Post on 09-May-2020
transcript
Global leader in 4G LTE Network Solutions 805 W. Franklin Street Boise, ID 83702 | Toll Free: +1.855.813.3385 | Local: +1.208.424.5054 | Fax: +1.208.429.6852 | Cradlepoint.com
1
Zscaler Internet Security Frequently Asked Quest ions
Global leader in 4G LTE Network Solutions 805 W. Franklin Street Boise, ID 83702 | Toll Free: +1.855.813.3385 | Local: +1.208.424.5054 | Fax: +1.208.429.6852 | Cradlepoint.com
2
PRODUCT LICENSING & PRICING How is Zscaler Internet Security licensed?
Zscaler Internet Security is licensed on number of Cradlepoint devices forwarding DNS queries. Organizations should purchase one license per router forwarding the traffic to Zscaler.
How many users can I have at a location?
Should we contact Cradlepoint every time we add a new device?
The service license per router allows for as many users as you need at the location, including GUEST WiFi filtering & security.
YES. Every device requires a license. Although, once you purchase the Zscaler Internet Security license, your admin can add/create the new location on the Zscaler portal without any involvement from Cradlepoint.
Should we contact Cradlepoint if we add more users to the location?
No. We do not price or license based on number of users from each location. Although we do monitor the number of DNS queries coming for each licensed device forwarding DNS queries to Zscaler Internet Security.
DEVICE CONFIGURATION AND PROVISIONING How do I forward traffic to Zscaler Internet Security?
Cradlepoint recommends using router firmware 5.3 or higher with Zscaler Internet Security. With firmware 5.3 or higher, you simply;
! Edit the routers configuration using Enterprise Cloud Manager or the localrouter UI, go to Network Settings>Content Filtering and select Cloud Based Filtering/Security to setup Zscaler Internet Security.
! Detailed instructions are on the Cradlepoint Knowledgebase athttp://knowledgebase.Cradlepoint.com/articles/Support/Configuring-‐Zscaler-‐Internet-‐Security
How does my Cradlepoint router connect to the Zscaler Internet Security service?
If they are public anycast DNS servers, anyone can use them. What is different?
Supported options for Cradlepoint routers with FW5.3 and higher include; • Fixed IP address: For locations with a fixed public IP address• DNS over TLS tunnel: For locations with dynamic IP addresses on the WAN
side, (e.g. 4G cellular connections that are NAT’ed or ISPs that intercept DNS traffic to redirect to their DNS servers).
• Dyn DNS Service: for locations with dynamic IP address if the customerprefers to use DynDNS
YES, they are public global DNS servers. We are not restricting end-‐users from using our DNS service and configuring Zscaler Internet Security servers for look-‐ups. Although, without registering with Zscaler as a customer, no security policies will be applied to the end user. It’s ONLY when the DNS queries are coming from a known customer, location &/or user, the company security policies will be applied. Otherwise, it is like any other DNS service the end user chooses to configure (similar to Google DNS)
Technical FAQ
Global leader in 4G LTE Network Solutions 805 W. Franklin Street Boise, ID 83702 | Toll Free: +1.855.813.3385 | Local: +1.208.424.5054 | Fax: +1.208.429.6852 | Cradlepoint.com
3
How do you identify what company security policies to apply?
The customer’s Zscaler Administrator sets up a location through the Zscaler Portal, and then can assign content filtering and security polies to each individual location or groups of locations. Administrators can define as many policies as required, including custom policies, and manage these policies by location.
Can I create custom filtering and security policies? What if I have multiple WAN providers at the same location?
Yes. Administrators can define any number of custom filtering and security policies. Administrators can select from 90+ categories for content filtering/classification. Administrators can also import custom URL categories and define as whitelist or blacklist policy. All security rules apply automatically to each Administrator defined Policy. Administrator can add multiple Public, TLS, or DynDNS) IP addresses per location in the Zscaler Portal. This will associate those providers IPs to the same location and will receive the same location policies during active/active or fail-‐over scenarios.
SECURITY & PRIVACY CONCERNS Is DNS based filtering secure? Zscaler Internet Security is configured by setting DNS to 8.34.34.34 and 8.35.35.35 – but it’s
much more than traditional domain filtering. It combines the simplicity of DNS and the powerful functionality of proxy technology in an intelligent and transparent way. Network traffic is redirected using anycast technology to the nearest Zscaler Internet Security datacenter. Real-‐time threat intelligence and corporate policies are applied to route the traffic:
! Known malicious or unauthorized sites are blocked ! Access to reputable or permissible sites are allowed ! Potentially malicious or suspicious traffic that require deeper functionality
and control such as Google safe search, is routed through Zscaler’s proxy transparently. This dynamic inline inspection or traffic steering is called Intelligent Routing.
