Software Defined Perimeter Research Articles

Enhancing the Security of Single-Packet Authentication Protocol Using Multi-Dimensional Factors

This paper proposes a design method for a stealth gateway that supports multi-factor authentication, centered around software-defined perimeter (SDP) technology. The gateway dynamically authorizes user access requests initiated from authenticated devices and blocks such requests from unauthenticated devices. After legitimate users’ access requests are authenticated through multiple factors including passwords, one-time passcodes, IP addresses, etc., they are forwarded by the stealth gateway. Compared to traditional Virtual Private Networks (VPNs), firewalls, and other security measures, the stealth gateway effectively reduces the attack surface of the network, achieves multi-factor authentication and perimeter invisibility, thereby enhancing overall data security.

Securesdp: a novel software-defined perimeter implementation for enhanced network security and scalability

Securesdp: a novel software-defined perimeter implementation for enhanced network security and scalability

Toward Zero-Trust 6GC: A Software Defined Perimeter Approach with Dynamic Moving Target Defense Mechanism

Toward Zero-Trust 6GC: A Software Defined Perimeter Approach with Dynamic Moving Target Defense Mechanism

Research on the Security Protection of Secondary Distribution System Based on Software defined Perimeters

<p>With the new technologies including big data, cloud computing, the Internet of Things (IoT), mobile Internet, and Artificial Intelligence (AI) coming into widespread in the secondary distribution system, it makes the network boundary more fuzzy, and the network security risk points and exposed surfaces significantly increase. Therefore, the traditional boundary-based security protection model has been unable to meet the protection needs. As one of the most popular security concepts at present, the zero trust mechanism can achieve the dynamic protection of information intranets. Based on the concept of zero trust security and software defined perimeter (SDP) technology, this paper designs and implements a security scheme suitable for the secondary distribution system and proposes a novel identity authentication model which can solve the problems of port exposure that existed in the traditional authentication scheme. In addition, the model applies the SM9 identification algorithm to reduce the computational cost of the encryption and decryption in the proposed scheme. Finally, the performance analysis demonstrates that the proposed scheme is effective and suitable for the secondary distribution system which can effectively resist multiple types of network attacks.</p> <p> </p>

Dynamic access control method for SDP-based network environments

With online work environments and other distributed computing systems—such as cloud technologies or Internet of Things systems—becoming increasingly popular today due to the COVID-19 pandemic and general technological advances, the question of how to keep them secure has also become a pertinent concern. With this increased dependence on online systems for companies, cyberattacks have also been on the rise. To protect terminal devices, many companies have resorted to implementing a single boundary-defense model. This method has yielded positive results in securing the network from external threats, but it does not effectively protect network from internal security threats. With the vulnerabilities in the internal network security in mind, a dynamic access control method used with a zero-trust software-defined perimeter security model could be a viable solution. This study proposes a dynamic access control method using an engine with a new reward and penalty point-based system (RP Engine) and a dynamic task engine (DT Engine) for a zero-trust SDP security model.

Optimal Federation Method for Embedding Internet of Things in Software-Defined Perimeter

In the digital transformation (DX) era, the Internet is rapidly evolving, as represented by the Internet of Things (IoT) and artificial intelligence (AI). Accordingly, information security incidents are increasing and diversifying. An example of this diversification is the emergence of internal fraud in telework and other scenarios. As a countermeasure, the software-defined perimeter (SDP), a zero-trust model, is attracting attention. SDP ensures that users are always secure by authenticating and authorizing them each time a service is provided. SDP is expected to be integrated with the IoT in order to expand its application. However, it is difficult to ensure the security of the IoT itself due to the lack of resources such as CPU power and storage. Therefore, when embedding IoT devices into SDP, the main issue is how to ensure the reliability of the IoT itself, but this has not been sufficiently studied. In this paper, we propose a method to compensate for the lack of IoT resources so that it can be securely embedded into SDP. We investigated several federation methods and found through qualitative evaluation that the identity provider (IdP) is the most effective and can efficiently achieve authentication and authorization in SDP.

