AppGate Technical Architecture
What Does AppGate Look Like?
• Individualized perimeter for each user
• Fine-grained authorization for on-premises and cloud
• Dynamically adjusts to new cloud server instances
• Consistent access policies across heterogeneous environments
• Contextual awareness drives access and authentication
AppGate Architecture
Distributed architecture with 3 functions:
• Controller: authentication and token-issuing service
• Gateway: distributed, dynamic access control
• LogServer: provides secure logging services
Diagram: the client's Virtual Network Adapter connects to the Gateway over a secure, encrypted tunnel.
AppGate Policy Model
Diagram: the policy model is built from Filters, Entitlements, Conditions and Attributes.
A Policy-Centric Approach
• Controller applies filters to decide which policies apply upon authentication
• All the permitted entitlements are applied to the user
• Resulting entitlements and conditions are embedded in a token
Diagram: a Controller and LogServer serving Site 1, Site 2 and Site 3; each site hosts protected resources (Database, Sales System, Web Staging, FinanceApp) reached through entitlements such as RDP access and SSH.
• Entitlements: definition of the protected resource
• Filters: determine which users are allowed access
• Conditions: determine how and when users can access resources
• Attributes: user, device and context information
AppGate
Diagram: attributes evaluated for each access (device, time, custom attributes, anti-virus, location, application permissions) against resources on managed networks (cloud, on-premises or hybrid): SharePoint, secured email, CRM, group file share, executive files, enterprise finance, EXEC_SERVER, ERP. Client-to-resource traffic is encrypted and logged.
1. Looks at both context and identity to grant access
2. Creates dynamic 'Segment of One' (1:1 firewall rule)
3. Makes everything else invisible
4. Adjusts automatically to changes in posture and infrastructure
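What the 'Segment of One' point amounts to in practice, as an added example that is not AppGate's own code: given the client's tunnel address and its entitlement token, the gateway renders a per-user ruleset whose default policy is drop (everything not entitled is invisible) and whose only accept rules are 1:1 client-to-resource rules. The nftables syntax, the table and chain names, the tuple layout of the token and the hostname resolver are all assumptions made for illustration.

```python
"""Render a 'Segment of One' ruleset for one client from its entitlement
token: the default policy is drop, so everything not entitled is invisible,
and each entitlement becomes a 1:1 rule from the client's tunnel address to
the resource. Added example, not AppGate's implementation; the nftables
table/chain names and the resolver are assumptions."""
from ipaddress import ip_network

# Constructed stand-in for name resolution. A real gateway would resolve
# hostname targets via DNS and AWS security-group/tag targets via the cloud
# API, and re-render the rules when those change (deck point 4).
RESOLVER = {"QA_Server_11": ["10.2.0.11"]}

def _cidrs(target: str) -> list:
    """Turn a target (IP, subnet or hostname) into CIDR strings."""
    try:
        return [str(ip_network(target, strict=False))]
    except ValueError:
        return [str(ip_network(a)) for a in RESOLVER.get(target, [])]

def render_segment_of_one(client_ip: str, entitlements: list) -> list:
    """entitlements: (action, proto, target, ports) tuples, action in
    allow/block/alert. Returns nftables lines. Block rules are emitted first so
    they win over allow; an unresolvable target yields no rule, which keeps
    the resource invisible rather than accidentally exposed."""
    lines = [
        "table ip appgate {",
        f"    chain segment_{client_ip.replace('.', '_')} {{",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    verbs = {"allow": "accept", "block": "drop",
             "alert": 'log prefix "appgate-alert " accept'}
    ordered = sorted(entitlements, key=lambda e: e[0] != "block")  # block first
    for action, proto, target, ports in ordered:
        for cidr in _cidrs(target):
            match = f"ip saddr {client_ip} ip daddr {cidr}"
            if proto == "icmp":
                lines.append(f"        {match} ip protocol icmp {verbs[action]}")
            else:
                portset = ", ".join(str(p) for p in sorted(ports))
                lines.append(f"        {match} {proto} dport {{ {portset} }} {verbs[action]}")
    lines += ["    }", "}"]
    return lines

# Constructed token for a client at tunnel address 10.200.0.5
TOKEN = [
    ("allow", "tcp", "10.1.0.4", {443}),
    ("block", "tcp", "10.1.0.0/24", {22}),
    ("alert", "icmp", "QA_Server_11", set()),
    ("allow", "tcp", "NoSuchHost", {80}),       # unresolvable: no rule emitted
]

if __name__ == "__main__":
    print("\n".join(render_segment_of_one("10.200.0.5", TOKEN)))
```

The example renders one base chain for a single client; a gateway serving many clients would keep one base chain with policy drop and dispatch on source address into per-client regular chains, so that one client's rules can be replaced on a posture change without touching the others. The "alert" action maps to a logged accept, matching the deck's allow/block/alert trio.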
AppGate Benefits
Creates an identity before connecting to anything on the network
Reduces exposure to attacks, including zero-day exploits, DDoS and lateral movement, because resources a user is not entitled to are never reachable
The cloud fabric can now be extended all the way to the user and device
Leverages legacy applications by extending the SDP architecture
Reduces reliance on traditional network defense equipment (firewall, VLAN, VPN, etc.)
• Identity-centric security
• Policies on user and cloud instances
Identity-Centric Network Security

Editor's Notes

  1. Each site is protected by a Gateway. Servers only accept incoming connections from the Gateway. Behind the Gateway the traffic is plaintext, so standard logging and monitoring tools can still be used.
  2. Policies are tools used to assign entitlements to a user, a group of users, or administrators. A policy includes a list of entitlements and filters that define who those entitlements should be assigned to. The list of entitlements within a policy is used by the Controller to create the entitlement token(s) for each user; the policy defines all the entitlements allowed to a user for use during the session. The conditions within each entitlement are used by the Gateway to control whether the entitlement is permitted at the time of consumption. The Controller uses the filters within a policy to check whether the policy applies to a user. If no filters have been included in the policy, it won't be assigned to any users. If a user's claims don't match any filters, no policies will be allocated and the user will not receive any entitlements.
  3. This is a screenshot of how you would create an entitlement within AppGate. Entitlements specify the exact network resources that users may access. Network access types include IP access, reverse IP access and ICMP access; targets can be hostnames, IP addresses, subnets, or AWS security groups and tags. In this example the client is entitled to TCP access to port 443 on host 10.1.0.4. Entitlements can allow, block or alert, and are subject to filters and conditions. Examples of user entitlements:
     • TCP access to port 443 on host 10.1.0.4
     • TCP access to port 22 on subnet 10.1.0.0/24
     • TCP access to port 3389 on all AWS resources with security group Dev_Team4
     • ICMP access to host QA_Server_11
  4. Entitlements are filtered at authentication time and conditions are evaluated at time of access. AppGate lets you get very granular when defining these criteria, as shown above. Policies are evaluated by the Controller upon user/device authentication (and renewal), and the policies that apply determine the set of entitlements (targets, ports and protocols) placed in the token.
  5. Conditions are evaluated at time of access: entitlements are evaluated by the Gateway when the user tries to reach a target resource. A condition may prompt for a password or one-time password, or require the user to enter an explanation, and may permit or block access based on attributes such as network location, time of day, etc.
  6. The attributes mapping defines how the directory attributes in each user identity provider will be mapped to AppGate XDP claim names. This mapping defines which user claims are available to filter and condition expressions. In addition to being used to authenticate the user at login, the directory attributes in your identity provider are used to populate user claims; filters and conditions use these claims to control the allocation and authorization of entitlements. By writing filter expressions over different user claims, administrators can be very precise about how entitlements are allocated and avoid over-provisioning.
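The two-stage flow described on the policy model slide and in notes 2 through 6 (Controller: attribute mapping and filters at authentication, producing a token; Gateway: target/port matching and conditions at access time, with allow/block/alert outcomes) as one added example. This is illustrative code written for this page, not Cryptzone/AppGate code; the dataclasses, the expression-as-callable representation, the claim names and the sample policies are all assumptions, and the entitlements are modelled on the examples in note 3.

```python
"""Model of the policy flow this deck describes: the Controller evaluates
filters at authentication time and issues a token of entitlements, and the
Gateway evaluates each entitlement's conditions at access time.
Added example, not Cryptzone/AppGate code; the data model and names are
assumptions made for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

Claims = dict                      # user, device and context information
Expr = Callable[[Claims], bool]    # a filter or condition expression

@dataclass
class Entitlement:
    name: str
    action: str                                  # "allow", "block" or "alert"
    proto: str                                   # "tcp", "udp" or "icmp"
    targets: list                                # hostnames, IPs or CIDR subnets
    ports: set = field(default_factory=set)      # empty for icmp
    conditions: list = field(default_factory=list)  # Exprs; all must hold

@dataclass
class Policy:
    name: str
    filters: list        # Exprs; any match assigns the policy to the user
    entitlements: list

def map_claims(directory_attrs: dict, mapping: dict) -> Claims:
    """Attribute mapping (note 6): directory attribute name -> claim name."""
    return {claim: directory_attrs[attr]
            for attr, claim in mapping.items() if attr in directory_attrs}

def issue_token(claims: Claims, policies: list) -> list:
    """Controller side (notes 2 and 4): a policy applies if any of its filters
    matches the claims; a policy with no filters applies to nobody. The token
    is the union of entitlements from all applicable policies."""
    token = []
    for p in policies:
        if p.filters and any(f(claims) for f in p.filters):
            token.extend(p.entitlements)
    return token

def _target_matches(target: str, host: str) -> bool:
    if target == host:                           # exact hostname/IP match
        return True
    try:
        return ip_address(host) in ip_network(target, strict=False)
    except ValueError:                           # hostname target, IP host
        return False

def authorize(token: list, context: Claims, proto: str, host: str,
              port: Optional[int] = None) -> str:
    """Gateway side (note 5): an entitlement counts only if it matches the
    protocol, target and port and all its conditions hold right now.
    A matching block wins; no match at all means the resource is invisible."""
    matched = set()
    for e in token:
        if e.proto != proto or not any(_target_matches(t, host) for t in e.targets):
            continue
        if e.proto != "icmp" and port not in e.ports:
            continue
        if not all(c(context) for c in e.conditions):
            continue
        matched.add(e.action)
    if not matched or "block" in matched:
        return "block"
    return "alert" if "alert" in matched else "allow"

# Constructed sample data; the entitlements mirror the examples in note 3.
office_hours = lambda ctx: 8 <= ctx.get("hour", 0) < 18
POLICIES = [
    Policy("web-staging", [lambda c: "developers" in c.get("groups", [])],
           [Entitlement("web", "allow", "tcp", ["10.1.0.4"], {443}),
            Entitlement("ssh", "allow", "tcp", ["10.1.0.0/24"], {22}, [office_hours])]),
    Policy("qa-ping", [lambda c: "qa" in c.get("groups", [])],
           [Entitlement("ping", "alert", "icmp", ["QA_Server_11"])]),
    Policy("orphan", [],                          # no filters: never assigned
           [Entitlement("rdp", "allow", "tcp", ["0.0.0.0/0"], {3389})]),
]
ATTRIBUTE_MAP = {"memberOf": "groups", "c": "country"}

def demo() -> dict:
    claims = map_claims({"memberOf": ["developers"], "c": "SE"}, ATTRIBUTE_MAP)
    token = issue_token(claims, POLICIES)
    return {
        "token": sorted(e.name for e in token),
        "https": authorize(token, {"hour": 10}, "tcp", "10.1.0.4", 443),
        "ssh_day": authorize(token, {"hour": 10}, "tcp", "10.1.0.77", 22),
        "ssh_night": authorize(token, {"hour": 23}, "tcp", "10.1.0.77", 22),
        "rdp": authorize(token, {"hour": 10}, "tcp", "10.1.0.4", 3389),
    }

if __name__ == "__main__":
    print(demo())
```

Two behaviours from the notes are worth checking against the code: the "orphan" policy has no filters, so its wide-open RDP entitlement never reaches any token (note 2), and the SSH entitlement is in the developer's token all session long but is refused at 23:00 because its time-of-day condition is re-evaluated by the Gateway on every access (note 5), not at login.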