Goodbye VPN and Welcome SDP

We have all become used to using a VPN: an application installed on your laptop or mobile device that lets you access internal applications while traversing an insecure public network. VPN has its advantages; however, the list of disadvantages is long, and so in 2007 a new solution was created: the software defined perimeter (SDP). In this short blog post I will provide an overview of VPN and SDP.

VPN

VPN (virtual private network) started with an approach called Peer to Peer Tunnel Protocol (PPTP). Its request for comments (RFC 2637) was published by a consortium led by Microsoft in July 1996, and the main idea was to create a secure connection between two endpoints (typically an end-user device and a secure endpoint such as a firewall), allowing them to communicate securely. The connection is also referred to as a tunnel. PPTP is no longer in use, as the NSA apparently managed to break into PPTP tunnels, rendering it insecure.

As noted, a VPN basically creates a secure (encrypted) connection between a client (say, a laptop running Windows or Linux) and a server (a network component). Secure means that the traffic between the two endpoints is encrypted with an encryption protocol.

The VPN security model provides:

  • confidentiality, such that even if the network traffic is sniffed at the packet level (for example with a network sniffer or deep packet inspection), an attacker would see only encrypted data
  • sender authentication to prevent unauthorized users from accessing the VPN
  • message integrity to detect any instances of tampering with transmitted messages

However, as VPN is a design from the mid-1990s, a number of challenges and restrictions exist (the list is longer, but here we consider only the key points):

  1. All or nothing:
    • Traditional VPN services are too lenient, allowing staff to access far more of the network than they need for their day-to-day work. As a result, these resources gain unwarranted visibility and become more susceptible to compromise, for example via phishing.
  2. Speed:
    • As every communication has to traverse the VPN server, which encrypts and decrypts each packet, overall end-to-end performance can suffer.
  3. Open to attacks (MITM):
    • In a security breach known as "man in the middle" (MITM), an attacker enters the communication channel between an application and a user that has an open VPN, potentially leaving an open door for the attacker.
  4. Not ideal for a hybrid landscape:
    • As soon as applications move from the local data centre to public cloud providers hosting IaaS, SaaS or PaaS capabilities, VPN can become very complex.

Because VPNs can be rather slow for users, introduce security risk, and are difficult to manage, Gartner predicts that, “By 2023, 60% of enterprises will phase out most of their remote access VPNs in favour of Zero Trust Network Access [SDPs].”

Software Defined Perimeter

SDP was first developed by the Defense Information Systems Agency (DISA) as a result of the Global Information Grid project back in 2007. In 2011, while SDP was still a new concept, Google became an early adopter with the development of its own SDP solution, known as Google BeyondCorp.

SDP is a security approach that covers local, cloud and mobile. While VPN is typically focused on the data center, SDP applies everywhere and uses business-context policy to determine who gets access to which resources. SDP grants access to internal applications based on a user's identity, with trust that adapts based on context. SDPs are 100% software-defined and built on a "need-to-know" model, with trust that is constantly monitored and adapted based on a range of criteria. SDP makes the application infrastructure invisible to the internet, so it evades network-based attacks (DDoS, ransomware, malware, server scanning, etc.) and reduces business risk.

The SDP connection workflow consists of the following steps:
  1. One or more SDP Controllers are brought online and connected to the appropriate optional authentication and authorization services.
  2. One or more Accepting SDP Hosts are brought online. These hosts connect to and authenticate to the Controllers.
  3. Each Initiating SDP Host that is brought online connects with, and authenticates to, the SDP Controllers.
  4. After authenticating the Initiating SDP Host, the SDP Controllers determine a list of Accepting Hosts to which the Initiating Host is authorized to communicate.
  5. The SDP Controller instructs the Accepting SDP Hosts to accept communication from the Initiating Host as well as any optional policies required for encrypted communications.
  6. The SDP Controller gives the Initiating SDP Host the list of Accepting Hosts as well as any optional policies required for encrypted communications.
  7. The Initiating SDP Host initiates a mutual VPN connection to all authorized Accepting Hosts.
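As an added illustration (not code from the original post or from any SDP product), here is a toy Python model of the seven steps above: the Controller authenticates an Initiating Host, provisions only the Accepting Hosts that the policy allows, and every other host refuses the connection, so the "need-to-know" model replaces a VPN's flat network. User names, tokens, host names and the policy table are constructed.

```python
# Toy model of the SDP connection workflow (steps 1-7 above). Added example;
# not code from the original post or any SDP product. Users, tokens, host
# names and the policy table are constructed.
from dataclasses import dataclass, field

# Step 1 (constructed): the Controller's authorization policy, a need-to-know
# mapping of user -> the Accepting Hosts that user may reach.
POLICY = {"alice": {"payroll-app", "wiki"}, "bob": {"wiki"}}
# Constructed stand-in for a real authentication service.
TOKENS = {"alice": "tok-alice", "bob": "tok-bob"}


@dataclass
class AcceptingHost:
    name: str
    # Default deny: only Initiating Hosts the Controller provisioned (step 5)
    # are accepted; anyone else gets no response, so the host stays "dark".
    allowed: set = field(default_factory=set)

    def accept(self, initiating_host: str) -> bool:
        return initiating_host in self.allowed


@dataclass
class Controller:
    hosts: dict  # Step 2: Accepting Hosts registered with the Controller.

    def authenticate(self, user: str, credential: str) -> bool:
        return TOKENS.get(user) == credential  # Step 3

    def onboard(self, user: str, credential: str) -> set:
        """Steps 4-6: compute the authorized Accepting Hosts, tell each of them
        to accept this Initiating Host, and return the list to the IH."""
        if not self.authenticate(user, credential):
            return set()
        authorized = POLICY.get(user, set()) & set(self.hosts)
        for name in authorized:
            self.hosts[name].allowed.add(user)  # Step 5
        return authorized                        # Step 6


def connect(controller: Controller, user: str, credential: str, targets) -> dict:
    """Step 7: the Initiating Host tries to reach each target; returns which
    Accepting Hosts actually accepted. Hosts outside the authorized list (or
    every host, if authentication failed) refuse the connection."""
    controller.onboard(user, credential)
    return {t: controller.hosts[t].accept(user) for t in targets}


def build_demo() -> Controller:
    """Fresh Controller with three constructed Accepting Hosts."""
    return Controller({n: AcceptingHost(n) for n in ("payroll-app", "wiki", "hr-db")})
```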

Summary

It seems that, like PPTP, VPN will be phased out over the next couple of years and replaced with SDP. SDP looks like the new way for us to access confidential and secure applications and systems.

Thanks for Reading
