
Secure remote access

Last updated March 7th, 2025

Knox ZTNA

This feature is exclusively available to enterprise customers and specific use cases. This feature can be used in any deployment mode.

Traditional Virtual Private Network (VPN) solutions grant broad network access, increasing the attack surface and potential risks. These solutions lack the granular control and context-based access required to meet the needs of modern mobile workforces and cloud environments. Legacy solutions struggle to adapt to the dynamic nature of mobile devices, cloud applications, and evolving security threats.

As the global workforce becomes increasingly mobile, remote work and Bring Your Own Device (BYOD) are becoming standard practice. Ensuring secure remote access to corporate resources is therefore critical for maintaining productivity, data security, and regulatory compliance.

The Knox Zero Trust Network Access (ZTNA) framework is a network flow interception framework designed for advanced zero trust network access solutions. It allows granular network controls on a per-app and per-domain basis, and enables protocols such as:

  • Quick UDP Internet Connections (QUIC)
  • Multiplexed Application Substrate over QUIC Encryption (MASQUE)

Knox ZTNA facilitates network redirection of widely used protocols, such as User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Domain Name System (DNS). Integrating this framework requires support from a service provider. For more information on supported partners and device configuration, refer to Zero Trust Network Access.

ZTNA

Capabilities supported by the Knox ZTNA Framework

  • Host-based micro-segmentation: Isolates network traffic on a per-app or per-domain basis. It enhances security by ensuring that apps and domains are only accessible to authorized users, thereby reducing the attack surface. Administrators can implement this as a device-wide or profile-wide policy.

    • Split DNS tunneling: Enables separation of DNS queries, so that selected DNS queries (internal and/or external) go through the respective ZTNA proxy servers configured by the IT admin. This improves both security and performance by directing traffic appropriately.
  • Context-based metadata injection: Dynamically adds metadata to network traffic based on the context, such as app package name, app signature, app version, and so on. It can be used for policy enforcement, logging, and enhancing security measures.

  • Dynamic firewall support: Enables dynamic configuration of firewall rules by forwarding only DNS queries (allow/block/resolve) to the cloud. It provides flexibility in managing security policies and adapting to potential threats swiftly.

  • Privacy presumed proxy: Ensures that user data is protected by anonymizing or encrypting traffic as it passes through the proxy, thereby maintaining data privacy and enhancing data security.

  • Co-existence with VPN/Mobile Threat Defense (MTD): Operates independently of VPN framework, so it can function alongside VPNs and/or MTDs. It allows for secure remote access while maintaining the benefits of proxy-based architecture, such as improved performance and enhanced security management.

  • Robust enterprise VPN integration: Seamlessly integrates with client VPNs through the built-in Knox VPN framework, with support for advanced features like per-app VPN, device-wide VPN with or without disallowed apps, and Proxy Auto Configuration (PAC) authentication.

Fields supported for metadata injection in Knox Proxy framework

The following fields are supported for metadata injection on traffic handled by the Knox Proxy framework:

  • App package name: Identifier of the application that originated the network flow.

  • App signature: Signature of the application that originated the network flow.

  • App version: Version of the application that originated the network flow.
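To make the per-app, per-domain control, split DNS and metadata injection described above concrete, here is an added illustration written for this page; it is a toy policy model, not Knox framework code. The policy table, domain suffixes, proxy names and the `X-App-*` header names are all constructed assumptions; the page names only the three metadata fields.

```python
# Added illustration, not Knox framework code: a toy model of per-app,
# per-domain flow control, split DNS and context metadata injection.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    package: str    # app package name, as the framework would report it
    signature: str  # app signing-certificate digest (constructed sample values)
    version: str    # app version
    host: str       # destination hostname of the DNS query or connection

# Constructed policy: domain suffixes each package may reach, and which ZTNA
# proxy serves that domain set. Anything not listed is denied (default deny).
POLICY = {
    "com.example.mail": {"corp.example.com": "internal-proxy"},
    "com.example.crm": {"corp.example.com": "internal-proxy",
                        "saas.example.net": "external-proxy"},
}
INTERNAL_SUFFIXES = ("corp.example.com",)  # resolved only via the internal proxy

def host_matches(host, suffix):
    return host == suffix or host.endswith("." + suffix)

def dns_resolver_for(host):
    """Split DNS: internal names are resolved through the internal proxy,
    everything else through the external proxy."""
    if any(host_matches(host, s) for s in INTERNAL_SUFFIXES):
        return "internal-proxy"
    return "external-proxy"

def route(flow):
    """Micro-segmentation plus metadata injection.
    Returns (action, proxy, metadata); action is 'forward' or 'block'."""
    allowed = POLICY.get(flow.package)
    if allowed is None:
        return "block", None, {}          # app not authorised for any domain
    for suffix, proxy in allowed.items():
        if host_matches(flow.host, suffix):
            # Context metadata attached to the flow. Header names are assumed;
            # the page only names the fields (package, signature, version).
            meta = {"X-App-Package": flow.package,
                    "X-App-Signature": flow.signature,
                    "X-App-Version": flow.version}
            return "forward", proxy, meta
    return "block", None, {}              # authorised app, unlisted domain

if __name__ == "__main__":
    f = Flow("com.example.crm", "sha256:constructed", "3.1.0", "mail.corp.example.com")
    print(dns_resolver_for(f.host), route(f))
```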

Knox VPN

Standard Android provides basic VPN capabilities that are adequate for most consumers. However, enterprises often require enhanced security and more flexible VPN controls for larger deployments.

The Knox VPN Framework

The Knox VPN framework offers the most advanced enterprise-focused feature set, ensuring that VPN connections are efficient, reliable, secure, and compliant with industry regulations and best practices. In addition to the built-in VPN client, the framework also supports the integration with third-party VPN clients.

The Knox VPN framework supports all common VPN types, protocols, and configuration options. When deploying VPN solutions, enterprise IT admins must:

  • Ensure VPN deployments work smoothly.
  • Optimize server resource usage.
  • Limit the VPN solution licensing costs.
  • Enforce strict security policies to prevent data leakage.

Unique advantages of the Knox VPN framework

The Knox Platform provides the following differentiators and advantages for VPN solutions:

  • Cost-efficient on-demand VPN tunnels, used only when apps within a VPN profile are running.
  • Convenience to bypass VPN tunnels when a device connects to a local corporate network on-premises.
  • Applications that are added to the VPN configuration can’t bypass the VPN tunnel.
  • Ability to connect multiple tunnels simultaneously from different VPN clients within the same user space.
  • Additional security by chaining VPNs which are also known as cascading or nesting VPNs. This is useful for classified deployments where greater anonymity is required.
  • Web proxy configuration over VPN:
    • Web proxy configurations are VPN tunnel specific.
    • Web proxy support for New Technology LAN Manager (NTLM) authentication, basic authentication, PAC, and PAC with authentication.
  • Advantage of extending VPN tunnels from a mobile device to a tethered laptop, enabling network connectivity even when the laptop lacks network access.
  • Support for the built-in Android VPN client in Work Profile mode on both personal and corporate devices.

High security built-in VPN client

The built-in Android VPN client is available on all Samsung devices, and it’s integrated with the Knox VPN framework. This integration enables additional properties in the Knox Platform. The built-in VPN client, even without the Knox VPN framework, is differentiated from what Android offers, providing these advanced VPN features:

  • Federal Information Processing Standard (FIPS) 140-2 certified device cryptographic components.
  • Commercial Product Assurance (CPA) certification at the Foundation Grade, based on its successful Common Criteria evaluation against the Protection Profile for Internet Protocol Security (IPsec) VPN Clients v1.4.
  • Security characteristics of IPsec VPN client version 2.5, as set by the National Cyber Security Centre (NCSC).
  • Internet Key Exchange version 2 (IKEv2) and Suite B algorithms:
    • IKEv2 with Pre-shared keys (PSK) and certificate-based authentication.
    • IKEv2 — pre-shared key, certificates, EAP-MD5, EAP-MSCHAPv2, EAP-TLS authentication methods, and mobile extensions.
    • IKEv2 and Suite B cryptographic algorithms supported with Elliptic Curve Digital Signature Algorithm (ECDSA) signatures.

Features dependent on the VPN client

The following Knox VPN features are also available, but are dependent on the VPN client:

  • Quality of Service (QoS) or traffic tracking and shaping. The Knox VPN framework can notify the VPN client when installed apps generate traffic.

  • Automatic reconnection of VPN tunnels upon server-side disconnection. Server-side disconnections are more difficult to detect and handle than device-side disconnections, which are often related to detectable conditions like connectivity loss or presence of new network connections, such as a new Wi-Fi network.

Robust handling of enterprise requirements

Regardless of the features you choose, the VPN should remain predictable and resilient, even during unexpected scenarios. The following are some common scenarios where Knox Platform enhancements ensure proper VPN behavior:

  • VPN tunnels handle system events such as:
    • Power saving mode (entry or exit)
    • Package addition or removal
    • Connectivity changes
    • Admin app changes
  • VPN profiles allow you to specify which non-present apps are permitted or restricted from using the VPN tunnel when installed.
  • Even the free built-in VPN client supports all the advanced VPN features mentioned above.
  • Ability to maintain uptime of the VPN connection even during app configuration changes.
  • Robust blocking rules prevent data leakage outside the tunnel. Common gaps that are correctly handled include:
    • VPN client crashes or other client app issues.
    • DNS leakage during system events like network switches or configuration changes.
    • The proxy port blocks apps that are not added to the VPN profile from accessing the proxy server, which prevents potential network attacks.
  • Handle captive portal interactions before establishing a VPN tunnel.
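The leak-prevention rules and system-event handling listed above are easier to reason about as a small state model. The following is an added illustration written for this page, not Knox framework code: the event names, the proxy port and the decision values are constructed assumptions chosen to mirror the scenarios the list describes (client crash, network switch, pre-declared apps, proxy-port blocking).

```python
# Added illustration, not Knox framework code: a toy model of fail-closed
# per-app VPN routing under the system events and blocking rules listed above.
PROXY_PORT = 8080  # constructed: port of the tunnel's web proxy

class VpnProfile:
    def __init__(self, apps):
        self.apps = set(apps)     # may include packages not yet installed
        self.tunnel_up = False
        self.installed = set()

    def on_event(self, name):
        """React to the event kinds the page lists. Anything that breaks the
        tunnel drops it; the profile itself is unchanged, so bindings survive."""
        if name in ("tunnel_established", "tunnel_reconnected"):
            self.tunnel_up = True
        elif name in ("client_crash", "network_switch", "server_disconnect"):
            self.tunnel_up = False  # wait for automatic reconnection
        # power_save and config_change leave tunnel state unaffected here

    def on_package_added(self, package):
        """A package pre-declared in the profile is bound as soon as it is
        installed; returns True when that happens."""
        self.installed.add(package)
        return package in self.apps

    def decide(self, package, kind, dst_port=443):
        """Return 'tunnel', 'direct' or 'block' for a flow of the given kind
        ('tcp', 'udp' or 'dns') from package to dst_port."""
        if package not in self.apps:
            if dst_port == PROXY_PORT:
                return "block"    # outside apps may not reach the tunnel proxy
            return "direct"       # ordinary, non-VPN path
        if self.tunnel_up:
            return "tunnel"
        return "block"            # tunnel down: fail closed, DNS included
```

The key property is that a profile app never falls back to the direct path while the tunnel is down, so a client crash or network switch cannot produce a DNS or data leak.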
