AppGate Blog: Software-Defined Perimeter

Written by Christopher Scheels on September 19, 2019

Preventing Network Cyber Attacks with a Software-Defined Perimeter

Cyber attacks are ever-present, but a Software-Defined Perimeter can help mitigate several of the tried-and-tested methods attackers favor, from Distributed Denial-of-Service (DDoS) to Man-in-the-Middle attacks.

Gone are the days of the trusted perimeter. Today attacks come from every direction, from malicious insiders as well as external threats, so it is essential to protect a perimeter-less environment. A Software-Defined Perimeter (SDP) that implements Zero Trust helps prevent several mainstream attack methods. This sentiment is echoed by the Cloud Security Alliance (CSA):

“The SDP security model has been shown to stop all forms of network attacks including DDoS, Man-in-the-Middle, Server Query (OWASP10) as well as Advanced Persistent Threat.”

A Software-Defined Perimeter architecture was developed to mitigate these network attacks. SDP consists of five layers of security controls: Single Packet Authorization (SPA), mutual Transport Layer Security (mTLS), Device Validation (DV), dynamic firewalls, and Application Binding (AppB). The role each layer plays against specific attacks is summarized below.

How a Software Defined Perimeter Prevents Common Cyber Exploits

There are four common classes of exploit attackers use to access networks, and a Software-Defined Perimeter can mitigate each of them. Here we outline the common exploits and how an SDP helps.

Distributed Denial-of-Service

What it is: The number of Distributed Denial-of-Service (DDoS) attacks worldwide is increasing, making it one of the most common forms of cyber attack. A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks achieve their effect by using many compromised computer systems as sources of attack traffic; the exploited machines can include computers and other networked resources such as IoT devices. At a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its destination.

How SDP helps: A Software-Defined Perimeter takes away the target of a DDoS attack on protected resources by making them invisible, or "black" (a Department of Defense (DoD) term meaning the infrastructure cannot be detected). mTLS and DV both contribute, but the primary security control against DDoS is SPA. It is based on the concept of port knocking and improves on it by adding a cryptographic hash over the request, so that a knock cannot simply be guessed. SPA has been around for a while and is the first layer of security in SDP: it makes the SDP components themselves invisible, leaving bad actors nothing to find and attack. Even if an attacker somehow obtained inside knowledge of the SPA exchange, the gateway still cannot be DDoS'ed through it, because any packet that fails verification is discarded before the mTLS handshake is ever entered. Checking an SPA packet is also roughly an order of magnitude cheaper in CPU than a traditional authentication handshake.
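The exchange described above, as an added example that is not code from the original post or from AppGate SDP: the client sends a single authenticated datagram, and the gateway checks it with one HMAC, refuses stale and replayed packets, and never answers. The packet layout, the pre-shared key, the 30-second window and the client identifier are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed pre-shared key for this example only; a real gateway provisions
# a distinct key per client (or verifies a signature) out of band.
PSK = b"example-spa-psk-not-for-production"
WINDOW_S = 30                     # assumed tolerance for clock skew and network delay
PACKET_LEN = 16 + 8 + 16 + 32     # client_id | timestamp | nonce | HMAC-SHA256


def build_spa_packet(client_id: str, now: Optional[float] = None,
                     psk: bytes = PSK) -> bytes:
    """Client side: one UDP datagram asking the gateway to admit this client.
    Assumed layout: client_id(16) | unix_ts(8, big-endian) | nonce(16) | tag(32)."""
    ts = int(time.time() if now is None else now)
    cid = client_id.encode()[:16].ljust(16, b"\0")
    body = cid + struct.pack(">Q", ts) + os.urandom(16)
    tag = hmac.new(psk, body, hashlib.sha256).digest()
    return body + tag


class SPAVerifier:
    """Gateway side. Every path that is not 'open' silently drops the datagram:
    nothing is ever sent back, so a scanner gets no signal that a listener exists."""

    def __init__(self, psk: bytes = PSK, window_s: int = WINDOW_S):
        self.psk = psk
        self.window_s = window_s
        self.seen: Dict[bytes, int] = {}   # nonce -> timestamp, for replay rejection

    def verify(self, packet: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        if len(packet) != PACKET_LEN:
            return False, "drop: bad length"
        body, tag = packet[:-32], packet[-32:]
        # One HMAC is the whole cost of rejecting junk: far cheaper than a TLS handshake.
        expected = hmac.new(self.psk, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "drop: bad mac"
        cid = body[:16].rstrip(b"\0").decode(errors="replace")
        ts = struct.unpack(">Q", body[16:24])[0]
        nonce = body[24:40]
        if abs(now - ts) > self.window_s:
            return False, "drop: stale timestamp"
        self._forget_old(now)
        if nonce in self.seen:
            # A captured valid packet replayed inside the window is still refused,
            # so leaked knowledge of the exchange does not buy a flood of handshakes.
            return False, "drop: replay"
        self.seen[nonce] = ts
        return True, f"open: {cid}"   # caller now adds a firewall rule for this client

    def _forget_old(self, now: float) -> None:
        # Nonces older than the window can no longer pass the timestamp check anyway.
        for nonce, ts in list(self.seen.items()):
            if now - ts > self.window_s:
                del self.seen[nonce]
```

Only the "open" result leads to a firewall rule being created for the client; every other outcome is a silent drop, which is what keeps the gateway dark to port scans. Production SPA implementations (fwknop, for example) use per-client keys or asymmetric signatures rather than one shared secret, but the verify-cheaply-then-stay-silent structure is the same.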

Man-in-the-Middle

What it is: A Man-in-the-Middle (MitM) attack is one in which an attacker intercepts communications between two parties, either to secretly eavesdrop or to modify the traffic traveling between them. Attackers use MitM attacks to steal login credentials or personal information, spy on the victim, sabotage communications, or corrupt data. There are many tactics, techniques, and procedures (TTPs) for performing MitM attacks, but they all involve the attacker silently sitting in the middle, between the source and the destination.

How SDP helps: Software-Defined Perimeters incorporate dynamic firewall rules. SDP grants users access to protected resources by dynamically creating and removing firewall rules in the SDP gateways, with each rule bound to a specific user on a specific device. Before granting access, SDP evaluates the user's identity, project and time, and location against pre-defined conditions.

The Software-Defined Perimeter uses the full TLS standard to provide mutual, two-way cryptographic authentication. SDP ensures that the device requesting access holds a private key that is neither expired nor revoked. Device Validation (DV) uses mutual TLS to prove that the key is held by the proper device, and additionally checks that the device is running trusted software and is being used appropriately.

Public Facing Application Exploits

Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), and SQL injection (SQLi) are all application exploits in which attacker-controlled input is fed to a browser or application, tricking it into undertaking malicious actions.

  • Cross-Site Request Forgery (CSRF) is an attack that forces an end user's web browser into executing an unwanted action in an application to which the user is currently authenticated.
  • Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.
  • A SQL injection (SQLi) attack consists of inserting SQL syntax into a query via the input data sent from the client to the application.

In this context we define a public-facing app as any application running a service that is exposed on a network. An internal application becomes exposed as soon as an attacker gains a foothold inside the network, and it can then be systematically exploited with these same techniques (CSRF, XSS, SQLi).

How SDP helps: SDP provides fine-grained micro-segmentation between clients and protected servers, constraining applications to communicate only with specific approved IPs, ports, and/or protocols through encrypted tunnels, essentially building a micro-perimeter around a workload, app, or database. Microsegmentation
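The dynamic-firewall behavior described in the Man-in-the-Middle section and the micro-segmentation described here, as an added example that is not part of the original post or of AppGate SDP: an authenticated session (user plus validated device) is evaluated against entitlements carrying device-posture and time-of-day conditions, and only the approved source-to-destination flows become firewall entries, each with a TTL. The entitlement schema, the posture flag names, and the nftables table and set names (`inet sdp`, `allow_tcp`) are assumptions; the emitted commands assume a concatenated set with `flags timeout` already exists on the gateway.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entitlement:
    """One approved flow: who may reach which host:port/proto, and under what conditions.
    Schema is assumed for this example."""
    user: str
    dst_ip: str
    port: int
    proto: str                               # "tcp" or "udp"
    require_posture: Tuple[str, ...] = ()    # device checks that must all be true
    hours_utc: Tuple[int, int] = (0, 24)     # [start, end) hour window in which access is allowed


@dataclass
class Session:
    """An authenticated user on a validated device, i.e. what SPA + mTLS + DV established."""
    user: str
    device_id: str
    src_ip: str
    posture: Dict[str, bool]                 # e.g. {"disk_encrypted": True, "edr_running": False}


class DynamicFirewall:
    def __init__(self, entitlements: List[Entitlement], ttl_s: int = 300):
        self.entitlements = entitlements
        self.ttl_s = ttl_s
        # (proto, src, dst, port) -> expiry time; mirrors the timed set on the gateway
        self.active: Dict[Tuple[str, str, str, int], float] = {}

    def evaluate(self, s: Session, now: float) -> List[Entitlement]:
        """Return the entitlements this session's identity, posture and time satisfy."""
        hour = time.gmtime(now).tm_hour
        granted = []
        for e in self.entitlements:
            if e.user != s.user:
                continue
            if not all(s.posture.get(flag, False) for flag in e.require_posture):
                continue
            if not (e.hours_utc[0] <= hour < e.hours_utc[1]):
                continue
            granted.append(e)
        return granted

    def admit(self, s: Session, now: float = None) -> List[str]:
        """Emit nft commands that open only the approved flows for this user+device,
        each as a timed set element so the kernel expires it even if we crash."""
        now = time.time() if now is None else now
        cmds = []
        for e in self.evaluate(s, now):
            key = (e.proto, s.src_ip, e.dst_ip, e.port)
            self.active[key] = now + self.ttl_s
            cmds.append(f"nft add element inet sdp allow_{e.proto} "
                        f"{{ {s.src_ip} . {e.dst_ip} . {e.port} timeout {self.ttl_s}s }}")
        return cmds

    def expire(self, now: float = None) -> List[str]:
        """Tear down entries whose TTL has passed (explicit removal mirrors session end)."""
        now = time.time() if now is None else now
        cmds = []
        for key, exp in list(self.active.items()):
            if exp <= now:
                proto, src, dst, port = key
                cmds.append(f"nft delete element inet sdp allow_{proto} {{ {src} . {dst} . {port} }}")
                del self.active[key]
        return cmds

    def permits(self, proto: str, src: str, dst: str, port: int, now: float = None) -> bool:
        """Would the gateway forward this flow right now? Anything not listed is dropped."""
        now = time.time() if now is None else now
        exp = self.active.get((proto, src, dst, port))
        return exp is not None and exp > now
```

The companion gateway configuration assumed by the emitted commands is a set declared as `type ipv4_addr . ipv4_addr . inet_service ; flags timeout ;` and a single forward rule of the form `ip saddr . ip daddr . tcp dport @allow_tcp accept` with a default drop policy; every flow a user has not been entitled to, including one from the same device to a neighbouring host, never matches and is dropped.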

Single-Packet Authorization cloaks infrastructure so that only verified users can communicate with the system, leaving it invisible to port scans. The gateways and controllers that protect applications are completely cloaked, so they cannot be probed, scanned, or attacked. A port scan of the system shows no open ports, which significantly reduces the network attack surface, prevents network reconnaissance, and limits lateral movement on the network.

Lateral Movement

There are many TTPs for moving laterally, credential-based or otherwise. Pass the Hash (PtH) and Pass the Ticket (PtT) attacks target the authentication process itself: each captures credential material by a different technique and replays it to access systems. Attackers often use these techniques to move laterally inside the network once they have established a foothold or persistence (see the MITRE ATT&CK framework). Here are two examples of lateral movement using credential-based attacks.

  • Pass the Hash (PtH) captures a user's password hash, which the attacker then replays to authenticate as that user without ever knowing the password.
  • Pass the Ticket (PtT) is a method that leverages Kerberos authentication. Kerberos tickets for valid accounts are captured by credential dumping, and a valid ticket grants access to a particular resource; Kerberos authentication with a stolen ticket can be the first step of lateral movement to a remote system.

How SDP helps: DV and mTLS are the primary security layers that mitigate lateral movement with PtH and PtT techniques. SDP creates mutually authenticated, encrypted TLS tunnels to protected applications only after authenticating and authorizing both the device and the user, and communication is allowed only through that tunnel. Other applications on the device are blocked from using the tunnel, and other devices can be blocked from even reaching the network hosting the application in the first place, which stops these attacks before they start. The dynamic firewall layer also plays a key role in preventing lateral movement: it tethers users to devices, then dynamically creates and removes firewall rules so that those users can reach only the protected resources they are entitled to.

AppGate SDP, the leading Software-Defined Perimeter 

AppGate SDP is the leading Software-Defined Perimeter that meets and exceeds the Cloud Security Alliance’s specification. AppGate SDP is the industry’s only SDP provider that can:

  • Support all protocols on any device (including IoT)
  • Support legacy (non SAML) apps
  • Simplify resource entitlement assignments to scaled resources using auto-resolvers
  • Hybrid cloud on a single platform
  • Provide North/South and East/West micro-segmentation
  • Carrier tested scale (to 36Gbps on 40Gbps NIC) and high availability
