Dark Reading is part of the Informa Tech Division of Informa PLC

8/18/2015
10:30 AM

Making The Security Case For A Software-Defined Perimeter

With SDP, organizations can create an 'invisible' infrastructure that only authorized users and devices can access. Here's why its time has come.

In recent times the security industry has lamented the dissolution of the network perimeter. The era of strong perimeter defenses is now past because of:

  • Phishing attacks – adversaries already operating within the perimeter
  • Asset migration – workloads moving to the cloud
  • Storage – small, high-capacity storage devices
  • Traversal – of the perimeter by countless endpoints.

With cyber attacks growing increasingly sophisticated, it’s time we rethink how we secure the network perimeter. The Software Defined Perimeter (SDP) model provides a framework that helps to articulate this important paradigm shift.

The SDP model evolved from work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative. The SDP model secures access from the device/user down to the application server, all centrally managed via a controller. The concept relies on rendering an organization’s infrastructure “invisible”; it then delivers access to authorized resources only, verifying user and device variables before granting access to an application.

How SDP Works
In the SDP model, all user access policies are managed via the central controller. A user’s identity is verified and his/her devices are preregistered with the central controller. When the user needs to access resources on the network, he/she authenticates to the controller, which provisions access based on the security context of the device and user.

When a new device is on a public network, or a device that previously failed to log in attempts to reconnect, additional requirements can be enforced (such as two-factor authentication) or access can be denied. Because the user must have a pre-registered device and multifactor authentication, it is more difficult to access sensitive networks or applications with stolen credentials.

The SDP concept introduces Single Packet Authorization (SPA), which is used to initiate communications. SPA is based on the IETF’s RFC 4226 (HMAC-Based One-Time Password algorithm). This model requires adoption within the TLS and IKE protocols, as it uses a form of Online Certificate Status Protocol (OCSP) stapling that allows an initial handshake to be effectively "signed."
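To make the controller-side mechanics concrete, here is an added illustration (not code from the article, the SDP specification, or any Cryptzone product) of a simplified SPA check: the client's first packet carries a pre-registered device identifier plus an RFC 4226 HOTP code, and the controller accepts it only if the device is known, the code verifies against that device's secret, and the counter has not been seen before. The packet layout, the `Controller` class, `build_spa_packet` and the device identifiers are assumptions made for this example; real SPA implementations use a binary, encrypted packet format.

```python
import hmac
import hashlib
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> int:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)

class Controller:
    """Hypothetical SDP controller: holds the pre-registered device table and validates SPA packets."""
    def __init__(self, look_ahead: int = 5):
        self.devices = {}              # device_id -> {"key": shared secret, "counter": next expected}
        self.look_ahead = look_ahead   # RFC 4226 resynchronisation window for missed packets

    def register(self, device_id: str, key: bytes) -> None:
        """On-boarding step: a device must be known before any packet from it is considered."""
        self.devices[device_id] = {"key": key, "counter": 0}

    def authorize(self, packet: bytes) -> bool:
        """Return True only for a registered device presenting a fresh, valid HOTP; everything else is dropped."""
        try:
            device_id, counter_s, code_s = packet.decode().split("|")
            counter, code = int(counter_s), int(code_s)
        except ValueError:
            return False                       # malformed packet: no reply, stay "invisible"
        dev = self.devices.get(device_id)
        if dev is None:
            return False                       # unknown device: not pre-registered
        expected = dev["counter"]
        if not (expected <= counter < expected + self.look_ahead):
            return False                       # replayed or wildly out-of-window counter
        if not hmac.compare_digest(str(hotp(dev["key"], counter)), str(code)):
            return False                       # wrong secret
        dev["counter"] = counter + 1           # advance so this packet can never be replayed
        return True

def build_spa_packet(device_id: str, key: bytes, counter: int) -> bytes:
    """Client side (assumed layout): device id, counter and HOTP code joined with '|'."""
    return f"{device_id}|{counter}|{hotp(key, counter)}".encode()
```

The HOTP function can be checked against the RFC 4226 Appendix D test vectors (secret "12345678901234567890", counter 0 gives 755224).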

Clearly the SDP model represents a great move forward for Internet security in general and would eliminate many potential types of threats as well as things like DDoS attacks. Some challenges exist. For instance, to get the full advantages of SDP, all accepting hosts would need to be running the latest software, which supports the SPA concept. SDP also requires devices to be on-boarded – a weakness in any system. The architects of SDP may want to consider the degree of flexibility in any implementation of SDP such that a "trusted" device that supports SPA might be allowed more access than a "new" device, or that the user of a "new" device might be required to present additional credentials.

SDP Context
SDP secures access based on the user and device profile. SDP model early adopters may want to consider a richer selection of attributes that might include temporal measures, IP information, even current security status. Better still, context should be measured at the time that any specific access is attempted, because context is not a one-off measurement taken at login time but something that is reassessed continuously.

SDP Gateways
Today, the SDP model is primarily being used for web-based access (to host). However, it can also be used on the network layer as a new approach to virtualized network access control and dynamic firewall policies by use of a gateway protecting micro-segments inside the enterprise network. And this will work inside or outside the network because it uses the TLS protocol.

However, until the widespread adoption of SPA, virtualized and physical gateways are the only way to implement an SDP-like solution. And gateways have some huge advantages, which would be hard to realize within hosts. First, they can look at traffic and make security decisions based on what a user or device appears to be doing; second, they offer a line of defense against zero-days and other forms of attack to which the host may be vulnerable; and last, they offer a unified log reporting mechanism for compliance audits.

The SDP model aims to help organizations secure their infrastructures from an ever more sophisticated, well-armed, and well-funded set of attackers and it will be exciting to see its use evolve. The concept of Single Packet Authorization is very powerful and is a welcome addition to the armory. As organizations realize the need for truly agile access security, SDP represents an opportunity to move the traditional security model in a better direction, operating on the assumption that you cannot attack what you cannot see.

Kurt A. Mueffelmann is president and chief executive officer of Cryptzone. Mueffelmann draws on over 20 years of experience helping high-tech companies reach their growth potential. He is responsible for defining and directing Cryptzone's worldwide strategic vision and ...