Dark Reading | Perimeter

8/18/2015 10:30 AM
Making The Security Case For A Software-Defined Perimeter

With SDP, organizations can create an 'invisible' infrastructure that only authorized users and devices can access. Here's why its time has come.

In recent times the security industry has lamented the dissolution of the network perimeter. The era of strong perimeter defenses is now past because of:

  • Phishing attacks: adversaries operating from within the perimeter
  • Asset migration: workloads and data moving to the cloud
  • Storage: small, high-capacity storage devices
  • Traversal: of the perimeter by countless endpoints

With cyber attacks growing increasingly sophisticated, it’s time we rethink how we secure the network perimeter. The Software Defined Perimeter (SDP) model provides a framework that helps to articulate this important paradigm shift.

The SDP model evolved from work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative. The SDP model secures access from the device/user down to the application server, all centrally managed via a controller. The concept relies on rendering an organization's infrastructure "invisible"; it then delivers access to authorized resources only, verifying user and device variables before granting access to an application.

How SDP Works
In the SDP model, all user access policies are managed via the central controller. A user’s identity is verified and his/her devices are preregistered with the central controller. When the user needs to access resources on the network, he/she authenticates to the controller, which provisions access based on the security context of the device and user.

When a new device is on a public network, or a device that previously failed to log in attempts to reconnect, additional requirements can be enforced (such as two-factor authentication) or access can be denied. Because the user must have a pre-registered device and pass multifactor authentication, it is more difficult to access sensitive networks or applications with stolen credentials.

The SDP concept introduces Single Packet Authorization (SPA), which is used to initiate communications. SPA is based on the IETF's RFC 4226 (the HMAC-Based One-Time Password algorithm). This model requires adoption within the TLS and IKE protocols, as it uses a form of Online Certificate Status Protocol stapling that allows the initial handshake to be effectively "signed."
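To make the SPA idea concrete, here is an added example (not code from the article or from Cryptzone) of the HOTP computation RFC 4226 specifies, paired with a minimal gateway-side knock check; the shared secret, the "device_id:code" knock format, and the small look-ahead window are all assumptions for illustration, and the secret is the RFC's own published test-vector key.

```python
import hashlib
import hmac
import struct

# Constructed shared secret: the RFC 4226 Appendix D test-vector key, not a real deployment secret.
SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def parse_knock(packet: bytes):
    """Assumed knock layout 'device_id:code'; returns (device_id, code) or None if malformed."""
    try:
        device_id, code = packet.decode("ascii").split(":", 1)
    except (UnicodeDecodeError, ValueError):
        return None
    return (device_id, code) if code.isdigit() else None


class SpaGateway:
    """Single-packet check at a gateway: one HOTP counter per pre-registered device.

    A knock is accepted only if its code matches within a small look-ahead window, and the
    stored counter then moves past the accepted value, so a captured knock cannot be replayed.
    """

    def __init__(self, devices: dict, window: int = 3):
        self.devices = devices                     # device_id -> shared secret
        self.counters = {d: 0 for d in devices}    # next expected counter per device
        self.window = window

    def check(self, packet: bytes) -> bool:
        parsed = parse_knock(packet)
        if parsed is None or parsed[0] not in self.devices:
            return False                           # unknown device: stay invisible, no reply
        device_id, code = parsed
        start = self.counters[device_id]
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.devices[device_id], c), code):
                self.counters[device_id] = c + 1   # burn this and any skipped counters
                return True
        return False
```

A production gateway would also bind the knock to the source address and a timestamp, but the counter discipline shown here is what stops straight replay of a sniffed packet.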

Clearly the SDP model represents a great move forward for Internet security in general and would eliminate many potential types of threats as well as things like DDoS attacks. Some challenges exist. For instance, to get the full advantages of SDP, all accepting hosts would need to be running the latest software, which supports the SPA concept. SDP also requires devices to be on-boarded – a weakness in any system. The architects of SDP may want to consider the degree of flexibility in any implementation of SDP such that a "trusted" device that supports SPA might be allowed more access than a "new" device, or that the user of a "new" device might be required to present additional credentials.

SDP Context
SDP secures access based on the user and device profile. Early adopters of the SDP model may want to consider a richer selection of context that might include temporal measures, IP information, even current security status. Better still, context should be measured at the time that any specific access is attempted. The reasoning is that context is not a one-off measurement taken at login time, but something that is reassessed continuously.

SDP Gateways
Today, the SDP model is primarily being used for web-based access (to host). However, it can also be used on the network layer as a new approach to virtualized network access control and dynamic firewall policies by use of a gateway protecting micro-segments inside the enterprise network. And this will work inside or outside the network because it uses the TLS protocol.

However, until the widespread adoption of SPA, virtualized and physical gateways are the only way to implement an SDP-like solution. And gateways have some huge advantages, which would be hard to realize within hosts. First, they can look at traffic and make security decisions based on what a user or device appears to be doing; second, they offer a line of defense against zero-days and other forms of attack to which the host may be vulnerable; and last, they offer a unified log reporting mechanism for compliance audits.

The SDP model aims to help organizations secure their infrastructures from an ever more sophisticated, well-armed, and well-funded set of attackers and it will be exciting to see its use evolve. The concept of Single Packet Authorization is very powerful and is a welcome addition to the armory. As organizations realize the need for truly agile access security, SDP represents an opportunity to move the traditional security model in a better direction, operating on the assumption that you cannot attack what you cannot see.

Kurt A. Mueffelmann is president and chief executive officer of Cryptzone. Mueffelmann draws on over 20 years of experience helping high-tech companies reach their growth potential. He is responsible for defining and directing Cryptzone's worldwide strategic vision and ...