creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ccce7d4e068efecc2f98c385c8e5c01d969fc9bc
Anthropic-Cybersecurity-Skills/skills/deploying-software-defined-perimeter/references/standards.md
T

2.8 KiB
Raw Blame History

Standards and Frameworks Reference

CSA Software-Defined Perimeter Specification v2.0

Core Architecture

  • SDP Controller: Central policy and authentication authority
  • Initiating Host (IH): Client device requesting access
  • Accepting Host (AH): Gateway protecting backend resources
  • Single Packet Authorization (SPA): Pre-authentication mechanism making services invisible

SDP Workflow

  1. IH authenticates to SDP Controller
  2. Controller validates identity, device posture, and policy
  3. Controller instructs AH to accept connection from specific IH
  4. IH sends SPA packet to AH
  5. AH validates SPA and opens temporary port
  6. mTLS tunnel established between IH and AH
  7. Application traffic flows through encrypted tunnel

Deployment Models

Model Use Case Architecture
Client-to-Gateway Remote user access IH → AH Gateway → Backend servers
Client-to-Server Direct application access IH → AH (application server)
Server-to-Server Workload communication IH (server) → AH (server)
Gateway-to-Gateway Site-to-site connectivity AH₁ → Controller → AH₂

NIST SP 800-207: SDP as Zero Trust Deployment

SDP Mapping to NIST ZTA Components

NIST Component SDP Equivalent
Policy Engine (PE) SDP Controller policy evaluation
Policy Administrator (PA) SDP Controller session management
Policy Enforcement Point (PEP) SDP Gateway (Accepting Host)

NIST ZTA Tenets Addressed by SDP

  • All communication secured regardless of network location (mTLS tunnels)
  • Per-session access grants (dynamic SDP connections)
  • Dynamic policy evaluation (controller real-time decisions)
  • Asset integrity monitoring (device posture checks)

CISA Zero Trust Maturity Model v2.0

Network Pillar - SDP Alignment

Maturity SDP Capability
Traditional No SDP, perimeter-based VPN
Initial SDP for remote access, basic SPA
Advanced Full SDP with device posture, context-aware
Optimal Dynamic SDP with continuous verification, ML-driven

Single Packet Authorization (SPA) Technical Details

SPA Packet Structure

  • Encrypted with shared key or asymmetric cryptography
  • Contains: source IP, timestamp, HMAC, requested service
  • Single UDP packet (no TCP handshake visible)
  • Anti-replay protection via timestamp and sequence number

fwknop Implementation

  • Open-source SPA implementation
  • Supports AES-256 and GnuPG encryption
  • Integrates with iptables/nftables for firewall rule insertion
  • Temporary rule created for authenticated session only

mTLS Configuration Standards

Certificate Requirements

  • Minimum RSA 2048-bit or ECDSA P-256 keys
  • Short-lived certificates (24-72 hours) preferred
  • OCSP stapling for real-time revocation checking
  • Certificate pinning for additional security
Reference in New Issue View Git Blame Copy Permalink