Can a user by-‐pass Zscaler Internet Security security policy by going directly to the website’s IP address?
Possible, but very rare. Although Zscaler does not protect against direct IP to IP communication, most internet sites redirect IP connections back to DNS host names for various reasons., (e.g. most sites have many frames that load from several different services requiring DNS lookups, malicious sites don’t use fixed IP addresses, etc) Once the initial connection is attempted based on IP address, several additional DNS requests are made from the user’s browser, on behalf of the server, to various other destinations, which will then be enforced as normal through Zscaler Internet Security.
Can a user bypass the DNS settings on the router?
Cradlepoint router supports ‘force DNS’ to Zscaler DNS in the setup of Zscaler Internet Security (Enterprise Cloud Manager or locally). An administrator can have Enterprise Cloud Manager ‘lockdown’ the local router config so that no local users can change the configuration.
Global leader in 4G LTE Network Solutions 805 W. Franklin Street Boise, ID 83702 | Toll Free: +1.855.813.3385 | Local: +1.208.424.5054 | Fax: +1.208.429.6852 | Cradlepoint.com
4
Does Cradlepoint or Zscaler have access to any private data within our organization?
No. We do not have access to any user data or information.
What information is stored within the Zscaler cloud?
DNS requests, responses along with the time stamps and the requesting locations identity for all requests sent to Zscaler Internet Security.
Zscaler Internet Security PERFORMANCE Will this security service add latency for end users?
No. For any user or device, on-‐premise or roaming, Zscaler Internet Security security service will add no noticeable latency (and it is possible that an end users performance will actually improve because Zscaler’s distributed service is peered with the top internet providers). You are already using a cloud-‐delivered/ISP-‐offered external DNS service (such as Google or Level 3 DNS IPs), but your ISP does not offer any security policy or threat protection. With Zscaler Internet Security setup on your Cradlepoint router, it will use Zscaler DNS 8.34.34.34 and 8.35.35.35 to get the additional reliability and security.
What happens when Zscaler Internet Security service is down?
That does not happen. Zscaler Internet Security service is a cloud-‐based offering, is always available and is fully redundant and reliable. The Zscaler platform is physically running on thousands of processors in more than 100 of the highest quality data centers around the world. Each location has massive bandwidth, huge processing power and complete redundancy at every level. We provision our data centers so they have massive excess capacity – even during the largest global events like the world cup or the Olympics we see a blip in traffic but little more. In the rare case something fails, we have automatic failover within an individual data center, and then if an entire data center fails, we have additional automatic failover to the next nearest data center. This is totally seamless to your company and to your users. Zscaler is such a large and distributed and inherently resilient system it has literally never gone down – even during major disasters like hurricanes, earthquakes and typhoons that knock out individual data centers or even regions – the system as a whole always continues to run, and your users are automatically re-‐routed.
How scalable is the Zscaler solution?
Zscaler is a Security as a Service platform. With more than 5000 customers across all size enterprises and all vertical markets, Zscaler Cloud processes over 13 Billion internet transactions every day – making it the single largest collection place for malware samples. This provides us a unique opportunity to analyze, identify and stop the most sophisticated
Global leader in 4G LTE Network Solutions 805 W. Franklin Street Boise, ID 83702 | Toll Free: +1.855.813.3385 | Local: +1.208.424.5054 | Fax: +1.208.429.6852 | Cradlepoint.com
5
and persistent threats. The Zscaler platform is physically running on thousands of processors in more than 100 of the highest quality data centers around the world. Each location has massive bandwidth, huge processing power and complete redundancy at every level. We provision our data centers so they have massive excess capacity – even during the largest global events like the world cup or the Olympics we see a blip in traffic but little more. All the service is built ground up by our engineering team and was built to handle scale. Add your locations instantly on our cloud platform, without any delay or impact to the existing solution.
PRODUCT FEATURES AND FUNCTIONALITY Does Zscaler Internet Security replace my existing security point product solution?
Zscaler Internet Security provides several key components of a Unified Threat Management solution, and when used with Cradlepoint router/firewall platforms and CP Secure Threat Management, it delivers an effective layered security solution for the branch office. The Cradlepoint router/firewall provides firewall protection for all WAN/LAN and LAN/LAN segment traffic, and Zscaler Internet Security protects all the Internet/web traffic.
Do I need Zscaler Internet Security when I have Cradlepoint Threat Management (IPS)? Does Zscaler Internet Security provide anti-‐virus protection?
