The Software-Defined Perimeter (SDP) model requires an architecture that allows the physical freedom to locate users, appliances, and networks wherever they are needed. It also requires that the control plane is separated from the data plane. Appgate SDP follows this model using its principal components: Controllers, Clients, and Gateways. Unlike other SDP implementations, Appgate SDP relies on a token-based architecture. Token passing changes the way the three principal components interact, giving new levels of flexibility and resilience: because a token carries everything the receiving component needs, the principal components do not have to interact with each other in real time.
The SDP model mandates the separation of decisions from enforcement; tokens add the further separation of operations. For example, Client devices have operational independence over their own connectivity and are free to fail over to an alternative Gateway at any time, even while the Controller is down. The tokens from the Controllers include all the information required to configure and enforce the use of specific routes on the connecting device, as well as telling the Gateway how to set up and manage the user's access rules.
Tokens
Tokens are used to pass information from the Controller to the Gateway via the Client. Tokens contain all the information needed for authentication, authorization, and real-time access control.
The Controller (the Certificate Authority) creates and sends signed tokens to the Clients.
The Client has operational independence to use the Claims and Entitlement tokens as and when it sees fit.
The Gateway that receives the tokens uses them to configure firewall rules and control access on a per-user basis.
Tokens use the JSON Web Token (JWT) format: a signed set of key/value claims.
All tokens have an expiry, and the Administrator can also revoke a token manually at any time; a Gateway learns of revocations from the token revocation list the Controller distributes.
Controller
The Controller provides centralized administration and control of security Policies, user and administrator privileges, network configuration, logging and monitoring through the Admin UI (or the REST API). A self-signed certificate is generated when the first Controller is started; this establishes the Controller as the trusted authority for all tokens, certificates and TLS connections, which is what lets a Gateway verify tokens without contacting the Controller.
Gateway
The Gateway is the enforcement point, responsible for controlling user access to protected resources. After seeding, it registers with the Controller and is then listed for its Site so that Clients can connect to it. Once registered, it runs as a stateless Appliance, needing only to receive the token revocation list from the Controller. The Gateway uses the Claims and Entitlement tokens presented by each user to manage firewall rules and provide real-time access control.
Client
The Client has operational control over its own connectivity. With each new connection it makes, the Gateway checks the Client's Claims token, then starts the firewall service and creates the firewall rules using the information in the Client's Entitlement token.
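To make the token flow of the Tokens section and the per-connection steps of the Gateway and Client sections concrete, the following is an added example in Go; it is not Appgate's code and does not reproduce Appgate's token schema. It assumes the Controller signs tokens with an Ed25519 key (the page says only that the Controller is the Certificate Authority that signs JWTs); that both token bodies use the standard JWT claims sub, jti and exp, with the Entitlement token adding a hypothetical allow list of "proto/host:port" targets; that the Gateway turns that list into firewall rules; and that the type and function names (Payload, Controller, Gateway, Sign, Admit, Revoked) are this example's own. The Gateway is built from nothing but the Controller's public key and the set of revoked token IDs from the last revocation list it was sent, so it can admit a Client while the Controller is unreachable.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Payload is the JWT body of both token types (an Entitlement token also carries Allow); the field names are this example's assumption.
type Payload struct {
	Sub   string   `json:"sub"`             // user identity
	Jti   string   `json:"jti"`             // token ID, matched against the revocation list
	Exp   int64    `json:"exp"`             // expiry, Unix seconds
	Allow []string `json:"allow,omitempty"` // reachable "proto/host:port" targets
}

// Controller holds the signing key; its public half is the Gateways' only trust anchor.
type Controller struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewController() *Controller {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	return &Controller{priv: priv, Pub: pub}
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// Sign produces a compact JWT (header.payload.signature) using EdDSA.
func (c *Controller) Sign(p Payload) string {
	body, _ := json.Marshal(p) // Payload contains only marshalable fields
	input := b64([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64(body)
	return input + "." + b64(ed25519.Sign(c.priv, []byte(input)))
}

// Gateway keeps only the Controller's public key and the token IDs from the last
// revocation list the Controller pushed; admitting a connection never calls the Controller.
type Gateway struct {
	CtrlPub ed25519.PublicKey
	Revoked map[string]bool
}
// verify checks the signature before parsing the payload, then expiry and revocation.
// It is pinned to Ed25519 and ignores the "alg" header, so a forged header cannot downgrade it.
func (g *Gateway) verify(tok string) (*Payload, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(g.CtrlPub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var p Payload
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, err
	}
	if time.Now().Unix() >= p.Exp || g.Revoked[p.Jti] {
		return nil, errors.New("token expired or revoked")
	}
	return &p, nil
}
// Admit is the per-connection check: verify the Claims token, then derive
// firewall rules from an Entitlement token issued to the same user.
func (g *Gateway) Admit(claimsTok, entTok string) ([]string, error) {
	claims, err := g.verify(claimsTok)
	if err != nil {
		return nil, err
	}
	ent, err := g.verify(entTok)
	if err != nil {
		return nil, err
	}
	if ent.Sub != claims.Sub {
		return nil, errors.New("entitlement token issued to a different user")
	}
	var rules []string
	for _, target := range ent.Allow {
		rules = append(rules, "ALLOW user="+claims.Sub+" -> "+target)
	}
	return rules, nil
}

func main() {
	ctrl := NewController()
	exp := time.Now().Add(time.Hour).Unix()
	claims := ctrl.Sign(Payload{Sub: "alice", Jti: "c-1", Exp: exp})
	ent := ctrl.Sign(Payload{Sub: "alice", Jti: "e-1", Exp: exp, Allow: []string{"tcp/10.0.0.5:22"}})
	gw := &Gateway{CtrlPub: ctrl.Pub} // from here on the Controller may be offline
	fmt.Println(gw.Admit(claims, ent))
	gw.Revoked = map[string]bool{"e-1": true} // revocation list received from the Controller
	fmt.Println(gw.Admit(claims, ent))
}
```

Two details matter beyond what the text says. The Gateway verifies the signature before it parses the payload and is pinned to one algorithm, so the token's own header cannot talk it into a weaker check; and Admit refuses an Entitlement token whose sub differs from the Claims token's, so a valid Entitlement token for one user cannot be presented together with another user's identity. Revocation needs no reissue: once the Gateway holds the Controller's list containing the Entitlement token's jti, that token is rejected even though its signature and expiry are still good.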
