Traditional network design created internal segments that were separated from the external world by a fixed perimeter made up of routers, firewalls, and other access control devices. The premise of the traditional approach was based on visibility and accessibility. If a device external to the network can’t see an internal resource, then access cannot be gained.
Today, we have a very fluid network perimeter that extends to the cloud—SaaS, IaaS, and PaaS-based infrastructure, all with many points of entry. There is also a growing number of devices inside the network that fall under categories such as remote workers, BYOD, on-site contractors, and partners, and that number will keep growing. The advent and popularity of these modern infrastructures, user-managed devices, and the rising rate of phishing attacks expose the inadequacies of the traditional fixed-perimeter model.
A new approach is needed to protect the modern network infrastructure located in a public or private cloud and on-premises, and the increasing number of mobile or dispersed users. This new approach is known as the Software Defined Perimeter (SDP).
Here is our list of the six best SDP software tools:
- Perimeter 81 SDP EDITOR’S CHOICE Provides protection for all hardware elements on a company’s network from a cloud base. This service even marshals internal access to resources by authorized company users because it integrates with access rights management systems including LDAP and Active Directory.
- Twingate SDP (FREE TRIAL) Adds zero trust security to any business’s infrastructure without the need for onsite hardware changes or on-premises software.
- NetMotion SDP Combines digital experience monitoring and an enterprise VPN with its SDP, packaged as a cloud service.
- Appgate SDP Named a Forrester Zero Trust Wave 2020 leader, this service implements SDP onsite or in the cloud.
- Cisco Software Defined Access (SDA) Supplied by the world’s leading network device producer, this SDP is bundled together with other advanced network management facilities.
- Wandera SDP A cloud-based zero trust implementation that forms part of a wider unified cloud security package.
What is a Software Defined Perimeter?
SDP is a way to conceal internet-connected infrastructure (servers, routers, etc.) so that external entities cannot see it, whether it is hosted on-premises or in the cloud. Rather than focusing on traditional, network-based security, SDP takes a different approach—securing the user, the application, and the connectivity in-between. The goal of the SDP approach is to base the network perimeter on software instead of hardware. An organization that uses SDP is essentially draping a robe of invisibility over its servers and internal resources so that no one can see them from the outside; however, authorized users can still see and access the resources. They must authenticate before visibility and access to authorized services is granted.
SDP is distinct from a VPN system. While a VPN is designed to give users broad access to corporate networks, using simple authentication to determine user access, SDP is designed to connect users discreetly to individual resources, using a real-time contextual risk assessment to determine user access. According to Gartner, 60% of enterprises will phase out VPNs in favor of SDP by 2021. An SDP comprises the following components:
- The SDP client—An application that runs on user devices
- The SDP controller—The trust broker between the client and the backend resources
- The SDP gateway—Grants users access to requested network resources
The Best Software Defined Perimeter Software
The Perimeter 81 SDP platform is a scalable, hardware-free solution that helps organizations provide secure access to their network infrastructure and digital assets, including local and cloud resources, from endpoint to data center to cloud. It offers network visibility, resource access segmentation, and full integration with major cloud providers, giving organizations peace of mind in the cloud. The solution is ideal for SMBs, especially those looking for a modern alternative to a traditional corporate VPN system.
Some of the key features and capabilities of Perimeter 81 SDP include:
- Integration with identity providers or directory services such as SAML, LDAP, Active Directory, Touch ID, and more
- Option to deploy private servers on your premises, in a remote location, or in the cloud, allowing you to restrict access to specific resources
- Activity reports and analytics, allowing you to monitor logins, app connections, and connections to unsecured WiFi
- Central cloud management with single-click apps for major platforms
- Two-factor authentication, automatic WiFi protection, and kill switch
- 700 servers in 36 countries
The onboarding process is smooth and hitch-free. When you sign up with Perimeter 81, you get a full management platform where you can build, manage, and secure your network. To get started, all you need to do is sign up, invite your team, install the apps, and create user groups. By clicking the link in the Downloads section of the platform, you can download the app for your preferred platform and follow the wizard to complete the installation. You can give network access to as many team members as you need, assign them to specific groups, and add or remove user permissions with a single click.
Perimeter 81 offers flexible payment plans with billing on a yearly or monthly basis. The sign-up process for all plans is commitment-free and comes with a 30-day money-back guarantee. The plans are priced as follows (billed annually; each plan also carries a minimum number of users):
- $8 per user/month per gateway
- $12 per user/month per gateway
- Custom: +$40/month per gateway
Perimeter 81 SDP is our top pick for a software-defined perimeter solution because it is easy to deploy and manage. This cloud-based service manages all access to all company resources without the need for onsite changes. The Perimeter 81 service integrates with the business's existing access rights management system to create strong zero trust protection without locking out legitimate system users. This tool even controls the use of potentially risky offsite Wi-Fi access points by company assets.
Access live demo: perimeter81.com/demo
OS: Agents for Windows, macOS, Linux, iOS, and Android
Twingate SDP enables organizations to implement a more secure modern zero-trust network without changing existing infrastructure, and centrally manage user access to company digital assets, whether they are on-premises or in the cloud. Twingate is delivered as a cloud-based service, and delegates user authentication to a third-party Identity Provider (IdP).
No special technical knowledge is required from end-users other than to download and install the client application and authenticate with an existing identity provider, and they’re good to go. The controller handles the rest, negotiating encrypted connections between clients and resources. Once everything is confirmed, users are routed to the appropriate resources.
A key feature of Twingate SDP is that authorization for user access is always confirmed with a second or third component depending on the sensitivity of the decision being authorized. No single component can independently make a decision to allow traffic to flow to another component or resource in your remote networks.
Other Twingate features and capabilities include:
- No hardware and application changes are necessary to deploy nodes
- Scalable controller with over 580 points of access worldwide
- One-click user/third-party onboarding and offboarding
- Support for role-based and attribute-based access control
- Comprehensive audits of employee activities and actions
- Client agents can be set up by users without IT support
- Supports least-privilege access and split tunneling
The Twingate SDP solution relies on four components: Controller, Clients, Connectors, and Relays. These components work in tandem to ensure that only authenticated users gain access to the resources that they have been authorized to access.
Twingate SDP is offered in four flexible price plans: Twingate Starter, Twingate Teams, Twingate Business, and Twingate Enterprise. The table below is a summary of the various plans and their features.

| Plan | Cost (billed annually) | Intended for |
| --- | --- | --- |
| Twingate Starter | not listed | Individuals or very small teams |
| Twingate Teams | $5 / user / month | Smaller teams that need to replace a VPN for remote access |
| Twingate Business | $10 / user / month | Larger teams that need more advanced access controls |
| Twingate Enterprise | not listed | Companies that need comprehensive access controls, detailed auditing, and deployment automation |
The NetMotion SDP platform combines SDP, Digital Experience Monitoring (DEM), and enterprise VPN solutions to provide organizations secure access to their digital assets and resources. It can be deployed on-premises, or in the cloud (public, private, and hybrid). The easiest way to take advantage of the NetMotion platform is to implement it as a service.
The NetMotion client installed on user devices acts as the SDP controller, gathering real-time data about the host device, applications, network connections, and so on, and analyzing the context of every user request for resources. The data gathered is then used to build a risk profile for each request, which determines whether the user may access the resource in that immediate context. The NetMotion gateway, which can be installed on-premises or in the cloud, ensures that all company resources are protected. If the controller approves a user's access to a resource, traffic is routed through this gateway directly to the requested destination.
Some of the key features and capabilities of the NetMotion SDP include:
- Combines SDP, digital experience monitoring (DEM), and enterprise VPN in a single platform
- A single agent and console to manage remote devices, analyze data, and apply policy
- Dynamic web filtering and enforcement of access policies on a contextual basis
- Flexible deployment options, including cloud, hosted or on-premises
- Security reputation information on websites and applications
- Real-time risk assessments of every access request
NetMotion licenses are available in two subscription options:
- The Complete subscription: This option grants customers access to the entire range of functionality – SDP, VPN, experience monitoring, and others.
- The Core subscription: This option grants customers access to a limited range of functionality.
A 30-day free trial is available on request.
4. Appgate SDP
The Appgate SDP solution is infrastructure agnostic and can be deployed in all environments: on-premises, multi-cloud (AWS, Azure, GCP), virtualized and containerized environments, and legacy networks and infrastructure. Appgate was named a leader in the Forrester Zero Trust Wave 2020 report. The entire Appgate SDP solution is designed to be distributed and to offer high availability, and it can be deployed in physical, cloud, or virtual environments. Appgate SDP integrates seamlessly with third-party applications such as IdPs, LDAP, MFA, and SIEM, among others.
With Appgate SDP, you can control access from any location and to any enterprise resource in a unified policy engine with centralized policy management for servers, desktops, mobile devices, and cloud infrastructure among others. The Appgate SDP consists of three main components:
- Controller: The controller manages user authentication and applies access policies assigned to users based on user attributes, roles, and context, and then issues entitlement tokens listing the resources the user is permitted to access.
- Client: The Appgate SDP client is software that runs on user devices and connects with Appgate SDP appliances to receive site-based entitlement tokens after successful authentication.
- Gateway: The gateway evaluates user entitlements and opens connections to resources accordingly.
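As an added illustration of the controller/gateway split just described, and of the generic client, controller and gateway components listed earlier in the article, here is a minimal Python model written for this page (it is not Appgate's or any vendor's code). The controller authenticates the user, checks request context, and issues an HMAC-signed entitlement token listing permitted resources; the gateway opens a connection only for a resource named in a valid, unexpired token. The shared secret, user table and policy map are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data; a real deployment delegates authentication to an IdP.
SHARED_SECRET = b"demo-secret-shared-by-controller-and-gateway"
USERS = {"alice": {"pw_hash": hashlib.sha256(b"pw-alice").hexdigest(), "role": "finance"}}
POLICY = {"finance": ["ledger.internal:443"], "eng": ["git.internal:22"]}
TOKEN_TTL = 300  # seconds an entitlement token stays valid


def _sign(claims):
    """Encode the claims and append an HMAC so the gateway can detect tampering."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def _verify(token):
    """Return the claims if the MAC checks out, otherwise None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def controller_issue_token(user, password, context, now=None):
    """Controller: authenticate, assess context, then issue an entitlement token (or None)."""
    now = time.time() if now is None else now
    record = USERS.get(user)
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    if record is None or not hmac.compare_digest(record["pw_hash"], pw_hash):
        return None
    # Contextual check: require MFA and a managed device before granting anything.
    if not (context.get("mfa") and context.get("managed_device")):
        return None
    entitlements = POLICY.get(record["role"], [])
    return _sign({"sub": user, "ent": entitlements, "exp": now + TOKEN_TTL})


def gateway_allows(token, resource, now=None):
    """Gateway: default deny; open only resources listed in a valid, unexpired token."""
    now = time.time() if now is None else now
    claims = _verify(token) if token else None
    if claims is None or claims["exp"] <= now:
        return False
    return resource in claims["ent"]
```

The gateway never consults the user database: it trusts only what the controller signed, which is what keeps resources dark to anyone without a token.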
Some of the key Appgate SDP features and capabilities include:
- Concurrent access: Users gain access to all entitled resources across heterogeneous environments without VPN switching
- Integration support: Includes a bi-directional API interface to support third-party integrations
- Invisibility: Single Packet Authorization (SPA) makes your infrastructure invisible
- Dynamic policy resolution: User policies remain in-sync with infrastructure
- Users live outside the protected network
Cisco has over the years maintained its leadership position in the networking industry through innovative tools and applications. Cisco SDA is one such tool, and it joined the market in recent times. Cisco SDA is a software-defined perimeter solution that allows organizations to bring together users, applications, and devices and apply the right policies to each to secure the network. It is aimed at making enterprise networks more software-driven and simpler to manage.
The solution is targeted at medium to large enterprises looking to solve the following business IT challenges:
- Network segmentation without the need for MPLS network
- Flexible LAN or host mobility without additional VLANs
- Role-based access control without end-to-end TrustSec
- Common policy for wired and wireless without using multiple tools
- Consistency across WAN, cloud infrastructures, branch offices, and campuses without using multiple tools
The core components that make up the SDA solution are Cisco DNA Center (the Cisco DNA software that powers the controller appliance, including a dashboard), Cisco ISE (which enables zero-trust network access), and the wired/wireless network infrastructure (such as routers and switches). When you implement Cisco SDA you are essentially creating an overlay network. DNA Center creates an abstraction layer that allows the entire physical network of switches, routers, and wireless access points to be treated as one virtual switch, which can be manipulated to create virtual networks. The virtual networks make it possible to segment the network and apply specific, centrally managed policies.
Traditionally, creating and managing such virtual networks was made possible by technologies such as VPNs, VLANs, and segmentation rules. But applying that consistently across LAN, WAN, and wireless networks can be daunting. Cisco SDA simplifies the whole process by creating virtual networks, which makes it easy to apply policies consistently.
If you are considering the Cisco SDA solution, the steps below will guide you in the ordering process:
- Choose the required Cisco SDA platforms
- Choose the required software licenses to enable Cisco SDA functionality in the devices and in ISE, available either à la carte or with the purchase of Cisco DNA Premier
- Choose the required appliances—Cisco DNA Center (if applicable) and Cisco ISE
- Choose Cisco SDA professional services (optional but recommended)
As with most Cisco products, the setup process is very complex and requires the services of a Cisco expert. Although the product is best suited to a Cisco environment, you don't need an exclusively Cisco network to get full value from it. SDA offers multi-vendor support and an API that allows integration with network equipment from other vendors.
Wandera is a SaaS security vendor that provides unified cloud security for businesses through its Wandera Security Cloud. Wandera SDP is part of that unified cloud security solution. The Wandera SDP solution is cloud-hosted and hardware-free, and it helps organizations protect corporate data, applications, users, and devices, as well as provide secure access to applications in the data center or in the cloud.
The Wandera SDP solution is targeted at SMBs and other organizations looking for a flexible alternative to legacy VPN or those needing access and security controls for applications with minimal setup complexities. Although Wandera is a relatively young company, they offer a competitive SDP solution.
Some of the key features and capabilities include:
- Zero trust network access—corporate resources are kept invisible and users have the least privilege access
- Easy-to-implement unified software-defined network
- Role and session-based access control
- Great UI and UX design and experience
Like most SaaS providers, Wandera operates a subscription pricing model. The onboarding process is simple and smooth. Organizations interested in trying out Wandera SDP can request a demo, which grants them zero trust access to their public and private cloud services and applications through the SDP solution. Users go through an authentication process using the client application installed on their devices.
Choosing the right SDP software solution for your business
With a variety of SDP products out there, choosing the right one for your business and budget can be challenging. Like most network security solutions, not all SDP solutions are created equal. What fits perfectly from a price, feature, and functionality standpoint for one organization may not fit for another. You need to consider a variety of factors, some of which include:
- What deployment model best suits your environment—cloud or on-premises?
- How does the SDP solution implement zero-trust network access?
- Does the SDP solution integrate with your existing network infrastructure?
- Does the SDP solution require a dedicated appliance for cloud connectivity?
- Is vendor support available in your region, and to what extent?
- What is the total cost of ownership?
Hopefully, this will guide you in the process of choosing the right solution for your business.
See also: Best Access Rights Management Software