[Zero Trust]Revealing the “Stealth” Black Technology in Zero Trust

Every IP address and port a network exposes is a point that can be attacked. The smaller the exposed surface, the safer the network.

Zero Trust includes several “stealth” technologies that achieve “zero exposure”, which can make an enterprise immune to cyber attacks.

Let me introduce three of them.

Stealth technology 1: SDP port hiding

SDP (Software Defined Perimeter) is one of the best technical frameworks for realizing the Zero Trust concept. SDP reduces the attack surface to a minimum; it can avoid exposing any port at all, achieving a “zero” attack surface.

Everyone knows that a website must map its port to the Internet before external users can access it.

SDP can do exactly that: let a website map its port only to legitimate users, not to illegitimate ones.

As shown in the figure below, only legitimate users can connect to the business system. Illegitimate users simply “cannot see” the protected business system and network: if an attacker tries to connect, he finds that there is no website at this IP address at all, while legitimate users keep using it normally.

The protected network is effectively invisible; attackers can neither see it nor touch it. None of the network attacks listed in the figure below can even be initiated. Having SDP is equivalent to being immune to all of them.

How is such a magical effect achieved? Before explaining the principle of port stealth, let me first explain what a port is and how hackers attack ports.

What is a port

If a server is a building, ports are its entrances and exits: different entrances lead to different shops and areas. On a server, different ports correspond to different service programs.

Each server program communicates with external users through a “port”. For example, when we open Baidu in a browser, we talk to Baidu's server program through port 443. The real URL in the address bar is www.baidu.com:443; you normally don't see the 443 because the browser hides the default port. If you don't believe me, add :443 after the URL and the same page opens.

HTTPS websites are visited through port 443 of the server, HTTP websites through port 80, SSH connections are made through port 22, mail is sent through port 25, and so on.

How hackers attack ports

Hackers generally first collect which ports a server has open, guess which services it provides, and then plan their attacks accordingly.

So the port is the key to both attack and defense. Almost all types of network attack target “ports”. If no port is exposed, hackers have no target to attack.

1. Exploiting vulnerabilities

Hackers use port-scanning tools (such as Nmap) to learn a great deal about a server from the responses its ports return: the operating system, middleware, communication protocol, and so on.

Once an attacker knows this information about the target server, he can use the corresponding vulnerabilities to attack it. There are many public vulnerability databases on the Internet; a search there turns up the relevant vulnerabilities.

Operating system, middleware and other software vendors find their own vulnerabilities in these databases and release fixed versions. But when a new version is released, users may not upgrade immediately; most users keep running the old, vulnerable version.

For hackers, these servers and users become targets. Hackers can attack at will, bring the server down, or steal confidential information.

2. DDoS attacks

Besides exploiting vulnerabilities, hackers have simpler and cruder attack methods.

If a port of the target server is found to be exposed, an attacker can simply use a large number of compromised “zombie” machines to flood it with traffic, exhaust the server's resources, and take the server down outright.

3. Automated information collection

Having read this far, you might think: yes, it is dangerous to expose ports directly on the Internet, but how many people could be so idle as to scan for vulnerabilities and attack at random every day? Even if there are, surely it won't be my turn.

I'm telling you, that's wrong! Every day, many crawlers are automatically scanning at large scale.

Just as Baidu continuously crawls every web page in the world, many hacker groups set up clusters that scan every server in the world every day. The picture below is a public server search engine in China: search for the name of a vulnerability and it immediately lists every server in the world that has it.

So you may already be on someone's target list; it is just not your turn yet, or you don't know it yet.

General defenses

Cyber attacks are frightening, so how do companies defend against them today? There are generally two methods.

The first is to allow everyone to visit the target website, but to apply various security filters to each visit. If malicious code, a virus or a Trojan is found, it is blocked immediately.

This method relies on a rule base that recognizes malicious behavior. If a new type of attack has just been invented and no countermeasure exists yet, the attack will very likely not be stopped. This is the so-called zero-day attack.

Moreover, this defensive thinking has a flaw: as long as the target website is exposed, it is a target! Attackers can study it and try to crack it at any time.

For example, a WAF is a device designed to defend against web attacks, yet there are many WAF bypass tutorials online. Because the WAF is visible to everyone, anyone can keep studying it to find a way past its defenses.

Precisely because the first method has this limitation, many important systems are not exposed on the public network at all.

If such a system needs to be accessed remotely, companies generally choose to go through a VPN.

The characteristic of a VPN is that it reduces exposure: external users cannot see the ports of the business systems the VPN protects.

But VPNs still have a problem: the VPN itself must expose a port. An SSL VPN, for example, exposes port 443. Where there is a port, there are vulnerabilities! The picture below shows the various VPN vulnerabilities I found in the vulnerability database.

So VPN is not a perfect solution. Is there a way to expose no port at all? Yes! The method is SDP.

The stealth principle of SDP

Go back to the first picture. SDP equipment is usually deployed at the network entrance for defense (the round switch to the left of “Fire” in the figure below). The protected network has only one entrance and exit, and SDP stands guard there.

1. SDP components

SDP needs two components working together to achieve invisibility: the SDP client and the SDP gateway.

(1) The SDP client is installed on the user’s computer.

(2) The SDP gateway is deployed at the network entrance.

2. All ports are closed by default

The default rule of the SDP gateway is: close all ports and refuse all connections. The gateway firewall has only one rule, deny all. By default it ignores whoever comes; no one can connect to any of its ports. That is how “stealthy” the SDP gateway is.

3. Port knocking

In this case attackers cannot connect, but how do legitimate users connect? They must go through a special procedure called “port knocking”.

The principle of port knocking is like entering a secret base whose door is normally closed. A guard stands behind the door and will not open it when you knock, unless you knock with the right code, say three long and two short. Knock the right signal and the door opens.

SDP requires legitimate users to “knock on the door” before connecting to a port.

(1) Before the SDP client communicates with the SDP gateway, it first sends a “knock” packet. The packet contains the user's identity and the port to be accessed.

(2) On receiving the knock packet, the SDP gateway verifies whether the identity is legitimate and whether the requested port is authorized for that user.

(3) If everything checks out, the SDP gateway adds a firewall rule allowing traffic from this user's IP address to reach the port. This is the “knock” on the SDP gateway's door.

(4) After the knock, the user connects to the gateway's port as usual, and the gateway forwards the user's traffic to the corresponding business system.

Note that attackers still cannot access the “same port”, because the gateway opens it only for the legitimate user's IP address and not for the attacker's. So attackers still cannot scan the port, cannot see it, cannot touch it.

Moreover, the target port is only opened temporarily. Once the legitimate user stops for more than one minute, the port closes automatically. If the user keeps working, the SDP client knocks again at regular intervals to keep the port open.

You may spot a problem here: if all ports of the SDP gateway are closed by default, how is the knock packet received?

In fact, SDP leaves one port half-open: it only receives and never responds (any UDP port can be used, for example).

(1) The port number is agreed between the gateway and the client in advance, for example 60001.

(2) The client sends the knock packet to port 60001.

(3) Port 60001 makes no response whatsoever after receiving the packet.

(4) When an attacker's scanning tool probes port 60001, it sees no response at all and concludes that the port must be closed.

That is the port stealth mechanism of SDP.
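To make steps (1) to (4) concrete, here is a Python model of the knock process (an added example, not code from the article or from any SDP product). It assumes a knock packet format the article does not specify: the client seals its identity, the requested port and a timestamp with an HMAC under a pre-shared key; the gateway verifies in silence, checks per-user port authorization, and keeps the resulting allow rule for one minute. All user names, keys and IP addresses are constructed for the demo.

```python
import hashlib, hmac, json

# Constructed demo data (not from the article): per-user pre-shared keys and
# the ports each user is authorized to reach through the gateway.
USER_KEYS = {"alice": b"alice-psk-demo", "bob": b"bob-psk-demo"}
AUTHORIZED_PORTS = {"alice": {443, 22}, "bob": {443}}
RULE_TTL = 60       # seconds: the port closes after one minute without a fresh knock
KNOCK_WINDOW = 30   # seconds: knocks older than this are treated as replays
TAG_LEN = 32        # HMAC-SHA256 digest length in bytes

def build_knock(user, port, key, now):
    """Client side: identity + requested port + timestamp, sealed with an HMAC."""
    body = json.dumps({"user": user, "port": port, "ts": now}, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

class SdpGateway:
    """Gateway side: deny-all by default; a valid knock adds a timed allow rule."""

    def __init__(self):
        self.rules = {}  # (src_ip, port) -> expiry timestamp

    def handle_knock(self, src_ip, packet, now):
        """Returns True only if a rule was added. Nothing is ever sent back to the
        sender, so a scanner sees the same silence whether the knock was valid or not."""
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        try:
            msg = json.loads(body)
            user, port, ts = msg["user"], int(msg["port"]), int(msg["ts"])
        except (ValueError, KeyError, TypeError):
            return False                                  # malformed: drop silently
        key = USER_KEYS.get(user)
        if key is None:
            return False                                  # unknown identity
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return False                                  # forged or tampered knock
        if abs(now - ts) > KNOCK_WINDOW:
            return False                                  # stale knock (replay)
        if port not in AUTHORIZED_PORTS.get(user, set()):
            return False                                  # identity OK, port not authorized
        self.rules[(src_ip, port)] = now + RULE_TTL       # open for this IP only
        return True

    def is_allowed(self, src_ip, port, now):
        """Firewall check for a later connection from src_ip to port."""
        expiry = self.rules.get((src_ip, port))
        if expiry is not None and now < expiry:
            return True
        self.rules.pop((src_ip, port), None)              # expired or never opened
        return False
```

A connection from any other IP address, to any other port, or after the minute has passed is denied exactly as if no rule had ever existed.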

4. The effect of invisibility

If you scan the SDP gateway with Nmap, you find all ports closed, as shown in the figure below. Yet the website opens normally through the SDP client.

5. Comparison of SDP and VPN

Gartner predicts that SDP will replace VPN technology, mainly because of SDP's stealth capability. A VPN must still expose at least one port (for example, port 443 for an SSL VPN). Why do you keep hearing news of VPN vulnerabilities? Because a VPN always exposes a port, attackers can probe it at any time to study whether it has vulnerabilities.

So from this point of view, SDP is indeed more secure.

Stealth technology 2: cloud-based IP stealth

SDP can hide ports, but the IP address still has to be mapped externally; otherwise legitimate users could not reach it either.

Is there a technology that allows remote access without mapping any IP address? Yes! Many cloud-based Zero Trust products carry this technology.

1. The principle of cloud invisibility

The architecture is shown in the figure and has three parts: client, cloud, and connector.

(1) The connector first actively establishes a tunnel to the cloud.

(2) The client's traffic is sent to the cloud first, then forwarded to the connector back down that tunnel.

(3) Finally, the connector forwards the traffic to the intranet server.

The cloud plays the role of the SDP gateway; the connector links the intranet to the cloud.

Under this architecture, the enterprise does not need to map any IP address or port to the connector. The connector only needs outbound Internet access. The corporate intranet has only outward connections, never inward ones, so attackers cannot get in at all.

Why doesn't the connector need an externally mapped IP address and port?

Because the connector actively establishes the tunnel outward, the connector itself offers no service to the outside. All communication between the cloud and the connector travels back down that tunnel.

If that is unclear, think of how we usually surf the Internet at home. The home computer does not map any IP address or port to the outside world, so how can a website send information to it? The computer initiates a connection to the website, and the website sends the web page back down that connection.
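The traffic flow of steps (1) to (3), as a loopback simulation in Python (an added example, not code from the article or from any vendor's product): the intranet app, the connector and the cloud run as threads on 127.0.0.1 with ephemeral ports, and the request text is constructed for the demo. The connector only ever calls connect(); it never listens, which is the whole point.

```python
import socket, threading

socket.setdefaulttimeout(5)  # keep the demo from hanging if a step fails

def _listener():
    """Bind a loopback listener on an ephemeral port (stand-in for a real host)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def _intranet_app(srv):
    """Constructed intranet service: no public IP/port, only the connector reaches it."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(b"intranet-app: got " + conn.recv(1024))

def _connector(cloud_addr, app_addr):
    """Connector: dials OUT to the cloud, then waits for work to arrive down that tunnel."""
    with socket.create_connection(cloud_addr) as tunnel:
        request = tunnel.recv(1024)                       # step (2): request comes down the tunnel
        with socket.create_connection(app_addr) as app:   # step (3): hand it to the intranet server
            app.sendall(request)
            tunnel.sendall(app.recv(1024))                # reply goes back up the same tunnel

def _cloud(tunnel_srv, edge_srv):
    """Cloud: the only component with a listener the outside world can reach."""
    tunnel, _ = tunnel_srv.accept()                       # step (1): connector's outbound tunnel
    client, _ = edge_srv.accept()                         # a remote user arrives at the cloud edge
    with tunnel, client:
        tunnel.sendall(client.recv(1024))
        client.sendall(tunnel.recv(1024))

def run_demo(request=b"GET /hr-portal"):
    """Run client -> cloud -> tunnel -> connector -> intranet app and return the reply."""
    app_srv, tunnel_srv, edge_srv = _listener(), _listener(), _listener()
    workers = [
        threading.Thread(target=_intranet_app, args=(app_srv,)),
        threading.Thread(target=_cloud, args=(tunnel_srv, edge_srv)),
        threading.Thread(target=_connector,
                         args=(tunnel_srv.getsockname(), app_srv.getsockname())),
    ]
    for t in workers:
        t.start()
    with socket.create_connection(edge_srv.getsockname()) as client:
        client.sendall(request)
        reply = client.recv(1024)
    for t in workers:
        t.join()
    for s in (app_srv, tunnel_srv, edge_srv):
        s.close()
    return reply
```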

2. The benefits of cloud stealth

Not exposing IP addresses and ports brings a company many advantages.

(1) First, there is no need for website filing.

(2) Moreover, DDoS attacks and vulnerability scans become impossible. A scanning tool needs a target IP address; if the company exposes no IP address at all, attackers cannot even fill in the target, let alone scan its ports.

In this way the corporate network is, in effect, completely invisible. Yeah!

3. Defects of cloud invisibility

This mode is worry-free and safe, and it seems perfect. But there is one risk point: the security of the cloud itself. The cloud still has to map an IP address to the outside.

This model essentially transfers the risk to the cloud.

4. Combining cloud and SDP

To protect the cloud, consider adding SDP to it: install an SDP gateway in the cloud. The cloud still exposes an IP address, but no port.

This gives two layers of protection: the first layer is the port hidden by SDP, the second is the connector that exposes no IP address. The overall security is perfect.

Stealth technology 3: clientless mode

The SDP + connector approach is very safe, but it has a drawback in convenience: the user must install a client. Because knocking is a special procedure, only the client can perform it; the computer's default browser cannot.

Requiring a client makes adoption hard. Endpoint products in general are harder to operate and maintain, and users are reluctant to install all sorts of things on their computers.

Can it be done without a client? Yes.

I have seen a netizen abroad build a DIY clientless stealth solution for his company.

1. The architecture of the clientless mode

(1) The user first logs in to the SSO (single sign-on) system.

(2) The SSO notifies the firewall to add a rule allowing traffic from the user's IP address (the creation time is added to the rule's label).

(3) A background recycling program checks all firewall rules regularly, compares the creation time, and immediately clears any rule older than 10 minutes.

2. Advantages and disadvantages of the clientless mode

This scheme also achieves invisibility. Before the user logs in to the SSO, the firewall is closed and the business system is completely unreachable from the Internet.

It is equivalent to moving the knocking logic into the SSO system. The advantage is that users need not install a client; the price is that the enterprise's SSO system is exposed.

So from this perspective the user experience goes up, but security goes down.


The three stealth techniques above each have their advantages, disadvantages and suitable scenarios. They can also be combined in pairs for better results.

The value stealth technology brings to companies is also very large. Once invisible, most network attacks and penetration attempts are avoided. Especially for a fairly large company with hundreds of internal systems, securing them one by one is exhausting; it is far better to hide them directly at the unified entrance, which is simple and effective.
