Cloud Access Security Broker (CASB)

SUMMARY 

Read this topic to learn how to configure CASB on SRX Series Firewalls to enable inline activity control for the selected set of cloud applications.

CASB Overview

Cloud Access Security Broker (CASB) serves as a critical security checkpoint positioned between enterprise users and cloud service providers. Its primary role is to enforce security policies to protect and control access to cloud applications.

CASB is a new Layer 7 service on SRX Series Firewalls that provides inline application activity control. CASB's policy engine allows you to refine access conditions: you can specify rules for accessing, downloading, and uploading files for a set of cloud applications used within your organization.

Benefits

  • CASB empowers security teams with comprehensive visibility and control over SaaS applications and activities.
  • CASB enables fine-grained control through customized policy rules tied to specific applications and activities.
  • CASB validates through domain validation that the SaaS applications your organization uses are legitimate and not maliciously impersonated.

To use CASB on your firewalls, you must configure CASB policies and apply CASB policy rules in a security policy.

Steps to configure CASB functionality:

  1. Configure CASB policy.
    1. Set a CASB policy rule with one of the following match conditions:

      • An application, such as Dropbox, Google Docs, or OneDrive, or an application group, such as FileSharing, chat, or email.

      • Activities such as login, download, and upload. However, not all applications support every activity. When configuring an application, ensure that you only select activities that are supported by that specific application. For a comprehensive view of the mapping between applications and their associated activities, see Table 1.

        Table 1: Mapping of Application and Activities

        Supported Applications   Supported Activities
        Box                      Login, Upload, Download, Share
        Dropbox                  Login, Upload, Download, Share
        Google Docs              Login, Upload, Download, Share
        Salesforce               Login, Upload, Download, Share
        OneDrive                 Login, Upload, Download, Share
        SharePoint               Login, Upload, Download, Share
        Slack                    Login, Chat, Audio/Video, File Transfer
        Gmail                    Login, Read, Compose, Send, Upload Attachment, Download Attachment

        For the share activity, you can optionally configure activity-parameters to gain even more granular control over traffic.

    2. Create an application instance for CASB. To differentiate between corporate and non-corporate SaaS application instances, administrators configure access policies using the instance parameter. To identify an instance, CASB requires an instance ID, a domain, and optionally a type. Table 2 lists the application instance settings.

      Table 2: Application Instance Settings

      Setting: Name
      Guideline: (Required) Application instance name. For example, dropbox123.

      Setting: Application instance ID
      Guideline: (Required) Application instance ID. It refers to the unique URL used to access the SaaS service.

      Each application can have its own instance ID. In the following example URLs, the common string acmecorp07 is the instance ID, taken from the application's SaaS URLs:

      • Box URL—acmecorp07.app.box.com
      • OneDrive or SharePoint URL—acmecorp07ms-my.sharepoint.com
      • Salesforce URLs—acmecorp07.my.salesforce.com and acmecorp07.lightning.force.com
      • Slack—Slack URL is acmecorp-zoy8730.slack.com and instance ID is acmecorp-zoy8730.

      The following applications have generic URLs, so an instance ID is not applicable:

      • Dropbox—dropbox.com
      • Google Docs—docs.google.com
      • Gmail—mail.google.com

      Setting: Domain
      Guideline: (Required) Enter the domain address. It refers to the email domain.

      For example, acmecorp07.com is an organization domain. Box, Dropbox, Google Docs, Salesforce, Gmail, and Slack use the same domain for all users.

      The OneDrive and SharePoint domain value is acmecorp07ms.onmicrosoft.com.

      Setting: Type
      Guideline: (Optional) Enter one of the following values to map a type to an application instance:

      • Work
      • Personal

      Note: You must configure the type value for Dropbox. For other applications, this configuration is optional.

      Setting: Tag
      Guideline: (Optional) Enter one of the following values to map a tag to an application instance:

      • Sanctioned—Application instances sanctioned by your organization.
      • Unsanctioned—Application instances unsanctioned by your organization.

    3. Define the policy action. Each policy has a set of actions (allow/deny and log-action) that the system performs when all match conditions are met.

  2. Configure a default rule. The default rule is matched if none of the other rules are matched, or if there are no other rules in the policy. Configuring a default rule is mandatory.

  3. Apply CASB policies in the security policy as application services for the permitted traffic.

Note the following for CASB rules:

  • Arrange your CASB rules in sequential order to handle specific match criteria for applications or activities.

  • Set up a default CASB policy for the unified policy configuration. This default policy applies to the session until a dynamic application match occurs. Once the final application match is available for the security policy, the corresponding CASB policy will be applied. If no CASB policy is explicitly configured in the final firewall policy, the CASB service disengages for the session.

  • You can configure up to 64 CASB policies for SRX300, SRX320, SRX325, SRX340, SRX550M, and SRX1500. You can configure up to 256 policies for SRX4000-line and SRX5000-line Firewalls.
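The following is an added illustration, not Juniper code: a small Python model of the instance identification described in Table 2 and of the sequential rule evaluation with a mandatory default rule described in the notes above. The host-name suffixes come from the example URLs in Table 2; the application labels, the Rule structure and the rejection of multi-label prefixes are assumptions made for this model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Host-name suffixes taken from the example URLs in Table 2; the label in
# front of the suffix is the application instance ID. Hosts in GENERIC_HOSTS
# have no instance ID. Application names are constructed labels.
INSTANCE_SUFFIXES = {
    ".app.box.com": "box",
    "-my.sharepoint.com": "sharepoint",
    ".my.salesforce.com": "salesforce",
    ".lightning.force.com": "salesforce",
    ".slack.com": "slack",
}
GENERIC_HOSTS = {"dropbox.com": "dropbox", "docs.google.com": "google-docs",
                 "mail.google.com": "gmail"}

def identify_instance(host: str) -> Tuple[Optional[str], Optional[str]]:
    """Map a SaaS host name to (application, instance_id); instance_id is
    None for generic URLs. The prefix must be a single DNS label, so a host
    such as x.y.acmecorp07.app.box.com is not reported as the corporate
    instance it imitates (assumed check, not from the page)."""
    host = host.lower().rstrip(".")
    if host in GENERIC_HOSTS:
        return GENERIC_HOSTS[host], None
    for suffix, app in INSTANCE_SUFFIXES.items():
        if host.endswith(suffix):
            label = host[: -len(suffix)]
            if label and "." not in label:
                return app, label
    return None, None

@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    application: Optional[str] = None  # None matches any application
    activity: Optional[str] = None     # None matches any activity
    instance: Optional[str] = None     # None matches any instance ID
    log: bool = False                  # log-action

def evaluate(rules, default: Rule, app, activity, instance) -> Rule:
    """Walk the rules in configured order; the first rule whose application,
    activity and instance all match wins. The mandatory default rule applies
    when no rule matches or the rule list is empty."""
    for rule in rules:
        if (rule.application in (None, app) and rule.activity in (None, activity)
                and rule.instance in (None, instance)):
            return rule
    return default
```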

Sample CASB Policy Configuration

To configure CASB, you must:

The following sample shows a CASB policy configuration that allows users to share to the SharePoint application with the given domain only.

  1. Configure CASB policy parameters.
    Note:

    When configuring a CASB policy, both application and activity are required, whereas param-value is optional and lets you specify finer-grained options within the policy.

  2. Apply CASB policies in the security policy as application-services.

The following CASB policy denies downloads from all file sharing applications.

  1. Configure CASB policy parameters.
  2. Apply CASB policies in the security policy as application-services.

You can also perform the following activities for the CASB policy:

  • Log activity.

  • Change the order of rules.

  • Set a default policy.

    The default policy is required for unified policies. If no default policy is configured, the system displays an error message during commit.

Verification Options

Use the following commands to verify your CASB policy configuration:

  • Use the show security casb casb-policies command to display all CASB policies configured on your device.
  • Use the show security casb casb-policies policy-name command to display the details of a specific CASB policy.