Zscaler Cloud Security Essentials
The internet today has become the wild, wild west. Websites of every kind have mushroomed, especially since the dot-com boom, and it has become difficult to tell legitimate websites from malicious ones. When the Internet Service Providers (ISPs) themselves cannot keep track of these harmful websites, we cannot expect the end user to keep up with them. This is why we need a security solution that gives end users a safe internet experience.
Employees of the enterprise have a business need to access the internet on an almost daily basis. This could be for researching solutions, learning new skills, or to log into internet-based applications for company work.
Employees may be directed to go to a website through various means. For example, they may receive an email with a link where they can access the latest content on an interesting topic. A friend or a co-worker could send a web link through an instant chat message.
When employees are using corporate-issued devices to access these websites, it is the duty of the enterprise to provide employees with safe and secure internet access. If the employees inadvertently access malicious websites and those websites install some sort of malware on the corporate-issued device, then that malware could spread to other enterprise systems, including critical infrastructure, which will have a massive impact on the enterprise.
This is no different from someone catching a viral infection and then inadvertently spreading it – hence the need for safe internet access. For example, an employee receives a seemingly legitimate email telling them they can find more information on a topic at www.help.com. A spammer or other bad actor can easily change the letter "l" in the website URL to the number "1", so that the malicious URL is www.he1p.com. Depending on the font used by the employee's email program, the difference may not even be visible.
The employee then proceeds to click on the malicious link, thereby triggering the malware and compromising the machine. Internet security is needed because not all malicious emails may be caught by the company's email security software. This is where Zscaler Internet Access (ZIA) comes in.
ZIA is a cloud-based web proxy whose primary purpose is to provide safe and secure access to the internet. Simply put, ZIA sits between the end user and the target internet website resource. The enterprise will purchase the necessary subscription and internet security feature set as part of their contract. A company Zscaler administrator will provision and activate these security settings in the ZIA portal. Those changes take effect immediately.
Once this has been set up, suppose an employee receives an email with a malicious link in it, as described in the previous section. When the employee clicks on that link, the browser on the machine tries to navigate to that malicious website. But that initial website request is now intercepted by Zscaler. Zscaler then checks this URL against its dynamic list of malicious websites and identifies it as a malicious website. Zscaler will then display a warning message that says this is a malicious website and hence the request was blocked.
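As an added example (not code from the book or from Zscaler), the following Python sketch shows the defender-side logic of the two preceding paragraphs: a request's hostname is checked against a blocklist standing in for the proxy's dynamic list of malicious websites, and, going slightly beyond the single www.he1p.com case, it is folded over a small table of look-alike characters so that any hostname differing from a known-good domain only by such a substitution is blocked as a lookalike. The allowlist, blocklist, confusable table and sample URLs are assumptions constructed for the example.

```python
"""Added example (not the book's or Zscaler's code): a minimal defender-side
URL check.  Hostname is normalized, looked up in a constructed blocklist, and
compared against known-good domains after folding confusable characters."""
from urllib.parse import urlsplit
import unicodedata

# Constructed allowlist of domains the organisation knows and trusts.
KNOWN_GOOD = {"help.com", "example.com"}

# Constructed blocklist standing in for the proxy's dynamic threat feed.
BLOCKLIST = {"malware-download.example.net"}

# Characters commonly swapped in to imitate a letter (small ASCII subset).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})


def hostname_of(url: str) -> str:
    """Extract a lower-cased, IDNA-decoded hostname from a URL or bare host."""
    if "://" not in url:
        url = "http://" + url          # bare hostnames pasted from chat or email
    host = urlsplit(url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")   # xn-- labels -> Unicode
    except UnicodeError:
        pass                           # already Unicode; keep as-is
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def skeleton(domain: str) -> str:
    """Strip accents and fold confusables so 'he1p.com' -> 'help.com'."""
    nfkd = unicodedata.normalize("NFKD", domain)
    base = "".join(c for c in nfkd if not unicodedata.combining(c))
    return base.translate(CONFUSABLES)


def check_url(url: str) -> dict:
    """Return a verdict dict: allow, block (with reason) or inspect."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    if host in BLOCKLIST or domain in BLOCKLIST:
        return {"host": host, "verdict": "block", "reason": "on blocklist"}
    if domain in KNOWN_GOOD:
        return {"host": host, "verdict": "allow", "reason": "known-good domain"}
    folded = skeleton(domain)
    if folded != domain and folded in KNOWN_GOOD:
        return {"host": host, "verdict": "block", "reason": f"lookalike of {folded}"}
    return {"host": host, "verdict": "inspect", "reason": "unknown domain"}


if __name__ == "__main__":
    for u in ("https://www.help.com/", "http://www.he1p.com/info",
              "http://malware-download.example.net/x", "https://unknown.org/"):
        print(u, "->", check_url(u))
```

In a real deployment the two-label `registrable_domain` would be replaced by a public suffix list lookup and the six-entry confusable table by the Unicode confusables data; the structure of the decision (blocklist first, exact allow second, lookalike third, everything else to deeper inspection) stays the same.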
A very impressive feature of ZIA is that it can detect botnet callbacks. Although we will talk about it in more detail in later chapters, we will provide an example here. Let's say that an employee takes their corporate device home and then accesses the internet in an insecure way, so the bot is now installed on their device. When the employee uses the same device in the Zscaler-protected corporate environment, Zscaler will identify and block that botnet callback to the central bot server and can also alert an administrator. The administrator can then immediately identify the device and the user, and then either quarantine that device or get it cleaned immediately using anti-malware software, thereby eliminating the root problem and preventing it from spreading. This can be visualized with the following diagram:
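Bot callbacks of the kind described above are often easier to spot by their regularity than by their destination, which may not yet be on any threat list. The following Python script is an added example, not code from the book or from Zscaler: it reads constructed proxy-log lines and flags a user/device pair that contacts the same host at near-constant intervals. The log format, hostnames and thresholds are assumptions made for the example.

```python
"""Added example (not the book's or Zscaler's code): a small beaconing
detector over constructed proxy-log lines.  A (user, device, destination)
group with enough hits and very regular inter-arrival gaps is reported."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: "<ISO time> <user> <device> <destination host>".
# LAPTOP-01 calls update.example-cdn.net every ~5 minutes with slight jitter.
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice LAPTOP-01 update.example-cdn.net
2024-03-01T09:00:03 alice LAPTOP-01 news.example.org
2024-03-01T09:05:02 alice LAPTOP-01 update.example-cdn.net
2024-03-01T09:07:41 alice LAPTOP-01 docs.example.com
2024-03-01T09:09:58 alice LAPTOP-01 update.example-cdn.net
2024-03-01T09:12:19 bob DESKTOP-07 docs.example.com
2024-03-01T09:15:01 alice LAPTOP-01 update.example-cdn.net
2024-03-01T09:20:00 alice LAPTOP-01 update.example-cdn.net
2024-03-01T09:24:59 alice LAPTOP-01 update.example-cdn.net
2024-03-01T09:33:02 bob DESKTOP-07 news.example.org
"""


def parse_log(text: str) -> dict:
    """Group request timestamps by (user, device, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, dst = line.split()
        events[(user, device, dst)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text: str, min_hits: int = 5, max_cv: float = 0.1) -> list:
    """Report groups with >= min_hits requests whose gap coefficient of
    variation (stdev / mean) is at most max_cv, i.e. a near-fixed period."""
    findings = []
    for (user, device, dst), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"user": user, "device": device, "destination": dst,
                             "hits": len(times), "period_s": round(avg, 1),
                             "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {f['device']} ({f['user']}) -> "
              f"{f['destination']} every {f['period_s']}s, {f['hits']} hits")
```

A finding like this is a lead for the administrator workflow the paragraph describes: identify the device and user, then quarantine or clean the machine. Thresholds need tuning per environment, since legitimate software updaters also poll on a schedule, so the result is a candidate to triage rather than a verdict.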
Figure 1.1 – Fundamental operation of Zscaler Internet Access (ZIA)
ZIA is also well known for its cloud sandbox feature. When malware is first released on the internet, its signature (the bit pattern in the binary) is not yet known to most anti-malware engines. ZIA can identify content with an unknown signature and, at the cost of a small delay, detonate it safely in its cloud sandbox environment and observe its effects. If there is no fallout, ZIA will forward that content normally. If, however, the sandbox observes that the content is harmful, ZIA will immediately update its threat signature database and propagate that information to all its clouds, thus protecting all its other customers within a matter of minutes.
There are many ways ZIA can be provisioned. If a user is at a corporate location, GRE or IPsec tunnels can be established from that location to the two nearest Zscaler cloud locations (the customer can choose to use more or fewer than two). If the user works remotely or travels a lot, an application called Zscaler Client Connector (ZCC) can be installed on the user's device. Before the user can access the internet, they must log in to ZCC, either by entering their credentials manually or by using their Active Directory domain credentials. This makes sure the user is always protected.
Zscaler estimates that over 80% of internet traffic now uses SSL. Hence, SSL inspection is a fundamental, integrated feature of ZIA.