Components for Internet Access Rules

Cisco Secure Access has various resources. Once you add a resource in Secure Access, you can protect the resource by setting up access and security controls on the Access policy. You can create access rules by assembling components that you or others have previously created.

Components described in this topic are reusable; you can use the same component (such as a source) in multiple rules, speeding and simplifying policy creation.

For example, you can define a set of users as a source, then use the same source in an internet access rule and in a private access rule for the same set of users. Some components are profiles, or groups of settings bundled together that you choose as a unit when configuring a rule.

Note: Most components for internet access rules are different from components needed for private access rules.

Sources

You can configure access policies for specific source-destination pairs. Sources are the users, groups of users, or other entities that comprise the "From" end of traffic that an access policy applies to.

You can use these reusable sources in internet access rules:

  • Users
  • User Groups
  • Network Tunnel Groups
    You can apply rules to traffic originating from IP addresses in network segments defined by Network Tunnel Groups.
  • Registered Networks
    You can apply rules to traffic originating from IP addresses in network segments defined by Registered Networks.
  • Roaming Devices
    You can apply rules to traffic originating from managed devices that have the Cisco Secure Client installed, but that may not currently be on the corporate network.
  • Sites
    You can apply rules to traffic originating from IP addresses in network segments defined by Internal Networks and Secure Access Virtual Appliances (DNS forwarders). For more information, see Internal Networks.
  • Security Group Tags
    You can apply rules to traffic originating from IP addresses in network segments that include Security Group Tags.
  • Catalyst SD-WAN Service VPN IDs
    You can apply rules to traffic originating from IP addresses in network segments that include VPN IDs.

In a rule, you can also specify sources by typing in IP addresses and subnets, but these are NOT reusable source components. When you do this, you can also type the port and protocol in the rule's destination.

For more information, see About Configuring Sources in Internet Access Rules.

Destinations

You will configure access policies for specific source-destination pairs. Destinations are the web applications, web sites in particular categories, or other internet destinations that comprise the "To" end of traffic that an internet access policy applies to.

Reusable destinations (destination objects) in internet access rules:

  • Destination Lists
    List groups of domains, URLs, IP addresses, and CIDR blocks to which you want to apply the same policy.
    You can create custom lists of destinations based on any criteria you choose.
  • Content Category Lists
    Create lists of web sites based on the content or type of the site, so you can control access to a variety of sites as a group. For example, you might create a content category list that includes all sites belonging to the Adult, Child abuse, and Pornography categories.
  • Application Lists
    Create lists of web-based applications to which you want to apply the same policy. For example, if you want to apply a single policy to all social media applications, you can create an application list that includes all applications in the Social Networking category.
    For some web-based applications, you can allow access to the application, but block uploads, downloads, and posting or sharing information. You will see these options in each rule when you configure applicable destinations in the rule. For details, see Advanced Application Controls.

When configuring rules, you can also:

  • Specify web sites by content category, or specify web applications or categories of web application, without creating content category lists or application lists.
  • Type destination IP addresses, ports, and protocols directly into the rule.

However, best practice is generally to create reusable destination objects when possible, so that you can apply rules consistently.

See also About Configuring Destinations in Internet Access Rules.

Security Controls

Security controls make use of profiles and other pre-configured sets of settings.

The following types of security controls apply to internet traffic:

Intrusion Prevention (IPS)

Intrusion Prevention protects your network and assets by inspecting traffic for specified threat characteristics.

You will specify a single intrusion prevention profile in each access rule.

Set Up Certificates for Decrypting Internet Traffic

Internet traffic must be decrypted in order to allow it to be inspected by intrusion prevention and by web security features, for example those defined in a Security Profile. In order to decrypt this traffic, certificates are required. You may have already set up these certificates to decrypt traffic for web security features.

See Certificates for Internet Decryption.

Configure Intrusion Prevention (IPS) Profiles

Intrusion Prevention (IPS) detects a large number of known threats. Sets of settings are grouped together in profiles, which you can specify in access rules. Secure Access provides several pre-configured profiles that address common needs, such as Balanced Security and Connectivity or Maximum Security. Or you can create a custom profile using Snort signatures. You can also choose to block or just monitor traffic that matches a profile.

You can choose a different IPS profile for each access rule based on the balance of convenience vs. risk appropriate for the particular traffic.

For details, see Manage IPS Profiles.

Configure the Do Not Decrypt List for IPS

Secure Access must decrypt traffic in order to allow the Intrusion Prevention feature to inspect the traffic for threats.

However, decrypting traffic to certain sites, such as health-related or financial sites, may be restricted by privacy laws in some geographic regions.

Use the default Do Not Decrypt List to specify destinations that should not be decrypted by intrusion prevention (IPS) processes.

Web security features, for example those configured in a Security Profile, also require decryption in order to be effective; you can use this list for web security decryption, or you can create and use a different list or lists for web security.

For details, see Important Information About Do Not Decrypt Lists.

Security Profile

You will specify a single Security Profile in each internet access rule. Each security profile includes multiple components that you should pre-configure.

Configure Threat Category Settings

Choose the types of web-borne threats to block. Blocking some threat categories may affect legitimate traffic.

See Threat Categories.

Configure SAML Authentication

SAML authentication is required for some web security features.

See Security Profiles for Internet Access.

Set Up Certificates for Decrypting Internet Traffic

If you have already set up certificates for this purpose for the intrusion prevention feature, you may not need to do anything more.

Internet traffic must be decrypted in order to allow it to be inspected by the intrusion prevention and web security features, to apply acceptable use controls, for rules in which the rule action is Isolate or Warn, and to display end-user notifications when destinations are blocked.

In order to decrypt this traffic, certificates are required.

See Certificates for Internet Decryption.

Configure Do Not Decrypt Lists

Secure Access must decrypt internet traffic in order to allow Web Security features to protect your network effectively.

However, decrypting traffic to certain sites, such as health-related or financial sites, may be restricted by confidentiality law in certain geographic regions.

Use a Do Not Decrypt List to specify destinations that should not be decrypted by web security processes. You can create different Do Not Decrypt Lists for different regions or purposes.

You can use the same Do Not Decrypt List that you use for IPS, or create one or more Do Not Decrypt lists to use only for security features included in the security profile.

For details, see Important Information About Do Not Decrypt Lists.
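As an added illustration (not Cisco's code and not a Secure Access API), the following Python model shows how a reusable destination list of domains, URLs, IP addresses and CIDR blocks, as described under Destinations, is matched against a request, and how an entry on a Do Not Decrypt List suppresses decryption and therefore IPS inspection for a matched destination. The matching semantics, the rule fields and the sample entries are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_destination_list(entries):
    """Split a list of domains, URLs, IPs and CIDR blocks into typed buckets."""
    parsed = {"domains": [], "urls": [], "ips": [], "cidrs": []}
    for entry in entries:
        if "://" in entry:
            parsed["urls"].append(entry.rstrip("/"))
        elif "/" in entry:
            parsed["cidrs"].append(ipaddress.ip_network(entry, strict=False))
        else:
            try:
                parsed["ips"].append(ipaddress.ip_address(entry))
            except ValueError:
                parsed["domains"].append(entry.lower().lstrip("."))
    return parsed

def destination_matches(dest_list, url, resolved_ip):
    """True if the request's host, full URL or resolved IP is in the list.
    Domain entries match the host and its subdomains (assumed semantics)."""
    host = (urlsplit(url).hostname or "").lower()
    ip = ipaddress.ip_address(resolved_ip)
    if any(host == d or host.endswith("." + d) for d in dest_list["domains"]):
        return True
    if any(url.rstrip("/").startswith(u) for u in dest_list["urls"]):
        return True
    return ip in dest_list["ips"] or any(ip in net for net in dest_list["cidrs"])

def evaluate(rule, url, resolved_ip):
    """Model of one internet access rule: destination match first, then decrypt
    and inspect with the rule's IPS profile unless the destination is on the
    rule's Do Not Decrypt List (hypothetical rule fields)."""
    if not destination_matches(rule["destinations"], url, resolved_ip):
        return None  # rule does not apply; the next rule in the policy is tried
    decrypt = not destination_matches(rule["do_not_decrypt"], url, resolved_ip)
    return {
        "action": rule["action"],
        "decrypted": decrypt,
        "ips_inspected": decrypt and rule.get("ips_profile") is not None,
    }

# Constructed sample rule: allow a custom destination list with IPS inspection,
# but never decrypt traffic to a health-related site on that list.
SAMPLE_RULE = {
    "action": "allow",
    "ips_profile": "Balanced Security and Connectivity",
    "destinations": parse_destination_list(
        ["example.org", "https://files.example.net/share", "203.0.113.7", "198.51.100.0/24"]),
    "do_not_decrypt": parse_destination_list(["health.example.org"]),
}
```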

(Optional) Configure Custom End-User Block and Warn Notifications

If you do not want to use the default Secure Access-branded notifications, configure the notifications that are presented to end users who attempt to access internet destinations that are blocked, and notifications to present when users attempt to access destinations that match a rule configured with the Warn action.

End-user notifications require decryption.

See Manage Notification Pages.

Configure Security Profiles for Internet Access

Sets of security settings grouped into profiles control the following aspects of security for internet traffic:

  • Decryption (including Do Not Decrypt lists)
    See information above.
  • SAML Authentication
    See information above.
  • Threat categories
    See information above.
  • File inspection
    File inspection detects threats using Cisco Advanced Malware Protection and Cisco Secure Malware Analytics.
    See Manage File Inspection and File Analysis.
  • File type blocking
    Block files based on their type. For example, you can prevent users from downloading executable files from the web.
    See Manage File Type Control.
  • SafeSearch
    SafeSearch filters out offensive, explicit, unsafe, and harmful results from searches in Google, YouTube, Yahoo, and Bing.
    See SafeSearch.
  • End-user notifications
    Web pages shown to users who attempt to access blocked destinations or destinations allowed with a warning.
    See information above.

You will enable these options in a security profile that you will choose in a rule. See Add a Security Profile for Internet Access.

Tenant Controls

If your company uses Microsoft 365, Slack, Google G-Suite, or Dropbox, see Manage Tenant Control Profiles.
