Remote Internet Security with One Time Authentication

This article explains how to use Cato features to provide users with Remote Internet Security with One Time Authentication and secured private access on demand.

Overview

Cato can provide users with secured remote Internet access after one time authentication. This means users always have Internet connection and protection with minimal interaction with the Client. Access to your private network (WAN) can be provided on demand.

This is configured by defining the level of authentication users require for secured access to either the Internet or your private network (WAN). For example, you can always allow users to have secured access to the Internet after their initial authentication, but only allow access to your private network (WAN) after a user re-authenticates.

In addition, you can control the user re-authentication experience. A prompt can be displayed to users either before or after the authentication token expires.

Configurations for Secured Access to the Internet or Private Network (WAN)

Remote Internet Security with One Time Authentication is enabled by defining the user Confidence Levels and the level of access (Action) in Client Connectivity Policy rules. The Confidence Level describes how reliable the user's authentication is. The Action defines if the user can access the Internet and private network (WAN) or only the Internet.

Understanding Confidence Levels

The Confidence Level describes how reliable the user's authentication is. The Confidence Levels are:

  • High: The user is authenticated to the Client and the Cato token is valid

  • Low: The user has authenticated to the Client, but the Cato token has expired

  • Any: The user has authenticated to the Client and the Cato token is either valid or expired

Confidence levels are applied to users after authenticating with any authentication method. The Cato token never expires for users that authenticate with a Username and Password or Registration codes. These users always have a High confidence level.

Understanding Actions

The Action defines the level of access provided to the user. The Actions are:

  • Allow WAN and Internet: The user has secured Internet access and can access the private network (WAN)

    Note: This option provides permission for a user to access the private network (WAN). A user's access to the private network (WAN) is dependent on rules in the WAN Firewall.

  • Allow Internet: The user only has secured Internet access and cannot access the private network (WAN)

    Note: This option provides permission for a user to access the Internet. A user's access to the Internet is dependent on rules in the Internet Firewall.

Prerequisites
  • Supported from Windows Client v5.9 and higher

  • Users must be assigned an SDP license to have secured Internet access

  • Users must authenticate and have a valid token at least once for confidence levels to be enforced

Use Case - Secured Internet Access After Authenticating Once

A publishing company has sales reps who work remotely that rarely need access to the company WAN.

The company creates these rules for the sales rep user group:

  • In their Always-On policy they ensure the Client connects with anyone working remotely

  • In the Client Connectivity Policy, they let users with a Low Confidence Level access the Internet

When sales reps arrive at a prospect, they are securely connected to the Internet without any interaction with the Cato Client.

Low_Confidence_Level.png

Use Case - Re-Authentication Always Required

A bank has strict Internet security requirements and needs to always ensure users remotely accessing the Internet and private network (WAN) are authenticated.

The company creates these rules for all remote users:

  • In their Always-On policy, they ensure the Client always connects

  • In the Client Connectivity Policy, they provide access to the Internet and private network (WAN) to users with a High Confidence level.

When a user connects remotely, they must authenticate before they can access the Internet or private network (WAN).

High_Confidence.png

Configuring Remote Internet Security with One Time Authentication

Follow these steps to enable Remote Internet Security with One Time Authentication:

  1. Define a rule in your Always-On policy so that the Client always connects to the Cato Cloud protecting users and devices.

  2. Define a rule in your Client Connectivity policy that defines the level of access based on the user's Confidence Level.

  3. Configure how users are prompted to re-authenticate to provide the best experience for your users.

Step 1: Applying the Always-On Policy to Always Protect Remote Users

The Always-on Policy enhances Internet security by defining rules for when users or User groups always connect to the Cato Cloud. This ensures all traffic goes through a PoP and Cato security engines inspect the traffic to ensure it complies with your security policies.

For more information on how to create a rule in your Always-On policy, see Protecting Users with Always-On Security.

If you already have a rule for the relevant user groups in your Always-On policy, this step is not required.

Step 2: Configure Client Connectivity Policy to Provide Access Based on Confidence Level

The Client Connectivity policy secures your network by ensuring devices or users only connect when they comply with the organizational security requirements.

Including the Confidence Level and Actions in a Client Connectivity Policy rule lets you define the access available to users and User groups based on how reliable their authentication is.

For more information on how to manage network access in your Client Connectivity Policy, see Configuring the Client Connectivity Policy.

Client Connectivity Policy rules can only be applied to users with an SDP License.

CCP.png

To configure access based on Confidence Level:

  1. From the navigation menu, click Access > Client Connectivity Policy.

  2. Click New. The New Rule panel opens.

  3. Configure the scope of the rule:

    1. Define the Confidence Level

    2. Define the Action

  4. Click Apply and then click Save.

    Note: As a best practice, create a final rule for any User or Group with a Confidence Level of Any and the Allow Internet action. This provides any user that has not matched a higher priority rule with secured Internet access.

Step 3: Define the User Experience for Re-authenticating

You can choose when the Client prompts users to re-authenticate. For example:

  • If a user only needs secured Internet access and does not need regular access to your private network (WAN), they do not need to be disturbed by prompts to re-authenticate.

  • If a user always needs access to your private network (WAN), they can receive prompts to re-authenticate before and after the authentication token expires so that their access is not blocked.

If you configure Any or Low confidence level with the action Allow WAN and Internet, the user is not prompted to re-authenticate after the token expires, and is granted full access with an expired token. For more information about available authentication methods, see Configuring the Authentication Policy for Cato Clients.
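To make the rule semantics concrete, the following Python model (an added illustration, not Cato code) evaluates Client Connectivity Policy rules in order against a user's derived Confidence Level, and includes a check that flags any rule granting Allow WAN and Internet at Low or Any confidence, the expired-token full-access case described above. The User and Rule fields, the group and authentication-method labels, and first-match rule ordering are assumptions; the policy at the bottom is constructed and ends with the recommended Any / Allow Internet catch-all from Step 2.

```python
from dataclasses import dataclass

HIGH, LOW, ANY = "High", "Low", "Any"          # Confidence Levels
ALLOW_WAN_AND_INTERNET, ALLOW_INTERNET = "Allow WAN and Internet", "Allow Internet"
NON_EXPIRING_METHODS = {"password", "registration_code"}  # token never expires: always High

@dataclass
class User:
    name: str
    groups: set           # user group memberships (constructed names)
    auth_method: str      # "sso", "password" or "registration_code" (assumed labels)
    authenticated: bool   # has authenticated to the Client at least once
    token_valid: bool     # Cato authentication token has not expired

@dataclass
class Rule:
    name: str
    groups: set           # empty set = applies to any user
    confidence: str       # HIGH, LOW or ANY
    action: str           # ALLOW_WAN_AND_INTERNET or ALLOW_INTERNET

def confidence_level(user):
    """Derive the Confidence Level from token state and authentication method."""
    if not user.authenticated:
        return None  # levels are only enforced after one valid authentication
    if user.auth_method in NON_EXPIRING_METHODS or user.token_valid:
        return HIGH
    return LOW

def evaluate(rules, user):
    """First-match evaluation over ordered rules (ordering is an assumption)."""
    level = confidence_level(user)
    if level is None:
        return None
    for rule in rules:
        in_scope = not rule.groups or bool(rule.groups & user.groups)
        if in_scope and rule.confidence in (level, ANY):
            return rule.action
    return None  # nothing matched: no secured access is granted

def lint(rules):
    """Flag rules that grant WAN access to a user whose token may have expired."""
    return [r.name for r in rules
            if r.action == ALLOW_WAN_AND_INTERNET and r.confidence in (LOW, ANY)]

RULES = [  # constructed policy; the recommended Any / Allow Internet catch-all is last
    Rule("Sales reps - Internet only", {"sales"}, LOW, ALLOW_INTERNET),
    Rule("Finance - full access", {"finance"}, HIGH, ALLOW_WAN_AND_INTERNET),
    Rule("Catch-all", set(), ANY, ALLOW_INTERNET),
]
```

Running lint over a policy before saving it surfaces exactly the Low/Any plus Allow WAN and Internet combination this section warns about.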

When_to_Auth.png

To define when users are prompted to re-authenticate:

  1. From the navigation menu, click Access > Client Access.

  2. Expand the Authentication section.

  3. Choose when users are prompted to re-authenticate.

    Note: You can choose one, both, or neither option. If you leave both options unchecked, the user does not receive any prompts to re-authenticate.

  4. Click Save.

Monitoring Users' Confidence Level and Network Access

You can monitor the confidence level of users at any time from the Access > User page. The current confidence level of a user is displayed in the Users Directory tab. An event is also created whenever the Client Connectivity Policy allows a user to connect. For more information, see Configuring the Client Connectivity Policy.

Understanding the User Experience

The Client displays the level of access permitted to the user based on how reliable their authentication is. Depending on the level of access permitted, Secured Private Access and Secured Internet Access are listed with a check or exclamation mark.


If the Client has access to both the private network (WAN) and the Internet:

Trust_Level_Client_Auth.jpg

If the Client only has access to the Internet:

Internet_Only.jpg

Advanced Configurations

Enabling Remote Internet Security with One Time Authentication affects other features as described below.

DNS Configuration

The internal DNS and DNS forwarding configurations for your account are ignored for users granted access only to the Internet.

If a user has only Internet access, the Cato Internet DNS (10.254.254.1) is used as their primary DNS and their secondary DNS is 8.8.8.8.

Office Mode

You can configure users with Always-On enabled to require authentication to Cato when the Client is connected in Office Mode. For more information, see Protecting Users with Always-On Security.

A user configured in a Client Connectivity Policy rule that allows access to the Internet with a Low Confidence Level (Cato Authentication token expired) does not need to authenticate in Office Mode. The Client Connectivity Policy configuration overrides the Always-On configuration in Office Mode.

Pre-Login

Pre-Login configurations are not impacted by configurations for Remote Internet Security with One Time Authentication. Before users authenticate, traffic is routed as follows:

  • Clients with Always-On enabled are only allowed to connect to resources defined in Allowed Destinations; Internet traffic is blocked.

  • Clients without Always-On enabled can connect to resources defined in Allowed Destinations and have unsecured Internet access.

For more information about Pre-Login, see Using Windows Pre Login and the SDP Client.

Technical Details

Remote Internet Security with One Time Authentication is enabled using configurations in the Always-On policy and the Client Connectivity Policy.

After users authenticate and the authentication token is valid, all traffic passes through the Cato PoP and is inspected by Cato's security engines in accordance with your security policies.

After the authentication token expires, you can allow Internet traffic to continue to pass through the Cato PoP. This provides continuous secured Internet access even though the user is unauthenticated. For secured private access, users are still required to re-authenticate to gain access according to your WAN Firewall policy.


4 comments

  • JM

    Are there plans to support the “Allow Internet” (only) option for iOS and Android clients?

  • Michael Goldberg

    Hi JM, 

    Yes there are plans to support this feature on iOS and Android Client versions. They will be made available in a future Client version. 

  • Derek Wolcott

    Are there plans to support this for macOS Clients?

    DNS question: if a public DNS server is required, how do you ever resolve internal addresses in the event of connecting the Private Secured Access for on-prem resources?

    Does this mean we cannot use CatoDNS servers for clients?

  • Michael Goldberg

    Hi Derek Wolcott,

    Support for this feature on macOS devices is already on the roadmap. 

    Using a public DNS server for this feature is no longer a prerequisite. I have updated the article. 
