Cisco Secure Access Architecture and Core Components

Learning Objectives

Pre-Reading Check — The Unified Cloud Platform

1. Cisco Secure Access is architecturally organized into three cooperating planes. Which plane is responsible for actually inspecting and enforcing on live traffic?

2. What is the primary design goal achieved by placing security controls in distributed cloud Points of Presence (PoPs) close to users?

3. An administrator writes a single DLP rule: "Block outbound transfers of documents containing customer Social Security numbers." Why does this rule apply consistently across web uploads, Microsoft 365 sharing, and internal-app access?

4. According to Cisco, what is the main risk of a "fragmented SSE" built from separate point products (SWG from one vendor, CASB from another, ZTNA from a third)?

5. Which set of components correctly belongs to the management / control plane?

1. The Unified Cloud Platform

Cisco Secure Access is a cloud-native Security Service Edge (SSE) platform grounded in zero trust. It unifies DNS-layer security, Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Firewall-as-a-Service (FWaaS), and Zero Trust Network Access (ZTNA) behind a single policy engine, a single client, and a single management console — delivering all of these controls from distributed cloud points of presence to users and sites anywhere.

Think of the platform as a modern airport built for security screening: instead of every traveler driving back to one central checkpoint in a distant city (the old "backhaul to headquarters" model), Cisco builds identical, fully-staffed checkpoints in every major metro area. Those metro checkpoints are the Points of Presence, the screening lanes are the security services, and the rulebook is the unified policy engine.

Key Points

The three planes

PlaneWhat it doesKey components
Management / Control PlaneDefines and evaluates policy; where admins configure everythingCloud-native policy engine, single management console, IdP and EDR/MDM integrations
Data / Enforcement PlaneActually inspects and enforces on live trafficDistributed cloud PoPs running DNS, SWG, CASB, FWaaS, and ZTNA engines
Connectivity / Edge PlaneGets traffic to the enforcement planeCisco Secure Client, clientless browser access, site-to-cloud IPsec tunnels, Resource Connectors

Figure 2.1: The three cooperating planes of Cisco Secure Access

flowchart LR subgraph Control["Management / Control Plane"] Console["Single Management Console"] Policy["Unified Policy Engine"] IdP["IdP + EDR / MDM Integrations"] end subgraph Data["Data / Enforcement Plane"] PoP["Distributed Cloud PoPs
DNS · SWG · CASB · FWaaS · ZTNA"] end subgraph Connectivity["Connectivity / Edge Plane"] Client["Cisco Secure Client"] Browser["Clientless Browser Access"] Tunnel["Site-to-Cloud IPsec Tunnels"] RC["Resource Connectors"] end Console --> Policy IdP --> Policy Policy -->|"Defines & evaluates rules"| PoP Client --> PoP Browser --> PoP Tunnel --> PoP RC --> PoP PoP -->|"Forwards to app"| App["Applications / Internet / SaaS"]
Animation 1 — The three planes light up in sequence
Control plane defines policy → enforcement plane inspects at the PoP → connectivity plane steers traffic in.
Control Plane Mgmt Console Policy Engine IdP + EDR/MDM Data / Enforcement Cloud PoP DNS · SWG CASB · FWaaS ZTNA (inspects live traffic) Connectivity / Edge Secure Client IPsec Tunnels Resource Connectors Browser Access
Key Takeaway: Cisco Secure Access is one cloud-native SSE platform organized into three planes — a control plane (single console + unified policy engine + identity/posture integration), a data plane (distributed PoPs running every security engine), and a connectivity plane. A single console and single policy engine mean you write a rule once and it applies everywhere, eliminating the gaps and complexity of stitching together separate point products.
Post-Reading Check — The Unified Cloud Platform

1. Cisco Secure Access is architecturally organized into three cooperating planes. Which plane is responsible for actually inspecting and enforcing on live traffic?

2. What is the primary design goal achieved by placing security controls in distributed cloud Points of Presence (PoPs) close to users?

3. An administrator writes a single DLP rule: "Block outbound transfers of documents containing customer Social Security numbers." Why does this rule apply consistently across web uploads, Microsoft 365 sharing, and internal-app access?

4. According to Cisco, what is the main risk of a "fragmented SSE" built from separate point products (SWG from one vendor, CASB from another, ZTNA from a third)?

5. Which set of components correctly belongs to the management / control plane?

Pre-Reading Check — Core Security Services

1. Which core service inspects DNS resolution and can block malware, phishing, and command-and-control callbacks over any port simply by refusing to resolve malicious domains?

2. A plain URL filter cannot distinguish a sanctioned corporate Dropbox tenant from a random personal file-sharing account. Which service can tell them apart and enforce different policies?

3. Which service is described as covering the "non-web, generic-IP traffic beneath" SWG and CASB — the arbitrary ports and protocols that the web-focused engines do not handle?

4. CASB operates in two complementary modes. What does the API-based (out-of-band) mode add that inline CASB cannot do on its own?

