Design Use Case

The document outlines the design and configuration of the Netskope Cloud Security Platform for <customer>, focusing on enhancing security for remote worker laptops amidst increased cloud service adoption. It details the solution's capabilities, including data protection, real-time monitoring, and integration with existing IT environments, while addressing security challenges associated with cloud services. The design includes foundational components, real-time protection mechanisms, and API-enabled features to ensure compliance and mitigate risks related to cloud usage.


<customer>

Netskope Security Cloud Platform Design

Month DD, YYYY

<CUSTOMER> – NETSKOPE CLOUD SECURITY PLATFORM DESIGN 1


Version History
Date Author Version Details

dd/mm/yyyy 0.1 Initial draft

Distribution
Name Organisation Role

Stability Security Lead

Technical Project Lead

Project Manager

Netskope Sr. Cloud Security Consultant

Netskope Technical Account Manager

Table of Contents
<customer> 1
1 Introduction 6
1.1 Executive Summary 6
1.2 Document Structure 7
1.3 Glossary of Terms 7
2 Scope 9
2.1 In Scope 9
2.2 Out of Scope 10
2.3 Dependencies 10
2.4 Assumptions 10
3 Solution Overview 11
3.1 Netskope Cloud Security Platform 11
3.2 Foundational Components 11
3.2.1 Netskope UI and Tenant Management 11
3.2.2 Users and Groups Provisioning 11
3.3 Forward Proxy - Real-time Protection 11
3.3.1 Netskope Client 11
3.3.2 IPSec/GRE 11
3.3.3 iOS VPN Profiles 11
3.4 Reverse Proxy - Real-time Protection 11
3.4.1 Reverse Proxy for O365 11
3.5 Netskope Private Access 11
3.6 API-enabled Protection 12
3.6.1 API-enabled Protection for SAAS 12
3.6.2 API-enabled Protection - Public Cloud (IAAS) 12
3.7 Risk Insights – Discovery 12
3.8 Netskope Integrations 12
3.8.1 Integration with SIEM 12
3.9 Reports 12
4 Solution Design 13
4.1 Netskope Cloud Security Platform 13

4.2 Netskope Components 15
5 Application Architecture 16
5.1 Foundational Components 16
5.1.1 Netskope UI and Tenant Management 16
5.1.1.1 Netskope UI 16
5.1.2 Tenant Management 17
5.1.2.1 Login Settings 20
5.1.2.2 IP Allowlist 20
5.1.3 Directory Synchronization - Users and Groups Provisioning 21
5.1.4 Directory Importer settings 22
5.2 Forward Proxy - Real-time Protection 24
5.2.1 Netskope Client 24
5.2.1.1 NS Client Packet Flow 25
5.2.1.2 NS Client Packet Flow in Explicit Proxy Mode 26
5.2.1.3 NS Client Packet Flow in DNS Mode 26
5.2.1.4 Netskope Client Setup, Configurations and Settings 27
5.2.1.4.1 NS Client packaging 27
5.2.1.4.2 Traffic steering policy 27
5.2.1.4.3 Traffic steering exceptions 27
5.2.1.4.4 SSL/TLS certificates 28
5.2.1.4.5 Client Configurations 28
5.2.1.4.6 Device Classifications 29
5.2.2 IPsec Tunnel 30
5.3 API-enabled Protection 32
5.3.1 O365 (OneDrive, SharePoint, Outlook) 33
5.3.2 Forensics/Legalhold/Quarantine Profiles 35
5.3.3 API-Enabled Threat Protection Settings 35
5.4 Netskope Integration with SIEM - Splunk 37
5.5 Netskope Policies 40
5.5.1 API-enabled Protection Policies 40
5.5.2 Real-time Protection Policies 41
5.5.2.1 Inline Cloud App and Web Policies 42
5.5.2.2 User Notifications 57

6 Infrastructure Architecture 58
6.1 Netskope Directory Importer VM Specifications 58
6.1.1 Netskope Directory Importer Software Prerequisites 59
6.1.2 Netskope Directory Importer Permissions 59
7 Network Architecture 60
7.1 Netskope Directory Importer Firewall Rules 60
7.2 Real-time Protection - Netskope Client 61
7.3 Real-time Protection - IPSec 62
8 Project Timelines 64
8.1 Project High Level Dates 64
8.2 Project Milestone Estimated Delivery Dates 64
9 Appendix 65
9.1 Netskope Datacenters 65
9.2 Confidentiality / Integrity / Availability 65
9.3 Data Residency & Processing 65
9.3.1 Data at Rest 66
9.3.2 Data at Transit 66
9.3.3 Storage Confidentiality 66
9.4 Data Retention 67
9.5 Identity Management 67
10 Appendix B 69
10.1 Reference Documents 69
11 Decision Points 69

Netskope Cloud Security Platform Design

1 Introduction
The purpose of this document is to describe the detailed design and configuration of the Netskope Cloud
Security Platform for <customer> Remote Worker Laptops.

1.1 Executive Summary


The increased adoption of cloud-based services within <customer> means that corporate data is processed
and stored beyond the tightly controlled and managed perimeter. New security and compliance challenges
arise from the use of cloud services that cannot be addressed with the operational and security
services currently in use within <customer> on-premise data centers. To address this, a modern
security solution referred to as a ‘Next Generation Secure Web Gateway’ (NGSWG) powered by
Netskope is to be delivered to assist <customer> in the transformational change to align with business
strategy. This document describes the solution design for deploying the Netskope Cloud Security
Platform and its integration with the existing <customer> corporate IT environment.

Strategically, <customer> is leveraging cloud-based services as part of its core technology capability to
support the ongoing transformational business change. In parallel, the workforce is increasingly
mobile and will be using laptops to work remotely.

With the adoption of these services comes increased concern around the trustworthiness of services, the
security posture of endpoints and real-time governance of access to services. A set of security
capabilities is required to allow the <customer> business to safely adopt these services and operational
modes and to place less reliance on traditional on-premise network-oriented controls as the primary risk
mitigants. Furthermore, the capability needs to allow for easy onboarding of current and future cloud-
based services to provide flexibility and value realization.

The Netskope Cloud Security Platform will provide capabilities to:

 control data exchange based on data classification
 monitor suspicious cloud login activity and identify account compromises
 improve visibility on the use of Shadow IT services
 improve insight into user behaviour of cloud usage
 apply remediation actions, audit risky behaviour
 identify and mitigate phishing threats and malware from cloud services, and
 continuously monitor cloud services for audit and compliance objectives.

This design will provide configuration and implementation details for:

 Foundational components (Tenant SSO, Directory Synchronization)
 Forward Proxy (NS Client, IPSec)
 API-enabled Protection (O365)
 Risk Insights (Log Collection, parsing and correlation)
 Reverse Proxy
 Netskope Integrations (SIEM, CTE, CTO)

1.2 Document Structure
This section provides an overview of the solution context and outlines the structure of the Design.

Glossary of Terms outlines acronyms that are used throughout the document, and the Scope,
Constraints, Dependencies, Assumptions and References are also outlined.

The Solution Design provides a summary of the capability for the solution as outlined in the HLD and is
included for reference.

The Application Architecture covers the capabilities and application settings of the solution.

The Infrastructure Architecture describes the configuration and builds of any on-prem component within
customer infrastructure.

The Network Architecture covers networking, application specific flows and other operational aspects.

The Appendix section covers non-functional aspects of the solution.

1.3 Glossary of Terms

Acronym / Abbreviation Description / Definition
AD Active Directory
API Application Programming Interface
CASB Cloud Access Security Broker
CCI Cloud Confidence Index
CDPP Customer Data Privacy Protection
DC Domain Controller
Dev Development
DLP Data Leak Prevention
DNS Domain Name System
DPOP Dataplane On-Premise
DR Disaster Recovery
EM / EDM Exact Match or EDM Exact Data Match
GTM Global Traffic Management
HA High Availability
HLD High Level Design
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
LDAP Light-weight Directory Access Protocol
LLD Low Level Design
MSI Microsoft Installer
O365 Microsoft Office 365
OAuth Open Authentication Protocol
OPLP On Premise Log Parser aka Log Parser
OU Organizational Unit
OVA / OVF Open Virtual Appliance / Open Virtualization Format
PAC Proxy Auto Configuration
POC Proof of Concept
POP Netskope Point of Presence
REST Representational State Transfer API
SCIM System for Cross Domain Identity Manager

SIEM Security Incident and Event Management
SSL Secure Socket Layer
SAM Security Admin accounts
SSO Single Sign-On
TLS Transport Layer Security
UI User Interface
UPN User Principal Name
VA Virtual Appliance
VDI Virtual Desktop Infrastructure
VM Virtual Machine
VPN Virtual Private Network
SAML Security Assertion Markup Language
SCP Secure Copy using SSH
SHA Secure Hash Algorithm
SkopeIT Netskope UI Reporting Tool for customer's cloud/web events and alerts

2 Scope
2.1 In Scope
The following constituents are in scope for the project and are specific to this document.

 Creation of Netskope tenant in AU/US/EU/DE Netskope Management Plane
 Foundational Use Cases
- Single Sign On (SSO) and Role Based Access Control for Netskope Tenant Access
- User Identity Provisioning with SCIM / Directory Importer
- Enable security analysts to review DLP incident data (metadata and content) in the Netskope
Tenant.
 Forward Proxy CASB/Web
- Provide visibility and real-time protection controls for the following types of managed
devices using the Netskope Client: Laptop/Desktop (Windows/Mac), Virtual Desktop
(Windows), Kiosk
- Provide visibility and real-time protection controls for the following types of managed
devices using IPSec/GRE tunnels (up to 2 IPSec/GRE tunnels): Chromebook (SWG only),
Servers (Windows, Linux), IoT
- Provide visibility and real-time protection controls for Guest WiFi networks using
dedicated infrastructure (up to 2 IPSec/GRE tunnels, Maybe 90)
- Provide real-time Threat Protection controls
- Provide real-time Acceptable Use controls
- Provide real-time Data Loss Prevention controls
- Provide real-time Access controls
 API-enabled Protection
- Identify risk exposure due to publicly shared files from up to three (3) sanctioned
applications
- Identify and control sensitive data shared externally or publicly from up to three (3)
sanctioned applications (PCI-DSS, US PII, GDPR)
- Identify and/or quarantine malicious files from up to three (3) sanctioned applications
 Risk Insights
- Discover shadow IT SaaS application usage from one (1) log source
- Report shadow IT SaaS application usage based on Organization Unit (OU) and other
directory attributes
- Basic report of data generated in Netskope (CASB/SWG/NG-SWG/API-enabled
protection)
 Reverse Proxy
- Provide visibility and real-time protection controls for one (1) sanctioned application from
unmanaged devices (May be 90)
 Netskope Integrations
- Integrate Netskope with Security Information and Event Management (SIEM) solutions
- Splunk
- QRadar / LogRhythm / Azure Sentinel / Syslog - Using Cloud Log Shipper (CLS)

The following table shows the coverage and deployment methods for the Netskope Cloud Security Platform
for maximum coverage. It shows the different access methods, whether the machine is managed or
unmanaged, and whether the user accesses sanctioned or unsanctioned cloud apps.

The access methods marked in the table are the recommended deployment methods under each category.

2.2 Out of Scope


The following constituents are out of scope:

 TBD

2.3 Dependencies
The dependencies below are specific to this design:

 TBD

2.4 Assumptions
The assumptions below are specific to this design:

 TBD

3 Solution Overview
The below Netskope components will be deployed:

3.1 Netskope Cloud Security Platform


The platform offers cloud-native solutions to businesses for data protection and defense against threats in
cloud applications, cloud infrastructure and the web. One Netskope Tenant will be provisioned for
<customer>.

3.2 Foundational Components


3.2.1 Netskope UI
The Netskope user interface (UI) and dashboards provide traffic steering, visibility into network activities,
and analytics to help you define policies to protect your enterprise from security violations.

3.2.2 Netskope Tenant Management


The Netskope tenant provides administrative controls for account management.

3.2.3 Users and Groups Provisioning


The Netskope Directory Importer will sync user and group information to the Netskope tenant which will
be used in real-time protection policies. The Netskope Directory Importer will get deployed on a Windows
64-bit VM.

Note: All users must have a value populating the Mail attribute field in AD, and this value must be in email
address format. This will be used as the primary identifier for Netskope client user validation (optionally
the UPN can be used instead if it is in email address format).

OR

Netskope SCIM integration will be used to on-board/off-board user and group attributes from <enter IDP>
into the Netskope tenant; this is a one-way sync only from <enter IDP> to Netskope.

3.3 Forward Proxy - Real-time Protection


3.3.1 Netskope Client
The Netskope client will be deployed on endpoints for real-time visibility and control of cloud applications
and web.

3.3.2 IPSec/GRE
IPSec/GRE tunnels will be established between the firewalls/routers and Netskope datacenters to forward
traffic from Guest WiFi and Servers for real time visibility and policy control.

3.3.3 iOS VPN Profiles


iOS devices will be configured with VPN profiles deployed using the Intune MDM solution to connect to
Netskope for real-time protection of cloud applications and web traffic.

3.4 API-enabled Protection


3.4.1 API-enabled Protection for SAAS

API-enabled protection enables introspection of sanctioned apps (e.g. OneDrive/SharePoint) to provide
visibility and inventory of data at rest.

3.4.2 API-enabled Protection - Public Cloud (IAAS)


Continuous Security Assessment (CSA) will be configured for <AWS/Azure/GCP> account with a
maximum total of <enter total no. of resources for both IAAS> resources to provide visibility on
vulnerability and security misconfigurations of IAAS.

3.5 Risk Insights – Discovery


Proxy logs will be ingested to provide visibility of sanctioned and unsanctioned cloud applications.

3.6 Netskope Integrations


3.6.1 Integration with SIEM
The Netskope REST API will be configured on the SIEM to download events from the Netskope tenant for
a longer retention period of events and for incident management.

3.7 Reverse Proxy - Real-time Protection


3.7.1 Reverse Proxy for O365
The Netskope Reverse Proxy will be integrated with existing IDP to use EndPoint URL redirection to
Netskope for real-time visibility and control of O365.

3.8 Netskope Private Access


Netskope for Private Access (NPA) enables zero-trust secure access and will be deployed in AWS/Azure
to provide secure access to AWS/Azure hosted private enterprise applications.

3.9 Reports
Netskope reporting functionality provides a deep level of visibility to satisfy various regulatory standards.
Insight gained through reports can help you determine how to best steer traffic to protect your
organization.

4 Solution Design
4.1 Netskope Cloud Security Platform
The Netskope Cloud Security Platform consists of two planes: a management plane and a data plane.
The management plane for each customer includes a unique tenant URL that allows for
management of policies, users, clients and non-real-time services like API-enabled protection and risk
insights. The data plane for Netskope is a globally distributed set of datacenters (POPs) for
handling users’ real-time data traffic. Users can be served from any datacenter globally by default,
and they are automatically routed to the closest datacenter.

One Netskope tenant will be provisioned for <customer>.

TYPE   NETSKOPE TENANT      HOME POP                           GTM
       (MANAGEMENT PLANE)   (DATAPLANE)
PROD   <tenantname>         MEL2 – Melbourne (Australia)       Global Zone
                            SV5 – San Jose (United States)     or
                            SJC1 – San Jose (United States)    <specific> Zone Only
                            AM2 – Amsterdam (Netherlands)
                            FR4 – Frankfurt (Germany)

The Netskope Cloud Security Platform enables a variety of advanced security services to be deployed
and administered seamlessly as microservices across SaaS, IaaS and Web environments.

The following diagram is a holistic overview of the various Netskope components that will be deployed in the
environment. There are more comprehensive diagrams throughout the document for each of the deployed
components.

Holistic View High Level Design Diagram

4.2 Netskope Components
The table below outlines the major platform or technologies in this solution.

PLATFORM / TECHNOLOGIES                DESCRIPTION
Netskope Tenant                        A tenant provisioned in Netskope cloud to proxy cloud applications & web traffic
Netskope Adapter (Directory Importer)  Connects to a domain controller (DC) and periodically fetches user and group
                                       attributes from Active Directory and syncs to the Netskope tenant
Netskope Client                        The Netskope Client steers HTTP/HTTPS for cloud apps & web traffic to the
                                       Netskope tenant
IPSec/GRE                              Site to Site tunnel for policy based routing or PAC file steering of web traffic
                                       to Netskope POP
Netskope API-enabled Protection        Uses an out-of-band API connection into sanctioned cloud services to provide
                                       visibility of sensitive content, enforce near real-time policy controls,
                                       quarantine and malware detection.
On-Premise Log Parser (OPLP)           The OPLP Virtual Appliance (VA) is used to parse log files from the perimeter
virtual appliance                      devices. All log processing happens locally, and only the extracted events are
                                       sent to the tenant in the Netskope cloud. The underlying platform/operating
                                       system that the Netskope OPLP virtual appliance operates on is a hardened
                                       Ubuntu v16.04.6 LTS.
Netskope REST API                      Used to retrieve Alerts, Applications, Audit, Client and Connections events
Netskope Reverse Proxy                 Reverse Proxy services to apply inline controls for unmanaged devices for
                                       sanctioned applications within Netskope tenant
Netskope Private Access                Enables zero-trust secure access to private enterprise applications

5 Application Architecture
5.1 Foundational Components
A Netskope tenant will be provisioned for <customer> in the Netskope Cloud Security Platform. The
Netskope tenant, or Admin console, provides access to all the Netskope products and services in
one location, from administrative functions like tenant access and privileges, to viewing
informative dashboards, managing incidents, using SkopeIT to monitor activity, assessing app risk,
running advanced analytics, and creating reports.

5.1.1 Netskope UI
The Netskope UI provides full access to deploying and managing the Netskope solution. It provides
administrative controls for account management and traffic steering, visibility into network activities, and
analytics to help you define policies to protect your enterprise from security violations.

The following tools are available in Netskope UI:

 Netskope Dashboard: Provides the overall enterprise risk score and also allows you to drill-down
further to analyze user and app risk.
 Incidents: Provides views into DLP, anomalies, compromised credentials, malware, malicious sites,
quarantine, and legal hold incidents.
 API-enabled Protection: Provides views for all of your API-enabled Protection instances.
 Policies: Provides views of your Real-time Protection and API-enabled Protection policies, profiles,
templates, and encryption.
 Cloud Infrastructure: Provides an overview of your inventory, compliance posture, and DLP
incidents across your deployments in AWS, Microsoft Azure, and Google Cloud Platform.
 SkopeIT: Provides views generated by the Netskope Analytics engine for applications, sites, users,
alerts, and events.
 Cloud Confidence Index: Analyze risky apps and verify the Cloud Confidence Index/level of all the
discovered apps in the network.
 Reports: Create, view, and manage custom report templates.

5.1.2 Tenant Management


The Netskope UI provides full access for deploying and managing admin rights for the Netskope solution.
There are several administrator account types and you can assign each admin a specific role which has
different admin privileges. In addition, you can create custom designed roles based on your business
needs.

Netskope Tenant provides support for both local account and integration with Single Sign-On Identity
Providers for authentication. The Netskope tenant for <customer> will be configured with SAML based
authentication for Single Sign-On (SSO) with Azure AD. This will support the management of
administrative users within the tenant as users will be managed using Active Directory groups.

The below local accounts will be required for tenant access in case SSO with Azure is not available and
for assistance from Netskope Support.

[email protected] (Fall-back account - Password managed by security team)
<Customer to decide fall-back account email name>
[email protected] (Account used by Netskope Support – Enabled when required to
troubleshoot issues with the tenant)

To login with a local account the following URL would need to be used:
https://<tenantname>/locallogin

Figure 2: Netskope UI SSO with Azure

APPLICATION COMPONENT   ROLE IN THE ARCHITECTURE
Netskope Tenant         Admins with roles assigned to manage the tenant
Admin Desktop           Used for management of Netskope components
Azure                   IDP for SSO

Netskope Roles:

There are several predefined roles within the Netskope tenant. Each admin will be assigned a specific
predefined role or a custom role which has different admin privileges. All activities performed on the
Netskope UI are logged and accessible only to the Tenant Admin role.

Admins can also be kept from viewing sensitive data by creating custom roles which apply to the Events,
API-enabled Protection, Reports, Incident Management and Malware functional areas. The below fields can
be obfuscated:

 User names and IPs
 Source location information
 File and object names
 App names, URLs and Dest IPs

Below Netskope roles and IDP settings will be configured for SSO to the Netskope Tenant UI.
Netskope Role Name     TenantAdmin              DelegatedAdmin           ReadOnly                 L1Support
Role Description       Top level admin has      All privileges except    Read only access to      Read only access to
                       all privileges           managing other admins    all sections except      Events and Users
                                                                         admins
Administrators         View and Manage          None                     None                     None
Advanced Settings      View and Manage          View and Manage          View Only                None
Settings               View and Manage          View and Manage          View Only                None
CCI                    View and Manage          View and Manage          View Only                None
Events                 View and Manage          View and Manage          View Only                View Only
Introspection          View and Manage          View and Manage          View Only                None
Policies               View, Manage and Apply   View, Manage and Apply   View Only                None
Reports                View and Manage          View and Manage          View Only                None
End Users              View and Manage          View and Manage          View Only                View Only
Incident Management    View and Manage          View and Manage          View Only                None
Threat                 View and Manage          View and Manage          View Only                None
IaaS/PaaS              View and Manage          View and Manage          View Only                None
File Content           Allow Access             Allow Access             -                        -
Obfuscate              None                     None                     None                     None
Scope                  All Events               All Events               All Events               All Events

LOCAL / IDP ACCOUNTS    ASSIGNED ROLE
<enter email address>   Tenant Admin (pre-defined)
<enter email address>   TenantAdmin (custom)
<enter email address>   DelegatedAdmin (custom)
<enter email address>   ReadOnly (custom)
<enter email address>   L1Support (custom)

Azure SSO Configuration:

NETSKOPE SETTINGS                             VALUES
Identifier (Entity Id)                        <Get Entity ID from tenant under Settings > Administration > SSO>
Reply URL (Assertion Consumer Service URL)    <Get ACS URL from tenant under Settings > Administration > SSO>
User attributes and claims                    1) NameID = user.principalname or NameID = user.mail
                                              (use any one attribute which has email address format)
                                              2) admin-role = <This is an AD attribute with a claim value matching
                                              roles in the Netskope tenant; e.g. Tenant Admin>

Netskope IDP Configuration in Tenant:

IDP SETTINGS VALUES

SSO Enabled
Sign SSO Authentication Request
Disable Force Authentication
IdP URL <get iDP URL from Azure>
IdP Entity Id <get entity id from Azure>
IdP Certificate <get cert from Azure>
SLO Enabled
Sign SLO Request/Response
iDP SLO URL
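As an added example (not Netskope's or Azure's SSO code), the Python below applies the two claim rules configured above to a parsed SAML assertion: NameID must be in email-address format, and the admin-role claim must carry exactly one value matching a role configured in the tenant; anything else is refused rather than mapped to a default role. It assumes the assertion signature has already been verified against the IdP certificate from the tenant settings, and the role set and sample assertion are constructed from this design's role names.

```python
"""Claim checks for admin SSO into the Netskope tenant (added example).

Not Netskope's SSO implementation. It parses the Subject and AttributeStatement
of a SAML assertion (a constructed, unsigned sample is built by sample_assertion)
and applies the two claim rules in the design: NameID must be in email-address
format (user.mail or user.userprincipalname), and the admin-role claim must carry
exactly one value that matches a role configured in the tenant. Signature
verification against the IdP certificate configured in the tenant is assumed to
have happened before this check; it is not replaced here.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ROLE_CLAIM = "admin-role"

# Roles present in the tenant per the design: the pre-defined Tenant Admin and the
# four custom roles. Any other claim value is refused rather than mapped to a default.
KNOWN_ROLES = {"Tenant Admin", "TenantAdmin", "DelegatedAdmin", "ReadOnly", "L1Support"}


class ClaimError(ValueError):
    """The assertion does not carry the claims the tenant is configured to expect."""


def extract_admin_claims(assertion_xml, known_roles=KNOWN_ROLES):
    """Return (name_id, role) from the assertion or raise ClaimError."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="",
                            namespaces=SAML_NS).strip()
    if not EMAIL_RE.match(name_id):
        raise ClaimError(f"NameID {name_id!r} is not in email-address format")
    # Collect every value of the admin-role attribute; the design expects one.
    roles = [
        (value.text or "").strip()
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)
        if attr.get("Name") == ROLE_CLAIM
        for value in attr.findall("saml:AttributeValue", SAML_NS)
    ]
    if len(roles) != 1:
        raise ClaimError(f"expected exactly one {ROLE_CLAIM} value, got {roles}")
    if roles[0] not in known_roles:
        raise ClaimError(f"unknown role {roles[0]!r}, login refused")
    return name_id.lower(), roles[0]


def admin_login_decision(assertion_xml):
    """Fail-closed wrapper: ('allow', name_id, role) or ('deny', reason)."""
    try:
        name_id, role = extract_admin_claims(assertion_xml)
    except (ClaimError, ET.ParseError) as exc:
        return ("deny", str(exc))
    return ("allow", name_id, role)


def sample_assertion(name_id, *roles):
    """Build a minimal unsigned assertion fragment (constructed test input)."""
    values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{ROLE_CLAIM}">{values}</saml:Attribute>'
        "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


if __name__ == "__main__":
    for xml in (sample_assertion("Admin@example.com", "ReadOnly"),
                sample_assertion("jsmith", "ReadOnly"),              # sAMAccountName, not mail/UPN
                sample_assertion("j@example.com", "Domain Admins"),  # AD group, not a tenant role
                sample_assertion("j@example.com", "ReadOnly", "TenantAdmin")):
        print(admin_login_decision(xml))
```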

Note: Netskope also has a built-in role Super Tenant Admin which can be configured to send email
notifications for policy alerts and can also be used as a break glass account for SSO troubleshooting.
Only one local account with Tenant Admin privileges can be assigned this additional role of a Super
Tenant Admin.

The customer can select an existing local account or create a new local account. The recommendation is to set a group
email address (e.g., [email protected]) and to store the password in a password safe, as
this account will normally not be used for any administrative tasks within the tenant.

<enter email address> Super Tenant Admin

5.1.2.1 Login Settings

You can specify the number of login attempts that are allowed before the admin user is locked out of
the UI. The default setting allows up to 5 failed login attempts.

SETTINGS VALUE
Maximum failed login attempts 5
Idle timeout 15 mins
Password expiration 90 days
Disallow concurrent logins by same admin ✘

5.1.2.2 IP Allowlist
A list of IPs can be configured as an allowlist to access the Netskope tenant. <customer> egress IP
addresses assigned to the Netskope appliances like the on-premise log parser (OPLP), DPOP and
Netskope admins egress IPs will be added to the allow list in the tenant.

NO.   ALLOWED IP ADDRESS
1
2

5.1.3 Directory Synchronization - Users and Groups Provisioning
Netskope Directory Importer periodically fetches users and groups information from Active Directory and
syncs to the Netskope tenant. This is a one-way sync only from Netskope Directory Importer to the
Netskope tenant.

Once the users and groups are provisioned in the tenant we can determine user activity in cloud and web
traffic and enforce cloud app and web policies.

Figure 3: Netskope Directory Importer

APPLICATION COMPONENT                   ROLE IN THE ARCHITECTURE
Netskope Tenant                         Stores metadata of Active Directory users and groups and AD attributes in
                                        the tenant
Netskope Adapter – Directory Importer   Connects over LDAP 636 to synchronize Active Directory users and groups
                                        into the Netskope Tenant for Netskope Client user authorization and set
                                        validation ID in Netskope tenant for AD attribute = Mail or UPN
Active Directory                        Active Directory stores the organization's user and group attributes
Admin Desktop                           Used for management of Netskope components

5.1.4 Directory Importer settings
Below are the settings for the Directory Importer and list of AD groups synced to the tenant.

List of AD Groups:

- <enter group name>

DIRECTORY IMPORTER AD ATTRIBUTES
List of AD attributes uploaded to Netskope Management Plane:
- Mail (Mail attribute needs to be present in AD to sync user)
- SAM Account
- UPN
- First Name
- Last Name
- OU
- Group Membership

NETSKOPE ADAPTER SETTINGS
Server Name                    <enter server name>
IP Address                     <enter ip address>
Subnet                         <enter subnet mask>
Gateway                        <enter gateway>
Service Account                <enter service account>
Service Account Privileges:
  Log on As A Service          ✘ (Grants rights to start services that run continuously on a computer)
  Local Admin                  ✘ (Local admin privileges)
  Event Log Reader             (AD group - used by AD Connector service)
  DNS Administrators           (AD group - used by DNS Connector service)
Features:
  AD Importer                  ✘
  AD Connector
  DNS Connector
User Info URL                  (Get URL from tenant under Settings > Tools > Directory Tools)
Directory Service:
  Active Directory             ✘
  Other Directory Services
Select Domain:
  Any                          ✘
  Specific
Filter Options:
  None                         ✘
  LDAP Query
  Groups                       ✘ <enter group name>
  Organization Unit
  Dynamic Groups
Log File Path                  C:\Users\Public\Netskope
Advanced Settings:
  User Info Collect Interval   180 (In Mins) (min = 60mins & max = 1440mins)
  Log Level                    Info
  Proxy Settings               Use internet proxy settings of the AD Importer user
  Additional User Attributes   <enter upto 5 additional attributes which can be used in reporting>
  Display Name Attribute
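As an added example (not Netskope's Directory Importer code), the following Python applies the sync rules stated in this section and in section 3.2.3 before records are handed to the importer: only members of the configured AD groups are synced, a user needs a Mail attribute in email-address format, and the UPN may optionally stand in when it is itself an email address. The group DN and the user records are constructed placeholders, and it forwards only the attributes listed above.

```python
"""Pre-sync check for Active Directory records destined for the Netskope tenant.

Added example, not Netskope's Directory Importer code. It applies the rules the
design states: a user is synced only if the AD 'mail' attribute is present and in
email-address format; optionally the UPN may serve as the validation ID when it is
itself an email address. Only members of the configured AD groups are synced, and
only the attributes the design lists are forwarded. Sample records are constructed.
"""
import re

# Simplified email-address check: local@domain.tld with no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Attributes the design uploads to the Netskope management plane
# (Mail, SAM Account, UPN, First Name, Last Name, OU, Group Membership).
SYNCED_ATTRIBUTES = ("mail", "sAMAccountName", "userPrincipalName",
                     "givenName", "sn", "ou", "memberOf")

# Constructed group filter standing in for the design's "<enter group name>".
SYNC_GROUPS = {"CN=Netskope-Users,OU=Groups,DC=example,DC=com"}


def validation_id(record, allow_upn_fallback=False):
    """Return the identifier Netskope will match the client user against, or None.

    The primary identifier is 'mail'. With allow_upn_fallback the UPN is accepted
    instead, but only when it looks like an email address (the design's
    'optionally use UPN if it is in email address format').
    """
    mail = (record.get("mail") or "").strip()
    if EMAIL_RE.match(mail):
        return mail.lower()
    if allow_upn_fallback:
        upn = (record.get("userPrincipalName") or "").strip()
        if EMAIL_RE.match(upn):
            return upn.lower()
    return None


def select_for_sync(records, groups=SYNC_GROUPS, allow_upn_fallback=False):
    """Split AD records into (to_sync, rejected).

    to_sync entries carry only the synced attributes plus the chosen validation
    ID; rejected entries carry the sAMAccountName and the reason, so the AD team
    can fix the record before the next import interval.
    """
    to_sync, rejected = [], []
    for rec in records:
        sam = rec.get("sAMAccountName", "<unknown>")
        member_of = set(rec.get("memberOf", []))
        if groups and not (member_of & groups):
            rejected.append((sam, "not in a synced AD group"))
            continue
        vid = validation_id(rec, allow_upn_fallback)
        if vid is None:
            rejected.append((sam, "mail attribute missing or not an email address"))
            continue
        entry = {k: rec.get(k) for k in SYNCED_ATTRIBUTES}
        entry["validation_id"] = vid
        to_sync.append(entry)
    return to_sync, rejected


# Constructed sample records (not real users).
SAMPLE_RECORDS = [
    {"sAMAccountName": "asmith", "mail": "Alice.Smith@example.com",
     "userPrincipalName": "asmith@example.com", "givenName": "Alice", "sn": "Smith",
     "ou": "OU=Staff,DC=example,DC=com",
     "memberOf": ["CN=Netskope-Users,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "bjones", "mail": "",             # mail attribute empty
     "userPrincipalName": "bjones@example.com", "givenName": "Bob", "sn": "Jones",
     "ou": "OU=Staff,DC=example,DC=com",
     "memberOf": ["CN=Netskope-Users,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "svc-backup", "mail": "backup",   # not email format
     "userPrincipalName": "svc-backup",
     "memberOf": ["CN=Netskope-Users,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "cwu", "mail": "c.wu@example.com",
     "userPrincipalName": "cwu@example.com", "givenName": "Chen", "sn": "Wu",
     "ou": "OU=Contractors,DC=example,DC=com",
     "memberOf": ["CN=Contractors,OU=Groups,DC=example,DC=com"]},  # not in synced group
]

if __name__ == "__main__":
    ok, bad = select_for_sync(SAMPLE_RECORDS)
    print(f"{len(ok)} user(s) ready to sync, {len(bad)} rejected")
    for sam, why in bad:
        print(f"  {sam}: {why}")
```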

5.2 Forward Proxy - Real-time Protection
The Real-time Protection is an inline deployment mechanism that routes traffic from managed endpoints
to cloud applications via the Netskope Secure Cloud service. Traffic is decrypted, inspected and sanitised
by inline protection policies. There are 2 Forward Proxy deployment methods:

 Agent based - Netskope Client.
 Agent-less with the use of IPsec/GRE tunnels to Netskope Cloud / DPOP

5.2.1 Netskope Client


The Netskope Client is a lightweight, non-intrusive application installed on a user’s device and provides
the most comprehensive coverage both on-premises and remote (off network). It steers HTTP/HTTPS
traffic from the user’s device to the Netskope cloud. All other traffic on the network is handled normally
without any action by the Netskope Client.

The Netskope client will get rolled out to <enter nos.> Windows 10 devices and MAC devices.
The NS client will be installed in multi-user mode on Windows devices.

Figure 4: Netskope Client Traffic Flow

APPLICATION COMPONENT                    ROLE IN THE ARCHITECTURE
Netskope Tenant                          Stores metadata of Active Directory users and groups and AD attributes used to
                                         authorize the Netskope clients
Netskope GTM Enabled                     Netskope client connects to the nearest Netskope POP and establishes an SSL
                                         tunnel, and then the Netskope POP connects to the managed cloud apps or websites
Netskope Adapter - Directory Importer    To synchronize Active Directory users and groups into the Netskope Tenant for
                                         Netskope Client user validation and set validation ID in Netskope tenant for AD
                                         attribute = Mail
Active Directory                         Active Directory stores the organization's user attributes
Netskope Client                          Steers HTTP/HTTPS traffic to Netskope POP; exceptions take the normal route
Desktop (Internal)                       Accesses cloud apps and websites and has the Netskope client installed on it.
                                         Netskope Client will establish an SSL tunnel to Netskope POP
Remote User with VPN and Netskope Client Accesses cloud apps and websites and has the Netskope client installed on it.
                                         SSL VPN connects (Split Tunnelling is not allowed) and the Netskope Client
                                         will establish an SSL tunnel to Netskope POP
Remote User with Netskope Client         Accesses cloud apps and websites and has the Netskope client installed on it.
(Without VPN)                            Netskope Client will establish an SSL tunnel direct to Netskope POP

APPLICATION COMPONENT | INSTALL COMMAND LINE
NSClient MSI for Windows in multi-user mode deployment | msiexec /I NSClient.msi token=<enter organization ID> host=addon-<tenantname> mode=peruserconfig /qn (Get Organization ID from the tenant under Settings > Active Platform > MDM Distribution)
NSClient PKG for MAC devices | Email Invite

5.2.1.1 NS Client Packet Flow

The NS Client intercepts traffic in DNS mode and in an explicit proxy environment.

<customer> is using the PAC file method to instruct the desktop machines how to reach SaaS applications/Internet websites, and it is assumed there is already a mechanism in place to ensure desktop devices can determine the URL of that PAC file. The Netskope Client will read the PAC file contents and detect the explicit web proxy. As soon as the proxy is detected, the Netskope Client will intercept all HTTP CONNECT messages sent to that proxy and will tunnel that traffic through the SSL tunnel established between itself and the Netskope Gateway component in Netskope's cloud. As Netskope is meant to be <customer>'s Cloud Web Proxy, all web traffic on TCP ports 80 and 443 not explicitly configured as an exception will be sent through the above-mentioned SSL tunnel.

As part of the project the PAC file will be reviewed and updated. The PAC file will either be reduced to a single rule to go Direct or be decommissioned, and the exceptions that currently go direct in the PAC file will be reviewed and configured in the Netskope Steering Exception List as a bypass.

5.2.1.2 NS Client Packet Flow in Explicit Proxy Mode

Here are the packet flow details of how cloud app traffic is intercepted and sent through the tunnel when the client is installed in an explicit proxy environment:

1. The Client establishes the SSL tunnel between the Client and the Netskope gateway. The Client will first try to connect directly through the default gateway to establish the SSL tunnel. If this is blocked, it looks for system proxy settings, such as PAC (proxy auto-config) files, WPAD (Web Proxy Auto-Discovery Protocol) and manual configuration. The Client uses the proxy settings and connects to the Netskope gateway via HTTP CONNECT.
2. The browser or native app reads the proxy settings (PAC file, explicit proxy setting) and opens a connection to an explicit proxy server, for example ep.customer.com.
3. The Client parses the initial header of the connection.
4. If the initial header indicates the connection is to a SaaS app, the Client sends the entire payload through the SSL tunnel to the Netskope gateway.
5. If the initial header does not indicate SaaS app HTTPS access, the TCP proxy opens a connection to the explicit proxy server (for example ep.customer.com) and forwards the entire payload to it.

NS Client in Explicit Proxy Mode connection flow diagram

5.2.1.3 NS Client Packet Flow in DNS Mode

Here are the packet flow details of how cloud app traffic is intercepted and sent through the tunnel when the client is installed in a non-proxy environment:

1. The Client establishes the SSL tunnel between the Client and the Netskope gateway.
2. The browser/app sends a DNS request for a managed cloud service (for example Box.com).
3. The browser/app receives a DNS response (for example 74.112.184.73).
4. The Client driver captures the DNS response and creates a map of domain to IP for cloud app domains (for example Box.com = 74.112.184.73).
5. The browser/app sends packets to Box.com (for example DST IP 74.112.184.73).
6. The Client tunnels the Box traffic (for example DST IP 74.112.184.73) through the SSL tunnel.

NS Client in DNS Mode connection flow diagram

5.2.1.4 Netskope Client Setup, Configurations and Settings

5.2.1.4.1 NS Client packaging

The Netskope Client will be deployed via <customer> software deployment tools. The client will be deployed in multi-user mode and the command line to package the software is:

msiexec /I NSClient.msi token=<enter organization ID> host=addon-<ns client tenant url> mode=peruserconfig /L*v %PUBLIC%/ncinstall.log /qn

(Get Organization ID from the tenant under Settings > Active Platform > MDM Distribution)

5.2.1.4.2 Traffic steering policy

Steering configuration defines which traffic is sent to the Netskope Cloud before reaching SaaS applications/Internet websites. Netskope for Cloud Apps will be enabled for the Default Tenant Config. The following will be configured to be steered to Netskope:

- All Web Traffic

5.2.1.4.3 Traffic steering exceptions

Netskope exceptions will be configured for traffic that needs to bypass Netskope. Configuring any of those exceptions has the effect that the traffic flows according to what the PAC file determined for a given SaaS application/Internet website.

- Local IP address range (RFC 1918)
- Destination IP Address: <enter any other local ip address>
- Destination IP Address: <enter vpn ip address>
- Domains: <enter internal/external domains>
- Domains: <enter vpn domains>
- Process: <enter vpn process name and domains>
- Process: <enter cert-pinned processes>
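The steering decisions described in 5.2.1.2 (explicit proxy mode), 5.2.1.3 (DNS mode) and the exception list above can be checked end to end with a small model. The following is an added illustration, not Netskope Client code: the class and method names (SteeringExceptions, SteeringEngine, decide_packet, decide_connect) are constructed, the sample VPN range uses the documentation TEST-NET block, and, because this design steers All Web Traffic, every non-excepted flow on TCP 80/443 is treated as tunnelled.

```python
"""Model of the Netskope Client steering decisions in 5.2.1.2, 5.2.1.3 and
5.2.1.4.3. Added illustration only, not Netskope Client code; names are
constructed, and the RFC 1918 bypass mirrors the first exception above."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# RFC 1918 ranges: bypassed by the "Local IP address range" exception
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class SteeringExceptions:
    """Bypass list: a match means the flow is NOT tunnelled to Netskope."""
    ip_ranges: List[str] = field(default_factory=list)   # other local / VPN ranges
    domains: List[str] = field(default_factory=list)     # internal, external, VPN domains
    processes: List[str] = field(default_factory=list)   # VPN client, cert-pinned apps

    def __post_init__(self):
        self._nets = RFC1918 + [ipaddress.ip_network(r) for r in self.ip_ranges]
        self.domains = [d.lower() for d in self.domains]
        self._procs = {p.lower() for p in self.processes}

    def matches(self, dst_ip=None, domain=None, process=None) -> bool:
        if dst_ip is not None:
            ip = ipaddress.ip_address(dst_ip)
            if any(ip in net for net in self._nets):
                return True
        if domain and any(domain == d or domain.endswith("." + d) for d in self.domains):
            return True
        return bool(process) and process.lower() in self._procs


class SteeringEngine:
    """Per-flow decision: tunnel to the Netskope POP, bypass, or leave alone."""

    def __init__(self, exceptions: SteeringExceptions, steer_all_web: bool = True):
        self.exceptions = exceptions
        self.steer_all_web = steer_all_web   # "All Web Traffic" steering (5.2.1.4.2)
        self.dns_map = {}                     # IP -> domain, built from DNS responses

    def on_dns_response(self, domain: str, ip: str) -> None:
        """DNS mode step 4: the driver records which domain the IP resolved from."""
        self.dns_map[ip] = domain.lower().rstrip(".")

    def decide_packet(self, dst_ip: str, dst_port: int, process: str = "") -> str:
        """DNS mode steps 5-6: only TCP 80/443 is steered; exceptions go direct."""
        if not self.steer_all_web or dst_port not in (80, 443):
            return "direct"
        domain = self.dns_map.get(dst_ip)
        if self.exceptions.matches(dst_ip=dst_ip, domain=domain, process=process):
            return "bypass"
        return "tunnel"

    def decide_connect(self, header: str, process: str = "") -> str:
        """Explicit proxy mode steps 3-5: classify the browser's CONNECT request."""
        request_line = header.split("\r\n", 1)[0].split()
        if len(request_line) < 2 or request_line[0] != "CONNECT":
            return "forward-to-explicit-proxy"   # not a CONNECT: leave it to the proxy
        target = request_line[1].lower()
        host = target.rpartition(":")[0] or target
        if self.exceptions.matches(domain=host, process=process):
            return "forward-to-explicit-proxy"
        return "tunnel"


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.0/24 (TEST-NET-3) stands in for the VPN range
    exc = SteeringExceptions(ip_ranges=["203.0.113.0/24"], domains=["corp.example"],
                             processes=["vpnclient.exe"])
    engine = SteeringEngine(exc)
    engine.on_dns_response("Box.com", "74.112.184.73")   # the DNS mode example above
    print(engine.decide_packet("74.112.184.73", 443))      # tunnel
    print(engine.decide_packet("10.1.2.3", 443))           # bypass (RFC 1918)
    print(engine.decide_connect("CONNECT intranet.corp.example:443 HTTP/1.1\r\n\r\n"))
```

Running the model over the exception list before rollout shows which flows the client will leave to the PAC file or the explicit proxy, which is the check to make when the PAC file's direct entries are migrated into the Steering Exception List.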

5.2.1.4.4 SSL/TLS certificates

<customer> users will be sending traffic to the Netskope Cloud in order to perform deep traffic inspection. For SSL/TLS interception, Netskope's PKI infrastructure will be used, with the following Certification Authority (CA) hierarchy:

- Root CA: caadmin.netskope.com
- Intermediate CA: ca.<ns client tenant name>.goskope.com

For SSL/TLS interception to succeed, Netskope's Root CA certificate must be installed in the trusted CA store of the desktop machines, a task performed by the Netskope Client installer.

5.2.1.4.5 Client Configurations

When the Netskope Client service starts up, it also retrieves the client configuration from the tenant. That configuration is set up in the WebUI in the 'Settings -> Security Cloud Platform -> Devices -> Client Configurations' section. <customer>'s standard Netskope Client configuration will use the default client configuration, with the following relevant settings:

PARAMETER | VALUE
Upgrade clients automatically | Disabled
Allow disabling of clients | Disabled
Hide client icon on system tray | Disabled
Uninstall clients automatically | Disabled
Password protection for client uninstallation and service stop | Disabled
Allow users to unenroll | Disabled
Enable Push Notifications for iOS | Disabled
Interoperate with Proxy – Static Web Proxy | None
On-Premises Detection | None
Enable device classification and client-based end user notifications when the client is not tunneling traffic | Disabled
Enable DTLS | Disabled
Enable advanced debug option | Disabled

<customer> will also require some selected users to have further capabilities to verify and, if necessary, troubleshoot the Netskope Client behavior. To achieve that, another client configuration will be created, matching the security group '<enter sec-ops group name>'. This client configuration will have the additional capabilities of enabling/disabling the Netskope Client and enabling/disabling the advanced debug option.

5.2.1.4.6 Device Classifications

Additional parameters can be configured so that a device is classified as Netskope managed or unmanaged when it meets the minimum requirements. This can then be used in Netskope policies to apply different policy sets for managed or unmanaged devices. Currently this will be left at the default settings (not configured), as there are no use cases for this feature.

5.2.2 IPsec Tunnel (Servers, Chromebook, IoT)

IPsec tunnels will be configured between the firewalls and the Netskope data centres to provide network-based steering of web traffic for visibility and control. This will apply to servers, based on source IP address/ranges, and to Guest WiFi.

APPLICATION COMPONENT | ROLE IN THE ARCHITECTURE
Netskope Tenant | Stores metadata of Active Directory users and groups and AD attributes
Netskope Dataplane | The IPsec tunnel connects to the nearest Netskope data centres

NETSKOPE PEERS (IPSEC) | TUNNEL SETTINGS
Tunnel Name | <enter tunnel name>
Source IP Address | <enter originating egress ip address for ipsec tunnel>
Source Identity | <enter source identity to be configured in ipsec tunnel>
Primary Netskope DC | <enter DC IP & Name>
Failover Netskope DC | <enter DC IP & Name>
Pre-Shared Key (PSK) | <enter key – stored in password safe>
Encryption Cipher (select one) | AES128-CBC, AES128-GCM, AES192-GCM, AES256-CBC, AES256-GCM
Maximum Bandwidth (select one) | 50 Mbps, 100 Mbps, 150 Mbps, 250 Mbps

Supported IPsec Options

5.3 API-enabled Protection

Netskope API-enabled Protection inspects content that is already resident in a cloud service (data-at-rest), irrespective of when it was uploaded or where it was created. API protection inventories and classifies content, content owners and collaborators, and provides content sharing status. Additionally, it enables you to download files for review and perform a variety of actions such as restricting access, revoking sharing, encrypting content, quarantining content and placing content on legal hold.

This deployment option doesn't have any infrastructure dependencies and, as such, is simple to deploy. Target applications are configured to grant access from the Netskope tenant using an OAuth token. This technology is referred to as API introspection and uses the native API interfaces of SaaS applications to inspect activity, newly added content and content that already resides in the sanctioned app.

API-enabled Protection has the following constraints:

- Control is out-of-band, therefore policy enforcement actions occur shortly after the event has happened, not in real time.
- Only selected sanctioned cloud services are supported. Unsanctioned cloud services cannot be scanned with API policies.
- The API policy capabilities are not uniform and vary from application to application, as they depend heavily on the SaaS application's API capabilities.

API-enabled Protection can be used to provide the following outcomes:

- Secure sensitive content: Depending on the application APIs, sensitive content can be protected by generating alerts, encrypting data, removing external links, quarantining the data or placing it on legal hold for further review, and/or removing it from the cloud. Availability of the corrective action depends on the native API provided by the sanctioned application; different applications provide different levels of functionality.
- Audit activities: The API-enabled dashboard provides insight into who has access to data, or what actions have been performed by various parties (download, share, edit, etc.).
- Discover sensitive data: Allows discovery of sensitive data in sanctioned services using either predefined or custom DLP profiles (e.g. personally identifiable information (PII), protected health information (PHI), payment card industry information (PCI), or other confidential profiles). Discovered sensitive data can then be secured, for example encrypted as above, or collaborators/administrators notified of the policy violation, so that action can be taken.

5.3.1 O365 (OneDrive, SharePoint, Outlook)

Netskope's API integration with O365 uses OAuth tokens, and a webhook mechanism for OneDrive, SharePoint and Outlook to detect changes and events that occur in the endpoint application.

APPLICATION COMPONENT | ROLE IN THE ARCHITECTURE
Netskope Tenant | Uses an out-of-band API connection leveraging OAuth tokens into your sanctioned cloud services to provide visibility of sensitive content, enforce near real-time policy controls, and quarantine malware
O365 OneDrive for Business API | OneDrive API provides introspection, quarantine, legal hold, malware, forensic
O365 SharePoint API | SharePoint API provides introspection, quarantine, legal hold, malware, forensic
O365 Outlook API | Outlook API provides introspection
Admin Desktop | Used for management of Netskope components

O365 DETAILS | SETTINGS
Service Account Email | <enter service account email>
Netskope Introspection v2 App for OneDrive/SharePoint | (to be deployed in SharePoint App catalog - available from Netskope support portal)

API-ENABLED PROTECTION - ONEDRIVE API | SETTINGS
Instance Name | <enter instance name>
Enable Multi Geo | ☐
Instance Type | Introspection, Quarantine, Malware, Legalhold, Forensic
Admin Email | <enter service account email>
List of Internal Domains | <enter internal email domains>
Grant RMS | ☐

API-ENABLED PROTECTION - SHAREPOINT API | SETTINGS
Instance Name | <enter instance name>
Enable Multi Geo | ☐
Instance Type | Introspection, Quarantine, Malware, Legalhold, Forensic
Admin Email | <enter service account email>
List of Internal Domains | <enter internal email domains>

API-ENABLED PROTECTION - OUTLOOK API | SETTINGS
Instance Name | <enter instance name>
Instance Type | Introspection
Admin Email | <enter service account email>
List of Internal Domains | <enter internal email domains>

5.3.2 Forensics/Legalhold/Quarantine Profiles

Netskope does not store cloud service data on its systems or in its data centers. A SharePoint site "<enter site name>" has been created by <customer> and will use the Netskope O365 API integration with SharePoint to store customer data for the Forensics/Legalhold/Quarantine DLP use cases.

DLP - FORENSICS PROFILE | SETTINGS
Profile Name |
App | Microsoft Office 365 Sharepoint Sites
Instance |
Site |

DLP - LEGALHOLD PROFILE | SETTINGS
Profile Name |
App | Microsoft Office 365 Sharepoint Sites
Instance |
Site |
Notification Emails |

DLP - QUARANTINE PROFILE | SETTINGS
Profile Name |
App |
Instance |
Site |
User Email |
Notification Emails |
Encrypt |
Tombstone Text | Use Default Text / Use Custom Text: <enter text>
Malware Tombstone Text | Use Default Text / Use Custom Text: <enter text>
Customer Provided Tombstone File |

5.3.3 API-Enabled Threat Protection Settings

Netskope can scan files stored in your cloud storage application for malware. This has been enabled for OneDrive and SharePoint, and the configuration settings are below.

API-ENABLED PROTECTION | SETTINGS
Low Severity | SkopeIT Alert / Quarantine File / Remediation Endpoints
Medium Severity | SkopeIT Alert / Quarantine File / Remediation Endpoints
High Severity | SkopeIT Alert / Quarantine File / Remediation Endpoints
Quarantine Profile | <select quarantine profile>
Remediation Profile | <select remediation profile; if applicable>
Zip Password | -
Notify |

5.4 Netskope Integration with SIEM - Splunk

Netskope REST API endpoints are available to provide alert, event and client data, manage quarantine and legal hold files, update file hash and URL lists, and perform several other functions. The following endpoints are available via the Netskope Platform APIs:

- Get Alerts Data: This endpoint returns alerts generated by Netskope, including policy, DLP and watch list alerts. Policy alerts are triggered when traffic matches a policy. DLP alerts are generated when there is a DLP violation triggered by the policy. Watch list alerts are triggered when a watch list matches.
- Get Events Data: This API call returns events extracted from SaaS traffic and/or logs.
- Get Client Data: This endpoint returns information related to the Netskope Client.
- Get Reports Data: This endpoint returns the result of a report generated on one of the fields in the summarization database.
- Get Steering Configuration List: This endpoint returns all the Steering Configuration names and the Steering Config IDs associated with them. Use this API to get the Steering Config name or Steering Config ID of the configured steering configuration(s) to use in the Get Steering Configuration Information endpoint.
- Get Steering Configuration Information: This endpoint is used to get details about a particular steering configuration.
- Get User Configuration Data: This endpoint returns the user configuration items for specified users. It allows retrieval of the iOS mobile profile or Netskope Client config for a user.
- Get Log Upload Token: This endpoint returns the log upload token. Only the token parameter is needed.
- Manage Quarantine Files: This endpoint allows different operations to be performed on quarantined files.
- Manage Legal Hold Files: This endpoint allows different operations to be performed on legal hold files.
- Update File Hash List: This endpoint updates the File Hash List with the values provided. This overwrites the existing values with the new values, so include any existing values to be kept in the list.
- Update URL List: This endpoint updates the URL List with the values provided. This overwrites the existing values with the new values, so include any existing values to be kept in the list.
- Acknowledge Anomalies: This endpoint should be used to acknowledge the anomalies for a user or a list of users.
- Acknowledge Compromised Credentials: This endpoint can be used to acknowledge a user whose credentials had been compromised and who has subsequently changed their password. Note that when a request is made for users with compromised credentials, this user will not be returned, preventing multi-factor authentication being invoked again for this user.

Netskope will store <customer>'s metadata and summary of events for 90 or 365 days. To keep events for a longer period of time, <customer> will configure their on-premise SIEM to download the Netskope application, alert, connection and client events via the Netskope REST API.

APPLICATION COMPONENT | ROLE IN THE ARCHITECTURE
Netskope Tenant | Stores metadata of Application Events, Page Events, Anomalies, Compromised Credentials, DLP incidents and Alerts
Splunk Servers | Splunk servers connect to the Netskope Tenant to download events from Netskope via the REST API
Splunk Admin Desktop | Connects to the Splunk UI to view Netskope events

SPLUNK NETSKOPE INPUT | SETTINGS
Modular Input Name | Netskope
Tokens | (Get token from tenant under Settings > Tools > REST API)
Hostname | <enter tenant url>
Query | -
Event Types | Connection ✘, Alert ✘, Audit ✘, Application ✘, Clients ✘
Limit | 5000
Interval (s) | 60
Index | -
Proxy Name | -

Netskope REST APIs use an authentication token to make authorized calls to the API. Netskope REST APIs provide access to resources via the URI paths shown in the table below. The token must be used in every REST API call for the tenant. For each tenant, a separate token must be generated in the respective Netskope tenant UI by going to Settings > Tools > REST API. The same menu can be used to revoke the token.

The table below lists the API endpoints that will initially be used to retrieve data from the Netskope tenant.

REST API SETTING (GET TOKEN FROM TENANT UNDER SETTINGS > TOOLS > REST API)

Events
Application events | https://<enter tenant url>/api/v1/events?type=application&token=<enter token>&timeperiod=<enter time period>
Page events | https://<enter tenant url>/api/v1/events?type=page&token=<enter token>&timeperiod=<enter time period>
Audit events | https://<enter tenant url>/api/v1/events?type=audit&token=<enter token>&timeperiod=<enter time period>

Alerts
Anomalies | https://<enter tenant url>/api/v1/alerts?type=anomaly&token=<enter token>&timeperiod=<enter time period>
DLP | https://<enter tenant url>/api/v1/alerts?type=dlp&token=<enter token>&timeperiod=<enter time period>
Malware | https://<enter tenant url>/api/v1/alerts?type=malware&token=<enter token>&timeperiod=<enter time period>
Policy | https://<enter tenant url>/api/v1/alerts?type=policy&token=<enter token>&timeperiod=<enter time period>

Clients
Client Status | https://<enter tenant url>/api/v1/clients?token=<enter token>&timeperiod=<enter time period>
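A SIEM collector that walks these endpoints needs to page through results (the Splunk input above uses a limit of 5000) and must avoid writing the token into its own logs, since the token is carried in the query string. The following is an added example, not Netskope's or the Splunk app's code: the URL layout is taken from the table above, while the skip/limit paging parameters and the status/msg/data response envelope are assumptions about the v1 API. The fetch function is injectable so the paging logic can be exercised offline against constructed responses; the tenant name and token in the demo are placeholders.

```python
"""Collector for the v1 endpoints listed above (5.4). Added example, not
Netskope's or the Splunk app's code. URL layout follows the table; the
skip/limit paging parameters and the status/msg/data envelope are assumptions
about the v1 API. ``fetch`` is injectable for offline use."""
import json
import re
import urllib.parse
import urllib.request

# endpoint kind -> (path, permitted ?type= values as listed on this page)
ENDPOINTS = {
    "events": ("/api/v1/events", {"application", "page", "audit", "connection"}),
    "alerts": ("/api/v1/alerts", {"anomaly", "dlp", "malware", "policy"}),
    "clients": ("/api/v1/clients", set()),
}


def build_url(tenant, kind, token, timeperiod, type_=None, limit=5000, skip=0):
    """Assembles a URL in the shape of the table above, plus paging parameters."""
    path, allowed = ENDPOINTS[kind]
    if type_ is not None and type_ not in allowed:
        raise ValueError(f"unsupported type {type_!r} for {kind}")
    params = {} if type_ is None else {"type": type_}
    params.update({"token": token, "timeperiod": timeperiod, "limit": limit, "skip": skip})
    return f"https://{tenant}{path}?{urllib.parse.urlencode(params)}"


def redact_token(url):
    """The token rides in the query string, so log URLs only through this."""
    return re.sub(r"token=[^&]+", "token=<redacted>", url)


def http_get_json(url):
    """Default fetcher (uses the network); offline tests replace it with a fake."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def fetch_all(tenant, kind, token, timeperiod, type_=None, limit=5000, fetch=http_get_json):
    """Walks one endpoint page by page until a short page; returns all records."""
    records, skip = [], 0
    while True:
        url = build_url(tenant, kind, token, timeperiod, type_, limit, skip)
        body = fetch(url)
        if body.get("status") != "success":
            # error text carries the redacted URL, never the raw one
            raise RuntimeError(f"{redact_token(url)}: {body.get('msg', 'unknown error')}")
        page = body.get("data") or []
        records.extend(page)
        if len(page) < limit:
            return records
        skip += limit


if __name__ == "__main__":
    # Constructed offline demo: two pages of fake application events
    def fake_fetch(url):
        data = [{"id": 0}, {"id": 1}] if "skip=0" in url else [{"id": 2}]
        return {"status": "success", "msg": "", "data": data}

    rows = fetch_all("example-tenant.goskope.com", "events", "TOKEN-PLACEHOLDER",
                     "86400", "application", limit=2, fetch=fake_fetch)
    print(len(rows), "records")   # 3 records
```

The collector stops on the first page shorter than the limit, so a tenant returning exactly a multiple of the limit costs one extra empty request; that is preferable to an off-by-one that silently drops the last page of alerts.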

5.5 Netskope Policies

When you have visibility into the activities performed by users on cloud apps and websites, the next step is to define policies to enforce your business rules. Policies allow you to enforce an action (like alert or block) based on the cloud apps, cloud app categories, website categories, users and groups, app activity, and so on. In addition, you can define data loss prevention (DLP) and threat protection profiles to prevent leaks and exposure of sensitive and critical data.

There are 4 types of policies that can be applied to SaaS, IaaS and Web traffic.

- API-enabled Protection policies: API-enabled Protection policies detect violations on files, messages, attachments, and more in near real-time.
- Real-time Protection policies: Real-time Protection policies detect violations by inspecting traffic in real-time.
- Behavior Analytics policies: User and entity behavior analytics (UEBA) detect anomalies in real-time and API-enabled protection. It also detects unusual and excessive data movement, insider threats, or compromised credentials.
- Security Assessment policies: Security Assessment policies assess and analyze the posture of AWS, Azure, or GCP resources.

5.5.1 API-enabled Protection Policies

API policies consist of the following elements:

- Application. Defines the Cloud App and Instance.
- Users and groups. Select the users and groups to which the policy applies. Users and groups that participate in the policies are users and groups (including nested groups) synced by Directory Importer, manually created users, or users manually imported from file.
- Content. Specify which files, objects, records etc. trigger a policy violation and the type of data, i.e. fields, attachments.
- Activity. Specifies the file activity performed by the user, i.e. share, upload, edit etc.
- DLP. Select a DLP profile such as PCI, PII, custom defined etc.
- Action. See below for the list of possible actions.
- Notification. Specify who to notify about a policy violation, and when.
- Set Policy. Sets the policy name and description.
- Retroactive scan. This feature enables scanning of existing content (on demand) in SaaS application instances.

The possible actions in API policies are:

- Alerts. Generates alerts on the SkopeIT > Alerts page when a policy matches.
- Change Ownership. Designates the administrative owner of files and folders to which the policy is applied.
- Encrypt. Encrypts a file if it matches the policy criteria and encryption is enabled in the licence.
- Quarantine. Quarantines a file if a user uploads a document that has a DLP violation.
- Legal Hold. Preserves all forms of relevant information when litigation is reasonably anticipated. A copy of the file can be saved for legal purposes if it matches the policy criteria.
- Forensic. Applies a forensic profile that flags policy violations and then stores the file in a forensic folder.
- Azure Rights Management: Azure Rights Management Services (RMS) is a cloud-based service which uses encryption, identity, and authorization policies to secure Microsoft files (Word, Excel, PowerPoint, and more). The RMS action applies an RMS template to a Microsoft Office file uploaded to OneDrive or SharePoint.
- Vera: Netskope integrates with Information Rights Management (IRM) systems such as Vera to protect sensitive information from being shared with unauthorized users through cloud applications.
- Microsoft Information Protection (MIP): Netskope integrates with Information Rights Management (IRM) systems such as MIP to protect sensitive information from being shared with unauthorized users through cloud applications.
- Expire Externally Shared Links: Sets an expiration in days for files with publicly shared links.
- Restrict Access: Depending on the app, there are various options available to restrict a publicly or externally shared file:
  - Restrict Access to Owner
  - Restrict Access to Internal User
  - Restrict Access - Remove Individual Users
  - Restrict Access to Specific Domain
  - Restrict Access - Remove Public Links
  - Restrict Access - Remove Organisation Wide Link
  - Restrict Collaborators to View-only Permission
  - Restrict Access – Allow list of External Domains
  - Restrict Access - Blocklist
  - Restrict Collaborators - Disable Print and Download from External Domains

5.5.2 Real-time Protection Policies

Real-time policies apply to the cloud apps and web traffic that is steered via the Netskope Cloud Security Platform.

Inline policies have the following 4 main categories:

- Source: This element defines the subject to whom the policy applies. Users and groups that were provisioned into the Netskope Tenant can be selected in the policy. When a user is added to a synchronised AD group that is referenced by a real-time policy, the policy is enforced for that user as for the other members of the group.
- Destination: The SaaS cloud app (or group of SaaS cloud apps) to which the policy applies.
  - Types:
    - Cloud App is used to identify an individual cloud application (all instances), for example Google Drive, MS OneDrive etc.
    - Category is used to identify cloud applications of a certain type, for example Cloud Storage, Webmail etc.
    - App Instance is used to identify a particular instance of the same service, for example the corporate instance of MS OneDrive, and distinguish it from any other non-corporate managed instances.
    - Any Web Traffic is all traffic destined to cloud applications.
  - Destination Activities are the actions that a user can perform in a cloud application, such as Browse, Download, Upload, Share etc. Those activities can be further filtered by applying constraints, for example the Share action can be constrained to users from certain email addresses.
  - Criteria: Criteria are metadata attributes associated with the cloud applications in scope that can be used to further filter the selected cloud services:
    - Cloud Confidence Index (CCI), i.e. Poor, Low, Medium, High, Excellent etc.
    - App Tag. App Tags can be added to an individual application in the CCI menu.
    - Destination Country, i.e. allow or disallow services hosted in certain countries.
- Profile and Action: The action that is enforced when the conditions are matched. Action items vary for different Activities and can be Alert, Allow, Block, User Alert etc.
  - Profiles:
    - Data Loss Prevention Profile – either pre-defined to meet regulatory or other common requirements (PCI, PII, etc.), or custom defined based on regex patterns.
    - Threat Protection Profile – either the malware scan profile (default), or custom defined.
- Policy Name: Free text descriptor for the policy. It is recommended to name the policies as per the following convention: <Action>-<Activity>-<Profile>-<App/App Category/Instance>-<User or Group>-<Misc>, for example Block-Upload-DLP-PCI-Cloud Storage Unmanaged-Finance

5.5.2.1 Inline Cloud App and Web Policies

Netskope inline policies are evaluated sequentially, in order from top to bottom, to find a match and apply the required action. Netskope's CASB and Web solution best practices are as follows:

- Risk prevention-oriented policies (Threat Protection and DLP related policies used to prevent risky activities) should be implemented at the top of the inline policies.
- Cloud App (activity oriented) policies should precede Web/Secure Web Gateway, SWG (access oriented) policies.
- Policies should be implemented from more specific to less specific.
Below is the list of policies for the NS Client deployment for O365 and Web:

No. | Rule Name | Source | Destination | Activity | Profile | Action
1 | Threat - Block Malware | Any | All Categories | Upload / Download | Default Malware Scan | High,Medium,Low Block
2 | Web - Allow List URLs | Any | <specific urls> | Any | None | Allow
3 | Web - Block List URLs | Any | <specific urls> | Any | None | Block
4 | CASB - Allow O365: Protected | Any | Microsoft Office 365 OneDrive for Business:Protected, Microsoft Office 365 SharePointOnline:Protected | Any | None | Allow
5 | CASB - Block O365 | Any | Microsoft Office 365 OneDrive for Business, Microsoft Office 365 SharePointOnline | Any | None | Block
6 | CASB - Alert O365: Protected Govteams | Any | Microsoft Teams:govteams | Post | DLP-Protected | Alert
7 | CASB - Block MS Teams | Any | Microsoft Teams | Post | DLP-Protected | Block
8 | Web – Block Downloads Uncategorized Sites | Any | Uncategorized | Downloads | Executables | Block
9 | Web – Block Uploads Uncategorized Sites | Any | Uncategorized | Uploads | None | Block
10 | Web - Block Risky Sites | Any | Security Risky Categories | Any | None | Block
11 | Web – Block Prohibited Sites | Any | Prohibited categories | Any | None | Block
12 | Web – Silent Block Online Ads | Any | All Categories | Browse | None | Silent Block
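Because inline policies are evaluated top to bottom with first match winning, the order above can be checked by replaying sample events against it before the rules are published. The following is an added example and not Netskope's policy engine: the 12 rules are transcribed from the table (activities normalised to Upload/Download), while the matching semantics (first match wins; a listed profile must have matched the content; no match means allow) and the sample events are this example's own assumptions.

```python
"""First-match walk over the inline policy table above (5.5.2.1). Added
example, not Netskope's policy engine; the matching semantics and sample
events are assumptions, the rules are transcribed from the table."""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    no: int
    name: str
    destinations: Tuple[str, ...]   # app, app:instance or category names
    activities: Tuple[str, ...]     # activity names, or (ANY,)
    profile: Optional[str]          # DLP / threat profile that must have matched
    action: str


RULES = [
    Rule(1, "Threat - Block Malware", ("All Categories",), ("Upload", "Download"),
         "Default Malware Scan", "Block"),
    Rule(2, "Web - Allow List URLs", ("<specific urls>",), (ANY,), None, "Allow"),
    Rule(3, "Web - Block List URLs", ("<specific urls>",), (ANY,), None, "Block"),
    Rule(4, "CASB - Allow O365: Protected",
         ("Microsoft Office 365 OneDrive for Business:Protected",
          "Microsoft Office 365 SharePointOnline:Protected"), (ANY,), None, "Allow"),
    Rule(5, "CASB - Block O365",
         ("Microsoft Office 365 OneDrive for Business",
          "Microsoft Office 365 SharePointOnline"), (ANY,), None, "Block"),
    Rule(6, "CASB - Alert O365: Protected Govteams", ("Microsoft Teams:govteams",),
         ("Post",), "DLP-Protected", "Alert"),
    Rule(7, "CASB - Block MS Teams", ("Microsoft Teams",), ("Post",), "DLP-Protected", "Block"),
    Rule(8, "Web - Block Downloads Uncategorized Sites", ("Uncategorized",), ("Download",),
         "Executables", "Block"),
    Rule(9, "Web - Block Uploads Uncategorized Sites", ("Uncategorized",), ("Upload",), None, "Block"),
    Rule(10, "Web - Block Risky Sites", ("Security Risky Categories",), (ANY,), None, "Block"),
    Rule(11, "Web - Block Prohibited Sites", ("Prohibited categories",), (ANY,), None, "Block"),
    Rule(12, "Web - Silent Block Online Ads", ("All Categories",), ("Browse",), None, "Silent Block"),
]


@dataclass
class Event:
    """One steered activity (constructed shape, not a Netskope event record)."""
    app: str                            # e.g. "Microsoft Teams"
    category: str                       # e.g. "Uncategorized"
    activity: str                       # "Upload", "Download", "Post", "Browse"
    instance: Optional[str] = None      # e.g. "Protected" or "govteams"
    profiles: frozenset = frozenset()   # DLP / threat profiles the content matched


def _destination_matches(rule: Rule, ev: Event) -> bool:
    names = {ev.app, ev.category}
    if ev.instance:
        names.add(f"{ev.app}:{ev.instance}")   # app instance policies (5.5.2)
    return any(d in (ANY, "All Categories") or d in names for d in rule.destinations)


def evaluate(ev: Event, rules=RULES) -> Tuple[Optional[int], str]:
    """Returns (rule number, action) of the first match, or (None, 'Allow')."""
    for rule in rules:
        if not _destination_matches(rule, ev):
            continue
        if ANY not in rule.activities and ev.activity not in rule.activities:
            continue
        if rule.profile is not None and rule.profile not in ev.profiles:
            continue
        return rule.no, rule.action
    return None, "Allow"   # assumption: no matching rule falls through to allow


if __name__ == "__main__":
    samples = [
        Event("Microsoft Office 365 OneDrive for Business", "Cloud Storage", "Upload", "Protected"),
        Event("Microsoft Office 365 OneDrive for Business", "Cloud Storage", "Upload"),
        Event("Microsoft Teams", "Collaboration", "Post", "govteams", frozenset({"DLP-Protected"})),
        Event("unknown-site", "Uncategorized", "Download", None, frozenset({"Executables"})),
    ]
    for ev in samples:
        print(ev.activity, ev.app, "->", evaluate(ev))
```

Replaying events this way also surfaces transcription problems: as written in the table, rule 12 has All Categories as its destination, so the evaluator returns Silent Block for a Browse to any category, not only to online-ad sites. That is worth confirming against the tenant before the policy set is published.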

Below is a list of Web and Cloud App categories that are allowed/blocked:

NUMBER | CATEGORY NAME | DEFINITION | BLOCK/ALLOW
APP-CAT-01 | App Admin Console | App Admin Console is a collection of apps for which the Netskope NACE can detect administrative actions performed by the app's administrator. | Allow
APP-CAT-02 | Application Suite | Application Suite indicates that applications listed under this category have multiple products from their respective companies in various other categories. | Allow
APP-CAT-03 | Business Intelligence and Data Analytics | Business Intelligence applications provide insights to decision makers by aggregating operational data from multiple sources. Typical features include: text and data mining, trend indicators, predictive analytics, benchmarking tools, business and financial analytics, business performance management, etc. | Allow
APP-CAT-04 | Business Process Management | Business Process Management applications enable companies to design, implement, and track workflows for various organizational functions. BPM applications also help analyze process efficiency through various metrics in order to enable users to fine-tune or change processes. Features include: PLM, CPQ, Q2C, compliance, business process associated with legal like docket management, and process around travel (not travel sites), etc. | Allow
APP-CAT-05 | Cloud Backup | Cloud Backup applications address both enterprise and consumer backup needs for storing peripheral and server data in the cloud to prevent data loss in case of disk failures, data corruption, or disasters. Backup vendors do not provide features that allow content collaboration. Their features are less about the UI and more about the accuracy, frequency, and reliability of backup and restore. | Allow
APP-CAT-06 | Cloud Storage | Cloud Storage applications are used both by enterprises and consumers for storing all types of data and file formats. Pricing is typically a function of capacity utilized or reserved. Cloud storage applications typically provide capabilities like sync (with a native client such as on a desktop, laptop, or mobile device). Also, some cloud storage applications provide basic social features like sharing via popular social networks. Cloud storage vendors targeting enterprise customers provide additional security capabilities such as encryption of data-at-rest. | Allow
APP-CAT-07 | Collaboration | Collaboration applications enable teams to create, share, and manage content, plus meet online via audio/video towards a common goal such as a project. Collaboration features include change tracking of documents, project management capabilities, common storage space, roles and access management, etc. | Allow
APP-CAT-08 | Consumer | Consumer applications are built for individuals for personal use such as fitness management, personal effectiveness, etc. Applications in this category are categorized by the lack of any serious data security or business continuity features that would make them suitable for enterprise use. | Allow
APP-CAT-09 | Content Management | Content Management applications are built to enable organizations to build, publish, and manage web content in a collaborative environment. Features include blog publishing, version control, content replication, web-based form building capabilities, etc. | Allow
APP-CAT-10 | Customer Relationship Management | Customer Relationship Management (CRM) and SFA applications provide a wide variety of features for customer relationship management and salesforce automation. Features include contact management, lead management, website live chat, etc. | Allow
APP-CAT-11 | Development Tools | Software development applications in the cloud enable teams to work together by providing code repositories, review boards, branch management functions, bug tracking, flowcharts, and UI mockups. They reduce complexity and boost productivity by maintaining the version control infrastructure and tools required to develop software. | Allow

<CUSTOMER> – NETSKOPE CLOUD SECURITY PLATFORM DESIGN 45


APP-CAT-12 Ecommerce Tools Ecommerce applications enable sellers of goods and services to create an online store. Allow
Typical features include: store design, electronic shopping cart, payment processing
related to ecommerce, product review forums, and sales data analysis.

APP-CAT-13 Education Education applications are targeted at school and college administrators and enable the Allow
automation of administrative tasks such as admissions, course content maintenance,
grading, fee details, etc.

APP-CAT-14 Enterprise Resource Enterprise Resource Planning (ERP) applications cover a broad range of enterprise Allow
Planning functions. ERP applications aim to integrate data from multiple functions and/or include
features like procurement, inventory management, supply chain, manufacturing, service
delivery, etc.

APP-CAT-15 Finance/Accounting The Finance/Accounting category covers applications that cover functions like fund Allow
management, accounting, enterprise expense management, budgeting and tracking, etc.
APP-CAT-16 Forums Community site services are cloud-based applications that enable companies, non- Allow
profits, and civic communities to create forums and online communities.
APP-CAT-17 General General is a placeholder for Netskope's internal functions to enable the Netskope Allow
Universal Connector.Applications are not placed in this category.
APP-CAT-18 Help Desk Help Desk Management applications are intended for enterprises that serve existing Allow
Management customers via online portals. They offer customers the ability to design support
workflows, open tickets, build a knowledge base, create FAQs, define escalation rules,
etc.
APP-CAT-19 HR Human Resource applications offer features that enable HR professionals and people Allow
managers to perform administrative functions like recruiting, keeping employee records,
managing benefits, etc.

APP-CAT-20 IaaS/PaaS IasS and PaaS includes application hosting providers, platform-as-a-service, virtual Allow
machine, and bare metal services.
APP-CAT-21 Identity Access Identity Access Management applications provide features such as single sign-on (SSO), Allow
Management password management, multifactor authentication, etc. They enable enterprises to
manage a unified list of users across multiple applications.

APP-CAT-22 IT Service/Application IT service management and application management includes IT operations, app Allow
Management deployment, license management, app management, app maintenance and upgrading,
and app scenario testing.

<CUSTOMER> – NETSKOPE CLOUD SECURITY PLATFORM DESIGN 46


APP-CAT-23 Knowledge Knowledge Management applications, also referred to as learning management systems Allow
Management (LMS), are used by enterprises to create training programs, track employee participation,
manage skill-based incentives, etc.

APP-CAT-24 Logistics Logistics and transportation applications enable enterprises to automate the processes Allow
that move people and goods. They provide features such as label printing, order tracking,
vehicle tracking, route optimization, driver payment, etc.

APP-CAT-25 Marketing Marketing applications in the cloud cover a wide variety of marketing functions like Allow
marketing analytics, brand management, email marketing, social media management,
campaign management, and SEO tools.

APP-CAT-26 Security Security applications in the cloud provide services such as encryption and anti-virus Allow
protection.
APP-CAT-27 Social Social networking applications allow users in their capacity as individuals or employees to Allow
connect with friends, colleagues and others with a shared interest. Such connections
enable users to receive updates from others in their network.

APP-CAT-28 Survey Solutions Survey Solutions collect data from users based on a predefined question set. Features Allow
include: target audience selection, branching and skip logic, analytics and visualization
tools, and multi-language support.

APP-CAT-29 Telecom and Call Telecom applications use the VoIP protocol to enable telephone connectivity in inter- Allow
Center office and intra-office environments. Vendors create virtual PBX in their data centers to
handle multiple customers. Call Center applications provide enterprises with the features
and tools to automate the process of receiving and responding to customer phone calls.
Features include: call tracking, monitoring, multimedia recording, employee evaluation of
call handling capabilities through automated feedback, multi-site routing, voice
recognition, etc.

APP-CAT-30 Web Analytics Web Analytics applications are used to track website usage and aid in web design Allow
decisions. Features include: click analysis, conversion tracking, A/B testing, behavioral
data like clickstreams, time spent per page, exit points, etc.

APP-CAT-31 Web Design Web design services offer custom design and templates for web sites on a subscription Allow
basis.

<CUSTOMER> – NETSKOPE CLOUD SECURITY PLATFORM DESIGN 47


APP-CAT-32 Web Web proxies and anonymizers are services that allow users to hide their identity, IP Block
Proxies/Anonymizers address, and location when they browse the web. Unlike apps in other categories, which
might have a justification for being used in the enterprise, proxies and anonymizers pose
a security and legal risk to the organization and should be blocked. Netskope's Cloud
Confidence Index (CCI) does not apply to these apps.

APP-CAT-33 Webmail Webmail covers consumer email and hosted enterprise email services. Block
WEB-CAT-01 Abortion Sites that discuss abortion from a historical, medical, legal, or other not overtly biased Allow
point of view. Examples are abortion pill, pregnancy termination, fetal abortion etc.
WEB-CAT-02 Adult Content - Other Sites with adult content ( Sex, Nudity, Gambling,Gay, Lesbian or Bisexual,Violence ) are Block
categorized under this category.
WEB-CAT-03 Adult Content - Pornography sites are the ones which allow portrayal of sexual subject matter. Block
Pornography
WEB-CAT-04 Advocacy Groups & Industry trade groups, lobbyists, unions, special interest groups, professional Allow
Trade Associations organizations and other associations comprised of members with common goals. These
organizations typically use public relations campaigns, advertising, political donations,
and/ or lobbying to achieve those goals. Also includes groups formed to achieve
standardization and collaboration between companies in a particular industry. Examples
are lawyers association, lobby group, human rights group etc.

WEB-CAT-05 Aggressive Sites that do not fall to any specific category under Aggressive belong to this category. Block
Also includes web pages that have three or more aggressive categories should be under
this category.

WEB-CAT-06 Alcohol Sites that show alcoholic drinks (cocktails), beers and wine. Examples are whiskey, Block
vodka, merlot, ale, etc.
WEB-CAT-07 Arts Sites that contain creative art judged solely for its intellectual or aesthetic components. Allow
Cannot be combined with any other category under Arts group. For two Arts categories,
use Arts-Other.

WEB-CAT-08 Auctions & Person to person selling or trading of goods and services through classifieds, online Allow
Marketplaces auctions, or other means not including traditional online business-to-consumer models.
Excludes buying and selling of vehicles which falls under Automotive - Buying/Selling
Cars and real estate homes and properties which belong to Real Estate - Buying/Selling.
Examples are online classifieds, swap, trade etc.

<CUSTOMER> – NETSKOPE CLOUD SECURITY PLATFORM DESIGN 48


WEB-CAT-09 Automotive Sites that do not fall to any specific category under Automotive belong to this category. Allow
Also includes web pages that have three or more Automotive categories should be under
this category.

WEB-CAT-10 Business Sites that do not fall to any specific category under Business belong to this category. Also Allow
includes web pages that three or more categories should be under this category.
Examples are airport parking, funeral homes, florists etc.

WEB-CAT-11 Chat, IM, & other Sites with real-time chat rooms and messaging allowing strangers and friends to chat in Allow
communication groups both in public and private chats. Includes Internet Relay Chat (IRC). Examples are
chat room, group chat, IRC etc.

WEB-CAT-12 Child Abuse Discovery of any such sites should also be reported by email to a supervisor or manager Block
for passing on to law enforcement. Web pages that show the physical or sexual abuse of
children. Cannot be combined with any other Criminal Activities categories. Examples are
kiddie porn, pedophilia, child abuse, Pre-Teen Hard Core, etc.

WEB-CAT-13 Content Server Web servers without any navigable web pages typically used to host images and other Allow
media files with the purpose of improving web page performance and site scalability.
Includes businesses that provide content servers and content delivery networks such as
Akamai. Examples are web application acceleration, media server etc. Sample web
pages are img0.tuita.cc, img01-otodom.sogastatic.pl, pics.taobaocdn.com etc.

WEB-CAT-14 Criminal Activities Sites that do not fall to any specific category under Criminal Activities belong to this Block
category. Also includes web pages that have three or more Criminal Activities categories
should be under this category.

WEB-CAT-15 Dating Online dating, matchmaking, relationship advice, personal ads and web pages related to Allow
marriage (not weddings). Examples are dating advice, blind date, etc.
WEB-CAT-16 Drugs Sites that in any way endorse or glorify commonly illegal drugs, the misuse of prescription Block
drugs, the misuse of inhalants, or any positive references to the culture of drug use
whether specific drugs are mentioned or not. Includes sites giving non-clinical
descriptions or stories about being high as well as blogs and other posts about getting
high. crack, heroine, morphine, etc.

WEB-CAT-17 Dynamic DNS DomainDynamic DNS Domain sites provide a method of automatically updating a name server in Allow
the Domain Name System (DNS), often in real time, with the active DDNS configuration
of its configured hostnames, addresses or other information.

<CUSTOMER> – NETSKOPE CLOUD SECURITY PLATFORM DESIGN 49


WEB-CAT-18 Entertainment Company manufacturers and web pages which provide electronics for entertainment suchAllow
as television, CD players, DVD players, etc.
WEB-CAT-19 Family & Parenting Sites that do not fall to any specific category under Family & Parenting belong to this Allow
category. Also includes web pages that have two or more categories should be under this
category.

WEB-CAT-20 Fashion Sites that discuss additional fashion elements such as fashion models, agencies and Allow
others. Examples are modeling agency, fashion modeling, etc.
WEB-CAT-21 File Repositories Sites with collections of downloadable software and applications, various of types of files, Allow
etc. Includes repositories of screen savers, wallpapers, web templates, ringtones, and
any site with a collection of files. Excludes downloads of themes which falls to Hobbies-
Themes. Can be paired with Piracy & Copyright Theft if it involves non-licensed
downloads like web templates, file collections, etc.

WEB-CAT-22 File & Software Computer users need different software to meet different needs all the time. This is where Allow
Download Sites the software download websites are helpful. They not only host the software on their own
servers, so that its available for download 24/7, but also categorize them properly so that
its easy for users to explore and find the software they are looking for.

WEB-CAT-23 Financial Aid & Sites that assist to debit loans, credit loans in case of job loss or unemployment. It is also Allow
Scholarships an unemployment benefit in some countries. Other forms of assistance for which
unemployed people might qualify include food stamps, medicaid, assistance with utility
bills, assistance with rent and assistance paying for job training. This category also
include web pages that show relevant information on scholarships or grants for the
jobless, laid-off workers or low-income employees, which can either be a partial or a full
coverage.
WEB-CAT-24 Food & Drink Sites that do not fall to any specific category under Food &amp; Drink belong to this Allow
category. Also includes web pages that have three or more Food & Drink categories
should under this category.

WEB-CAT-25 Gambling Games that involve the winning or losing of money based on strategy and chance. Block
Includes information, tips, strategies, and rules for gambling games. Examples are
bookie, betting, lotto, etc.

WEB-CAT-26 Games Sites for all games and sports. Examples are Board Games, Roleplaying Games, Video & Allow
Computer Games.

<CUSTOMER> – NETSKOPE CLOUD SECURITY PLATFORM DESIGN 50


WEB-CAT-27 Government & Legal Legal entities made by the government to manage commercial activities on its behalf. Allow
Generally, these includes enterprises or corporations owned by the government but run
by private individuals. This also includes web pages that tackle issues and laws on legal
aspects.

WEB-CAT-28 Health & Nutrition Sites that discuss information, tips, guide and others related to health and wellness, plus Allow
eating healthy and diet plans.
WEB-CAT-29 Hobbies & Interests Sites that do not fall to any specific category under Hobbies & Interests belong to this Allow
category. Also includes web pages that have three or more Hobbies & Interests
categories should be under this category. Examples are indoor hobby, outdoor hobby,
competition hobby, observation hobby, paper modeling, tapestry, origami, etc.

WEB-CAT-30 Home & Garden Sites that do not fall to any specific category belong to this category. Also includes web Allow
pages that have three or more Home & Garden categories should be under this category.
Example is home cleaning (tips).

WEB-CAT-31 Insurance Covers any type of insurance, insurance company, or government insurance program Allow
from medicare to car insurance to life insurance. Examples are accident insurance, travel
insurance, life insurance, etc.

WEB-CAT-32 Internet Telephony Sites that allow users to make calls via the web or to download software that allows users Allow
to make calls over the Internet. Also called Internet Telephony and Voice Over IP.
Examples are IP voice, skype, VOIP system, Viber, etc.

WEB-CAT-33 Investors & Patents Sites that include investing on startup inventions made by hobbyists. It also can be Allow
related to kickstart which refers to funding of new creative projects all of sorts. Once
investing of funds are done, patents follow. Can be combined with other categories under
Hobbies. Examples are kickstart, crowd funding, patents on inventions, patent, patent
registration, patented invention etc.

WEB-CAT-34 Job Search & Careers Job posting pages on company websites, job search sites, interview tips, job-related Allow
classifieds, temp work, contract work asked or offered, etc. This also includes web pages
that show information, tips or guide on career advice; sites that provide information or
step by step process and analysis on how to achieve good career plans; web pages that
show places and/or events full of job hunters and seekers; and sites that do not fall to any
specific category under Careers belong to this category. This also includes web pages
that have three or more Careers categories.

WEB-CAT-35 Kids Sites that do not fall to any specific category under Kids belong to this category. Also Allow

<CUSTOMER> – NETSKOPE CLOUD SECURITY PLATFORM DESIGN 51


includes web pages that have three or more Kids categories should be under this
category.
WEB-CAT-36 Lifestyle Sites that do not fall to any specific category under Lifestyle belong to this category. Also Allow
includes web pages that have three or more Lifestyle categories should be under this
category.

WEB-CAT-37 Login Screens Web pages that are used to login to a wide variety of services where the actual service is Allow
unknown, but could be any of several categories (like Yahoo and Google login pages).
WEB-CAT-38 Marijuana Sites that promote or sell marijuana products. No longer combined with drugs as it is legalBlock
in many states.
WEB-CAT-39 Military Sites sponsored by or devoted to the armed forces. This typically refers to the ownership Allow
and/or funding of the web page in a similar way to Government Sponsored, however,
private companies, non-profits, and newspapers that are 100% or nearly 100% dedicated
to the armed forces should also be categorized as Military in addition to any other
applicable categories. Examples are Air Force, Marines, Navy, etc.

WEB-CAT-40 Miscellaneous Sites that do not fit anywhere else. Allow


WEB-CAT-41 Newly Registered All the newly registered domains in the last 14 days are placed under this category. Alert
Domain
WEB-CAT-42 News & Media Media sites are software that can be used to create, edit and play games, videos and Allow
animations. News providing sites also come under this category.
WEB-CAT-43 Nursing Job vacancies, job descriptions and other related information significant for the science of Allow
Nursing. Examples are nursing jobs, nursing hirings, etc.
WEB-CAT-44 Online Ads Sites that do not fall to any specific category under Online Ads belong to this category. Block
Examples are online advertising, pay per click (PPC), cost per click (CPC), etc.
WEB-CAT-45 Parked Domains People can purchase domains and never put any content on them. These domains are Block
typically used to generate revenue by hosting advertisements themed to coincide with the
name of the domain or previous use of the domain, or these domains are for sale. Can be
combined with a specific category applicable except Manufacturing, Business-Other,
Login Screens, No Content Found and Unreachable. Examples are parked domain, for
sale call domain owner etc.

<CUSTOMER> – NETSKOPE CLOUD SECURITY PLATFORM DESIGN 52


WEB-CAT-46 Pay to Surf Sites that offer cash to users who install their software which displays ads and tracks Block
browsing habits effectively allowing users to be paid while surfing the web. Extremely
popular for awhile, there are few Pay To Surf sites left. Examples are make money by
surf, paid to surf, surf and earn, etc.

WEB-CAT-47 Peer-to-Peer (P2P) Sites that provide peer-to-peer (P2P) file sharing software. Note that this does not apply Block
to online repositories of files for download over P2P, but only to the P2P software itself
and any company that provides that software. Examples are emule fileswire, file sharing
software, frostwire, etc.

WEB-CAT-48 Personal Sites & Blogs are a format for individuals to share news, opinions, and information about Allow
Blogs themselves in a date-stamped web log and they are inevitably written in the first-person.
Personal pages are web pages about an individual or that individuals family (also written
in the first-person). May be combined with other categories when the blog focuses mainly
on a single topic such as politics. These sites are typically written in the first person. This
category is incompatible with Community Forums and the social networking categories.
Examples are about me, blog, wordpress etc.

WEB-CAT-49 Pets Sites that do not fall to any specific category under Pets belong to this category. Also Allow
includes web pages that have three or more Pets categories should be under this
category.

WEB-CAT-50 Philanthropic Charities and other non-profit philanthropic organizations and foundations dedicated to Allow
Organizations altruistic activities intended to increase the quality of life for groups or individuals.
Excludes incest support and divorce support. Also includes web sites that rate and review
charities or act as conduits for online donations to selected charities. Examples are
charitable giving, fund raisers, disaster reliefs, etc.

WEB-CAT-51 Photo Sharing Sites that host digital photographs or allow users to upload, search, and exchange photos Allow
and images online. Also includes galleries or albums of photos hosted on businesses or
personal websites. Includes also online photo printing where photographs may be
uploaded and ordered as prints. Examples are photo album, photo gallery, photo sharing
etc.

<CUSTOMER> – NETSKOPE CLOUD SECURITY PLATFORM DESIGN 53


WEB-CAT-52 Piracy & Copyright Sites that provide access to illegally obtained files such as pirated software (aka warez), Block
Theft pirated movies, pirated music, etc. Also includes information or software available
specifically for the purpose of using or stealing protected copyrighted materials without
paying for them, for example, lists of software serial numbers, cracks,rippers etc. This
category is typically used in conjunction with another category such as File Repositories.
Examples are dvdrip, dvdz, illegal movies, etc.

WEB-CAT-53 Private IP Address Private IP addresses are those reserved for use internally in corporations or homes. Allow
Includes link-local self-assigned zero-conf addresses. Web Analysts should not use this
category. Examples are self-assigned IP, private IP, etc.

WEB-CAT-54 Professional Social networking sites intended for professionals and business relationship building. Allow
Networking These sites are generally more accepted in the workplace than standard social
networking websites. Examples are professional networking, professional networking
tools, etc.
WEB-CAT-55 Real Estate Sites that do not fall to any specific category under Real Estate belong to this category. Allow
Also includes web pages that have three or more Real Estate should be under this
category.

WEB-CAT-56 Religion Sites that do not fall to any specific category under Religion belong to this category. Also Allow
includes web pages that have three or more Religion categories should be under this
category.

WEB-CAT-57 Remote Access Sites that provide remote access to private computers or networks, internal network file Block
shares, and internal web applications. Examples are VPN, SSL, team viewer, etc.
WEB-CAT-58 Science Sites that do not fall to any specific category under Science belong to this category. Also Allow
includes web pages that have three or more Science categories should be under this
category.

WEB-CAT-59 Search Engines Sites primarily intended to search the Internet and find other web pages. Excludes Image Allow
Search and Engines under Shopping group. Includes also white pages, yellow pages,
and business search directories whether global or local. Examples are business listings,
find people, people finder etc.

WEB-CAT-60 Security Risk Sites security risks are pervasive and can pose a direct threat to business availability. A Block
risk management site is essential for managing vulnerabilities and other risks.
WEB-CAT-61 Security Risk - Ad Block
Fraud Sites that are a security risk because ad fraud detected.

<CUSTOMER> – NETSKOPE CLOUD SECURITY PLATFORM DESIGN 54


WEB-CAT-62 Security Risk - Attack Sites security risks are pervasive and can pose a direct threat to business availability. A Block
risk management site is essential for managing vulnerabilities and other risks.
WEB-CAT-63 Security Risk - Sites security risks are pervasive and can pose a direct threat to business availability. A Block
Botnets risk management site is essential for managing vulnerabilities and other risks.
WEB-CAT-64 Security Risk - Sites security risks are pervasive and can pose a direct threat to business availability. A Block
Command and Controlrisk management site is essential for managing vulnerabilities and other risks.
server
WEB-CAT-65 Security Risk - Sites security risks are pervasive and can pose a direct threat to business availability. A Block
Compromised/malicio risk management site is essential for managing vulnerabilities and other risks.
us sites
WEB-CAT-66 Security Risk - Sites security risks are pervasive and can pose a direct threat to business availability. A Block
Cryptocurrency Mining risk management site is essential for managing vulnerabilities and other risks.
WEB-CAT-67 Security Risk - DGA The domains that are generated algorithmically using a Domain Generation Algorithm. Block
These domains are used by DGA-based malware as their C2 channel and they aim to
hide the location of the active C2 server.

WEB-CAT-68 Security Risk - Sites security risks are pervasive and can pose a direct threat to business availability. A Block
Hacking risk management site is essential for managing vulnerabilities and other risks.
WEB-CAT-69 Security Risk - Sites security risks are pervasive and can pose a direct threat to business availability. A Block
Malware Call-Home risk management site is essential for managing vulnerabilities and other risks.
WEB-CAT-70 Security Risk - Sites security risks are pervasive and can pose a direct threat to business availability. A Block
Malware Distribution risk management site is essential for managing vulnerabilities and other risks.
Point
WEB-CAT-71 Security Risk - Sites security risks are pervasive and can pose a direct threat to business availability. A Block
Phishing/Fraud risk management site is essential for managing vulnerabilities and other risks.
WEB-CAT-72 Security Risk - Spam Sites security risks are pervasive and can pose a direct threat to business availability. A Block
sites risk management site is essential for managing vulnerabilities and other risks.
WEB-CAT-73 Security Risk - Sites security risks are pervasive and can pose a direct threat to business availability. A Block
Spyware & risk management site is essential for managing vulnerabilities and other risks.
Questionable
Software
WEB-CAT-74 Shareware & Sites that offer licensed download on software for evaluation, after which a fee will be Allow
Freeware requested for continued use. It also includes companies offering free use of their software
for life. Examples are free software downloads, trialwires, free trial software, demoware
etc.

<CUSTOMER> – NETSKOPE CLOUD SECURITY PLATFORM DESIGN 55


WEB-CAT-75 Shopping Sites that do not fall to any specific category under Shopping belong to this category. Allow
WEB-CAT-76 Social & Affiliation Clubs, social organizations, and groups that form around common interests where the Allow
Organizations primary purpose is to meet for social purposes or to meet people with common interests.
Clubs may be devoted to social activities, hobbies, religion, politics, etc. Excludes sports
clubs, teams and organizations. Examples are book club, scouts, sorority, etc.

WEB-CAT-77 Sports Sites that do not fall to any specific category under Sports belong to this category. Also Allow
includes web pages that have three or more Sports categories should be under this
category.

WEB-CAT-78 Streaming & Sites with repositories of music or that provide streaming music or other audio files that Allow
Downloadable Audio may pose a bandwidth risk to companies. Examples are internet radio, mp3 downloads,
shoutcasts, etc.

WEB-CAT-79 Streaming & Sites with repositories of videos or that provide in-browser streaming videos that may Allow
Downloadable Video pose a bandwidth risk to companies. Examples are flv, movie downloads, streaming
movies, etc.

WEB-CAT-80 Technology Sites that do not fall to any specific category under Technology belong to this category. Allow
Also includes web pages that have three or more Technology categories under this
category. Examples are design web templates, robotics, cloud computing software,
drones, etc.

WEB-CAT-81 Telecommuting Pages that depict working remotely. Employees do not need to commute to a central Allow
place of work. Examples are remote work, telework, home-based jobs, etc.
WEB-CAT-82 Tobacco Sites that promote or sell tobacco products such as cigarettes, cigars, shisha, and chew. Allow
Cannot be combined with any other category under Adult group.
WEB-CAT-83 Trading & Investing Sites assisting in investing, trading, stock and share dealing fall under this category. Allow
WEB-CAT-84 Translation Translate sites from one language to another. Examples are translator site, language Allow
translator, translator, online language translator, etc.
WEB-CAT-85 Travel Sites that do not fall to any specific category under Travel belong to this category. Also Allow
includes web pages that have three or more Travel categories should be under this
category. Examples are Uber, Lyft, GrabCar, public transportation, etc.

WEB-CAT-86 Unreachable/No Only use this category when the browser gives an error, such as Network Timeout. Allow
Content
WEB-CAT-87 Utilities Sites that include tips, information and guide to computer utilities such as disk backup, Allow
etc. Examples are disk performance, system utilities, PC performance tools, etc.

<CUSTOMER> – NETSKOPE CLOUD SECURITY PLATFORM DESIGN 56


WEB-CAT-88 Weapons Guns and weapons when not used in a violent manner such as descriptions, sport Allow
hunting, gun clubs, or paintball. Also includes other weapons like crossbows, knives, etc.
Examples are hand guns, crossbow, knives, rifles, etc.

WEB-CAT-89 Web Conferencing Sites that provide information, guide, and research on net conferencing. Examples are Allow
web conferencing, online meeting, video conference etc.
WEB-CAT-90 Web Hosting, ISP & Web hosting and blog hosting sites, Internet Service Providers (ISPs), and Allow
B2Telco telecommunications (phone) companies. Examples are ISP, internet access, cable
modem, etc.

<CUSTOMER> – NETSKOPE CLOUD SECURITY PLATFORM DESIGN 57


5.5.2.2 User Notifications

The Netskope Client will generate notifications in the form of popups when a policy violation is found.
There are two types of end-user notifications:

● Block notifications: make the user aware that the traffic is blocked.
● User Alert notifications: inform the end user that a potentially risky activity has been detected and allow the end user to proceed after typing a justification.

The look and feel of the notifications can be customized and the message can be used to coach the user
to use a sanctioned SaaS application or Internet website.

When a user does some activity that is against <customer>’s policy, the following will happen:

Block notifications – SaaS traffic: a Netskope client popup will appear just above the user’s system tray
notifying the user of the violation and the user will be redirected to the last page browsed in the SaaS
application right after the user click the notification button.

User Alert notifications – SaaS traffic: Should <customer> decides to use it, a Netskope client popup will
appear just above the user’s system tray notifying the user of the violation. The user will have the options
of stopping the action of typing a justification and proceeding. If the user decides to stop the action, the
user will be redirected to the last page browsed in the SaaS application.

The block and end-user notification templates can be configured in the Netskope WebUI’ section ‘Policies
> User Notification’.

6 Infrastructure Architecture
6.1 Netskope Directory Importer VM Specifications

The Netskope Directory Importer will be deployed on a 64-bit Windows server. The specifications for the VM are as follows:

Item | Specification
Processor | 2 cores
RAM | 4 GB
Disk | 100 GB (dynamic provisioning)
Network | 1 IP address required for network connectivity
Domain Joined | Yes
Location | <enter datacenter location>

6.1.1 Netskope Directory Importer Software Prerequisites

● 64-bit Windows machine running either Windows 7, Windows Server 2008 R2 or Windows Server 2012/2016
● Microsoft Visual C++ 2010 runtime: http://www.microsoft.com/en-us/download/details.aspx?id=14632
● Microsoft .NET Framework 4.6: https://www.microsoft.com/en-us/download/details.aspx?id=48130

6.1.2 Netskope Directory Importer Permissions

For the Netskope Directory Importer the following account and permissions are needed:

● Create an Active Directory Domain Service account: <enter service account>
● The machine running the Netskope AD Importer needs to be part of the domain (it does not need to run on the Domain Controller).
● <enter service account> also requires local admin privileges on the server hosting the Netskope AD Importer / Connector.

7 Network Architecture
7.1 Netskope Directory Importer Firewall Rules

SOURCE | DESTINATION | PORT | DIRECTION | DESCRIPTION
<enter hostname> | <Get value from Tenant > Settings > Tools > Directory Tools> | 443 | Outbound | For uploading AD attributes to the Netskope Tenant

7.2 Real-time Protection - Netskope Client

SOURCE | DESTINATION | PORT | DIRECTION | DESCRIPTION
User devices | gateway-<tenantname> (163.116.192.0/24, 163.116.198.0/24) | 443 | Outbound | Client data plane connectivity. This domain needs to be SSL whitelisted on the proxy or firewall if SSL interception is enabled.
User devices | addon-<tenantname> (163.116.xxx.xxx) | 443 | Outbound | For downloading configuration files.
User devices | download-<tenantname> (163.116.xxx.xxx) | 443 | Outbound | Client package downloads and software upgrades.
User devices | achecker-<tenantname> (163.116.xxx.xxx) | 443 | Outbound | For Client Enforcement and Client based notifications.
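The table above pairs each client endpoint hostname with the address range it resolves into, and asks for an SSL-interception bypass on the gateway name. Before such a bypass or firewall allow entry is created, a practitioner normally confirms that the addresses the hostname actually resolves to fall inside the documented ranges, so the bypass never quietly covers something else. The Python script below is an added example written for this design note (it is not Netskope tooling and is not from the original document). The tenant name "example" and the resolver results are constructed; the 163.116.xxx.xxx ranges for the addon, download and achecker hosts are elided in the table, so the script assumes they sit in the same two published /24 networks, which should be confirmed with Netskope.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Published data-plane ranges from the 7.2 table. The addon/download/achecker
# ranges are elided in the table (163.116.xxx.xxx); the assumption here is that
# they fall inside these two networks.
NETSKOPE_DATA_PLANE_NETS = [
    ipaddress.ip_network("163.116.192.0/24"),
    ipaddress.ip_network("163.116.198.0/24"),
]

# Hostname patterns from the table; the tenant name is substituted at runtime.
ENDPOINT_TEMPLATES = ("gateway-{t}", "addon-{t}", "download-{t}", "achecker-{t}")


def tenant_endpoints(tenant: str) -> List[str]:
    """Expand the four hostname patterns for one tenant name."""
    return [tpl.format(t=tenant) for tpl in ENDPOINT_TEMPLATES]


def resolve_live(hostname: str) -> List[str]:
    """Real DNS lookup over the network. Not used by the offline demo below."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def out_of_range(resolved: Dict[str, Iterable[str]],
                 allowed_nets: Iterable[ipaddress.IPv4Network]) -> Dict[str, List[str]]:
    """Return, per hostname, the resolved addresses outside the allowed networks.

    An empty dict means every address is covered by the documented ranges and
    the bypass / firewall entries can be created as written in the table.
    """
    nets = list(allowed_nets)
    findings: Dict[str, List[str]] = {}
    for host, addrs in resolved.items():
        offenders = [a for a in addrs
                     if not any(ipaddress.ip_address(a) in net for net in nets)]
        if offenders:
            findings[host] = offenders
    return findings


def check_tenant(tenant: str,
                 resolver: Callable[[str], Iterable[str]]) -> Dict[str, List[str]]:
    """Resolve every endpoint of a tenant with `resolver` and report outliers.

    Pass resolve_live for a real check, or a dict lookup for an offline run.
    """
    resolved = {host: list(resolver(host)) for host in tenant_endpoints(tenant)}
    return out_of_range(resolved, NETSKOPE_DATA_PLANE_NETS)


# Constructed resolver results standing in for resolve_live(). 203.0.113.5 is an
# RFC 5737 documentation address, used to show how an outlier is reported.
SAMPLE_RESOLUTIONS = {
    "gateway-example": ["163.116.192.10", "163.116.198.10"],
    "addon-example": ["163.116.198.20"],
    "download-example": ["203.0.113.5"],
    "achecker-example": ["163.116.192.30"],
}

if __name__ == "__main__":
    report = check_tenant("example", SAMPLE_RESOLUTIONS.__getitem__)
    for host, addrs in report.items():
        print(f"confirm with Netskope before allow-listing {host}: {', '.join(addrs)}")
```

Run against the constructed data, only download-example is reported, because its address is outside both /24s; the other three hosts resolve inside the documented ranges. Swapping `SAMPLE_RESOLUTIONS.__getitem__` for `resolve_live` turns the same logic into a pre-change check on the real tenant.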

7.3 Real-time Protection - IPSec

NETSKOPE TUNNEL SETTINGS – PEERS (IPSEC)

Tunnel Name | <enter tunnel name>
Source IP Address | <enter originating egress ip address for ipsec tunnel>
Source Identity | <enter source identity to be configured in ipsec tunnel>
Primary Netskope DC | <enter DC IP & Name>
Failover Netskope DC | <enter DC IP & Name>
Pre-Shared Key (PSK) | <enter key – stored in password safe>
Encryption Cipher | One of: AES128-CBC, AES128-GCM, AES192-GCM, AES256-CBC, AES256-GCM
Maximum Bandwidth | One of: 50 Mbps, 100 Mbps, 150 Mbps, 250 Mbps
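Before a filled-in tunnel row is handed to the network team, it is worth checking mechanically that no template cell is still a placeholder, that the cipher and bandwidth values are ones the table offers, that the PSK is long and random, and that a CBC cipher was chosen deliberately (the GCM options are AEAD modes, giving integrity protection together with encryption). The Python checker below is an added example for this design note, not Netskope tooling and not part of the original document. The 32-character PSK minimum, the field names and the sample values (RFC 5737 documentation addresses, made-up DC names) are assumptions.

```python
import ipaddress
import re
import secrets
from dataclasses import dataclass, replace
from typing import List

# Option lists copied from the 7.3 settings table.
ALLOWED_CIPHERS = ("AES128-CBC", "AES128-GCM", "AES192-GCM", "AES256-CBC", "AES256-GCM")
ALLOWED_BANDWIDTH_MBPS = (50, 100, 150, 250)
MIN_PSK_CHARS = 32  # assumed local standard, not a value from the design document
PLACEHOLDER = re.compile(r"^<.*>$")  # unfilled template cells look like <enter ...>


@dataclass
class TunnelSettings:
    """One row of the PEERS (IPSEC) table; field names are this example's own."""
    tunnel_name: str
    source_ip: str
    source_identity: str
    primary_dc: str
    failover_dc: str
    psk: str
    cipher: str
    max_bandwidth_mbps: int


def generate_psk(nbytes: int = 48) -> str:
    """Random URL-safe PSK from the OS CSPRNG; the value belongs in the password safe."""
    return secrets.token_urlsafe(nbytes)


def review(s: TunnelSettings) -> List[str]:
    """Return review findings for a tunnel row; an empty list means it passed."""
    findings: List[str] = []
    text_fields = {
        "tunnel_name": s.tunnel_name, "source_ip": s.source_ip,
        "source_identity": s.source_identity, "primary_dc": s.primary_dc,
        "failover_dc": s.failover_dc, "psk": s.psk,
    }
    unfilled = set()
    for name, value in text_fields.items():
        if not value.strip() or PLACEHOLDER.match(value.strip()):
            unfilled.add(name)
            findings.append(f"{name}: template placeholder or empty value")
    if "source_ip" not in unfilled:
        try:
            ipaddress.ip_address(s.source_ip)
        except ValueError:
            findings.append("source_ip: not a valid IP address")
    if "psk" not in unfilled and len(s.psk) < MIN_PSK_CHARS:
        findings.append(f"psk: shorter than {MIN_PSK_CHARS} characters")
    if not {"primary_dc", "failover_dc"} & unfilled and s.primary_dc == s.failover_dc:
        findings.append("failover_dc: identical to primary_dc, so there is no real failover")
    if s.cipher not in ALLOWED_CIPHERS:
        findings.append(f"cipher: {s.cipher} is not in the supported list")
    elif s.cipher.endswith("-CBC"):
        findings.append("cipher: CBC mode chosen; an AES-GCM option gives authenticated encryption")
    if s.max_bandwidth_mbps not in ALLOWED_BANDWIDTH_MBPS:
        findings.append(f"max_bandwidth_mbps: {s.max_bandwidth_mbps} is not an offered tier")
    return findings


# Constructed rows: the untouched template, a filled-in row, and two variants.
TEMPLATE_ROW = TunnelSettings(
    "<enter tunnel name>", "<enter originating egress ip address for ipsec tunnel>",
    "<enter source identity to be configured in ipsec tunnel>", "<enter DC IP & Name>",
    "<enter DC IP & Name>", "<enter key – stored in password safe>", "AES256-GCM", 100)
FILLED_ROW = TunnelSettings(
    "branch-to-netskope-1", "198.51.100.7", "198.51.100.7",
    "203.0.113.10 AU-MEL-1", "203.0.113.11 AU-MEL-2", generate_psk(), "AES256-GCM", 100)
CBC_ROW = replace(FILLED_ROW, cipher="AES128-CBC")
ODD_BANDWIDTH_ROW = replace(FILLED_ROW, max_bandwidth_mbps=75)

if __name__ == "__main__":
    for label, row in (("template", TEMPLATE_ROW), ("filled", FILLED_ROW), ("cbc", CBC_ROW)):
        print(label, review(row) or ["ok"])
```

The template row produces one finding per unfilled cell and nothing else, the filled row passes cleanly, and the CBC variant is reported only for its cipher choice, which is the point of running the check: a row can be complete and still carry a weaker-than-necessary setting.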

8 Project Timelines
The following section outlines the proposed timeline of the deployment.

8.1 Project High Level Dates


Item | Date
Project Commencement Date | Dec-2020
Estimated Project Completion Date | Jun-2021

8.2 Project Milestone Estimated Delivery Dates


Milestone | Estimated Delivery Date
High Level Design | 15-Jan-2021
Netskope UI - Tenant Management | Mar-2021
Directory Importer | Mar-2021
Netskope Client | Apr-2021
DLP & Web Policies | Apr-2021
Splunk SIEM Integration | Jun-2021

9 Appendix
9.1 Netskope Datacenters

9.2 Confidentiality / Integrity / Availability


Netskope’s Global Cloud Infrastructure and data center hosting providers employ state-of-the-art physical security controls and regularly engage independent auditors to ensure the highest level of compliance with best-of-breed frameworks and standards.

Netskope data centers, hardware, software, and processes are secure, redundant, meet the most rigorous standards and deliver high performance.

Netskope maintains all global data center infrastructure in a high availability (HA) architecture using Global Traffic Management (GTM) and regional disaster recovery (DR) sites, and continues to expand by adding regional Points of Presence (POPs). Full POPs are backed up to a designated regional POP location. Micro POPs only host the Netskope data plane systems and are also used as regional Full POP backup locations. All of the POPs are configured with GTM, and should any POP be unavailable, user traffic is automatically directed to the next closest available POP.

9.3 Data Residency & Processing


POPs (Points of Presence) are deployed using two separate configurations, a “Full” POP or a “Micro”
POP. Full POPs include each Netskope infrastructure system type: management plane including the
admin web user interface (UI) and API Introspection Services, data plane (end user active/inline data
processing), client/tenant user data and Netskope metadata storage systems, and the Netskope systems
orchestration and management systems.

At the time of onboarding and provisioning Netskope services, customers can select one of Netskope’s
Full POPs as their designated “Home” POP. Through this designation, the customer is assured that all
user data and metadata generated by Netskope is stored only in the selected Home POP location and the
corresponding DR POP for backups. Currently, each customer can select only a single Home POP
location per Netskope tenant.

Facts about enterprise and end-user cloud service data (files/structured data) processed by Netskope:

● Netskope does not store cloud service data on its systems or in its data centers.
● Netskope processes cloud service data in memory only. Data residency for this data depends on the cloud application provider (e.g. Office 365, Box, Amazon) and on the enterprise infrastructure and account data residency configurations for these services. Once data residency is defined for a cloud service, Netskope policies can be configured to manage the cloud service’s use, and DLP rules can enforce the organization’s data residency requirements.

<customer> has two tenants; details are below:

TYPE | NETSKOPE TENANT | HOME POP | GTM
PROD | <ns client tenant url> | Australia - Melbourne | AU region only
PROD | <dpop tenant url> | Australia - Melbourne | AU region only

9.3.1 Data at Rest


Netskope’s API “Introspection” service uses APIs and OAuth tokens to access and process enterprise
data in cloud services. This data is always processed from the customer's designated Home POP, is
processed in memory only, and is not stored or persisted by Netskope.

9.3.2 Data in Transit


Netskope uses strong encryption to protect customer data and communications, including encryption over HTTPS with 2048-bit key pairs. All transmission of data between clients, Netskope, and cloud services is performed using TLS or SFTP/SSH enabled with current industry-accepted configurations and ciphers.

9.3.3 Storage Confidentiality


Metadata is only stored in the client’s selected Home POP location and is backed-up only within the same
geographic region to the designated regional DR POP.

Netskope metadata elements can include the following:

● User ID (both enterprise User ID and any other alias the user used to log in to Netskope and various cloud applications)
● Service (Application) Name
● Service (Application) Instance
● Category
● Cloud Confidence Level (enterprise-readiness score)
● DLP Profile and Rule triggered
● Data Classification
● Policy Name
● Activities
● Device
● OS
● Browser or Native Client Used
● Device Classification
● File Object (like file name or email subject)
● Bytes Uploaded
● Bytes Downloaded
● Length of Connection
● Access Method (Reverse Proxy, Forward Proxy, Introspection, Agent, iOS Mobile Profile)
● Operating Unit (OU)
● Active Directory (AD)/LDAP Group
● Source, Destination and Private IP addresses

Attached is a list of all attributes:

Netskope does not use client metadata or share client metadata with third parties for any purposes
outside of the Netskope CASB service.

Netskope has certified its privacy practices and controls with TRUSTe and the EU-US Privacy Shield
programs.

● Netskope Privacy Policy: https://www.netskope.com/privacy-policy/
● TRUSTe Certification: https://privacy.truste.com/privacy-seal/validation?rid=d71c1713-1f31-4fe7-9b1c-b4a0ce56fd66
● US Privacy Shield: https://www.privacyshield.gov/list

9.4 Data Retention



DATA TYPE | RETENTION PERIOD IN DAYS
Alerts | 90 or 365
Analytics (Daily Summary) | 90 or 365
Alert Summaries (Hourly and Daily Summaries) | 90 or 365
Application Events | 90 or 365
Audit Events | 90 or 365
Dashboard | 90 or 365
Page Events | 7 or 365
Reports (Daily Summary) | 90 or 365

9.5 Identity Management


The Netskope UI provides full access to deploying and managing the Netskope solution. There are
several administrator account types. You can assign each admin a specific role which has different admin
privileges. You can configure an admin user as one of the admin account types. In addition, you can
create custom designed roles based on your business needs.

All activities performed on the Netskope UI are logged and accessible only to the Tenant Admin role.

Admins can also be kept from viewing sensitive data by creating custom roles, which apply to the Events, Introspection, Reports, Incident Management and Malware functional areas. The following fields can be obfuscated:

● User names and IPs
● Source location information
● File and object names
● App names, URLs and Dest IPs

PRIVILEGE / ROLE | PURPOSE
Tenant Admin | Top level admin that has all privileges
Delegated Admin | All privileges except managing other admins
Restricted Admin | Has read-only access to all functions
Cloud Intelligence Analyst | Has access only to reporting and analytics
Application Risk Analyst | Can run reports and analytics and read the CCI
Enterprise Applications Admin | Can manage the application CCI
Directory Admin | Can manage users
Security Admin | Can manage settings
InfoSec Operations Admin | Can manage policies
Compliance Officer | Can remediate DLP incidents
Security Analyst | Can analyze malware and threats

10 Appendix B
10.1 Reference Documents
The guides below detail the various components being deployed in this design. Access to the Netskope Tenant and Support site will be required to access the links.

TERM | REFERENCE
Netskope Admin Guide | Admin Guide

11 Decision Points

Below are various decision points which were discussed and agreed upon during the course of
deployment and weekly meetings.

No. Date Decision Item Comments


D1
D2
D3
D4
D5
