Enterprise 2 Build 4 (E2B4) - SDP and SASE - Symantec Cloud Secure Web Gateway, Symantec ZTNA, and Symantec Cloud Access Security Broker as PEs Product Guides

Note

This page is supplementary material for the NIST SP 1800-35 publication.

This section of the practice guide contains detailed instructions for installing, configuring, and integrating all of the products used to implement E2B4. For additional details on E2B4’s logical and physical architectures, please refer to Architecture and Builds.

Symantec ZTNA

Symantec ZTNA is a cloud-based service that allows this build to control network access within the enterprise and to control access to enterprise applications and resources.

Installation and Configuration

This build’s instance of the Symantec Cloud SWG was provisioned and deployed with the help of the Symantec team. The initial configuration process is detailed in the official documentation. Symantec ZTNA was also integrated with many of the other build components, for which details can be found later in this section. Following that, policies were configured in accordance with the official Symantec ZTNA policy guidance.

Integration with Okta Identity Cloud

Integration with Okta Identity Cloud was accomplished using Symantec by Broadcom’s official documentation.

Integration with Symantec DLP

Integration with Symantec DLP was accomplished using Symantec by Broadcom’s official documentation.

Integration with Symantec Endpoint Security

Integration with Symantec Endpoint Security was accomplished using Symantec by Broadcom’s official documentation.

Integration with Symantec Cloud Secure Web Gateway (Cloud SWG)

Integration with the Symantec Cloud SWG was accomplished using guidance provided in the Symantec ZTNA web interface. Integrating these components depends on linking them together via subscription ID.

Symantec ZTNA Connector

The Symantec ZTNA Connector provides a secure connection between the cloud-based Symantec ZTNA service and applications and resources that are being protected. The protected applications and resources can be hosted on-prem or in the cloud and can be private or public-facing. Deployment instructions can be found in the Symantec ZTNA web interface.

Symantec Cloud Secure Web Gateway (Cloud SWG)

The Symantec Cloud SWG is a cloud-based service that can apply policy to user traffic. User endpoints with the Symantec Endpoint Security agent are configured to pass network traffic through the Cloud SWG, allowing policy to be applied and enforced.

Installation and Configuration

This build’s instance of the Symantec Cloud SWG was provisioned and deployed with the help of the Symantec by Broadcom team. Once deployment was complete, policies were configured in accordance with the official Cloud SWG Policy guidance.

Integrations

The Symantec Cloud SWG was also integrated with the Symantec Cloud Access Security Broker (CASB) and the Symantec DLP Cloud Detection Service to better enable policy enforcement in those areas. These integrations were accomplished using the official integration documentation for the Symantec CASB and the official integration documentation for Symantec DLP. The Cloud SWG was also integrated with Symantec Endpoint Security to allow endpoint traffic to flow through the Cloud SWG, using the official integration documentation.

Symantec Cloud Access Security Broker (CASB)

The Symantec Cloud Access Security Broker (CASB) (also known as CloudSOC) integrates with the Symantec Cloud SWG, Symantec DLP, and Symantec ZTNA to control access to cloud-based applications and resources.

Installation and Configuration

This build’s instance of the Symantec CASB was provisioned and deployed with the help of the Symantec team. Further configuration was accomplished using the official Symantec documentation.

Integration with SpanVA

SpanVA is an on-prem component of the Symantec CASB that was deployed and integrated with this build’s AD instance. This allowed the CASB to correlate user identities and events. Deployment and integration were accomplished using the official SpanVA documentation.

Symantec Endpoint Security

Symantec Endpoint Security provides a wide range of endpoint protection capabilities. It is managed from a cloud-based console on the back end and applies policies to endpoints through a software agent deployed on each device.

Installation and Configuration

This build’s instance of Symantec Endpoint Security was provisioned and deployed with the help of the Symantec by Broadcom team. Once deployed, policies were configured using Symantec’s official documentation, and software agents were deployed to endpoints throughout the enterprise.

Symantec Endpoint Security Agent

A software agent was deployed onto Windows, macOS, Linux, iOS, and Android endpoints within the build. This software agent provided a range of endpoint protection capabilities, including device health and posture management, and tunneling the endpoint’s network traffic to the Symantec Cloud SWG.

Symantec DLP Cloud Detection Service

The Symantec DLP Cloud Detection Service provided data loss prevention capabilities for this build. This deployment is primarily a cloud-based service that integrates with Symantec ZTNA, Symantec Cloud SWG, and Symantec Endpoint Security. An on-prem Symantec DLP Management Server was deployed in the build’s on-prem environment for granular policy configuration.

Installation and Configuration

This build’s instance of the Symantec DLP Cloud Detection Service was provisioned and deployed with the help of the Symantec by Broadcom team. Next, the Symantec DLP Management Server was deployed in the enterprise on-prem environment, using Symantec’s official documentation. Once deployed, policies were configured through the Symantec DLP Management Server, using Symantec’s official documentation.

Okta Identity Cloud

The Okta Identity Cloud was implemented in the same manner as Enterprise 1. No significant changes were made. Refer to Okta Identity Cloud.

Okta Verify App

The Okta Verify App was implemented in the same manner as Enterprise 1. No significant changes were made. Refer to Okta Verify App.

Radiant Logic RadiantOne

Installation and Configuration

Refer to Radiant Logic RadiantOne Installation and Configuration.

Integrations

Refer to Radiant Logic RadiantOne Integration for integration of Radiant Logic with SailPoint.

SailPoint IdentityIQ

Installation and Configuration

Refer to SailPoint IdentityIQ Installation and Configuration.

Integration with Radiant Logic

Refer to SailPoint IdentityIQ Integration with Radiant Logic.

Integration with AD

Refer to SailPoint IdentityIQ Integration with AD.

VMware Workspace ONE

For installation, configuration, and integration instructions, refer to VMware Workspace ONE.

IBM Security QRadar XDR

For installation, configuration, and integration instructions, refer to IBM Security QRadar XDR.

Tenable.io

For installation, configuration, and integration instructions, refer to Tenable.io.

Tenable.ad

For installation, configuration, and integration instructions, refer to Tenable.ad.

Tenable NNM

For installation, configuration, and integration instructions, refer to Tenable NNM.

Mandiant Security Validation (MSV)

For installation, configuration, and integration instructions, refer to Mandiant Security Validation (MSV).

Google Cloud

The Google Cloud Platform is a cloud computing platform that includes a mixture of IaaS, PaaS, and SaaS offerings. This build used Google Cloud IaaS resources as a public/private cloud host. This section describes the Google Cloud components used in this build.

  1. A Virtual Private Cloud (VPC) network was created within the Google Cloud console, and subnets were configured. Step-by-step instructions can be found in Google’s official documentation.

  2. VPC firewall rules were configured to secure the environment. Step-by-step instructions can be found in Google’s official documentation.

  3. VMs to host resources were created using Google’s official documentation. For this build, Google Cloud hosted MSV Agents, a Symantec ZTNA Connector, and GitLab servers that served as applications/resources for demonstrations.

  4. A Google Cloud VPN was configured to connect components of the on-prem environment. This was set up using Google’s official documentation.

For details on the logical architecture of the Google Cloud environment, please refer to IaaS - Google.
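As an added example (not the NCCoE build's own infrastructure code), the following Terraform configuration expresses steps 1 through 3 above: a custom-mode VPC and subnet, an explicit deny-all-ingress rule with a single narrow allow from the on-prem range to the GitLab servers, and a ZTNA Connector VM with no external IP. All resource names, the region and zone, the CIDR ranges, the machine type and the image are assumed placeholders, and the step 4 VPN is not shown.

```hcl
# Added example, not the build's IaC; names, region, CIDRs and image are placeholders.
# Step 1: custom-mode VPC (no auto-created subnets) and one subnet.
resource "google_compute_network" "e2b4" {
  name                    = "e2b4-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "apps" {
  name          = "e2b4-apps"
  network       = google_compute_network.e2b4.id
  region        = "us-east1"
  ip_cidr_range = "10.20.0.0/24"
}

# Step 2: explicit deny-all ingress at priority 65534 (above the VPC's implied
# deny), then allow only the on-prem range (reached over the step 4 VPN) to GitLab.
resource "google_compute_firewall" "deny_ingress" {
  name          = "e2b4-deny-ingress"
  network       = google_compute_network.e2b4.name
  direction     = "INGRESS"
  priority      = 65534
  source_ranges = ["0.0.0.0/0"]
  deny { protocol = "all" }
}

resource "google_compute_firewall" "onprem_to_gitlab" {
  name          = "e2b4-allow-onprem-gitlab"
  network       = google_compute_network.e2b4.name
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = ["192.168.100.0/24"]
  target_tags   = ["gitlab"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# Step 3: ZTNA Connector VM. No access_config block means no external IP; the
# connector is assumed to need only outbound connectivity to the ZTNA service.
resource "google_compute_instance" "ztna_connector" {
  name         = "e2b4-ztna-connector"
  machine_type = "e2-medium"
  zone         = "us-east1-b"
  boot_disk {
    initialize_params { image = "debian-cloud/debian-12" }
  }
  network_interface {
    subnetwork = google_compute_subnetwork.apps.id
  }
}
```

VMs tagged `gitlab` accept HTTPS only from the on-prem range; every other inbound connection, including to the connector, is dropped by the explicit deny rule.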

DigiCert CertCentral

For installation, configuration, and integration instructions, refer to DigiCert CertCentral.