Software-defined perimeter: Identity-centric enforced network perimeter

Traditional VPNs no longer cut it.

ipsecurity protocols network security vpn3
Thinkstock

With the introduction of cloud, BYOD, IoT and virtual offices scattered around the globe, the traditional architectures not only hold us back in terms of productivity but also create security flaws that leave gaps for compromise.

The network and security architectures that are commonly deployed today are not fit for today's digital world. They were designed for another time, a time of the past. This could sound daunting...and it indeed is.

What we had in the past?

Traditionally, we have had a static network and security perimeter with clear network and security demarcation points. In terms of security, the perimeter-based approach never worked. It did, however, create a multi-billion-dollar industry. But the fact is, it neither did, not will it provide competent security.

A persistent bad actor will eventually get by even the most guarded walls. It’s not a matter of if, it's a matter of when. The bad actor is equipped with the sophistication and skills to go undetected and perform lateral movements unless the network is properly segmented.

Evolution of the bad actor

Bad actors have existed since time immemorial in the evolution of the internet. And threats will continue to grow. Why? Because there's a rapid evolution of the bad actor's skill set. They are growing in sophistication and the hacking tools are readily available for hire – such as phishing-as-a-service.

Surprisingly, cybercrime is now a trillion dollar industry. This is alarming! Today, there is a dire need to evolve rapidly. We live in a world of cyber warfare. The major problem is that trust is assumed. There's an implicit trust between two entities as Internet Protocol (IP) has no authentication mechanism. It was actually designed for the ease of connectivity.

As a result, there are so many different attack vectors bad actors can choose from:

General hacking

General hacking includes data theft and corporate espionage. Today, a stolen enterprise relationship management (ERM) package could sell for about $1,000 per record. It’s all about money. If a bad actor can hack into a private healthcare system, they get access to all the personal and financial information. Health care records have a lot of value in the black market.

You can't undo your health history. As a result, bad actors can blackmail and put pressure on the target for monetary gains. This is unlike a credit card, which is insured and can be blocked when compromised.

Phishing

Social engineering via phishing is quite fashionable in 2019. The average lifespan of a phishing site is around six hours. As a result, you can't identify and protect against these sites – their lifespan is too short.

Internal attacks

Internal attacks are a significant threat and should be of serious concern. More than 80% of breaches get triggered through a malicious employee or malware on an affected device. Hackers are like spies when it comes to recruiting employees for nefarious gain.

Besides, we even have viruses/malware and botnets embedded into the hardware chipsets. The list is seemingly endless when it comes to the bad actor's toolset.

Zero-trust

We are getting hacked every day and even major networks with skilled staff are crashing. Unfortunately, the perimeter-approach to networking has failed to provide adequate security in today's digital world.

If we examine our past, we can see that we've taken huge steps to evolve our thinking regarding networking and security. But given the challenges of the day, we need to take another high-priority step. And that step is to approach the problem with a zero-trust security mindset.

The zero-trust approach is becoming more popular across security and network architectures. Objectively, zero-trust starts with a security posture of default deny, where nothing is trusted whether internal or external to the network.

Trust is then assessed upon the initiation of network connectivity commonly at the edge of the network. Trust assessment is a continual process and not just a once off authentication check. No user datagram protocol (UDP) or transmission control protocol (TCP) session is allowed to be established without prior authentication and authorization.

In a zero-trust environment, everything either inside or outside of the network boundary is beyond the domain of trust. Authentically, nothing is trusted. This makes perfect sense especially when we have a boundary-less environment.

Projects in the zero-trust environment

There are two main projects in the zero trust movement; software-defined perimeter (SDP) and micro-segmentation. Apparently, the remote browser isolation (RBI) is next in line to be added, and I’m sure there will be more arriving in the near future.

The power of RBI is that it does not identify before it stops something. It simply stops everything. Nothing is touched by the end user’s device, making surfing the internet more secure than ever. These projects are exciting to watch as the vendors compete with different approaches.

Software-defined perimeter

Let's examine the software-defined perimeter that challenges the traditional way to access the virtual private network (VPN). VPN access to internal resources is not a luxury, it’s rather a necessity...but the traditional VPNs are not fit for a perimeter-less world.

Today, when the network perimeter is becoming obsolete, how are you expected to secure all of your distributed operations? Typically, to gain access to the internal network resources, a user would VPN into the demilitarized zone (DMZ) and then the user gains access to an entire segment.

In a world that should employ zero-trust, this is far too much implicit trust and broad access. So we need a new design that protects your corporate assets. Essentially, from the user’s perspective, we need to design a network where there is no inside or outside of the network boundary. The applications should be accessible from anywhere, without requiring the user to do anything differently. Software-defined-perimeter offers this attribute and provides a perimeter that follows the user, regardless of location.

Instead of having a static perimeter with clear network and security demarcation points, we now have many small perimeters that follow the user. In the near future, we are likely to witness a major shift in how perimeters will be designed. There will be an increase in the perimeter numbers. They will also become more granular, shifting closer to the logical entities that they protect.

Issues with VPN

Site-centric topology

I’m sure if you are familiar with traditional VPNs you will understand the many reasons why both the users and administrators dislike them. One of the main issues with traditional VPNs is design. They follow a site-centric topology with a broad level of trust.

