9. A Policy-Centric Approach
• Controller applies filters to decide which policies apply upon authentication
• All the permitted entitlements are applied to the user
• Resulting entitlements and conditions are embedded in a token
[Diagram: Controller and LogServer; Site 1, Site 2 and Site 3 hosting Database, FinanceApp, Sales System and Web Staging; RDP access and SSH access paths]
18. AppGate Benefits
• Creates an identity before connecting to anything on the network
• Removes attacks including zero day, DDOS and lateral movement
• The Cloud Fabric can now be extended all the way to the user and device
• Leverages legacy applications by extending the SDP Architecture
• No longer need traditional network defense equipment (Firewall, VLAN, VPN, etc.)
• Identity-centric security
• Policies on user and cloud instances
Identity-Centric Network Security
• Site is protected by Gateway
• Servers only accept incoming connections from Gateway
• Plaintext traffic for standard logging, monitoring tools
Policies are tools used to assign entitlements to a user, group of users, or administrators.
Policies include a list of entitlements, and filters that define who those entitlements should be assigned to.
The list of entitlements within a policy is used by the Controller to create the entitlement token(s) for each user.
The policy defines all the entitlements allowed for a user during the session. The conditions within each entitlement are used by the Gateway to control whether the entitlement is permitted at the time of consumption.
The Controller uses the filters within a policy to check if the policy applies to a user. If no filters have been included in the policy, then it won't be assigned to any users. If a user's claims don't match any filters, then no policies will be allocated and the user will not receive any entitlements.
This is a screenshot of how you would create an entitlement within AppGate. Entitlements specify the network resources that are applied to users for network access. Some types of network access include IP access, ICMP access or reverse IP access, target hostnames, AWS security groups and tags. In this example, we are showing that the Client is entitled to TCP access to port 443 on host 10.1.0.4.
Entitlements can allow, block or alert, and are subject to filters and conditions.
Define the exact network resources which users may access
Network access types include:
IP access, reverse IP access, or ICMP access
Target hostnames, IP addresses, subnets, AWS security groups & tags
Examples of user entitlements:
• TCP access to port 443 on host 10.1.0.4
• TCP access to port 22 on subnet 10.1.0.0/24
• TCP access to port 3389 on all AWS resources with Security Group Dev_Team4
• ICMP access to host QA_Server_11
Entitlements can allow, block or alert
Entitlements are associated with conditions
Entitlements are filtered at authentication time and conditions are evaluated at time of access. AppGate allows you to get to a very granular level when defining these criteria as you can see above.
Policies are filtered at authentication time
• Policies are evaluated by the Controller upon user device authentication (and renewal)
• Policies determine the set of entitlements (targets, ports, and protocols)
Conditions are evaluated at time of access
• Entitlements are evaluated by the Gateway when the user tries to access a target resource
• Conditions may prompt for a password or an OTP, or require an explanation
• Conditions may permit or block access based on attributes such as network location, time of day, etc.
The attributes mapping defines how the database attributes in each user identity provider directory will be mapped to AppGate XDP claim names. This mapping defines which user-claims will be available to include in filter and condition expressions.
(In addition to being used to authenticate the user at login, the database attributes in your identity provider directory are used to populate user-claims. Filters and conditions use these user-claims to control the allocation and authorization of entitlements. By creating different filter expressions that use different user-claims, administrators can be very precise about how entitlements are allocated to prevent over-provision.)
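The two-stage model described above (policy filters applied by the Controller at authentication, entitlement conditions evaluated by the Gateway at access time, and directory attributes mapped to claim names) as an added toy model in Python; this is illustrative code written for these notes, not AppGate's own implementation. The "host:port/proto" target notation, the attribute-to-claim mapping, the policy names, the conditions and the default-block behaviour of the gateway are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Claims = Dict[str, object]

@dataclass
class Entitlement:
    target: str                    # constructed "host_or_subnet:port/proto" notation
    action: str = "allow"          # allow | block | alert
    # Conditions are checked by the Gateway at access time against claims + request context
    conditions: List[Callable[[Claims, Dict], bool]] = field(default_factory=list)

@dataclass
class Policy:
    name: str
    filters: List[Callable[[Claims], bool]]   # checked by the Controller at authentication
    entitlements: List[Entitlement]

def map_attributes(record: Dict[str, object], mapping: Dict[str, str]) -> Claims:
    """Attribute mapping: directory attribute name -> claim name usable in filters/conditions."""
    return {claim: record[attr] for attr, claim in mapping.items() if attr in record}

def issue_token(claims: Claims, policies: List[Policy]) -> List[Entitlement]:
    """Authentication time: a policy with no filters applies to nobody; otherwise every filter must match."""
    token: List[Entitlement] = []
    for p in policies:
        if p.filters and all(f(claims) for f in p.filters):
            token.extend(p.entitlements)
    return token

def gateway_decide(token: List[Entitlement], target: str, claims: Claims, ctx: Dict) -> str:
    """Access time: first entitlement for the target whose conditions all hold decides (assumed default: block)."""
    for e in token:
        if e.target == target and all(c(claims, ctx) for c in e.conditions):
            return e.action
    return "block"

# Constructed sample mapping, conditions and policies (hypothetical names)
MAPPING = {"sAMAccountName": "username", "department": "dept"}
office_hours = lambda claims, ctx: 8 <= ctx["hour"] < 18
on_corp_net = lambda claims, ctx: ctx["src_net"] == "corp"
POLICIES = [
    Policy("dev", [lambda c: c.get("dept") == "Dev"], [
        Entitlement("10.1.0.4:443/tcp", "allow", [office_hours]),
        Entitlement("10.1.0.0/24:22/tcp", "alert", [on_corp_net]),
    ]),
    Policy("orphan", [], [Entitlement("10.1.0.9:3389/tcp")]),   # no filters: never assigned
]

def authorize(record: Dict[str, object], target: str, ctx: Dict) -> str:
    claims = map_attributes(record, MAPPING)          # directory record -> claims
    return gateway_decide(issue_token(claims, POLICIES), target, claims, ctx)
```

Note that a user whose claims match no filter ends up with an empty token, and an entitlement whose condition fails at access time yields the default block even though it was in the token.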