An efficient and provably secure certificateless protocol for the power internet of things

The Power Internet of Things (IoT) is a specific application of the IoT in the power grid. The threat existing in the Power IoT mainly comes from the terminal deployed in the open environment, which has the risk of being tampered with and impersonated. Thus, we design a certificateless anonymous key agreement protocol for the Power IoT to solve the problem of terminal access. The proposed protocol completes session key agreement in only one round exchange of key materials on the basis of certificatelessness, which saves the cost of certificate management. It also achieves anonymity by encrypting the authentication information to ensure the identity privacy of terminals. In addition, the protocol prevents malicious connections of internal systems by setting up software defined perimeter (SDP) controllers to complete pre-access authentication of terminals. Moreover, an improved eCK security model is designed and applied to demonstrate the proposed protocol. An experiment and analyses indicate that our scheme has advantages in terms of the communication and computation costs that are suitable for Power IoT.

Suitable Scalability Management Model for Software-Defined Perimeter Based on Zero-Trust Model

The software-defined perimeter (SDP), a zero-trust model developed by the Cloud Security Alliance, has been attracting attention in the technological industry since its introduction to a world adapting to digital transformation. Many trust models have been introduced to meet the growing demands for cyber security, such as the public key infrastructure, soft-ware-defined network, and virtual private network. SDP has particularly gained importance as a zero-trust model because no one in the digital world can be trusted. With the introduction of new models and technical devices, there is now a need to improve newly introduced technology on various grounds when customers adapt to devices. In this work, we discuss how to overcome the current issues of SDP relating to scalability, reliability, usability, etc. As the number of organizations that share information online continues to expand, there is a need for scalable and reliable SDP models that are both easy to maintain and cost efficient for evolving organizations. To meet this need, we proposed several scalable SDP models that enable easier installation management of real networks of organizations with different organizational structures. Specifically, we propose hierarchical, bridge, hybrid, and mesh models. The results of qualitative and quantitative evaluations showed that the bridge model is the most suitable of the four as an extension of SDP.

Securing the Software-Defined Perimeter Framework with Automated Security Configuration Deployment Systems

Securing the Software-Defined Perimeter Framework with Automated Security Configuration Deployment Systems

A data plane security model of segmented routing based on SDP trust enhancement architecture

Segment routing (SR) technology is a new network functional technology derived from MPLS technology and based on SDN. Combining SR with software-defined perimeter (SDP), a new network security technology, is expected to solve the traditional problems such as data monitoring, denial of service, and new threats such as loop attack and label detection faced by SR data plane. Focusing on the security management of access devices in the SR data plane, first, this paper proposes an SR security model SbSR (SDP-based SR) based on SDP trust enhancement architecture, then, two-level SDP AH trust verification mechanism and 4 trust management mechanisms including initial trust value, trust evaluation, trust renewal, trust inheritance are designed. In the trust evaluation mechanism as the core of the model, System cloud grey model (1,1) weighted Markov prediction model is introduced to obtain real-time trust based on the historical behavior of device nodes, and 4 indexes, namely benign message ratio, loyal forwarding ratio, forwarding ratio stationarity coefficient, packet rate stationarity coefficient, are introduced to distinguish malicious devices from normal devices. Finally, the simulation test results of 5 security functions and security costs show that the proposed architecture can solve port scanning, traffic monitoring, topology detection, loop attack, and DoS attack of SR network data plane with an average access delay cost of 2.84 s for each new network agent, and realize multi-faceted protection of SR network data plane.

Zero Trust Architecture (ZTA): A Comprehensive Survey

We present a detailed survey of the Zero Trust (ZT) security paradigm which has a growing number of advocates in the critical infrastructure risk management space. The article employs a descriptive approach to present the fundamental tenets of ZT and provides a review of numerous potential options available for successful realization of this paradigm. We describe the role of authentication and access control in Zero Trust Architectures (ZTA) and present an in-depth discussion of state-of-the-art techniques for authentication and access control in different scenarios. Furthermore, we comprehensively discuss the conventional approaches to encryption, micro-segmentation, and security automation available for instantiating a ZTA. The article also details various challenges associated with contemporary authentication mechanisms, access control schemes, trust and risk computation techniques, micro-segmentation approaches, and Software-Defined Perimeter, that can impact the implementation of ZT in its true sense. Based upon our analysis, we finally pinpoint the potential future research directions for successful realization of ZT in critical infrastructures.

