
Appgate Cybersecurity, February 23, 2021

Make Resources Invisible with Single Packet Authorization

Digital transformation in the form of cloud adoption, remote work, mobility and edge/branch networking has increased the attack surface. The old, centralized access model no longer works in today’s distributed and decentralized world. In fact, that architecture is an impediment to business agility and these new access points represent known weaknesses with countless vulnerabilities that lead to real-world attacks.

Updated April 2023

Traditional network security approaches, like VPN, firewall and NAC, have demonstrably failed to adequately protect organizations today. The reason for the failure is that TCP/IP—which was originally designed to operate in an environment where the user community knew and trusted each other—is based on implicit trust, with a “connect first, authenticate second” approach. In today’s hyperconnected and highly adversarial threat landscape, this approach puts organizations at risk, and has enabled far too many data breaches.

In today’s hybrid, distributed IT estates it doesn’t matter where resources reside, because from a network perspective they all look the same: protocols bound to listening ports. Unless you’re physically plugging into a server, you’re accessing resources over a network, most likely remotely via VPN, using a range of ports (22, 80, 443, …) and protocols (TCP, UDP, ICMP, GRE, etc.). Those ports are exposed doors into your resources, listening for inbound connections and susceptible to exploitation. What’s worse is that those networks are usually flat, unsegmented and open to lateral movement.

Consider the first phase of the Lockheed Martin Cyber Kill Chain—Reconnaissance. Adversaries are looking for ports as entry points into your network and scanning to find the ones listening for inbound connections. Thwarting these initial recon efforts can mean the difference between an attack succeeding and failing, disrupting the kill chain at its earliest stage.

How Single Packet Authorization Reduces Your Attack Surface

Single packet authorization (SPA) uses proven cryptographic techniques to make internet-facing servers invisible to unauthorized users. Only devices that have been seeded with the cryptographic secret will be able to generate a valid SPA packet, and subsequently be able to establish a network connection. This in essence is how it reduces the attack surface and becomes invisible to adversarial reconnaissance.

Single packet authorization enables the Appgate SDP Gateway to distinguish authorized and unauthorized connection attempts, while only needing to evaluate a single network packet. This means that SPA makes software-defined perimeter (SDP) systems much more efficient and less susceptible to brute force attacks while also protecting against a wide range of network-based attacks (DDoS, MITM, CSRF, XSS and SQLi).
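The two paragraphs above describe the mechanism in the abstract: a device seeded with a secret emits one packet, and the gateway decides from that packet alone whether to respond at all. The following is an added illustration written for this page, not Appgate’s SPA implementation or packet format (which the post does not describe). It models a generic SPA exchange: the client sends a single datagram of timestamp, random nonce and an HMAC over both; the gateway verifies the tag in constant time, rejects stale or replayed packets, and silently drops everything else so an unauthorized scanner gets no response. The shared secret and window size are constructed values.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed example secret, seeded on the authorized device; it never travels on the wire.
SHARED_SECRET = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

HEADER_FMT = "!Q16s"      # 8-byte unix timestamp, 16-byte nonce
NONCE_LEN = 16
TAG_LEN = 32              # HMAC-SHA256 output
ALLOWED_SKEW = 30         # seconds a packet stays valid (constructed value)


def build_spa_packet(secret: bytes, now: Optional[float] = None) -> bytes:
    """Client side: datagram = timestamp || nonce || HMAC-SHA256(secret, timestamp || nonce)."""
    ts = int(now if now is not None else time.time())
    nonce = os.urandom(NONCE_LEN)
    body = struct.pack(HEADER_FMT, ts, nonce)
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return body + tag


class SpaVerifier:
    """Gateway side: judge one datagram and either open a connection slot or stay silent.

    Every failure path returns False with no reply of any kind (no ICMP, no RST, no error),
    which is what keeps the listener invisible to a port scanner.
    """

    def __init__(self, secret: bytes, skew: int = ALLOWED_SKEW):
        self.secret = secret
        self.skew = skew
        self.seen = {}  # nonce -> timestamp, for replay detection inside the window

    def _purge(self, now: float) -> None:
        # Nonces older than the window cannot validate anyway, so stop remembering them.
        cutoff = now - self.skew
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}

    def verify(self, packet: bytes, now: Optional[float] = None) -> bool:
        now = now if now is not None else time.time()
        if len(packet) != struct.calcsize(HEADER_FMT) + TAG_LEN:
            return False                                   # malformed: drop
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        # Constant-time compare: a byte-by-byte compare would leak a timing oracle on the tag.
        if not hmac.compare_digest(expected, tag):
            return False                                   # wrong or absent secret: drop
        ts, nonce = struct.unpack(HEADER_FMT, body)
        if abs(now - ts) > self.skew:
            return False                                   # stale or future-dated: drop
        self._purge(now)
        if nonce in self.seen:
            return False                                   # replayed capture: drop
        self.seen[nonce] = ts
        return True                                        # only now would the gateway answer


if __name__ == "__main__":
    gw = SpaVerifier(SHARED_SECRET)
    pkt = build_spa_packet(SHARED_SECRET)
    print("valid packet accepted:", gw.verify(pkt))
    print("same packet replayed:", gw.verify(pkt))
    print("packet from unseeded device:", gw.verify(build_spa_packet(b"guess")))
```

Because the verifier never answers a bad packet, a brute-force attempt is bounded by the 256-bit tag and the 30-second window rather than by a login endpoint that returns error messages, which is the efficiency and resistance property the paragraph above claims. Real implementations also bind the packet to the source address and the requested service so a captured packet cannot be reused from elsewhere.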

In the context of Appgate SDP, this is how SPA technology plays a role in supporting our Zero Trust architecture:

  1. The SDP Client connects to the Controller using Single Packet Authorization and mTLS.
  2. The Controller then authenticates the identity of the user and provisions the right level of authorization, issuing a token back to the Client containing policies and entitlements.
  3. Again using Single Packet Authorization and mTLS, the Client connects to the Gateway for policy enforcement, which uses the entitlements to grant access only to specific protocols and port numbers. Resources excluded from those entitlements are 100% invisible to the user, which prevents unsanctioned lateral movement.
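To make steps 2 and 3 concrete, here is an added model of the Controller issuing an entitlement token and the Gateway enforcing it. It is illustration code written for this page, not Appgate’s token format or policy engine (the post does not describe either). It assumes a key shared by the Controller and Gateway for a short HMAC-signed token; a real deployment would rely on mTLS and asymmetric signatures. The Gateway verifies the token before consulting it, and any connection attempt not covered by an entitlement is dropped without a reply, so that resource never appears to exist from the client’s point of view. Host names, ports and keys are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed key shared by the (modelled) Controller and Gateway.
TOKEN_KEY = b"example-controller-gateway-token-key"

Entitlement = Dict[str, object]  # {"proto": "tcp", "host": "...", "ports": [lo, hi]}


def issue_token(key: bytes, user: str, entitlements: List[Entitlement],
                issued_at: int, ttl: int = 3600) -> str:
    """Controller side (step 2): bind the authenticated identity to its entitlements and sign."""
    claims = {"sub": user, "iat": issued_at, "exp": issued_at + ttl,
              "entitlements": entitlements}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def verify_token(key: bytes, token: str, now: int) -> Optional[dict]:
    """Gateway side: return the claims only if the signature holds and the token is unexpired."""
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None
    return claims


def gateway_decision(claims: Optional[dict], proto: str, host: str, port: int) -> str:
    """Gateway side (step 3): "allow" only when an entitlement covers (proto, host, port).

    "drop" means no response at all, so an unentitled resource stays invisible even to a
    user who is otherwise authenticated; this is what blocks unsanctioned lateral movement.
    """
    if claims is None:
        return "drop"
    for ent in claims["entitlements"]:
        if ent["proto"] != proto or ent["host"] != host:
            continue
        lo, hi = ent["ports"]
        if lo <= port <= hi:
            return "allow"
    return "drop"


if __name__ == "__main__":
    ents = [{"proto": "tcp", "host": "app.internal.example", "ports": [443, 443]},
            {"proto": "tcp", "host": "jump.internal.example", "ports": [22, 22]}]
    tok = issue_token(TOKEN_KEY, "alice", ents, issued_at=1_700_000_000)
    claims = verify_token(TOKEN_KEY, tok, now=1_700_000_010)
    for attempt in [("tcp", "app.internal.example", 443),
                    ("tcp", "app.internal.example", 22),
                    ("tcp", "db.internal.example", 5432)]:
        print(attempt, "->", gateway_decision(claims, *attempt))
```

The deny-by-default shape matters more than the token encoding: the Gateway matches the request against an explicit allow list carried in a verified token, and every miss is silent. Swapping the HMAC for a Controller-signed certificate or JWT leaves `gateway_decision` unchanged.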

It’s important to note that because single packet authorization is used to connect to both the Controller and Gateway, they are both hidden from prying eyes. Furthermore, since the Appgate SDP Gateway sits in front of all protected resources, both cloud-hosted and on-premises, they are 100% invisible unless authenticated and authorized to access using the principles of Zero Trust security.

Finally, single packet authorization is embedded into the Appgate SDP architecture. Outside of the regular implementation and configuration of Appgate SDP, a universal Zero Trust Network Access (ZTNA) solution, there is no bolt-on software required to unleash the capabilities of single packet authorization. It just works, as designed.
