Zero trust based


Appgate SDP uses a direct-routed Zero Trust Network Access (ZTNA) model. This model allows systems to be hidden from unauthorized users, and then requires detailed contextual information to establish trust before any access is authorized to the protected networks.

The Software Defined Perimeter (SDP) is a concept that aims to deliver ZTNA with appliances that protect themselves using Single Packet Authorization (SPA). Connection attempts to port 443 are denied unless a pre-determined and mutually agreed, cryptographically signed SPA packet is received first.

  • Clients (and appliances) use SPA prior to establishing any TLS connection to an Appliance.

  • Controllers authenticate and authorize new user/device sessions and provide the required tokens that the Gateway will consume.

  • Gateways render the protected networks invisible and provide users/devices access via their own micro-firewall instances each started on a separate thread. The individualized firewall rules are defined by the payload within the tokens.
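As an added illustration of the SPA gating described above (example code written for this page, not Appgate's own protocol or wire format; the packet layout, HMAC signing, replay window and timings are all assumptions), the gate below keeps port 443 closed until a fresh, correctly signed single packet arrives from the connecting source:

```python
import hashlib
import hmac
import json
import os


class SpaGate:
    """Illustrative single-packet-authorization gate (assumed design).

    Port 443 is closed by default. A source is admitted only after a packet
    signed with one of the accepted pre-shared keys arrives, is fresh, names
    the observed source address, and carries a nonce not seen before.
    """

    def __init__(self, keys, window_s=30, open_for_s=10):
        self.keys = list(keys)        # one or more SPA keys from the profile
        self.window_s = window_s      # tolerated clock skew for the timestamp
        self.open_for_s = open_for_s  # how long 443 stays open for a source
        self.seen_nonces = set()      # replay protection
        self.allowed = {}             # src_ip -> expiry time (epoch seconds)

    @staticmethod
    def build_packet(key, src_ip, now, nonce=None):
        """Client side: JSON body + HMAC-SHA256 over it, joined by '.'."""
        body = {"src": src_ip, "ts": int(now), "nonce": nonce or os.urandom(8).hex()}
        raw = json.dumps(body, sort_keys=True).encode()
        mac = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
        return raw + b"." + mac

    def receive_spa(self, packet, src_ip, now):
        """Appliance side: verify the SPA packet; return True if 443 opens."""
        raw, _, mac = packet.rpartition(b".")
        # Accept any configured key; constant-time comparison per key.
        if not any(hmac.compare_digest(
                hmac.new(k, raw, hashlib.sha256).hexdigest().encode(), mac)
                for k in self.keys):
            return False
        body = json.loads(raw)
        if body["src"] != src_ip:            # packet must name its real source
            return False
        if abs(now - body["ts"]) > self.window_s:   # stale or future-dated
            return False
        if body["nonce"] in self.seen_nonces:       # replayed packet
            return False
        self.seen_nonces.add(body["nonce"])
        self.allowed[src_ip] = now + self.open_for_s
        return True

    def accept_tcp_443(self, src_ip, now):
        """Whether a TCP connection to 443 from src_ip is accepted right now."""
        return self.allowed.get(src_ip, 0) > now
```

Everything that fails verification is simply dropped, so an unauthorized scanner sees no open port; only the nonce set and the allow-list carry state.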

Establishing trust using the 6 layer model

Appgate SDP uses a multi-layer authorization model to provide real-time, context-aware control over all user access attempts. The numbers below correspond to the process layers in the diagram that follows.

  1. Single Packet Authorization cloaks the Appgate SDP system, allowing only Clients with the pre-shared key to open a communications channel. The Appgate SDP system will accept one or more SPA keys that are included in the Client profile.

  2. MFA at sign-in registers a user's device, turning it into a second, trusted authentication factor, thus blocking authentication when stolen credentials are tried. Any configured multi-factor authentication (MFA) can be used, and once a device or browser is registered this removes the need for users to perform MFA at every sign-in.

  3. Authentication validates the user's or device's credentials against defined trusted sources such as a local database or LDAP.

  4. Authorization. Policy assignment criteria evaluate the user's or device's Claims data. Based on this, a specific set of Entitlements is assigned to each user or device.

  5. Access controls monitor Entitlements to see if the risk model or Conditions require any additional access criteria be checked in real-time before granting access. The Gateway dynamically manages the access rights for each user or device based on any actions defined in Entitlements (such as <ALLOW>, <BLOCK>, etc).

  6. Alert actions trigger a system response as a result of bad behaviors, such as performing unauthorized port scans.

A diagram displaying the six layer trust model.

Once the Client has been seeded with the profile link and the device has been on-boarded, the user can select "keep me signed-in". This makes the 6-layer model transparent to the user, who will now require fewer interactions than with a normal VPN. The only point at which the user may be required to interact with the system is when a Condition requires a user interaction.