5. In the worked example of a user browsing the internet, what is the correct order in which the services act on the connection?

2. Core Security Services

The enforcement plane bundles four core internet-and-SaaS security services — DNS-layer security, SWG, CASB, and FWaaS — plus ZTNA for private apps (covered in the next section). Rather than four unrelated products, think of them as stacked, complementary layers of a screening line: each inspects a different aspect of the same traffic, and each hands context to the next.

ServiceInspectsPrimary layerHow it is delivered
DNS-layer security (DNS Defense)DNS queries (domain resolution)First-line, any portDNS queries steered to Cisco cloud resolvers
SWGHTTP/HTTPS web trafficWeb / application contentClient tunnel, PAC/proxy, or site tunnel to PoP
CASBSaaS application usage and dataSaaS governanceInline (via SWG) + out-of-band API integration
FWaaSGeneric IP / non-web traffic (L3/L4 + NGFW)NetworkIPsec/route-based tunnels from sites to PoP

Key Points

How the four services chain together (user browsing the internet)

  1. DNS request. The device sends its DNS query to Cisco's cloud resolvers; a known-malicious domain is blocked or redirected right here.
  2. Web connection. For an allowed domain, the browser connects via the SWG (through the client tunnel or a proxy), routed to the nearest PoP.
  3. SWG inspection. The SWG applies URL category rules, malware filtering, SSL decryption (if policy allows), and DLP — with identity and posture from the shared engine influencing the decision.
  4. FWaaS and network controls. If the traffic originated from a branch, it reached the PoP through a FWaaS tunnel, and FWaaS enforces any L3/L4 rules in parallel.

Figure 2.2: The four core services as a stacked screening line

flowchart LR User["User Device"] subgraph PoP["Nearest Cloud PoP"] direction TB DNS["1. DNS-layer Security
Domain reputation · allow / block / redirect"] SWG["3. SWG
URL filtering · malware · SSL decrypt · DLP"] CASB["CASB
SaaS-aware policy (inline via SWG)"] FWaaS["4. FWaaS
L3 / L4 · NGFW for non-web traffic"] end Engine["Shared Policy Engine
identity · device · location · app"] User -->|"DNS query"| DNS DNS -->|"Allowed domain"| SWG SWG --> CASB User -->|"2. Web connection"| SWG User -->|"Generic IP / branch tunnel"| FWaaS Engine -.->|"Consulted by every layer"| PoP SWG --> Internet["Internet / SaaS"] FWaaS --> Internet
Animation 2 — One packet screened through the stacked layers
A request passes DNS → SWG → CASB → FWaaS inside a single PoP, then out to the internet/SaaS.
User Dev Nearest Cloud PoP DNS domain reputation SWG URL · malware SSL · DLP CASB SaaS-aware policy FWaaS L3/L4 · NGFW non-web Internet / SaaS
Key Takeaway: The four core services are stacked, complementary layers, not competitors. DNS-layer security makes fast domain decisions first (the bouncer at the door); SWG deep-inspects web content; CASB adds SaaS-awareness and data control on top of SWG plus out-of-band API scanning; and FWaaS covers the non-web, generic-IP traffic underneath. All four run in every PoP and share one policy engine, so a single connection can be screened by every layer in one pass.
Post-Reading Check — Core Security Services

1. Which core service inspects DNS resolution and can block malware, phishing, and command-and-control callbacks over any port simply by refusing to resolve malicious domains?

2. A plain URL filter cannot distinguish a sanctioned corporate Dropbox tenant from a random personal file-sharing account. Which service can tell them apart and enforce different policies?

3. Which service is described as covering the "non-web, generic-IP traffic beneath" SWG and CASB — the arbitrary ports and protocols that the web-focused engines do not handle?

4. CASB operates in two complementary modes. What does the API-based (out-of-band) mode add that inline CASB cannot do on its own?

5. In the worked example of a user browsing the internet, what is the correct order in which the services act on the connection?

Pre-Reading Check — Traffic Steering and Connectivity

1. Which on-ramp is designed for roaming/remote users on laptops, using Tunnel Mode and Split DNS settings to decide per-packet whether traffic goes to Secure Access?

2. What is the defining trait of a Resource Connector that lets it reach a private app with no inbound firewall ports or public IPs?

3. In the Cisco Secure Client per-packet steering decision, what happens when a packet's destination matches an exclude / bypass rule?

4. Two properties of a branch IPsec network tunnel are worth memorizing. Which pair is correct?

5. How do Resource Connectors represent a philosophical shift from legacy Umbrella cloud tunnels?

3. Traffic Steering and Connectivity

None of the enforcement engines can help unless traffic actually reaches a PoP. Traffic steering is the discipline of deciding which flows are sent to Secure Access and which stay local. Cisco offers three primary on-ramps — one for roaming users, one for branches, and one for private applications — and all three make their decisions based on policy: destination IP/prefix, domain name, application, or proxy/PAC rules.

