Transcript
In this series of short videos, we're taking a look at the baseline recommendations for the configuration of Zetscaler Private Access. This is Part 7, Securing Your ZPA Applications. First, let's start by talking about App Protection. App Protection is an integral part of ZPA that allows you to identify and stop attacks against your applications. App Protection does this by allowing you to create inspection profiles, either from scratch or using predefined profiles, that will inspect traffic between the user and the application. Inspection can then be enabled on the application segment and an App Protection policy configured that maps an inspection profile to the application segment. These inspection profiles include several critical security controls for your applications. One of these is the OS Top 10 Prevention model. This will allow Zetscaler to identify and prevent attacks against applications that map to the Top 10 application security risk as identified by the Open Worldwide Application Security Project. App Protection also leverages the Zetscaler Threat Labs research to generate Threat Labs control based on signatures from exploits that our security research team is seeing in the wild. Additionally, App Protection is capable of performing virtual patching by applying security controls to block specific attacks that are being leveraged by threat actors and reported as CVEs. It can also be leveraged to provide SMB, Kerberos, and LDAP inspection and protection, providing you with anomaly detection within AD-related traffic, assistance in prevention of enumeration attacks, and protection against common attacks such as Kerberosting, AD schema mapping, and SMB enumeration. Finally, App Protection also provides browser session protection, allowing you to define session fingerprints using a combination of 27 available indicators in browser session protection profiles, which can then be activated as a browser session protection policy based on applications and SAML or SCIM attributes. This also provides a dashboard, identifying users with a high number of unique fingerprints. Finally, understand that you can leverage Zetscaler internet access to inspect ZPA traffic. This works the following way. Traffic that matches an application segment definition is sent to the ZPA service edge as is normal for ZPA. If ZIA inspection is enabled, the ZPA service edge will establish a TLS tunnel to a ZIA enforcement node so that the traffic is sent to ZIA. Security policy configured on the ZIA side will then be enforced. If traffic violates the ZIA security policy, it's blocked. Otherwise, it's allowed and sent back to the ZPA service edge, after which it's sent onto the app connector and forwarded to the destination. Note that this has several prerequisites and limitations. Obviously, this requires a ZIA tenant that is linked to your ZPA tenant. The ZIA inspection feature must be provisioned for ZPA. This can be enabled with a simple support request if it isn't provisioned. A ZIA root certificate must be deployed to your devices as is required for SSL inspection in ZIA. And there's also a minimum version of 4.4 for the client connector required. This does not support browser access or privileged remote access, ICMP, double encryption, multi-session protocols, ZDX, machine tunnels, or partner tenants. As such, it's recommended that you only leverage this inspection feature for business-critical applications. This will allow you to use ZIA's mature policy enforcement and malware detection capabilities, for example, TLS inspection, sandboxing, data loss prevention policy, et cetera, to enforce these on ZPA flows to your business-critical applications, preventing any client-side compromise. Paired with app protection, this will allow you to provide complete client-side and server-side anti-compromise measures in order to fully protect your applications. That's it for this video. Thank you for watching.