EDP: An eBPF-based Dynamic Perimeter for SDP in Data Center

2022 23rd Asia-Pacific Network Operations and Management Symposium (APNOMS) (2022)

Abstract
In recent years, the concept of Zero Trust Networks (ZTN) has been proposed to overcome unrealistic security assumptions, e.g., that whatever lies inside a private network (such as a data center) is always trusted and safe. In ZTN, no device or user is assumed to be secure; instead, every connection has to be authenticated and authorized before it is established. Software Defined Perimeter (SDP) is one of the most promising solutions for ZTN: the gateway allows clients to access services only after receiving legitimate Single Packet Authorization (SPA) data. However, existing SDP solutions either (1) decouple the SPA from the connection request, resulting in redundant communication round trips and exposure to impersonation attacks; or (2) copy the SPA data to user space from packet sniffers, causing packets to traverse the protocol stack repeatedly. Because data centers carry a large number of short-lived flows, an inefficient and insecure SPA process leads to severe connection delays and leaves the gateway open to network attacks (e.g., DDoS). To this end, we propose an eBPF-based Dynamic Perimeter (EDP) to enhance both the security and the performance of SDP. With EDP, authentication data is efficiently embedded into every packet and checked before the packet enters the receiver's protocol stack. Experimental results show that the connection delay of EDP is 80% lower than that of existing state-of-the-art solutions.
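The abstract's core idea is a gateway that verifies authentication data carried in every packet before the packet reaches the protocol stack. As an added illustration that is not the paper's code, the following user-space Python model shows what such a per-packet check must do: the trailer layout, the truncated HMAC-SHA256 tag bound to the flow 5-tuple and payload (so a tag cannot be replayed onto another connection), the 30-second freshness window and the per-client counter are all assumptions of this example, not details from the paper.

```python
import hashlib
import hmac
import struct

# Constructed model (not the paper's code): every packet carries a trailer that
# the gateway verifies before the payload is allowed into the protocol stack.
# Assumed trailer layout: client_id (4 B) | timestamp (8 B) | counter (4 B) | tag (16 B)
TRAILER_FMT = "!IQI16s"
TRAILER_LEN = struct.calcsize(TRAILER_FMT)  # 32 bytes
WINDOW_SECONDS = 30  # assumed freshness window for the embedded timestamp

def make_tag(key, client_id, ts, counter, flow, payload):
    """Truncated HMAC-SHA256 over the trailer fields, the 5-tuple and the payload."""
    msg = struct.pack("!IQI", client_id, ts, counter) + flow + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

def attach_trailer(key, client_id, counter, flow, payload, now):
    """Client side: append the authentication trailer to an outgoing packet."""
    ts = int(now)
    tag = make_tag(key, client_id, ts, counter, flow, payload)
    return payload + struct.pack(TRAILER_FMT, client_id, ts, counter, tag)

class Gateway:
    def __init__(self, keys):
        self.keys = keys          # client_id -> shared key
        self.last_counter = {}    # client_id -> highest counter accepted so far

    def check(self, packet, flow, now):
        """Return ('PASS', payload) or ('DROP', reason) for one incoming packet.

        Only a PASS verdict lets the stripped payload continue into the stack;
        every other path drops the packet at the perimeter.
        """
        if len(packet) < TRAILER_LEN:
            return "DROP", "no trailer"
        payload, trailer = packet[:-TRAILER_LEN], packet[-TRAILER_LEN:]
        client_id, ts, counter, tag = struct.unpack(TRAILER_FMT, trailer)
        key = self.keys.get(client_id)
        if key is None:
            return "DROP", "unknown client"
        if abs(now - ts) > WINDOW_SECONDS:
            return "DROP", "stale timestamp"
        if counter <= self.last_counter.get(client_id, -1):
            return "DROP", "replay"
        expected = make_tag(key, client_id, ts, counter, flow, payload)
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "DROP", "bad tag"
        self.last_counter[client_id] = counter
        return "PASS", payload
```

Because the tag covers the 5-tuple, a captured trailer replayed on a different connection fails the tag check, which is the impersonation case the abstract attributes to decoupled SPA.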
Keywords
Data Center, Software-Defined Perimeter, Single Packet Authorization, Extended Berkeley Packet Filter