On-rampBest forTransportSteering decision
Cisco Secure ClientRoaming/remote users, laptopsIPsec user/machine tunnels; proxy/PAC for webTunnel Mode (full vs split) + DNS Mode (Split DNS)
Network tunnel (IPsec)Branch offices, whole sitesIPsec (~1 Gbps/tunnel, all ports/protocols)Route-based: which prefixes point at the tunnel
Resource ConnectorPrivate/internal applicationsOutbound-only DTLS/QUIC over 443Application-centric: per-app Private Resources

Key Points

Cisco Secure Client per-packet steering

The steering decision on the endpoint is a rule-matching process. A packet destined for an internal RDP host (a TCP SYN to 10.101.5.20) is evaluated against traffic steering rules: an include match (e.g., 10.101.0.0/16 or a synthetic range like 6.6.0.0/16) places it in the tunnel; an exclude/bypass match sends it direct or to a legacy VPN. There is an elegant interplay between the two knobs: when Split DNS resolves a private-app FQDN to an address in the synthetic range — which is also in the Tunnel Mode exception list — the traffic is automatically steered into the tunnel the instant resolution completes.

Figure 2.3: Cisco Secure Client per-packet steering decision

flowchart TD Start["Device generates packet
(e.g. TCP SYN to 10.101.5.20)"] Eval{"Match traffic
steering rules?"} Include["Include rule matched
(e.g. 10.101.0.0/16 or 6.6.0.0/16)"] Exclude["Exclude / bypass rule matched"] Tunnel["Place packet into
Secure Access tunnel"] Local["Send direct to internet
or legacy VPN (e.g. Cisco ASA)"] PoP["PoP: identity · policy · posture checks"] App["Forward to real application"] Start --> Eval Eval -->|"Include"| Include Eval -->|"Exclude / bypass"| Exclude Include --> Tunnel Exclude --> Local Tunnel --> PoP PoP --> App

Resource Connectors and the three-leg ZTNA path

Reaching a private application flips the direction: the cloud must reach inward to an app with no public exposure. A Resource Connector is a customer-deployed VM (VMware/Azure/AWS) that builds outbound-only tunnels to the PoPs — an MQTT-over-TLS control channel and a DTLS/QUIC data channel, both over port 443. The end-to-end ZTNA path has three legs: (1) Client → Zero Trust Proxy at the PoP via MASQUE over QUIC (HTTP/3), (2) PoP → a healthy Resource Connector selected from the appropriate group, and (3) Connector → the private application. Connectors are organized into Resource Connector Groups for redundancy, load distribution, and segmentation.

Figure 2.4: The three-leg ZTNA private-application path

sequenceDiagram participant C as Cisco Secure Client
(ZTNA module) participant P as Zero Trust Proxy (PoP) participant R as Resource Connector
(in customer environment) participant A as Private Application Note over C,P: Leg 1 — Client to PoP C->>P: App request mapped to ephemeral IP (100.64.0.0/10)
MASQUE over QUIC (HTTP/3) Note over P: Enforce per-user, per-device policy Note over P,R: Leg 2 — PoP to Connector P->>R: Select healthy connector from Resource Connector Group
via established outbound tunnel Note over R,A: Leg 3 — Connector to App R->>A: Resolve FQDN / IP and forward into internal network A-->>R: Return traffic R-->>P: Retrace path P-->>C: Response to client
Animation 3 — The three-leg ZTNA private-app path
Client → Zero Trust Proxy (policy) → Resource Connector (outbound-only) → Private App. Watch the packet traverse all three legs.
Secure Client ZTNA module 100.64.0.0/10 Zero Trust Proxy (PoP) enforce policy Resource Connector outbound-only Private App Leg 1: MASQUE/QUIC Leg 2: outbound tunnel Leg 3: into network
Key Takeaway: Three on-ramps steer traffic to the cloud edge. Roaming laptops use the Cisco Secure Client, whose Tunnel Mode and Split DNS settings decide per-packet whether to send traffic to Secure Access. Branches use ~1 Gbps IPsec network tunnels that carry all ports/protocols and are steered by routing. Private apps are reached via outbound-only Resource Connectors (MQTT/TLS control + DTLS/QUIC data over 443, no inbound ports) organized into groups for resiliency — an application-centric, identity-aware model that replaces network-centric legacy tunnels.
Post-Reading Check — Traffic Steering and Connectivity

1. Which on-ramp is designed for roaming/remote users on laptops, using Tunnel Mode and Split DNS settings to decide per-packet whether traffic goes to Secure Access?

2. What is the defining trait of a Resource Connector that lets it reach a private app with no inbound firewall ports or public IPs?

3. In the Cisco Secure Client per-packet steering decision, what happens when a packet's destination matches an exclude / bypass rule?

4. Two properties of a branch IPsec network tunnel are worth memorizing. Which pair is correct?

5. How do Resource Connectors represent a philosophical shift from legacy Umbrella cloud tunnels?

Your Progress

Answer Explanations