Vidder PrecisionAccess

Transcription

1 Vidder PrecisionAccess Security Architecture February E HAMILTON AVENUE. SUITE 410 CAMPBELL, CA P: F:

2 Table of Contents I. Overview... 3 II. Components... 3 PrecisionAccess Client... 3 PrecisionAccess Gateway... 3 PrecisionAccess Controller... 4 III. Protocol... 4 Device Authentication... 4 User Authentication... 5 Service Provisioning... 5 Architecture Diagram... 6 IV. Conclusion... 6 PRECISIONACCESS SECURITY ARCHITECTURE FEBRUARY

3 Overview Modern day organizations are very complex ecosystems that span across multiple trust domains and security zones in order to enable their supply chain, remote workers, and general convenience of users. This type of business enablement is great for productivity and continuity but also introduces many security challenges surrounding remote access, cloud-migration, and ecosystem collaboration. This paper will discuss Vidder s new security architecture based on software-defined perimeter (SDP) that enables business while increasing the security posture of corporate applications. Vidder PrecisionAccess Vidder PrecisionAccess (PrecisionAccess) is Vidder s implementation of the software-defined perimeter. PrecisionAccess is designed to build trust before connectivity and initiates connection by implementing a secure one-time passwordbased device authentication, user authentication, and then provisions connections to protected applications. This concept of a zero-trust and pre-authenticated network has been used by government agencies for many years. However, it has never been implemented in a way that is consumable for the enterprise. Vidder has taken the concepts created in the SDP standard and implemented them in a way that achieves the versatility, security, and agility required in modern day enterprise networks. Components PrecisionAccess Client The PrecisionAccess Client (Client) is a very lightweight, cross-platform piece of software that enables the client to talk to the SDP. This piece of software intercepts application data and encapsulates it for transport into the SDP. It also provides the capability to enumerate and enforce policies. Upon execution, the client will start to intercept specific applications that need to access SDP-protected resources. This startup process is completely transparent to the user and enables a seamless user experience. PrecisionAccess Gateway The PrecisionAccess Gateway (Gateway) is a lightweight daemon that runs on a virtual machine located near the protected application. The Gateway acts as a TCP- PRECISIONACCESS SECURITY ARCHITECTURE FEBRUARY

4 gateway for access to the protected service this way clients never need to make a direct connection to a protected service. In order to protect the end service, the Gateway firewall drops packets with a deny any any rule. Rules to allow authorized clients are dynamically created on a per-device basis after the user has proven to be authenticated and authorized. This means that an unauthorized user cannot scan, connect, or attack the protected service because it is completely hidden from network communications. After a user has authenticated to a Controller and makes a connection to a Gateway, a dynamically created mutual TLS tunnel is created. These TLS connections are created with ECDHE_RSA_WITH_AES_256_GCM_SHA384, which provides a tunnel that is indistinguishable in a chosen plaintext attack or chosen ciphertext attack. PrecisionAccess Controller The PrecisionAccess Controller (Controller) is a vital component in the SDP architecture. It provides a secure location to manage, authenticate, authorize, resist denial of service, and automate secure connection provisioning. The Controller, similarly to the Gateway, is also hidden from normal network communications by utilizing single packet authorization (SPA). Single packet authorization, a form of port knocking, achieves this by sending a packet to the Controller, which will contain cryptographic proof that the packet is legitimate. This SPA token is sent in a TLS ClientHello packet, embedded inside the header. This allows the Controller to check the validity of the application that is creating the TLS connection, mitigating attacks against SSL and denial of service. Finally, the mutual TLS connection will be established to continue the authentication process. After the secure connection is established to the Controller, the user is presented with a login page to enter in their credentials. This is typically done through a redirection to a SAML identity provider that integrates with the enterprise directory system. This can consist of one or many different authentication mechanisms including username and password, multi-factor authentication, Geolocation, and device fingerprinting. After logging in, the Controller will check the user s authorization for each protected service based on the groups returned by the SAML assertion. Protocol Device Authentication The first step in the process is to authenticate the software and device. This can take on a variety of forms depending on the level of trust required for the deployment, but generally it will include SPA, mutually authenticated TLS, device fingerprinting, and context-based device authorization policies. First, it generates PRECISIONACCESS SECURITY ARCHITECTURE FEBRUARY

5 and sends a one-time token embedded within a TLS ClientHello packet this is referred to as SPA. Now the Client is able to establish a secure connection to the Controller, accomplished using a mutually authenticated TLS connection. Mututally means that a valid client certificate is required. Following the connection to the Controller, the current fingerprint of the device is sent to the Controller to ensure it matches with the initial fingerprint taken at on-boarding time. The fingerprinting process can be done either with a Trusted Platform Module (TPM) chip or by creating a signature based on hardware IDs and randomized, hidden data on the system. This process results in the connection requiring something you have, your device, as an authentication factor. This implementation is referred to as Transparent Multi- Factor Authentication ( tmfa ) because it has no impact on the user experience. An additional, but optional, step in the device authentication process is Contextbased Authorization. This is a set of per-service policies that can be configured in the Controller to set additional requirements for access. Some common examples of this is managed vs unmanaged device, source IP address, and geolocation. User Authentication After the device and software has been proven to be trusted, the user will be presented with a login page in their browser. Note that if the customer has implemented single sign-on ( SSO ) then the user will be automatically authenticated. This user authentication is verified by connecting to the enterprise directory system via SAML or a Directory Connector. After entering valid credentials, the user can be prompted for a multi-factor authentication token if it is enabled by the customer. Note that this would be considered a third factor of authentication as the tmfa already provides a second factor of authentication. Now that the user has proven their identity, the Controller will check which groups the user is a member of. These groups, taken from the customer s directory system, will be mapped to services in order to determine the level of access. Service Provisioning The final step in the protocol is connecting to the protected services by provisioning dynamic firewall rules and mutual TLS connections. The Controller will tell the Gateways to expect a user to connect, opening a pinhole in the firewall for the authenticated user. Once TCP port 443 is opened for the user, the same device authentication process outlined earlier will occur to the Gateway. This includes SPA and another mutual TLS connection, which will ultimately provide secure access to the protected services. PRECISIONACCESS SECURITY ARCHITECTURE FEBRUARY

6 Architecture Diagram Conclusion The concepts within SDP have proven to be an effective architecture for the Department of Defense for many years. This solution provides a significantly higher security posture for applications and communication paths by requiring strong multi-factor authentication before any connections can be established. PrecisionAccess has taken these concepts and created a technology that allows enterprises to enable business, increase agility, and revolutionize their security architecture. Contact Us [email protected] Phone: PRECISIONACCESS SECURITY ARCHITECTURE FEBRUARY