AppGate Technical Architecture Overview
This week we launched the latest version of AppGate, our market-leading implementation of the Software-Defined Perimeter architecture. AppGate offers:
- Individualized perimeter for each user
- Fine-grained authorization for on-premises and cloud
- Dynamic adjustment to new cloud server instances
- Consistent access policies across heterogeneous environments
- Contextual awareness that drives access and authentication
How does AppGate do all that?
AppGate offers a distributed architecture with three main functions:
- Controller – handles authentication and token-issuing service
- Gateway – handles distributed, dynamic access control
- LogServer – provides secure logging services
This architecture ensures that servers only accept incoming connections from the Gateway.
AppGate Policy Model
Policies assign entitlements to a user, a group of users, or administrators. A policy contains a list of entitlements and the filters that define who those entitlements should be assigned to.
The list of entitlements within a policy is used by the Controller to create the entitlement token(s) for each user.
The policy defines all the entitlements available to a user during the session. The conditions within each entitlement are then used by the Gateway to decide whether the entitlement is permitted for that specific session.
The Controller applies the filters within a policy to decide which policies apply upon authentication. If no filters have been included in the policy, then it won’t be assigned to any users. If a user’s claims don’t match any filters, then no policies will be allocated and the user will not receive any entitlements.
An entitlement provides the definition of the protected resource in AppGate.
An entitlement can allow, block or alert; it is subject to filters and conditions, and it defines the exact network resources users may access. Network access types include:
- IP access, reverse IP access, or ICMP access
- Target hostnames, IP addresses, subnets, AWS security groups & tags
Examples of a user entitlement:
- TCP access to port 443 on host 10.1.0.4
- TCP access to port 22 on subnet 10.1.0.0/24
- TCP access to port 3389 on all AWS resources with Security Group Dev_Team4
- ICMP access to host QA_Server_11
This screenshot shows how to create an entitlement within AppGate. Here we show that the Client is entitled to TCP access to port 443 on host 10.1.0.4.
Filters determine which users are allowed access. Entitlements are filtered at authentication time and conditions are evaluated at the time of access. As demonstrated in the screenshot, AppGate enables you to determine access at a very granular level through the definition of these criteria. Policies are:
- Filtered at authentication time
- Evaluated by the Controller upon user device authentication (and renewal)
- Used to determine the set of entitlements (targets, ports, and protocols)
Conditions determine how and when users can access resources. Conditions are evaluated at the time of access and may prompt for a password or OTP, or require the user to give an explanation. Conditions may also permit or block access based on attributes such as network location, time of day, etc.
Attributes include user, device and contextual information. Attribute mapping defines how attributes in each user identity provider directory are mapped to AppGate claim names. This mapping determines which user claims are available for use in filter and condition expressions.
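The two-stage evaluation described above, as an added illustration (not AppGate code): the Controller applies filters to the user's claims at authentication time and builds the entitlement token, while the Gateway evaluates each matching entitlement's conditions at access time. Class and function names, the rule that any one matching filter assigns a policy, and the precedence of "block" over "allow" are assumptions of this example, not statements from the post.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Entitlement:                 # assumed names for the concepts in the post
    action: str                    # "allow", "block" or "alert"
    proto: str                     # "tcp", "udp" or "icmp"
    target: str                    # host IP or CIDR subnet
    port: int = 0                  # 0 = no port (e.g. ICMP)
    conditions: list = field(default_factory=list)  # predicates over access context

@dataclass
class Policy:
    name: str
    filters: list                  # predicates over user claims
    entitlements: list

def controller_authenticate(policies, claims):
    """Controller stage (authentication): filters select policies; their entitlements form the token."""
    token = []
    for p in policies:
        # no filters -> never assigned; 'any' filter matching is an assumption
        if p.filters and any(f(claims) for f in p.filters):
            token.extend(p.entitlements)
    return token                   # empty token when no filter matched

def _covers(e, proto, target, port):
    if e.proto != proto or (e.port and e.port != port):
        return False
    return ipaddress.ip_address(target) in ipaddress.ip_network(e.target, strict=False)

def gateway_authorize(token, proto, target, port, context):
    """Gateway stage (access time): only entitlements in the token count, and each
    one's conditions are checked against the current context. Explicit 'block' wins (assumed)."""
    decision = "block"             # nothing entitled: connection never reaches the server
    for e in token:
        if _covers(e, proto, target, port) and all(c(context) for c in e.conditions):
            if e.action == "block":
                return "block"
            decision = e.action
    return decision

office_hours = lambda ctx: 8 <= ctx["hour"] < 18   # constructed time-of-day condition
POLICIES = [                                        # constructed sample policies
    Policy("dev", [lambda c: c.get("group") == "Dev_Team4"], [
        Entitlement("allow", "tcp", "10.1.0.4", 443),
        Entitlement("allow", "tcp", "10.1.0.0/24", 22, [office_hours]),
    ]),
    Policy("orphan", [], [Entitlement("allow", "tcp", "10.1.0.4", 22)]),  # no filters
]
```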
AppGate offers an identity-centric network security solution. To learn more about the AppGate architecture, get the paper on Securing User Access to Enterprise Systems in Private or Public Clouds.