Beginner's Guide to Software Defined Perimeter
Frederick Scholl
Where "Security Gets Down To Business". Supporting organizations and clients at the intersection of cybersecurity and business needs.
Frederick Scholl, Ph.D., CISSP, CISM
About Me
Dr. Frederick Scholl is Director of the MS Cybersecurity program at Quinnipiac University in Hamden, CT. He provides cybersecurity risk consulting services through Monarch Information Networks, LLC.
Introduction
Software Defined Perimeter (SDP) is another one of those security acronyms that drive me crazy. Great technologies have been invented to help protect enterprises, but if they are all part of acronym vegetable soup, how does a CISO learn how to defend against attackers? Throwing everything into the pot might make great soup, but not great cyber defense! This post is one of my series on attacking the acronyms…with sunlight, to reveal their true content. My goal is to explain the underlying technologies, with minimal marketing overlay. I will provide my best, curated references for further research. By doing so, I hope to empower everyone to build better security defenses. Zero Trust (ZT) or Zero Trust Architecture (ZTA) was my previous post, which you can find here.
SDP is an acronym whose time has come because of the pandemic. It is a networking technology designed to provide better security for workers connecting remotely to the data center. Everyone's connecting remotely now. The tried-and-true method of remote access, the VPN (Virtual Private Network), has served well since 1995, but the fact that everyone is now using VPNs has increased its attack surface. Attacks from 2021 illustrate the increased risk (references from Bleeping Computer[1]):
· “Hackers leak passwords for 500,000 Fortinet VPN accounts” (September 8, 2021)
· “Zerodium wants zero-day exploits for Windows VPN clients” (October 19, 2021)
· “Cisco fixes 6-month-old AnyConnect VPN zero-day with exploit code” (May 13, 2021)
· “South Korea’s Nuclear Research agency hacked using VPN flaw” (June 19, 2021)
· Colonial Pipeline Co. attack: What really happened…[2]
SDP provides a cryptographically strong alternative to VPN technology. Next up is a quick review of VPN technology, which sets the stage for describing SDP. Then I will outline SDP origins, followed by a dive into the technologies and architectures that are key to understanding SDP. Finally, a look at the present and future of SDP. Unfortunately, this includes more acronyms.
Background on Remote Access VPNs
The basic VPN idea is that you set up a secure tunnel between two endpoints; the tunnel provides data confidentiality and integrity. The tunnelling concept is still utilized by SDP offerings.
This diagram illustrates the setup for client-to-enterprise VPN connections; this is the layout for remote workers connecting back to the mother ship.
Figure 1: Simple VPN Architecture for Client-Host Remote Access
The end user wishes to have remote access to the host LAN positioned behind the VPN Gateway/Firewall. A secure tunnel from the user PC to the host network is set up by a combination of the VPN Gateway and VPN client software running on the PC. The packet from the user PC to the remote LAN is carried within, or tunneled through, an IP packet destined for the VPN Gateway server. Typically, the user is authenticated to the Gateway server with a username and password combination, or more recently using Multifactor Authentication (MFA).
The setup is further clarified by the IP configuration of the user PC, shown below. In this case it was situated on a home wireless network and had a local, non-routable IP address of 10.0.0.251. The second, virtual interface on the same laptop has the IP address 10.254.0.192, another non-routable IP address on the remote host LAN. The result is that the user has a secure connection to any resource on that host LAN.
Figure 2: Illustrating Real and Virtual Network Adapters
The attacks highlighted above, and many others, demonstrate that this technology can be readily attacked: the VPN gateway is exposed to the Internet, and hackers can steal username/password combinations and pose as legitimate employees or contractors. Finally, the VPN gives the remote user full access to the enterprise LAN or VLAN to which it connects, so other security controls must be in place to protect those resources.
Introducing Software Defined Perimeter
SDP is a type of Software Defined Network (SDN), focused on providing remote access security. The original concepts for SDN were contained in Martin Casado’s 2007 PhD thesis[3]. Interestingly, this thesis is all about improving network security management. The basic idea was to separate the “data plane” and the “control plane” in managing distributed systems’ security. For the VPN system in Figure 1, the VPN Gateway contains both the data plane (packet forwarding or dropping) and the control plane (configuration to manage who has access to what). By splitting the control plane from the data plane, qualitatively stronger security can be designed into the remote access system.
One of the first commercial blueprints illustrating this design was created by the Cloud Security Alliance: “SDP Specification 1.0”, April 2014.[4] Figure 1 from this specification (Figure 3 below) illustrates the separation of control channel and data channel, thus facilitating an attack-proof perimeter for the SDP host. In this diagram the user PC would be the initiating SDP host and the target gateway would be the accepting host. Access to this host is under the control of the “controller”.
Figure 3: Cloud Security Alliance SDP Architecture.
Some of the key security ideas in the CSA document include: accepting hosts do not accept connection requests from clients; SDP controllers make use of external authentication/authorization services; controllers maintain a list of hosts that clients may access; hosts require SPA (single packet authentication, explained below) before allowing any connection. The biggest single difference between the CSA SDP architecture and the VPN in Figure 1 is that the SDP approach secures access to specific applications and hosts, not networks.
SDP Today
This section describes how the above architecture has been implemented. Actual commercial SDP solutions combine these and other techniques in proprietary architectures. Remember that the key feature of all these SDP solutions is that they provide secure access to applications, not just networks. They also seek to “black out” the endpoints protecting enterprise network applications, thereby eliminating one of the vulnerabilities of VPN technology. Gartner has published a good post on the two major architectures used by SDPs[5]. They call the two: endpoint initiated, and service initiated. This definition focuses on how access is provisioned. In both cases, access is initiated by a request from the client.
Figure 4: Endpoint Initiated SDP Access Model
The “endpoint-initiated” architecture is built with a separate controller and gateway. It reflects the original CSA architecture referenced earlier. The controller can be behind an enterprise firewall, or in a separate cloud enclave. (Note that in the above diagram the controller has been labelled ZTNA, or Zero Trust Network Access.) The controller manages access provided by the gateway; one controller can manage multiple gateways. An end user wanting to access a protected application first queries the controller to get suitable authentication and access information to forward to the Gateway. This information is then used (in step 5) by the gateway to dynamically provision access to the application. It seems at first sight that this is no better than a two-step VPN process, in that ports on the controller and gateway must be accessed from the unsafe Internet. This is where another technology, SPA (Single Packet Authentication), comes in.
SPA was first described in papers and patents and was then implemented in SDP solutions. SPA blocks any connection to a system until after the user’s packet is authenticated. It does this by carrying the authentication information in the packet itself. After the firewall or gateway recognizes an authenticated packet, it then opens a port for communication. I think of this as a dynamic firewall, where the firewall rules are configured by incoming, authenticated packets.
A good tutorial on SPA is to be found in Michael Rash’s book[6] and in the patent describing the technique.[7] The basic idea is that an asset is protected by a dynamic gateway (firewall) that is programmed by a special SPA packet containing authentication information. The firewall blocks, and does not respond to, packets that do not contain this authentication information.
Figure 5. Illustrating concepts relating to Single Packet Authorization
The diagram above shows a client attempting to access resources protected by the Gateway/SPA Server middlebox. The Gateway/SPA Server corresponds to either the ZTNA Controller or the ZTNA Gateway in Figure 4. The Gateway, or firewall, blocks all packets by default. However, when it receives and authenticates a SPA packet, the SPA Server can dynamically add a rule to the Gateway, thus permitting packets to enter. This authentication information is contained in the SPA packet itself.
The packet’s format is shown below:
Figure 6. SPA Packet Format
The entire packet is encrypted using a key known only to the SPA server. Upon successful decryption, the packet’s “access request/command string” is read along with the username or other token identifying the user requesting the services.
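To make the SPA mechanism of Figures 5 and 6 concrete, here is an added, simplified simulation (not code from the post, Rash's book, or any SDP product): a client builds an encrypted and authenticated SPA packet carrying a username, an access request string and a timestamp, and a default-deny gateway silently drops everything except a valid, fresh, non-replayed packet from an authorized user, for which it adds a short-lived allow rule. The shared key, the "tcp/<port>" request format, the per-user ACL and the HMAC-SHA256 keystream (a stand-in for a real block cipher such as AES) are all assumptions of this example.

```python
import hashlib, hmac, json, os, time

# Constructed demo secret; assumed to be provisioned out of band to client and SPA server.
KEY = b"demo-shared-secret-do-not-reuse"
ENC_KEY = hmac.new(KEY, b"enc", hashlib.sha256).digest()   # separate keys for
MAC_KEY = hmac.new(KEY, b"mac", hashlib.sha256).digest()   # encryption and MAC
ACL = {"alice": {22, 443}}          # assumed controller ACL: user -> allowed ports

def _keystream(nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for a real cipher such as AES.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(ENC_KEY, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def build_spa_packet(username: str, request: str, now=None) -> bytes:
    # Fields loosely follow Figure 6: user, access request string, timestamp, random salt.
    body = json.dumps({"user": username, "req": request, "ts": int(now or time.time()),
                       "rand": os.urandom(8).hex()}).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(nonce, len(body))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag          # encrypt-then-MAC: nonce || ciphertext || tag

class SpaGateway:
    """Default-deny gateway: every failure returns False with no reply, so it stays dark."""
    def __init__(self, window=30, rule_ttl=20):
        self.rules = {}              # (src_ip, dst_port) -> rule expiry time
        self.seen = set()            # tags of accepted packets, to reject replays
        self.window, self.rule_ttl = window, rule_ttl

    def handle_packet(self, src_ip: str, pkt: bytes, now=None) -> bool:
        now = now or time.time()
        if len(pkt) < 48:
            return False
        nonce, ct, tag = pkt[:16], pkt[16:-32], pkt[-32:]
        if not hmac.compare_digest(tag, hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()):
            return False             # forged, tampered or random packet: dropped silently
        if tag in self.seen:
            return False             # replayed SPA packet
        body = json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))))
        if abs(now - body["ts"]) > self.window:
            return False             # stale timestamp
        port = int(body["req"].split("/")[1])            # assumed request format "tcp/22"
        if port not in ACL.get(body["user"], set()):
            return False             # authenticated but not authorized for this service
        self.seen.add(tag)
        self.rules[(src_ip, port)] = now + self.rule_ttl # dynamic allow rule, expires on its own
        return True

    def allows(self, src_ip: str, port: int, now=None) -> bool:
        return self.rules.get((src_ip, port), 0) > (now or time.time())
```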
The second method of implementing SDP is the “application initiated” approach, illustrated in the diagram below.
Figure 7.?Application initiated approach to SDP.
A good explanation of this approach is to be found here[8]. In this case, the user accesses an Authentication Gateway outside of the enterprise network but visible on the Internet, and makes a request to access an internal application. Access to that application is blocked by firewalls and the Access Gateway. However, through a polling process the Access Controller connects outbound to the Authentication Gateway and learns of the external access request from the user. If suitable authentication and authorization is provided, the Access Controller can open a port in the Access Gateway to permit connection to the desired Application Server.
Present and Future of SDP
There are three major trends: continued hacks of VPNs; improvements in VPN security; and incorporation of SDP technology into integrated service offerings such as the SASE[9] (Secure Access Service Edge) architecture and SSE[10] (Security Service Edge). Regarding VPN attacks and vulnerabilities, we have:
· Quickfox VPN provider reported breach of one million records[11]
· Continued attacks by Russian actors on US Defense Department contractors[12]
On the other hand, VPN providers have incorporated host context-aware logins using MFA and other technology. This context can include information such as patch levels, AV software, DLP software and so on. This will help reduce attacks resulting from credential theft.
New acronyms have been minted to describe the evolution of SDP and its positioning in enterprise technology architecture. For one thing, the term SDP is now often used interchangeably with ZTNA (Zero Trust Network Access). This usage is riding on the wave of interest in Zero Trust principles. A second trend is towards integrated security services rather than standalone services or products. SSE and SASE, previously referenced, are two frameworks supporting this trend. Vendor offerings include full-suite services and standalone products for enterprises as well as MSSP offerings for SMB users. More on these terms and trends in another edition of “Beginner’s Guide to Advanced Security Concepts”.
References
[1] www.bleepingcomputer.com
[2] https://www.cybertalk.org/2021/06/09/colonial-pipeline-co-attack-what-really-happened/
[3] “Architectural Support for Security Management in Enterprise Networks”, Martin Casado (https://klamath.stanford.edu/~nickm/papers/martin-thesis.pdf )
[4] https://downloads.cloudsecurityalliance.org/initiatives/sdp/SDP_Specification_1.0.pdf
[5] https://www.jamf.com/blog/how-to-choose-a-zero-trust-network-access-architecture-software-defined-perimeter-or-reverse-proxy/
[6] Linux Firewalls, Michael Rash, 2007.
[7] “Method for Secure Single-Packet Remote Authorization”, US 8,413,248 B2, 2013.
[8] https://www.youtube.com/watch?v=ncpINTZrmSU : How Safe-T Does Software Defined Perimeter, Part 2.
[9] Neil McDonald, Lawrence Orans, Joe Skorupa, “The Future of Network Security is in the Cloud”, Gartner, August, 2019.
[10] https://www.gartner.com/smarterwithgartner/4-must-have-technologies-that-made-the-gartner-hype-cycle-for-cloud-security-2021
[11] https://threatpost.com/vpn-exposes-data-1m/175612/
[12] https://www.cisa.gov/uscert/ncas/alerts/aa22-047a