Cradlepoint Threat Management (IPS) running on Cradlepoint’s stateful firewall, when combined with Zscaler Internet Security, addresses the key elements of a Unified Threat Management solution for branch offices. Cradlepoint’s Threat Management solution provides additional layered security at the stateful firewall using Layer 4-‐7 Deep Packet Inspection to detect and prevent network intrusions. This enhances network security for all applications across LAN, WLAN and WAN segments. Zscaler Internet Security provides content filtering and security for all web-‐based applications and traffic. Yes for known viruses. Zscaler Internet Security receives the same URL and threat feeds as the cloud proxy platform. The Zscaler Cloud Platform processes over 13 Billion internet transactions every day – making it the single largest collection place for malware samples. This provides us a unique opportunity to analyze, identify and stop the most sophisticated and persistent threats. If we identify a virus on a network once, we can then block it via Intelligent Internet Protection. Although, any first time virus (to Zscaler cloud) or file cannot be blocked using Zscaler Internet Security as it is not an in-‐line proxy solution. Zscaler does not look at all the content. In order to get always in-‐line content protection, upgrade to Zscaler Secure Web Gateway product. Cradlepoint routers also support Zscaler Secure Web Gateway (additional cost as licensed on a per-‐user basis).
Global leader in 4G LTE Network Solutions 805 W. Franklin Street Boise, ID 83702 | Toll Free: +1.855.813.3385 | Local: +1.208.424.5054 | Fax: +1.208.429.6852 | Cradlepoint.com
6
Does Zscaler Internet Security block malicious attachments for web-‐based e-‐mail? Does Zscaler Internet Security provide DLP solution?
Zscaler Internet Security does not scan attachments downloaded using mail applications. However, any malicious attachments that subsequently call web services (botnets, Command-‐Control Networks, etc.) will be blocked by Zscaler Internet Security for all known malware. No. Zscaler Internet Security does not look at the content. In order to get full content and data loss prevention, upgrade to Zscaler Secure Web Gateway product.
Does Zscaler Internet Security provide anti-‐spam solution? Does Zscaler Internet Security inspect SSL traffic? What protections does Zscaler Internet Security provide for SSL traffic? When should SSL inspection be used? How does Zscaler Internet Security compare to a URL-‐list filtering solution running on a firewall/router?
No. Zscaler is not an e-‐mail security platform. It will block and protect against any known malicious virus in the email attachment. Also block and protect against any malicious links clicked from within the email. Although it is not in-‐line between your exchange server and client to protect against spam. Yes. However, SSL inspection requires a certificate be installed on the end-‐user device in order for the SSL inspection to work. Zscaler’s SSL inspection provides protection across the same threat categories as non encrypted traffic – filtered content sites, safe search results, malicious content, phishing, CnC botnets, etc., are all filtered and blocked. Most often, the SSL inspection would be deployed on computers used by employees in the branch office where additional security is desired. SSL inspection is not advised for guest WiFi subnets. Zscaler’s URL filtering capabilities are superior to legacy firewall and router based solutions for the following reasons:
1. Zscaler is ‘cloud real-‐time’ security and filtering with global threat intelligence updates immediately. No need for signatures/patches to be developed, downloaded, and deployed to the router/firewall. Zscaler currently averages over 100k threat updates per day, all in real-‐time. As soon as a new threat is discovered, the next transaction anywhere in our cloud is protected.
2. Simple URL-‐based filtering on routers generally use a very static 'reputation only' list that is often out of date and incomplete. Zscaler's real-‐time dynamic security cloud on the other hand uses a proprietary 'Page Risk Index' that utilizes many types of threat intelligence feeds and analytics to ensure that its list of compromised domains is the most accurate and effective on the market.
3. Many of today’s hackers use exotic 'fast flux' techniques (rapid DNS name
changes) to keep their web resources free from simple IP/URL based security – branch router based URL filtering can’t keep up to date with these threats as even high quality 'reputation only' block lists are often very slow to add these new domains.
Global leader in 4G LTE Network Solutions 805 W. Franklin Street Boise, ID 83702 | Toll Free: +1.855.813.3385 | Local: +1.208.424.5054 | Fax: +1.208.429.6852 | Cradlepoint.com
7
4. Zscaler cloud uses best-‐of-‐breed intelligence and reputational scoring based on billions of global web transactions every month, which delivers the most accurate, comprehensive and up-‐to-‐date web security and content filtering.
5. The Zscaler cloud has virtually unlimited capacity -‐ no processor or bandwidth limits to create a bottleneck or single point of failure. Customers have no risk of outgrowing equipment, as the cloud capacity scales with them.