How Software-Defined Perimeter Mitigates Common Security Threats

eWEEK DATA POINTS RESOURCE PAGE: A new paradigm for remote access called Software-Defined Perimeters (SDPs) has taken a zero-trust approach to remote access that replaces broad network access with granular, identity-based access to important IT resources.


Not too long ago, most work was done inside offices. Today, however, most work is conducted remotely—at least a high percentage of the time. We connect from airports, coffee shops, hotels and trains. A significant number of workers work remotely most of the time—as employees or contractors—from home and shared offices such as WeWork.

This shift has had major implications for enterprise security, which was designed to secure a perimeter. Corporate virtual private networks (VPNs) are the most common solution for enabling and securing remote access, giving the remote worker access to the enterprise network, along with access to the applications and data that are on that network. This outdated idea that a user on the local area network (LAN) can be “trusted” leaves a large attack surface for attackers to exploit.

Go here to see eWEEK’s listing of Top Next-Generation Firewall Vendors.

Go here to see a listing of eWEEK's Top SIEM Companies.

Fortunately, a new paradigm for remote access called Software-Defined Perimeters (SDPs) has taken a zero-trust approach to remote access that replaces broad network access with granular, identity-based access to important IT resources. Along the way, the SDP protects enterprises from a wide range of threats and hacking techniques that criminals leverage to attack the enterprise network.

In this eWEEK Data Points article, Etay Bogner, former CEO of Meta Networks and now VP of Zero-Trust Products for Proofpoint, highlights eight common security threats that corporate VPNs fall short in defending. Instead, he points to SDPs as an effective alternative to confronting these threats head-on.

Data Point No. 1: Man in the Middle

A man in the middle (MITM) attack is a type of security breach where the perpetrator positions himself in a conversation between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is under way. Both SDP and VPN solutions can provide protection from MiTM attacks by sending network traffic over an encrypted tunnel. However, SDPs ensure an always-on deployment that protects web traffic and secures access to the enterprise network. Many conventional VPN solutions use a split tunnel to send web traffic out directly to save costs and reduce latency, leaving endpoints vulnerable. SDPs on the other hand secure open endpoints to address this issue.

Data Point No. 2: DNS Hijacking

DNS hijacking is another hazard of working on public WiFi networks. Hackers can intervene in the DNS resolution to send people to a malicious site rather than the one they intended to reach. It may be accomplished through the use of malicious software or unauthorized modification of a server. Once the individual has control of the DNS, they can direct others who access it to a web page that looks the same but contains extra content, such as advertisements. They may also direct users to pages containing malware or a third-party search engine. An always-on SDP solution based on a network-as-a-service architecture uses a curated, secure DNS service to perform the resolution and protect against DNS hijacking.

Data Point No. 3: SSL Stripping

SSL stripping is a type of MiTM attack that downgrades the communications between the endpoint and the server to unencrypted format in order to be able to read the content. One way to prevent SSL stripping is to install HTTPS Everywhere, a browser extension that enforces HTTPS communication wherever possible, preventing an uninvited party from downgrading communications to HTTP. SDPs also prevent such threats, providing mitigation by sending all traffic over an encrypted tunnel.

Data Point No. 4: DDoS

In a distributed denial-of-service (DDoS) attack, an application is made unavailable by overloading it with requests. Since the attack is distributed, it is difficult to stop. Denial-of-service attacks are characterized by an explicit attempt by attackers to prevent legitimate use of a service.

There are two general forms of DoS attacks: those that crash services and those that flood services. The most serious attacks are distributed. Here, SDP solutions can prevent either type of DDoS attack, protecting the application rather than the end-user device. In the SDP model, applications (and the infrastructure that hosts them) are not directly connected to the internet. The SDP solution acts as a gateway that prevents any access that isn’t authorized from getting through.

Data Point No. 5: Port Scanning

Hackers use port scanning to locate an open port on a network that can be exploited for an attack. There are two major concerns related to port scanning that security administrators must be aware of. First, security and stability issues associated with open ports and the program responsible for delivering the service. Second, the security and stability problems associated with the operating system that is running on the host through either open or closed ports. Since SDP solutions isolate all network resources from the internet, hackers cannot take advantage of this technique to find a way in.

Data Point No. 6: Wormable Exploits

Just like BlueKeep, which recently made headlines, worms are exploits that make their way from one machine to the next. Why the fuss? Because all a user has to do to get infected is to join a network—trusted or untrusted. In other words, conventional endpoint security platforms such as antivirus and EDR cannot prevent this type of exploit, and user awareness training will not help, either. Since no user action is required, the mere act of connecting a user’s laptop or phone to a network while an infected device is connected to the same network is enough. Since worms are exploited over a network, in most scenarios an enterprise firewall or VPN cannot mitigate an exploit like BlueKeep. A zero-trust SDP provides users with a unique, fixed identity and micro-segmented access to only the resources that they need so that any infected device would have very little impact on the network as a whole.

Data Point No. 7: Brute Force Attacks

Similar to DDoS, a brute force attack is one in which the hacker attempts to gain access to a network or application through repeated login attempts. An SDP solution will immediately detect access attempts that fail, but will also note suspicious geolocations or times of day, changes to device posture and the lack of active antivirus on the endpoint—and deny access.

Data Point No. 8: Legacy Applications

Many legacy applications were not designed to be accessible from the internet and lack the basic security that we take for granted in modern software-as-a-service (SaaS) applications, for example. Restricting access to legacy applications through an SDP solution isolates the application from the enterprise network and the internet and adds adaptive controls to reduce risk.

Always-on Software-Defined Perimeters secure gateways at the application layer, both to and between cloud infrastructure, for a robust security framework. With encryption capabilities to guarantee that even third-party application providers do not have access to communications, SDPs promise a highly defended perimeter that is ideally suited for cloud-forward organizations.

If you have a suggestion for an eWEEK Data Points article, email [email protected].