InstaSafe Secure Access Architecture


Product Overview

InstaSafe Secure Access (ISA) is an innovative enterprise remote access software solution based on the software-defined perimeter model and delivered as a service. It provides enterprises with a simplified setup to secure and manage application access.

ISA provides user access to only those applications which they are authorized to access. The platform allows businesses to create and manage secure networks for their remote teams, with features such as multi-factor authentication, user access controls, network segmentation, and geo location. The approach provides secure, isolated network segments for specific groups of users and devices, rather than using traditional network-based access controls.

ISA is designed to provide secure, flexible, and easy-to-manage remote access for businesses, with the emphasis on security of data and networks.

The use cases for ISA are:

Remote Access Connectivity to corporate applications - Allows users to connect to a corporate network and access applications from a remote location.

Remote Access Connectivity to cloud hosted applications - Allows remote users to securely access applications hosted in a public or private cloud.

Site-to-Site Connectivity - Allows services or applications in two or more sites to communicate with each other. Example: branch office to main office connectivity, or branch office to branch office connectivity.

Cloud to Cloud Connectivity - Used for inter-cloud or intra-cloud connectivity. The Gateway deployments in each of the entities ensure that services across cloud regions or platforms can communicate with each other.

Application to Application Connectivity - Allows a specific application to connect to another application. For example: web application to database connectivity, or application to application replication or inter-communication.


Product Architecture


The InstaSafe Secure Access (ISA) architecture consists of three planes.

1. Management Plane

2. Control Plane

3. Data Plane


Management Plane

The management plane refers to the set of functions used to configure, monitor, and manage ISA. It comprises the cloud-based web console for Operations, Administration and Management (OAM) of ISA. It provides centralized management and control of access to resources and enforces security policies. Because security policies can be updated dynamically, the approach remains flexible and adaptive.

InstaSafe implements Role-Based Access Control (RBAC), also known as Role-Based Security (RBS). In this access control model, permission and access rights are assigned to users based on their role or job function within the organization. The roles are defined and assigned to users, and each role has a set of associated permissions or access rights. When a user tries to access a resource, the system checks the user's role and compares it to the permissions associated with that resource. If the user's role has permission to access the resource, access is granted, otherwise it is denied.
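The RBAC decision described above, as an added example (not InstaSafe's own code): a deny-by-default check that maps a role to its permissions and a resource action to the permission it requires. The three role names are the portal roles mentioned later in this document; the permission strings and resource names are assumptions for illustration.

```python
from typing import Dict, NamedTuple, Set

class Decision(NamedTuple):
    allowed: bool
    reason: str  # kept so every decision can be written to the log database

# Role -> permissions it holds. The roles are the ones named for the web portal;
# which permissions each role holds is an assumption for this example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "user": {"connections:read"},
    "company_admin": {"users:write", "rules:write", "reports:write",
                      "connections:read", "logs:read"},
    "instasafe_admin": {"users:write", "rules:write", "reports:write",
                        "connections:read", "logs:read", "tenants:write"},
}

# Resource -> (action -> permission the action requires). Resources follow the
# portal operations listed in this document; the names are assumptions.
RESOURCE_ACTIONS: Dict[str, Dict[str, str]] = {
    "users": {"add": "users:write"},
    "access_rules": {"create": "rules:write"},
    "reporting_profiles": {"setup": "reports:write"},
    "connections": {"monitor": "connections:read"},
    "logs": {"view": "logs:read"},
    "tenants": {"create": "tenants:write"},
}

def check_access(role: str, resource: str, action: str) -> Decision:
    """Deny by default: allow only if the role holds the permission the action maps to."""
    held = ROLE_PERMISSIONS.get(role)
    if held is None:
        return Decision(False, f"unknown role {role!r}")
    needed = RESOURCE_ACTIONS.get(resource, {}).get(action)
    if needed is None:
        return Decision(False, f"no permission mapped for {action!r} on {resource!r}")
    if needed in held:
        return Decision(True, f"{role} holds {needed}")
    return Decision(False, f"{role} lacks {needed}")

if __name__ == "__main__":
    for req in [("company_admin", "access_rules", "create"),
                ("user", "logs", "view"),
                ("auditor", "logs", "view")]:
        print(req, check_access(*req))
```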


Control Plane

The Control Plane refers to the set of functions and processes responsible for authentication and authorization. The assumption is that all incoming network traffic is untrusted until it is verified as coming from an authenticated and authorized user.

It acts as the gatekeeper for all access to the protected resources and enforces the security policies. It creates a secure perimeter around a network and only allows authorized users to access the network after they have been authenticated and authorized. It verifies the User Agent with username, password, Geo Binding, Device Binding, Device Checks, and multi-factor authentication (MFA).

Data Plane

The Data Plane refers to the set of functions and processes responsible for the actual transmission of data between the user and the protected applications. 

Once a user is authenticated and authorized by the control plane, the data plane allows the user to access the protected resources by creating a secure, encrypted tunnel between the user's device and the Gateway to allow access to the protected applications. It is responsible for maintaining data integrity and data confidentiality using encryption and hashing methods.


InstaSafe Cloud Delivery Platform

InstaSafe Cloud

InstaSafe Cloud provides options to configure, authenticate, monitor and provide access control. InstaSafe Cloud comprises multiple components, which are explained below.


Controller

InstaSafe Controller is one of the key modules in the InstaSafe Cloud infrastructure that enforces access control for network connectivity. It is also the central point to which InstaSafe User Agent and Gateway Agent establish independent DTLS tunnels. It enforces policies and accepts/denies application access based on the configured policies. 

The Controllers are provisioned in multiple cloud providers in various geo locations. The Controllers are strategically placed as close as possible to customer premises to ensure minimum latency. Each tenant requires the provisioning of one or more Controllers.

The Controller IP address and port number are pushed to the ISA Agent in the configuration file after authentication and compliance checks are successfully completed. In the context of ISA User Agents, the Controller's role commences after the User Agent successfully completes authentication, the Geo Location check, the Device Binding check, the Device Check, and secondary authentication, such as 2FA/MFA.

The Controller listens on its IP address and a TCP or UDP port for tunnel establishment requests. The ISA Agents initiate the connection to the Controller; the Controller identifies the organization based on the signature in the first UDP packet it receives and proceeds to establish the tunnel.

The Controller is responsible for tasks such as: 

● Allocate IP addresses and routes to the ISA User Agent.

● Route data between the Agent and the private network.

● Enforce security policies.
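The first-packet identification described above, and the "static key for HMAC operation" that the Gateway Agent and User Agent configuration files carry, as an added example (not InstaSafe's own code or wire format). The packet layout, field names and keys are assumptions: the Agent authenticates its first UDP packet with the tenant's static key, so the Controller can attribute the packet to an organization and drop forged, unknown or stale packets before committing any DTLS handshake state; full mutual certificate authentication still happens inside the DTLS tunnel.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes

# Constructed per-tenant static keys. In ISA the static key reaches the Agent
# inside its configuration file; these values exist only for this example.
TENANT_KEYS: Dict[bytes, bytes] = {
    b"acme-corp": hashlib.sha256(b"constructed-key-acme").digest(),
    b"globex": hashlib.sha256(b"constructed-key-globex").digest(),
}

def build_first_packet(tenant: bytes, key: bytes, now: Optional[int] = None) -> bytes:
    """Agent side: [len][tenant id][8-byte timestamp][HMAC over the preceding bytes]."""
    ts = int(time.time()) if now is None else now
    body = struct.pack(">B", len(tenant)) + tenant + struct.pack(">Q", ts)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def identify_tenant(packet: bytes, keys: Dict[bytes, bytes] = TENANT_KEYS,
                    now: Optional[int] = None, max_skew: int = 30) -> Optional[bytes]:
    """Controller side: return the tenant id only if the packet verifies; None otherwise."""
    if len(packet) < 1 + 8 + TAG_LEN:
        return None                      # cannot hold all fields: drop silently
    n = packet[0]
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if len(body) != 1 + n + 8:
        return None                      # length field does not match the packet
    tenant = body[1:1 + n]
    key = keys.get(tenant)
    if key is None:
        return None                      # no such organization on this Controller
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                      # wrong static key or modified packet
    ts = struct.unpack(">Q", body[1 + n:])[0]
    current = int(time.time()) if now is None else now
    if abs(current - ts) > max_skew:
        return None                      # outside the window: limits replay to max_skew seconds
    return tenant
```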


Web Portal

The web server consists of two subcomponents: the Web service and the API service. Both services listen on port 443 for HTTPS connections for the published tenant portal, tenant name.instasafe.com. InstaSafe admins, company admins, and users log into the web portal and can perform authorized operations based on their roles.

The policies configured on the portal get pushed to the database for future use and to tenant controllers for immediate application. The API service provides authentication and authorization assistance for the Agent. 

As a first step of the connection establishment phase, InstaSafe Agent connects to the API server to establish mutual trust between the Agent and the InstaSafe Cloud. The TLS certificates and static key files generated when the User Agent is downloaded will be used by the Agent for authentication and verification. The API server verifies the Agent by examining the client certificate, and the Agent validates the InstaSafe server certificate using the CA certificate contained in the configuration file. 

When the authentication type is set to Cert + Password, the credentials are sent to the API server. If the user belongs to the local database, the user is authenticated by the API server. If the user belongs to Active Directory (AD), the credentials are forwarded to AD for authentication. The API server also verifies the Agent device for compliance checks, such as Geo Binding, Device Binding, Device Checks, and multi-factor authentication.

Once these verifications are successful, the IP address and port number of the Controller are inserted into the Agent configuration file. The Agent then establishes a DTLS tunnel with the Controller's IP address and port number.

The web portal administrator can perform the following in the web portal:

  1. Add users and user groups.

  2. Configure authentication and device compliance checks on the user or user group profile. 

  3. Create access rules.

  4. Set up reporting profiles.

  5. Monitor the status of connections. 

  6. View logs. 


Public Key Infrastructure (PKI)


The PKI server generates certificates and revocation lists for the User Agents, Gateway Agents and Controllers. Components holding certificates issued by this PKI trust each other and can communicate. This module uses OpenSSL for this purpose.


Scheduler

The scheduler runs routine tasks, such as directory synchronization and scheduled reports, in the background.


Job Processor

The job processor performs certain tasks asynchronously in the background so that the console is available for other operations. The tasks include report downloads and bulk operations. 


AAA Module

This module handles authentication, authorization and accounting of the users trying to connect and access resources.


Database

There are three databases used:

  1. Console database: stores user information, Gateways, devices, applications, and access policies.

  2. Authentication database: stores information related to user authentication.

  3. Log database: stores authentication, authorization, and accounting records. Reports are generated from the information available in the logs.


Notification Module

This module sends notifications to administrators and users by email and SMS, using the APIs of third-party providers. The notifications include alerts, reports and OTPs.

Gateway Agent

The InstaSafe Secure Access (ISA) Gateway Agent is software that acts as the entry and exit point for user access. It is responsible for encrypting and decrypting data sent over the secure connection, as well as routing data between the ISA User Agent and the private network. The ISA Gateway Agent establishes a DTLS tunnel with the ISA Controller to route traffic between the User Agents and the private network.

Gateways are deployed at the edge of a private network and are used to connect remote clients or networks to the private network. A Gateway can also be used to connect two separate private networks together, as in a site-to-site configuration.

The Gateway Agent script or installation file contains the following relevant information:

  1. Client certificate 

  2. Client private key

  3. CA certificate to verify the server certificate 

  4. Static key for HMAC operation

  5. Domain name and port number of the Controller 

The ISA Gateway Agent connection establishment process:

  1. The Agent makes an outbound connection to the domain name of the Controller on the port number in the configuration file. 

  2. Agent establishes a DTLS tunnel with the Controller after mutual authentication using the certificates and static key in the configuration file.  

  3. Data traffic from the User Agents is routed through the tunnel via the Controller to the Gateway, decrypted, and forwarded to the corporate resource. 

User Agent

The ISA User Agent is software installed on users' devices, such as laptops or smartphones. The Agent connects to the ISA Cloud Delivery Platform for the authentication and authorization process.

Once successfully authenticated, the Agent establishes a DTLS tunnel with the ISA Controller to access the remote network. The Agent runs as a service on the user's computer and can be configured to auto-connect whenever the computer is turned on.

For the supported platforms to install the ISA User Agent, refer to the article, Platforms Supported for Endpoint Agent Installation.

The ISA User Agent authentication, authorization, and connection establishment process:

  1. Agent connects to domain name.instasafe.com on TCP port 443. 

  2. Username and password authentication 

  3. Geo Binding check

  4. Device Binding check

  5. Device Check 

  6. Secondary authentication (2FA/MFA)

  7. The configuration file, company name.conf, is stored on the Agent endpoint device. The configuration file contains the following information:

    1. Client certificate

    2. Client private key

    3. CA certificate to verify the server certificate

    4. Static key for HMAC operation

    5. Domain name and port number of the Controller

  8. Agent connects to the domain name of the Controller on the port number in the configuration file. 

  9. Agent establishes a DTLS tunnel with the Controller after mutual authentication using the certificates and static key in the configuration file.  

  10. Data traffic is routed through the tunnel via the Controller to the Gateway, decrypted, and forwarded to the corporate resource.
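Steps 2 to 7 above, as an added example (not InstaSafe's own code) of the gate the API server applies before the Controller endpoint is released into the Agent configuration: the checks run in the documented order, the first failure stops the sequence, and nothing about the Controller leaves the server on failure. The user record fields, the Device Check policy, the TOTP-based 2FA and the Controller endpoint are assumptions and placeholders for illustration.

```python
import hashlib
import hmac
import struct
from typing import Callable, List, Optional, Tuple

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; stands in for the 2FA/MFA step."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed user profile; the field names are assumptions for this example.
SALT = b"constructed-salt"
USER = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "countries": {"IN", "SG"},                 # Geo Binding: allowed countries
    "devices": {"LAPTOP-7F3A"},                # Device Binding: registered device ids
    "totp_secret": b"12345678901234567890",    # RFC 6238 test secret
}
MIN_OS_VERSION = (10, 0)                       # Device Check policy (assumed)
CONTROLLER = ("controller.example.com", 4433)  # placeholder Controller endpoint

def gate(password: bytes, country: str, device_id: str, os_version: Tuple[int, int],
         disk_encrypted: bool, otp: str, now: int, user=USER) -> Tuple[Optional[Tuple[str, int]], str]:
    """Run the checks in the documented order; stop at the first failure and release nothing."""
    checks: List[Tuple[str, Callable[[], bool]]] = [
        ("password", lambda: hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password, SALT, 100_000), user["pw_hash"])),
        ("geo binding", lambda: country in user["countries"]),
        ("device binding", lambda: device_id in user["devices"]),
        ("device check", lambda: os_version >= MIN_OS_VERSION and disk_encrypted),
        ("2FA", lambda: hmac.compare_digest(totp(user["totp_secret"], now), otp)),
    ]
    for name, passed in checks:
        if not passed():
            return None, f"denied at {name}"   # fail closed: no Controller details leave the server
    return CONTROLLER, "all checks passed; Controller endpoint written to configuration"
```

The returned tuple is what would be written into the Agent's configuration file as the Controller's domain name and port; on a denial the reason is what belongs in the log database, not in the response to the device.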