Software defined perimeter

from Wikipedia, the free encyclopedia

A Software Defined Perimeter (SDP), also known as Black Cloud, is a security approach for cloud computing environments developed by the Defense Information Systems Agency (DISA) as part of the Black Core Network Initiative (BCN) of the Global Information Grid (GIG). SDP is being further developed by the Cloud Security Alliance (CSA).

Procedure

The device identity and device integrity are verified by an attestation service. The user is then authenticated via an authentication gateway. After authentication, the client receives a token (e.g. a SAML token or JSON Web Token (JWT)) from an Attribute Authority, which defines which resources the user is allowed to access.

The client uses the token to log on to an SDP controller. This establishes VPN connections with one or more SDP gateways. The SDP gateway verifies the user's token again. Only when the gateway has successfully verified the token is access to the security group protected by the gateway granted.

Before the user has been authenticated and authorized, all Internet Protocol (IP) data packets that are not required for authentication are rejected.
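The gateway-side flow described above, as an added example that is not from the article or from any SDP implementation: a constructed Attribute Authority mints an HS256 JWT listing the user's security groups, and a simulated SDP gateway drops every packet from an unverified source except the one needed for authentication, re-verifies the token itself, and only then opens access. The shared secret, the authentication port and the group names are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real deployment verifies against the Attribute Authority's key material.
SECRET = b"demo-attribute-authority-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(user, groups, ttl=300, now=None):
    """Attribute Authority: mint an HS256 JWT naming the security groups the user may reach."""
    now = now or int(time.time())
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": user, "groups": groups, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token, now=None):
    """SDP gateway: re-verify signature and expiry; return the claims, or None if invalid."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):   # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("exp", 0) <= (now or int(time.time())):
        return None
    return claims

class Gateway:
    """Default-deny filter: until a source holds a verified session, only auth-port traffic is examined."""
    AUTH_PORT = 443  # assumption: port on which the gateway accepts token presentation

    def __init__(self, group):
        self.group = group      # the security group this gateway protects
        self.sessions = {}      # src_ip -> verified claims

    def filter(self, pkt, now=None):
        now = now or int(time.time())
        src, dport = pkt["src"], pkt["dport"]
        claims = self.sessions.get(src)
        if claims and claims["exp"] > now:          # established, unexpired session
            return "ACCEPT"
        if dport != self.AUTH_PORT:                  # not needed for authentication: reject
            return "DROP"
        claims = verify_token(pkt.get("token", ""), now)
        if claims and self.group in claims["groups"]:
            self.sessions[src] = claims              # token verified again at the gateway
            return "ACCEPT"
        return "DROP"
```

Packets are modelled as plain dicts with a source address, destination port and optional token, so the same filter can be driven from a packet capture or a unit test.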

Automatically Defined Perimeter

An Automatically Defined Perimeter (ADP) is an extension of the SDP. Here, the user's connections to protected network resources are dynamically established and disconnected depending on requirements. At any given time, connections exist only to those resources that the client currently needs.

Advantages

Since the network resources protected by SDP are not entered in the public Domain Name System (DNS) and all access without authorization is denied, the attack surface of the network is significantly reduced. The protected network is therefore not visible from the outside (black network).

The following attack scenarios are fended off or at least made much more difficult with SDP:

It is also possible to audit all accesses to the network, for example to support IT forensics.

Differentiation from Network Access Control

With Network Access Control (NAC), the network connection to a resource is established first and only then is the user authenticated and authorized. With SDP, on the other hand, authentication and authorization take place first and only then is the network connection established in the form of a VPN.
