Overview
Cipherscale secures internet traffic by functioning within its broader Zero Trust framework, allowing administrators to implement strict access control over internet traffic based on the specific User, Device, or Group.
The platform controls internet security primarily by evaluating Internet Access Policies and Admission Rules, which dictate exactly how a user's undefined internet traffic (traffic not destined for configured private resources or SaaS applications) should be handled.
When configuring an Internet Access Policy, administrators define the routing behavior using one of three modes:
- Local Mode: Internet traffic routes normally over the user's local connection without diversion.
- Restricted Mode: Enforces a strict lockdown, blocking access to all public internet destinations. Users under this policy can only access resources explicitly configured as Cipherscale SaaS Applications and Private Resources.
- Internet Access Point Mode: Forces all of a user's internet traffic to be routed through a designated Cipherscale Gateway, which acts as the "Internet Access Point".
By using the Internet Access Point mode, organizations can deploy gateways on networks that house their existing third-party security appliances. This allows you to force all user internet traffic through these gateways for third-party Deep Packet Inspection (DPI) to proactively hunt for cyber threats. To ensure this routing doesn't impact user experience, administrators can distribute these gateways globally across multiple sites, IaaS, or VPS providers, routing traffic based on the user's physical location to minimize latency.
Like all resources in Cipherscale, internet access is continuously evaluated. Internet Access Policies are linked to Admission Rules, meaning you can restrict a user's internet capabilities based on contextual factors like their geographic location, the time of day, and their device's security posture (such as OS type or the presence of antivirus software).
Note that a Default Internet Access Policy allowing local access is always present; new policies are created with a higher priority, so they take precedence over the default for the users, groups and conditions they match.
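The policy selection and per-connection handling described above, as an added example that is not Cipherscale's own code: it models the three modes, the priority ordering with the Default local-access policy as the fallback, the kinds of Admission Rule the page mentions (OS and OS version, weekdays and time window, device location, disk encryption, antivirus), and the fact that configured SaaS Applications and Private Resources remain reachable under RESTRICTED. All class and field names, the sample policies, devices and destinations are assumptions constructed for this example; in particular, it assumes that a policy whose Admission Rules fail is skipped and the next lower-priority policy is tried.

```python
# Added example (not Cipherscale code): a small model of how an Internet Access
# Policy is selected for "undefined" internet traffic and what each mode does.
# Names, rule vocabulary and sample data are assumptions mirroring the page text.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

LOCAL, RESTRICTED, INTERNET_ACCESS_POINT = "LOCAL", "RESTRICTED", "INTERNET_ACCESS_POINT"


@dataclass(frozen=True)
class Device:
    os: str                     # "windows", "macos", ...
    os_version: tuple           # e.g. (15, 2)
    country: str                # ISO 3166 code of the device's current location
    disk_encrypted: bool
    antivirus: Optional[str]    # installed product name, or None


@dataclass(frozen=True)
class Context:
    """Everything an admission rule can look at, captured at evaluation time."""
    user: str
    groups: frozenset
    device: Device
    now: datetime               # UTC


@dataclass(frozen=True)
class AdmissionRule:
    """Every constraint that is set must hold; unset constraints are ignored."""
    allowed_os: Optional[frozenset] = None
    min_os_version: Optional[tuple] = None    # compared against Device.os_version
    weekdays_only: bool = False
    window_utc: Optional[tuple] = None        # (start, end) as datetime.time
    blocked_countries: frozenset = frozenset()
    require_disk_encryption: bool = False
    required_antivirus: Optional[str] = None

    def passes(self, ctx: Context) -> bool:
        d = ctx.device
        if self.allowed_os is not None and d.os not in self.allowed_os:
            return False
        if self.min_os_version is not None and d.os_version < self.min_os_version:
            return False
        if self.weekdays_only and ctx.now.weekday() >= 5:
            return False
        if self.window_utc and not (self.window_utc[0] <= ctx.now.time() < self.window_utc[1]):
            return False
        if d.country in self.blocked_countries:
            return False
        if self.require_disk_encryption and not d.disk_encrypted:
            return False
        if self.required_antivirus and d.antivirus != self.required_antivirus:
            return False
        return True


@dataclass(frozen=True)
class InternetAccessPolicy:
    name: str
    mode: str
    priority: int                        # higher number is evaluated first
    all_users: bool = False
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    access_point: Optional[str] = None   # required in INTERNET_ACCESS_POINT mode
    rules: tuple = ()                    # AdmissionRule instances, all must pass

    def matches(self, ctx: Context) -> bool:
        subject = self.all_users or ctx.user in self.users or bool(ctx.groups & self.groups)
        return subject and all(r.passes(ctx) for r in self.rules)


# The page says a Default policy allowing local access is always present and that
# new policies get a higher priority; priority 0 makes it the final fallback here.
DEFAULT_POLICY = InternetAccessPolicy("Default Internet Access Policy", LOCAL, 0, all_users=True)


def select_policy(policies, ctx: Context) -> InternetAccessPolicy:
    """Highest-priority policy whose subject and admission rules all match.

    Assumption: a policy whose admission rules fail is skipped and the next
    lower-priority policy is tried, so DEFAULT_POLICY (LOCAL) always applies last.
    """
    for policy in sorted(policies, key=lambda p: p.priority, reverse=True):
        if policy.matches(ctx):
            return policy
    return DEFAULT_POLICY


def decide(policies, ctx: Context, destination: str, configured_resources: frozenset):
    """Decide one outbound connection; returns (action, policy_name, target).

    Configured SaaS Applications / Private Resources are governed by their own
    access policy and stay reachable even under RESTRICTED, so they are reported
    as 'resource'. Everything else is 'direct', 'blocked' or 'gateway' by mode.
    """
    if destination in configured_resources:
        return ("resource", None, destination)
    policy = select_policy(policies, ctx)
    if policy.mode == LOCAL:
        return ("direct", policy.name, None)
    if policy.mode == RESTRICTED:
        return ("blocked", policy.name, None)
    return ("gateway", policy.name, policy.access_point)


# Constructed sample configuration, loosely mirroring the prompts on this page.
BUSINESS_HOURS = AdmissionRule(weekdays_only=True, window_utc=(time(9), time(18)),
                               blocked_countries=frozenset({"RU", "CN"}),
                               require_disk_encryption=True)
POLICIES = (
    InternetAccessPolicy("Block Contractors", RESTRICTED, 30, groups=frozenset({"Contractors"})),
    InternetAccessPolicy("Engineering via IAP", INTERNET_ACCESS_POINT, 20,
                         groups=frozenset({"Engineering"}),
                         access_point="Corporate Internet Gateway",
                         rules=(BUSINESS_HOURS,
                                AdmissionRule(allowed_os=frozenset({"macos"}), min_os_version=(15, 0)))),
)
CONFIGURED_RESOURCES = frozenset({"crm.corp.internal", "mail.example-saas.com"})

MAC = Device("macos", (15, 2), "US", disk_encrypted=True, antivirus="Avast")
WIN = Device("windows", (11, 0), "US", disk_encrypted=False, antivirus=None)
ENG_WEEKDAY = Context("alice@company.com", frozenset({"Engineering"}), MAC, datetime(2024, 6, 12, 10, 0))
ENG_WEEKEND = Context("alice@company.com", frozenset({"Engineering"}), MAC, datetime(2024, 6, 15, 10, 0))
CONTRACTOR = Context("bob@vendor.example", frozenset({"Contractors"}), WIN, datetime(2024, 6, 12, 10, 0))

if __name__ == "__main__":
    for ctx, dest in [(ENG_WEEKDAY, "example.com"), (ENG_WEEKEND, "example.com"),
                      (CONTRACTOR, "example.com"), (CONTRACTOR, "crm.corp.internal")]:
        print(ctx.user, dest, "->", decide(POLICIES, ctx, dest, CONFIGURED_RESOURCES))
```

Running the block shows the engineer routed through the access point on a weekday, falling back to direct local access when the business-hours rule fails on a Saturday, the contractor blocked for public destinations, and the configured private resource still reachable for the contractor despite RESTRICTED mode. The fall-through-on-rule-failure behaviour is the one point to confirm against your own tenant, since the page does not state it explicitly.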
Cipherscale supports three internet access modes. The setup required depends on which mode you choose:
- Local Internet Access: Users access the internet directly from their device; traffic does NOT route through a gateway.
  - What you need: Just an Internet Access Policy with mode set to LOCAL. No gateway or Internet Access Point resource required.
  - Best for: Allowing unrestricted direct internet access with optional admission rules (e.g., time-based or OS-based restrictions).
- Restricted Internet Access: Blocks all public internet access for the specified users/groups; configured SaaS Applications and Private Resources remain reachable.
  - What you need: An Internet Access Policy with mode set to RESTRICTED. No gateway or resource required.
  - Best for: Completely blocking internet access for certain users or devices.
- Internet Access Point (Routed): Routes all internet traffic through a Cipherscale gateway, giving you full control and visibility.
  - What you need:
    - A deployed online Gateway
    - An Internet Access Point resource
    - The online Gateway assigned to the Internet Access Point resource
    - An Internet Access Policy with mode set to INTERNET_ACCESS_POINT, associated with the Internet Access Point resource
  - Best for: Enforcing security policies on internet traffic, geo-routing, or monitoring all outbound traffic.
Internet Access Point Intent: What the AI Needs
- Name (required): A descriptive label for the resource (max 40 characters). Example: HR Portal. Note: no special characters such as . or @.
- Description (optional): A short description of the resource (max 120 characters). Example: Internet point for all groups
- Gateways (optional): One or more gateway names to assign for routing
Create an Internet Access Point (Resource)
- "Create an Internet Access Point called 'Corporate Internet Gateway'"
- "Add a new Internet Access Point named 'Branch Office IAP' with the description 'Used for branch office internet routing'"
- "Set up an internet access point for routing all employee internet traffic"
Assign a Gateway to an Internet Access Point
- "Assign gateway 'GW-US-East' to my Internet Access Point 'Corporate Internet Gateway'"
- "Assign gateways 'GW-Chicago' and 'GW-San-Francisco' to the Internet Access Point 'bos-sf-chicago-internet'"
- "Unassign gateway 'GW-Old' from Internet Access Point 'Corporate Internet Gateway'"
Configure Load Balancing
- "Set load balancing to automatic for the Internet Access Point 'Corporate Internet Gateway'"
- "Switch the load balancing mode to manual for my internet access point"
- "What is the current load balancing configuration for my Internet Access Point?"
Create an Internet Policy (INTERNET_ACCESS_POINT mode)
- "Create a policy to route all users' internet traffic through the Internet Access Point 'Corporate Internet Gateway'"
- "Allow the Engineering group to access the internet via the access point 'GW-Internet-01' during weekdays 9AM to 6PM UTC"
- "Create an internet access policy for all groups using the access point 'Branch Office IAP', requiring macOS 15 or later"
- "Allow user john@company.com to route internet traffic through 'Corporate Internet Gateway'"
Create an Internet Policy (LOCAL mode — direct internet)
- "Create a policy to allow all users direct internet access without routing through a gateway"
- "Allow the Finance group to access the internet locally during business hours"
Create an Internet Policy (RESTRICTED mode — block internet)
- "Create a policy to block all internet access for the Contractors group"
- "Restrict internet access for all devices outside business hours"
Add Admission Rules to Internet Policies
- "Create an internet access policy for all users via 'Corporate Internet Gateway', but only allow access from Windows devices with disk encryption enabled"
- "Route internet traffic through 'GW-Internet-01' for all groups, but only on weekdays between 8AM and 6PM EST"
- "Allow internet access via the access point only if the device is not located in Russia or China"
- "Create an internet policy requiring Avast antivirus to be installed before routing traffic through the gateway"
Update an Internet Access Point
- "Rename the Internet Access Point 'Old IAP' to 'Primary Internet Gateway'"
- "Update the description of my Internet Access Point 'Corporate Internet Gateway'"
Delete an Internet Access Point
- "Delete the Internet Access Point named 'Test IAP'"
List & View Internet Access Points
- "Show me all Internet Access Points and their assigned gateways"
- "List all INTERNET resources with their gateway assignments and status"
- "Show full details of the Internet Access Point 'Corporate Internet Gateway'"
Manage Policies on Internet Access Points
- "Show all internet policies that use an Internet Access Point"
- "Update the internet policy 'All Internet Access' to also require macOS 14 or later"
- "Delete the internet access policy 'Old Internet Policy'"
- "Change the admission rule on my internet access policy to 'Business Hours Only'"
Navigate to Internet Access using the Navigation Menu and use the Details Ribbon to verify the Copilot actions or view the current system state.
The Internet Access Point Data Grid: Click Internet Access Points on the Details Ribbon to view the data grid that displays the list of Internet Access Points with their Name and Status, Description, Gateway, and Access Policy. The copy icon appears when hovering over an Internet Access Point's name, making it easy to copy and paste it into the Intent Bar for use with a prompt. Search allows quick filtering of the rows to show the matching resources.
A Specific Internet Access Point's Data Grid: To view details for a specific Internet Access Point, click that resource's name. You will see details such as the Status and Description. Data Grids for the associated Gateways and Access Policies are also displayed. The Load Balancing mode is also displayed in the Gateways section. To go back to the Internet Access Points Data Grid, click Internet Access Points from the breadcrumb.
Internet Access Point Status
The status is visually represented by the following colors:
- Orange: No Gateway Selected.
- Red: Offline.
- Green: Online.
Verify the Internet Access Point's Status:
Check the visual status of the Internet Access Point in the administration portal's Internet Access Points tab. Green means it is online, Red means it is offline, and Orange indicates that no gateway has been selected for it yet.
Ensure Gateway Routing and Reachability:
Internet Access Point mode relies on a Gateway deployed on a network with outbound internet connectivity. If destinations are unreachable through it, verify that the assigned Gateway is online and placed in a network that can actually route traffic to the public internet, or to the specific application or service in question.
Audit Assigned Policies and Gateways:
If a user cannot connect, you can easily verify the resource's configuration by navigating to Internet Access > Internet Access Points and clicking on the resource's row. This will display the Gateways and Access Policies sections currently associated with it. Remember that traffic is only routed through the Internet Access Point when an explicitly configured Internet Access Policy in INTERNET_ACCESS_POINT mode grants it, and that the policy only applies while its linked Admission Rules are successfully met.
Leverage AI Root Cause Analysis (RCA):
You can use the AI-native conversational interface to diagnose access issues instantly. By asking a plain-English query like "Why can't User A access the internet?", the AI will correlate access policies, admission rules, gateway reachability, and real-time logs to surface the exact point of failure.