Software Defined Perimeter: What it is and How it Protects Our Networks

Everything seems to indicate that the protection measures we have implemented in our routers, switches and networks in general are no longer enough. Attacks are becoming more complex, more effective and harder to fight. One solution is to implement a Software Defined Perimeter. This is one more case that shows how new software-based technologies have a positive impact on the security of the network and of the users that connect to it.

SDP, or Software Defined Perimeter, is an architecture that aims to change how network security works. It uses a combination of authentication, authorization and network segmentation that is strong enough to allow access to the network from any location. These perimeters are meant to act as a shield against the large number of cyber attacks. It is considered safer than a firewall and much more granular, that is, more thorough, than NAC (Network Access Control).


This architecture secures access to the network as follows:

  • It performs granular authentication and restricts any service that is not necessary for the user’s role and permissions.
  • Once access is granted, it applies a layer of concealment to the network’s resources (Resource Cloaking) so that information such as the DNS servers and the IP ports of those resources stays hidden. As a result, the risk of network resources being exposed is minimal.

Protection against dangerous attacks and detailed network scans

DDoS attacks are among the most dangerous and also the most frequent when it comes to large-scale cyberattacks. During 2019, the frequency of these attacks increased by 967%. What is most worrying is that DDoS is already offered as just another service, known as DDoS for hire (DDoS as a Service). This means that anyone can hire this type of service to carry out denial-of-service attacks by paying a subscription, just like any other service, or even carry out the attack themselves.

The SDP architecture protects the network by keeping the resources and applications running on its servers from being exposed to the Internet. Bear in mind that merely exposing ports already gives attackers a lot of valuable information. It is therefore advisable not to expose important ports to the Internet.

One of the main threats to web applications is Cross-Site Scripting and SQL injection attacks. These work by exploiting vulnerabilities in any web application that requires data input. For example, when you fill out a contact form, one of the fields is usually an email address. An attacker takes advantage of each field that asks for input and, through it, sends malicious code that can interact with the server storing the data received from that form. Public-Facing Application Exploits, on the other hand, take advantage of every port that is open and exposed to the Internet. Recall that an attacker can learn which ports are open by performing a detailed scan and, depending on each port number, carry out other types of attacks.

What role does SDP play in mitigating this? It is responsible for “hiding” any exposed port, as well as any data that could facilitate access to the network infrastructure itself. This protection layer prevents ports from being discovered by port scans and other information-gathering techniques.

If the ports and any related data are not visible, the attacker has no opening to act on. An attacker can only carry out malicious actions based on the visible information they manage to collect, whether or not we are aware of it.
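As an added illustration of the authorise-then-connect and resource-cloaking behaviour described above (and in the access steps earlier in the article), here is a constructed simulation, not the code of any SDP product: a controller issues a short-lived, HMAC-signed grant after authenticating the user, and a gateway in front of the cloaked services admits only requests whose grant is valid and whose role policy covers the requested service, silently dropping everything else. The shared key, the roles and the service names are assumed sample values.

```python
import base64, hashlib, hmac, json, time

# Constructed simulation of an SDP controller and gateway (added example, not product code).
CONTROLLER_KEY = b"demo-shared-key"   # assumption: key shared by controller and gateway

# Controller policy: which cloaked services each role may reach (assumed sample roles).
POLICY = {
    "developer": {"git:22", "ci:443"},
    "finance": {"erp:443"},
}

def issue_grant(user, role, now=None, ttl=60):
    """Controller side: after the user has been authenticated, issue a short-lived signed grant."""
    now = time.time() if now is None else now
    claims = {"user": user, "role": role, "exp": now + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(CONTROLLER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def gateway(token, service, now=None):
    """Gateway side: authorise before connecting. Returns 'ALLOW' or 'DROP'.
    Every failure is a silent drop (no RST, no banner), so a probe without a valid
    grant sees the same nothing whether or not the service exists behind the gateway."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(CONTROLLER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return "DROP"                      # forged or tampered grant
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims["exp"] < now:
            return "DROP"                      # expired grant
        if service not in POLICY.get(claims["role"], set()):
            return "DROP"                      # service outside this role's scope
    except (AttributeError, KeyError, TypeError, ValueError):
        return "DROP"                          # missing or malformed token
    return "ALLOW"

def scan(services, token=None, now=None):
    """What a scan learns: the set of services that answered at all.
    Without a grant the result is empty; with one, only the caller's own services."""
    return {s for s in services if gateway(token, s, now) == "ALLOW"}
```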

SDP as an alternative to avoid DNS Hijacking

When a user enters a URL in their browser, one of the steps that takes place is a request to the DNS server to check whether that domain is among its records. If it is, the user can access the desired page. However, if an attacker manages to take control of the router, they will find a way to alter the normal operation of that DNS server; this technique is known as DNS Hijacking.

This is done through actions that lead to malicious DNS resolutions. The affected user may end up on a malicious website that looks very similar to one they visit regularly, when in reality it is a site created by the attacker, which steals their access credentials and other data once they enter them on that site.

A great solution that SDP offers to mitigate this type of attack is the DNS resolution built into its architecture. Even if an attacker takes control of the router, their malicious settings will not be able to override the DNS resolution of the software-defined perimeter.

These are the most important attacks that this architecture can prevent. However, there are others, such as the well-known Man-in-the-Middle attacks and those aimed at traditional (non-cloud) systems. It is worth taking the time to learn more about the advantages of SDP, especially in the long term. Networks require more and more protection, because personal and corporate data never stop being handled, and never stop being generated, every second.

Data is the most important asset in our lives, as well as the foundation of every organization’s integrity. Not being aware of the risks, or of the consequences of not addressing them, can lead to losses of the greatest economic value.