Hierarchical Security Paradigm for IoT Multiaccess Edge Computing

The rise in embedded and IoT device usage comes with an increase in LTE usage as well. About 70% of an estimated 18 billion IoT devices will be using cellular LTE networks for efficient connections. This introduces several challenges, such as security, latency, scalability, and quality of service, for which reason edge computing or fog computing has been introduced. The edge is capable of offloading resources to the edge to reduce workload at the cloud. Several security challenges come with multiaccess edge computing (MEC), such as location-based attacks, the man- in-the-middle attacks, and sniffing. This article proposes a software-defined perimeter (SDP) framework to supplement MEC and provide added security. The SDP is capable of protecting the cloud from the edge by only authorizing authenticated users at the edge to access services in the cloud. The SDP is implemented within a mobile-edge LTE network. Delay analysis of the implementation is performed, followed by a Denial-of-Service (DoS) attack to demonstrate the resilience of the proposed SDP. Further analyses, such as CPU usage and port scanning were performed to verify the efficiency of the proposed SDP. This analysis is followed by concluding remarks with insight into the future of the SDP in MEC.

Multilevel Security Framework for NFV Based on Software Defined Perimeter

The rapid increase in global IP traaffic and the adoption of mobile devices have challenged network service providers to scale and improve infrastructure to meet this new demand. To improve return on investment for scaling networking infrastructure and capitalize on advancements in virtualization technologies, Network Function Virtualization (NFV) has been proposed. NFV does present some newfound security challenges, however, by combining elements of networking and virtualization technology. These challenges include protecting against attacks like remote hypervisor attacks, Denial of Service (DoS) attacks, Virtual Machine (VM) Hopping, and port scanning. Software- Defined Perimeter (SDP) is proposed as a framework to provide logical perimeters around these services, restricting network access and connections to the SDP-enabled Virtual Network Functions (VNFs) to trusted clients only. Several security benefits present themselves as a result of a combined NFV-SDP architecture. The deployment and access control are customize-able, catering to a wide array of user needs. The aforementioned proposed architecture was tested within a virtual environment. The test results show that the combined architecture is indeed resistant to DoS attacks. Additionally, the results lead to a discussion regarding future research and implementation potentials for this architecture.

Adoption of the Software-Defined Perimeter (SDP) Architecture for Infrastructure as a Service

The use of cloud Infrastructure as a Service (IaaS) for enterprise applications is at an all-time high and is charted to continue growing to approximately 73% by 2022. IaaS suffers from several security concerns, such as hypervisor hijacking, virtual machine (VM) hopping, and account hijacking. With such a large percentage of enterprise traffic on the cloud, a strong security framework is demanded. To secure IaaS, this article proposes a software-defined perimeter (SDP) as a solution. SDP provides a logical perimeter to restrict access to services with a layer of authentication and authorization to allow. Only authorized clients may connect to services hidden by SDP gateways. SDP is implemented and verified in an AWS cloud environment. Port scanning is used to verify SDP behavior as well. The results demonstrate the SDP's ability to “darken” services behind a gateway. The performance of SDP against a denial-of-service (DoS) attack is demonstrated in a local environment. The test results demonstrate that SDP is indeed capable of resisting DoS attacks while allowing legitimate user traffic even under the duration of the attack. These results lead to a discussion on future research for SDP in IaaS.

