I’ve talked a lot about what is a software-defined perimeter (SDP) and the benefits of SDP over network access control (NAC) solutions. At a high level, a software-defined perimeter looks like the following image.    

And it offers:

  • Individualized perimeter for each user
  • Fine-grained authorization for on-premises and cloud
  • Contextual awareness that drives access and authorization
  • Simplified firewall and security group rules
  • The ability to dynamically adjust to new server instances
  • Consistent access policies across heterogeneous environments 

SDP overcomes security issues compared to traditional TCP/IP.  

TCP/IP was designed for a more open world

TCP/IP was designed for a more open world

Its “connect, authenticate second” approach puts organizations at risk, and exhibits many security vulnerabilities:  

  • Servers are subject to reconnaissance scans
  • Unauthenticated users can exploit servers
  • Systems are vulnerable to DDoS attacks
  • Unauthorized users consume server resources 

The Software-Defined Perimeter stops attackers but allows authorized users connect

The Software-Defined Perimeter stops attackers but allows authorized users connect

It takes an “authenticate ‑first, connect second” approach, ensuring that only authorized users can connect to network resources. This reduces the attack surface and significantly improves security:  

  • All resources are invisible to potentially dangerous reconnaissance
  • Only authenticated users can connect
  • DDoS attacks are ineffective
  • Unauthorized users cannot impact servers 

Cyxtera AppGate SDP Implements the Software-Defined Perimeter Specification  

Cyxtera AppGate SDP is a distributed, scalable and highly available architecture that is protected by Single-Packet Authorization  

Here you can see how Cyxtera’s Software-Defined Perimeter solution works in a production environment:    

Here you can see how Cyxtera’s Software-Defined Perimeter solution works in a production environment

1

• Controller integrates with PKI and IAM systems

• Controller is an authentication point and policy store

• System is administered via graphical admin console  

2

• Secure client onboarding process

• Client authenticates to Controller

• Communication secured with mutual TLS

3

• Distributed Gateways protect cloud and network resources

• Clients securely access resources via Gateways with mutual TLS tunnels

• Real-time policy enforcement by Gateway

• Gateways dynamically adjust user access as systems change

4

• Controller continuously monitors for context changes, adapts entitlements accordingly  

Want to see it in more detail? Download the Software-Defined Perimeter infographic.

Adaptive, Identity-Centric Security for Hybrid IT