Cryptzone AppGate Update Secures the Software Defined Perimeter

AppGate 3.0 release adds new capabilities to help organizations provide secure, authenticated access to resources, including Single-Packet Authorization technology that keeps network resources hidden from unauthorized users.

Security vendor Cryptzone today announced its AppGate 3.0 release, providing organizations with new capabilities that follow the Software Defined Perimeter specification for securing IT applications, users and data.

The Software Defined Perimeter (SDP) is an initiative that started in November 2013 as an effort led by the Cloud Security Alliance (CSA). The basic idea behind the SDP is that the modern IT perimeter is no longer defined by physical attributes or fixed locations, but rather by software.

"AppGate implements the Software Defined Perimeter specification across a distributed architecture," Jason Garbis, VP of Products at Cryptzone, told eWEEK.

From a technical perspective, there is a controller that acts as a centralized authentication point and policy store for an SDP network. Additionally, there is a set of network gateways that protect network resources, and there is a client component installed on each endpoint device. The client creates a secure, encrypted virtual private network (VPN) tunnel from the device through a network gateway to the resources the policy allows that user to reach.

Garbis emphasized that the AppGate approach to securing access is more evolved than simply using software firewalls and Access Control Lists (ACLs). He explained that AppGate policies define, in descriptive terms, the set of resources that users are permitted to access, rather than enumerating IP addresses and ports.

"What AppGate does is it provides a new way of looking at and enforcing network security that is based on the user and not an IP address," Garbis said.

Most organizations already have some form of identity management system in place, with many using Microsoft's Active Directory. Garbis commented that Cryptzone built AppGate with the ability to make use of an organization's existing identity systems rather than requiring a separate user store.

Among the new features in the AppGate 3.0 release is support for a technology known as Single-Packet Authorization (SPA).

"With Single-Packet Authorization authorized client devices can obtain access to the system through a single cryptographically signed network packet," Garbis said.

With SPA, AppGate entry points are not visible to unauthorized users, which also helps to make the network more secure. Scanning a network to enumerate the devices and services that are running is typically one of the first steps of an attack. The basic idea is that if an attacker cannot see a particular resource, it is more difficult to target and attack.

"With Single-Packet Authorization we're basically turning off the ability for scanners to see if AppGate is running on a particular port and therefore we're hiding resources from potential attackers," Garbis said.

Garbis added that the SPA approach is a low-overhead way to establish secure and authorized connections. Unauthorized clients in the SPA model are rejected, without consuming resources on the server side.
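The SPA exchange described above, as an added illustration that is not code from the original article or from Cryptzone's AppGate: a client sends one authenticated datagram carrying its identity, a timestamp, a random nonce and the port it wants; the gateway checks the packet's structure, authenticity and freshness, and answers nothing at all when any check fails. The packet layout, the client IDs, the key material and the use of an HMAC-SHA256 tag in place of a public-key signature are all assumptions made for this example.

```python
"""Constructed Single-Packet Authorization (SPA) example (not AppGate's code).

Packet layout (assumed for this example, network byte order):
  version(1) | id_len(1) | client_id | timestamp(8) | nonce(16) | port(2) | tag(32)
The tag is HMAC-SHA256 over everything before it, keyed per client.
"""
import hashlib
import hmac
import os
import struct

VERSION = 1
NONCE_LEN = 16
TAG_LEN = 32
FIXED_LEN = 2 + 8 + NONCE_LEN + 2 + TAG_LEN   # everything except the client ID
REPLAY_WINDOW = 30                            # seconds a packet stays valid

# Constructed per-client keys; a real deployment would provision these
# (or use asymmetric signatures) rather than hard-code them.
CLIENT_KEYS = {
    b"laptop-01": bytes.fromhex("11" * 32),
}


def build_spa_packet(client_id, key, port, now):
    """Client side: one datagram that proves possession of the client's key."""
    body = (struct.pack("!BB", VERSION, len(client_id)) + client_id
            + struct.pack("!Q", int(now)) + os.urandom(NONCE_LEN)
            + struct.pack("!H", port))
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaGateway:
    """Gateway side: silently drops anything that is not authentic and fresh."""

    def __init__(self, keys, window=REPLAY_WINDOW):
        self.keys = keys
        self.window = window
        self.seen = {}   # nonce -> time after which it can be forgotten

    def verify(self, packet, now):
        """Return (client_id, port) on success, None on any failure.

        Failures produce no reply, so a scanner cannot tell whether the port
        is closed or an SPA listener is waiting; the only work spent on an
        unauthorized packet is a few length checks and at most one HMAC."""
        # Cheap structural checks before any cryptography.
        if len(packet) < FIXED_LEN:
            return None
        version, id_len = struct.unpack("!BB", packet[:2])
        if version != VERSION or len(packet) != FIXED_LEN + id_len:
            return None
        client_id = packet[2:2 + id_len]
        key = self.keys.get(client_id)
        if key is None:                      # unknown client: no HMAC work at all
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return None                      # forged or tampered packet
        off = 2 + id_len
        ts = struct.unpack("!Q", body[off:off + 8])[0]
        nonce = body[off + 8:off + 8 + NONCE_LEN]
        port = struct.unpack("!H", body[off + 8 + NONCE_LEN:off + 10 + NONCE_LEN])[0]
        if abs(now - ts) > self.window:
            return None                      # stale (or far-future) packet
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if nonce in self.seen:
            return None                      # replayed within the window
        self.seen[nonce] = ts + self.window  # remember until the timestamp check takes over
        return client_id, port


def demo():
    """Run the gateway against a valid packet and several hostile ones."""
    gw = SpaGateway(CLIENT_KEYS)
    t0 = 1_700_000_000
    key = CLIENT_KEYS[b"laptop-01"]
    pkt = build_spa_packet(b"laptop-01", key, 443, now=t0)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])      # flip one tag bit
    return {
        "valid": gw.verify(pkt, now=t0 + 1),            # -> (b"laptop-01", 443)
        "replay": gw.verify(pkt, now=t0 + 2),           # same nonce again -> None
        "tampered": gw.verify(tampered, now=t0 + 1),    # bad HMAC -> None
        "unknown_client": gw.verify(build_spa_packet(b"rogue", b"\x22" * 32, 443, now=t0), now=t0),
        "stale": gw.verify(build_spa_packet(b"laptop-01", key, 443, now=t0), now=t0 + 120),
        "scanner_probe": gw.verify(b"GET / HTTP/1.0\r\n\r\n", now=t0),  # wrong shape -> None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

In a deployment the gateway would keep the protected port closed at the packet filter and open it only for the source address of a packet that `verify` accepts; everything this code rejects is simply dropped, which is what keeps the service invisible to a port scan. Note that the replay set is bounded by the timestamp window: once a packet is older than the window it is rejected on the timestamp check alone, so nonces older than that are safe to forget.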

AppGate 3.0 also provides enhanced capabilities to detect and respond to malicious or unauthorized attempts at network access. With SPA, unauthorized users are unable to connect to the system at all, but authorized users may still attempt to reach resources they are not permitted to access, and those attempts are what the new detection capabilities are meant to surface.

Looking forward, Garbis said that Cryptzone has a few items on its roadmap for improving AppGate in future releases. Among the items on the list are helping to improve internet of things (IoT) security as well as additional cloud and scalability improvements.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.