Forwarding Profile applies, and which traffic is forwarded into the tunnel or bypassed.)

* Different App Profile for Windows, Mac, iOS, Android, Linux
* App Profile selects the Forwarding Profile
  * Defines which Tunnel Mode
  * Defines On/Off Trusted Network configuration
  * Defines if the system proxy is configured
* App Profile PAC URL defines the ZTE node to be used (based on GeoIP) and the traffic to be forwarded/bypassed
* Override Web Proxy Auto-Discovery (WPAD) - Ensures System/GPO WPAD configuration is prevented
* Restart WinHTTP - Ensures the system refreshes its proxy configuration
* Tunnel Internal Client Connector Traffic - Ensures health/profile updates pass through Z-Tunnels
* Cache System Proxy - If ZCC is uninstalled/disabled, put back the original proxy configuration

1. Client Connector ZIA Enrollment
   ![image](https://hackmd.io/_uploads/SJRN9PN91g.png)
2. Client Connector ZPA Enrollment
   ![image](https://hackmd.io/_uploads/HkCGjPE9Jg.png)
3. Client Connector Refresh Intervals
   * On network change (connect/disconnect), the system initiates a refresh of key components, including the App Profile, Forwarding Profile, PAC files, and policy updates to ensure seamless operation.
   * Every 15 minutes, the Client Connector periodically downloads the PAC files of the app profiles and forwarding profiles. This ensures that the latest configurations are readily available for network routing.
   * Every 1 hour, the Client Connector checks for policy updates from the app and forwarding profiles to implement changes promptly.
   * If PAC file URLs are modified, the system automatically triggers updates every 1 hour, as this qualifies as a profile change, guaranteeing consistency in network configurations.
   * Every 2 hours, the Client Connector performs checks for software updates, ensuring that the system remains up-to-date with the latest enhancements and security patches.
4. Device Posture and Posture Tests
   * Define device postures
     * BYOD vs corporate devices
     * Domain joined, registry, file, certificate trust
     * Client certificate + non-exportable private key
   * Device security
     * Anti virus
     * OS version
     * Disk encryption
     * Firewall
     * Endpoint protection: Carbon Black, CrowdStrike, SentinelOne, Defender
   * ZTA score

## Installing Zscaler Client Connector

* Accessing the Zscaler Client Connector Portal.
* Selecting the appropriate build for deployment.
* Downloading the file.
* Distributing it to end-user devices.

## Local Log Location

Local Disk Log Locations

In Windows systems, manual collection of Zscaler-related data involves navigating to the directory C:\ProgramData\zscaler and gathering the relevant information stored there.

For macOS, manual collection typically involves exporting logs from specific directories. These directories include:

* ~/Library/Application Support/com.zscaler.Zscaler/
* /var/log/zscaler

# Application Connector

App Connectors provide a secure, authenticated interface between a customer's servers and the ZPA cloud. They establish connections through the Firewall to the Zscaler cloud, which facilitates that connection as a reverse connection to enable users to access applications. (The connector sits beside the application servers and only dials out to the ZPA cloud; the user's session is stitched onto that outbound connection, so no inbound firewall rule or exposed listening port is needed for ZPA.)

Points to consider when installing App Connectors:

* Deploying connectors in pairs to ensure resilience (two, so one can take over from the other).
* Treating each location as a distinct connector group.
* Meeting routing and Layer 4 connectivity requirements.
* Ensuring proper configuration for applications such as Active Directory.
## Deploy App Connectors

* Deploy app connectors in data centers/IaaS
* Minimum of a pair of app connectors
* Different data center = different connector group
* Ensure app connectors can route to the internet and to internal applications
* [App Connectors have minimum VM requirements](https://help.zscaler.com/zpa/connector-deployment-prerequisites)
* App connectors should be able to connect to applications
  * TCP health check - ports open (443, 80, 10051)
  * UDP health check - **ICMP** open, or inferred from the TCP health check
* The source IP of requests will be the IP of the app connector. For Active Directory it is important that these IPs are registered in Sites & Services

## Deploy App Connectors - Provisioning Keys & Certificates

* Create a provisioning key for each connector group
* Provisioning keys are signed by an intermediate certificate authority
  * The intermediate CA is trusted by the root CA
  * Clients are enrolled against a client intermediate certificate authority
  * Revoking/deleting the intermediates breaks the trust and invalidates the provisioning keys
* Treat provisioning keys as credentials - don't share them in cleartext
  * Use the API to retrieve or generate them dynamically
  * Download from the UI, upload to connectors via SCP or copy/paste over SSH

## Application, Application Segment Group and Server Group

* An application is a fully qualified domain name (FQDN), a wildcard domain name, or an IP address that you define on a standard set of ports, or range of ports
* Applications must be defined within an application segment
* An Application Segment is a grouping of defined applications, based upon access type or user privileges
* Similar Application Segments should be placed in a Segment Group. For example, if you have a set of defined Application Segments that you want only users from the "Sales" department to access, you can create a Segment Group called "Sales Applications" and apply to it all sales-related applications

![image](https://hackmd.io/_uploads/B1AnxF4qkl.png)

App Connector, App Connector Group and Server Group

* App Connectors provide a secure authenticated interface between a customer's applications and the ZPA cloud
* App Connectors which can serve internal applications are grouped inside an App Connector Group. It is recommended to deploy App Connectors in groups for high availability and horizontal scaling
* An App Connector Group which can serve an internal application should be placed in a Server Group. Server Groups contain the servers that are hosting the applications. Instead of explicitly defining each server, you can allow ZPA to discover the appropriate servers for your applications as users request them

![image](https://hackmd.io/_uploads/rJoYWKNqyx.png)

## Pulling it Together - Where Each Component Fits

Use case: User accessing Jira in DC1

1. Traffic is identified on the client system to determine if it is an application which needs to be served by ZPA
2. After traffic reaches the Zero Trust Exchange (ZTE), policy evaluation takes place to determine if the user is allowed to access the requested application
3. If access is allowed as per the configured policy, then the App Connector group that is closest to the user's location is identified by the ZTE
4. The connection is then brokered, and the user is able to access the application

![image](https://hackmd.io/_uploads/rJwBzK45ke.png)

App Connector deployment stresses the secure handling of keys and best practices for trust. **[Dynamic server discovery](https://help.zscaler.com/zpa/enabling-dynamic-server-discovery)** ensures resilient, secure connections for efficient application access.
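As an added example (not Zscaler's code) of the four-step flow above, the sketch below matches a requested host and port against application segments (FQDN, wildcard domain, IP/CIDR, each on a port range), checks the segment group against the user's groups, and then picks the nearest App Connector group whose Server Group hosts the application. The segments, the access policy, the connector groups and the latency_ms proximity metric are all constructed sample data; the real exchange uses its own measure of "closest".

```python
"""ZPA brokering sketch for the flow above: identify the application segment,
evaluate policy, pick the closest App Connector group, broker the connection.

Added illustration, not Zscaler code. Segments, access policy, connector groups
and the latency_ms proximity metric are constructed sample data."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Application:
    """FQDN, wildcard domain (*.dc1.corp.example) or IP/CIDR, on a port range."""
    target: str
    ports: tuple  # (low, high), inclusive TCP port range

    def matches(self, host, port):
        if not (self.ports[0] <= port <= self.ports[1]):
            return False
        t, h = self.target.lower(), host.lower()
        if t.startswith("*."):
            # wildcard: any label(s) under the domain, but not the bare domain itself
            return h.endswith(t[1:]) and h != t[2:]
        try:
            return ipaddress.ip_address(h) in ipaddress.ip_network(t, strict=False)
        except ValueError:
            return h == t  # plain FQDN (or the host is a name and the target a network)


@dataclass
class AppSegment:
    name: str
    apps: list
    segment_group: str
    server_group: str


@dataclass
class ConnectorGroup:
    name: str
    location: str
    server_groups: set
    latency_ms: int  # constructed stand-in for "closest to the user's location"


# Constructed sample: Jira in DC1, a wildcard plus a subnet for DC1 hosts, HR in DC2.
SEGMENTS = [
    AppSegment("Jira", [Application("jira.corp.example", (443, 443))],
               "Engineering Apps", "DC1 servers"),
    AppSegment("DC1 hosts", [Application("*.dc1.corp.example", (22, 22)),
                             Application("10.1.0.0/16", (1, 65535))],
               "Engineering Apps", "DC1 servers"),
    AppSegment("HR portal", [Application("hr.corp.example", (443, 443))],
               "HR Apps", "DC2 servers"),
]
# Access policy: SAML/SCIM groups allowed per Segment Group (constructed).
ACCESS_POLICY = {"Engineering Apps": {"engineering"}, "HR Apps": {"hr"}}
CONNECTOR_GROUPS = [
    ConnectorGroup("DC1-A", "DC1", {"DC1 servers"}, 12),
    ConnectorGroup("DC1-B", "DC1", {"DC1 servers"}, 30),
    ConnectorGroup("DC2-A", "DC2", {"DC2 servers"}, 45),
]


def broker(host, port, user_groups):
    """Return (verdict, detail) with verdict in {'bypass', 'deny', 'allow'}."""
    # 1. Is the destination a ZPA application at all? If not, ZPA stays out of the path.
    seg = next((s for s in SEGMENTS if any(a.matches(host, port) for a in s.apps)), None)
    if seg is None:
        return "bypass", "not in any application segment; not served by ZPA"
    # 2. Policy evaluation at the exchange: does one of the user's groups grant the segment group?
    if not ACCESS_POLICY.get(seg.segment_group, set()) & set(user_groups):
        return "deny", f"{seg.name}: {sorted(user_groups)} not allowed for {seg.segment_group}"
    # 3. Closest App Connector group whose Server Group can serve this application.
    candidates = [c for c in CONNECTOR_GROUPS if seg.server_group in c.server_groups]
    if not candidates:
        return "deny", f"{seg.name}: no App Connector group serves {seg.server_group}"
    best = min(candidates, key=lambda c: c.latency_ms)
    # 4. Broker the connection through that group.
    return "allow", f"{seg.name} via {best.name} ({best.location})"
```

Note the order of the steps: a destination that matches no segment is handed back to ZIA or direct routing before any identity check, and policy is evaluated on the Segment Group rather than on individual servers, which is what lets dynamic server discovery add hosts without touching policy.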
# Zscaler Platform Services

## Device Posture

Device Posture is the security stance of a computing device, such as a computer, smartphone, or tablet. It includes various device settings, configurations, and security measures that determine its vulnerability to cyber threats. Essentially, it provides a comprehensive evaluation of the device's security health, providing insights into its potential risks and vulnerabilities.

### Policy Access Control

Detailed knowledge of the device's security state is what makes effective policy-based access control possible. The key elements of Device Posture are:

* Domain Joined Status: Determines whether the device is integrated into the organization's domain network.
* Registry, File, and Certificate Trust: Checks for the presence of specific registry keys, files, and trusted certificates, ensuring device integrity.
* Client Certificate with Non-Exportable Private Key: Verifies the existence of a client certificate issued by a trusted authority and ensures the private key cannot be exported, enhancing security.
* Device Security Measures: Includes assessing antivirus software, operating system version, disk encryption, firewall status, and endpoint protection solutions such as Carbon Black, CrowdStrike, SentinelOne, and Defender.
* CrowdStrike ZTA Score: Provides a metric for the device's adherence to zero-trust security principles, aiding policy decisions.

### SAML Authentication Response

Upon successful authentication, the SAML IdP sends an XML document called an Assertion. This assertion contains various attributes that the service provider (SP), Zscaler, can use to implement policies.

Example of a SAML response with attributes:

* NameID: Identifies the user (e.g., email address).
* IdP EntityID: Identity Provider Entity ID.
* SAML Attributes: Contains various attributes such as tenant ID, object identifier, identity provider, authentication methods, device context claims, user name, group memberships, and country information.
* SAML Assertion: Additional assertion data.
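To make the SAML authentication flow from the Identity Service section and the assertion attributes listed above concrete, here is an added example (not Zscaler's code) that consumes a SAML Response the way an SP does: it extracts the NameID, the IdP issuer (EntityID) and the attributes, checks the assertion's validity window and audience, and then applies a group-based entitlement decision of the kind the Mobile Admin policy makes. The response XML, the entity IDs and the group-to-service map are constructed; the sample is unsigned, and a real SP must verify the XML signature on the Assertion before trusting any of these values.

```python
"""SAML Response consumption sketch: parse the Assertion, validate its
conditions, then use the attributes for a policy decision.

Added illustration, not Zscaler code. SAMPLE_RESPONSE, the entity IDs and the
ENTITLEMENTS map are constructed. Signature verification is deliberately
omitted; without it none of these values can be trusted in production."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # for untrusted XML prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2025-01-15T09:00:00Z" Destination="https://sp.example/saml/acs">
  <saml:Issuer>https://idp.example/entity</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-15T09:00:00Z">
    <saml:Issuer>https://idp.example/entity</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-01-15T08:59:00Z" NotOnOrAfter="2025-01-15T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example/entity</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>engineering</saml:AttributeValue>
        <saml:AttributeValue>zpa-users</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="department"><saml:AttributeValue>R&amp;D</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="country"><saml:AttributeValue>TW</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Pull NameID, issuer, conditions and attributes (multi-valued) out of the Assertion."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "attributes": attrs,
    }


def validate(assertion, sp_entity_id, trusted_idps, now):
    """Reject assertions from unknown IdPs, meant for another SP, or outside their window."""
    if assertion["issuer"] not in trusted_idps:
        return "untrusted issuer"
    if assertion["audience"] != sp_entity_id:
        return "audience mismatch"
    if not (assertion["not_before"] <= now < assertion["not_on_or_after"]):
        return "assertion expired or not yet valid"
    return None


ENTITLEMENTS = {"zpa-users": "ZPA", "zdx-users": "ZDX"}  # constructed group -> service map


def decide(xml_text, now, sp_entity_id="https://sp.example/entity",
           trusted_idps=("https://idp.example/entity",)):
    """Authenticate, then entitle services from group membership (ZIA is the baseline)."""
    a = parse_assertion(xml_text)
    err = validate(a, sp_entity_id, set(trusted_idps), now)
    if err:
        return {"user": a["name_id"], "allowed": False, "reason": err}
    groups = a["attributes"].get("groups", [])
    services = ["ZIA"] + [svc for g, svc in ENTITLEMENTS.items() if g in groups]
    return {"user": a["name_id"], "allowed": True, "services": services,
            "department": a["attributes"].get("department", [None])[0]}


def demo():
    """Same assertion evaluated inside its window, after it, and for the wrong SP."""
    in_window = datetime(2025, 1, 15, 9, 1, tzinfo=timezone.utc)
    late = datetime(2025, 1, 15, 9, 10, tzinfo=timezone.utc)
    return (decide(SAMPLE_RESPONSE, in_window),
            decide(SAMPLE_RESPONSE, late),
            decide(SAMPLE_RESPONSE, in_window, sp_entity_id="https://other-sp.example/entity"))
```

The audience and time-window checks are what stop an assertion issued for one SP from being replayed at another, or a captured one from being reused later; the short NotOnOrAfter window in the sample (six minutes) is typical of what an IdP issues.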
![image](https://hackmd.io/_uploads/HyMJ96Vqkx.png)

### Trusted Networks

A network can be defined as trusted using the following criteria:

* DNS Server IP Addresses: The IP addresses of the DNS servers provided to the client device.
* DNS Search Domains: The DNS search domains provided to the client device.
* FQDN and IP Address Resolution: Fully Qualified Domain Names (FQDN) and the IP addresses they must resolve to on the trusted network.
* Condition Match: Whether the connection must meet ANY or ALL of the specified conditions to be considered a trusted network.

Configuration roughly follows these steps:

1. Define DNS Server IP Addresses: Specify the IP addresses of the DNS servers provided to the client device.
2. Define DNS Search Domains: Specify the DNS search domains provided to the client device.
3. Configure FQDN and IP Address Resolution: Define FQDNs and the corresponding IP addresses they should resolve to.
4. Set Condition Match: Determine whether the connection must meet ANY or ALL of the specified conditions to be considered a trusted network.

### Browser Access

Browser Access lets users authenticate and reach applications through **ZPA** from a web browser, without installing ZCC. Use it to:

* Control user access to applications on devices with operating systems that are not currently supported by the Zscaler Client Connector.
* Provide third-party access to applications on devices that might not be owned or managed by your company (e.g., contractor or partner-owned devices).

Browser Access enhances your ZPA experience by enabling you to:

* Make applications accessible for your users from any web browser without requiring Zscaler Client Connector or browser plugins and configurations.
* Use your existing Identity Provider (IdP) to provide access to your current users, contractors, and other third-party users without managing an internet footprint.

## TLS Inspection

TLS Inspection, also known as SSL Inspection, is a cybersecurity practice that inspects encrypted network traffic. It involves decrypting and analyzing the contents of TLS-encrypted communications between clients and servers to detect and prevent malicious activity, such as malware or data exfiltration, that may be hidden within encrypted connections.

When an HTTPS transaction is encrypted, it becomes unreadable to anyone who tries to view it. However, the Server or Domain Name can still be seen without inspection during a TLS Handshake (it travels in clear in the SNI extension of the ClientHello). This is the only piece of information that is visible to a viewer.

After decryption the following also become visible:

* HTTP Headers
  * Request and Response Headers
* Full Request URL
* Request Method
* All of the Payload

"TLS" will be used here to refer more accurately to the actual protocol that secures the communication. Since "SSL Inspection" is still the commonly used term, it will be used here to describe the activity of performing the inspection of TLS encrypted traffic.

Zscaler can decrypt and inspect the content itself: for example, when a PDF is downloaded from Google Drive in Google Chrome, Zscaler decrypts the traffic and inspects the actual file content.

Most traffic on the internet today is encrypted, and attackers wrap their traffic in encryption too. Reasons encrypted traffic keeps growing:

* Browsers warn users that they are not secure when visiting non-HTTPS websites.
* Services such as "Let's Encrypt" made it simple for any website to become a TLS website.
* Protocols like HTTP/2 are only delivered over TLS by browsers, leading to increased encrypted traffic.

### TLS Inspection Pillars

1. Scalability (inspect without limits and decrypt 100% of TLS traffic)
2. Easy to use
3. Decrypt securely
4. Privacy design
5. Visibility

SSL Inspection Modes in the Zero Trust Exchange (ZIA inspects as a man-in-the-middle, replacing the server certificate with one it issues; on the App Connector side a single certificate is used)

![image](https://hackmd.io/_uploads/B1si7PSckx.png)

How does ZIA SSL Inspection/SSL Proxy Work

![image](https://hackmd.io/_uploads/r1xZ4vBcJl.png)

Certificate Chain

![image](https://hackmd.io/_uploads/S16HNwB9kx.png)

![image](https://hackmd.io/_uploads/r1bPEPB51e.png)

#### Five-phase TLS inspection deployment

![image](https://hackmd.io/_uploads/ByzdSvSqJl.png)

1. Pre-work
   * Obtain legal/privacy/security stakeholder buy-in
     * Security without impacting privacy
     * Study what data Zscaler processes and the mitigating controls
       * User/Device obfuscation
       * Content never stored on disk
       * Restricted and monitored access controls (ISO, SOC-2, etc.)
   * Develop a communication plan to end-users (typically an acceptable-use policy update)
2. Root CA Enrollment
   ![image](https://hackmd.io/_uploads/SyhXIDHckx.png)
3. Initial Roll-out
   * Granular rule-based engine
     * User/group/department
     * URL Category/Cloud App
     * Destination IP/FQDN group
     * Device: Name, OS, Trust Level
   * Avoid breaking cert-pinned apps
     * Client OS, User Agent, Device
   * Enforce secure TLS usage
     * Minimum TLS versions
     * Certificate validation/revocation for inspected and uninspected traffic
   * Exclude from M365 One Click
   * Inspect OneDrive, SharePoint
4. Measure & Report
5. Extended Roll-out (decryption is widened to the remaining traffic in this later phase)

Certificate pinning, the reason pinned apps have to be excluded in phase 3:

* Attribute of a client application - not a server; not to be confused with HPKP (RFC 7469)
* The application is hardcoded with the server certificate (or CA certificate) public key
* The client treats any other certificate as invalid
* Prevents MITM attacks, but also prevents trusted MITM
* Common with iOS and Android
* DigiCert recommends not using pinning

[SSL Inspection](https://help.zscaler.com/zia/about-ssl-inspection)
[Deploying SSL Inspection](https://help.zscaler.com/zia/deploying-ssl-inspection)
[Certificate Pinning and SSL Inspection](https://help.zscaler.com/zia/certificate-pinning-and-ssl-inspection)

## Policy Framework

Policy Framework, as part of Zscaler's Platform Services, builds on various layers of the Zero Trust Exchange by consuming information from Identity platforms and Connectivity services (such as Browser Access, Client Connector).
This user and device information is then used to enhance the Policy Framework and provide context to other layers such as **Risk Score, User Analytics, Access Control and Device Posture**, as well as to strengthen the controls within the Cyber Protection, Data Protection, and Access Control services.

![image](https://hackmd.io/_uploads/BkzldXj5ye.png)

Policy Components of the Zero Trust Exchange

* How does the Zero Trust Exchange identify the user/device? SAML Authentication - which IdP to use?
* Is this user/device allowed to connect to the exchange? SAML IdP Policy & Zscaler Policy
* How is this user/device allowed to connect to the exchange? Trusted Network Policy; Browser Based Access, Privileged Remote Access, Isolated Access, Client Connector
* Which Zero Trust Exchange point should the user connect to? Trusted Network Policy; Private Service Edge
* Client Connector Policy: version control & profile control
* What services can this user/device consume from the exchange? ZIA/ZPA/ZDX; group based, with conditions based on the identity of user & device
* What is this user/device allowed to access through the exchange? Attribute based - Browser, SAML Attributes, Risk Score, Posture; device based - Managed or Unmanaged; group based - SAML or SCIM attributes; public/private applications? Allow/Deny/Other?
* How will encrypted traffic be handled? Trusted/Untrusted - Inspected/Pass-Through

:::success
The Zero Trust Exchange identifies the user through SAML assertions from the SAML Identity Provider (IdP) during authentication.
:::

### User Authentication and Policy Configuration in Zero Trust Exchange

Zscaler decides which Identity Provider authenticates a user as follows:

* Client Connector Authentication
  * If the user is prompted to enter a Username, the Domain (after the @) is used to identify the corresponding Identity Provider, and the user is redirected to authenticate with that provider.
  * If the client was installed with a --userDomain option, the Domain directly maps to the Identity Provider for authentication.
* Browser Based Access Authentication
  * When multiple identity providers are configured, users are prompted to enter a username/email. The Domain (after the @) determines the appropriate Identity Provider for redirection, and users authenticate with that provider.
  * If only a single Identity Provider is configured, the system automatically directs users to authenticate with that Identity Provider.
* Single vs. Multiple Identity Providers

  In most organizations, a single Identity Provider is commonly used for authentication purposes. However, there are instances such as during Mergers and Acquisitions or Cloud Migration when multiple Identity Providers are required to manage user authentication effectively. In order to configure multiple Identity Providers, the following steps should be followed:

  * **Add IdPs:** Incorporate the additional Identity Providers into the Administration Configuration.
  * **Configure Domain:** Establish domain configurations to link Identity Providers with user domains.
  * **Login:** When accessing Zscaler Client Connector or Browser Based Access, users may be asked to provide their credentials.
  * **Policy:** Create policies that associate domains with specific Identity Providers.

  During authentication, users may encounter prompts, or these prompts can be bypassed using installer options within Zscaler Client Connector.
* Service Entitlement

  After the user is authenticated into Zscaler Internet Access, the system uses the SAML attributes, which are then transferred to the Mobile Admin (the Zscaler Client Connector Portal). The Mobile Admin policy governs whether users will be enrolled in Zscaler Private Access and Zscaler Digital Experience, based on their group affiliations. To configure this process, you need to follow these steps:

  * **Add IdPs:** Incorporate the Identity Providers into Zscaler Internet Access.
  * **Configure Group Attributes:** Define the user's group affiliations.
  * **Establish Entitlement Policy in Mobile Admin:** Determine which groups have access to Zscaler Private Access or Zscaler Digital Experience. Alternatively, you can set a policy to enable access by default.

### Policy for Zscaler Internet Access

#### Policy Framework and Operational Flow in ZIA

Zscaler Internet Access follows a well-structured policy framework for traffic flow. This framework includes various policies for inspection and enforcement, such as the proxy engine, URL and file type control, data loss prevention, firewall, NAT control, IPS policy, bandwidth control, and more. The policies ensure comprehensive security measures by inspecting HTTP/HTTPS traffic, data loss prevention, sandboxing, and URL policies.

Internet Access Order of Operations

![image](https://hackmd.io/_uploads/ByV0WOrckg.png)

* Resources - to be used in Policy
  * Access Control
    * URL Categories - Predefined and custom categories
    * Bandwidth Classes - Group categories to apply Bandwidth Management
    * Time Intervals - Time windows to apply policy
    * Rule Labels - Labels to apply to rules
  * Data Loss Prevention
    * Dictionaries and Engines - Definitions for matches
  * Firewall Filtering
    * Network Services - L4 (TCP/UDP port) definitions & groups
    * Network Applications - L7 (DPI) definitions & groups
    * IP & FQDN groups - Source IP, Destination IP/FQDN/Wildcards
    * Application Services - Zscaler Managed Services, e.g. M365
  * Forwarding
    * Proxies & Gateways - Upstream proxies to forward to
    * Zscaler Private Access - Forward to ZPA Applications
  * Location Management - Static Locations for Policy & Bandwidth Management

#### Structured Rules and Criteria in Web Proxy Configuration

Zscaler's web proxy configuration actively structures and manages rules. It prioritizes rule order, naming conventions, SSL inspection, and criteria for rule application (including URL categories, user groups, and request methods), as well as DLP criteria and actions.
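The rule evaluation described above, as an added example rather than Zscaler's own engine: rules are ordered, the first rule whose criteria all match wins, a disabled or expired rule is skipped, and a criterion left empty on a rule means "any". The rule table, the URL category lookup, the "Work Hours" time interval and the sample requests are constructed; "Road Warrior" is the location a request receives when it does not come from a defined location.

```python
"""Web proxy rule evaluation sketch: ordered rules, first match wins, every
populated criterion on a rule must hold (logical AND), empty means "any".

Added illustration, not Zscaler code. RULES, URL_CATEGORIES, WORK_HOURS and
the requests in demo() are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed category lookup; a deployment uses predefined plus custom URL categories.
URL_CATEGORIES = {"mail.example.net": "Webmail", "box.example.net": "File Hosting",
                  "news.example.org": "News"}
WORK_HOURS = (9, 18)  # constructed "Work Hours" time interval, [09:00, 18:00)


@dataclass
class Rule:
    order: int
    name: str
    action: str                   # allow | caution | block | block_override | isolate
    enabled: bool = True
    expires: datetime = None      # the rule is treated as disabled from this instant on
    groups: set = field(default_factory=set)
    locations: set = field(default_factory=set)
    methods: set = field(default_factory=set)
    categories: set = field(default_factory=set)
    time_interval: str = None     # name of a defined time window, or None for always


@dataclass
class Request:
    user: str
    groups: set
    location: str                 # "Road Warrior" when not from a defined location
    method: str
    host: str
    when: datetime


def _in_interval(name, when):
    if name is None:
        return True
    if name == "Work Hours":
        return WORK_HOURS[0] <= when.hour < WORK_HOURS[1]
    raise KeyError(f"unknown time interval {name}")


def rule_matches(rule, req):
    """All populated criteria must hold; unpopulated criteria match anything."""
    if not rule.enabled or (rule.expires and req.when >= rule.expires):
        return False
    category = URL_CATEGORIES.get(req.host, "Miscellaneous")
    return all([
        not rule.groups or bool(rule.groups & req.groups),
        not rule.locations or req.location in rule.locations,
        not rule.methods or req.method in rule.methods,
        not rule.categories or category in rule.categories,
        _in_interval(rule.time_interval, req.when),
    ])


def evaluate(rules, req):
    """Top-down, first match. Returns (rule name, action)."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule_matches(rule, req):
            return rule.name, rule.action
    return "implicit default", "allow"  # constructed: stands in for a final catch-all rule


RULES = [
    Rule(1, "Block uploads to file hosting off-network", "block",
         locations={"Road Warrior"}, methods={"POST", "PUT"}, categories={"File Hosting"}),
    Rule(2, "Contractors: webmail isolated", "isolate",
         groups={"contractors"}, categories={"Webmail"}),
    Rule(3, "News with caution during work hours", "caution",
         categories={"News"}, time_interval="Work Hours"),
    Rule(4, "Retired pilot rule", "block", expires=datetime(2024, 12, 31)),
    Rule(5, "Default allow", "allow"),
]


def demo():
    """Same user/host seen from different locations, groups and times of day."""
    t = datetime(2025, 3, 3, 10, 30)
    return (
        evaluate(RULES, Request("alice", {"engineering"}, "Road Warrior", "PUT", "box.example.net", t)),
        evaluate(RULES, Request("alice", {"engineering"}, "HQ", "PUT", "box.example.net", t)),
        evaluate(RULES, Request("cara", {"contractors"}, "HQ", "GET", "mail.example.net", t)),
        evaluate(RULES, Request("alice", {"engineering"}, "HQ", "GET", "news.example.org", t.replace(hour=20))),
        evaluate(RULES, Request("alice", {"engineering"}, "HQ", "GET", "news.example.org", t)),
    )
```

The expired rule 4 still sits in the table but never fires; the catch-all rule 5 is what actually terminates evaluation, which is why the last rule in a real ruleset deserves as much review as the first.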
Web Proxy Rules are processed as an ordered layer, top to bottom.

* Traffic Type: traffic identified as HTTP/HTTPS is subject to Web Proxy Rules
* Rules
  * Rule Order - Rules are processed top-down, first-match
  * Admin Rank - Role Based Admin Controls: administrators of equal or lower rank can manage the rules
  * Rule Name - Freeform name for the rule
  * Rule Status - Enabled or Disabled
  * Rule Label - Predefined labels for grouping rules
* Inspection
  * SSL Inspection - Data inside encrypted tunnels
  * URL Filtering - HTTP Header or HTTPS SNI
  * File Type Control - Magic bytes, extension, MIME type
  * Sandbox - Content type
  * DLP - Content type
* Rule Expiration
  * Rules can expire, after which they become disabled

Web Proxy Criteria

* Users, Groups or Departments - Based on the SAML/SCIM attributes provided
* Locations or Location Groups - Fixed locations (defined); Road Warrior is the default undefined location
* Request Methods - HTTP request methods (CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE)
* Time - Time-of-day based policy (defined under Administration > Resources)
* Protocols - Traffic types detected through the HTTP tunnel: Native HTTP, Native HTTPS, SSL
* User Agent - Browser user agent strings
* Devices or Device Groups - From Zscaler Client Connector, Isolation, or OS types

Web Proxy Criteria - DLP Criteria

* Extends the criteria to select DLP Engines
* DLP Engines are defined as collections of Dictionaries to trigger on
* Cloud Applications or URL Categories to apply the policy on
* Defined minimum data size to apply DLP rules to
* Applies only to HTTP/HTTPS/FTP traffic

Web Proxy Actions

* Allow - Allow if the criteria are met
* Caution - Allow if the criteria are met and the user acknowledges a caution page (custom or default page)
* Block - Block if the criteria are met; display a custom block page or the default page
* Block with Override - Block if the criteria are met; allow a user to override the block through authentication
* Isolate - Redirect the user to an isolated container (Browser Isolation) before allowing access

#### Security Policy and Firewall Configuration in ZIA

The security policy requires that all incoming and outgoing traffic be inspected, but there may be exceptions for specific URLs. Advanced Threat Protection assesses traffic using different factors to assign a risk score. Firewall rules are applied from top to bottom, taking into account user, device, and service criteria to make decisions, and the actions can include allowing, blocking, or logging traffic.

Security Policy

* Malware & ATP Policy
  * Inspection is either on or off
  * Actions are either Allow or Block
* Page Risk Score
  * Tolerance for the risk of a page. The score is the percentage confidence Zscaler calculated of the content being malicious. 30 is the default.
* Security Exceptions
  * Unscannable & Password Protected
  * Do Not Scan URLs - Applies to both Malware & ATP

Firewall Rules

* Rules - Rules apply to all non-web traffic (TCP/UDP)
  * Rule Order - Rules are processed top-down, first-match
  * Admin Rank - Role Based Admin Controls: administrators of equal or lower rank can manage the rules
  * Rule Name - Freeform name for the rule
  * Rule Status - Enabled or Disabled
  * Rule Label - Predefined labels for grouping rules
* Standard vs Advanced Firewall
  * Standard - Port based, e.g. port 80 is HTTP
  * Advanced - Deep Packet Inspection (DPI) based, e.g. if the first bytes are "GET /" the flow is HTTP

Firewall Criteria - Logical AND

* Who, Where, When
  * Users, Groups or Departments - Based on the SAML/SCIM attributes provided
  * Locations or Location Groups - Fixed locations (defined); Road Warrior is the default undefined location
  * Time - Time-of-day based policy (defined under Administration > Resources)
  * Devices or Device Groups - From Zscaler Client Connector, Isolation, or OS types
* Services (AND)
  * Services OR Service Groups - Defined services (L4)
* Applications (AND)
  * Applications OR Application Groups - Defined applications (L7)
* Source IP (AND)
  * Source IP Groups (defined in Resources) OR specific IPs
* Destination IP (AND)
  * Destination IP Groups (defined in Resources) OR specific IPs
  * Countries OR URL Categories

Firewall Actions

* Allow - Allow the transaction
* Block/Drop - Silent drop; may result in retransmissions
* Block/ICMP - ICMP Port Unreachable (e.g. for UDP traffic)
* Block/Reset - TCP RST to reset the connection to the client for TCP, otherwise drop
* Logging
  * Aggregate - Transactions are grouped and logged periodically
  * Full - Log full transaction information for non-HTTP/HTTPS

#### Policy Configuration and Actions in Network Address Translation (NAT) and Intrusion Prevention System (IPS)

In Zscaler, NAT control operates similarly to firewall control, applying policies based on various criteria such as user attributes, location, time, and device type. It performs destination address translation and port address translation. Similarly, IPS criteria involve applying policies based on user, group, and location attributes, with actions including allowing, blocking, or resetting transactions and logging transactions for analysis.

NAT Criteria - Logical AND

* Who, Where, When
  * Users, Groups or Departments - Based on the SAML/SCIM attributes provided
  * Locations or Location Groups - Fixed locations (defined); Road Warrior is the default undefined location
  * Time - Time-of-day based policy (defined under Administration > Resources)
  * Devices or Device Groups - From Zscaler Client Connector, Isolation, or OS types
* Services (AND)
  * Services or Service Groups - Defined services (L4)
* Source IP (AND)
  * Source IP Groups (defined in Resources) OR specific IPs
* Destination IP (AND)
  * Destination IP Groups (defined in Resources) OR specific IPs
  * Countries OR URL Categories

NAT Actions

* DNAT IP Address or FQDN
  * Translate the destination IP from the client request
  * Translate TO a specific destination IP
  * Translate TO a specific FQDN - perform a DNS lookup and DNAT to the result
* DNAT Port (PAT)
  * Translate the destination port from the client request
  * Translate the port TO a specific port

IPS Criteria - Logical AND

* Who, Where, When
  * Users, Groups or Departments - Based on the SAML/SCIM attributes provided
  * Locations or Location Groups - Fixed locations (defined); Road Warrior is the default undefined location
  * Time - Time-of-day based policy (defined under Administration > Resources)
  * Devices or Device Groups - From Zscaler Client Connector, Isolation, or OS types
* Services (AND)
  * Services or Service Groups - Defined services (L4)
  * Advanced Threat Categories - IPS signature category
* Source IP (AND)
  * Source IP Groups (defined in Resources) OR specific IPs
* Destination IP (AND)
  * Destination IP Groups (defined in Resources) OR specific IPs
  * Countries OR URL Categories

IPS Actions

* Allow - Allow the transaction
* Block/Drop - Silent drop; may result in retransmissions
* Block/Reset - TCP RST to reset the connection to the client for TCP, otherwise drop
* Bypass IPS - Bypass the IPS engine
* Logging
  * Aggregate - Transactions are grouped and logged periodically
  * Full - Log full transaction information for non-HTTP/HTTPS

### Policy for Zscaler Private Access

ZPA enables secure access to internal applications without requiring a traditional VPN.
The policy for ZPA involves defining rules and configurations to ensure secure and controlled access to specific resources within an organization's network. Here is a general overview of the policy aspects for Zscaler Private Access:

#### Private Access Order of Operations

ZPA prioritizes user authentication via SAML/SCIM attributes and device posture checks. It evaluates policies based on user credentials and device attributes, including compliance status and network context. The order of operations involves:

* Connecting through the ZPA Public or Private Service Edge.
* Evaluating access policies.
* Applying isolation and inspection policies.
* Establishing tunnels between the Zscaler Client Connector and App Connectors.

![image](https://hackmd.io/_uploads/S17hQ9S51l.png)

**Private Access Policy**

* User Attributes
  * SAML
    * User Attributes
    * Device Attributes
  * SCIM Attributes
    * User Attributes
* Device Attributes from Connection
  * Client Connector Device Postures
  * Client Connector Trusted Network
* Client Type
  * Client Connector
  * Web Browser
  * Cloud Browser (Isolation)
  * ZIA Service (Traffic Forwarding)
  * Cloud Connector
  * Machine Tunnel

#### Analyzing Access Policy Criteria for ZPA

In the Zscaler Zero Trust Exchange, the access policy combines criteria such as application segments, SAML/SCIM attributes, client types, posture profiles, and trusted networks to determine access rights, reauthentication intervals, idle timeouts, client forwarding, inspection, and isolation policies.
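The criteria combination and the reauthentication timer this section describes, modelled as an added example (not Zscaler's code): the rule and request structures, the sample policy, and treating "no rule matched" as deny are assumptions made for illustration; the matching semantics (Default = A OR B, Selective = A AND B, client types and trusted networks ORed, first match wins, 10-minute minimum timeout, no reauth timer for Cloud Connector and Machine Tunnel) follow the notes.

```python
"""Added example (not Zscaler's code): a small model of the ZPA access-policy
criteria and the reauthentication timer covered in this section.

Assumptions: the rule/request structures and sample data are invented for
illustration; treating "no rule matched" as deny is also an assumption
(check the tenant's default rule). The semantics come from the notes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

MIN_TIMEOUT = timedelta(minutes=10)   # ZPA timeout policies cannot go below 10 minutes


@dataclass(frozen=True)
class Criterion:
    """One block of values. Default: ANY value present; Selective: ALL present."""
    values: frozenset = frozenset()
    selective: bool = False

    def matches(self, present: frozenset) -> bool:
        if not self.values:            # block not used by the rule: no constraint
            return True
        if self.selective:
            return self.values <= present
        return bool(self.values & present)


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                                  # "ALLOW" or "DENY"
    segment_groups: frozenset                    # Application Segment OR Segment Groups
    attributes: Criterion = Criterion()          # SAML/SCIM "attr=value" pairs
    client_types: frozenset = frozenset()        # A OR B
    postures: Criterion = Criterion()            # Client Connector posture profiles
    trusted_networks: frozenset = frozenset()    # Network A OR Network B


@dataclass(frozen=True)
class Request:
    segment_group: str
    attributes: frozenset
    client_type: str
    postures: frozenset
    trusted_network: Optional[str] = None


def rule_matches(rule: AccessRule, req: Request) -> bool:
    """All criteria blocks of a rule must hold; empty blocks impose nothing."""
    return (
        req.segment_group in rule.segment_groups
        and rule.attributes.matches(req.attributes)
        and (not rule.client_types or req.client_type in rule.client_types)
        and rule.postures.matches(req.postures)
        and (not rule.trusted_networks or req.trusted_network in rule.trusted_networks)
    )


def evaluate_access(rules, req: Request) -> Tuple[str, str]:
    """First matching rule decides; no match is treated as deny (assumption)."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "DENY", "no-match"


def timeout_is_valid(timeout: timedelta) -> bool:
    return timeout >= MIN_TIMEOUT


def needs_reauthentication(client_type: str, saml_issued_at: datetime,
                           now: datetime, timeout: timedelta) -> bool:
    """Authentication timeout: compare the SAML assertion issue time with the timer."""
    if client_type in ("cloud_connector", "machine_tunnel"):
        return False                   # these client types have no reauth timer
    if not timeout_is_valid(timeout):
        raise ValueError("ZPA timeout policies cannot be shorter than 10 minutes")
    return now - saml_issued_at >= timeout


# Constructed sample policy: finance managers on Client Connector with at
# least one of two posture profiles may reach the ERP segment group.
RULES = [
    AccessRule("erp-finance-managers", "ALLOW", frozenset({"ERP"}),
               attributes=Criterion(frozenset({"dept=finance", "role=manager"}), selective=True),
               client_types=frozenset({"client_connector"}),
               postures=Criterion(frozenset({"edr-running", "disk-encrypted"}))),
    AccessRule("erp-deny-everyone-else", "DENY", frozenset({"ERP"})),
]

MANAGER = Request("ERP", frozenset({"dept=finance", "role=manager"}),
                  "client_connector", frozenset({"edr-running"}))
ANALYST = Request("ERP", frozenset({"dept=finance", "role=analyst"}),
                  "client_connector", frozenset({"edr-running", "disk-encrypted"}))
MANAGER_BROWSER = Request("ERP", MANAGER.attributes, "web_browser", MANAGER.postures)

NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
ISSUED_45_MIN_AGO = NOW - timedelta(minutes=45)
THIRTY_MIN = timedelta(minutes=30)
FIVE_MIN = timedelta(minutes=5)

if __name__ == "__main__":
    for req in (MANAGER, ANALYST, MANAGER_BROWSER):
        print(req.client_type, sorted(req.attributes), "->", evaluate_access(RULES, req))
    print("reauth needed:", needs_reauthentication("client_connector", ISSUED_45_MIN_AGO, NOW, THIRTY_MIN))
```

The analyst is denied because the Selective attribute block requires both `dept=finance` and `role=manager`; with the Default mode either attribute alone would match.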
**Policy Criteria**

* Application Segment OR Segment Groups
* SAML/SCIM Attributes
  * Multiple attributes selected
    * Default - Attributes are A OR B
    * Selective - Attributes are A AND B
* Client Types - A OR B
* Client Connector Posture Profiles
  * Default - Attributes are A OR B
  * Selective - Attributes are A AND B
* Client Connector Trusted Networks
  * Network A OR Network B
* Create multiple rules where a single rule construct cannot be built

**Access Policy**

* Action - Allow or Deny
* Additionally - override App Connectors based on policy

![image](https://hackmd.io/_uploads/SkuoSqH51x.png)

Example - China users only use China App Connectors, even though other Connectors might be more suitable (China-only).

**Timeout Policy** - minimum 10 minutes

![image](https://hackmd.io/_uploads/S11vUVs9kx.png)

* Authentication Timeout
  * Should the user re-authenticate to access the application?
  * Examines the SAML issue time and compares it with the timer
* Idle Connection Timeout
  * Should ZPA terminate a connection if it is idle?
* Criteria are App Segment, SAML/SCIM, Client Type, Posture
  * Trusted Network criteria are not considered
* Cloud Connector & Machine Tunnels do not support the reauthentication timer

**Client Forwarding Policy**

* Defines which App Segments Zscaler Client Connector downloads
  * Default - All segments - policy applied in the cloud
  * Alternative - Specific segments based on policy
    * Explicitly based on attributes - Forward or Bypass
    * Explicitly based on Access Policy
      * Define a policy, or select "Only Forward Allowed Applications"
      * The Access Policy is evaluated and a list of segments is built
      * Client Connector downloads the segment list

### Policy for Zscaler Digital Experience

Zscaler Digital Experience policy determines probe activation based on user attributes like groups, users, locations, and devices, or on exclusion criteria, such as not activating a probe for specific user groups or locations (for example, when in the office).

**Digital Experience Policy**

* Per-Probe
  * Probing Criteria - Is the probe enabled
    * User Groups
    * Users
    * At Locations
    * Departments
    * Devices
  * Exclusion Criteria
    * User Groups
    * Users
    * At Locations
    * Departments
    * Devices

Example: Web probe enabled for all users; exclude the probe when at location "office".

# ZDX

* Endpoint Monitoring
* Network Monitoring
* Application Monitoring
* UCaaS (Unified Communications as a Service) Monitoring

## Introduction to ZDX & its Architecture Overview

### ZDX Architecture

The ZDX solution architecture is composed of the following blocks:

* **ZDX Central Authority (CA)** - The ZDX CA is the brain and nervous system of ZDX. It monitors the cloud and provides a central location for software and database updates as well as policy and configuration settings. The design is similar to that of the Zscaler Internet Access (ZIA) CA.
* **Zscaler Client Connector** - The Zscaler Client Connector provides device metrics at negligible additional CPU consumption. It exchanges information with the Telemetry and Policy Gateway to receive configuration from ZDX and reports metrics to the cloud service for consumption. The service also provides latitude and longitude coordinates for geolocation if the operating system's location services are enabled.
* **Zero Trust Exchange (ZTE)** - The ZDX cloud connects and authenticates to the ZIA and Zscaler Private Access (ZPA) clouds to retrieve users, departments, and locations. It also connects to the Zscaler Client Connector Portal for integrated management of Zscaler Client Connector and ZIA definitions. User-definition infrastructure and integration for ZDX standalone deployments without ZIA/ZPA services are also included.
* **Telemetry and Policy Gateway (TPG)** - Responsible for monitoring device status and determining application access according to policy. This is a multi-tenant RESTful application for traffic control. The TPG acts as a gateway for monitoring metrics, policies, and the data lake. Zscaler Client Connector metrics are sent to Microsoft Azure Data Explorer (ADX) and policies are sent to the Zscaler Client Connector. It also uses a stateless design for scalability.
* **ZDX Admin Portal** - With administrator access for configuration, reporting, alerting, and analysis, the ZDX Admin Portal integrates with ZIA/ZPA management to provide a centralized configuration. ZDX provides granular role-based access control with single sign-on (SSO) in the Zscaler Client Connector Portal for administrators.

:::danger
Receive and review in-depth [alert](https://help.zscaler.com/zdx/about-alerts) details in the ZDX Admin Portal, or triggered alerts that are sent via **emails and webhooks** based on the configured ranges and limits. Create configurable alert rules that are triggered when a preset threshold is reached for different types of events.
:::

* **ZDX Analytics** - The ZDX cloud leverages the Microsoft ADX analytics service.
* **Call Quality Monitoring** - The ZDX cloud integrates with the Microsoft Graph API or Zoom to read meetings and call quality data. Customer-specific onboarding is needed so that ZDX can read call quality data.

### How ZDX Score Works

![image](https://hackmd.io/_uploads/HkMYmb8c1l.png)

The ZDX Score is the scoring standard used to assess user experience; note that the maximum score is 100.

The ZDX Score is calculated by observing the **Page Fetch Time and availability of an application for a given user.** This is then baselined across all the users in that geolocation (country) accessing that particular application. ZDX periodically sends a probe to an application, by default every **5 minutes**. For each 5-minute period, measurements are taken and given a numerical value from 1 to 100. The lowest value within an hour becomes the ZDX Score for that hour.

1. Applications: Find the lowest value of each user that accessed the application during the selected time range.
   ![image](https://hackmd.io/_uploads/r1q-_ZU91g.png)
2. Departments, Locations, & Cities: Find the lowest value of users accessing the application during the time intervals, based on the selected time range.
   ![image](https://hackmd.io/_uploads/H1CXuWI51l.png)
3. Organizations: Identify the lowest value of each application for the time intervals, based on the selected time range.
   ![image](https://hackmd.io/_uploads/SkJtdW8cJe.png)
4. Users: Compare the values of all accessed applications.
   ![image](https://hackmd.io/_uploads/Sk6hdW8qJl.png)

The power of ZDX is being able to use these calculated scores to drill into issues when a score is visibly low. What might cause a good score to go down? The table below summarizes the potential causes of a low ZDX score and their corresponding descriptions.

![image](https://hackmd.io/_uploads/S1kH4WIqJg.png)

## Exploring Key Features, Use Cases, and Dashboard

![image](https://hackmd.io/_uploads/ry6d9WUqJe.png)

**Application**

![image](https://hackmd.io/_uploads/SJIR5WUqJl.png)

* Predefined Applications: Predefined applications are available in the ZDX Admin Portal when you log in. They provide quick and seamless application onboarding for admins.
* Custom Applications: Customizable SaaS or web applications that you can create and onboard in the ZDX Admin Portal for your organization.

Probes in ZDX ([Probe](https://help.zscaler.com/zdx/about-probes))

### Web Probes

Fetches data from the server without using a local cache.

* Page Fetch Time: This metric collects the network fetch time of the web page from the URL specified in the Web probe. It requests only the top-level page document and does not request all embedded links within the web page. This gives users a metric similar to other developer tools.
* DNS Time: This metric represents the time it took to resolve the DNS name for the hostname specified in the Web probe URL.
* Server Response Time: Time to First Byte (TTFB).
* Availability (based on the HTTP response code): Availability is 1 if a success code is returned and 0 otherwise. If the probe times out, the availability defaults to 0.

![image](https://hackmd.io/_uploads/SJS-nZUc1l.png)

### Cloud Paths

Cloud Paths tests the connection path to the Zscaler Zero Trust Exchange over ICMP, TCP, and UDP to ensure the best network connection quality.

![image](https://hackmd.io/_uploads/BJLMhWIcyx.png)

![image](https://hackmd.io/_uploads/SJTJab891l.png)

### [ZDX sheet](https://www.zscaler.com/resources/data-sheets/zscaler-digital-experience.pdf)

## ZDX Features and Functionality

### Visibility into SaaS & Private Applications

Before Zscaler, the network path was hard to inspect; ZDX provides hop-by-hop detection at every node.

![image](https://hackmd.io/_uploads/BkWHn28qJg.png)

![image](https://hackmd.io/_uploads/SyKfYR8c1g.png)

### UCaaS Monitoring

UCaaS (communications and services) issues: there has been no complete way to handle Teams or Zoom problems.

* Troubleshooting blind spots - IT teams risk an incomplete understanding of performance issues due to network blind spots such as the internet, home Wi-Fi, et al.
* Lack of common context (hard to find the problem from one side alone) - Network, service desk/help desk and application teams have no easy way to collaborate on any single UCaaS performance issue
* Complexity and fragmentation - Many point monitoring tools contribute to telemetry data silos, add complexity to troubleshooting and increase overall resolution times

Bringing One Integrated View for Monitoring UCaaS Services

![image](https://hackmd.io/_uploads/rkolMro5yg.png)

Correlate Rich Telemetry Data Across all Sources

![image](https://hackmd.io/_uploads/BkOXsAUqJe.png)

### Software & Device Inventory

Software Inventory allows you to view current and historical information about software versions and updates on your users' devices. Device Inventory allows you to view current information about your organization's devices and their associated users.
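The score roll-up from "How ZDX Score Works" and the availability rule from the Web Probes list, carried through on constructed probe samples as an added example (not Zscaler's code): the sample data and the mapping from page fetch time to a 1-100 value are assumptions for illustration, since the notes do not give the exact formula; the 5-minute probes, lowest-value-per-hour rule and the per-application, per-department, per-organization and per-user roll-ups follow the notes.

```python
"""Added example (not Zscaler's code): reproduce the ZDX Score roll-up from
constructed web-probe samples, deriving availability from the HTTP response
code as the Web Probes list describes.

Assumptions: sample data and the fetch-time-to-score mapping (100 at or
under an assumed 2 s, shrinking in proportion above it) are invented for
illustration. The roll-up rules follow the notes.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GOOD_FETCH_MS = 2000     # assumed page fetch time that still earns a score of 100


@dataclass(frozen=True)
class ProbeSample:
    user: str
    department: str
    app: str
    minute: int                  # minutes since the start of the observation window
    http_status: Optional[int]   # None means the probe timed out
    page_fetch_ms: int


def availability(sample: ProbeSample) -> int:
    """1 if the probe got a success code, 0 otherwise (timeouts count as 0)."""
    if sample.http_status is None:
        return 0
    return 1 if 200 <= sample.http_status < 300 else 0


def sample_score(sample: ProbeSample) -> int:
    """Value from 1 to 100 for one 5-minute measurement (assumed formula)."""
    if availability(sample) == 0:
        return 1
    if sample.page_fetch_ms <= GOOD_FETCH_MS:
        return 100
    return max(1, round(100 * GOOD_FETCH_MS / sample.page_fetch_ms))


def hourly_scores(samples) -> Dict[Tuple[str, str, int], int]:
    """(user, app, hour) -> lowest 5-minute value in that hour, i.e. the hour's ZDX Score."""
    scores: Dict[Tuple[str, str, int], int] = {}
    for s in samples:
        key = (s.user, s.app, s.minute // 60)
        scores[key] = min(scores.get(key, 100), sample_score(s))
    return scores


def application_score(hourly, app: str) -> Optional[int]:
    """Applications view: lowest value of any user that accessed the app."""
    vals = [v for (_, a, _), v in hourly.items() if a == app]
    return min(vals) if vals else None


def department_score(hourly, samples, department: str, app: str) -> Optional[int]:
    """Departments/Locations/Cities view: lowest value among that group's users."""
    members = {s.user for s in samples if s.department == department}
    vals = [v for (u, a, _), v in hourly.items() if a == app and u in members]
    return min(vals) if vals else None


def organization_scores(hourly) -> Dict[Tuple[str, int], int]:
    """Organizations view: lowest value of each application per hour."""
    out: Dict[Tuple[str, int], int] = {}
    for (_, a, h), v in hourly.items():
        out[(a, h)] = min(out.get((a, h), 100), v)
    return out


def user_scores(hourly, user: str) -> Dict[str, int]:
    """Users view: the user's lowest value for each application accessed."""
    out: Dict[str, int] = {}
    for (u, a, _), v in hourly.items():
        if u == user:
            out[a] = min(out.get(a, 100), v)
    return out


# Constructed samples: two users, two apps, two hours (minutes 0-55 = hour 0)
SAMPLES = [
    ProbeSample("alice", "sales", "crm", 0, 200, 1200),
    ProbeSample("alice", "sales", "crm", 5, 200, 4000),    # slow fetch -> 50
    ProbeSample("alice", "sales", "crm", 10, 200, 1500),
    ProbeSample("bob", "eng", "crm", 0, 200, 1800),
    ProbeSample("bob", "eng", "crm", 5, 200, 6000),        # slow fetch -> 33
    ProbeSample("bob", "eng", "wiki", 0, 200, 1000),
    ProbeSample("bob", "eng", "wiki", 65, None, 0),        # timeout -> unavailable -> 1
    ProbeSample("alice", "sales", "wiki", 60, 200, 8000),  # -> 25
]

if __name__ == "__main__":
    hourly = hourly_scores(SAMPLES)
    print("crm app score:", application_score(hourly, "crm"))
    print("sales dept / crm:", department_score(hourly, SAMPLES, "sales", "crm"))
    print("org per app/hour:", organization_scores(hourly))
    print("alice:", user_scores(hourly, "alice"))
```

Note how one timed-out probe in hour 1 drags the wiki application score to 1 for the whole range, which is exactly why the notes say to use the score to drill down rather than read it in isolation.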
### Automated Root Cause Analysis (Y-Engine)

ZDX's **Y-Engine (Automated Root Cause Analysis)** allows an organization to automatically isolate the root causes of performance issues, spend less time troubleshooting, eliminate finger-pointing, and get users back to work faster. ZDX's APIs, in turn, integrate digital experience insights with popular ITSM tools like ServiceNow to provide additional insights and trigger remediation workflows.

**Fast Root Cause Analysis**

* Problem
  * Troubleshooting takes time and requires domain-specific tools
  * Mastering the tools requires a learning curve
  * Effective troubleshooting requires domain expertise
  * An obvious difference (like a change in PFT, DNS, etc.) may not be the contributing factor
* Solution
  * Use AI as an expert assistant for troubleshooting
  * Use AI to find problems and indicate remediation options

**Y-Engine** - Automated Root Cause Analysis (used for automated root cause analysis)

* across apps, services, users, regions, time, etc.
* due to ISP, Wi-Fi, backhaul, VPN, internet, egress, etc.

### ZDX APIs

* Access ZDX data to get more insights for specific scenarios
* Useful for integration with third-party platforms like ITSM (ServiceNow) & AIOps (Moogsoft)

API Access Flow

![image](https://hackmd.io/_uploads/BJDFJywqJl.png)

### ZDX Use Case

* Real-time Detection of SaaS Outages
* Baselining Performance Between Office and Working from Anywhere
* Detecting Employee Home Wi-Fi Issues
* Detecting High CPU Causing Application Degradation
* Visibility into Private Applications via ZPA
* Call Quality Monitoring for Microsoft Teams and Zoom

# Access Control Services

## Access Control Overview

Problems with traditional firewalls (vulnerabilities, performance, cost & complexity)

In today's world, where employees require access to the company's network from any location, at any time, and using any device, traditional on-premise firewalls are no longer effective. The main challenge with these legacy firewall appliances is that they use zone-based architectures to create boundaries between trusted internal and untrusted external networks. This approach introduces three significant business risks: **security vulnerabilities, performance issues, and higher costs and complexity.**

![image](https://hackmd.io/_uploads/SklP9yw5kx.png)

**Problems with Legacy On-Prem Firewalls**

* Security
  * Broad network access
  * Increased attack surface
  * Lateral threat movement
* Performance
  * Poor performance with TLS inspection
  * Long-lived connections to apps
  * Can't sustain peak ramp rate
* Cost & Complexity
  * Increases the cost to turn on full-stack security
  * Inconsistent security posture
  * Onus on the customer for patches, pen testing, etc.

## Access Control Services Suite

### Cloud App Control, URL Filtering, and File Type Control

**Cloud App Control**

Cloud App Control and URL Filtering are web access control features that help implement business requirements. These features provide granular control over internet usage by filtering specific applications and URLs according to predefined policies.

Both features can be used simultaneously, but Cloud App Control takes priority over URL Filtering. By default, if a user requests a cloud app explicitly allowed by the Cloud App Control policy, only the Cloud App Control policy is applied, not the URL Filtering policy (Cloud App Control takes priority over URL Filtering). However, it is possible to apply URL Filtering even if a Cloud App Control policy explicitly allows a transaction. This is known as Allow Cascading to URL Filtering.

**Allow Cascading to URL Filtering**

When both the Cloud App Control and URL Filtering policies need to be enforced, Cascading lets both policies apply.

* Default Behavior: When a Cloud App Control policy explicitly allows access, the URL Filtering policy is bypassed.
* With Allow **Cascading** Enabled (once enabled, the stricter approach is taken, so the URL Filtering rules take priority): Both Cloud App Control and URL Filtering rules are applied. This ensures comprehensive control by checking for Cloud App matches first, followed by evaluating the URL Filtering rules, regardless of the initial allow in the Cloud App Control policy.

**URL Filtering**

![image](https://hackmd.io/_uploads/B1IBbeD9yg.png)

![image](https://hackmd.io/_uploads/rkFc7gPc1x.png)

![image](https://hackmd.io/_uploads/S1WTXlw5Je.png)

**Tenancy Restriction**

Zscaler's tenancy restriction feature allows you to restrict access either to personal accounts, business accounts, or both for certain cloud applications. It consists of two parts: creating tenant profiles and associating them with Cloud App Control policy rules. (Tenancy Restriction is used to restrict personal-account and business-account access for certain cloud SaaS apps.)

![image](https://hackmd.io/_uploads/rJ1mVxD5kl.png)

**How is Zscaler URL Filtering different from others?**

![image](https://hackmd.io/_uploads/Sk8Frew9kl.png)

![image](https://hackmd.io/_uploads/Bko9HePq1e.png)

#### Cloud App Control Policy

* Provides granular control over popular websites and applications
* Easily access and configure rules in 17 categories and assign the rules to similar apps

Categories with Allow or Block options:

* Collaboration & Online Meetings
* Consumer
* DNS Over HTTPS Services
* Finance
* Health Care
* Hosting Providers
* Human Resources
* IT Services
* Legal
* Productivity & CRM Tools
* Sales & Marketing
* System & Development

#### URL Filter Policy

**URL Filter Rule Attributes**

* Rule Order
* Admin Rank
* Rule Name
* Rule Status
* Rule Label

**URL Filtering Rule Criteria**

* URL Categories
* Users, Groups, Departments
* Locations and Location Groups
* Request Methods
* Time
* Protocols
* User Agent
* Devices and Device Groups
* Rule Expiration

**URL Filtering Rule Actions**

* Allow
* Caution
* Block
* Isolate — Isolation Profile mandatory
* Daily Bandwidth Quota and Daily Time Quota are applicable with the Allow, Caution and Isolate actions.
* Allow Override — applicable with the Block action.
* Redirect URL — applicable with the Caution and Block actions
* [ICAP Receiver (Optional)](https://help.zscaler.com/zia/about-icap-receivers)

ICAP is a protocol dedicated to handling HTTP/HTTPS: the ICAP client sends part of the traffic to the ICAP server for analysis according to its configuration; after inspection, the ICAP server returns the result to the client, which decides whether to allow, block, or modify the traffic.

**Isolate Action in Internet Access URL Filtering Policies**

* Enhanced integration between ZIA and Cloud Browser Isolation.
* Dedicated "Isolate" action and Isolation profile selection in the URL Filtering Policy framework.
* Streamlined policy enforcement on traffic originating from the Cloud Browser, without losing the original user, location or client IP context.
* Full and fast SSO from ZIA to Cloud Browser Isolation (CBI) — a user authenticated to ZIA never has to authenticate to CBI manually.
* Accurate representation of isolated traffic in weblogs - Action as Isolated. Additional field for the user's original location, CBI as a device type.

**URL Filter Best Practices**

* Start with the current corporate acceptable internet usage policy and add changes as needed
* Use "Retain Parent Category" while creating custom categories
* Keep the most specific policy at the top and blanket policies at the bottom
* Block categories in the Legal Liability class (Adult Material, Drugs, Gambling, Illegal or Questionable, Militancy, Hate and Extremism, Tasteless, Violence, and Weapons/Bombs)
* Caution the Miscellaneous category and block Newly Registered & Observed Domains
* Look out for URL duplication within the categories and run a cleanup
* Recommended to block the "Security Category > Spyware/Adware" and "Anonymizer" URL categories
* Default Allow (do not configure an explicit any/any block) — all content is scanned regardless
* Configure a blacklist instead of a whitelist
* For block policies that are critical to enforce for certain groups, an additional block policy for unauthenticated traffic is recommended (enforced even with authentication issues)

#### File Type Controls

**Prevent Threats with File Type Controls**

* Control by policy on content types
  * URL Category
  * File Type
* Block access by reputation
  * Destination (IP, Domain, URL)
  * File (Hash)
* Protection via content scanning
  * AV and [Yara](https://docs.virustotal.com/docs/what-is-yara) engines for files
  * IPS and AV engines for web content
* Protection via multiple data points
  * PageRisk engine (domain, web page features)
  * Machine Learning engine (file features)
* Protect by isolating content
  * Render content on an external system and stream the content
  * Prevent exploit delivery
* Protection via behavior observation
  * Sandbox execution & dynamic analysis
    * The sandbox includes a [Patient 0](https://help.zscaler.com/zia/configuring-patient-0-alert) feature for handling unknown files
  * Additional AV, Yara, reputation detection

![image](https://hackmd.io/_uploads/S1reqgPckg.png)

### Bandwidth Control

Some scenarios require bandwidth control, e.g. increasing throughput for productivity tools.

* Improving the performance of productivity apps like O365, Salesforce, etc., across all or some locations
* Limiting bandwidth consumption by non-productivity apps such as YouTube, Facebook, Netflix, etc.
* Restricting bandwidth for non-productivity apps during working hours only
* Controlling bandwidth for Windows and iOS updates
* Limiting bandwidth for certain applications in branch locations only

**Zscaler Bandwidth Control**

* The algorithm allows full utilization of bandwidth unless there is contention
* Once beyond the quota, packets are buffered (shaping and buffering vs. packet drop/policing)
* Slows down applications using the TCP window size and other techniques
* Rebalances bandwidth every 1 second if multiple rules are defined

Policing vs. Shaping (policing directly checks whether traffic exceeds the bandwidth; shaping smooths traffic through buffering)

![image](https://hackmd.io/_uploads/SJRq0gDqJx.png)

### Microsoft 365

A pivotal element within Zscaler's suite of Access Control Services is the secure local internet breakout specifically designed for Microsoft 365 traffic. This feature is crucial for enhancing the efficiency and reliability of M365 applications within an enterprise environment, enabling a direct and secure route for traffic and significantly reducing latency.

**Issues with the traditional mode for Office 365 traffic**

* Exchange Online
  * Latency due to distance and operations
  * Outlook requires multiple TCP connections per user (5-10)
  * Designed for transient rather than persistent connections
* Microsoft Teams
  * Traditional proxies don't handle User Datagram Protocol (UDP) traffic
  * Additional persistent connections by the client
  * Teams media traffic prefers UDP for transport
  * Media traffic can add high load
* SharePoint Online & OneDrive for Business
  * Additional persistent connections by the client
  * Large amount of data movement
  * Same destination IP used for all connections
* Office and Windows updates
  * High update frequency
  * Risk of bandwidth saturation due to repeated downloads for each machine
  * Microsoft 365 app updates range from about 100-500 MB and can be numerous each year depending on the channel

Microsoft 365 network connectivity principles

![image](https://hackmd.io/_uploads/BySW7-PcJl.png)

#### M365 Best Practice

Recommended connectivity to Zscaler

![image](https://hackmd.io/_uploads/Hk7wiZvcyl.png)

### Segmentation & Conditional Access through Policies

Zscaler's Private Application Access securely makes connections into an organization's private applications regardless of the user's location and device. Zero trust is at the heart of our approach to application access, ensuring a user is not brought onto a corporate network and can only access the applications they need and are authorized to access.

#### Private Application Access

* An application may be in any type of data center (IaaS/PaaS/SaaS/physical)
* Users may be on managed or unmanaged devices
* Devices may have any level of trust (AV, firewall)
* Users may have varying levels of trust (group membership, UEBA, risk score)

Application access is based on policy:

* User Identity — group membership, risk, attributes
* Device Identity — attributes — managed or unmanaged?
* Device Posture — antivirus, firewall, endpoint checks
* Application Risk & Controls
* Application Access Controls — Client Connector, browser-based access, isolated or privileged access

Policies are based on:

1. Identity — is the user who they say they are?
2. Device posture — is the device secure?
3. Access — should the user have access to the application?

Overview of configuration steps for secure private application access:

* Reachability: Where is the application hosted?
  * Where does the application reside?
  * Deploy an App Connector group in the application location
  * Define Server Groups containing App Connector Group mappings
* Application Details: What is the application?
  * Configure an App Segment with the FQDNs and ports of the application
  * Map the Server Group to the App Segment
  * Use Segment Groups to group applications together for policy
* Policies: Who should have access to the application?
  * Configure a least-privilege policy to allow access to Segment Groups
  * Use Access Policy to control access
  * Use Client Forwarding Policy to define the distribution of segments to clients
  * Use Reauthentication Policy to periodically challenge users
  * Use Isolation Policy to restrict access controls
  * Use Inspection Policy to protect the application

#### Segmentation

**Why Segmentation**

* Segmentation limits network access to only the application or resource required
* In contrast, traditional VPNs provide access to all resources on the network when the user or device connects
* Eliminates discovery of applications the user has not been granted access to
* Segmentation uses policies to provide conditional access when the application is requested

Policies are based on:

1. Identity — is the user who they say they are?
2. Device posture — is the device secure?
3. Access — should the user have access to the application?

**Three levels of app segmentation with a Zero Trust Architecture**

1. User to App Segmentation - Business policies connect users to apps, not networks
2. Workload Segmentation in Hybrid, Multi-Cloud Environments
   * Virtual Private Cloud to Virtual Private Cloud (VPC to VPC)
   * Network Segment to Network Segment (Cloud to Cloud or DC)
3. Identity-based micro-segmentation
   * Unique identity for each app or process
   * ML models communications and automates policy creation

![image](https://hackmd.io/_uploads/HykU4dwqkg.png)

**Application Segmentation** - 5 steps for segmenting applications

![image](https://hackmd.io/_uploads/rkkE__w9yg.png)

Application, Application Segment and Segment Group

![image](https://hackmd.io/_uploads/ryyT_uw91x.png)

### Firewall

**Cloud Firewall**

The Zscaler Cloud Firewall is a next-gen firewall that provides complete control over all ports and protocols as well as applications and/or services for all Zscaler users regardless of location or device type. As previously described, the Zscaler Cloud Firewall provides **unlimited** scale and is not hampered by the limitations of legacy hardware.
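The firewall rule semantics these notes describe (top-down first match; criteria blocks ANDed within a rule, values ORed within a block; a port-based network service versus a DPI-based network application; and the combination of a network service and a network application in one rule acting as a logical AND, so that Telnet detected by DPI must be on port 23), as an added example that is not Zscaler's code: the rule and flow structures, the toy DPI classifier and the sample rule base and flows are assumptions made for illustration.

```python
"""Added example (not Zscaler's code): a minimal model of the ZIA Cloud
Firewall rule semantics described in these notes.

Assumptions: the Rule/Flow structures, the toy DPI classifier and the
sample rules and flows are invented for illustration; the destination
198.51.100.53 is a documentation address, not a real resolver.
"""
import ipaddress
from dataclasses import dataclass

# Predefined network services (L4, standard firewall): name -> {(protocol, port)}
SERVICES = {
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "DNS": {("udp", 53), ("tcp", 53)},
    "TELNET": {("tcp", 23)},
}


def classify_app(payload: bytes) -> str:
    """Toy DPI (advanced firewall): classify from the first bytes, whatever the port.
    Telnet option negotiation starts with IAC (0xFF) WILL (0xFB) / DO (0xFD)."""
    if payload.startswith(b"GET /"):
        return "HTTP"
    if payload[:2] in (b"\xff\xfb", b"\xff\xfd"):
        return "TELNET"
    return "UNKNOWN"


@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset
    protocol: str        # "tcp" or "udp"
    dst_port: int
    dst_ip: str
    payload: bytes       # first bytes sent by the client


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # ALLOW, BLOCK_DROP, BLOCK_ICMP, BLOCK_RESET
    groups: frozenset = frozenset()      # who (empty block = any)
    services: frozenset = frozenset()    # network services, ORed inside the block
    apps: frozenset = frozenset()        # network applications, ORed inside the block
    dst_nets: tuple = ()                 # destination IP groups, ORed inside the block


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every non-empty criteria block must match (logical AND across blocks)."""
    dst = ipaddress.ip_address(flow.dst_ip)
    blocks = [
        (rule.groups, lambda: bool(rule.groups & flow.groups)),
        (rule.services, lambda: any((flow.protocol, flow.dst_port) in SERVICES[s]
                                    for s in rule.services)),
        (rule.apps, lambda: classify_app(flow.payload) in rule.apps),
        (rule.dst_nets, lambda: any(dst in ipaddress.ip_network(n) for n in rule.dst_nets)),
    ]
    return all(check() for block, check in blocks if block)


def evaluate_firewall(rules, flow: Flow):
    """Top-down, first match wins; the rule base ends with a default block rule,
    as the Cloud-Gen Firewall best practice in these notes recommends."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    raise ValueError("rule base must end with a catch-all default rule")


# Constructed sample rule base
RULES = [
    # service AND application: DPI-detected Telnet must be on port 23
    Rule("allow-netops-telnet", "ALLOW", groups=frozenset({"netops"}),
         services=frozenset({"TELNET"}), apps=frozenset({"TELNET"})),
    Rule("block-telnet-any-port", "BLOCK_RESET", apps=frozenset({"TELNET"})),
    Rule("allow-internal-dns", "ALLOW", services=frozenset({"DNS"}), dst_nets=("10.0.0.0/8",)),
    Rule("default-block", "BLOCK_DROP"),
]

# Constructed sample flows
TELNET_IAC = b"\xff\xfb\x18"   # IAC WILL TERMINAL-TYPE
NETOPS_TELNET_23 = Flow("alice", frozenset({"netops"}), "tcp", 23, "10.20.0.9", TELNET_IAC)
NETOPS_TELNET_2323 = Flow("alice", frozenset({"netops"}), "tcp", 2323, "10.20.0.9", TELNET_IAC)
SALES_TELNET_23 = Flow("bob", frozenset({"sales"}), "tcp", 23, "10.20.0.9", TELNET_IAC)
INTERNAL_DNS = Flow("bob", frozenset({"sales"}), "udp", 53, "10.20.0.53", b"\x12\x34\x01\x00")
EXTERNAL_DNS = Flow("bob", frozenset({"sales"}), "udp", 53, "198.51.100.53", b"\x12\x34\x01\x00")

if __name__ == "__main__":
    for flow in (NETOPS_TELNET_23, NETOPS_TELNET_2323, SALES_TELNET_23, INTERNAL_DNS, EXTERNAL_DNS):
        print(flow.user, flow.protocol, flow.dst_port, flow.dst_ip, "->", evaluate_firewall(RULES, flow))
```

The Telnet session on port 2323 fails the first rule because the service block (port 23) and the application block (DPI) are ANDed, so it falls through to the DPI-only block rule, which is how the "evasive apps on non-standard ports" case in the use cases gets caught.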
![image](https://hackmd.io/_uploads/SJcp2ODc1e.png) * Full Protection for Work-From-Anywhere Users * Cloud-Delivered Local Internet Breakouts * Always-On Cloud Intrusion Prevention System (IPS) * DNS Control & Security * Complete Visibility within a Single Pane of Glass Firewall Control Policy * Network Service: {Port+Protocol} * Predefined -- HTTP: TCP+80, HTTPS: TCP+443, DNS:UDP/TCP+53 * Network Application:{Layer 7 metadata+Port+Protocol+IP} * Deep packet inspection(DPI) signature: Irrespective of port and IP * Network service & network application criteria in the same rule results in a logical "AND" condition * Telnet network service on Port 23 * Telnet network application on any port * “AND” results in telnet protocol as detected by DPl must be on port 23 * Criteria within the same network service or network app is logical "OR Use Case * Adaptive Work-from-Anywhere policies for all traffic * Dynamically inspects traffic for all users, apps, devices, and locations - both remote and on site/branch * Anomaly detection and dynamic risk computation for user, device and location * Secure Local breakout of M365 and SaaS Applications * Direct shortest path to M365 / Teams, optimized DNS resolution minimizing backhaul latency with easy 'one-click configuration' * Bandwidth Control to Prioritize Teams, M365 * Optimized DNS Resolution, Security & Control * Protects users from reaching malicious domains as the first line of defense * Optimizes DNS resolution to deliver better user experience and cloud appperformance * Provides granular controls to detect and prevent DNS tunneling * Context-aware Cloud IPS * Delivers always-on IPS threat protection and coverage, regardless of connection type or location * Inspects all user, IOT/OT traffic on and off the network, even SSL * Protect ALL traffic * Dynamically identify web and non-web traffic, evasive apps on non-standard ports ![image](https://hackmd.io/_uploads/r1JRO-_9yl.png) Cloud-Gen Firewall Best Pratice * Default block 
rule approach * Aligns with cybersecurity best practices * Default allow HTTP/HTTPS to proxy module, default block all other ports & protocols(預設允許HTTP/HTTPS) * Leave pre-defined rules "one clicks" at the top * [Zscaler proxy traffic](https://help.zscaler.com/zia/understanding-predefined-firewall-filtering-rules)(提供Zscaler資料中心IP位置的白名單) * UCaaS * M365 * Enable ‘auto-proxy forwarding' configuration * Includes HTTP, HTTPS, FTP, DNS, PPTP, RTSP * Craft rules to allow company approved applications for SSH, TELNET, FTPS * Use granular criteria in rules as needed to support business policies * User identity * Wild card or FQDN as destination * Location & Sub-location * Source IP addresses & Source IP groups * Time-of-day * Device posture # Cyber Protection Service Cybersecurity refers to the practice of protecting systems, organizational networks, and programs from digital attacks that are aimed at accessing, changing, or stealing sensitive information. Cybersecurity is used to defend against unauthorized access, exploitation, or destruction of devices, and data. A strong cybersecurity strategy has layers of protection to defend against cybercrime, including any cyberattacks that attempt to access, change, or destroy data. ## Cyber Security Threat A **Cybersecurity Threat** is anything that can harm systems or data through destruction, theft, alteration, disclosure, or denial of access/service. Cybersecurity threats can be intentional or unintentional, but unintentional ones—such as weak passwords or other security loopholes—are usually called vulnerabilities.(無意的威脅通常稱為漏洞) Current Cybersecurity Landscape ![image](https://hackmd.io/_uploads/BJKNcB_c1l.png) Stages of Cyberattack Framework There are four high-level stages of a cyberattack framework – Attack Surface, Initial Compromise, Lateral Movement, and Data Theft & Exfiltration. 
![image](https://hackmd.io/_uploads/HyAv5rd5Je.png)

Types of Cyberattacks

**Malware** is a type of malicious software that is designed to damage, disable, or get unauthorized access to a computer or other connected devices on the network.

**Phishing** is a type of cyberattack where an attacker poses as a legitimate entity, such as a bank, government agency, or a well-known company, to trick users into revealing sensitive information.

**Distributed Denial-of-Service (DDoS)** is a malicious act where an attacker floods a target with an excessive amount of traffic, requests, or data, causing the system to be overloaded and making it unable to respond to legitimate requests.

**Man-in-the-middle (MITM)** is a type of cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two parties.

**SQL Injection** is a code injection technique that is used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.

**Insider Threat** is a security risk that originates from within an organization. It can be intentional or unintentional, and can be motivated by a variety of factors, such as financial gain, ideology, or revenge.

**Cryptojacking** is a type of cyberattack in which a malicious actor uses another person's computer to mine cryptocurrency without their knowledge or consent. It can slow down a victim's computer and make it difficult to use.
How to stop attacks

An adaptable platform, automation and integration, and layered defense.

![image](https://hackmd.io/_uploads/r1fZhBd5ke.png)

Zscaler stops cyberattacks

Layered approach to threat and malware protection

![image](https://hackmd.io/_uploads/rytlaSd5Je.png)

How each main stage of an attack is addressed

![image](https://hackmd.io/_uploads/BkTVTBd51e.png)

## Zscaler's Cyber Security Service Suite

### Advanced Threat Protection

Advanced Threat Protection (ATP) is a subset of security solutions built to defend sensitive data against complex cyberattacks, including malware, phishing campaigns, and more. ATP often combines cloud security, email security, endpoint security, and more to augment an organization's defenses amid the ever-changing threat landscape.

**Command and Control Channels**

To set the stage, it is also important to understand command and control channels, as they are a part of every cyberattack. Let's take the example of a phishing attack to learn about command and control channels. Once a phishing attack occurs and a user is directed to malicious content, the following typically happens:

* One or more files could be downloaded.
* The attacker may also try to download secondary-level payloads onto the end user's machine.
* Once the endpoint has been exploited, attackers establish an outbound command and control channel to the adversaries' infrastructure.
* The adversaries want to have full control over the remote user's endpoint.

Adversaries want to see if there is a specific family of malware or second-stage payload that they would like to send to the user to make the attack more effective. To do all of this they need to communicate with the end-user device that they have compromised. This is what the command and control channel does.

Example: there is a common open-source tool called Cobalt Strike which has often been used by adversaries to create different levels of command and control traffic.
Zscaler Advanced Threat Protection

* URL Security Categories: reduce the attack surface with policy to control access to sanctioned SaaS applications, URLs and categories.
* CONTENT TYPES: identify and prevent access to potentially dangerous content, such as dangerous file types.
* REPUTATION: block known malicious sites, IPs and URLs through IOC exchange with industry peers, Cloud Effect, Threat Research and PageRisk.
* SIGNATURES & IPS: signature-based protection in Advanced Threat Protection, Cloud IPS and multi-scan AV engines.
* ML & ADV. ANALYSIS: machine-learning-based analysis of page content and transactions to detect anomalies and new attacks.

![image](https://hackmd.io/_uploads/BkHx_Uuq1e.png)

Newly Registered & Observed Domains (NRD, NOD)

* Sources
  * WhoisXMLApi for Newly Registered Domains
  * Farsight Feed for Newly Observed Domains
* Domains are categorized after 30 days
* Customers can block or isolate these categories

![image](https://hackmd.io/_uploads/S15zRUO51l.png)

Newly Revived Domains

* Sources
  * Farsight Feed for Newly Revived Domains
* These are domains that went offline and came back online
* Prevents attacks that repurpose old domains with a good reputation

PageRisk engine: detection via web page and domain features

* Suspicious Content Protection (aka PageRisk)
  * Multi-data algorithm applied to the web page (not the file)
  * The algorithm determines the riskiness
  * Blocked based on a customer-set threshold
* Risk (0-100) is based on several factors
  * Risky TLD (.tk, .ru, etc.)
  * Unknown user agent
  * Missing HTTP headers (User-Agent, Accept, etc.)
  * High-entropy domain name
  * Zero-pixel IFRAME
  * Script or IFRAME before the tag or after the tag (code injection)
  * Obfuscated JavaScript
  * Signatures for suspicious URL paths and HTML/JavaScript/CSS code

### Antivirus/Malware Protection

**Antivirus / Malware Protection** is a key component of Zscaler that protects organizations and their users from malicious files and attacks. Like Advanced Threat Protection, Antivirus sits under Zscaler's Cyber Protection capabilities in the Security Services suite.

* Maldocs: Maldoc, or Malicious Document, malware is used to deliver malicious documents. These documents carry harmful code or software with the intention of compromising a system or network. Common document types include Microsoft Office and PDF.
* Downloaders: Downloader malware is used specifically to deliver other malware. Common families include Emotet, SmokeLoader, and Pony.
* Ransomware: Ransomware is used to steal data and encrypt everything. Common families include Ryuk, REvil, Maze, and EKANS.
* Information Stealer: Information Stealer malware is used to steal sensitive information from target systems. Common families include Trickbot, Qakbot, Agent Tesla, and Ursnif.
* Post-Exploitation Tool: Post-Exploitation Tools are commonly deployed after an adversary has gained access. Common tools include Mimikatz, Meterpreter, and Empire.
* Remote Access Trojan: Remote Access Trojan (RAT) malware is used to provide full remote access to a target system. Common families include Nanocore, njRAT, and Remcos.

Common Delivery Mechanisms

* Phishing: using email to deliver malware, either via links or attachments. The most common delivery mechanism today.
* Exploit Kits: malicious code looking to exploit browsers or browser-related code for non-interactive malware delivery. Usually targets browsers, plugins, etc.
* Watering Hole: targeted or non-targeted malware planted on commonly accessed services.
* Pre-existing Compromise: compromise or unauthorized access initially executed by a different operator and sold to the highest bidder.

Malicious File Protections

* Virus
* PUA
* Trojan
* Worm
* Ransomware
* Adware / Spyware
* File Reputation
* Active Content
* Undetectable
* Unscannable

Detection/Protection via Content Scanning

* IPS, AV Engine Content Scanning
  * Malware
  * Botnet
  * Phishing
  * Anonymizer
  * Suspicious
  * Adware / Spyware
  * Peer to peer
  * Web spam
* AV, YARA File Scanning
  * Virus
  * PUA
  * Trojan
  * Worm
  * Ransomware
  * Adware / Spyware

### Detection & Response

#### Deception

**Deception** involves Detection and Response technology that helps security teams detect, analyze, and defend against advanced threats by enticing attackers to interact with false IT assets deployed within your network. Deception integrates with zero trust, detects the attack sequence, and initiates automated response actions across the Zscaler platform. When an attacker infiltrates the network, Deception detects threats, collects information on the attacker's actions and intentions, and generates high-fidelity, real-time alerts.

Let's now learn about the Detection and Response technology. The Detection & Response capability is designed to protect endpoint devices from cyberthreats like ransomware, fileless malware, and more. The most effective Detection & Response solutions continuously monitor and detect suspicious activities in real time while providing investigation, threat hunting, triage, and remediation capabilities.

Alert Framework: correlating logs and prioritizing alerts

* Predefined and custom **correlation rules** continuously evaluate logs to **create alerts**
* API- and webhook-based notification enables **integration** into SOAR tools for **response automation**

Alert Contextualization

* Threat Insights provides event contextualization through ThreatLabz threat intelligence.
* Threat scoring, severity and affected-asset information allow for fast prioritization of response.
* Webhook 3rd-party support
  * ServiceNow
  * Slack
  * Teams
  * Splunk
  * OpsGenie

# Data Protection Services

The adoption of Software as a Service (SaaS) and public cloud has rendered data widely distributed and difficult, if not impossible, to secure with legacy protection appliances. As such, it is easy for both careless users and malicious actors to expose enterprise cloud data. Unlike these complex legacy approaches that can't follow users, **Zscaler Data Protection is a simple but powerful way to secure all cloud data channels.** Zscaler protects all users anywhere and controls data in SaaS and public clouds, all with a robust and intuitive data discovery engine.

Zscaler data protection

1. Secure data in motion: inline proxy inspection
2. Protect data at rest: API inspection
3. Secure BYOD data: Browser Isolation

* Security Service Edge (SSE)
  * Secure Web Gateway
  * CASB
  * ZTNA
  * FWaaS
  * Browser Isolation
  * Sandbox
  * SSL Inspection
  * Threat Protection
* Prevent loss to Internet and Cloud Apps
* Prevent loss to BYOD and Unmanaged Assets
* Protect data inside Cloud Apps
* Manage Security Posture and Data Security

![image](https://hackmd.io/_uploads/H19ojvF5ye.png)

Zscaler's [DSPM](https://www.zscaler.com/zpedia/what-is-data-security-posture-management#dspm--cspm--and-ciem)

## Protecting data in motion

* Cloud Data Loss Prevention (DLP)
* Endpoint DLP
* Email DLP (primarily for corporate Exchange and Gmail)
* DLP for Private Apps

Inline Data Protection use cases

* Shadow IT Discovery
* AI/ML Data Classification
* Cloud App Control
* Tenancy Restrictions

Top Inline Use Cases:

* Shadow IT & Data Discovery: 40K apps & 75 risk attributes; ML-powered auto-classification & data discovery
* Cloud App Control: access control - 16 categories, 40K apps
* Tenancy Restrictions: personal vs corporate - granular policies; tenancy restrictions for sanctioned apps
* DLP inline for Web and SaaS: dictionaries, EDM, IDM, OCR, AIP/MIP labels
* EUBA & Adaptive Access: bulk upload, download, impossible travel, MFA
* Data Security on BYOD: Isolation Proxy

> Azure Information Protection (AIP) / Microsoft Information Protection (MIP) Labels - Microsoft Information Protection (MIP) provides sensitivity labels,

Zscaler Content Inspection Capabilities & Custom Dictionaries

Dictionary types available

* PII (US and International)
* PCI (CC#, ABA bank routing)
* PHI (patient records, ICD10)
* Source Code
* Adult Language/Profanity
* GDPR Data

Patterns can also be configured with regular expressions (Regex), e.g. a Taiwan national ID number: [A-Z][1-9][1-9]....

For file inspection, three steps are performed to reduce the chance of false positives:

1. First, look at some of the early bytes, called Magic Bytes
2. Second, look at the MIME type
3. Third, look at the file extension

What sets Zscaler Data Protection apart?

* Granular DLP policy based on users, groups, departments and location
* Extended boolean logic for building exceptions
* Incident management via SIEM, email, ticketing & on-prem Incident Receiver

Secure Custom Data with Exact Data Match

![image](https://hackmd.io/_uploads/BJaLMKF9Je.png)

* Predefined Dictionaries: Zscaler provides hundreds of predefined classifiers to identify Payment Card Industry (PCI) data, Personally Identifiable Information (PII) and Protected Health Information (PHI). Many of these predefined dictionaries are built on standard regex and Perl Compatible Regular Expressions (PCRE) engines, and many of them use AI and ML.
* Custom Dictionaries: Zscaler's customers can build their own dictionaries based on phrases, keywords and patterns, and regular expressions. For example, documents that have a header and footer with 'company confidential' or 'internal-use only' text.
* Exact Data Match (EDM): EDM was designed to learn from structured data. For example, you have a large CSV file with 200 million rows and 10 different columns representing employees' PII. If you want to keep track of all the information contained in this CSV file, feed it to Zscaler's EDM engine: it will keep track of all cloud transactions, match the transactions against the exact data from the CSV file, and trigger the actions you have defined.

Data Security for BYOD and Unmanaged Assets

For unmanaged or BYO devices, an Isolated Browser streams data to the device as pixels.

![image](https://hackmd.io/_uploads/rJl9rrFYcyl.png)

## Protecting data at rest

### Out-of-Band CASB

CASB comes in three modes: the out-of-band API setting, and the inline-mode Reverse Proxy and Forward Proxy.

1. **Data Discovery (Data at rest introspection)**: the first use case is data discovery; first you need to discover the data you must secure that is sitting in the cloud.
2. **Prevent Data Exposure (Public share, External share)**: once you have discovered your data sitting in the cloud, the next use case is to prevent data exposure.
3. **Secure Apps from Threats (Known and unknown malware)**: the third use case is to protect your applications and the data that is sitting in the cloud from known and unknown threats.
4. **Secure Corporate Exchange and Gmail (Threat Prevention for inbound emails and Data Loss Prevention for outbound emails)**: the fourth use case is a special module of the out-of-band CASB (now known as SaaS Security API) that scans your corporate Exchange and Gmail.
5. **SSPM (Misconfiguration and Compliance)**: last but not least, SaaS Security Posture Management (SSPM), which is all about preventing misconfigurations and compliance violations.

Zscaler's SSPM focuses more on application configuration issues, e.g. O365 without MFA enabled.

## Supplementary notes

* [Risk360](https://help.zscaler.com/risk360/what-risk360)
* Encryption/decryption logic
* Which major feature area Fundamentals falls under
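The PageRisk risk factors listed under Advanced Threat Protection above, worked through as an added example that is not Zscaler's engine: one transaction is scored 0-100 from its domain and page features and blocked at a customer-set threshold. The per-factor weights, the allow-listed User-Agent prefixes, the entropy cut-off and the sample transaction are constructed assumptions; the two risky TLDs are the ones the page names.

```python
import math
import re
from collections import Counter

# Per-factor weights, the allow-listed User-Agent prefixes and the entropy
# cut-off are assumptions of this example; the page gives only the factors.
RISKY_TLDS = {"tk", "ru"}                     # the two TLDs the page names
REQUIRED_HEADERS = ("User-Agent", "Accept")
KNOWN_UA_PREFIXES = ("Mozilla/", "curl/")
WEIGHTS = {"risky_tld": 20, "unknown_ua": 15, "missing_header": 10,
           "high_entropy": 20, "zero_pixel_iframe": 25,
           "injected_outside_html": 25, "obfuscated_js": 25}

def shannon_entropy(s):
    """Bits per character; random-looking (DGA-style) labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def page_risk(host, req_headers, body):
    """Score one transaction 0-100 and list the factors that fired."""
    hits = []
    if host.rsplit(".", 1)[-1].lower() in RISKY_TLDS:
        hits.append("risky_tld")
    for h in REQUIRED_HEADERS:             # each missing header counts once
        if h not in req_headers:
            hits.append("missing_header")
    ua = req_headers.get("User-Agent", "")
    if ua and not ua.startswith(KNOWN_UA_PREFIXES):
        hits.append("unknown_ua")
    label = host.split(".")[-2] if "." in host else host   # registrable label
    if len(label) >= 12 and shannon_entropy(label) > 3.5:
        hits.append("high_entropy")
    if re.search(r"<iframe[^>]*\b(width|height)\s*=\s*[\"']?0\b", body, re.I):
        hits.append("zero_pixel_iframe")
    # Script or iframe placed before <html> or after </html>: a typical sign
    # of content injected around an otherwise legitimate page.
    head, _, rest = body.partition("<html")
    tail = rest.rpartition("</html>")[2]
    if re.search(r"<(script|iframe)\b", head + tail, re.I):
        hits.append("injected_outside_html")
    if re.search(r"eval\s*\(\s*unescape\s*\(|fromCharCode\s*\((\s*\d+\s*,){8,}", body):
        hits.append("obfuscated_js")
    return min(100, sum(WEIGHTS[h] for h in hits)), hits

def verdict(score, threshold):
    """Customer-set threshold: block at or above it, otherwise allow."""
    return "block" if score >= threshold else "allow"

# Constructed sample: throwaway-looking host, no User-Agent, a script before
# <html> and a zero-pixel iframe in the body.
SAMPLE_HOST = "x7q9zk2mvb4ptr.tk"
SAMPLE_HEADERS = {"Accept": "*/*"}
SAMPLE_BODY = ('<script src="//x.example/a.js"></script>'
               '<html><body>hi<iframe src="//y.example" width="0" height="0">'
               '</iframe></body></html>')
```

`page_risk(SAMPLE_HOST, SAMPLE_HEADERS, SAMPLE_BODY)` fires five factors and saturates at 100, while a plain page with a normal browser request scores 0.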
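The three-step file identification from the Data Protection section above (magic bytes, then MIME type, then extension), as an added example that is not Zscaler's code: the signals are read in that order of trust, and any disagreement between them is reported instead of trusting the extension alone, which is what keeps a renamed executable from passing as a harmless document. The signature table and the sample files are constructed for the example.

```python
import mimetypes

# Leading-byte signatures ("magic bytes") for a few common types; a small,
# well-known subset chosen for this example, not a complete table.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-dosexec"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]
# Declared types that make no real claim about the content.
GENERIC = {None, "", "application/octet-stream"}

def type_from_magic(data):
    """Step 1: identify the content from its first bytes (None if unknown)."""
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    return None

def type_from_extension(name):
    """Step 3: what the file name claims to be (None if no known extension)."""
    return mimetypes.guess_type(name, strict=False)[0]

def identify(name, declared_mime, data):
    """Run the three checks in order and report whether they agree.

    Magic bytes are trusted most (changing them changes the content), the
    declared MIME type (step 2, e.g. a Content-Type header) next, and the
    extension last; the effective type is the most trusted signal present.
    """
    magic = type_from_magic(data)
    ext = type_from_extension(name)
    claims = [t for t in (magic, declared_mime, ext) if t not in GENERIC]
    effective = claims[0] if claims else "application/octet-stream"
    return {"name": name, "magic": magic, "declared": declared_mime,
            "extension": ext, "effective": effective,
            "consistent": len(set(claims)) <= 1}

# Constructed sample files (content cut down to the bytes that matter).
SAMPLES = [
    ("report.pdf", "application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj"),
    ("invoice.pdf", "application/pdf", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),
    ("notes.txt", "text/plain", b"meeting notes, nothing binary here"),
    ("archive.bin", "application/octet-stream", b"PK\x03\x04\x14\x00\x00\x00"),
]

def scan(samples=SAMPLES):
    """Return the names of samples whose three signals disagree."""
    return [identify(*s)["name"] for s in samples
            if not identify(*s)["consistent"]]
```

Only `invoice.pdf` is reported: its magic bytes say it is a DOS/Windows executable even though both the declared MIME type and the extension say PDF.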