Software-defined perimeter


A software-defined perimeter (SDP), sometimes referred to as a black cloud, is a method of enhancing computer security. The SDP framework was developed by the Cloud Security Alliance (CSA) to control access to resources based on identity. In an SDP, connectivity follows a need-to-know model, where both device posture and identity are verified before access to application infrastructure is granted. [1] The application infrastructure in a Software-Defined Perimeter is effectively "black"—a term used by the Department of Defense to describe an undetectable infrastructure—lacking visible DNS information or IP addresses. Proponents of these systems claim that an SDP mitigates many common network-based attacks, including server scanning, denial-of-service, SQL injection, operating system and application vulnerability exploits, man-in-the-middle attacks, pass-the-hash, pass-the-ticket, and other attacks by unauthorized users. [2]


Background

The traditional enterprise network architecture is based on the premise of creating an internal network that is separated from the outside world by a fixed perimeter, typically consisting of firewall functions. These firewalls block external users from accessing the internal network while allowing internal users to connect to external resources. [3] Traditional fixed perimeters help to protect internal services from external threats. This is achieved by blocking external visibility and access to internal applications and infrastructure. However, the weaknesses of this traditional fixed perimeter model are becoming increasingly problematic due to the widespread use of user-managed devices and phishing attacks, which provide untrusted access inside the perimeter. Additionally, the rise of SaaS and IaaS has extended the perimeter into the internet. [4] Software-defined perimeters address these issues by allowing application owners to deploy perimeters that maintain the traditional model's value of invisibility and inaccessibility to outsiders, while being deployable anywhere—on the internet, in the cloud, at a hosting center, on a private corporate network, or across some or all of these locations. [1]

Authorization techniques

There are several techniques for delivering a software-defined perimeter (SDP). These include: [5]

Architecture

In its simplest form, the architecture of the Software-Defined Perimeter (SDP) consists of two components: SDP Hosts and SDP Controllers. SDP Hosts can either initiate or accept connections. Interactions with the SDP Controllers manage these actions through a control channel (see Figure 1). As a result, the control plane is separated from the data plane in a Software-Defined Perimeter, enabling greater scalability. Additionally, all components can be made redundant for higher availability.

Figure 1: The architecture of the software-defined perimeter consists of two components: SDP Hosts and SDP Controllers

The SDP framework has the following workflow (see Figure 2):

  1. One or more SDP Controllers are brought online and connected to the appropriate authentication and authorization services (e.g., PKI, device fingerprinting, geolocation, SAML, OpenID, OAuth, LDAP, Kerberos, multifactor authentication, and other similar services).
  2. One or more Accepting SDP Hosts are brought online. These hosts connect to and authenticate with the Controllers. However, they do not acknowledge communication from any other host and will not respond to any non-provisioned requests.
  3. Each Initiating SDP Host that comes online connects to and authenticates with the SDP Controllers.
  4. After authenticating the Initiating SDP Host, the SDP Controllers determine a list of Accepting SDP Hosts with which the Initiating Host is authorized to communicate.
  5. The SDP Controller instructs the Accepting SDP Hosts to accept communication from the Initiating SDP Host and applies any optional policies required for encrypted communications.
  6. The SDP Controller provides the Initiating SDP Host with the list of Accepting SDP Hosts and any optional policies required for encrypted communications.
  7. The Initiating SDP Host establishes a mutual VPN connection with all authorized Accepting SDP Hosts.

Figure 2: Workflow of the architecture of the Software Defined Perimeter
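The seven-step workflow above, as an added in-memory simulation that is not part of the original article, the CSA specification or any SDP product: a Controller checks identity and device posture, provisions the Accepting Hosts an initiator is authorized to reach, and an Accepting Host silently drops traffic from any unprovisioned sender. All user, device and host names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    user: str
    device_id: str
    posture_ok: bool  # outcome of a hypothetical device-posture check

class Controller:
    """Step 1: wired to authn/authz sources (here: static tables)."""
    def __init__(self, users, policy):
        self._users = users      # user -> secret (stand-in for PKI, MFA, LDAP ...)
        self._policy = policy    # user -> names of Accepting Hosts allowed
        self.accepting = {}      # name -> AcceptingHost, registered in step 2

    def register_accepting(self, host):
        self.accepting[host.name] = host

    def authenticate(self, ident, secret):
        # Identity and device posture are both checked before any access.
        return self._users.get(ident.user) == secret and ident.posture_ok

    def authorize(self, ident, secret):
        """Steps 4-6: decide which Accepting Hosts the initiator may reach."""
        if not self.authenticate(ident, secret):
            return []
        allowed = [self.accepting[n] for n in self._policy.get(ident.user, ())
                   if n in self.accepting]
        for host in allowed:
            host.provision(ident.device_id)   # step 5: tell the host to accept
        return [h.name for h in allowed]      # step 6: hand the list back

class AcceptingHost:
    """Step 2: default-deny; unprovisioned senders get no reply at all."""
    def __init__(self, name):
        self.name = name
        self._allowed = set()
        self.log = []

    def provision(self, device_id):
        self._allowed.add(device_id)

    def receive(self, device_id, payload):
        if device_id not in self._allowed:
            self.log.append(("dropped", device_id))
            return None                        # silent drop: no ack, no error
        self.log.append(("accepted", device_id))
        return f"{self.name} ok: {payload}"

def initiating_host_session(controller, ident, secret, payload):
    """Steps 3 and 7: authenticate to the controller, then reach allowed hosts."""
    names = controller.authorize(ident, secret)
    return {n: controller.accepting[n].receive(ident.device_id, payload)
            for n in names}

def demo():
    ctl = Controller(users={"alice": "s3cret"}, policy={"alice": {"hr-app"}})
    hr, fin = AcceptingHost("hr-app"), AcceptingHost("finance-app")
    ctl.register_accepting(hr)
    ctl.register_accepting(fin)
    alice = Identity("alice", "laptop-01", posture_ok=True)
    good = initiating_host_session(ctl, alice, "s3cret", "GET /payroll")
    probe = fin.receive("scanner-99", "SYN")   # unprovisioned host, direct probe
    bad_posture = Identity("alice", "laptop-02", posture_ok=False)
    denied = initiating_host_session(ctl, bad_posture, "s3cret", "GET /payroll")
    return good, probe, denied, hr.log, fin.log
```

The `demo()` result shows the three cases the workflow implies: an authorized, healthy device reaches only the host in its policy, a direct probe of an unprovisioned host gets no response, and a correct secret on a device that fails posture gets no host list at all.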

SDP deployment models

While the general workflow remains the same for all implementations, the application of SDPs can favor certain implementations over others.

Client-To-Gateway

In the Client-To-Gateway implementation, one or more servers are protected behind an Accepting SDP Host, which acts as a gateway between the clients and the protected servers. This implementation can be used within an enterprise network to mitigate common lateral movement attacks, such as server scanning, OS and application vulnerability exploits, password cracking, man-in-the-middle attacks, Pass-the-Hash (PtH), and others. [7] [8] [9] Alternatively, it can be implemented on the internet to isolate protected servers from unauthorized users and mitigate attacks like denial-of-service, OS and application vulnerability exploits, password cracking, man-in-the-middle attacks, and others. [10] [11]

Client-To-Server

The client-to-server implementation offers features and benefits similar to the previously mentioned Client-To-Gateway implementation. However, in this case, the protected server runs the Accepting SDP Host software, rather than using a gateway in front of the server running that software. The choice between the Client-To-Gateway and Client-To-Server implementations is typically based on factors such as the number of servers being protected, load balancing methods, server elasticity, and other topological considerations. [12]

Server-To-Server

In the Server-To-Server implementation, servers offering a Representational State Transfer (REST) service, a Simple Object Access Protocol (SOAP) service, a remote procedure call (RPC), or any kind of application programming interface (API) over the internet can be protected from unauthorized hosts on the network. For example, in this case, the server initiating the REST call would be the Initiating SDP Host, and the server offering the REST service would be the Accepting SDP Host. Implementing an SDP for this use case can reduce the load on these services and mitigate attacks similar to those mitigated by the client-to-gateway implementation.

Client-To-Server-To-Client

The Client-To-Server-To-Client implementation creates a peer-to-peer relationship between the two clients and can be used for applications such as IP telephony, chat, and video conferencing. In these cases, the SDP obfuscates the IP addresses of the connecting clients. As an alternative, a user can opt for a Client-To-Gateway-To-Client configuration if they wish to hide the application server as well.

SDP applications

Enterprise application isolation

For data breaches involving intellectual property, financial information, HR data, and other sensitive data exclusively available within the enterprise network, attackers may gain entry by compromising a computer on the network and then moving laterally to access high-value information assets. In this scenario, an enterprise can deploy an SDP inside its data center to partition the network and isolate high-value applications. Unauthorized users will be denied access to the protected application, thereby mitigating the lateral movement on which these attacks depend. [13]

Private cloud and hybrid cloud

The Software-Defined Perimeter (SDP) model, traditionally used to secure physical infrastructures, is also adaptable to private cloud environments, offering flexibility and scalability. Enterprises can use SDPs to secure public cloud instances, either in isolation or as part of a unified system that spans private and public clouds, as well as cross-cloud clusters.

For Software-As-A-Service (SaaS) providers, SDPs enhance security by designating the service as an Accepting Host and all users as Initiating Hosts. This configuration allows SaaS vendors to leverage the internet's global reach while reducing exposure to potential threats.

Infrastructure-As-A-Service (IaaS) providers can offer SDP-as-a-Service, providing customers with a secure on-ramp to their cloud infrastructure. This mitigates various attack vectors while enabling customers to benefit from IaaS agility and cost savings.

Platform-As-A-Service (PaaS) providers can integrate SDP architecture into their offering, providing an embedded security solution that mitigates network-based attacks.

As a growing number of new devices are connected to the Internet, [12] back-end applications that manage these devices and/or extract information from them can become mission-critical, acting as custodians for private or sensitive data. SDPs can be used to conceal these servers and their interactions over the internet, thereby enhancing security and uptime. [14]


References

  1. "Software Defined Perimeter". Cloud Security Alliance. Retrieved 29 January 2014.
  2. Gartner, Market Guide for Zero Trust Access. "Gartner SDP Guide". gartner.com.
  3. Barrie, Sosinsky (May 2004). "Perimeter networks". Search Networking. Retrieved 30 January 2014.
  4. Wagner, Ray; Ray Wagner; Kelly M. Kavanagh; Mark Nicolett; Anton Chuvakin; Andrew Walls; Joseph Feiman; Lawrence Orans; Ian Keene (2013-11-25). "Predicts 2014: Infrastructure Protection". Gartner. Retrieved 19 February 2014. [dead link]
  5. "Definitive Guide to Software-Defined Perimeter" (PDF). Appgate. 2020. Retrieved 2024-09-18.
  6. "Appgate | Make Resources Invisible with Single Packet Authorization". Appgate. Retrieved 2024-04-07.
  7. McClure, Stuart (July 11, 2012). Hacking Exposed 7: Network Security Secrets & Solutions. McGraw Hill. ISBN 978-0071780285.
  8. Trend Micro. "Lateral Movement: How Do Threat Actors Move Deeper Into Your Network?". Trend Micro. Retrieved 19 February 2014.
  9. "Data Breach Investigation Report". Verizon. Retrieved 19 February 2014.
  10. "IBM X-Force 2012 Mid-Year Trend and Risk Report". IBM X-Force Research and Development. Retrieved 19 February 2014.
  11. "Global Threat Intelligence Report". Solutionary. Retrieved 19 February 2014.
  12. Middleton, Peter; Kjeldsen, Peter; Tully, Jim (November 18, 2013). "Forecast: The Internet of Things, Worldwide, 2013". Gartner (G00259115). Retrieved 29 January 2014. [dead link]
  13. Moubayed, Abdallah; Refaey, Ahmed; Shami, Abdallah (October 2019). "Software-Defined Perimeter (SDP): State of the Art Secure Solution for Modern Network". IEEE Network. 33 (5): 226–233. doi:10.1109/MNET.2019.1800324. S2CID 189892671.
  14. Refaey, Ahmed; Sallam, Ahmed; Shami, Abdallah (October 2019). "On IoT applications: a proposed SDP framework for MQTT". Electronics Letters. 55 (22): 1201. Bibcode:2019ElL....55.1201R. doi:10.1049/el.2019.2334. S2CID 203048330.