About Appgate SDP


Appgate SDP provides a secure access management solution for users and devices that operates across cloud and hybrid environments.

Appgate SDP enables organizations to adopt a Zero Trust Network Access approach to provide granular, context-aware access control to distributed cloud and hybrid environments. Appgate SDP introduces the concept of the 6-layer trust model with separate verification steps that extend beyond just signing in. This allows further verification to be required when an attempt is made to connect to a specific resource.

Appgate SDP does not depend on a traditional network perimeter model or require specific hardware; it can be used across cloud and hybrid environments through a distributed topology and by leveraging software virtualization.

One or more Controllers define access rights for all users or devices on an individual basis. The Controller authenticates the user or device based on verifying user Claims unique to each session, such as browser type, device posture, geo-location and identity. Upon authentication, Entitlement tokens are issued to the Appgate SDP Client.

The Portal offers an alternative way for users to connect to protected network resources. Instead of having to install a Client, the users connect with a browser through a Client instance hosted on the Portal Appliance.

The Portal utilizes the same approach for trusted connectivity as Appgate SDP Clients. Each time a user connects they will be assigned an available Client instance. They then sign in with any Policy assigned to that Client, setting the access rights and routing. In a typical environment, a Portal would be deployed as a standalone appliance outside the protected network, such as in the cloud.

The Connector onboards under-protected and over-privileged devices into the Zero Trust environment. The Connector accomplishes this by hosting unmanned Appgate SDP Client instances with their own . This allows local resources such as sensors, cameras, and servers to seamlessly connect with users, cloud services, and (protected) hosts.

Whether the Entitlement tokens are used by freestanding Clients or in the Connector, they identify which Gateways to connect to. The tokens are then passed on to these Gateways which provision a micro-firewall instance for that session. For each packet received, the firewall instances parse the rules and conditionally allow or block access to the (protected) hosts, applications, or servers.
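As an added illustration of the per-session, default-deny model described above (this is not Appgate's code; the Entitlement token, rule and packet structures are constructed here for the example), a Gateway provisions one firewall per session from a token and evaluates each packet against only that session's rules:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Illustrative model only: token, rule and packet shapes are constructed
# here and do not reflect Appgate SDP's real token format or APIs.


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "block"
    network: str             # destination CIDR, e.g. "10.0.1.0/24"
    protocol: str            # "tcp", "udp" or "icmp"
    ports: tuple = ()        # (low, high) inclusive; empty means any port


@dataclass(frozen=True)
class Entitlement:
    session_id: str          # the session the Controller issued this token for
    gateway: str             # which Gateway the Client should connect to
    rules: tuple             # ordered Rule objects, first match wins


class SessionFirewall:
    """Micro-firewall instance provisioned for exactly one session."""

    def __init__(self, session_id: str, rules: tuple):
        self.session_id = session_id
        self.rules = rules

    def decide(self, dst_ip: str, protocol: str, port: Optional[int] = None) -> str:
        for r in self.rules:
            if ip_address(dst_ip) not in ip_network(r.network) or r.protocol != protocol:
                continue
            if r.ports and not (port is not None and r.ports[0] <= port <= r.ports[1]):
                continue
            return r.action
        return "block"  # default deny: nothing in the entitlement matched


class Gateway:
    def __init__(self, name: str):
        self.name = name
        self.sessions: dict[str, SessionFirewall] = {}

    def provision(self, token: Entitlement) -> SessionFirewall:
        if token.gateway != self.name:
            raise ValueError("token was not issued for this gateway")
        fw = SessionFirewall(token.session_id, token.rules)
        self.sessions[token.session_id] = fw
        return fw

    def filter_packet(self, session_id: str, dst_ip: str, protocol: str, port: Optional[int] = None) -> str:
        fw = self.sessions.get(session_id)
        return "block" if fw is None else fw.decide(dst_ip, protocol, port)
```

Packets from a session that was never provisioned, or to a host outside the session's entitlements, are blocked without any rule needing to say so.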

The Connector simplifies integration into any network environment; its only requirement is to establish an outbound connection on port 443. Thereafter it establishes a bi-directional, multi-protocol tunnel. This tunnel provides a broad capability which has been previously unavailable, insecure, or impractical due to network reconfiguration complexity. This makes it easy to allow access to additional distributed resources beyond the Site, by adding one or more Connectors to the Site. Down rules to these remote Connectors then allow (protected) hosts (on the Site) and users (connecting to the Site) to easily access the local resources behind these Connectors.

Any access solution must ensure that all activity is logged for audit and compliance purposes. The LogForwarder is a powerful distributed means of forwarding selective audit log records to external systems. Each instance includes the ability to select multiple input sources and output destinations, and to apply in-line filters. A local LogServer is also available as an alternative within a Collective.

Appgate SDP Key Concepts and Features

Before attempting to configure the system, it is important to understand the eight key concepts as well as the key features of the Appgate SDP system.