AppGate SDP - How It Works
Accelerate Your Journey to Zero Trust with AppGate SDP
Legacy network security solutions were not designed for today’s dynamic perimeter, resulting in vulnerabilities and complexity. The Software-Defined Perimeter is a full-featured network security platform that embodies the core principles of Zero Trust.
Authenticate Identity, Not IP Address
Build a multi-dimensional profile of the user and device, and authorize that profile before granting access.
Dynamically Adjust Entitlements
As context changes, the entitlements adapt dynamically based on policy and real-time conditions.
Apply The Principle of Least Privilege
Leverage micro-segmentation to reduce the attack surface and eliminate lateral movement to other network resources.
AppGate SDP at work
A Software-Defined Perimeter (SDP) architecture is made up of three primary components: a Client, a Controller and a Gateway. The Controller is where the brains of the system reside, acting as the trust broker: it checks context and grants entitlements. Both the Controller and the Gateway are completely cloaked.
Step 1
Using Single-Packet Authorization (SPA), the Client device makes an access request to, and authenticates with, the Controller. The Controller evaluates the credentials and applies access policies based on the user, environment and infrastructure.
Step 2
The Controller checks context and passes a live entitlement to the Client. Concretely, it returns a cryptographically signed token to the Client that contains the authorized set of network resources.
Step 3
Using SPA, the Client uploads the live entitlement, which the Gateway uses to discover the applications matching the user’s context. When the user attempts to access a resource – for example by opening a web page on a protected server – the network driver forwards the token to the appropriate cloaked Gateway. The Gateway then applies additional policies in real time – network location, device attributes, time of day and more. It may permit or deny access, or require an additional action from the user, such as prompting for a one-time password.
Step 4
A dynamic Segment of One network is built for this session. Once granted, all access to the resource travels from the Client across a secure, encrypted network tunnel, and through the Gateway to the server. Access is logged through the LogServer, ensuring there’s a permanent, auditable record of user access.
Step 5
The Controller continuously monitors for context changes and adapts the Segment of One accordingly.
AppGate SDP Features
AppGate SDP delivers the industry’s most comprehensive Software-Defined Perimeter solution. It is a proven, more secure alternative to traditional VPNs, so-called next-generation firewalls and NACs.
Live Entitlements: Dynamic, Context-Sensitive Access Policies
Your users are dynamic – they need to work anywhere at any time. AppGate SDP replaces static access rules with live entitlements – dynamic, context-sensitive access policies. Live Entitlements allow you to dynamically change your security based on what your users are doing, where and when. This fine-grained access control ensures individual users access only what they need to do their jobs. You benefit from consistent, automated security and remove the human error factor.
Live Entitlements evaluate whether the user can access, for example, the production SAP server database based on a variety of criteria. A Software-Defined Perimeter uses Live Entitlements to evaluate a user's situation before granting access. In the illustrated case, the administrator sets a policy that considers three attributes: identity, project/time, and location.
AppGate SDP determines what network resources the user can access based on those attributes. AppGate SDP "learns" what resources exist in the network. It does this by importing a fixed list of IP addresses, using the auto-resolver or APIs.
Live Entitlements automatically and constantly adjust access based on a user’s identity and environment without manual interaction. When a user’s context changes, access to network resources changes in real time based on access criteria pre-determined by your administrators. These criteria are easily configured and can be based on a wide range of information about the user, device and environment.
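As an added example (not AppGate's own code or token format), the Step 1 to Step 5 flow above and the Live Entitlement evaluation can be sketched in Python: a controller issues an HMAC-signed entitlement listing the authorized resources, and a gateway verifies the signature, expiry and resource membership, then applies real-time context (country and hour of day) to allow, deny, or demand step-up authentication. The policy table, addresses and signing key are constructed placeholders.

```python
import hashlib
import hmac
import json
import time

# Constructed shared signing key (placeholder); a real deployment would use
# properly provisioned keys or asymmetric signatures, never a literal secret.
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed policy table: per identity, the resources that form the user's
# Segment of One and the context conditions the gateway re-checks live.
POLICY = {
    "alice": {"resources": ["10.0.1.10:443"], "countries": {"US"}, "hours": (8, 18)},
    "bob":   {"resources": ["10.0.2.20:5432"], "countries": {"US", "DE"}, "hours": (0, 24)},
}

def issue_token(user, now, ttl=300):
    """Controller (Steps 1-2): authenticate identity, return a signed live entitlement."""
    entry = POLICY.get(user)
    if entry is None:
        return None                      # unknown identity: no entitlement at all
    claims = {"sub": user, "resources": entry["resources"], "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body, sig

def gateway_decision(token, resource, context):
    """Gateway (Steps 3-5): verify the entitlement, then apply real-time policy.
    context = {"now": unix time (UTC), "country": code for the client's location}."""
    body, sig = token
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "deny"                    # forged or tampered token
    claims = json.loads(body)
    if context["now"] >= claims["exp"]:
        return "deny"                    # stale entitlement: client must re-authenticate
    if resource not in claims["resources"]:
        return "deny"                    # outside this user's Segment of One
    entry = POLICY[claims["sub"]]
    start, end = entry["hours"]
    hour = time.gmtime(context["now"]).tm_hour
    if not start <= hour < end:
        return "deny"                    # time-of-day condition failed
    if context["country"] not in entry["countries"]:
        return "step_up"                 # unexpected location: require a one-time password
    return "allow"
```

Calling gateway_decision again with a changed context (a new country, a later hour, or a time past the token's expiry) models Step 5, where access is re-evaluated while the session is open.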
AppGate SDP also integrates with existing enterprise operations and business systems. The RESTful API allows you to incorporate any external system as you build access policy around your business, rather than the other way around. Regardless of how your hybrid environment changes, AppGate SDP ensures consistent, secure access across all workloads.
Fine-Grained, Individualized Network Access
Traditional network security such as VPNs or firewalls connects roles or groups to a network segment and then relies on application-level permissions for authorization. AppGate SDP is fundamentally different: it uses a real-time understanding of policy to create an individualized perimeter for each user.
AppGate SDP ensures that all endpoints attempting to access a given infrastructure are authenticated and authorized prior to being able to access any resources.
Once authorized, AppGate SDP creates an encrypted tunnel – a “Segment Of One” – allowing traffic to flow only from the user device to the protected resource.
Even while the session is open, live entitlements detect changes in the posture of the user, his or her environment and infrastructure, including changes in the cloud, and automatically adjust access privileges. AppGate SDP can force a step-up authentication or terminate the session completely based on newly detected changes.
AppGate SDP’s Ringfence feature further isolates the user device by blocking all inbound connections to it, which protects both the device and the protected resource. It is useful for deploying devices onto untrusted networks such as coffee shop or airport Wi-Fi: access to internal resources can be granted without concern about malicious users on the local network. Local outbound traffic (DNS, etc.) is untouched.
Benefit from secure, encrypted user traffic whose permitted scope changes based on your users’ identity and device.
Completely Cloaked From Prying Eyes
Single-Packet Authorization technology cloaks infrastructure so that only verified users can communicate with the system: the system does not respond to any packet that is not cryptographically authenticated, so it is invisible to port scans. Gateways and Controllers are completely cloaked, so they cannot be probed, scanned or attacked, and a port scan of the system shows no open ports. This significantly reduces the network attack surface by preventing network reconnaissance and limiting lateral movement on the network.
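The cloaking behaviour described above, as an added example in Python that is not AppGate's SPA implementation or wire format: the client sends one authenticated datagram, and the gateway verifies the HMAC, the freshness window and a nonce against replay before admitting the source. Anything that fails returns None, which the caller must translate into silence (no reply, no ICMP error), since that silence is what keeps the gateway invisible to scans. The client id, key and packet layout are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed per-client secrets (placeholders); real deployments provision these
# out of band per device.
CLIENT_KEYS = {b"client-01": b"constructed-spa-secret"}
WINDOW = 30            # seconds a packet stays fresh; bounds clock skew and replay
_seen_nonces = set()   # nonces already accepted; rejects replays inside the window

# Datagram layout (constructed): 16-byte client id | 8-byte timestamp | 16-byte nonce | 32-byte HMAC-SHA256
HEADER_LEN, TAG_LEN = 16 + 8 + 16, 32

def build_spa_packet(client_id, now, nonce=None):
    """Client side (Steps 1 and 3): build the single authorization datagram."""
    nonce = nonce or os.urandom(16)
    header = struct.pack("!16sQ", client_id, now) + nonce
    tag = hmac.new(CLIENT_KEYS[client_id], header, hashlib.sha256).digest()
    return header + tag

def verify_spa_packet(packet, now):
    """Gateway/Controller side: return the client id to admit, or None to drop.
    Every None must be handled by discarding the packet without any response."""
    if len(packet) != HEADER_LEN + TAG_LEN:
        return None                                  # wrong size: not an SPA packet
    header, tag = packet[:HEADER_LEN], packet[HEADER_LEN:]
    client_id, ts = struct.unpack("!16sQ", header[:24])
    client_id = client_id.rstrip(b"\0")
    nonce = header[24:HEADER_LEN]
    key = CLIENT_KEYS.get(client_id)
    if key is None:
        return None                                  # unknown client: stay silent
    expected = hmac.new(key, header, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                                  # bad or tampered signature
    if abs(now - ts) > WINDOW or nonce in _seen_nonces:
        return None                                  # stale or replayed packet
    _seen_nonces.add(nonce)
    return client_id                                 # only now open the pinhole for this client
```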
Cloud Native, Cloud Scale
AppGate SDP is cloud and hybrid native. This massively scalable system provides consistent security across all your workloads and applications – on dedicated infrastructure as well as public clouds including AWS and Azure. AppGate SDP is not simply a modified perimeter-based device placed into a virtual machine. It is engineered to operate natively in cloud networks, with a network architecture that is completely decentralized, distributed and stateless. Gateways can be deployed anywhere and combined to deliver hyper scale, high performance, and highly available network throughput.
This approach is as scalable as the internet itself, hybrid native and cloud agnostic, yet completely compatible with existing networks. Users can connect to unlimited resources simultaneously, unlike perimeter-based solutions that require massive WAN links to connect diverse backend networks. It integrates with and augments your existing enterprise class network and security infrastructure such as SIEM and IAM.
AppGate SDP is built from the ground up to be highly resilient and scalable to support enterprise-grade, mission-critical and global environments.