Software-Defined Perimeter

The Challenge

The Internet is a marvelous achievement. Its ability to share information instantaneously across the globe has fundamentally transformed businesses and enhanced our quality of life. Ironically, it is that same openness and collaborative nature of the Internet that now represents its most challenging impediment to continued growth and sustainability – Security. The foundation of the Internet is built on a communication access protocol (TCP/IP) that allows every IP-addressable device on the Internet to effectively “see” every other device. Secure access to applications and data is based on an outdated “trust and verify” approach, which has become a treasure-trove of opportunity for malicious activity and hackers. The security industry has valiantly focused on implementing countless layers of security to guard against the never-ending deluge of cybersecurity attacks and threats. Unfortunately, it’s not a matter of if, but when the next security event or data breach will occur. The security industry has now resorted to focusing on how quickly it can identify an exploitation and remediate to limit the organization’s risk exposure. Additionally, the accelerated movement towards remotely accessing cloud-based applications and data from outside an organization’s traditional network perimeter (e.g. through public Wi-Fi and mobile 4G/5G networks) represents an even greater challenge of securing valuable data and preventing credential theft. Organizations have been exposing their critical computing resources to the world in the same way for over 30 years (since the invention of the firewall), and no matter how many layers of security are added, hackers are able to infiltrate cybersecurity defenses or bring down services using Advanced Persistent Threats and Distributed Denial of Service (DDoS) attacks. It’s time to rethink the way organizations allow access to their valuable data and application services.

Software Defined Perimeter

Originally conceived by the Defense Information Systems Agency (DISA), Software-Defined Perimeter (SDP) technology was created to defend against large and sophisticated DDoS attacks by only allowing access to restricted network resources on a “need-to-know” basis. SDP complies with the Zero-Trust model, which grants least-privileged access to protected applications only after the device and user have been verified and authorized. In addition to DDoS, SDP addresses many other prevalent cybersecurity issues such as man-in-the-middle connection hijacking, port scanning, and credential theft. A key component of SDP entails rendering an organization’s critical IT infrastructure “invisible” or “dark”, meaning no DNS or IP address information is visible and protected application resources cannot be detected from the Internet or from other internal networks. After all, you can’t hack what you can’t see.

Securing the New Perimeter

What if all critical Internet resources were inherently “invisible” to all users? And what if users and their devices were authorized and verified “prior to” accessing those hidden business-critical application and data resources? It would be like having your own “Cloak of Invisibility” to shield yourself from the Death Eaters, where only those individuals that you can identify and who can recite the secret incantation password would be able to see you.

The good news is you don’t need to travel to the Harry Potter™ universe to get this type of security. Impulse has developed a NAC industry-first solution that extends visibility and device security to remotely connected public Wi-Fi and mobile 4G/5G devices accessing private cloud or public cloud application resources.

The SafeConnect Software-Defined Perimeter (SDP) cloud-based service offering “hides” enterprise application and data resources from the Internet and internal networks and adheres to a “verify first, connect second” Zero-Trust access model, as compared to today’s “connect first, authenticate second” approach. SafeConnect SDP encrypts communications between user devices and enterprise applications, and integrates with Multi-Factor Authentication and Identity Access Management providers to deliver a seamless and consistent user experience.

SafeConnect SDP is comprised of three main components:

  • SDP Client – available for Windows, macOS, iOS and Android devices; ensures the certificate-based mutual TLS VPN only connects to services for which the user is authorized. The SDP Client becomes the network-level device security assessment and policy enforcement point, where access control and network isolation are performed after the user’s device and identity have been cryptographically verified. The SDP Client can be distributed to managed devices or downloaded as part of a patent-pending BYOD onboarding process.
  • SDP Controller – functions as a trust broker between the SDP Client and security policy controls such as Identity Access Management, the Issuing Certificate Authority, and Device Compliance. Once the identity of the SDP Client has been verified and the applicable application services authorized, the SDP Controller configures a mutual TLS VPN session between the SDP Client and SDP Gateway to enable per-session application access. The SDP Controller is cloud-hosted and fully integrated with SafeConnect’s Policy Manager.
  • SDP Gateway – the termination point for the mutual TLS VPN connection from the SDP Client. It is usually deployed as topologically close to the protected application as possible. The SDP Gateway is provided with the SDP Client’s IP address and certificates only after the identity of the requesting device has been verified and the authorization of the user has been determined by the SDP Controller.

SafeConnect SDP includes a cloud-hosted SDP Gateway connector for public cloud SaaS applications, and offers a downloadable VMware virtual appliance or Docker container SDP Gateway instance to protect private cloud and internally-hosted application environments.
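The following is an added illustration of the “verify first, connect second” flow across the three components above and of the “dark” behaviour described earlier; it is a hypothetical model written for this page, not SafeConnect code. It assumes a certificate fingerprint stands in for mutual TLS client authentication, and that the Controller’s policy controls (issuing CA, user entitlements, device compliance) are simple lookup tables.

```python
import hashlib

# Added model of the three-component flow described above, not SafeConnect code:
# the controller verifies certificate, user and device compliance first, then
# provisions the gateway, which otherwise drops every connection attempt.
def fingerprint(cert_pem: bytes) -> str:
    """SHA-256 fingerprint standing in for the client's issued certificate."""
    return hashlib.sha256(cert_pem).hexdigest()

class SDPGateway:
    """Default-deny mTLS termination point; only controller-provisioned sessions pass."""
    def __init__(self):
        self.sessions = {}  # (client_ip, cert_fp, service) -> session expiry time

    def provision(self, client_ip, cert_fp, service, expires_at):
        self.sessions[(client_ip, cert_fp, service)] = expires_at

    def handle(self, client_ip, cert_fp, service, now):
        """'drop' means no reply at all, so a scanner learns nothing ('dark')."""
        expires_at = self.sessions.get((client_ip, cert_fp, service))
        return "drop" if expires_at is None or now >= expires_at else "accept"

class SDPController:
    """Trust broker between the client and the identity, CA and compliance controls."""
    def __init__(self, gateway, issued_certs, entitlements, compliant_devices):
        self.gateway = gateway
        self.issued_certs = issued_certs            # cert_fp -> (user, device_id)
        self.entitlements = entitlements            # user -> set of services
        self.compliant_devices = compliant_devices  # device_ids passing compliance

    def request_access(self, client_ip, cert_pem, service, now, ttl=900):
        """Verify first; the gateway is configured only after every check passes."""
        fp = fingerprint(cert_pem)
        if fp not in self.issued_certs:
            return "denied: certificate not issued by our CA"
        user, device_id = self.issued_certs[fp]
        if device_id not in self.compliant_devices:
            return "denied: device fails compliance"
        if service not in self.entitlements.get(user, set()):
            return "denied: user not authorized for service"
        # Session is bound to the verified client IP, certificate and one service.
        self.gateway.provision(client_ip, fp, service, now + ttl)
        return "authorized"

# Constructed sample data so the model runs stand-alone.
ALICE_CERT = b"-----BEGIN CERTIFICATE-----\nconstructed-alice-cert\n-----END CERTIFICATE-----"
GATEWAY = SDPGateway()
CONTROLLER = SDPController(GATEWAY, {fingerprint(ALICE_CERT): ("alice", "laptop-01")},
                           {"alice": {"hr-app"}}, {"laptop-01"})
```

A probe from an unprovisioned source, a replayed certificate from a different IP, a request for a service outside the user’s entitlements, or an expired session all fall into the same silent drop path.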

Main Use Cases

Legacy VPN Replacement

Less expensive than VPN or NGFW remote access alternatives; no throughput degradation due to VPN encryption; lightweight client requires no end-user configuration; greater security based on an application-session-only (least-privileged) zero-trust access model

Application Security

Make your applications invisible, rendering them undetectable and inaccessible to outsiders; enhance your application and data access security for internal wired and wireless network perimeter devices; address regulatory compliance for a wide variety of industries

Borderless Data Protection

Protect your data with mutual TLS VPN encryption as it leaves your perimeter and as it is accessed from devices connecting outside of the network perimeter (e.g. public Wi-Fi and mobile 4G/5G); protects against credential theft, connection hijacking and data loss

SafeConnect SDP Benefits

Easy to Install

No additional hardware or network integration required; seamlessly operates with existing network access control offerings

Address Regulatory Compliance
Adheres to Zero-Trust/Least Privileged Model

Verify first, connect second access to private and public cloud applications

Customer-Provisioned Cloud Offering

Rapid deployment and maintenance-free 24/7 support

Superior VPN Alternative

Least-privileged per-session application access and higher-performance mutual TLS network encryption, while delivering a better user experience

SaaS Annual Subscription Model

Cost-effective and predictable; term-commitment discounts

Extend Control Beyond Your Perimeter

Prevent data loss from devices accessing public or private cloud application and data resources from outside of your network perimeter

Decreases Network Attack Surface

Hide your applications from the Internet and corporate networks to address DDoS attacks, credential theft, connection hijacking and data loss