Software Defined Perimeter


Gartner’s recent report, It’s Time to Isolate Your Services From the Internet Cesspool, highlights the insufficiencies of current perimeter designs and the great risks created by the way organizations expose their services (applications, APIs, etc) to the world.

It introduces a new concept called the Software Defined Perimeter (SDP) to resolve these problems. The fact is that organizations have been exposing their services (such as HTTP/S, RDP and APIs) to the world in the same way for years, and no matter how many layers of security are added, hackers have been able to infiltrate or bring down services via DDoS attacks.

It’s time to re-examine the way organizations expose their services. What if, instead of statically exposing and publishing your services to the world, and then layering security measures to prevent unauthorized access and to prevent DDoS attacks, you could expose them on-demand and only for authenticated users? It obscures your services from the Internet until the moment it’s necessary to allow someone to access that service.


Safe-T’s Software Defined Perimeter (SDP) architecture is the basis for Safe-T’s Secure Application Access solution. By deploying Safe-T’s Software Defined Perimeter architecture, organizations can now design and deploy the On-Demand Perimeter. The On-Demand perimeter creates access rules for authenticated users into applications and data, in a fully automated and dynamic fashion.


  • 1

    User logs into dedicated authentication portal published by the Authentication Gateway.

  • 2

    The user enters the credentials into the portal

  • 3

    The Access Controller retrieves the credentials from the Authentication Gateway over a reverse-access connection and then authenticates the user using 3rd party IAM/IDP solutions, POST based login, Microsoft Active Directory, SAML, OTP, etc.

  • 4

    Once the user is authenticated, the Access Controller instructs the Authentication Gateway which applications to display to the user, and instructs the Access Gateway to provide (reverse) access to the specific user to allowed applications

  • 5

    The user selects the application which should be accessed

  • 6

    The user is redirected to the application’s published IP address

  • 7

    The user accesses the newly published service

  • 8

    Once the user disconnects from the service, the Access Controller instructs the Access Gateway to block access to the specific user for the specific application

Safe-T Software Defined Perimeter

The Safe-T Software Defined Perimeter solution is the ultimate cyber threat protection for published services, supporting protocols such as HTTP/S, RDH5, WebDAV, etc. Organizations can now provide a complete remote access suite for remote users and partners for internal services, including Web, RDP, NTFS, Email, and more. There’s no client software to install and no need for a VPN. And now, with the addition of Safe-T Telepath user behavior analysis module for unparalleled insight into user traffic, you can detect bots and malicious insiders before they have the chance to cause damage. Meanwhile, your services are completely hidden from the world at all times.


  • Firewall is constantly in a deny-all state, no open port (inbound or outbound) is required for access.
  • Supports a variety of applications – HTTP/S, SMTP, SFTP, SSH, APIs, RDH5, WebDAV.
  • Bi-directional traffic is handled on outbound connections from the LAN to the outside world.
  • Defines new reverse-access rules on-demand.
  • Allows client-less access to data, services, networks and APIs.
  • Robust partner authentication options.
  • Removes the need for VPN.
  • Performs SSL decryption in a secure zone.
  • Scans all incoming traffic using the organization’s security solutions.
  • Hides DMZ components which can be hacked and utilized to access the network.
  • Detects and reports on the presence of bots and malicious insiders for quick event resolution.
  • Provides only direct application/service access, thereby blocking network access.


  • Supports any type of application or service.
  • Bi-directional traffic over outbound connections.
  • Hides enterprise services from the Internet.
  • Only authenticated users can access the service.
  • Prevents DDoS attacks on protected services.
  • Simple and easy application access.
  • Provides actionable insight regarding your users’ intentions, allowing you to determine if they are bots or malicious insiders.
  • Reduces client-server VPN overhead.
  • Blocks network access, allow application access.
  • Integrates all security and IAM solutions into data access flow.