Meddane

Zero Trust Network Access (ZTNA) is a security model built on the basic principle of "trust no one and verify everything". ZTNA can be seen as the replacement for legacy remote-access VPN solutions. In traditional networks, including SD-WAN, once an endpoint got into the network, whether through a remote VPN connection or by sitting in a corporate office, that endpoint was deemed trusted and could access any network resource (subject only to application-level security). This means the network itself is exposed to attacks from compromised endpoints. ZTNA is a newer model aimed at fixing that problem by "never trusting" an endpoint on the network unless it has been granted specific access.

ZTNA is accomplished using a technology called software-defined perimeter (SDP). SDP is an application access technology that authenticates users, authorizes application-specific access rights based on user profiles, and also performs continuous risk assessment throughout the session.

Legacy networks have a well-defined network boundary or perimeter, usually guarded by firewalls. To access any corporate network resource, endpoints have to be inside this firewalled perimeter. These appliance or virtual firewalls create a very static, fixed network perimeter. SASE uses SDP to dynamically define a virtual network boundary that is flexible enough to encompass all of the network resources and assets of a particular enterprise. In effect this creates virtual private clouds for different enterprises within the underlying common SASE cloud infrastructure.

Following the standard SDx architecture, SDP has three components:
• SDP client: installed on the endpoint device
• SDP controller: broker between the network and the client; sits somewhere in the SASE core cloud
• SDP gateway (GW): the actual data-plane network entry point; sits on the SASE gateways

As an analogy, SDP is very similar to traditional network ACLs, except that ACLs are static and work only up to L4, whereas SDP can act up to L7. So an ACL will allow access to a whole server/host, but SDP is smart and granular enough to allow access only to a particular application on that server. The user won't even see the other apps on the same server.
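To make the three-component model and the ACL analogy concrete, here is an added toy simulation (written for this post, not code from any SDP product): a controller that authenticates a user, hands out per-application grants from the user's profile and keeps re-assessing risk during the session, and a gateway that only forwards what the controller authorizes. The user names, profiles, host and application names, the L4 ACL entry and the risk threshold are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed profiles: which (host, application) pairs each profile may reach.
# Authorization is per application (L7), not per host (L4).
PROFILE_GRANTS = {
    "hr-staff": {("app-srv-1", "hr-portal")},
    "finance": {("app-srv-1", "hr-portal"), ("app-srv-1", "payroll")},
}
USER_PROFILES = {"alice": "hr-staff", "bob": "finance"}

# Constructed credential store (sha256 of a password), standing in for an IdP.
USER_PW_HASH = {u: hashlib.sha256(p.encode()).hexdigest()
                for u, p in (("alice", "correct-horse"), ("bob", "battery-staple"))}

# Applications actually hosted on each server (what an L4 ACL exposes wholesale).
HOST_APPS = {"app-srv-1": {"hr-portal", "payroll", "admin-console"}}

# Constructed legacy ACL entry for contrast: permit any -> app-srv-1 on tcp/443.
L4_ACL = {("app-srv-1", 443)}
RISK_THRESHOLD = 50  # constructed: accumulated risk at which a session is revoked


@dataclass
class Session:
    user: str
    device_id: str
    grants: set
    risk: int = 0
    revoked: bool = False


class SDPController:
    """Broker between client and network: authenticates, authorizes per app, re-assesses risk."""

    def __init__(self):
        self.sessions = {}

    def authenticate(self, user, password, device_id):
        digest = hashlib.sha256(password.encode()).hexdigest()
        if USER_PW_HASH.get(user) != digest:
            return None
        grants = PROFILE_GRANTS[USER_PROFILES[user]]
        session = Session(user, device_id, set(grants))
        self.sessions[(user, device_id)] = session
        return session

    def authorize(self, session, host, app):
        return not session.revoked and (host, app) in session.grants

    def visible_apps(self, session, host):
        """The client only learns about the applications it was granted on that host."""
        if session.revoked:
            return set()
        return {a for h, a in session.grants if h == host}

    def report_risk(self, session, points):
        """Continuous risk assessment: signals accumulate; past the threshold the session is revoked."""
        session.risk += points
        if session.risk >= RISK_THRESHOLD:
            session.revoked = True
        return not session.revoked


class SDPGateway:
    """Data-plane entry point: forwards only what the controller authorizes."""

    def __init__(self, controller):
        self.controller = controller

    def forward(self, session, host, app):
        if app not in HOST_APPS.get(host, set()):
            return "no-such-app"
        if self.controller.authorize(session, host, app):
            return f"forwarded:{host}/{app}"
        return "denied"


def l4_acl_permits(host, port):
    """Legacy ACL: a match opens the whole host on that port, every app behind it."""
    return (host, port) in L4_ACL


def demo():
    """Walk one user through login, per-app access, and revocation on accumulated risk."""
    ctl = SDPController()
    gw = SDPGateway(ctl)
    out = {"bad_password": ctl.authenticate("alice", "wrong", "laptop-1") is None}
    s = ctl.authenticate("alice", "correct-horse", "laptop-1")
    out["visible"] = ctl.visible_apps(s, "app-srv-1")          # only hr-portal
    out["hr"] = gw.forward(s, "app-srv-1", "hr-portal")        # granted app
    out["payroll"] = gw.forward(s, "app-srv-1", "payroll")     # same host, not granted
    out["acl"] = l4_acl_permits("app-srv-1", 443)              # ACL opens the whole host
    ctl.report_risk(s, 30)                                     # minor signal, still below threshold
    out["after_minor_signal"] = gw.forward(s, "app-srv-1", "hr-portal")
    ctl.report_risk(s, 30)                                     # crosses threshold, session revoked
    out["after_revocation"] = gw.forward(s, "app-srv-1", "hr-portal")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The contrast to watch is `payroll` versus `acl`: the L4 ACL entry for app-srv-1 on tcp/443 permits every application behind that port, while the SDP gateway denies payroll for alice even though hr-portal on the very same server is forwarded. The last two results show the continuous-assessment part: a grant that was valid a moment ago stops being honoured once the session's risk crosses the threshold, without any change to the policy itself.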
