
Software Defined Perimeter: a better, virtual security firewall

September 29, 2015

Software Defined Perimeter (SDP) is a new security approach currently being standardized by the Cloud Security Alliance (CSA). The concept is essentially an air-gapped network offered in a virtual form, so that sensitive data can be secured and the companies holding such data are better protected against cyber intrusions.
Still early in its adoption, this method might prove a game-changer for the clinical field (health IT) and for cloud computing wherever sensitive data is involved. The risk of medical devices and databases being hacked is a major concern for institutions, the public and security researchers, since the consequences could be fatal, and data loss in this field is also a major issue. Better, more efficient security solutions are needed, and SDP might be one of the answers.

Software Defined Perimeter and its benefits

Software Defined Perimeter takes the firewall's external-blocking function to a whole new level, rising to the challenge of modern exploits and trying to close the many avenues of breach opened by rapidly evolving personal devices. Highly critical data, such as that held by healthcare systems and infrastructure agencies, is currently at risk: we have seen hackable drug pumps, government agencies suffering data loss, and demonstration exploits that breach physically air-gapped systems.

The reasoning is very simple: one cannot attack what one cannot see, so a wide class of attacks is ruled out simply because attackers cannot locate their target. Should this layer of invisibility be bypassed, the protocols involved in SDP still require multi-factor authentication and a mutual trust relationship, built and validated before a connecting party is classified as inside the system rather than outside it.
Such virtually isolated systems can be placed in the cloud, or anywhere else, without the network-level exposure that normally comes with it. Securing cloud computing environments is in fact the core interest of the ongoing CSA research.

Evolution of Software Defined Perimeter

Software Defined Perimeter grew out of research by DISA (the Defense Information Systems Agency) under the GIG (Global Information Grid) Black Core Network initiative, and moved into commercial use in 2014, when the Cloud Security Alliance published version 1.0 of the specification. In this model the application infrastructure is undetectable, and connectivity follows a need-to-know model, checking device posture and user identity before granting access.
The Software Defined Perimeter Working Group was launched in 2013 under the aegis of the CSA, with the declared goal of producing research results in cyber protection that would be made freely available. The group authored the 2014 version 1.0 specification, and its 2015 scope is to provide a DDoS-focused open-source code base.

The Coca-Cola Company started experimenting with this approach in 2015, as its chief enterprise architect stated at a conference in Silicon Valley, on its way towards SaaS and Platform-as-a-Service and a gradual migration of its data to the cloud. Mazda is also reportedly interested in the approach and has tested it.

In April 2015, the CSA organized a hackathon, offering a $10,000 prize to anyone who could break into an account belonging to former CIA Chief Technology Officer Bob Flores, protected by the SDP method. By August 2015 the account had been subjected to tens of thousands of attacks and remained uncompromised.

Features of SDP

The SDP approach cloaks the protected system and provides invisibility in that there is:
• No visible IP address (DNS entries included);
• No response to ping;
• No SYN/ACK reply to connection attempts;
• No open ports whatsoever for a scanner to find.

This security system rests on a carefully defined architecture (the SDP architecture), made up of SDP controllers and SDP hosts (initiating hosts, which request access, and accepting hosts, which serve it). There are several deployment models:
• Client-to-gateway
• Client-to-server
• Server-to-server
• Client-to-server-to-client

SDP introduces Single Packet Authorization (SPA), which relies on the HMAC-Based One-Time Password algorithm (IETF RFC 4226): the very first packet a host sends carries a one-time code that identifies the sender, so the gateway can authenticate it before responding with anything at all. The whole point is a high degree of access control. Currently, SDP is mostly used to protect web-based access, but the concept may well become an extra layer of any network, or of any enterprise network micro-segment.

More concretely, consider an employee's device. On first contact the device is authenticated, its identity validated and paired with the exact access control policy that applies to it. The system then establishes a one-time-use VPN tunnel matched to the device's profile, reducing the risk of such devices becoming weak entry points for an attack.
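To make the cloaking features listed above, the SPA paragraph and the employee-device flow concrete, here is an added Python model written for this page; it is not code from the original article, from the CSA specification or from any vendor. A gateway drops every packet silently unless the first packet from a device carries a valid RFC 4226 HOTP code, and then opens a short-lived grant for that source address, in the spirit of the one-time tunnel described for the employee's device. The `device_id:code` packet layout, the class and function names, the look-ahead window and the grant lifetime are assumptions made for illustration; the secret is the RFC 4226 test-vector key, and the IP addresses are constructed documentation addresses.

```python
import hashlib
import hmac
import struct

# Added illustration, not code from the article or the CSA specification.
# Packet format, names, look-ahead window and grant lifetime are assumptions.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP as defined in RFC 4226: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to a 31-bit integer, reduced modulo 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[19] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def build_spa_packet(device_id: str, secret: bytes, counter: int) -> bytes:
    """Client side: the single packet a device sends before any other traffic.
    The 'device_id:code' layout is an assumed format for this example only."""
    return f"{device_id}:{hotp(secret, counter)}".encode("ascii")


class SpaGateway:
    """Toy model of an SDP gateway front door.

    Default posture is to drop everything without replying (no SYN/ACK, no RST,
    no ICMP), so a scanner sees no host and no ports. Only a valid SPA packet
    opens a short-lived grant for the sending address."""

    def __init__(self, devices, look_ahead=3, grant_seconds=30):
        self.secrets = dict(devices)                  # device_id -> HOTP secret
        self.next_counter = {d: 0 for d in devices}   # replay-protection state
        self.look_ahead = look_ahead                  # tolerate a few lost packets
        self.grant_seconds = grant_seconds
        self.grants = {}                              # src_ip -> expiry time

    def is_allowed(self, src_ip: str, now: float) -> bool:
        """Would a follow-on packet from src_ip be passed to the protected service?"""
        expiry = self.grants.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.grants[src_ip]                   # one-time grant has lapsed
            return False
        return True

    def authorize(self, src_ip: str, payload: bytes, now: float) -> bool:
        """Return True if payload is a valid SPA packet (and open a grant).
        False means the caller drops the packet silently; nothing is sent back."""
        try:
            device_id, code = payload.decode("ascii").split(":", 1)
        except (UnicodeDecodeError, ValueError):
            return False
        secret = self.secrets.get(device_id)
        if secret is None or len(code) != 6 or not code.isdigit():
            return False
        start = self.next_counter[device_id]
        # Accept the next expected counter or a few ahead of it, never one behind,
        # so a captured packet cannot be replayed once its counter is consumed.
        for counter in range(start, start + self.look_ahead + 1):
            if hmac.compare_digest(hotp(secret, counter), code):
                self.next_counter[device_id] = counter + 1
                self.grants[src_ip] = now + self.grant_seconds
                return True
        return False


def demo() -> dict:
    """Walk one scenario through the gateway and return what happened at each step."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector key, used as a demo secret
    gw = SpaGateway({"laptop-42": secret}, grant_seconds=30)
    device, scanner = "198.51.100.7", "203.0.113.9"   # constructed documentation addresses
    result = {}
    # 1. A port scanner's SYN carries no authorization: dropped, and still not allowed.
    result["scan_dropped"] = not gw.authorize(scanner, b"SYN", now=1000.0)
    result["scan_allowed"] = gw.is_allowed(scanner, now=1000.0)
    # 2. The enrolled device sends its first packet: grant opened.
    pkt0 = build_spa_packet("laptop-42", secret, counter=0)
    result["device_opened"] = gw.authorize(device, pkt0, now=1001.0)
    result["device_allowed"] = gw.is_allowed(device, now=1005.0)
    # 3. The scanner captured pkt0 and replays it: counter 0 is consumed, dropped.
    result["replay_dropped"] = not gw.authorize(scanner, pkt0, now=1002.0)
    # 4. The device lost packets 1 and 2 and sends counter 3: inside the look-ahead window.
    pkt3 = build_spa_packet("laptop-42", secret, counter=3)
    result["skip_ahead_opened"] = gw.authorize(device, pkt3, now=1010.0)
    # 5. After the grant lifetime the door is closed again.
    result["closed_after_expiry"] = gw.is_allowed(device, now=1045.0)
    return result


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

A real gateway would carry the grant into the packet filter (an allow rule for the source address on the protected port, removed at expiry) and would encrypt the SPA payload, but the two properties the article stresses are visible here: an unauthenticated sender gets no reply of any kind, and a captured authorization packet is useless once its counter has been consumed.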

Types of attacks Software Defined Perimeter prevents

  • Credential stealing attacks (the requirements of SDP systems and their multi-factor authentication (MFA) procedure mitigate phishing and unauthorized logins);
  • Denial of Service attacks against the protected service (the gateway does not answer unauthenticated packets, so an attacker cannot even complete a TCP handshake with it; volumetric floods that saturate the gateway's own link are a separate problem);
  • Server exploitation attacks (SQL injection, XSS), because unauthenticated parties cannot reach the server at all; a compromised but authorized device can still attempt them, so application-level defences remain necessary;
  • Connection hijacking attacks.

Perspectives for Software Defined Perimeter

As already mentioned, the main goal is to secure cloud migration and to remove the security concerns that have been blocking cloud adoption.

The cloud security issues and the debate around them have been covered separately. Because of these concerns, a number of companies have stayed out of the cloud migration movement: fear that data might be exposed to intrusion is not an encouraging climate for change. SDP aims to solve the cloud security issues while offering new and better solutions for other areas of cyber-security.

Companies such as Cisco Systems Inc. or Check Point Software Technologies, Ltd. might be seriously affected by SDP's future trajectory, since a large share of their revenue comes from sales of network security appliances. When asked to comment on SDP, such companies either ignored the request or simply reiterated their products' capabilities. True as it is that SDP depends on the protected company keeping its identity systems rigorously up to date, it is nevertheless an interesting approach that could take cyber-security into a new age.

Currently, as mentioned above, the SDP method is an initiative of the Cloud Security Alliance, supported by more than 200 organizations globally and included in Gartner's Hype Cycle for Virtualization. The SDP protocol is seen as a way for enterprises to achieve dynamic air-gapped networks in the near future. Modelled after Software-Defined Networking, SDP is an open specification with an open-source code base, so users do not depend on a proprietary system.