The number of open listening ports on the internet is around 185 million (https://census.io). This means there is plenty of opportunity to exploit these open services, as it is now possible to scan the entire internet in under 1 hour for a particular port (service) (https://Zmap.io). Can we somehow hide open ports (services) on the internet or in the enterprise? Is there a method of making them invisible? Well, this idea has been around for a while: a method called Port Knocking (https://en.m.wikipedia.org/wiki/Port_knocking) has existed since the early 2000s, and there is even a new IETF Internet Draft from 2015 called TCP Stealth (https://tools.ietf.org/html/draft-kirsch-ietf-tcp-stealth-01) with a similar concept. All these concepts have the same effect: making your services on the internet or in the enterprise invisible and only accessible by authorized devices or users.
Today the idea of making the Internet, or the corporate network, dark has gained momentum since the introduction of Software Defined Networking (SDN). This has enabled the new concept of Software Defined Perimeter (SDP), or what you might call Black Cloud. This concept is slightly different from port knocking: it makes your services invisible and you need to be authorized, but with SDP you cannot send a secret combination of packets to open the port on the host; you need to have trust with the controller. The controller will allow a mutual TLS (mTLS) session between the Initiating Host (IH) and the Accepting Host (AH). This concept does not require any listening ports on the AH; more importantly, the AH will not accept any connections unless authorized by the SDP controller.
The SDP controller uses Single Packet Authorization (SPA), which is a variant of port knocking. This concept creates an authorization network fabric where you can define which connections are allowed, so think of this as a perimeter that is everywhere, which fits nicely into the zero trust model. You can define by policy which hosts can talk to which hosts and on what ports.
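To make the SPA idea concrete, here is an added example (not code from the CSA working group or any SDP product) showing the gateway side of a single-packet authorization check: one HMAC-authenticated datagram carrying the client identity, requested port, timestamp and nonce, which the gateway verifies against a constructed policy table before it will allow any later mTLS session. The shared key, client names and policy entries are all assumptions made up for the example.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed policy: which client identity may reach which ports on the
# Accepting Host. In a real SDP deployment the controller would supply this.
POLICY = {"laptop-alice": {22, 443}, "build-server": {443}}
TAG_LEN = 32  # HMAC-SHA256 output length

def build_spa_packet(key: bytes, client_id: str, dst_port: int, now: float, nonce: bytes) -> bytes:
    """Initiating Host side: one datagram = JSON body || HMAC-SHA256(key, body)."""
    body = json.dumps({"cid": client_id, "port": dst_port, "ts": int(now),
                       "nonce": nonce.hex()}, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_spa_packet(key: bytes, packet: bytes, now: float, seen_nonces: set,
                      window: int = 30):
    """Gateway side: decide whether to permit a later mTLS session from this
    client. Returns (authorized, reason). Nothing is sent back on failure, so
    an unauthenticated scanner sees no open port and no response at all."""
    if len(packet) <= TAG_LEN:
        return False, "malformed"
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, "bad hmac"
    try:
        req = json.loads(body)
        ts, nonce, cid, port = req["ts"], req["nonce"], req["cid"], req["port"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    if abs(now - ts) > window:                   # limits replay of captured packets
        return False, "stale"
    if nonce in seen_nonces:                     # blocks replay inside the window
        return False, "replay"
    seen_nonces.add(nonce)
    if port not in POLICY.get(cid, set()):       # per-host, per-port policy check
        return False, "policy denied"
    return True, "authorized"

if __name__ == "__main__":
    key = b"constructed-shared-secret"   # provisioned out of band, e.g. by the controller
    seen = set()
    pkt = build_spa_packet(key, "laptop-alice", 22, time.time(), os.urandom(16))
    print(verify_spa_packet(key, pkt, time.time(), seen))  # (True, 'authorized')
    print(verify_spa_packet(key, pkt, time.time(), seen))  # (False, 'replay')
```

The sequence of checks matters: the HMAC is verified before the body is parsed, so malformed or forged packets cost the gateway nothing and produce no observable reply.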
The diagram below explains the process for SDP; the concept is from the Cloud Security Alliance (CSA) working group (https://downloads.cloudsecurityalliance.org/).
The security model below can also be used where you have SDP gateways. These could be placed into network segments on premise or in the cloud, so that you can control all traffic to hosts in the segment.
This security model makes a lot of sense: why should we open services and allow anyone to complete a three-way handshake if these services should only be accessible by a group of users and devices? The solution greatly reduces the attack surface. You do not have any open ports, therefore you cannot DDoS the service; you cannot even connect.
You can see below that Zscaler Private Access is based on a similar security concept but goes a few steps further. Basically, the Zscaler Connector is the SDP gateway, the ZApp client is the Initiating Host, and the Central Authority is the SDP Controller. The Broker (ZEN) is an additional component that removes the need for incoming connections to the data center or cloud network segment. An extra layer of mutual TLS is added between the Client and Connector to provide an extra layer of encryption and trust.
Basically, you could think of SDP as a network fabric where you control traffic flows based on policy. This concept even extends into the data center, as used by Cisco ACI, where contracts between End Point Groups (EPGs) are required to enable network connectivity.
I think this concept of creating your own Darknet (Black Cloud), where you can control and monitor network connections, is the future. This will enable companies to create their own virtualized secure network fabric (Black Cloud) where they are in control. Furthermore, this will enable enterprises to embrace the cloud and stay in control.
Black Cloud is the new Black