The internet was designed with ease of communication in mind; security was not designed into it. This design lies behind the cyber-security issues we face today and calls for new thinking. Software Defined Perimeter shows promise in solving this huge challenge.
Internet Design and Cyber Attacks
A phishing attack is the most common origin of a data breach these days. It all starts with a user's device being compromised, after which the attacker moves laterally in the network, gaining access to resources and causing significant damage.
Over the entire life-cycle of the attack, the perpetrator jumps through many hoops to spread in the network. The hoops mostly take the form of bypassing security layers and exploiting vulnerabilities in applications/servers, using custom-made software (malware) to grab passwords, gain wider access and move across the network. The attacker's skill lies in staying in stealth mode, i.e. avoiding detection by the many security layers, for as long as it takes to achieve the goal. This is similar to guerrilla warfare, unless of course the goal is simply to attack everything at random and hope to hit as many targets as possible, something like the carpet bombing of WW2 or the Vietnam war. Cyber-criminals use both tactics, sometimes together, with the carpet bombing in one area distracting the victim from the guerrilla attack happening elsewhere. Among cyber-attacks, the Sony, Target, Equifax, Iranian nuclear plant and even the Yes Bank payment switch gateway attacks can be classified as guerrilla attacks, while DDoS attacks such as the Mirai botnet attack and many others are the carpet-bombing kind.
While the military has developed many defences against both kinds of attack, cyber-attacks of both kinds are extremely difficult to defend against because of the very design of the internet, in particular how the TCP/IP networking protocol is designed. The internet, or let's just say the IP network, was designed to allow free communication between computing devices that have an IP address. Security was never designed into it to check whether the communication between the devices is authorised. Cyber defences were developed later, in response to the first attacks and continuously since then, to control the communication between the devices in a network and the users of those devices. However, attacks still bypass the best cyber defences, as the infamous incidents mentioned earlier show.
Software Defined Perimeter & Airport Security
The IP network allows any device with an IP address to establish a connection with any other device it can reach (i.e. the firewall allows the source IP to reach the destination IP) without any validation of, or check on, its need to connect. This single aspect is a huge disadvantage that every cybersecurity practitioner has to deal with, and it makes life difficult on a daily basis. To put the 'need to connect' into perspective: can you imagine walking all the way to an aircraft and taking a seat, after which they check your identity, frisk you and screen your baggage? Of course not! That's ridiculous! Right? Your identity is checked, your baggage is checked, you are frisked, and you are allowed to board only the aircraft you are supposed to and to take only the seat assigned to you. We need to bring this perfectly sensible process into the network communication between endpoints and applications/servers, so that hackers cannot move freely in the network.
This means every connection to an application, server, database etc. in your enterprise must first be checked for the 'need to connect', and only after trust is established is the connection from the endpoint to the server allowed to happen.
Software Defined Perimeter (SDP), designed by the Cloud Security Alliance (CSA) SDP Working Group, is an open-source design that brings 'need to connect' checks into IP network communication. The SDP specification and architecture concepts ensure that every connection to a resource is first verified for identity and authorisation before the connection (handshake) is allowed to happen.
Stealth Mode Cyber-security
Attackers and defenders alike have many tricks in their arsenal, and one of the most common is 'stealth mode'. Be it the "Invisibility Cloak" of Harry Potter, James Bond's invisible car (the beautiful Aston Martin Vanquish in Die Another Day (2002)) or, in real life, fighter planes and submarines with stealth technology that evade detection by radar; stealth mode or technology is a very significant tool in one's arsenal to fight the enemy.
The SDP design ensures that the enterprise resources containing all the sensitive information are made "invisible" to prying eyes. This means that attackers' 'probes', searching for the next target to move to laterally in the network, do not succeed, thanks to the stealth-mode design of SDP. SDP achieves this by incorporating the Single Packet Authentication (SPA) technique, invented by Michael Rash, kept open source and protected by a patent. The SPA concept ensures that a 'handshake' between the Client device and the protected resource happens only if the very first packet of a TCP/IP connection contains a unique signature of the device and the user.
While many vendors have achieved a similar goal using different techniques, the concept of hiding all information about enterprise resources is the key takeaway for improving their security, since attackers can't attack what they can't see or detect. So, what about carpet bombing? Well, SPA and its similar implementations play a dual role and protect against both types of attack discussed earlier.
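To make the "first packet carries a signature" idea concrete, here is an added Python illustration of an SPA-style check on the gateway side. It is not the CSA SDP or fwknop wire format and not InstaSafe code; the field layout, the pre-shared per-device key and the sample values are assumptions for the demo. The gateway stays silent on every failure, so a prober learns nothing about whether a resource exists.

```python
import hmac
import hashlib

WINDOW_SECONDS = 30   # packets older or newer than this are treated as stale
_seen_nonces = set()  # replay cache; a real gateway would expire entries with the window

def build_spa_packet(device_id, user_id, key, nonce, ts):
    """Client side: one datagram carrying identity, time, nonce and an HMAC over them.
    The client expects no reply; the gateway is silent whether or not it accepts."""
    body = "|".join([device_id, user_id, str(ts), nonce.hex()]).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

def verify_spa_packet(packet, keys, now):
    """Gateway side, default-drop. Returns (accepted, reason); the reason is only for
    the gateway's own log and is never sent back to the sender."""
    try:
        body, tag = packet.rsplit(b"|", 1)
        device_id, user_id, ts_s, nonce_hex = body.decode().split("|")
        ts, nonce = int(ts_s), bytes.fromhex(nonce_hex)
    except ValueError:  # also covers UnicodeDecodeError
        return False, "malformed"
    key = keys.get(device_id)
    if key is None:
        return False, "unknown device"   # unknown senders get no hint at all
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"    # tampered identity fields or wrong key
    if abs(now - ts) > WINDOW_SECONDS:
        return False, "stale"            # bounds how long a captured packet is useful
    # Replay check runs only after the signature check, so unsigned junk
    # cannot poison the nonce cache.
    if nonce in _seen_nonces:
        return False, "replay"
    _seen_nonces.add(nonce)
    return True, f"open gateway for {user_id}@{device_id}"

if __name__ == "__main__":
    # Constructed demo key; in SDP the Controller would provision it out of band.
    key = bytes.fromhex("11" * 32)
    pkt = build_spa_packet("laptop-0042", "alice", key, b"\xaa" * 8, 1_700_000_000)
    print(verify_spa_packet(pkt, {"laptop-0042": key}, 1_700_000_005))
```

In a deployment the firewall in front of the gateway drops everything by default and only the successful SPA verdict adds a short-lived rule for that source, which is what makes the protected resource "invisible" to everyone else.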
Intelligent Access Control
So, how are the resources kept "invisible" and, importantly, if the resources are "invisible", how do valid, authorised users do their job? Just as the central command centre of the Navy or the Air Force knows where its assets are located and communicates with its stealth fighters and submarines/ships using authenticated codes, the SDP design has built-in steps to pre-authenticate and pre-authorise access requests to applications/data before granting access. The SDP architecture separates the 'Control Channel' from the 'Data Channel', as seen in the architecture diagram below.
As you can see in the diagram above, the Controller is the "Central Command Centre": it holds the information about all the resources, which are therefore invisible to the public. The Controller verifies each Client's "trust level" and then grants access to specific resources hidden behind the Gateway. This trust level is verified using multiple layers that help determine the context of the access request from the Client. Some of these layers or checks are:
- Client certificate (using built-in PKI setup)
- Device fingerprint
- Device inventory status (owner, user, etc.)
- Device compliance status (hardware/OS and other software patch status)
- User identity and role
- User relationship with device (corporate issued, BYOD etc.)
- Other context details such as geolocation, time of day, day of week etc.
While the context checks can be high-level or granular depending on the features provided by different vendors, verifying the device and the user together allows a more intelligent, context-driven decision to grant, limit or deny access. We, at InstaSafe, have taken these concepts into our product Secure Access to enable enterprises to mitigate cybersecurity risks in their current setups and also while migrating to newer technologies.
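As an added illustration of how the checks listed above combine into a grant/limit/deny decision, here is a small Controller-side policy evaluator in Python. It is not InstaSafe's or the CSA's code; the context fields, the allowed-country list, the business-hours range and the resource records are constructed for the demo. The order of the checks is the point: hard identity and posture failures deny outright, while softer context signals only reduce access to sensitive resources.

```python
from dataclasses import dataclass

@dataclass
class Context:
    cert_valid: bool         # client certificate chains to the SDP PKI
    fingerprint_known: bool  # device fingerprint matches the inventory record
    compliant: bool          # hardware/OS/software patch status is acceptable
    user_role: str           # role from the identity provider
    device_class: str        # "corporate" or "byod"
    country: str             # from geolocation
    hour: int                # local hour of day, 0-23
    weekday: int             # 0 = Monday ... 6 = Sunday

# Constructed policy values; a real Controller would load these per resource.
ALLOWED_COUNTRIES = {"IN", "US", "GB"}
BUSINESS_HOURS = range(7, 21)

def decide_access(ctx, resource):
    """Return ("grant" | "limit" | "deny", reason) for one access request.
    Deny-by-default: identity and posture first, then role, then location,
    then the softer context that can still narrow what is granted."""
    if not (ctx.cert_valid and ctx.fingerprint_known):
        return "deny", "device identity not established"
    if not ctx.compliant:
        return "deny", "device out of compliance"
    if ctx.user_role not in resource["roles"]:
        return "deny", "role not authorised for resource"
    if ctx.country not in ALLOWED_COUNTRIES:
        return "deny", "geolocation outside policy"
    sensitive = resource["sensitivity"] == "high"
    off_hours = ctx.hour not in BUSINESS_HOURS or ctx.weekday >= 5
    if sensitive and ctx.device_class == "byod":
        return "limit", "BYOD device: read-only access to sensitive resource"
    if sensitive and off_hours:
        return "limit", "off-hours request: step-up authentication required"
    return "grant", "all checks passed"

if __name__ == "__main__":
    payments_db = {"name": "payments-db", "roles": {"finance", "dba"}, "sensitivity": "high"}
    req = Context(True, True, True, "finance", "byod", "IN", 10, 1)
    print(decide_access(req, payments_db))
```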
The concepts described above, separating the Control Channel from the Data Channel and SPA, effectively hide all the enterprise resources and grant access only after trust has been established, just as the security team at the airport does before you board the aircraft. The SDP architecture and its integrated technology prevent many common network-based attacks such as MITM, DoS, DDoS, server exploitation and others. This benefits enterprises by drastically reducing the attack surface and therefore the cybersecurity risk.
Further, enterprises benefit from the greatly reduced number of events their security teams need to monitor, since only events from authorised devices and users need attention, instead of all the noise that today's open networks generate. Next, the efficiency of your existing security stack improves, because it only has to handle network traffic that has been identified and validated as coming from known sources. And most importantly, such an architecture allows enterprises to adopt transformational technologies that increase revenue, improve customer experience and scale rapidly, confident in the security of their sensitive data.