This article explains the key benefits of a software defined perimeter (SDP) solution compared with a traditional network perimeter, and how it can improve your organization's security and infrastructure.
1. Benefit over VPN
Remote access VPN technology is used when remote users of an organization require access to the organization's network and associated resources. A remote user requiring access connects to the VPN server at the data center. After successful authentication, the user is assigned an IP address, which enables access to the requested resource. Because access is IP driven, the user now has access to the entire network. This is a security threat: the entire network is exposed to the user when, in reality, only a specific service or application is required.
With a software defined perimeter solution, the user is granted access only to the specific application, not to the network. Communication between the user and the application is secured with TLS, which encrypts the data in transit. Compared with IPsec VPNs, where remote users are assigned IP addresses, the SDP solution helps mitigate these threats, since a user is not unnecessarily granted access to the entire network.
2. Zero Trust architecture
Zero trust means that no user or device outside the perimeter is trusted by default. Consider an environment where an application server is hosted behind a firewall / IDS. A user outside the perimeter first establishes a connection with the requested service. Typically this is a TCP three-way handshake to the application's port number (for TCP applications). The firewall / IDS is configured to allow traffic originating from outside the perimeter to that specific port. Once the connection is established, the user is authenticated using mechanisms such as username / password, certificates, etc. Only after authentication succeeds is the user granted access.
In an SDP solution, the user is not granted any access to the resource until authentication succeeds. The user is first authenticated against the policies configured in the SDN controller. Only once authentication succeeds is access to the appropriate services on the server provided. This is a significant improvement over the traditional perimeter architecture, since you are not given any access to the resource, and the resource remains completely hidden, until authentication has completed successfully.
3. Cyber Security threat mitigation
The biggest threat mitigated by implementing an SDP solution is DDoS. A DDoS (distributed denial of service) attack sends a large number of connections to the application or service. For example, a DDoS attack against a web server would send a flood of TCP connection requests to port 80 (HTTP) or 443 (HTTPS) in an attempt to bring it down. This is not possible in an SDP solution, since the server is not exposed to the outside world: the requested service on the server is opened to the user only after the user has been authenticated. The same property also helps against brute-force and reconnaissance attacks, which require the server's IP address to be known before the attack can be launched.
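To make the contrast in sections 1 to 3 concrete, here is a small added simulation (example code written for this article, not part of any SDP product): a VPN model that grants IP-layer reachability to the whole internal network once a tunnel exists, beside a default-deny SDP gateway that opens a flow only for the specific application a user is authorized for, and only after the controller has authenticated that user. All addresses, users, secrets and application names are constructed sample values.

```python
import hmac
import ipaddress

# Constructed sample environment (demo values only, not a real deployment).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
APPS = {"crm": ("10.0.0.10", 443), "hr": ("10.0.0.20", 443), "db-admin": ("10.0.0.30", 5432)}
# Constructed policy: which applications each user is authorized to reach.
POLICY = {"alice": {"crm"}, "bob": {"crm", "hr"}}
# Constructed credentials for the demo (a real controller would use certificates/MFA).
CREDENTIALS = {"alice": "alice-secret", "bob": "bob-secret"}


def vpn_reachable(tunnel_user, dst_ip, dst_port):
    """Traditional remote-access VPN: once a user holds a tunnel IP, every host on
    the internal network is reachable at the IP layer, whatever the app policy says."""
    return tunnel_user is not None and ipaddress.ip_address(dst_ip) in INTERNAL_NET


class SdpGateway:
    """Default-deny gateway: a flow (user, dst_ip, dst_port) exists only after the
    controller has authenticated the user and authorized that specific application.
    Unauthenticated packets, including SYN floods and port scans, match no flow."""

    def __init__(self):
        self.flows = set()

    def authenticate(self, user, secret):
        # Constant-time compare; a failed attempt opens nothing, so the server stays dark.
        if not hmac.compare_digest(CREDENTIALS.get(user, ""), secret):
            return False
        for app in POLICY.get(user, ()):
            ip, port = APPS[app]
            self.flows.add((user, ip, port))  # per-application flow, not a network route
        return True

    def reachable(self, user, dst_ip, dst_port):
        # user is None for an unauthenticated probe from the outside world.
        return (user, dst_ip, dst_port) in self.flows


if __name__ == "__main__":
    gw = SdpGateway()
    print("unauthenticated SYN to crm:", gw.reachable(None, "10.0.0.10", 443))
    gw.authenticate("alice", "alice-secret")
    print("alice -> crm (SDP):", gw.reachable("alice", "10.0.0.10", 443))
    print("alice -> db-admin (SDP):", gw.reachable("alice", "10.0.0.30", 5432))
    print("alice -> db-admin (VPN):", vpn_reachable("alice", "10.0.0.30", 5432))
```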
4. Distributed Architecture Design
Cloud has now become a predominant part of any organization's network. Servers are distributed across different locations and are no longer restricted to traditional data centers. SDP solutions help manage and deploy resources located in multiple geographical locations, and ease integration and management across mixed cloud and data center environments through a central controller.