Traditionally, networks are mapped by their physical structure. Every router, switch, port, and device has a digital identity that corresponds with its physical location in the network. In other words, we’re used to seeing networks that are defined by their hardware.
A Software Defined Perimeter (SDP) takes a more virtual approach to establish a network’s perimeter.
Hardware Defined Perimeters
Think about your home network. It’s simpler to understand compared to business network setups. You most likely have a router that stands between you and the internet. That router defines your home network, and it’s the only thing standing between outsiders and all your stuff. Once the router lets you through, that’s it.
The assumption is that if you’re inside the network, you should be there. This is why Windows asks you if a new WiFi network is public or private. It needs to know whether to trust other devices on the local network. This is the same reason why you must use a VPN if you use public WiFi because you’re inside the hardware-defined perimeter.
Cloudy Days Ahead
The thing is, while the hardware-defined perimeter paradigm has its security issues, they’ve still done pretty well up to know. As long as the access control policies are reasonable and appropriately enforced, it’s rare to see serious breaches happen.
The real problem is that more and more network functions have to cross that local network perimeter. Instead of internal, local servers, everyone is turning to public cloud services like Azure. Instead of working from an office using a local network connection point, more and more employees are working remotely.
This has given rise to the need for extensive VPN use. A VPN acts, essentially, as a virtual Ethernet cable spanning the public internet. It’s a kludge designed to get external users inside the local network perimeter in a virtual way.
As digital resources become decentralized, the “dumb” hardware perimeter becomes less and less sensible, which is why the conversation around SDPs are heating up. A new generation of network use needs a new way of operating a network.
IP Addresses Are Problematic
IP Addresses are, in essence, the unique physical location markers for devices connected to a network. Internal networks own their range of IP addresses, with devices such as routers assigning a public IP address that everyone on the internet can see. Through network address translation (NAT), your router takes packets of data sent to its IP address and passes them along to devices on the local network for whom they are actually intended.
IP addresses make modern internet to work, but they are also a major target for hackers. Any computer will answer if you ping its IP address. Access is granted by systems that are further abstracted from the IP. Even worse, IP addresses are not always static. They can’t be linked to specific identities and can’t function effectively as a way to know who should or should not have access to resources or data.
As a solution to network traffic control, IP addresses are brilliant, but they were never meant to be any sort of passive security measure.
The SDP Difference
As the name suggests, SDPs use software to determine what is inside and outside the network perimeter. The network can span different physical networks, intermingled with resources that belong to other SDPs. When someone is inside the SDP, they only see what they are meant to see.
The idea of connecting to a specific server at a particular address doesn’t make a lot of sense in an SDP world. Instead, you have access to specific applications, people, and functions.
The network is a line drawn according to your needs, and it can be redrawn as needed. The users’ roles and identities on the network can be individual, which means you can have people connected to the local network physically, such as visitors who need internet access, but they are treated as untrusted outsiders. It also means that your own people who are scattered around the world can freely and transparently use the network.
The actual network infrastructure, the physical appliances, and the firmware and software components that deal with those devices become invisible. Physical location and connection are irrelevant. What’s inside the perimeter and outside of it is an act of imagination, rather than a fact of physical structure.
SDP, Zero Trust, and VPNs
The concept of SDP goes hand-in-hand with that of Zero Trust Private Networks – the logical extension of having a network where you can robustly define roles and identities. Where it isn’t assumed that, just because you’re within the physical network perimeter, you’re a trusted agent in the system. The opposite is also true: trusted users outside of the physical network perimeter can seamlessly access resources as if they are locally connected.
Hang on a minute, doesn’t that sound an awful lot like a VPN? Companies use VPNs to create encrypted tunnels across the public internet. So from the user’s perspective, it’s like they’re connected to the local network. It looks that way from the other side as well.
VPNs come with plenty of issues, however. For one thing, remote users rarely want ALL their internet traffic to pass through the local network back at base. It’s one of the reasons that split tunneling exists.
SDP solves that because only traffic intended for resources on the remote network passes onto that network. From this point of view, a VPN is a pretty crude tool to get the job done. It can also be a security risk because VPN authentication is simplistic. If someone gets a VPN user’s credentials, they are inside your perimeter and can do real damage.
SDP is by no means a panacea. However, it’s a solid evolution of a networking approach that could never foresee how we use the internet today.