Software-Defined Perimeter architecture

A Software-Defined Perimeter (SDP) is an approach to network and communication security in which no device or user is trusted by default. It is based on the Defense Information Systems Agency (DISA)'s black cloud, where information is shared strictly on a need-to-know basis. An SDP can mitigate attacks such as DDoS, man-in-the-middle (MITM), zero-day exploits, and server scanning, among others. Along with providing an overlay and micro-segmentation for each attached device, the perimeter creates an invitation-only (identity-based) security perimeter around users, clients, and IoT devices.

An SDP can be used to create an overlay network, which is a network built on top of another network. A historical reference is legacy internet services built upon the pre-existing telephone network. In this hybrid networking approach, the distributed control plane remains the same: edge routers and virtual switches steer data based on control plane rules, and multiple overlay networks can be built on the same infrastructure. Since an SDN remains persistent in much the same way as a wired network, it is ideal for real-time applications, remote monitoring, and complex event processing. The ability to create multiple overlay networks using the same edge components allows for micro-segmentation, where different resources have a direct relationship with different consumers of data. Each resource-consumer pair is a separate immutable network that can see outside its virtual overlay only as far as the administrator chooses.

Applied to a globally distributed IoT network, this micro-segmentation lets each endpoint build individual and isolated network segments over the existing network infrastructure. In theory, every sensor could be isolated from every other. This is a powerful tool for enabling enterprise connectivity for IoT deployments, as services and devices can be isolated and protected from each other.

The following graphic depicts an SDN overlay example. Here, a corporation has three remote franchises with a number of different IoT and edge devices at each store. The network resides on an SDN overlay network with micro-segments isolating the corporately managed POS and VoIP systems from various sensors for security, insurance, and cold storage monitoring. Third-party service providers can manage various remote sensors using an isolated and secure virtual overlay network that covers only the devices they manage:

Figure: An example SDN overlay network.

An SDP can further extend security by developing an invitation system, forcing a pair of devices to authenticate first and connect second. Only a pre-authorized user or client may be added to a network. That authorization is extended by an invitation from the control plane via email or some registration facility. If the user accepts the invitation, client certificates and credentials are extended to that system alone. The resource extending the invitation maintains a record of extended certificates and will only provide an overlay connection when both parties accept the role. 

The real-world analogy is how one sends invitations for a party. Invitations are mailed out to selected individuals, with a date, time, address, and other details. Those individuals may or may not want to attend the party (it is up to them). The alternative is to advertise on the web, TV, and radio that you are having a party and then authenticate each person as they arrive at the door.
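The invitation flow described above (invite first, authenticate, then connect, with one isolated segment per resource-consumer pair) can be modelled as a small control plane. The following is an added illustration, not code from the book or any SDP product; the class, method names, the HMAC-derived credential standing in for a client certificate, and the "pos-server"/"store1-pos" names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Invitation:
    resource: str
    client: str
    token: str                       # one-time secret delivered out of band (e.g. e-mail)
    accepted_by_resource: bool = True  # extending the invitation is the resource's acceptance
    accepted_by_client: bool = False


class SdpControlPlane:
    """Constructed toy control plane: default deny, per-pair micro-segments."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # signs credentials so the record can't be forged
        self._invites = {}  # (resource, client) -> Invitation
        self._creds = {}    # (resource, client) -> credential issued on acceptance

    def invite(self, resource, client):
        """Resource extends an invitation to one client; returns the token to deliver."""
        token = secrets.token_urlsafe(16)
        self._invites[(resource, client)] = Invitation(resource, client, token)
        return token

    def accept(self, resource, client, token):
        """Client accepts; a credential bound to this pair alone is issued and recorded."""
        inv = self._invites.get((resource, client))
        if inv is None or not hmac.compare_digest(inv.token, token):
            return None  # unknown pair or wrong token: nothing issued
        inv.accepted_by_client = True
        cred = hmac.new(self._key, f"{resource}:{client}".encode(), hashlib.sha256).hexdigest()
        self._creds[(resource, client)] = cred
        return cred

    def authorize(self, resource, client, cred):
        """Overlay connection is granted only when both parties accepted and the
        presented credential matches the record for exactly this resource-client pair."""
        inv = self._invites.get((resource, client))
        expected = self._creds.get((resource, client))
        if inv is None or expected is None:
            return False
        both_accepted = inv.accepted_by_resource and inv.accepted_by_client
        return both_accepted and hmac.compare_digest(expected, cred)
```

A credential issued for one pair does not open any other segment: presenting the POS credential to the VoIP resource is refused, which is the per-pair isolation the micro-segmentation paragraphs describe.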