The Target of Evaluation (TOE) is AppGate SDP v4.3 from Cyxtera. AppGate SDP enables network administrators to establish a Software Defined Perimeter (SDP) to control access by network-based users to network resources in physical, cloud-based and hybrid environments.
AppGate SDP implements an information flow control policy that mediates network traffic between users and network resources, based on Claims (key-value pairs that relate to the identity and context of the user and the user’s device) and Entitlements (the rules for controlling access to network resources).
AppGate SDP Gateways are deployed in front of networked resource infrastructure. An AppGate SDP Controller defines access rights for users and devices (collectively, the Clients). An AppGate SDP Client establishes a secure TLS tunnel to the Controller, which authenticates the user. The Controller verifies user claims and issues Entitlement tokens to the user. The Client submits the Entitlement tokens to the Gateways, which control the user’s subsequent access to network resources based on the granted Entitlements.
All users are identified and authenticated by the Controller prior to being granted a Claims token. AppGate SDP provides a local password-based authentication mechanism and can be configured to support remote authentication of client users and administrators using LDAP, RADIUS and SAML.
AppGate SDP generates audit records of security relevant events and can be configured to export generated audit records over a TLS channel to an external syslog server for audit storage and review.
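The flow described above (Claims verified by the Controller, an Entitlement token issued to the Client, the Gateway mediating each access and recording the decision as an audit record) can be modelled in a few dozen lines. The following is an added illustration, not AppGate SDP or Cyxtera code: the token layout, the HMAC-SHA256 signature with a key shared by Controller and Gateway, the rule syntax (a Claim key must equal a required value) and the audit-record layout are all assumptions made for the example, and the resource addresses and users are constructed sample data. It shows the property the description relies on: a Gateway verifies the token before trusting anything in it, grants only what the Controller actually issued, and audits both allowed and denied attempts.

```python
"""Illustrative model of a claims/entitlements information flow control policy.
Added example with assumed formats; not the product's own code."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Entitlement:
    """Rule granting one resource when every condition matches the Claims (assumed syntax)."""
    name: str
    resource: str               # constructed "host:port" string
    conditions: Dict[str, str]  # claim key -> required value


@dataclass
class Controller:
    key: bytes                  # assumed Controller/Gateway shared HMAC key
    entitlements: List[Entitlement]

    def issue_token(self, claims: Dict[str, str], now: Optional[float] = None,
                    ttl: int = 300) -> str:
        """Verify the Claims against every Entitlement; sign a token listing only those satisfied."""
        now = time.time() if now is None else now
        granted = [e.name for e in self.entitlements
                   if all(claims.get(k) == v for k, v in e.conditions.items())]
        payload = {"sub": claims["user"],          # "user" claim is required here
                   "entitlements": granted, "exp": int(now) + ttl}
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        mac = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + mac


@dataclass
class Gateway:
    key: bytes
    entitlements: Dict[str, Entitlement]    # rule set provisioned from the Controller
    audit: List[dict] = field(default_factory=list)

    def verify_token(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the payload only if the signature and expiry check out; parse nothing before that."""
        now = time.time() if now is None else now
        try:
            b64, mac = token.split(".")
            body = base64.urlsafe_b64decode(b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):  # constant-time comparison
            return None
        payload = json.loads(body)
        if payload.get("exp", 0) < now:
            return None
        return payload

    def authorize(self, token: str, resource: str, now: Optional[float] = None) -> bool:
        """Mediate one connection attempt and audit the decision either way."""
        payload = self.verify_token(token, now)
        if payload is None:
            self._audit("deny", "unknown", resource, "invalid or expired token", now)
            return False
        for name in payload["entitlements"]:
            ent = self.entitlements.get(name)
            if ent is not None and ent.resource == resource:
                self._audit("allow", payload["sub"], resource, name, now)
                return True
        self._audit("deny", payload["sub"], resource, "no matching entitlement", now)
        return False

    def _audit(self, decision: str, user: str, resource: str, reason: str,
               now: Optional[float]) -> None:
        self.audit.append({"ts": time.time() if now is None else now, "decision": decision,
                           "user": user, "resource": resource, "reason": reason})


def to_syslog(record: dict) -> str:
    """Render an audit record as one syslog-style line (assumed layout); export transport is out of scope."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(record["ts"]))
    return (f'{ts} gateway sdp-audit: decision={record["decision"]} user={record["user"]} '
            f'resource={record["resource"]} reason="{record["reason"]}"')


def demo() -> Tuple[Dict[str, bool], List[str]]:
    """Constructed scenario: two users, two rules, one Gateway; returns decisions and audit lines."""
    key = b"constructed-shared-key"
    rules = [
        Entitlement("finance-db", "10.0.5.10:5432", {"group": "finance", "device_trusted": "true"}),
        Entitlement("intranet-wiki", "10.0.8.20:443", {"device_trusted": "true"}),
    ]
    controller = Controller(key, rules)
    gateway = Gateway(key, {r.name: r for r in rules})
    t0 = 1_700_000_000.0
    alice = controller.issue_token({"user": "alice", "group": "finance", "device_trusted": "true"}, now=t0)
    bob = controller.issue_token({"user": "bob", "group": "engineering", "device_trusted": "true"}, now=t0)
    tampered = alice[:-1] + ("0" if alice[-1] != "0" else "1")   # one hex digit of the MAC flipped
    results = {
        "alice_db": gateway.authorize(alice, "10.0.5.10:5432", now=t0 + 10),
        "bob_db": gateway.authorize(bob, "10.0.5.10:5432", now=t0 + 10),
        "bob_wiki": gateway.authorize(bob, "10.0.8.20:443", now=t0 + 10),
        "alice_expired": gateway.authorize(alice, "10.0.5.10:5432", now=t0 + 3600),
        "tampered": gateway.authorize(tampered, "10.0.5.10:5432", now=t0 + 10),
    }
    return results, [to_syslog(r) for r in gateway.audit]


if __name__ == "__main__":
    decisions, lines = demo()
    print(decisions)
    print("\n".join(lines))
```

Two design points carry over to any real deployment of this pattern: the Gateway checks the signature and expiry before it parses or acts on the token body, so a modified or stale token never reaches the policy logic, and denied attempts are audited with the same detail as allowed ones, which is what makes the exported audit stream useful for review.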
Communications between Controllers, Gateways and Clients are protected using TLS v1.2.