Software Defined Perimeter (SDP) architectures are being adopted by a growing number of organizations to strengthen their security posture. SDP is one of the most effective building blocks of a Zero Trust network architecture, and LinkGuard is designed to make SDP deployments succeed and stay secure.
LinkGuard is a complementary element of SDP implementations, and in most cases a highly synergistic one: it extends SDP protection to devices that cannot participate in the SDP directly because they are unreachable by, or unable to talk to, the SDP controller. To see how this works, consider the characteristics that define a Software Defined Perimeter:
- SDP, sometimes referred to as a “black cloud”, hides or cloaks the protected network from external discovery. This cloaking has been a fundamental characteristic of LinkGuard since 1997.
- SDP mandates a strict separation of the data plane (the protected traffic) from the control plane (authentication, authorization and policy distribution). This separation is mandatory in every LinkGuard implementation.
- SDP defines several connection models: client-to-server, client-to-gateway, server-to-server, and mixes of these. An SDP gateway proxies access to the servers on its inside network interface, and access to each server is granted only on the basis of client identity and need to know. The model assumes each client runs software that can satisfy the SDP policy, which is a problem for legacy or resource-constrained OT devices that lack the computational and storage resources for TLS and the authentication methods SDP requires. LinkGuard supplies client-side appliances that, like a gateway, provide proxy services on behalf of such clients, so legacy OT devices can be placed inside the perimeter without modification.
LinkGuard is a network overlay solution designed to hide the existence of the networks it protects. It operates at the data link layer (“layer 2”): it carries Ethernet frames between its endpoints so that nodes on either side of a wide area network behave as if they were on the same local area network segment, and it does not attempt to impose higher-layer access control policies. This kind of solution has proven especially valuable for industrial organizations with large populations of IoT devices and network components.
A LinkGuard deployment can therefore include some or all of a customer’s SDP resources. LinkGuard’s client-side gateways let the SDP be extended economically to network components that cannot be modified to support the SDP directly. Because LinkGuard is protocol agnostic, it neither filters nor examines the data plane contents of the protected network and is operationally transparent to the components it protects. In many deployments LinkGuard delivers the network data stream to a conventional SDP server gateway, which then applies the appropriate policies based on the higher-layer protocol contents. The division of labour matters: the overlay authenticates and isolates the link and the appliance at each end, not the individual OT device behind it, so authorization of specific devices, servers and protocols still rests with the SDP gateway policy.
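The following is an added illustration of the layering described in the list item on connection models and in the paragraph above; it is example code written for this page, not LinkGuard’s or any SDP product’s implementation. A hypothetical `OverlayLink` forwards Ethernet frames as opaque bytes, tagged only with the identity of the appliance it authenticated, and a hypothetical `SdpGateway` parses just enough of each delivered frame (Ethernet II, IPv4, TCP/UDP headers) to apply a default-deny, per-identity need-to-know table. The policy entries, addresses and frames are constructed for the example (Modbus/TCP on port 502 stands in for an OT protocol); checksums in the constructed frames are left at zero because the gateway model does not verify them.

```python
"""Added example: protocol-agnostic L2 overlay vs. identity-based SDP gateway policy."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


@dataclass(frozen=True)
class FlowKey:
    """The higher-layer facts the gateway needs for a policy decision."""
    src_ip: str
    dst_ip: str
    proto: int
    dst_port: Optional[int]


def parse_frame(frame: bytes) -> Optional[FlowKey]:
    """Parse Ethernet II / IPv4 / TCP|UDP headers just far enough to build a FlowKey.
    Returns None for anything it cannot classify, which the gateway treats as deny."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None
    proto = ip[9]
    src_ip = str(ipaddress.IPv4Address(ip[12:16]))
    dst_ip = str(ipaddress.IPv4Address(ip[16:20]))
    dst_port = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        l4 = ip[ihl:]
        if len(l4) < 4:
            return None
        dst_port = struct.unpack_from("!HH", l4, 0)[1]
    return FlowKey(src_ip, dst_ip, proto, dst_port)


class OverlayLink:
    """Hypothetical layer-2 overlay endpoint. It has authenticated its peer
    appliance (peer_identity) and forwards frames unchanged; it never looks
    at IPs, ports or protocols."""

    def __init__(self, peer_identity: str) -> None:
        self.peer_identity = peer_identity
        self.frames_forwarded = 0

    def deliver(self, frame: bytes) -> Tuple[str, bytes]:
        self.frames_forwarded += 1
        return self.peer_identity, frame  # opaque payload, tagged with who sent it


Rule = Tuple[str, int, Optional[int]]  # (server_ip, ip_proto, dst_port or None = any)


class SdpGateway:
    """Hypothetical SDP server gateway: default deny, per-identity need-to-know table."""

    def __init__(self, policy: Dict[str, FrozenSet[Rule]]) -> None:
        self.policy = policy
        self.log: List[Tuple[str, str, object]] = []

    def admit(self, identity: str, frame: bytes) -> bool:
        key = parse_frame(frame)
        if key is None:
            self.log.append((identity, "drop", "unclassifiable frame"))
            return False
        for server_ip, proto, port in self.policy.get(identity, frozenset()):
            if key.dst_ip == server_ip and key.proto == proto and port in (None, key.dst_port):
                self.log.append((identity, "allow", key))
                return True
        self.log.append((identity, "drop", key))  # authenticated peer, but no need to know
        return False


def build_tcp_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Constructed sample frame: Ethernet II + IPv4 + TCP SYN, checksums left at zero."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def run_demo() -> Dict[str, bool]:
    """One appliance identity is allowed Modbus/TCP to one PLC and nothing else."""
    policy = {"hmi-site-a": frozenset({("10.0.0.5", IPPROTO_TCP, 502)})}
    link, gw = OverlayLink("hmi-site-a"), SdpGateway(policy)
    results = {}
    for name, frame in {
        "modbus_to_plc": build_tcp_frame("10.0.0.50", "10.0.0.5", 40000, 502),
        "ssh_to_plc": build_tcp_frame("10.0.0.50", "10.0.0.5", 40001, 22),
        "modbus_to_other": build_tcp_frame("10.0.0.50", "10.0.0.9", 40002, 502),
    }.items():
        identity, raw = link.deliver(frame)  # the overlay forwards all three untouched
        results[name] = gw.admit(identity, raw)
    results["unknown_peer"] = gw.admit("rogue", build_tcp_frame("10.0.0.50", "10.0.0.5", 40003, 502))
    results["runt_frame"] = gw.admit("hmi-site-a", b"\x00" * 10)
    return results


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DROP'}")
```

The point the run makes is that the overlay forwards all three frames identically, because that is all a layer-2 link does, while the gateway admits only the one flow that matches the identity’s need-to-know entry; the same authenticated identity reaching a different port or a different server is dropped, as are frames from an unknown peer and frames the gateway cannot classify.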
The image above shows how LinkGuard extends the SDP to one or more network devices. The devices may be local or remote, one or many, or any combination, and the protected OT equipment needs no modification or configuration changes. As the graphic shows, both the protected equipment and the SDP gateway see a single Ethernet network. The LinkGuard component can also add protection by carrying the SDP over geographically diverse and heterogeneous wide area networks.
Including LinkGuard in your security infrastructure has proven advantageous for SDP deployment and lifetime management because the SDP policy is shielded from the untrusted external networks the traffic crosses. LinkGuard keeps the interior and exterior address spaces completely separate, so the SDP gateway policy can focus solely on the interior OT network.
Have questions about how LinkGuard can benefit your Software Defined Perimeter? Contact us here.