Cryptzone explains a Software-Defined Perimeter, a new network security model that dynamically creates 1:1 network connections between users and the data they access.
2. What is a Software-Defined Perimeter (SDP)?
Simple. Secure. Dynamic.
A new network security model that dynamically creates 1:1 network connections between users and the data they access.
3. How Does a SDP Work?
Traditional TCP/IP: not identity-centric, allows anyone access. “Connect First, Authenticate Second”
Software-Defined Perimeter: identity-centric, only authorized users. “Authenticate First, Connect Second”
4. SDP Architecture
• Controller is the authentication point, containing user access policies
• Clients are securely onboarded
• All connections based on mutual TLS connectivity
• Traffic is securely tunneled from Client through Gateway
[Diagram: SDP Client (Initiating host) → SDP Gateway (Accepting Host) → Protected Applications; SDP Controller backed by PKI, Identity Management and Policy Model]
10. SDP in Action
1. Controller uses PKI and IAM to establish trust. Controller is an authentication point and policy store. System is administered via graphical admin console.
2. Gateways protect cloud and network resources. Application network traffic passes through Gateway.
3. Clients securely onboarded, authenticate to Controller, communicate with mutual TLS.
4. Clients access resources via Gateway
• Mutual TLS tunnels for data
• Real-time policy enforcement by Gateway
5. Controller can enhance SIEM and IDS with detailed user activity logs. Controller can query ITSM and other systems for context and attributes to be used in Policies.
[Diagram: AppGate Client → AppGate Gateway → Protected Applications over an Encrypted, Tunneled Data Channel; Control Channel between Client, Gateway and AppGate Controller; Controller backed by PKI, Identity Management, Policy Model and Graphical Admin Console; integration with other IT and Security Systems (SIEM, IDS, ITSM)]
15. Descriptive Entitlements
Policy example: All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates.
1. Client will authenticate to controller (Identity provider Y)
• Check for an Identity claim ProjectX
• Launch a script to collect AV state
• Send matching entitlements to client
2. Client connects to Gateway
• Brings the descriptive entitlement: SSH access to AWS://tag:SSH=*ProjectX*
3. Gateway connects to local cloud API
• What are the instances that have a tag with Key SSH and Value containing ProjectX
• Translate it to IP access rules
4. Detect changes
• Update IP access rules again
[Diagram: Controller, Identity provider Y, Cloud API, and instances tagged ProjectX and ProjectX2. Controller policy inputs: Device Posture, Multifactor Authentication, Network Location, Contextual Attributes, Enterprise Identity, Auto-detect Cloud Changes, Custom Attributes, Time, Endpoint Agents, Application Permissions]
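The entitlement flow on this slide, as an added example (not code from the deck or from AppGate): the Controller matches the identity claim and AV posture to a policy and issues the descriptive entitlement, the Gateway resolves the tag pattern against a cloud inventory into IP access rules, and a change in the inventory produces an updated rule set. The inventory, the policy record format and the service-to-port mapping are constructed assumptions.

```python
import fnmatch
import re

# Constructed inventory standing in for the answer from the "local cloud API";
# not real instances and not AppGate's API.
INSTANCES = [
    {"id": "i-01", "ip": "10.0.1.10", "tags": {"SSH": "ProjectX"}},
    {"id": "i-02", "ip": "10.0.1.11", "tags": {"SSH": "ProjectX2"}},
    {"id": "i-03", "ip": "10.0.2.20", "tags": {"SSH": "ProjectY"}},
    {"id": "i-04", "ip": "10.0.2.21", "tags": {"Name": "db"}},
]

# The deck's policy: ProjectX claim plus current anti-virus yields this entitlement.
POLICIES = [{"claim": "ProjectX", "av_required": True,
             "entitlement": "SSH access to AWS://tag:SSH=*ProjectX*"}]

ENT_RE = re.compile(r"^(?P<svc>\w+) access to AWS://tag:(?P<key>[^=]+)=(?P<pat>.+)$")
SERVICE_PORTS = {"SSH": 22}  # assumed mapping from service name to TCP port


def controller_entitlements(claims, av_up_to_date, policies=POLICIES):
    """Controller step: match identity claims and AV posture, return entitlements."""
    return [p["entitlement"] for p in policies
            if p["claim"] in claims and (av_up_to_date or not p["av_required"])]


def gateway_ip_rules(entitlement, instances):
    """Gateway step: resolve the tag glob against the inventory into IP rules."""
    m = ENT_RE.match(entitlement)
    if not m:
        raise ValueError(f"unrecognised entitlement: {entitlement}")
    port = SERVICE_PORTS[m["svc"]]
    return sorted(f"allow tcp/{port} -> {inst['ip']}" for inst in instances
                  if fnmatch.fnmatchcase(inst["tags"].get(m["key"], ""), m["pat"]))


def refresh_rules(entitlement, current_rules, instances):
    """Change detection: recompute rules for a changed inventory and report the delta."""
    new_rules = gateway_ip_rules(entitlement, instances)
    return {"added": sorted(set(new_rules) - set(current_rules)),
            "removed": sorted(set(current_rules) - set(new_rules)),
            "rules": new_rules}


if __name__ == "__main__":
    ents = controller_entitlements({"ProjectX"}, av_up_to_date=True)
    rules = gateway_ip_rules(ents[0], INSTANCES)
    print(rules)
    # Inventory change: i-01 retired, i-05 launched with the ProjectX tag.
    changed = [i for i in INSTANCES if i["id"] != "i-01"] + [
        {"id": "i-05", "ip": "10.0.3.30", "tags": {"SSH": "ProjectX"}}]
    print(refresh_rules(ents[0], rules, changed))
```

In the deck the entitlement reaches the Gateway from the Controller over the mutual TLS control channel, so the Gateway treats it as already authorized; this example models only the policy match and the tag-to-IP translation, not that transport.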
16. Summary
• Utilizes an authenticate first approach
• Removes attacks including zero day, DDOS and lateral movement
• The Cloud Fabric can now be extended all the way to the user and device
• Leverages legacy applications by extending the SDP Architecture
• No longer need traditional network defense equipment (Firewall, VLAN, VPN, etc.)
• Identity-centric security
• Policies on user and cloud instances
[Diagram labels: Identity-Centric Network Security; Secure military networks]
• Controller is the authentication point, typically linked with one or more Identity providers
• Controller contains descriptive user access policies that define access to applications
• Clients are securely onboarded
• All connections based on mutual TLS connectivity
• Traffic is securely tunneled from Client through Gateway to Protected Applications
Bring Controllers online
• Integration with Identity, Multi-Factor and PKI services
Bring Gateways online
• Create a mutual TLS connection with Controller after SPA
• Do not acknowledge Communication from any other host
• Do not respond to any non-provisioned request
• Gateways are now in “stealth mode”
Bringing Clients online
• Create mutual TLS connection to Controller after SPA
• Authenticate to Controller
• List of authorized Gateways determined for this Client: Controller could contact remote services for context; Controller creates a list of Gateways
• Translate your descriptive network entitlements into IP access rules by talking to local cloud APIs. All other apps remain invisible
• Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one
• Accept communication from Client: Controller instructs Gateways to accept communication from this Client
• Receive list of IPs of SDP Gateways: Initiating host receives a list of IPs to connect to
• Set up mutual TLS Tunnels to transfer data after SPA
• Client can now connect to the proper applications