Software Defined Perimeter
Originally conceived by the Defense Information Systems Agency (DISA), Software-Defined Perimeter (SDP) technology was created to defend against large and sophisticated DDoS attacks by only allowing access to restricted network resources on a “need-to-know” basis. SDP complies with the Zero-Trust model, which promotes least-privileged access to protected applications only after the device and user have been verified and authorized. In addition to DDoS, SDP addresses many other prevalent cybersecurity issues such as man-in-the-middle connection hijacking, port scanning, and credential theft. A key component of SDP entails rendering an organization’s critical IT infrastructure “invisible” or “dark”, meaning no DNS or IP address information is visible and protected application resources cannot be detected from the Internet or from other internal networks. After all, you can’t hack what you can’t see.
Securing the New Perimeter
What if all critical Internet resources were inherently “invisible” to all users? And what if users and their devices had to be authorized and verified before accessing those hidden, business-critical application and data resources? It would be like having your own “Cloak of Invisibility” to shield yourself from the Death Eaters, and only those individuals whom you can identify and who can recite the secret incantation password would be able to see you.
The good news is you don’t need to travel to the Harry Potter™ universe to get this type of security. Impulse has developed a NAC industry-first solution that extends visibility and device security for remotely connected Public Wi-Fi and Mobile 4G-5G devices accessing private cloud or public cloud application resources.
SafeConnect Software-Defined Perimeter (SDP) cloud-based service offering “hides” enterprise application and data resources from the Internet and internal networks and adheres to a “verify first, connect second” Zero-Trust access model as compared to today’s “connect first, authenticate second” approach. SafeConnect SDP encrypts communications between user devices and enterprise applications, and integrates with Multi-Factor Authentication and Identity Access Management providers to deliver a seamless and consistent user experience.
SafeConnect SDP is comprised of three main components:
- SDP Client – available for Windows, macOS, iOS and Android devices, it ensures that the certificate-based mutual TLS VPN only connects to services for which the user is authorized. The SDP Client becomes the network-level device security assessment and policy enforcement point, where access control and network isolation are performed after the user’s device and identity have been cryptographically verified. The SDP Client can be distributed to managed devices or downloaded as part of a patent-pending BYOD onboarding process.
- SDP Controller – functions as a trust broker between the SDP Client and security policy controls such as Identity Access Management, Issuing Certificate Authority, and Device Compliance. Once the identity of the SDP client has been verified and applicable application services authorized, the SDP Controller configures a mutual TLS VPN session between the SDP Client and SDP Gateway to enable per-session application access. The SDP Controller is cloud-hosted and fully integrated with SafeConnect’s Policy Manager.
- SDP Gateway – is the termination point for the mutual TLS VPN connection from the SDP Client. It is usually deployed as topologically close to the protected application as possible. The SDP Gateway is given the SDP Client’s IP address and certificates after the identity of the requesting device has been verified and the user’s authorization has been determined by the SDP Controller.
SafeConnect SDP includes a cloud-hosted SDP Gateway connector for Public Cloud SaaS applications, and offers a downloadable VMware virtual appliance or docker container SDP Gateway instance to protect private cloud and internally-hosted application environments.
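To make the “verify first, connect second” flow of the three components concrete, here is an added Python model of the Controller-to-Gateway handoff described above; it is not SafeConnect code, and the issuing CA name, policy table, MFA check and certificates are constructed stand-ins. The Gateway binds each session to the client IP and certificate fingerprint it was given and answers nothing to anyone else, which is what keeps the protected service dark to port scanning.

```python
import hashlib
import time

# Assumed CA name: a real deployment validates the full X.509 chain; here only the
# issuer string and a certificate fingerprint stand in for that check.
TRUSTED_ISSUER = "Example Issuing CA"
def fingerprint(cert_pem):
    return hashlib.sha256(cert_pem.encode()).hexdigest()  # identifies the client cert

class Gateway:
    """Default-deny mTLS termination point: unprovisioned peers get no reply (dark)."""
    def __init__(self):
        self.sessions = {}  # (client_ip, cert_fingerprint) -> (allowed services, expiry)
    def provision(self, client_ip, cert_fp, services, expires_at):
        self.sessions[(client_ip, cert_fp)] = (frozenset(services), expires_at)
    def accept(self, client_ip, cert_fp, service, now=None):
        now = time.time() if now is None else now
        entry = self.sessions.get((client_ip, cert_fp))
        if entry is None:
            return "drop"  # unknown peer, or cert presented from a different IP: silent drop
        allowed, expires_at = entry
        if now >= expires_at:
            del self.sessions[(client_ip, cert_fp)]
            return "drop"  # per-session grant lapsed; the gateway is dark to this peer again
        return "allow" if service in allowed else "deny"  # least privilege per service

class Controller:
    """Trust broker: verifies device cert and user MFA, then provisions one session."""
    def __init__(self, gateway, policy, mfa_check):
        self.gateway, self.policy, self.mfa_check = gateway, policy, mfa_check
    def authorize(self, client_ip, device_cert, user, mfa_code, ttl=3600, now=None):
        now = time.time() if now is None else now
        if device_cert["issuer"] != TRUSTED_ISSUER:
            return None  # device not enrolled with the issuing CA: nothing provisioned
        if not self.mfa_check(user, mfa_code):
            return None  # identity not verified, so the connect step never happens
        services = self.policy.get(user)
        if not services:
            return None  # verified, but authorized for no application at all
        cert_fp = fingerprint(device_cert["pem"])
        self.gateway.provision(client_ip, cert_fp, services, now + ttl)
        return cert_fp  # the client now presents this cert to the gateway over mTLS

# Constructed sample policy, MFA check and certificates so the block runs stand-alone.
POLICY = {"alice": {"hr-portal", "git"}, "bob": {"git"}}
def demo_mfa(user, code):
    return code == "123456"  # hypothetical MFA provider answer
ALICE_CERT = {"issuer": TRUSTED_ISSUER, "pem": "-----CONSTRUCTED ALICE CERT-----"}
ROGUE_CERT = {"issuer": "Unknown CA", "pem": "-----CONSTRUCTED ROGUE CERT-----"}
```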
Main Use Cases
Legacy VPN Replacement
Less expensive than VPN or NGFW remote access alternatives; no throughput degradation due to VPN encryption; lightweight client requires no end user configuration; greater security based on application-session only (least-privileged) zero-trust access model
Make your applications invisible, rendering them undetectable and inaccessible to outsiders; enhance application and data access security for devices on the internal wired and wireless network perimeter; helps address regulatory compliance requirements for a wide variety of industries
Borderless Data Protection
Protect your data with mutual TLS VPN encryption as it leaves your perimeter and as it is accessed from devices connecting outside the network perimeter (i.e. Public Wi-Fi and Mobile 4G-5G); protects against credential theft, connection hijacking and data loss