Dissertation
Perímetro definido por software: aumentando os níveis de segurança na autenticação com Single Packet Authorization e Device Fingerprinting (Software-defined perimeter: raising authentication security levels with Single Packet Authorization and Device Fingerprinting)
Date
2018-12-14
Author
Lucion, Everson Luis Rosa
Institution
Abstract
The traditional firewall-based network perimeter model allows devices to communicate before they authenticate, which creates vulnerabilities that facilitate different kinds of attacks and intrusions. To mitigate this, the Cloud Security Alliance (CSA) proposed the Software Defined Perimeter (SDP), a new approach in which authentication takes place before the first communication occurs. In SDP, Single Packet Authorization (SPA) is critical to ensuring that first access happens only after the device has authenticated. Analysis of the SDP protocol identified security issues in the creation of the SPA that need to be improved or addressed. Some vulnerabilities also persist because of a weakness of the TCP/IP model: the identity of a device is bound to its IP address. This work recommends adaptations to the SDP architecture and defines a new pattern for creating and sending the SPA, designed as modules that are incorporated into the SDP architecture. It also proposes adding a device fingerprint field to the SPA structure and presents a method to construct and use the new field, in order to close the temporal gap between SPA authentication and the connection used for user authentication. The results demonstrate that the proposed solution counters improper access and considerably increases the difficulty of detecting, replicating or reading SPA data. The experiments show that the additional processing time of the new SPA and of fingerprint generation does not compromise the solution and is justified by the gains in protection.
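The abstract describes the idea of binding a device fingerprint into the SPA packet so that the connection that follows can be tied to the device that authenticated, rather than only to its IP address. The example below is an added illustration of that principle, not the dissertation's design or code: the packet layout (JSON body plus HMAC tag), the fingerprint attribute set, the pre-shared key, the 30-second freshness window and the single-use nonce cache are all assumptions made here. The SPA payload is authenticated but not encrypted, so it does not reproduce the thesis's claims about making SPA data harder to read; it shows only the gateway-side checks (authenticity, freshness, replay, and fingerprint match on the follow-up connection) a defender would want to see.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Set

# Constructed pre-shared key for one enrolled device (key management is an
# assumption; the page does not describe how the thesis distributes keys).
DEVICE_KEY = b"constructed-psk-for-device-01"
WINDOW_SECONDS = 30  # assumed freshness window for the SPA timestamp


def device_fingerprint(attrs: dict) -> str:
    """Hash of stable device attributes; the attribute set is an assumption."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def build_spa(client_id: str, fingerprint: str, key: bytes,
              now: Optional[float] = None) -> bytes:
    """Client side: one SPA packet = canonical JSON body + '.' + HMAC-SHA256 tag."""
    body = {
        "client_id": client_id,
        "ts": int(now if now is not None else time.time()),
        "nonce": os.urandom(16).hex(),  # fresh per packet, defeats replay
        "fp": fingerprint,             # the proposed device fingerprint field
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload + b"." + tag.encode()


class SpaGateway:
    """Gateway side: validate the SPA, then bind the follow-up connection to it."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys
        self.seen_nonces: Set[str] = set()
        # client_id -> fingerprint authorised by a valid SPA, consumed once
        self.pending: Dict[str, str] = {}

    def accept_spa(self, packet: bytes, now: Optional[float] = None) -> bool:
        now = now if now is not None else time.time()
        payload, _, tag = packet.rpartition(b".")
        try:
            body = json.loads(payload)
        except (ValueError, UnicodeDecodeError):
            return False  # malformed packet: drop silently
        if not isinstance(body, dict):
            return False
        key = self.keys.get(body.get("client_id"))
        if key is None:
            return False  # unknown device, no key to verify against
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False  # forged or corrupted packet
        ts, nonce, fp = body.get("ts"), body.get("nonce"), body.get("fp")
        if not (isinstance(ts, int) and isinstance(nonce, str) and isinstance(fp, str)):
            return False
        if abs(now - ts) > WINDOW_SECONDS:
            return False  # stale packet
        if nonce in self.seen_nonces:
            return False  # replayed packet
        self.seen_nonces.add(nonce)
        self.pending[body["client_id"]] = fp
        return True

    def accept_connection(self, client_id: str, presented_fingerprint: str) -> bool:
        """The connection after the SPA must present the same fingerprint,
        closing the gap between SPA authentication and user authentication."""
        expected = self.pending.pop(client_id, None)  # one connection per SPA
        return expected is not None and hmac.compare_digest(expected, presented_fingerprint)
```

A real deployment would also bound the nonce cache by expiring entries older than the freshness window, and would compute the fingerprint on the server from observable connection properties rather than trusting a value the client asserts.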