Our software-defined perimeter (SDP) platform continues to evolve according to our vision and our in-depth experience with customers. Recently, we have been working on a number of features that are significant for the different personas that use our platform. We have released a collection of enhancements and features that fall into three categories: tighter security, robust management, and enhanced usability.
Device Posture Checks
To further enhance security, we’ve ramped up device posture checks so our customers can make sure that end-user devices are compliant with specific criteria before connecting to Meta NaaS, during the connection phase, or while they are connected.
The device posture checks prohibit access to internal applications for non-compliant devices. You can either choose predefined templates or create advanced, custom posture queries via a flexible language framework.
For example, you can check whether the latest version of the endpoint security product is running, whether the host firewall is enabled, whether a specific certificate is installed, or whether a certain registry key is present.
If the compliance criteria are not met, the client is either connected to a remediation network or disconnected, or an alert is sent.
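As an added illustration of how a posture policy like the one described above can be evaluated (this is example code, not Meta NaaS code; the fact names, the certificate thumbprint, the registry key and the sample devices are all constructed), the following evaluator runs a list of checks against the facts an endpoint agent reports and maps the result to the non-compliance action chosen by policy:

```python
"""Added example: a toy device-posture evaluator modelled on the checks named
in the text (endpoint security version, firewall, certificate, registry key).
Not Meta NaaS code; field names and sample values are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Facts = Dict[str, object]   # what the endpoint agent reports about the device


@dataclass
class Check:
    name: str
    passes: Callable[[Facts], bool]


def version_tuple(version: str) -> Tuple[int, ...]:
    """'7.10.1' -> (7, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


# Predefined check templates; a custom posture query would build the same kind of predicate.
def endpoint_security_at_least(min_version: str) -> Check:
    return Check(
        "endpoint security running and current",
        lambda f: f.get("edr_running") is True
        and version_tuple(str(f.get("edr_version", "0"))) >= version_tuple(min_version),
    )


def firewall_enabled() -> Check:
    return Check("host firewall enabled", lambda f: f.get("firewall_enabled") is True)


def certificate_installed(thumbprint: str) -> Check:
    return Check("device certificate installed",
                 lambda f: thumbprint in f.get("cert_thumbprints", []))


def registry_key_present(key: str) -> Check:
    return Check("management registry key present",
                 lambda f: key in f.get("registry_keys", []))


def evaluate(facts: Facts, checks: List[Check], on_fail: str) -> Tuple[str, List[str]]:
    """Run every check; return ('connect', []) when compliant, otherwise the
    policy's non-compliance action plus the names of the checks that failed."""
    if on_fail not in ("remediation", "disconnect", "alert"):
        raise ValueError(f"unknown non-compliance action: {on_fail}")
    failed = [c.name for c in checks if not c.passes(facts)]
    return ("connect" if not failed else on_fail), failed


# Constructed policy and sample devices (hypothetical thumbprint and registry key)
POLICY = [
    endpoint_security_at_least("7.2.0"),
    firewall_enabled(),
    certificate_installed("AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12"),
    registry_key_present(r"HKLM\SOFTWARE\ExampleCorp\Managed"),
]

COMPLIANT_DEVICE: Facts = {
    "edr_running": True, "edr_version": "7.10.1", "firewall_enabled": True,
    "cert_thumbprints": ["AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12"],
    "registry_keys": [r"HKLM\SOFTWARE\ExampleCorp\Managed"],
}

STALE_DEVICE: Facts = {
    "edr_running": True, "edr_version": "6.9.3", "firewall_enabled": False,
    "cert_thumbprints": ["AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12"],
    "registry_keys": [],
}

if __name__ == "__main__":
    for label, device in (("compliant", COMPLIANT_DEVICE), ("stale", STALE_DEVICE)):
        action, failed = evaluate(device, POLICY, on_fail="remediation")
        print(f"{label}: {action} {failed}")
```

Because `evaluate` is a pure function of the reported facts, the same call can be made before the connection, at connect time and periodically while connected, which is the point of re-checking posture rather than trusting a one-time result.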
MetaConnect Web Recording
There are two ways to access the Meta NaaS: with the VPN client or with the clientless browser solution. MetaConnect Web Recording may be used with the clientless browser solution.
For clientless web application access, Meta uses a proxy that facilitates secure remote access to the internal web applications and allows comprehensive logging of the web session. Administrators can save the logs either for a specific set of defined applications or for all applications.
Why is this feature useful? It adds an additional layer of auditing, because traffic coming from a browser often originates from an untrusted, unsupervised endpoint.
For example, it is useful to know if someone is trying to download 50 document files in one minute. Recording enables administrators to audit sessions for regulatory purposes and to identify anomalies by feeding the recordings into an internal alerting system, a UEBA, a SIEM or any other system via an API. Administrators can audit POST and GET requests, including the body and request parameters such as the source client ID, and the URL paths of the application, and confirm that they are legitimate, valid and have been performed appropriately.
Recording is optional and is enabled by policy.
Behavioral Alerts & Notifications
We have enhanced the analytical alerts and notification systems and introduced fine-grained filters, offering administrators a very flexible way to define alerts.
Meta NaaS offers 4 types of logs:
- Traffic Log: This first log consists of session metadata. A great deal of information can be derived without actually opening the traffic: the log shows the sessions between source and destination IP addresses without exposing the content of the traffic. It also assists with anomaly detection, such as malware attempting to contact C&C servers, or users accessing suspicious applications.
- Audit Log: The second log includes all the configuration changes. Every change made through the system is recorded here, for example, when a new rule is added or changed.
- Security Log: This comprises all the security-related incidents. For example, when someone attempts to authenticate and fails at login, the incident is logged here.
- MetaConnect Web Log: The last log is the MetaConnect Web log, as described above.
Based on the above four logs, administrators can set alerts - for example, if users are accessing sensitive URLs, if a connection is made from a sensitive location, or if users attempt to log in several times. Any event can trigger an alert that is sent to a third-party system by webhooks or API calls. Alert conditions are easy to define using regular expressions.
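The two detection ideas above, a regular-expression condition on a log line and a count threshold such as "50 document downloads in one minute" or "several failed logins", can be combined in one small rule engine. The following is an added example, not Meta NaaS code: the line format, the field names, the rules and every sample line are constructed here, and the webhook payload shape is hypothetical.

```python
"""Added example: a toy alert engine that runs regex rules with a per-user
threshold and time window over constructed lines from the security log and the
MetaConnect Web log. Not Meta NaaS code; the line format is invented here."""
import json
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


@dataclass
class Rule:
    name: str
    log: str                  # which of the four logs this rule reads
    pattern: "re.Pattern"     # regex matched against the raw line
    threshold: int = 1        # matches per key inside the window before alerting
    window: timedelta = timedelta(seconds=60)
    key_field: str = "user"   # field the count is grouped by


def parse(line: str) -> Dict[str, str]:
    """Parse a constructed 'ts=... log=... k=v ...' line into a dict."""
    return dict(token.split("=", 1) for token in line.split())


class AlertEngine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self._hits: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)

    def feed(self, line: str) -> List[dict]:
        """Apply every rule to one line; return the alerts it raises (usually none)."""
        fields = parse(line)
        ts = datetime.fromisoformat(fields["ts"])
        alerts = []
        for rule in self.rules:
            if fields.get("log") != rule.log or not rule.pattern.search(line):
                continue
            key = fields.get(rule.key_field, "?")
            hits = self._hits[(rule.name, key)]
            hits.append(ts)
            while hits and ts - hits[0] > rule.window:   # drop hits outside the window
                hits.popleft()
            if len(hits) >= rule.threshold:
                alerts.append({"rule": rule.name, "key": key,
                               "ts": ts.isoformat(), "count": len(hits)})
                hits.clear()                               # one alert per burst
        return alerts


def to_webhook_payload(alert: dict) -> str:
    """JSON body a webhook or API call would carry to a SIEM/UEBA (constructed shape)."""
    return json.dumps({"source": "naas-alerts", **alert}, sort_keys=True)


RULES = [
    Rule("repeated login failures", "security", re.compile(r"\bevent=login_failed\b"),
         threshold=3, window=timedelta(minutes=5)),
    Rule("sensitive URL access", "web", re.compile(r"\bpath=/admin(/|$)")),
    Rule("bulk document download", "web",
         re.compile(r"\bmethod=GET path=\S+\.(docx?|pdf|xlsx?)$"),
         threshold=50, window=timedelta(seconds=60)),
]

# Constructed sample lines: three failed logins, one admin page hit, fifty downloads in one minute
SAMPLE_LINES = [
    "ts=2024-03-01T09:00:00 log=security user=alice event=login_failed src=203.0.113.5",
    "ts=2024-03-01T09:00:20 log=security user=alice event=login_failed src=203.0.113.5",
    "ts=2024-03-01T09:00:41 log=security user=alice event=login_failed src=203.0.113.5",
    "ts=2024-03-01T09:01:02 log=security user=alice event=login_ok src=203.0.113.5",
    "ts=2024-03-01T09:05:00 log=web user=bob app=intranet method=GET path=/admin/users",
    "ts=2024-03-01T09:06:00 log=web user=bob app=intranet method=GET path=/home",
] + [
    f"ts=2024-03-01T09:10:{i:02d} log=web user=carol app=docs method=GET path=/files/report{i}.docx"
    for i in range(50)
]


def run(lines: List[str]) -> List[dict]:
    """Feed every line through a fresh engine and collect the alerts in order."""
    engine = AlertEngine(RULES)
    return [alert for line in lines for alert in engine.feed(line)]


if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(to_webhook_payload(alert))
```

The window is evaluated against the timestamp in the line rather than the wall clock, so the same engine can be replayed over historical recordings during an investigation and produce the same alerts it would have raised live.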
Smart Groups (Tags)
Life is easy when you have an aligned hierarchy of people with defined roles. However, this is usually not the case. When you start to expand to a granular rule set, Smart Groups provide all the facilities you need to create heterogeneous groups under any chosen set of policies.
Smart Groups tag elements with labels that allow administrators to easily group any entity statically or dynamically and then apply the policy. Labels can be imported from an Identity Provider, applied manually or provided by built-in entity characteristics.
We encourage customers to follow best practices for central identity management. Therefore, we have introduced support for SCIM, an open standard that automates user provisioning and de-provisioning. SCIM is an easy way to reduce cost, complexity and risk when identities must be maintained in multiple systems, and it supports accelerated onboarding.
SCIM synchronizes users, groups and attributes from any SCIM-enabled identity management system. The synchronized data can then be used to assign policies, egress and posture checks. Meta NaaS now has an official SCIM application with several leading Identity Providers, such as Okta, Azure AD and OneLogin, and it supports any SCIM-enabled service.
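To make the Smart Groups and SCIM passages concrete, here is an added example (not Meta NaaS code) that keeps users and groups in sync from SCIM 2.0 messages, derives labels from Identity Provider group names, built-in attributes and manual tags, and resolves which policies apply to a user. The PatchOp message shape and the `members[value eq "..."]` removal path follow RFC 7644; the user, group and policy data are constructed, and the label-to-policy table is hypothetical.

```python
"""Added example: Smart Group labels fed from SCIM 2.0 provisioning, with
policy resolution from the labels. Not Meta NaaS code; resources and policy
names are constructed."""
import re
from typing import Dict, List, Set

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644 message schema
_MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')     # removal path form some IdPs send


class SmartGroups:
    """Users and groups synced from SCIM, plus the labels derived from them."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self.group_names: Dict[str, str] = {}
        self.members: Dict[str, Set[str]] = {}      # group id -> member user ids
        self.manual: Dict[str, Set[str]] = {}       # user id -> labels applied by an admin

    def put_user(self, user: dict) -> None:        # SCIM POST/PUT of a User resource
        self.users[user["id"]] = user

    def put_group(self, group: dict) -> None:      # SCIM POST/PUT of a Group resource
        self.group_names[group["id"]] = group["displayName"]
        self.members[group["id"]] = {m["value"] for m in group.get("members", [])}

    def patch_group(self, group_id: str, patch: dict) -> None:
        """Apply a SCIM PatchOp that adds or removes group members."""
        if PATCH_OP_SCHEMA not in patch.get("schemas", []):
            raise ValueError("not a SCIM PatchOp message")
        current = self.members[group_id]
        for op in patch["Operations"]:
            kind, path = op["op"].lower(), op.get("path", "")
            match = _MEMBER_FILTER.match(path)
            if kind == "add" and path == "members":
                current |= {m["value"] for m in op["value"]}
            elif kind == "remove" and path == "members":
                current -= {m["value"] for m in op["value"]}
            elif kind == "remove" and match:
                current.discard(match.group(1))
            else:
                raise ValueError(f"unsupported operation {kind} on {path!r}")

    def labels(self, user_id: str) -> Set[str]:
        """Union of IdP group names, built-in attributes and manual labels."""
        user = self.users[user_id]
        labels = {f"group:{self.group_names[g]}"
                  for g, ids in self.members.items() if user_id in ids}
        if user.get("userType"):                   # core-schema attribute used as a built-in label
            labels.add(f"type:{user['userType']}")
        if not user.get("active", True):           # de-provisioned by the IdP
            labels.add("deprovisioned")
        return labels | self.manual.get(user_id, set())


# Hypothetical policy table: a policy applies when all of its required labels are present
POLICIES = {
    "finance-apps":    {"group:Finance", "type:Employee"},
    "soc-console":     {"group:SOC"},
    "contractor-only": {"type:Contractor"},
}


def effective_policies(sg: SmartGroups, user_id: str) -> List[str]:
    """Policies whose label requirements the user's labels satisfy; none once de-provisioned."""
    have = sg.labels(user_id)
    if "deprovisioned" in have:
        return []
    return sorted(name for name, need in POLICIES.items() if need <= have)


# Constructed SCIM resources and messages (ids, names and addresses are made up)
SG = SmartGroups()
SG.put_user({"id": "u-1", "userName": "alice@example.com", "userType": "Employee", "active": True})
SG.put_user({"id": "u-2", "userName": "bob@example.com", "userType": "Contractor", "active": True})
SG.put_user({"id": "u-3", "userName": "carol@example.com", "userType": "Contractor", "active": False})
SG.put_group({"id": "g-fin", "displayName": "Finance", "members": [{"value": "u-1"}]})
SG.put_group({"id": "g-soc", "displayName": "SOC", "members": [{"value": "u-2"}]})
SG.patch_group("g-soc", {"schemas": [PATCH_OP_SCHEMA],
                         "Operations": [{"op": "add", "path": "members", "value": [{"value": "u-1"}]}]})
SG.patch_group("g-soc", {"schemas": [PATCH_OP_SCHEMA],
                         "Operations": [{"op": "remove", "path": 'members[value eq "u-2"]'}]})

if __name__ == "__main__":
    for uid in ("u-1", "u-2", "u-3"):
        print(uid, sorted(SG.labels(uid)), effective_policies(SG, uid))
```

Policy is resolved from labels at access time rather than copied onto the user when the SCIM message arrives, so a group removal or an `active: false` from the Identity Provider takes effect on the next evaluation without any separate clean-up step.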
If you look at existing legacy VPN clients, you often find multi-megabyte monsters with conflicting, heavy drivers and a tedious installation and onboarding process. The Meta agent, on the other hand, leverages the native operating system capabilities to provide the necessary NaaS connectivity. Hence, you don't need to install any drivers or compromise your system integrity, stability and security.
The role of the agent is to present a friendly UI for end users, streamline the onboarding process and other user flows (e.g. SSO, 2FA, certificate renewal). We have worked hard to reduce friction and offer a seamless experience for all user flows.
We have created an attractive and efficient UI with increased stability to seamlessly assist the user onboarding experience. We support a variety of operating systems and the user experience has been standardized across all platforms.
Multi-user support and multiple profiles are a customer requirement. Many customers have shared environments, such as a Network Operations Center (NOC) or a Security Operations Center (SOC), where staff frequently share computers.
As a result, the VPN client must be able to connect with different profiles depending on which user is logged in and what that user is allowed to access.
We have added better forensics and logging capabilities, which enable our support team to troubleshoot issues on our customers' devices and offer remediation remotely.
Direct MetaConnect Access
Direct MetaConnect Access enables customers to publish and externalize applications to their customers and partners more easily. When an application is published with the MetaConnect Direct Link, anyone with the right policy and permissions can access an internal application, and the process is as easy as clicking on a link.
Now we have introduced an added feature that enables our customers to define a domain name, select the application and choose a URL. When end-users access the URL, they go directly to the application after passing authentication. This enables a direct connection to a web application from a hyperlink, without the user needing to know that they are accessing an internal app through the NaaS.