George Wilkes, February 23, 2021
Make Resources Invisible with Single Packet Authorization
Digital transformation in the form of cloud adoption, remote work, mobility and edge/branch networking has increased the attack surface. The old, centralized access model no longer works in today’s distributed and decentralized world. In fact, that architecture is an impediment to business agility and these new access points represent known weaknesses with countless vulnerabilities that lead to real-world attacks.
Updated April 2023
Traditional network security approaches, like VPN, firewall and NAC, have demonstrably failed to adequately protect organizations today. The reason for the failure is that TCP/IP—which was originally designed to operate in an environment where the user community knew and trusted each other—is based on implicit trust, with a “connect first, authenticate second” approach. In today’s hyperconnected and highly adversarial threat landscape, this approach puts organizations at risk, and has enabled far too many data breaches.
In today’s hybrid, distributed IT estates it doesn’t matter where resources reside, because from a network perspective they all look the same: protocols bound to ports. Unless you’re physically plugging into a server, you’re accessing resources over a network, most likely remotely via VPN, using a range of ports (22, 80, 443, ...) and protocols (TCP, UDP, ICMP, GRE, etc.). Those ports are exposed doors into your resources, listening for inbound connections and susceptible to exploitation. What’s worse, those networks are usually flat and unsegmented, and therefore susceptible to lateral movement.
Consider the first phase of the Lockheed Martin Cyber Kill Chain—Reconnaissance. Adversaries look for ports as entry points into your network and scan to find the ones listening for inbound connections. Thwarting these initial recon efforts could mean the difference between a successful attack and a failed one, disrupting the kill chain at its earliest stage.
How Single Packet Authorization Reduces Your Attack Surface
Single packet authorization (SPA) uses proven cryptographic techniques to make internet-facing servers invisible to unauthorized users. Only devices that have been seeded with the cryptographic secret can generate a valid SPA packet, and only after presenting one can they establish a network connection. This is how SPA reduces the attack surface and hides the server from adversarial reconnaissance: a port that answers nothing until a valid packet arrives is indistinguishable from a closed one.
Single packet authorization enables the Appgate SDP Gateway to distinguish authorized and unauthorized connection attempts, while only needing to evaluate a single network packet. This means that SPA makes software-defined perimeter (SDP) systems much more efficient and less susceptible to brute force attacks while also protecting against a wide range of network-based attacks (DDoS, MITM, CSRF, XSS and SQLi).
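To make the mechanism concrete, here is an added example (not Appgate’s code, and not the SDP wire format) of a minimal SPA client and gateway-side verifier. The packet layout, field names, the hypothetical client identifier `laptop-1` and the 30-second freshness window are assumptions for illustration. The gateway is default-deny: it returns `None` (drop silently, send nothing) for anything that is not a correctly authenticated, fresh, never-before-seen packet from a known client, so a scanner probing the port receives no evidence that a service exists.

```python
"""Added SPA example: client-side packet builder and gateway-side verifier.
Not Appgate's code; the wire format and constants below are assumptions."""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, List, Optional, Tuple

FRESHNESS_WINDOW_S = 30  # assumed: packets older (or more future-dated) than this are dropped
MAC_LEN = 32             # HMAC-SHA256 digest length in bytes

Rule = Tuple[str, str, int]  # (client_id, proto, port) the gateway opens on success


def build_spa_packet(secret: bytes, client_id: str, proto: str, port: int,
                     now: Optional[float] = None) -> bytes:
    """Client side: build one authenticated datagram requesting access to proto/port.
    Layout: JSON body || HMAC-SHA256(secret, body). Only a device holding `secret`
    can produce a MAC the gateway accepts; `now` is injectable for testing."""
    body = json.dumps({
        "client_id": client_id,
        "ts": int(now if now is not None else time.time()),
        "nonce": os.urandom(16).hex(),  # unique per packet, so a captured packet cannot be replayed
        "proto": proto,
        "port": port,
    }, sort_keys=True).encode()
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return body + mac


class SpaGateway:
    """Gateway side: default-deny verifier. handle() returns the opened rule on
    success and None on any failure; None means 'drop, send no response'."""

    def __init__(self, client_secrets: Dict[str, bytes]) -> None:
        self.client_secrets = client_secrets          # secrets seeded per authorized device
        self.seen_nonces: Dict[str, int] = {}         # nonce -> packet timestamp, for replay detection
        self.open_rules: List[Rule] = []              # rules this gateway has opened

    def _expire_nonces(self, now: int) -> None:
        # Nonces older than the window cannot be replayed (freshness check rejects them),
        # so they can be forgotten to keep the cache bounded.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= FRESHNESS_WINDOW_S}

    def handle(self, datagram: bytes, now: Optional[float] = None) -> Optional[Rule]:
        now_s = int(now if now is not None else time.time())
        self._expire_nonces(now_s)
        if len(datagram) <= MAC_LEN:                  # too short to carry body + MAC
            return None
        body, mac = datagram[:-MAC_LEN], datagram[-MAC_LEN:]
        try:
            fields = json.loads(body)
            client_id = str(fields["client_id"])
            ts, nonce = int(fields["ts"]), str(fields["nonce"])
            proto, port = str(fields["proto"]), int(fields["port"])
        except (ValueError, KeyError, TypeError):     # malformed: drop
            return None
        secret = self.client_secrets.get(client_id)
        if secret is None:                            # unknown device: drop
            return None
        expected = hmac.new(secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):    # constant-time MAC check
            return None
        if abs(now_s - ts) > FRESHNESS_WINDOW_S:      # stale or future-dated packet
            return None
        if nonce in self.seen_nonces:                 # replay of a captured packet
            return None
        self.seen_nonces[nonce] = ts
        rule: Rule = (client_id, proto, port)
        self.open_rules.append(rule)                  # a real gateway would add a firewall rule here
        return rule


if __name__ == "__main__":
    # Constructed demo: one seeded device, one valid packet, then the same packet replayed.
    shared = os.urandom(32)
    gw = SpaGateway({"laptop-1": shared})
    pkt = build_spa_packet(shared, "laptop-1", "tcp", 22)
    print("first delivery:", gw.handle(pkt))   # ('laptop-1', 'tcp', 22)
    print("replayed copy :", gw.handle(pkt))   # None
```

The order of checks matters for the “invisible” property: every failure path returns the same `None`, so an unauthorized sender cannot distinguish “wrong key” from “unknown client” from “replayed packet”. The freshness window and nonce cache together bound what a captured packet is worth, which is the brute-force and replay resistance the post refers to.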
In the context of Appgate SDP, this is how SPA supports our Zero Trust architecture:
- The SDP Client connects to the Controller using Single Packet Authorization and mTLS.
- The Controller then authenticates the identity of the user and provisions the right level of authorization, issuing a token back to the Client containing policies and entitlements.
- Again using Single Packet Authorization and mTLS, the Client connects to the Gateway for policy enforcement, where entitlements grant access only to specific protocols and port numbers. Resources excluded from those entitlements are 100% invisible to the user, which prevents unsanctioned lateral movement.
It’s important to note that because single packet authorization is used to connect to both the Controller and the Gateway, both are hidden from prying eyes. Furthermore, since the Appgate SDP Gateway sits in front of all protected resources, both cloud-hosted and on-premises, those resources are 100% invisible unless the user is authenticated and authorized to access them under the principles of Zero Trust security.
Finally, single packet authorization is embedded into Appgate SDP architecture. Outside of the regular implementation and configuration of Appgate SDP, a universal Zero Trust Network Access (ZTNA) solution, there is no bolt-on software required to unleash the capabilities of single packet authorization. It just works, as designed.