mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-05 15:29:01 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
@@ -0,0 +1,156 @@
# Deploying Software-Defined Perimeter

---
domain: cybersecurity
subdomain: zero-trust-architecture
author: mahipal
tags: [zero-trust, sdp, software-defined-perimeter, network-access, ztna]
difficulty: advanced
estimated_time: 4-6 hours
prerequisites:
- Understanding of zero trust principles (NIST SP 800-207)
- Knowledge of CSA Software-Defined Perimeter specification
- Familiarity with PKI and mutual TLS authentication
- Experience with network security architecture
---

## Overview

A Software-Defined Perimeter (SDP) implements zero trust by creating a dynamically provisioned, identity-centric perimeter around individual resources. Defined by the Cloud Security Alliance (CSA), SDP makes application infrastructure invisible to unauthorized users through a "dark cloud" approach where services are hidden until authenticated and authorized. Unlike traditional VPN, SDP establishes one-to-one encrypted connections between verified users and specific applications.

This skill covers deploying SDP using the CSA v2.0 specification, implementing Single Packet Authorization (SPA), configuring the SDP controller and gateway, and validating the deployment against NIST SP 800-207 requirements.

## Architecture

### SDP Components (CSA Specification)

```
┌─────────────────────┐
│ SDP Controller │
│ - Authentication │
│ - Authorization │
│ - Policy management │
│ - Key management │
└──────────┬──────────┘
│
┌──────┴──────┐
│ │
v v
┌────────┐ ┌────────────┐
│ IH │ │ AH │
│(Client)│ │(Gateway) │
│ │ │ │
│ SPA │──│ Protected │
│ mTLS │ │ Resources │
└────────┘ └────────────┘

IH = Initiating Host (User Device)
AH = Accepting Host (Application Gateway)
SPA = Single Packet Authorization
```

### SDP Deployment Models
1. **Client-to-Gateway**: User device connects through SDP gateway to backend applications
2. **Client-to-Server**: Direct connection between user and application server
3. **Server-to-Server**: Workload-to-workload communication through SDP
4. **Gateway-to-Gateway**: Site-to-site connectivity replacing traditional VPN tunnels

## Key Concepts

### Single Packet Authorization (SPA)
SPA is a network security mechanism where the SDP gateway drops all TCP/UDP packets by default. A cryptographically signed single packet must be sent before any connection is established. The gateway validates the SPA packet, and only then opens a temporary port for the authenticated session. This makes the gateway invisible to port scanners.

### Mutual TLS (mTLS)
After SPA validation, both the client and server authenticate each other using X.509 certificates. This bidirectional authentication prevents man-in-the-middle attacks and ensures both endpoints are verified.

### Dynamic Provisioning
SDP connections are provisioned on-demand based on real-time policy evaluation. No persistent network tunnels exist; each session is individually authorized and encrypted.

## Procedure

### Phase 1: SDP Controller Deployment

1. **Deploy SDP Controller**
- Install SDP controller on hardened, redundant infrastructure
- Configure PKI integration for certificate issuance
- Set up authentication backend (LDAP, SAML, OIDC)
- Configure policy database with application definitions
- Enable audit logging for all controller decisions

2. **Configure Authentication**
- Integrate with enterprise IdP via SAML 2.0 or OIDC
- Configure device certificate enrollment (SCEP/EST)
- Enable multi-factor authentication requirements
- Set up certificate revocation checking (OCSP/CRL)

3. **Define Access Policies**
- Map users/groups to authorized applications
- Define device posture requirements per application
- Configure contextual conditions (location, time, risk level)
- Set session duration and re-authentication intervals

### Phase 2: SDP Gateway Deployment

4. **Deploy Accepting Hosts (Gateways)**
- Install SDP gateway instances in front of protected applications
- Configure default-drop firewall rules (deny all inbound)
- Enable SPA listener on designated ports
- Configure mTLS with controller-issued certificates
- Set up health monitoring and failover

5. **Configure Application Definitions**
- Register each protected application with the controller
- Define backend server IPs, ports, and protocols
- Configure load balancing for multi-instance applications
- Set up application health checks

### Phase 3: Client Deployment

6. **Deploy Initiating Hosts (Clients)**
- Install SDP client software on user endpoints
- Enroll device certificates through automated provisioning
- Configure SPA key material distribution
- Test authentication flow: SPA → mTLS → application access

7. **Validate End-to-End Flow**
- Verify SPA packets are accepted by gateway
- Confirm mTLS handshake succeeds with valid certificates
- Test application access through the SDP tunnel
- Verify unauthorized access is blocked (no SPA = invisible gateway)

### Phase 4: Operational Validation

8. **Security Testing**
- Port scan the SDP gateway to confirm invisibility (all ports show filtered/closed)
- Attempt connection without valid SPA (must fail silently)
- Test with revoked client certificate (must be denied)
- Attempt lateral movement from one authorized app to another unauthorized app
- Validate audit trail completeness

9. **Monitoring and Maintenance**
- Configure SIEM integration for SDP controller and gateway logs
- Set up alerting for failed SPA attempts and certificate errors
- Establish certificate rotation schedule
- Document incident response procedures for SDP events

## Validation Checklist

- [ ] SDP Controller deployed with HA and audit logging
- [ ] IdP integration tested with SAML/OIDC and MFA
- [ ] SDP Gateways deployed with default-drop firewall
- [ ] SPA mechanism validated (gateway invisible to port scans)
- [ ] mTLS established between clients and gateways
- [ ] Access policies enforce least-privilege per user/app
- [ ] Device certificate enrollment automated
- [ ] Unauthorized access attempts blocked silently
- [ ] Lateral movement between apps prevented
- [ ] Logs streaming to SIEM with alerting configured
- [ ] Certificate rotation and revocation procedures tested

## References

- CSA Software-Defined Perimeter Architecture Guide v3
- CSA SDP Specification v2.0
- NIST SP 800-207: Zero Trust Architecture
- CISA Zero Trust Maturity Model v2.0
- fwknop: Single Packet Authorization implementation
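Review bot: the pass condition in step 8, "Port scan the SDP gateway to confirm invisibility (all ports show filtered/closed)", and the matching checklist item accept a gateway that is not dark. A port reported closed means the host answered the probe with a TCP RST (or an ICMP unreachable for UDP), which confirms a live host to the scanner; with the default-drop rules from step 4 every probe should simply time out, so the criterion should be "all ports filtered, no RST or ICMP replies". The scan should also include UDP and the SPA port itself, since the SPA listener must not answer probes either (fwknopd reads SPA packets via libpcap rather than a bound UDP socket for exactly this reason). The same test is missing for the controller: the CSA specification puts the controller behind SPA as well, but Phase 1 never applies default-drop or SPA to it, so step 8 and the checklist should also cover "controller invisible to unauthenticated scans".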
@@ -0,0 +1,58 @@
# SDP Deployment Plan Template

## Project Information

| Field | Value |
|---|---|
| Project Name | |
| SDP Solution | [Appgate SDP / Zscaler / Open-source / Other] |
| Project Lead | |
| Start Date | |

## Application Inventory

| Application | FQDN/IP | Port | Protocol | Criticality | Gateway Assignment |
|---|---|---|---|---|---|
| | | | | | |

## SDP Controller Configuration

| Parameter | Value |
|---|---|
| HA Mode | [Active-Active / Active-Passive] |
| IdP Integration | [SAML / OIDC] |
| IdP Provider | [Azure AD / Okta / Ping] |
| PKI Backend | [Internal CA / HashiCorp Vault / EJBCA] |
| Client Cert Lifetime | [24h / 48h / 72h] |
| Audit Log Destination | [SIEM / Syslog / Cloud storage] |

## Gateway Deployment

| Gateway Name | Location | Protected Apps | SPA Enabled | mTLS Enabled | Default-Drop |
|---|---|---|---|---|---|
| | | | Yes | Yes | Yes |

## Access Policy Matrix

| User Group | Application | Conditions | Action |
|---|---|---|---|
| | | Device posture + MFA | Allow |
| Default | All | None | Deny |

## Security Validation

- [ ] Port scan confirms gateway invisibility
- [ ] SPA validation working correctly
- [ ] mTLS handshake succeeds with valid certs
- [ ] Invalid SPA packets dropped silently
- [ ] Revoked certificates denied access
- [ ] Lateral movement between apps blocked
- [ ] Logs captured in SIEM

## Sign-Off

| Stakeholder | Role | Approval | Date |
|---|---|---|---|
| | Security Architecture | | |
| | Network Engineering | | |
| | Application Owners | | |
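Review bot: the Security Validation list lacks the replay test that the SPA design elsewhere in this commit depends on (a captured SPA packet re-sent inside the timestamp window must be rejected), and it has no check that revocation actually takes effect within a bounded time, even though the template fixes a Client Cert Lifetime and the deployment procedure tests a revoked certificate. Suggested rows: "- [ ] Replayed SPA packet rejected and alerted" and "- [ ] Revocation latency measured and within policy". In the Gateway Deployment table the SPA Enabled, mTLS Enabled and Default-Drop cells are pre-filled with Yes, so a gateway that was deployed without those settings still looks compliant on paper; leave them blank so the deployer has to assert each one, and add a column for the SPA key rotation schedule, since that shared key is the secret the gateway's invisibility rests on.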
@@ -0,0 +1,73 @@
# Standards and Frameworks Reference

## CSA Software-Defined Perimeter Specification v2.0

### Core Architecture
- **SDP Controller**: Central policy and authentication authority
- **Initiating Host (IH)**: Client device requesting access
- **Accepting Host (AH)**: Gateway protecting backend resources
- **Single Packet Authorization (SPA)**: Pre-authentication mechanism making services invisible

### SDP Workflow
1. IH authenticates to SDP Controller
2. Controller validates identity, device posture, and policy
3. Controller instructs AH to accept connection from specific IH
4. IH sends SPA packet to AH
5. AH validates SPA and opens temporary port
6. mTLS tunnel established between IH and AH
7. Application traffic flows through encrypted tunnel

### Deployment Models
| Model | Use Case | Architecture |
|---|---|---|
| Client-to-Gateway | Remote user access | IH → AH Gateway → Backend servers |
| Client-to-Server | Direct application access | IH → AH (application server) |
| Server-to-Server | Workload communication | IH (server) → AH (server) |
| Gateway-to-Gateway | Site-to-site connectivity | AH₁ → Controller → AH₂ |

## NIST SP 800-207: SDP as Zero Trust Deployment

### SDP Mapping to NIST ZTA Components
| NIST Component | SDP Equivalent |
|---|---|
| Policy Engine (PE) | SDP Controller policy evaluation |
| Policy Administrator (PA) | SDP Controller session management |
| Policy Enforcement Point (PEP) | SDP Gateway (Accepting Host) |

### NIST ZTA Tenets Addressed by SDP
- All communication secured regardless of network location (mTLS tunnels)
- Per-session access grants (dynamic SDP connections)
- Dynamic policy evaluation (controller real-time decisions)
- Asset integrity monitoring (device posture checks)

## CISA Zero Trust Maturity Model v2.0

### Network Pillar - SDP Alignment
| Maturity | SDP Capability |
|---|---|
| Traditional | No SDP, perimeter-based VPN |
| Initial | SDP for remote access, basic SPA |
| Advanced | Full SDP with device posture, context-aware |
| Optimal | Dynamic SDP with continuous verification, ML-driven |

## Single Packet Authorization (SPA) Technical Details

### SPA Packet Structure
- Encrypted with shared key or asymmetric cryptography
- Contains: source IP, timestamp, HMAC, requested service
- Single UDP packet (no TCP handshake visible)
- Anti-replay protection via timestamp and sequence number

### fwknop Implementation
- Open-source SPA implementation
- Supports AES-256 and GnuPG encryption
- Integrates with iptables/nftables for firewall rule insertion
- Temporary rule created for authenticated session only

## mTLS Configuration Standards

### Certificate Requirements
- Minimum RSA 2048-bit or ECDSA P-256 keys
- Short-lived certificates (24-72 hours) preferred
- OCSP stapling for real-time revocation checking
- Certificate pinning for additional security
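Review bot: the Gateway-to-Gateway row of the Deployment Models table, "AH₁ → Controller → AH₂", puts the controller on the data path, which contradicts the SDP Workflow above it, where the controller only authenticates and authorizes (steps 1-3) and instructs the AH (step 4) while application traffic flows directly between IH and AH (steps 6-7). In that model one gateway takes the IH role and the other the AH role, so the row should read something like "Gateway (as IH) → Gateway (as AH)". Three more corrections for the SPA and mTLS sections: fwknop's replay defence is a random nonce in the packet plus a digest cache of previously seen packets, not a sequence number, so "timestamp and sequence number" should be reworded; "OCSP stapling for real-time revocation checking" does not apply to the client certificates a gateway has to check, because stapling only lets a server attach its own certificate's status to the handshake, so the gateway needs its own OCSP/CRL lookup or should rely on the short-lived certificates recommended two lines earlier; and "Certificate pinning" is incompatible with 24-72 hour certificate lifetimes unless it is the issuing CA, not the leaf, that is pinned, which the line should say.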
@@ -0,0 +1,119 @@
# SDP Deployment Workflows

## Workflow 1: SDP Connection Establishment

```
┌────────────┐ ┌──────────────┐ ┌────────────┐
│ IH (Client) │ │ SDP Controller│ │ AH (Gateway)│
└──────┬─────┘ └──────┬───────┘ └──────┬─────┘
│ │ │
│ 1. Authenticate │ │
│──────────────────>│ │
│ │ │
│ 2. Validate ID, │ │
│ device, policy │ │
│ │ │
│ 3. Auth response │ │
│<──────────────────│ │
│ (SPA key, AH IP) │ │
│ │ 4. Notify AH to │
│ │ expect IH │
│ │────────────────────>│
│ │ │
│ 5. Send SPA packet│ │
│─────────────────────────────────────────>│
│ │ │
│ │ 6. Validate SPA │
│ │ Open port │
│ │ │
│ 7. mTLS handshake │ │
│<════════════════════════════════════════>│
│ │ │
│ 8. Application │ │
│ traffic flows │ │
│<═══════════════════════════════════════=>│
```

## Workflow 2: SDP Deployment Lifecycle

```
Phase 1: Planning (Weeks 1-2)
├── Inventory protected applications
├── Map user-to-application access requirements
├── Design PKI infrastructure for mTLS
├── Select SDP solution (open-source or commercial)
└── Plan network architecture changes

Phase 2: Controller Setup (Weeks 3-4)
├── Deploy SDP controller with HA
├── Integrate with IdP (SAML/OIDC)
├── Configure PKI and certificate templates
├── Define application catalog and policies
└── Test controller authentication flow

Phase 3: Gateway Deployment (Weeks 5-6)
├── Deploy gateways in each app environment
├── Configure default-drop firewall rules
├── Enable SPA listeners
├── Register applications with controller
└── Verify gateway invisibility (port scan test)

Phase 4: Client Rollout (Weeks 7-10)
├── Package SDP client with certificates
├── Deploy to pilot user group
├── Validate end-to-end connectivity
├── Expand to all user groups
└── Decommission legacy VPN access

Phase 5: Operations (Ongoing)
├── Monitor SDP controller and gateway health
├── Rotate certificates on schedule
├── Review and update access policies
├── Conduct quarterly penetration tests
└── Update SDP components for security patches
```

## Workflow 3: SPA Validation

```
Incoming Packet to Gateway
│
v
┌─────────────────────┐
│ Is it a SPA packet? │
│ (Check magic bytes) │
└───┬──────────┬──────┘
│ │
YES NO
│ │
v v
┌──────────┐ ┌──────────┐
│ Decrypt │ │ DROP │
│ SPA data │ │ silently │
└────┬─────┘ └──────────┘
v
┌─────────────────────┐
│ Validate timestamp │
│ (within 60s window) │
└───┬──────────┬──────┘
VALID EXPIRED
│ │
v v
┌──────────┐ ┌──────────┐
│ Check │ │ DROP + │
│ HMAC │ │ Log │
└────┬─────┘ └──────────┘
v
┌─────────────────────┐
│ Verify replay │
│ (check sequence DB) │
└───┬──────────┬──────┘
NEW REPLAY
│ │
v v
┌──────────┐ ┌──────────┐
│ Open port │ │ DROP + │
│ for src IP│ │ Alert │
│ (30s TTL) │ └──────────┘
└──────────┘
```
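Review bot: Workflow 3 verifies the HMAC only after decrypting and after the timestamp check ("Decrypt SPA data" → "Validate timestamp" → "Check HMAC"), so the gateway decrypts and parses bytes from an unauthenticated sender before it knows a key holder produced them. For an encrypt-then-MAC packet the HMAC must be verified first, before decryption and before any field is read; fwknopd verifies the HMAC before decrypting for this reason. The boxes should be ordered HMAC → decrypt → timestamp → replay, and the "Check magic bytes" step should go, because a fixed marker makes SPA traffic fingerprintable on the wire (fwknop deliberately strips the recognisable encryption prefix from its payloads); the gateway simply attempts HMAC verification on whatever arrives on the SPA port and drops silently on failure. Workflow 1 has the same gap as the deployment procedure: step 1 authenticates the IH to the controller without a preceding SPA packet, which leaves the controller reachable by anyone, whereas the CSA workflow has the IH send SPA to the controller before the mTLS authentication, and the sequence diagram should show that exchange.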
@@ -0,0 +1,283 @@
#!/usr/bin/env python3
"""
Software-Defined Perimeter Deployment Validator

Validates SDP deployment readiness, tests SPA mechanisms,
verifies gateway invisibility, and generates deployment reports.
"""

import json
import socket
import hashlib
import hmac
import struct
import time
import ssl
import subprocess
import sys
from datetime import datetime
from pathlib import Path
from typing import Optional


def check_gateway_invisibility(host: str, port_range: tuple = (1, 1024), timeout: float = 0.5) -> dict:
"""Scan gateway ports to verify SDP invisibility (all ports should appear closed/filtered)."""
result = {
"host": host,
"scanned_range": f"{port_range[0]}-{port_range[1]}",
"open_ports": [],
"closed_ports": 0,
"filtered_ports": 0,
"invisible": True,
"timestamp": datetime.now().isoformat(),
}

for port in range(port_range[0], port_range[1] + 1):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(timeout)
conn_result = sock.connect_ex((host, port))
if conn_result == 0:
result["open_ports"].append(port)
result["invisible"] = False
else:
result["filtered_ports"] += 1
sock.close()
except socket.timeout:
result["filtered_ports"] += 1
except OSError:
result["closed_ports"] += 1

return result


def generate_spa_packet(
source_ip: str,
destination_service: str,
shared_key: str,
timestamp: Optional[float] = None
) -> bytes:
"""Generate a Single Packet Authorization payload (demonstration)."""
if timestamp is None:
timestamp = time.time()

payload = json.dumps({
"version": 2,
"source_ip": source_ip,
"service": destination_service,
"timestamp": timestamp,
"nonce": hashlib.sha256(f"{time.time()}{source_ip}".encode()).hexdigest()[:16],
}).encode()

mac = hmac.new(shared_key.encode(), payload, hashlib.sha256).digest()
packet = struct.pack("!I", len(payload)) + payload + mac

return packet


def validate_spa_packet(packet: bytes, shared_key: str, max_age_seconds: int = 60) -> dict:
"""Validate a received SPA packet."""
result = {"valid": False, "errors": [], "payload": None}

try:
payload_len = struct.unpack("!I", packet[:4])[0]
payload = packet[4:4 + payload_len]
received_mac = packet[4 + payload_len:]

expected_mac = hmac.new(shared_key.encode(), payload, hashlib.sha256).digest()
if not hmac.compare_digest(received_mac, expected_mac):
result["errors"].append("HMAC verification failed")
return result

data = json.loads(payload.decode())
result["payload"] = data

age = time.time() - data.get("timestamp", 0)
if age > max_age_seconds:
result["errors"].append(f"Packet expired ({age:.0f}s old, max {max_age_seconds}s)")
return result

if age < -5:
result["errors"].append("Packet timestamp is in the future")
return result

result["valid"] = True

except (struct.error, json.JSONDecodeError, KeyError) as e:
result["errors"].append(f"Packet parse error: {str(e)}")

return result


def validate_mtls_certificate(host: str, port: int, ca_cert_path: Optional[str] = None) -> dict:
"""Validate mTLS certificate configuration on SDP gateway."""
result = {
"host": host,
"port": port,
"tls_configured": False,
"certificate": None,
"errors": [],
}

try:
context = ssl.create_default_context()
if ca_cert_path:
context.load_verify_locations(ca_cert_path)

with socket.create_connection((host, port), timeout=10) as sock:
with context.wrap_socket(sock, server_hostname=host) as ssock:
cert = ssock.getpeercert()
result["tls_configured"] = True
result["certificate"] = {
"subject": dict(x[0] for x in cert.get("subject", [])),
"issuer": dict(x[0] for x in cert.get("issuer", [])),
"version": cert.get("version"),
"not_before": cert.get("notBefore"),
"not_after": cert.get("notAfter"),
"serial": cert.get("serialNumber"),
}

not_after = cert.get("notAfter", "")
if not_after:
expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z")
days_remaining = (expiry - datetime.utcnow()).days
result["certificate"]["days_remaining"] = days_remaining
if days_remaining < 30:
result["errors"].append(f"Certificate expires in {days_remaining} days")

except ssl.SSLError as e:
result["errors"].append(f"SSL error: {str(e)}")
except Exception as e:
result["errors"].append(f"Connection error: {str(e)}")

return result


def validate_sdp_config(config: dict) -> dict:
"""Validate SDP deployment configuration."""
findings = []
score = 100

controller = config.get("controller", {})
if not controller.get("ha_enabled"):
findings.append({"severity": "high", "finding": "Controller HA not enabled"})
score -= 15

if not controller.get("idp_integration"):
findings.append({"severity": "critical", "finding": "No IdP integration configured"})
score -= 25

if not controller.get("audit_logging"):
findings.append({"severity": "high", "finding": "Audit logging not enabled on controller"})
score -= 10

gateways = config.get("gateways", [])
if not gateways:
findings.append({"severity": "critical", "finding": "No SDP gateways deployed"})
score -= 25
for gw in gateways:
if not gw.get("default_drop"):
findings.append({"severity": "critical", "finding": f"Gateway {gw.get('name')}: default-drop not enabled"})
score -= 20
if not gw.get("spa_enabled"):
findings.append({"severity": "critical", "finding": f"Gateway {gw.get('name')}: SPA not enabled"})
score -= 15
if not gw.get("mtls_enabled"):
findings.append({"severity": "high", "finding": f"Gateway {gw.get('name')}: mTLS not configured"})
score -= 10

pki = config.get("pki", {})
cert_lifetime_hours = pki.get("client_cert_lifetime_hours", 8760)
if cert_lifetime_hours > 72:
findings.append({
"severity": "warning",
"finding": f"Client certificate lifetime is {cert_lifetime_hours}h (recommend <=72h for zero trust)"
})
score -= 5

if not pki.get("ocsp_enabled") and not pki.get("crl_enabled"):
findings.append({"severity": "high", "finding": "No certificate revocation checking enabled"})
score -= 10

monitoring = config.get("monitoring", {})
if not monitoring.get("siem_integration"):
findings.append({"severity": "warning", "finding": "No SIEM integration for SDP events"})
score -= 5

return {
"score": max(score, 0),
"findings": findings,
"status": "ready" if score >= 80 else "needs_work" if score >= 50 else "not_ready",
"timestamp": datetime.now().isoformat(),
}


def generate_sdp_deployment_report(config: dict) -> dict:
"""Generate comprehensive SDP deployment report."""
validation = validate_sdp_config(config)

applications = config.get("applications", [])
users = config.get("authorized_users", [])

return {
"generated": datetime.now().isoformat(),
"deployment_status": validation["status"],
"security_score": validation["score"],
"findings": validation["findings"],
"summary": {
"controller_ha": config.get("controller", {}).get("ha_enabled", False),
"gateways_deployed": len(config.get("gateways", [])),
"applications_protected": len(applications),
"authorized_users": len(users),
"spa_enabled": all(g.get("spa_enabled") for g in config.get("gateways", [])),
"mtls_enabled": all(g.get("mtls_enabled") for g in config.get("gateways", [])),
},
"recommendations": [f["finding"] for f in validation["findings"] if f["severity"] in ("critical", "high")],
}


def main():
import argparse
parser = argparse.ArgumentParser(description="SDP Deployment Validator")
parser.add_argument("--config", type=str, help="Path to SDP configuration JSON")
parser.add_argument("--scan", type=str, help="Gateway host to scan for invisibility")
parser.add_argument("--scan-ports", type=str, default="1-1024", help="Port range to scan")
parser.add_argument("--check-tls", type=str, help="Host:port to check TLS certificate")
parser.add_argument("--output", type=str, default="sdp_report.json")
args = parser.parse_args()

if args.config:
with open(args.config) as f:
config = json.load(f)
report = generate_sdp_deployment_report(config)
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
print(f"SDP Status: {report['deployment_status']} (Score: {report['security_score']})")
for r in report["recommendations"]:
print(f" - {r}")

elif args.scan:
start, end = args.scan_ports.split("-")
result = check_gateway_invisibility(args.scan, (int(start), int(end)))
with open(args.output, "w") as f:
json.dump(result, f, indent=2)
status = "INVISIBLE" if result["invisible"] else "EXPOSED"
print(f"Gateway {args.scan}: {status}")
if result["open_ports"]:
print(f" Open ports: {result['open_ports']}")

elif args.check_tls:
parts = args.check_tls.split(":")
host = parts[0]
port = int(parts[1]) if len(parts) > 1 else 443
result = validate_mtls_certificate(host, port)
with open(args.output, "w") as f:
json.dump(result, f, indent=2)
print(f"TLS on {host}:{port}: {'configured' if result['tls_configured'] else 'not configured'}")

else:
parser.print_help()


if __name__ == "__main__":
main()
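Review bot: check_gateway_invisibility cannot tell a closed gateway from a dark one. connect_ex returns errno values rather than raising, so a refused connection (ECONNREFUSED) falls into the `else:` branch and is counted as filtered, the `except OSError:` branch never increments closed_ports, and `invisible` stays True for a host that answers RST on all 1024 ports, which is exactly the exposure the deployment procedure's security-testing step is meant to catch. Compare the return value (`import errno`; `if conn_result == errno.ECONNREFUSED: result["closed_ports"] += 1`) and set invisible to False when closed_ports is non-zero; a UDP probe is also needed since the SPA listener is UDP. validate_mtls_certificate never presents a client certificate, so it only proves the gateway speaks TLS; to validate mTLS enforcement it should load a client identity with context.load_cert_chain and additionally confirm that a handshake without one is rejected. validate_spa_packet implements none of the replay check the SPA validation workflow requires: the nonce is derived from time.time() and the source IP rather than secrets.token_bytes, and nothing records nonces already seen, so a captured packet validates repeatedly inside the 60 s window. Minor: subprocess, sys and Path are imported but unused, and datetime.utcnow() is deprecated since Python 3.12; compare time.time() against ssl.cert_time_to_seconds(not_after) instead, which also avoids the strptime format string.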