What is trust?

Virtually, trust is the bidirectional belief that is established and maintained between the two entities. Trust ensures that the communicating entities are doing what they should be doing and are behaving in an expected way during the duration of their interaction. And with a software-defined perimeter, the default security posture is one of no implicit trust.

Trust can then be based on the logical entities and not physical, for example, a certificate or tag/label. An identity-centric design is based around the user identity and not the IP address. Ultimately, this offers a multi-dimensional profile of a user or device and then authorizes before granting access to the network resources.

Broad access

With traditional VPN network access, there's too much trust. Once the users land on a VLAN, they have the potential to view and access all the other devices on that segment. IP addresses are virtual identities. As a result, they need to be bound to a physical entity, that is a media access control (MAC) address.

Within a virtual LAN (VLAN), a host can broadcast the address resolution protocol (ARP) to check if anything else is connected to the segment. Because the ARP is a broadcast packet, it gets sent to a MAC address that all the connected devices on the network receive. This eventually creates a pretty large attack surface for hackers to play with.

The complexity of traditional VPNs

Traditional VPNs also produce a lot of complexity. What do you do if you have multiple sites? Ideally, in that scenario, the cost of management would be high. Traditional VPNs are complex for the administrators to manage and for the users to operate.

Many organizations have different departments, such as security operations center (SOC) and network operations center (NOC) teams where individuals with different job roles share the machines. This is where a multi-user and multi-platform VPN platform would be useful, which is not dynamically available in case of traditional VPNs. The VPN access method demands contextual awareness with the ability to connect with different profiles based on user device access.

User experience

Poor user experience is most likely to surface as you backhaul the user traffic to a regional data center and then have the user choose from a list of VPN gateways used for different applications. In this case, you will never be on the right latency. Contrarily, a cloud-based SDP approach with strategically placed software-based PoPs will certainly help and improve the customer experience.

Moving to a software-defined perimeter

Moving the traditional VPN architecture to a software-defined perimeter completely inverses the network and security model. For every network resource, user, device and data center, the application is connected to the SDP cloud.

Contrary to the traditional site-centric approach, the user now becomes the center of the network. In such a scenario, we now have a user-centric topology which is indeed better suited for today’s digital world. The user is in the center and has access to the applications from everywhere, be it in the clouds or the legacy data center.

The entire software-defined perimeter model assumes zero trust. It does not assume any trust between the user, device, and service. The zero trust is not only based on identity: the ID of the users, their devices, but also on the services, applications, and networks they access. Identity-based access controls are used to block or allow network connections.

Also, everything should be microsegmented, based on the least-privileged access principal and delivered as a service.

Software-defined perimeter – How does it work?

A unique ID can be assigned to the user to be authenticated and verified before connecting to the cloud-based service. The user should connect to the network – only after passing all the factors are they allowed to receive identity and gain access. This works by the principle of a need-to-know basis.

Essentially what this offers is what could be called as the dynamic segment. The dynamic segment creates a connection between the user and the application during the time of connection. It then gets torn down once the connection between both entities is completed.

This offers fine-grained and individualized network access. All other network resources are in the dark, hidden from the user. This eventually reduces the attack surface to an absolute minimum. Hence, no attack surface, no damage.

Initially, having all network resources in the dark initiates what's known as the whitelist policy approach to security. The whitelist approach is the opposite to that of the traditional blacklist approach.

Traditionally, once a user is connected to the network, they are connected to everything that is connected to that segment. The blacklist approach starts with, for example, security ACLs that are added to restrict the access between certain segments.

On the other hand, the whitelist approach to security works the other way around. Whitelist starts with a default ‘deny all’ approach. Whitelist rules are then created to allow the resources to communicate with one another. The whitelist rules explicitly allow access and impart the ability to allow the session to be established or not.

With SDP, policies should be completely whitelist based. By default, everything is blocked until admins choose to unblock per identity. Let’s say, the network is dark until the administrator turns the lights on.

Cloud management

With the cloud-based approach, there’s nothing to install, everything is delivered as a service. All the intelligence is in the cloud. Primarily, edge connectors and gateway should not be heavy or complicated appliances. Thin appliances tend to connect the network resources to the SDP cloud more seamlessly.

Simple gateways are needed to establish a connection to the cloud network. All the enforcement, auditing, and security functions should reside in the cloud.

Instead of maintaining multiple connections to multiple locations, you are connected to a single point – the closest cloud PoP. Since now all the resources are connected to the SDP cloud, you can access any of the enterprise data centers, clouds, and applications. Besides, you can egress from the closest PoP to your target application.

With strategically software-based PoPs, you can route traffic on the best optimal route and keep it secure as it traverses the network. This results in lowering the latency between the user and the required network resource.

Not only does this help in lowering the latency, but also helps to scale. A cloud-based SDP approach is completely distributed and as scalable as the Internet itself. If you need to support a customer in a specific area, just spin up a new software-based PoP, which allows you to scale your network as you go.

The software-defined perimeter approach to VPN access is an exemplary way to transform your organization’s remote access.

This article is published as part of the IDG Contributor Network. Want to Join?

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT