SOFTWARE DEFINED PERIMETER BETTER THAN VPN
- 1. SOFTWARE DEFINED PERIMETER: Software Defined Perimeter (SDP), also called a "Black Cloud", is an approach to computer security which evolved from the work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative. Software-defined perimeter (SDP) framework was developed by the Cloud Security Alliance (CSA) to control access to resources based on identity. Connectivity in a Software Defined Perimeter is based on a need-to-know model, in which device posture and identity are verified before access to application infrastructure is granted. Application infrastructure is effectively "black", without visible DNS information or IP addresses. Software Defined Perimeter mitigates the most common network-based attacks,including: server scanning, denial of service, SQL injection, operating system and application vulnerability exploits, man-in-the-middle, pass-the-hash, pass-the-ticket, and other attacks by unauthorized users. SOFTWARE DEFINED PEREMETER VIRTUAL PRIVATE NETWORK Adaptive to every network Zero automation of network policies Global Access Lack of Remote user security Precise segmentation Does not Integrate with Identity Providers Secured and Encrypted Weak Network traffic visibility Policies based on users Unable to create identification rules Seamless Audit and Report No network Activity reports Rejects Account hijacking An easy target for hackers Reduced Costs Implementation costs are high Least privilege Access Easy Access to unauthorized users OpenID-OAuth Authentication Layers someorg.com SDP Controller Login with google.com IDP someorg.com/callback SDP Controller Login success IDP SDP Controller Layer Initiating SDP Host Accepting SDP Host Accepting SDP Host Accepting SDP Host 1 Controller on line 2 Mutual VPN to Controller 3 Mutual VPN to Controller 4 List of Authorized Accepting Hosts Determined 5 Accept communication from Initiating Hosts 6 Receive list of IP s of Accepting Hosts 7 Mutual VPN s WORKFLOW: 1 One or more SDP Controllers are brought online and connected to the appropriate optional authentication and authorization services (e.g., PKI, device fingerprinting, geolocation, SAML, OpenID, OAuth, LDAP, Kerberos, multifactor authentication, and other such services). Here I am showing OpenID-OAuth authentication and authorization service where authentication and authorization is done using jwt (json based objects). This comes under claims-based service and all the exchanges of information is done using encryption to satisfy confidentiality and integrity I will show later how the confidentiality & Integrity can be maintained using PKI. SOFTWARE DEFINED PERIMETER BETTER THAN VPN VPN BETTERTHAN
- 2. 2 One or more Accepting SDP Hosts are brought online. These hosts connect to and authenticate to the Controllers. However, they do not acknowledge communication from any other Host and will not respond to any non-provisioned request. 3 Each Initiating SDP Host that is brought online connects with, and authenticates to, the SDP Controllers. 4 After authenticating the Initiating SDP Host, the SDP Controllers determine a list of Accepting Hosts to which the Initiating Host is authorized to communicate. 5 The SDP Controller instructs the Accepting SDP Hosts to accept communication from the Initiating Host as well as any optional policies required for encrypted communications. I will show later how the confidentiality & Integrity can be maintained using PKI. 6 The SDP Controller gives the Initiating SDP Host the list of Accepting Hosts as well as any optional policies required for encrypted communications. I will show later how the confidentiality & Integrity can be maintained using PKI. 7 The Initiating SDP Host initiates a mutual VPN connection to all authorized Accepting Hosts. ENCRYPTION TO ACHIEVE CONFIDENTIALITY, INTEGRITY: When there are 2 parties exchanging information securely there need to be confidentiality and integrity. In the Public-key cryptography there will be two keys private key and public key. PARTY 1 PUBLIC KEY PRIVATE KEY PARTY 1 PKI PARTY 2 PUBLIC KEY PARTY 1 PUBLIC KEY PRIVATE KEY PARTY 2 PKI PARTY 2 PUBLIC KEY COMMUNICATING CONFIDENTIALLY When party 1 communicates with Party 2 the information is encrypted using Party 2 Public key by party 1 and sent. Once party 2 receives the information it decrypts the information using its private key, thus confidentiality is achieved. In the same way when party 2 communicates with Party 1 the information is encrypted using Party 1 Public key by party 2 and sent.Once party 1 receives the information it decrypts the information using its private key, thus confidentiality is achieved. PARTY 1 PUBLIC KEY PRIVATE KEY PARTY 1 PKI PARTY 2 PUBLIC KEY PARTY 1 PUBLIC KEY PRIVATE KEY PARTY 2 PKI PARTY 2 PUBLIC KEY COMMUNICATING WITH INTEGRITY When party 1 communicates with Party 2 the message digest is encrypted using Party 1 Private key by party 1 and sent.Once party 2 receives the information it decrypts the message digest using party 1 public key, thus integrity is achieved. In the same way when party 2 communicates with Party 1 the message digest is encrypted using Party 2 Private key by party 2 and sent. Once party 1 receives the information it decrypts the message digest using party 2 public key, thus integrity is achieved. Th is guarantees the information communication between 2 parties has achieved non-repudiation.