Robust resilient architecture


The Software-Defined Perimeter (SDP) Model

The SDP model necessitates an architecture that allows users, appliances, and networks to be located flexibly. It also requires a separation between the control plane and the data plane. AppGate ZTNA adheres to this model through its key components: Controllers, Clients, and Gateways. Unlike other SDP implementations, AppGate ZTNA employs a token-based architecture, enhancing interaction among these components and providing greater flexibility and resilience. Token flows eliminate the need for real-time interaction among the principal components.

A diagram depicting token passing through the system.

The SDP model requires the separation of decisions and enforcement; tokens further allow for the separation of operations. For instance, Client devices can independently manage their connectivity and switch to an alternative Gateway at any time, even if the Controller is down. Tokens from the Controllers contain all necessary information to configure and enforce specific routes on the connecting device and inform the Gateway about user access rules.

Tokens

Tokens transmit information from the Controller to the Gateway via the Client, containing all data required for authentication, authorization, and access control.

  • The Controller (Certificate Authority) generates and sends signed tokens to the Clients.

  • Clients have the autonomy to use claims and Entitlement tokens as needed.

  • Gateways utilize the tokens to configure firewall rules and manage access on a per-user basis.

  • Tokens are formatted as JSON Web Tokens, using key-value pairs.

  • All tokens have expiration dates, but Administrators can revoke them at any time.

Controller

The Controller offers centralized administration and control over security policies, user Entitlements, administrator privileges, network configuration, logging, and monitoring via the Admin UI or REST API. A self-signed certificate is created when the first Controller starts, establishing it as the trusted authority for all tokens, certificates, and TLS connections.

Gateway

The Gateway acts as the enforcement point, controlling user access to protected resources. After registration with the Controller, it operates as a stateless appliance, requiring only the token revocation list from the Controller. The Gateway uses Claims and Entitlement tokens to manage firewall rules and provide real-time access control.

Client

Clients retain operational control of their connectivity. With each new connection, the Gateway checks the Client's claims token, starts the firewall service, and establishes firewall rules based on the Client's Entitlement token.
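The token flow described in the Tokens section and in the Gateway and Client sections above, as an added example that is not AppGate's own code or schema: a Controller issues signed JWT-style claims and Entitlement tokens, a Client carries both, and a Gateway checks signature, expiry and the revocation list before deriving per-user firewall rules. It assumes HMAC-SHA256 as a stand-in for the Controller's certificate-based signing, and the claim names (`sub`, `jti`, `exp`, `entitlements`) and rule format are constructed for illustration.

```python
"""Added example, not AppGate code: a minimal model of the Controller ->
Client -> Gateway token flow. HMAC-SHA256 stands in for the Controller CA's
certificate-based signatures; claim names and the rule format are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret standing in for the Controller CA's signing key.
CONTROLLER_KEY = b"constructed-demo-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def controller_issue_token(payload: dict, key: bytes = CONTROLLER_KEY) -> str:
    """Controller side: produce a signed JWT (header.payload.signature, HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def gateway_verify_token(token: str, revoked: set, now: float, key: bytes = CONTROLLER_KEY) -> dict:
    """Gateway side: check signature, algorithm, expiry and the revocation list.

    Only the revocation list has to come from the Controller; everything else
    is verified locally from the token, so the Gateway stays stateless."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    if payload.get("jti") in revoked:
        raise ValueError("token revoked")
    return payload


def gateway_build_rules(claims: dict, entitlements: dict) -> list:
    """Derive per-user allow rules from an Entitlement token (constructed rule format)."""
    if claims["sub"] != entitlements["sub"]:
        raise ValueError("claims/entitlement subject mismatch")
    return [
        {"user": claims["sub"], "action": "allow", "dst": e["host"], "port": e["port"], "proto": e["proto"]}
        for e in entitlements["entitlements"]
    ]


def gateway_decision(claims_token: str, entitlement_token: str, revoked: set, now: float = None) -> dict:
    """Client presents both tokens on a new connection; the Gateway decides.

    Returns an allow verdict with the rules to install, or a deny with the reason
    (the reason is what a defender would want in the Gateway's access log)."""
    now = time.time() if now is None else now
    try:
        claims = gateway_verify_token(claims_token, revoked, now)
        ents = gateway_verify_token(entitlement_token, revoked, now)
        return {"verdict": "allow", "rules": gateway_build_rules(claims, ents)}
    except ValueError as err:
        return {"verdict": "deny", "reason": str(err)}


# Constructed sample tokens for the user "alice", valid for one hour from NOW.
NOW = 1_700_000_000
CLAIMS = controller_issue_token({"sub": "alice", "jti": "claims-1", "exp": NOW + 3600, "groups": ["dev"]})
ENTITLEMENTS = controller_issue_token({
    "sub": "alice", "jti": "ent-1", "exp": NOW + 3600,
    "entitlements": [{"host": "10.0.1.10", "port": 22, "proto": "tcp"},
                     {"host": "10.0.2.0/24", "port": 443, "proto": "tcp"}],
})

if __name__ == "__main__":
    print(gateway_decision(CLAIMS, ENTITLEMENTS, revoked=set(), now=NOW))
    print(gateway_decision(CLAIMS, ENTITLEMENTS, revoked={"ent-1"}, now=NOW))
```

Because the Gateway verifies each token locally and only consults the revocation list, a Client can re-present the same tokens to a different Gateway while the Controller is unreachable, which is the resilience property the page describes.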