From the course: CompTIA SecurityX (CAS-005) Cert Prep

Zero trust PDPs and PEPs

- Okay, in this lesson, we're not going to dig deeply into Zero Trust, because we're going to talk about that in an upcoming entire module. But we do need to define, as part of this particular area of the exam, PDPs, which are policy decision points, and PEPs, policy enforcement points. Now realize this can transcend or be completely separate from a Zero Trust initiative. We can have policy decision points, let's say, in a Kerberos environment where you have the authentication server and a ticket-granting server. So we can have these types of components and they're much broader than Zero Trust, but on the exam, that's the context here.

So the one thing about the policy decision point, and this is not unlike other things, it has two parts to it. It can be deployed separately. So the PDP will have an underlying engine. So I'll just put ENG, and that could be like a Cisco Identity Services Engine. And then you have on top of that the policy server, right? And the policies are usually written in like JSON, or YAML, or XML, some type of semi-structured, not always, but you know, they could be written in Python, you know, things like that. But that's what the policies are written in. So we have a policy server, then we have the underlying engine. And so this is the policy decision point.

Okay, so what are some common policy decision points? Well, a controller running at a cloud provider or a vendor, and the controller is basically just a special type of software, controller software that runs on a Cisco, you know, a stack of Cisco servers, HP Enterprise, Dell servers, whatever. It could be controllers, they can be Cisco Identity Services Engine stacks running in the enterprise. They could be running at a vendor, they could be running in your own data center, they could be running in the cloud. They're the ones that make the decisions. And the interesting thing is your subject over here, and the subject in this model isn't always just a person, okay? A subject can be a user, an end user with an endpoint. It could be somebody that's remote, and this is a software-defined perimeter situation, or they're using a new VPN solution, which would still work as long as they're not using TCP. It may be what is called an NPE, a non-person entity. So a robotic system, some other type of programmable logic controller, some other type of Siemens type of system. So the subject is just anything that needs to be authenticated and authorized on the control plane, right? So this has to happen first.

So the PDP has to authenticate and authorize, and usually against some backend RADIUS or Diameter server, or Active Directory, or some type of directory service, some type of identity provider, maybe Cisco Identity Services Engine. Now, this is a strict control plane activity. And you know, if this is a subject using software-defined perimeter, they're going to use single packet authentication, and they're going to use mutual TLS against the PDP, which is the controller, okay? So they both have a certificate, X.509 v3. So server side and client side certification. Once they're authenticated and authorized, and possibly if that's a cloud PDP, they'll do like an OCSP lookup, you know, to make sure that the certificate's still good. Once that's done and they're authenticated and authorized, then and only then can they connect on the data plane to the PEP, which is the policy enforcement point, okay?

Policy enforcement point, what's that going to be? An edge router or router. It could be, let's say, a Cisco aggregate services router. Now, these are always going to be highly available. That goes without saying, right? These are resilient solutions. But this could be a router, you know, an edge router, it could be like a security appliance, like Adaptive Security Appliance from Cisco. It could be like, Google would use what's called like a proxy, like an authentication proxy, an auth proxy engine. So a wide variety of things that are accepting on the data plane once they've been authenticated and authorized.

So kind of before all this happens, this relationship right here, this trust relationship really has to be established. And there's communication because the policies can change, right? On a regular basis, you can have new policies for new devices, new attributes, and new characteristics. Whenever there's a change in policy, that has to be communicated with the PEP. And so the PEP will then allow it back to the resource. And we're going to call this, you know, the implicit trust zone, okay? The implicit trust zone, which could be a server farm, a data center, it could even be virtual servers that are running with virtual instances and even micro-segmentation going on. That could be part of the equation. So if you have virtual servers with workloads, you know, they could be micro-segmented where each one has its own web application firewall or web security gateway as you're accessing these workloads or these instances. In that case, these become a policy enforcement point for people that are accessing the hypervisors and these containers, or these instances running in your hypervisor.

So you can have application PEPs, which is what these are in a micro-segmentation, or you can have what we would call network or physical PEPs, which is what those are. So this lesson really is not diving into Zero Trust, but just understand the difference between the policy decision point and the policy enforcement point. And it can be network, physical, but it can also be applied to micro-segmentation with instances and containers and hypervisors.
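The control-plane-first flow the lesson walks through (subject authenticates to the PDP, PDP checks the directory and revocation, evaluates a JSON policy and issues a decision, then the PEP admits data-plane traffic only on a valid decision and only for the policy version it last received) as a toy model. This is an added example, not code from the course or any vendor product; the directory entries, certificate serials, revoked serial, policy and shared key are all constructed stand-ins, and an HMAC-protected JSON token stands in for whatever a real PDP/PEP pair would use to carry the decision.

```python
import hmac, hashlib, json, time

# Constructed stand-ins for the backend directory/IdP and the OCSP responder
# the PDP consults; none of these are real identities or certificates.
DIRECTORY = {"alice": {"cert": "serial-01", "role": "finance"},
             "bob":   {"cert": "serial-09", "role": "finance"},
             "plc-7": {"cert": "serial-07", "role": "npe"}}   # a non-person entity
REVOKED = {"serial-09"}
POLICY_V1 = json.loads('{"version": 1, "rules": ['            # JSON policy, as in the lesson
                       '{"role": "finance", "resources": ["payroll-db"]}, '
                       '{"role": "npe", "resources": ["scada-historian"]}]}')

class PDP:  # policy server + engine: control-plane authN/authZ, issues decisions
    def __init__(self, policy, key):
        self.policy, self.key, self.peps = policy, key, []
    def authenticate(self, subject, cert_serial):   # mTLS identity + revocation
        entry = DIRECTORY.get(subject)
        return (entry is not None and entry["cert"] == cert_serial
                and cert_serial not in REVOKED)
    def decide(self, subject, cert_serial, resource, ttl=300):
        if not self.authenticate(subject, cert_serial):
            return None                              # never reaches the engine
        role = DIRECTORY[subject]["role"]
        if not any(r["role"] == role and resource in r["resources"]
                   for r in self.policy["rules"]):
            return None                              # authenticated but denied
        claims = {"sub": subject, "res": resource, "pol": self.policy["version"],
                  "exp": int(time.time()) + ttl}
        msg = json.dumps(claims, sort_keys=True)     # short-lived decision token
        mac = hmac.new(self.key, msg.encode(), hashlib.sha256).hexdigest()
        return {"msg": msg, "mac": mac}
    def update_policy(self, policy):                 # policy change pushed to PEPs
        self.policy = policy
        for pep in self.peps:
            pep.policy_version = policy["version"]

class PEP:  # data-plane gate (edge router, auth proxy, per-workload WAF)
    def __init__(self, pdp):
        self.key, self.policy_version = pdp.key, pdp.policy["version"]
        pdp.peps.append(self)
    def admit(self, token, subject, resource):
        if token is None:                            # no control-plane decision
            return False
        want = hmac.new(self.key, token["msg"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, token["mac"]):
            return False
        c = json.loads(token["msg"])
        return (c["sub"] == subject and c["res"] == resource
                and c["pol"] == self.policy_version and c["exp"] > time.time())
```

The point to notice is the ordering: a subject that skips the PDP and goes straight to the PEP has no token and is dropped, and a token issued under an older policy stops working the moment the PDP pushes a new version.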