Dark Reading is part of the Informa Tech Division of Informa PLC


Perimeter

8/18/2015
10:30 AM

Making The Security Case For A Software-Defined Perimeter

With SDP, organizations can create an "invisible" infrastructure that only authorized users and devices can reach. Here's why its time has come.

In recent years the security industry has lamented the dissolution of the network perimeter. The era of strong perimeter defenses is past because:

  • Phishing attacks put adversaries inside the perimeter
  • Assets have migrated to the cloud
  • Small, high-capacity storage devices carry data across it
  • Countless endpoints traverse it every day.

With cyber attacks growing increasingly sophisticated, it’s time we rethink how we secure the network perimeter. The Software Defined Perimeter (SDP) model provides a framework that helps to articulate this important paradigm shift.

The SDP model evolved from work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative. SDP secures access from the device and user down to the application server, all centrally managed via a controller. The concept relies on rendering an organization's infrastructure "invisible": it then delivers access only to authorized resources, verifying user and device attributes before granting access to an application.

How SDP Works
In the SDP model, all user access policies are managed by the central controller. A user's identity is verified and the user's devices are pre-registered with the controller. When the user needs to reach a resource on the network, he or she authenticates to the controller, which provisions access based on the security context of both the device and the user.

When a new device appears on a public network, or a device that previously failed to log in attempts to reconnect, additional requirements can be enforced (such as two-factor authentication) or access can be denied. Because access requires a pre-registered device and a second factor, stolen credentials alone are not enough to reach sensitive networks or applications.

The SDP concept introduces Single Packet Authorization (SPA) to initiate communications: the very first packet a client sends must itself carry proof that the sender is authorized, and a protected host silently drops anything that does not. SPA is based on the IETF's RFC 4226 (HMAC-Based One-Time Password algorithm). The model requires adoption within the TLS and IKE protocols, as it uses a form of Online Certificate Status Protocol stapling that allows the initial handshake to be effectively "signed."
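To make the SPA exchange concrete, here is an added example of both sides of it, written for this article rather than taken from Cryptzone's product or the CSA specification. The HOTP routine follows RFC 4226 exactly; the packet layout (agent ID, counter, HOTP code, HMAC-SHA256 tag), the lookahead window, the agent ID 42 and the two secrets are assumptions chosen for demonstration, and the HOTP seed is the RFC 4226 test-vector secret. The server returns a reason string only so the operator can log it; on the wire a failed packet gets no reply at all.

```python
"""Illustrative Single Packet Authorization exchange using RFC 4226 HOTP.

Written for this article; the packet layout is an assumption chosen for
demonstration, not the CSA SDP wire format. Agent ID and secrets are
constructed sample data (the HOTP seed is the RFC 4226 test-vector secret).
"""
import hashlib
import hmac
import struct

HOTP_DIGITS = 6
LOOKAHEAD = 20      # assumed: accept counters up to this far past the last one seen
BODY_FMT = ">IQI"   # agent ID (4) || counter (8) || HOTP code (4)
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = hashlib.sha256().digest_size


def make_agents() -> dict:
    """Server-side registry of enrolled agents (constructed sample data)."""
    return {
        42: {
            "hotp_seed": b"12345678901234567890",
            "hmac_key": b"constructed-hmac-key-for-agent-42",
            "last_counter": -1,     # highest counter accepted so far
        }
    }


def hotp(seed: bytes, counter: int, digits: int = HOTP_DIGITS) -> int:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def build_spa_packet(agent_id: int, counter: int, seed: bytes, key: bytes) -> bytes:
    """Client side: one datagram that proves authorization by itself."""
    body = struct.pack(BODY_FMT, agent_id, counter, hotp(seed, counter))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_spa_packet(packet: bytes, agents: dict):
    """Server side. Returns (accepted, reason).

    A real SPA listener sends nothing back in any failure case: the host
    stays dark to unauthorized senders, which is what makes it hard to
    scan or flood. The reason string here is for the operator's log only.
    """
    if len(packet) != BODY_LEN + TAG_LEN:
        return False, "bad length"
    body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
    agent_id, counter, code = struct.unpack(BODY_FMT, body)
    agent = agents.get(agent_id)
    if agent is None:
        return False, "unknown agent"
    # Authenticate the whole body first, in constant time, before trusting
    # any field in it.
    expected = hmac.new(agent["hmac_key"], body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad hmac"
    # Replay protection: the counter must advance, within a bounded window,
    # so a captured packet cannot be resent to reopen the door.
    last = agent["last_counter"]
    if not (last < counter <= last + LOOKAHEAD):
        return False, "replay or out of window"
    if code != hotp(agent["hotp_seed"], counter):
        return False, "bad hotp"
    agent["last_counter"] = counter      # burn this counter value
    return True, "accepted"


if __name__ == "__main__":
    agents = make_agents()
    seed, key = agents[42]["hotp_seed"], agents[42]["hmac_key"]
    first = build_spa_packet(42, 0, seed, key)
    print(verify_spa_packet(first, agents))    # (True, 'accepted')
    print(verify_spa_packet(first, agents))    # replayed: (False, 'replay or out of window')
```

Two design points matter for a practitioner. The HMAC is checked before any other field is interpreted, so an unauthenticated packet costs the host one MAC computation and nothing else. And the counter must strictly advance: a packet captured off the network is useless a second time, and a counter far ahead of the last accepted value is rejected rather than resynchronized silently. A production listener would additionally bind the accepted packet to the sender's source address and open a short-lived firewall rule for that address only.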

The SDP model represents a significant step forward for Internet security in general and would blunt many classes of threat, including DDoS against protected hosts, since a host that answers only authorized packets presents nothing for an attacker to target. Challenges remain. To get the full advantage of SDP, every accepting host must run software that implements SPA. SDP also requires devices to be on-boarded, and enrollment is a weak point in any system. Implementers may want to build in flexibility: a "trusted" device that supports SPA might be allowed more access than a "new" device, and the user of a "new" device might be required to present additional credentials.

SDP Context
SDP grants access based on the user and device profile. Early adopters may want to consider a richer set of signals: time of day, IP address information, even the device's current security posture. Better still, context should be measured at the time each specific access is attempted. Context is not a one-off measurement taken at login; it is something that is reassessed continuously.
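The controller logic described under "How SDP Works" and the continuous, per-request context evaluation argued for here can be shown in one small decision function. This is an added example written for this article, not Cryptzone's controller or the CSA specification: the signals it consumes (public network, recent failed logins, device posture, hour of day), the thresholds, the device registry and the users alice and bob are all constructed assumptions.

```python
"""Illustrative SDP controller decision logic, written for this article.

Not Cryptzone's product or the CSA specification: the signals, thresholds,
sample users and device registry below are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # step-up before access is provisioned
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    """What the controller knows about one access attempt."""
    user: str
    device_id: str
    on_public_network: bool
    mfa_satisfied: bool
    recent_failed_logins: int
    posture_ok: bool              # e.g. disk encrypted, agent running (assumed signal)
    hour_utc: int


# Constructed sample data: device -> owning user, and per-user entitlements.
REGISTERED_DEVICES = {"dev-1a2b": "alice", "dev-9f8e": "bob"}
ENTITLEMENTS = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}
BUSINESS_HOURS = range(6, 22)     # assumed policy window, UTC
MAX_FAILED_LOGINS = 3


def decide(ctx: Context, app: str) -> Decision:
    """Evaluate one access attempt for one application.

    Run on every request rather than once at login, so a change in network,
    login failures or posture changes the answer for the next request.
    """
    # The device must be pre-registered and bound to the claimed user;
    # stolen credentials on an unknown device stop here.
    if REGISTERED_DEVICES.get(ctx.device_id) != ctx.user:
        return Decision.DENY
    # Hard failures: lockout threshold reached or device posture unacceptable.
    if ctx.recent_failed_logins >= MAX_FAILED_LOGINS or not ctx.posture_ok:
        return Decision.DENY
    # The user must be entitled to this application at all.
    if app not in ENTITLEMENTS.get(ctx.user, set()):
        return Decision.DENY
    # Elevated risk (public network, a recent failure, off-hours) steps up
    # to a second factor instead of denying outright.
    elevated = (ctx.on_public_network
                or ctx.recent_failed_logins > 0
                or ctx.hour_utc not in BUSINESS_HOURS)
    if elevated and not ctx.mfa_satisfied:
        return Decision.REQUIRE_MFA
    return Decision.ALLOW


class Session:
    """A provisioned session whose context is re-checked on each request."""

    def __init__(self, app: str):
        self.app = app
        self.active = False

    def request(self, ctx: Context) -> Decision:
        decision = decide(ctx, self.app)
        # Anything other than ALLOW revokes the session until the user
        # satisfies the new requirement; there is no grandfathered login.
        self.active = decision is Decision.ALLOW
        return decision


if __name__ == "__main__":
    office = Context("alice", "dev-1a2b", False, False, 0, True, 10)
    cafe = Context("alice", "dev-1a2b", True, False, 0, True, 10)
    session = Session("payroll")
    print(session.request(office).value, session.active)   # allow True
    print(session.request(cafe).value, session.active)     # require_mfa False
```

The ordering of the checks is deliberate: device binding and lockout are evaluated before entitlement, so a response never reveals which applications a user is entitled to when the device itself is untrusted. The Session wrapper is where the "context is reassessed continuously" point lives: moving the same device from the office network to a public one turns an active session into a step-up prompt on the very next request.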

SDP Gateways
Today, the SDP model is used primarily for web-based access to hosts. It can also be applied at the network layer as a new approach to virtualized network access control and dynamic firewall policy, with a gateway protecting micro-segments inside the enterprise network. Because it uses TLS, this works whether the client is inside or outside the network.

However, until SPA is widely adopted, virtualized and physical gateways are the only practical way to implement an SDP-like solution. Gateways also have advantages that would be hard to realize within hosts. First, they can inspect traffic and make security decisions based on what a user or device appears to be doing; second, they offer a line of defense against zero-days and other attacks to which the host may be vulnerable; and last, they provide a unified log for compliance audits.

The SDP model aims to help organizations secure their infrastructures from an ever more sophisticated, well-armed, and well-funded set of attackers and it will be exciting to see its use evolve. The concept of Single Packet Authorization is very powerful and is a welcome addition to the armory. As organizations realize the need for truly agile access security, SDP represents an opportunity to move the traditional security model in a better direction, operating on the assumption that you cannot attack what you cannot see.


Kurt A. Mueffelmann is president and chief executive officer of Cryptzone. Mueffelmann draws on over 20 years of experience helping high-tech companies reach their growth potential. He is responsible for defining and directing Cryptzone's worldwide strategic vision and ...