Cryptzone AppGate Technical Architecture
•Download as PPTX, PDF•
2 likes•1,052 views
Learn more about AppGate's technical architecture. AppGate delivers a Software-Defined Perimeter network security solution.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (16)
Similar to Cryptzone AppGate Technical Architecture
Similar to Cryptzone AppGate Technical Architecture (20)
Recently uploaded
Recently uploaded (20)
Cryptzone AppGate Technical Architecture
- 2. Individualized perimeter for each user What Does AppGate Look Like? 2
- 3. Fine-grained authorization for on-premises and cloud What Does AppGate Look Like? 3
- 4. Dynamically adjusts to new cloud server instances What Does AppGate Look Like? 4
- 5. Consistent access policies across heterogeneous environments What Does AppGate Look Like?
- 6. Contextual awareness drives access and authentication What Does AppGate Look Like? 6
- 7. AppGate Architecture Controller Authentication and token-issuing service Distributed Architecture with 3 Functions Gateway Distributed, dynamic access control LogServer Provides secure logging services 7 Virtual Network Adapter Secure, Encrypted Tunnel
- 8. AppGate Policy Model 8 Filter Entitlement ConditionAttributes
- 9. A Policy-Centric Approach • Controller applies filters to decide which policies apply upon authentication • All the permitted entitlements are applied to the user • Resulting entitlements and conditions are embedded in a token Site 2 Site 1 Site 3 Database Database Controller LogServer Sales System RDP Access Web Staging SSH 9 FinanceApp DatabaseFinanceApp
- 11. Filters Determine which users are allowed access 11
- 12. Conditions Determine how and when users can access resources 12
- 14. AppGate 14 DEVICE TIME CUSTOM ATTRIBUTES ANTI-VIRUS LOCATIONAPPLICATION PERMISSIONS Looks at both context and identity to grant access1
- 15. AppGate 15 DEVICE TIME CUSTOM ATTRIBUTES ANTI-VIRUS LOCATIONAPPLICATION PERMISSIONS Managed Networks Cloud, On-premises or Hybrid SharePoint Secured Email CRM Group File Share Executive Files Enterprise Finance EXEC_SE RVER Looks at both context and identity to grant access1 Creates dynamic ‘Segment of One’ (1:1 firewall rule)2 ENCRYPTED & LOGGED ERP
- 16. AppGate 16 DEVICE TIME CUSTOM ATTRIBUTES ANTI-VIRUS LOCATIONAPPLICATION PERMISSIONS Managed Networks Cloud, On-premises or Hybrid Looks at both context and identity to grant access1 Creates dynamic ‘Segment of One’ (1:1 firewall rule)2 Makes everything else invisible3 ENCRYPTED & LOGGED ERP
- 17. AppGate 17 DEVICE TIME CUSTOM ATTRIBUTES ANTI-VIRUS LOCATIONAPPLICATION PERMISSIONS Managed Networks Cloud, On-premises or Hybrid Looks at both context and identity to grant access1 Creates dynamic ‘Segment of One’ (1:1 firewall rule)2 Makes everything else invisible3 Adjusts automatically to changes in posture and infrastructure4 ENCRYPTED & LOGGED ERP
- 18. AppGate Benefits 18 Creates an identity before connecting to anything on the network Removes attacks including zero day, DDOS and lateral movement The Cloud Fabric can now be extended all the way to the user and device Leverages legacy applications by extending the SDP Architecture No longer need traditional network defense equipment (Firewall, VLAN, VPN, etc.) • Identity-centric security • Policies on user and cloud instances Identity-Centric Network Security
Editor's Notes
- Site is Protected by Gateway Servers only accept incoming connections from Gateway Plaintext traffic for standard logging, monitoring tools
- Policies are tools used to assign entitlements to a user, group of users, or administrators. Policies include a list of entitlements, and filters that define who those entitlements should be assigned to. The list of entitlements within a policy is used by the Controller to create the entitlement token(s) for each user. The policy defines all the entitlements allowed by a user for use during the session. The conditions within each entitlement are used by the Gateway to control whether the entitlement is permitted at the time of consumption. The Controller uses the filters within a policy to check if the policy applies to a user. If no filters have been included in the policy, then it won't be assigned to any users. If a user's claims don't match any filters, then no policies will be allocated and the user will not receive any entitlements.
- This is a screen shot of how you would create an entitlement within AppGate. Entitlements specify the network resources that are applied to users for network access. Some types of network access include IP access, ICMP access or reverse IP access, target hostnames, AWS security groups and tags. In this example, we are showing the Client is entitled to TCP access to port 443 on host 10.1.0.4. Entitlement can allow, block or alert and are subject to filters and conditions. Define the exact network resources which users may access Network access types include: IP access, reverse IP access, or ICMP access Target hostnames, IP addresses, subnets, AWS security groups & tags Examples of a user entitlement : TCP access to port 443 on host 10.1.0.4 TCP access to port 22 on subnet 10.1.0.0/24 TCP access to port 3389 on all AWS resources with Security Group Dev_Team4 ICMP access to host QA_Server_11 Entitlements can allow, block or alert Entitlements are associated with conditions
- Entitlements are filtered at authentication time and conditions are evaluated at time of access. AppGate allows you to get to a very granular level when defining these criteria as you can see above. Policies are filtered at authentication time Policies are evaluated by Controller upon user device authentication (and renewal) Policies determine the set of entitlements (targets, ports, and protocols)
- Conditions are evaluated at time of access Entitlements are evaluated by the Gateway when user tries to access target resource Conditions may prompt for password, OTP, require explanation Conditions may permit or block access based on attributes such as network location, time of day, etc.
- The attributes mapping defines how the database attributes in each user identity provider directory will be mapped to AppGate XDP claim names. This mapping defines which user-claims will be available to include in filter and condition expressions. (In addition to being used to authenticate the user at login, the database attributes in your identity provider directory are used to populate user-claims. Filters and conditions use these user-claims to control the allocation and authorization of entitlements. By creating different filter expressions that use different user-claims, administrators can be very precise about how entitlements are allocated to prevent over-provision.)