[DRAFT] Trusted Networks for Zero Trust Access Connections

A trusted network is a network that is secure, reliable, and well-protected against unauthorized access, data breaches, and other cyber threats. Trusted networks are typically within your corporate network, or a trusted partner's network that has all the necessary network security measures in place. Different trusted networks might represent different site locations, for example Hong Kong or London. Trusted Network Detection (TND) gives you the ability to recognize a predefined trusted network and automatically disconnect a VPN connection inside the trusted network (corporate network) and start the VPN connection when the user is outside the trusted network (corporate network).

Secure Access allows you to define trusted networks using the criteria that Cisco Secure Client uses to detect when the user endpoint device is connected to a defined trusted network and route the user's traffic as intended. For example, if you have configured certain destinations to be connected using Zero Trust Access, you can choose not to use Zero Trust Access when the user is in the office, and instead use the security and connectivity mechanisms that apply to on-network traffic.

Caution: Secure Access allows you to define any network as a trusted network. Define your trusted networks carefully and ensure that all expected security and connectivity mechanisms are in place.

To define a trusted network, perform the following steps:

  1. On Secure Access, navigate to Connect > End User Connectivity > Zero Trust Access.

  2. In the Default Profile section, click Manage Trusted Networks.

  3. Click + Trusted Network (for the first network) or + Add.

  4. In the Trusted Network Name field, enter the name of the trusted network.

  5. From the Criterion dropdown list, select one of the following criteria:

    • DNS Servers - Enter all DNS server addresses available in the trusted network in the DNS Servers field. The client needs to detect only one of the specified DNS Servers.

    • DNS Domains - Enter the DNS suffixes (comma separated) available in the trusted network in the DNS Domains field. The client needs to detect only one of the specified DNS suffixes.

    • Trusted Servers - Enter a trusted server address in the Trusted Servers field. A DNS server specified in this profile must resolve this server and provide a TLS certificate.
      (Optional) Enter the hash of this certificate in the Certificate Hash field.
      Note: Certificate hash is not applicable for iOS devices.
      Click +Add Trusted Server to add up to 10 trusted servers. Only one of the trusted servers is required to pass validation.

  6. Click +Add Criterion and then perform the previous step to add more criteria.
    Note: You can add each criterion only once.

  7. Click Save.

Example:

If you configure the following criteria:

  • DNS Domains: YourCompany.com and AcquiredCompany.com
  • DNS Servers: 10.10.10.10 and 10.10.10.11
  • Trusted Servers: server1.YourCompany.com with hash xyz, and server2.YourCompany.com with hash abc

Then the client recognizes the trusted network if it detects the following (one match from each criterion):

  • AcquiredCompany.com
  • 10.10.10.11
  • server2.YourCompany.com with hash abc
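As an added example (not Cisco's code), the following Python models how the detection logic described in the steps above can be evaluated against what an endpoint observes: within a criterion any single match passes, and, as the example reads (an assumption here, not stated by the page), every configured criterion must pass. It also shows what the optional certificate hash buys you: with a pin set, a trusted server that presents a different certificate fails validation, so a matching DNS suffix alone is not enough.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class TrustedServer:
    host: str
    cert_hash: Optional[str] = None  # optional pin (the Certificate Hash field)

@dataclass
class TrustedNetwork:
    dns_domains: set = field(default_factory=set)
    dns_servers: set = field(default_factory=set)
    trusted_servers: list = field(default_factory=list)

@dataclass
class EndpointState:
    dns_suffixes: set  # DNS search suffixes observed on the endpoint
    dns_servers: set   # resolver addresses observed on the endpoint
    server_certs: dict # host -> cert hash presented over TLS (None: unresolvable/no TLS)

def criterion_results(net, state):
    """Evaluate each configured criterion; a criterion passes on any single match."""
    results = {}
    if net.dns_domains:
        results["DNS Domains"] = bool({d.lower() for d in net.dns_domains}
                                      & {d.lower() for d in state.dns_suffixes})
    if net.dns_servers:
        results["DNS Servers"] = bool(set(net.dns_servers) & set(state.dns_servers))
    if net.trusted_servers:
        certs = {h.lower(): c for h, c in state.server_certs.items()}
        results["Trusted Servers"] = any(
            certs.get(ts.host.lower()) is not None  # must resolve and present a cert
            and (ts.cert_hash is None  # no pin: any certificate passes
                 or certs[ts.host.lower()].lower() == ts.cert_hash.lower())
            for ts in net.trusted_servers)
    return results

def is_trusted(net, state):
    """Assumption: every configured criterion must pass (AND across criteria)."""
    results = criterion_results(net, state)
    return bool(results) and all(results.values())

# The page's example network, with its placeholder hashes "xyz" and "abc".
EXAMPLE_NET = TrustedNetwork(
    dns_domains={"YourCompany.com", "AcquiredCompany.com"},
    dns_servers={"10.10.10.10", "10.10.10.11"},
    trusted_servers=[TrustedServer("server1.YourCompany.com", "xyz"),
                     TrustedServer("server2.YourCompany.com", "abc")])
```

Running `is_trusted(EXAMPLE_NET, EndpointState({"AcquiredCompany.com"}, {"10.10.10.11"}, {"server2.YourCompany.com": "abc"}))` reproduces the page's example and returns True; the same DNS state with server1 presenting a certificate whose hash is not xyz returns False.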
