Chris Scheels, September 19, 2019
Preventing Network Cyber Attacks with a Software-Defined Perimeter
Cyber attacks are ever-present, but a Software-Defined Perimeter can help mitigate the few tried-and-tested methods attackers favor, from Distributed Denial-of-Service (DDoS) to Man-in-the-Middle attacks.
Gone are the days of the trusted perimeter. Today attacks come from every direction, whether from malicious insiders or external threats, so it is essential to protect your perimeter-less environment. A Software-Defined Perimeter (SDP) that implements Zero Trust helps prevent some mainstream methods of attack. This sentiment is echoed by the Cloud Security Alliance (CSA):
“The SDP security model has been shown to stop all forms of network attacks including DDoS, Man-in-the-Middle, Server Query (OWASP10) as well as Advanced Persistent Threat.”
A Software-Defined Perimeter architecture was developed to mitigate these network attacks. SDP consists of five layers of security controls: Single Packet Authorization (SPA), mutual Transport Layer Security (mTLS), Device Validation (DV), dynamic firewalls, and Application Binding (AppB). Detailed descriptions of each of the five layers are summarized here.
How a Software Defined Perimeter Prevents Common Cyber Exploits
There are four common exploits attackers use to gain access to networks, and these can be eliminated with a Software-Defined Perimeter. Here we outline the common exploits and how an SDP can be beneficial.
What it is: The number of global Distributed Denial-of-Service (DDoS) attacks is increasing, making DDoS one of the most common forms of cyber attack. A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks are effective because they use multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. At a high level, a DDoS attack is like a traffic jam clogging up the highway, preventing regular traffic from arriving at its desired destination.
How SDP helps: A Software-Defined Perimeter eliminates DDoS attacks against network resources by making them invisible or “black” (a Department of Defense (DoD) term meaning the infrastructure cannot be detected). mTLS and DV both contribute, but the primary security control that prevents DDoS is SPA. It is based on the concept of port knocking and improves on it by including a cryptographic hash. SPA has been around for a while, and it is the first layer of security in SDP. It makes the SDP solution itself invisible, so bad actors find nothing to attack. Even if an attacker somehow obtained inside knowledge of the SPA scheme, the service still cannot be DDoS’ed, because the server discards the DoS attempt before entering the mTLS handshake. SPA also has far lower CPU overhead than traditional authentication, by an order of magnitude.
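To make the "discard before the mTLS handshake" point concrete, here is an added example (not code from the original post or from any SDP product) of a minimal SPA exchange. The packet layout (`client_id | timestamp | nonce | HMAC-SHA256`), the 30-second replay window and the shared key are all assumptions for this example; real implementations such as fwknop add encryption and more fields. The gateway never replies to anything, so a scanner gets no signal, and a forged or replayed datagram costs one HMAC computation and is dropped before any TLS state exists.

```python
import hashlib
import hmac
import secrets
import time
from typing import List, Optional, Set, Tuple

# Constructed sample key; in practice it is provisioned per client out of band.
SHARED_KEY = b"example-spa-shared-key-not-for-production"
WINDOW_SECONDS = 30  # maximum clock drift before a packet is treated as stale


def build_spa_packet(client_id: str, key: bytes, now: Optional[int] = None) -> bytes:
    """Client side: one UDP datagram carrying client_id | timestamp | nonce | HMAC."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    body = f"{client_id}|{ts}|{nonce}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


class SpaGateway:
    """Gateway side: validates SPA datagrams and opens short-lived firewall rules.

    Nothing is ever sent back, so port scans and bogus packets get no response."""

    def __init__(self, key: bytes, window: int = WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen_nonces: Set[str] = set()
        self.open_rules: List[Tuple[str, int]] = []  # (client_id, expiry epoch)
        self.dropped = 0  # counter a defender would export to monitoring

    def handle_packet(self, payload: bytes, now: Optional[int] = None) -> bool:
        """Returns True only when a firewall rule was opened for the sender."""
        now = int(time.time()) if now is None else now
        parts = payload.split(b"|")
        if len(parts) != 4:
            return self._drop()  # malformed: silently discard
        body = b"|".join(parts[:3])
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time compare first: an unauthenticated packet costs one HMAC
        # and is discarded before any TLS work is done.
        if not hmac.compare_digest(expected, parts[3]):
            return self._drop()
        client_id, ts_b, nonce = (p.decode() for p in parts[:3])
        if not ts_b.isdigit() or abs(now - int(ts_b)) > self.window:
            return self._drop()  # stale timestamp: replay outside the window
        if nonce in self.seen_nonces:
            return self._drop()  # replay inside the window
        self.seen_nonces.add(nonce)
        self.open_rules.append((client_id, now + self.window))
        return True

    def _drop(self) -> bool:
        self.dropped += 1
        return False


if __name__ == "__main__":
    gw = SpaGateway(SHARED_KEY)
    pkt = build_spa_packet("laptop-42", SHARED_KEY)
    print("valid packet opened a rule:", gw.handle_packet(pkt))
    print("replayed packet opened a rule:", gw.handle_packet(pkt))
```

The order of checks matters: the HMAC is verified before the timestamp or nonce is even parsed, so the cost of an unauthenticated packet is fixed and small, which is what keeps a flood from exhausting the gateway.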
What it is: A Man-in-the-Middle (MitM) attack is when an attacker intercepts communications between two parties either to secretly eavesdrop or modify traffic traveling between the two. Attackers can leverage MitM attacks to steal login credentials or personal information, spy on the victim, or sabotage communications or corrupt data. There are many tactics, techniques, and procedures (TTPs) that are used to perform MitM attacks, but they all involve the attacker silently sitting in the middle, between the source and destination.
How SDP helps: Software-Defined Perimeters incorporate dynamic firewall rules. SDP enables users to access protected resources by dynamically creating and removing firewall rules in the SDP gateways, binding each individual device to specific users. SDP analyzes the user’s identity, project/time, and location and evaluates their context against pre-defined conditions before granting access.
The Software-Defined Perimeter uses the full TLS standard to provide mutual, two-way cryptographic authentication. SDP ensures that the device requesting access possesses a private key that is neither expired nor revoked. Device Validation (DV) proves that the key is held by the proper device using mutual TLS. DV also checks that the device is running trusted software and is being used appropriately.
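The two paragraphs above describe a control loop: validate the device, evaluate the user's context against pre-defined conditions, then create firewall rules bound to that specific user and device and remove them when the conditions stop holding. The following is an added example of that loop (not code from the original post or from any SDP product). The policy fields, the posture signals (`disk_encrypted`, `os_patched`), the daily access window and the sample IPs are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set, Tuple


@dataclass
class DeviceState:
    """Signals the SDP client reports about its device (constructed schema)."""
    cert_not_after: datetime  # expiry of the device's client certificate
    cert_revoked: bool        # outcome of a CRL/OCSP lookup, simulated here
    disk_encrypted: bool      # posture checks the policy requires (assumed signals)
    os_patched: bool


@dataclass
class Context:
    user: str
    groups: Set[str]
    device_id: str
    device: DeviceState
    source_ip: str
    country: str
    now: datetime


@dataclass
class Policy:
    name: str
    resource: str              # "ip:port/proto" the rule opens, e.g. "10.0.20.5:5432/tcp"
    allowed_groups: Set[str]
    allowed_countries: Set[str]
    window_start: time         # daily access window (local time)
    window_end: time


@dataclass(frozen=True)
class Rule:
    """One dynamic firewall entry: a single (user, device) pair to one resource."""
    src_ip: str
    resource: str
    user: str
    device_id: str
    policy: str


class SdpGateway:
    def __init__(self, policies: List[Policy]):
        self.policies = policies
        self.rules: Dict[Tuple[str, str], List[Rule]] = {}  # keyed by (user, device)

    def device_valid(self, ctx: Context) -> bool:
        """Device Validation: key still valid, not revoked, posture acceptable."""
        d = ctx.device
        return (d.cert_not_after > ctx.now and not d.cert_revoked
                and d.disk_encrypted and d.os_patched)

    def _matches(self, p: Policy, ctx: Context) -> bool:
        return (bool(p.allowed_groups & ctx.groups)
                and ctx.country in p.allowed_countries
                and p.window_start <= ctx.now.time() <= p.window_end)

    def evaluate(self, ctx: Context) -> List[Rule]:
        """Run on every connection or context change. Rules that no longer
        match are removed from the gateway rather than left open."""
        key = (ctx.user, ctx.device_id)
        if not self.device_valid(ctx):
            self.rules.pop(key, None)  # a DV failure revokes everything at once
            return []
        rules = [Rule(ctx.source_ip, p.resource, ctx.user, ctx.device_id, p.name)
                 for p in self.policies if self._matches(p, ctx)]
        if rules:
            self.rules[key] = rules
        else:
            self.rules.pop(key, None)
        return rules


def demo_policies() -> List[Policy]:
    """Constructed sample policies: a finance database and a staff wiki."""
    return [
        Policy("finance-db", "10.0.20.5:5432/tcp", {"finance"}, {"US"}, time(8, 0), time(18, 0)),
        Policy("wiki", "10.0.30.8:443/tcp", {"staff"}, {"US", "GB"}, time(0, 0), time(23, 59)),
    ]


def make_context(user: str, groups: Set[str], device_id: str, country: str,
                 hour: int, cert_revoked: bool = False, os_patched: bool = True) -> Context:
    """Builds a request context for a fixed sample day (constructed data)."""
    device = DeviceState(datetime(2030, 1, 1), cert_revoked, True, os_patched)
    return Context(user, groups, device_id, device, "203.0.113.7", country,
                   datetime(2024, 5, 6, hour, 30))


if __name__ == "__main__":
    gw = SdpGateway(demo_policies())
    for r in gw.evaluate(make_context("alice", {"finance", "staff"}, "lap-1", "US", 10)):
        print(f"allow {r.src_ip} -> {r.resource} ({r.user}/{r.device_id}, policy {r.policy})")
```

Two design points worth noticing: rules are keyed by the (user, device) binding rather than by source IP alone, so a second device on the same address gets nothing, and a device-validation failure tears down every rule for that pair instead of leaving existing sessions open.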
Public Facing Application Exploits
Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), and SQL injection (SQLi) are all application exploits that inject code, tricking browsers or applications into undertaking malicious actions.
- Cross-Site Request Forgery (CSRF) is an attack that forces an end user’s web browser into executing an unwanted action in an application to which a user is currently authenticated.
- Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
- A SQL injection (SQLi) attack consists of insertion of a SQL query via the input data from the client to the application.
In this context we define a public-facing app as any application that runs a service exposed on a network. An internal network application becomes exposed if an attacker gains a foothold inside the network, and such apps can then be systematically exploited using these same techniques (CSRF, XSS, SQLi).
How SDP helps: SDP provides fine-grained micro-segmentation between clients and protected servers, constraining applications to communicate only with specific approved IPs, ports, and/or protocols through encrypted tunnels. Essentially, this builds a micro-perimeter around a workload, app, or database. Microsegmentation
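The "foothold inside the network" scenario above is easiest to reason about as a reachability question: from a given compromised host, which listening services can still be connected to? Here is an added example (not code from the original post or from any SDP product) that models a constructed three-tier application plus an internal wiki, with an allow-list of approved (source, destination, port, protocol) flows and default deny, and compares the reachable services against a flat network. Workload names, IPs and the approved flows are all assumptions for the example; it goes a little beyond the text by also covering east/west flows between tiers.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Service = Tuple[str, int, str]       # (workload, port, proto)
Flow = Tuple[str, str, int, str]     # (src workload, dst workload, dst port, proto)


@dataclass
class Workload:
    name: str
    ip: str
    listening: Set[Tuple[int, str]]  # services this workload exposes


class MicroSegmentation:
    """Allow-list of approved flows; anything not listed is dropped (default deny)."""

    def __init__(self, approved: Set[Flow]):
        self.approved = approved

    def permits(self, src: str, dst: str, port: int, proto: str) -> bool:
        return (src, dst, port, proto) in self.approved


def reachable_services(workloads: Dict[str, Workload], foothold: str,
                       policy: Optional[MicroSegmentation]) -> Set[Service]:
    """Services an attacker holding `foothold` could open a connection to.
    policy=None models a flat network where any host reaches any listener."""
    reachable: Set[Service] = set()
    for w in workloads.values():
        if w.name == foothold:
            continue
        for port, proto in w.listening:
            if policy is None or policy.permits(foothold, w.name, port, proto):
                reachable.add((w.name, port, proto))
    return reachable


def demo_environment() -> Tuple[Dict[str, Workload], MicroSegmentation]:
    """Constructed environment: web -> app -> db tiers, an HR wiki, a user workstation."""
    workloads = {
        "workstation": Workload("workstation", "10.0.1.15", set()),
        "web": Workload("web", "10.0.10.3", {(443, "tcp")}),
        "app": Workload("app", "10.0.20.4", {(8080, "tcp")}),
        "db": Workload("db", "10.0.20.5", {(5432, "tcp")}),
        "hr-wiki": Workload("hr-wiki", "10.0.30.8", {(443, "tcp")}),
    }
    approved: Set[Flow] = {
        ("workstation", "web", 443, "tcp"),      # north/south: users to the front end
        ("workstation", "hr-wiki", 443, "tcp"),
        ("web", "app", 8080, "tcp"),             # east/west: only tiers that must talk
        ("app", "db", 5432, "tcp"),
    }
    return workloads, MicroSegmentation(approved)


def blast_radius(foothold: str) -> Tuple[int, int]:
    """(services reachable on a flat network, services reachable under segmentation)."""
    workloads, policy = demo_environment()
    return (len(reachable_services(workloads, foothold, None)),
            len(reachable_services(workloads, foothold, policy)))


if __name__ == "__main__":
    for host in ("workstation", "web", "app"):
        flat, segmented = blast_radius(host)
        print(f"foothold on {host}: {flat} services reachable flat, {segmented} segmented")
```

The point the numbers make is the one in the paragraph above: a compromised web tier can still only reach the app tier's approved port, and nothing on the database or the wiki is even visible to it, so an application exploit on one service does not translate into reachability of the rest of the network.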