Towards more secure network architectures with Software-Defined Perimeters
The surge in the evolution and adoption of new technologies, architectures and paradigms in recent years has given rise to a new set of security and privacy challenges and concerns. These challenges and concerns include proper authentication, access control, privacy and data integrity, among others.
As a result, new security measures for protecting cloud-based networks are being explored, since traditional defense techniques have proven inadequate to protect the infrastructure from network attacks. One of the most important of these measures is the Software-Defined Perimeter (SDP).
The Software-Defined Perimeter is a concept proposed by the Cloud Security Alliance (CSA) as a security model or framework to protect networks dynamically. It was developed on the basis of the Global Information Grid (GIG) Black Core initiative proposed by the Defense Information Systems Agency (DISA). The model follows the Zero Trust security model: the identity of the device or application that wants to communicate is verified and authenticated before any access to the infrastructure is granted.
The architecture of an SDP framework is composed of three components:
- SDP Controller: The controller is the central element of the framework and is responsible for all control messages that are exchanged, as it functions as a trust agent between the SDP Initiating Host and the backend security controls. This includes the tasks of device identification and authentication, as well as determining which programs or services are authorized for each device.
- SDP Initiating Host (IH): The Initiating Hosts are the clients that want to connect to a given application or service. Each connection must first be approved through a request to the SDP Controller. Once authentication is complete, a mutual TLS tunnel is created that connects the client (IH) to the service or application for which it has been authenticated.
- SDP Accepting Host (AH): Accepting Hosts are the devices that are instructed by the Controller to accept connections only for specific authorized services or applications. By default, and following the Zero Trust model, they are configured to reject all incoming packets and requests except those coming from the SDP Controller.
In this way, an SDP hides from the outside all information about where and how services and applications are running. An authenticated user receives their own encrypted network connection, which no other user or server can access, along with only the applications or services to which they have been granted access.
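The control flow described above (IH asks the Controller, the Controller authenticates and authorizes, then instructs the AH to open exactly one flow, and the AH drops everything else) can be made concrete with a small in-process simulation. This is an added example, not code from the page or from any SDP product; it assumes pre-shared device secrets checked by hash and represents the mutual TLS tunnel as a string rather than a real socket.

```python
# Added example (not from the page or any SDP implementation): a toy,
# in-process simulation of the SDP control flow. Assumptions: device
# credentials are pre-shared secrets checked by hash, and the "mTLS
# tunnel" is represented by a string instead of a real network socket.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CONTROLLER_ID = "sdp-controller"


def fingerprint(secret):
    """Stand-in for the device credential the Controller checks (assumed)."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class AcceptingHost:
    """AH: default-deny. Only the Controller and flows it authorized get through."""
    name: str
    services: set
    allowed_flows: set = field(default_factory=set)  # (ih_id, service, token)
    log: list = field(default_factory=list)

    def instruct(self, ih_id, service, token):
        """Control message from the Controller: accept this one specific flow."""
        self.allowed_flows.add((ih_id, service, token))

    def receive(self, sender, service, token=None):
        if sender == CONTROLLER_ID:
            return "control-channel"
        if (sender, service, token) in self.allowed_flows:
            self.log.append(f"ACCEPT {sender} -> {service}")
            return f"mTLS tunnel {sender} <-> {self.name}/{service}"
        # Silent drop: the service stays invisible to unauthorized senders.
        self.log.append(f"DROP {sender} -> {service}")
        return None


class Controller:
    """Trust broker: authenticates IHs, decides authorization, instructs AHs."""

    def __init__(self):
        self.devices = {}  # ih_id -> credential hash
        self.authz = {}    # ih_id -> set of allowed services
        self.hosts = {}    # service -> AcceptingHost that runs it

    def enroll(self, ih_id, secret, services):
        self.devices[ih_id] = fingerprint(secret)
        self.authz[ih_id] = set(services)

    def register_host(self, ah):
        for service in ah.services:
            self.hosts[service] = ah

    def request_access(self, ih_id, secret, service):
        expected = self.devices.get(ih_id)
        if expected is None or not hmac.compare_digest(expected, fingerprint(secret)):
            return None  # authentication failed: nothing about the AH is revealed
        if service not in self.authz.get(ih_id, set()) or service not in self.hosts:
            return None  # authenticated, but not authorized for this service
        token = secrets.token_hex(8)
        ah = self.hosts[service]
        ah.instruct(ih_id, service, token)  # open exactly this one flow on the AH
        return ah, token


class InitiatingHost:
    def __init__(self, ih_id, secret):
        self.ih_id, self.secret = ih_id, secret

    def connect(self, controller, service):
        grant = controller.request_access(self.ih_id, self.secret, service)
        if grant is None:
            return None
        ah, token = grant
        return ah.receive(self.ih_id, service, token)


def run_scenario():
    """Constructed scenario: one AH, one enrolled IH, one unenrolled device."""
    ctrl = Controller()
    ah = AcceptingHost("ah-1", {"payroll", "hr"})
    ctrl.register_host(ah)
    ctrl.enroll("alice-laptop", "alice-secret", ["payroll"])
    alice = InitiatingHost("alice-laptop", "alice-secret")
    mallory = InitiatingHost("mallory-box", "guess")
    return {
        "alice_payroll": alice.connect(ctrl, "payroll"),        # authorized
        "alice_hr": alice.connect(ctrl, "hr"),                  # authenticated, not authorized
        "mallory_payroll": mallory.connect(ctrl, "payroll"),    # fails authentication
        "mallory_direct": ah.receive("mallory-box", "payroll"), # bypasses the Controller
        "ah_log": list(ah.log),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Two points of the design are worth noting. Authentication and authorization failures are decided entirely at the Controller, so a rejected device never causes any traffic to reach the AH and learns nothing about where the service lives. And the AH allow-list is keyed on the specific (device, service, token) triple the Controller handed out, so a device that talks to the AH directly, or that was authorized for a different service, is still dropped by the default-deny rule.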
SDP framework software:
- Twingate: Provides an intuitive interface and allows deploying a network architecture based on the SDP framework in a simple way. Offers a free tier for up to 5 users.
- HashiCorp Boundary: Identity-based access system for Zero Trust security. It is not exactly an SDP, but it follows a similar philosophy based on the Zero Trust model. Open source.
- Waverley Labs OpenSource SDP: Serves as the basis for a free and open Black Cloud platform. Allows creating a Black Cloud on premises, in a public or private cloud, in a DMZ, on a server in a data center, or inside an application server.