Research on SDP Software Defined Perimeter Initiating Host Protocol Configuration Algorithm

With the popularity of digital and cloud services, the demand for network security products and solutions is increasing day by day. At the same time, the network security problems are becoming more and more serious. The network security architecture and platform are far from meeting the challenges brought by the current situation. As a new generation network security solution concept, the Software Definition Perimeter was first proposed by the Cloud Security Alliance in 2013. The whole central idea is to build a virtual enterprise boundary in the mobile + cloud era through software. The use of identity-based access control is to cope with the problem of coarse control and poor validity caused by boundary fuzziness, so as to achieve the purpose of protecting data security. This paper mainly changes the infrastructure of the Software Defined Perimeter SDP, and adds the message queue, which mainly stores the control information in the message queue to solve the peak congestion and network congestion problem.

On IoT applications: a proposed SDP framework for MQTT

In this work, the software-defined perimeter (SDP) is considered for the Message Queuing Telemetry Transport (MQTT) protocol framework in the Internet of Things (IoT) applications. In fact, the SDP provides an additional layer of security with or without SSL/TLS by replacing the traditional login method (username/password) with a single-packet authorisation (SPA) process. This will blacken the end devices, by cloaking and causing them to be inaccessible by attackers. Consequently, this prevents the log-in information from being compromised in the absence of encryption. Eventually, the framework is evaluated through an implementation testbed and system proved to be secure against denial of service active and off-line dictionary types of attacks, even with the use of weak login credentials. All the while, achieving measurable efficiency over the traditional use of MQTT.

A matter of trust

As identity becomes the new perimeter, there is an ongoing trend that suggests that a ‘zero trust’ security model can augment conventionalfirewalls and VPNs to fortify an organisation's security posture. This movement towards more available access but with dynamic authorisation is growing asIT becomes more hybrid and applications migrate to the cloud. Prior requirements of forcing users to go through the corporate network – for example,using simple two-factor authentication registration – will change as well. This movement towards more available access but with dynamic authorisation is growing as ITbecomes more hybrid and applications migrate to the cloud. Prior requirements of forcing users to go through the corporate network will change as well.And software defined perimeter (SDP) technology can deliver the new trust models we need, argues Scott Gordon of Pulse Secure.

On the Security of SDN: A Completed Secure and Scalable Framework Using the Software-Defined Perimeter

The widespread adoption and evolution of Software Defined Networking (SDN) have enabled the service providers to successfully simplify network management. Along with the traffic explosion, there is decreasing CAPEX and OPEX as well as an increase in the average revenue per user. However, this wide adoption of SDNs is posing real challenges and concerns in terms of security aspects. The main challenges are how to provide proper authentication, access control, data privacy, and data integrity among others for the API-driven orchestration of network routing. Herein, the Software Defined Perimeter (SDP) is proposed as a framework to provide an orchestration of connections. The expectation is a framework that restricts network access and connections between objects on the SDN-enabled network infrastructures. There are several potential benefits as a result of the integration between SDP systems and SDNs. In particular, it provides a completely scalable and managed security solution. Consequently, it leads to flexible deployment that can be tailored to fit the need of any generic network security perimeter. The proposed Integrated frameworks are examined through virtualized network testbeds. The testing results demonstrate that the proposed framework is malleable to both port scanning (PS) attack and Denial of Service (DoS) bandwidth attack. In addition, it clarifies some interesting potential integration points between the SDP systems and SDNs to further research in this area.

Improved Single Packet Authentication and Network Access Control Security Management in Software Defined Perimeter

Improved Single Packet Authentication and Network Access Control Security Management in Software Defined Perimeter

Should jump box servers be consigned to history?

Jump boxes have been utilised for decades to protect and isolate critical systems. The main purpose of the jump box is to act as a security guard at the entrance to the infrastructure. It checks the credentials of users approaching the gate, ensuring that only authorised users can log into the network environment and from there can safely get access to any of the other servers or boxes. Jump boxes have been used for decades to protect and isolate critical systems. However, even though they don't store sensitive data, they raise serious security concerns. With the growing popularity of hybrid ecosystems, where enterprises are transitioning to cloud-based infrastructure and incorporating third-party services and/or contractors, jump boxes become harder to implement effectively. A software-defined perimeter approach will not only solve jump box concerns, but will also strengthen security and compliance, explains Chris Steffen of Cyxtera.