Greg Shields, April 3, 2023
Inside ZTNA: The Secret Sauce of Better Single Packet Authorization
Much has been written about the basic concepts of single packet authorization (SPA), a sophisticated form of port knocking that helps cloak internet-facing ports that, if left exposed, are easy targets for threat actors. And CSA’s Zero Trust Software Defined Perimeter (SDP) Specification guide elevates SPA as a key architecture design principle. So, when it comes to Zero Trust Network Access (ZTNA) built on SDP principles, what if the simple concept of SPA could be made even better than it already is?
Appgate SDP, our universal ZTNA solution built for complex enterprise networks, has a proprietary TCP/UDP SPA mechanism that leverages the best of both protocol options and can approve who on the network is able to “open the door” to your enterprise network. And that’s just one ingredient in our better “SPA secret sauce,” if you will.
Before diving deeper into what makes Appgate SDP’s SPA implementation better, you can find background on the topic in previous blogs: Why is Your Network’s Front Door Still Unlocked? and Make Resources Invisible with Single Packet Authorization.
Now let’s review key differentiation highlights of the SPA implementation built into Appgate SDP:
- Isolated key distribution: Appgate SDP employs an overall protective key distribution system that uses a specific key for each kind of interaction. The keys Clients use to interact with Controllers are distinct from those used to communicate with the Gateways within a given site. Likewise, the inter-appliance interactions between Controllers, Gateways and other appliances are protected with their own unique SPA keys.
- Spoof protection (revolving key assignment): Another important benefit of the Appgate SDP SPA approach over a typical SPA implementation is that it does not rely on static keys for authorization requests. With static keys, a bad actor who obtains the key can spoof a SPA packet and gain access to the critical resource in question. The SPA implementation within Appgate SDP uses a revolving key: a new key is generated within seconds, so a spoofed SPA packet is denied access because the key it was built with is already obsolete.
- Replication protection: Each Appgate SPA message is also crafted in a special way so that malicious users cannot recreate it, replay it, or do any other action that would compromise each authorization interaction.
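To make the three properties above concrete, here is an added illustrative example; it is not Appgate's proprietary SPA code, and the packet layout, the 30-second rotation interval, the per-role key derivation and the nonce cache are all assumptions chosen for the demonstration.

```python
import hashlib, hmac, os, struct

ROTATE = 30  # seconds a derived SPA key stays valid (assumed rotation interval)
SKEW = 5     # tolerated clock drift between client and appliance, in seconds
ROLE_CONTROLLER, ROLE_GATEWAY = 1, 2  # each role gets its own derived key

def spa_key(secret: bytes, role: int, epoch: int) -> bytes:
    """Derive the key for one appliance role and one time window (assumed KDF)."""
    return hmac.new(secret, struct.pack(">BQ", role, epoch), hashlib.sha256).digest()

def build_spa(secret: bytes, role: int, now: float) -> bytes:
    """Client side: role | timestamp | random nonce | HMAC tag (57 bytes)."""
    body = struct.pack(">BQ", role, int(now)) + os.urandom(16)
    key = spa_key(secret, role, int(now) // ROTATE)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class SpaVerifier:
    """Appliance side: authenticates one role's SPA packets and rejects replays."""
    def __init__(self, secret: bytes, role: int):
        self.secret, self.role = secret, role
        self.seen = {}  # nonce -> time first accepted, for replay protection

    def verify(self, pkt: bytes, now: float) -> str:
        if len(pkt) != 57:
            return "malformed"
        body, tag = pkt[:25], pkt[25:]
        role, ts = struct.unpack(">BQ", body[:9])
        nonce = body[9:25]
        if role != self.role:          # a Gateway packet is useless at a Controller
            return "wrong_role"
        epoch = int(now) // ROTATE
        # Accept the current window and the one just before it (boundary skew).
        # A packet forged with any older key fails here: that key is obsolete.
        for e in (epoch, epoch - 1):
            expect = hmac.new(spa_key(self.secret, role, e), body, hashlib.sha256).digest()
            if hmac.compare_digest(tag, expect):
                break
        else:
            return "bad_mac"
        if abs(now - ts) > SKEW:       # timestamp outside the accepted drift
            return "stale"
        # Drop nonces that can no longer pass the timestamp check, then check replay.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= 2 * SKEW}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = now
        return "ok"
```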
And when it comes to customers, it’s the “make resources invisible” benefits of single packet authorization and our robust implementation of it that they cite as one of the top reasons they love Appgate SDP.
For a SPA primer and the full list of what makes our SPA implementation unique, read the whitepaper which covers additional benefits including full verification of authorization, user protection behind NAT gateways, and ensured SPA delivery complete with SPA flow diagrams for the extra techy folks. And did you know that SPA also helps protect against DDoS attacks? Check out our whitepaper on that subject here.
Additional ZTNA resources
Video: Watch How Appgate SDP Works
Whitepaper: Today’s Top Cyberthreats and How ZTNA Protects Against Them
eBook: Securing the Hybrid Enterprise
Case study: Jellyvision Enables Secure Access Across Hybrid Environments