
Jason Garbis, December 18, 2017
Software-Defined Perimeter: Identity-Based Security for Hybrid Environments
I’ve talked a lot about what a software-defined perimeter (SDP) is and the benefits of SDP over network access control (NAC) solutions. At a high level, a software-defined perimeter looks like the following image.

And it offers:
- Individualized perimeter for each user
- Fine-grained authorization for on-premises and cloud
- Contextual awareness that drives access and authorization
- Simplified firewall and security group rules
- The ability to dynamically adjust to new server instances
- Consistent access policies across heterogeneous environments
SDP overcomes security issues found in traditional TCP/IP.
TCP/IP was designed for a more open world

Its “connect first, authenticate second” approach puts organizations at risk and exhibits many security vulnerabilities:
- Servers are subject to reconnaissance scans
- Unauthenticated users can exploit servers
- Systems are vulnerable to DDoS attacks
- Unauthorized users consume server resources
The Software-Defined Perimeter stops attackers but allows authorized users to connect

It takes an “authenticate first, connect second” approach, ensuring that only authorized users can connect to network resources. This reduces the attack surface and significantly improves security:
- All resources are invisible to potentially dangerous reconnaissance
- Only authenticated users can connect
- DDoS attacks are ineffective
- Unauthorized users cannot impact servers
AppGate SDP Implements the Software-Defined Perimeter Specification
AppGate SDP is a distributed, scalable and highly available architecture that is protected by Single-Packet Authorization.
Here you can see how AppGate’s Software-Defined Perimeter solution works in a production environment:

1
- Controller integrates with PKI and IAM systems
- Controller is an authentication point and policy store
- System is administered via graphical admin console
2
- Secure client onboarding process
- Client authenticates to Controller
- Communication secured with mutual TLS
3
- Distributed Gateways protect cloud and network resources
- Clients securely access resources via Gateways with mutual TLS tunnels
- Real-time policy enforcement by Gateway
- Gateways dynamically adjust user access as systems change
4
- Controller continuously monitors for context changes, adapts entitlements accordingly
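The “authenticate first, connect second” model and the Single-Packet Authorization mentioned above can be modelled in code from the gateway's point of view. This is an added example, not AppGate's code or wire format: the packet layout, the `Gateway` class, `CLIENT_ID` and the 30-second freshness window are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed layout for this example (not a real wire format):
# client_id (16 bytes) | timestamp (8 bytes, big-endian) | nonce (16 bytes) | HMAC-SHA256 tag
HEADER = struct.Struct(">16sQ16s")
TAG_LEN = 32
MAX_SKEW = 30  # seconds a packet stays fresh (assumed value)
CLIENT_ID = b"laptop-alice-001"  # constructed 16-byte client identifier

def build_spa_packet(client_id, key, now, nonce=b""):
    """Client side: one self-authenticating packet sent before any connection."""
    body = HEADER.pack(client_id, now, nonce or os.urandom(16))
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Gateway:
    """Default-drop gateway: a source may connect only after its packet verifies."""
    def __init__(self, client_keys):
        self.client_keys = client_keys  # client_id -> shared key, provisioned at onboarding
        self.seen_nonces = set()        # a production gateway would expire old entries
        self.allowed = set()            # stands in for dynamically added firewall rules

    def handle_packet(self, src_ip, packet, now):
        if len(packet) != HEADER.size + TAG_LEN:
            return False  # malformed: drop silently, send no reply
        body, tag = packet[:HEADER.size], packet[HEADER.size:]
        client_id, ts, nonce = HEADER.unpack(body)
        key = self.client_keys.get(client_id)
        # Compute a tag even for unknown ids so timing does not reveal which ids exist.
        expected = hmac.new(key or b"\x00" * 32, body, hashlib.sha256).digest()
        if key is None or not hmac.compare_digest(expected, tag):
            return False  # unknown client or forged/tampered packet
        if abs(now - ts) > MAX_SKEW:
            return False  # stale capture
        if nonce in self.seen_nonces:
            return False  # replay of a previously accepted packet
        self.seen_nonces.add(nonce)
        self.allowed.add(src_ip)
        return True

    def accept_connection(self, src_ip):
        return src_ip in self.allowed
```

Every rejection path returns without responding, which is what keeps the protected resource invisible to a scan; only after `handle_packet` succeeds would the mutual TLS tunnel to the Gateway be attempted.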