25 posts tagged with "Zero Trust"

Zero Trust Networking

Securing Ziti Identities with HSM/TPM

· 4 min read

Regular readers of this blog know that OpenZiti provides secure overlay networking between Ziti identities. You can improve the security of your OpenZiti edge identities by using hardware-based private keys. This guide provides step-by-step instructions on integrating hardware security with OpenZiti. It uses the Linux built-in TPM as the hardware security device. Similar steps will also work with other HSM devices.

No Listening Ports?

· 9 min read

Not too long ago, I authored a post about why Go is Amazing for Zero Trust. In that post, I write about one of OpenZiti's superpowers that allows your applications to have no listening ports by integrating an OpenZiti SDK into it. It's always interesting writing content that makes perfect sense to you, but after you publish it, someone immediately asks a question that's so obvious, you wonder how you, and everyone who reviewed it, missed it. I published that blog post, and the first (well-deserved) response was:

Announcing OpenZiti v1.0

· 5 min read
Dave Hart
Author

We created OpenZiti so that anyone can implement distributed applications over the Internet, incorporating the principles of zero-trust networking for free into almost anything and for any use case.

We started the OpenZiti GitHub org back in May 2020. One of the most common questions we get today is, "Why haven't you bumped the version to 1.0 yet?" It's a fair question. OpenZiti boasts a robust feature set and sees widespread use in mission-critical applications, including Fortune 50 environments, with billions of sessions annually.

So, why the long wait? Well, making secure connectivity simple at scale is non-trivial, and we’ve held ourselves to a high standard.

We’ve proved, and our users have proved, that OpenZiti stands up to large-scale production use. But one of the most important things we wanted to do before flipping to v1.0 was show off OpenZiti in action in its most potent use case: as a foundation for what we call “ziti-native apps.” These are applications built from the ground up with security, privacy, and resilience designed in.

Go is Amazing for Zero Trust

· 10 min read

I have the privilege of working on the OpenZiti project. OpenZiti is a free, open-source overlay network and platform focused on making it easy to implement the principles of zero trust. OpenZiti believes zero trust belongs inside applications by adopting an SDK, not bolted onto the network after the application is developed. With zero trust built into the application, it becomes secure-by-default. Since OpenZiti is primarily written in GoLang, naturally, we offer an SDK based on Go to allow you to secure your applications. But Go isn't the only SDK offered; the project also has numerous SDKs in various other languages. With one of these SDKs, you can build zero-trust principles into an application and make it secure-by-default.

Recently, I used our SDK based on Go and built an "Appetizer Demo" to give the world an idea of how easy it can be to secure applications by adopting an OpenZiti SDK. We want to make it trivial for people to experience frictionless zero trust in action. Using code, the demo shows you what it takes to include an OpenZiti SDK into an application to secure data in motion.

The Appetizer Demo doc page is live. You can go there and experience it now if you like or later after reading a bit more about it here. It'll hopefully take five minutes or less, depending on how fast you are! If you'd prefer to look at the source from GitHub first, have a look at the reflect server and/or the reflect client.

Business Rule Driven Just-in-Time Network Access

· 10 min read

One of the most incredible achievements of the late 20th century is the internet.  It has connected the world in ways never imagined and enabled businesses, organizations, and individuals to do incredible things efficiently and at a global scale.  One of the groups it has enabled, unfortunately, is criminals.  Since the first networks were connected, criminals and malicious users have exploited weaknesses in software and configuration to disrupt business and steal money, technology, and peace of mind.  The connectivity of the modern world is the greatest feature and the greatest weakness.  Recently, Zero Trust has become the new security model.  Zero Trust is an evolution of earlier models, addressing their weaknesses and giving a framework to deliver much more secure systems and networks.  NetFoundry, the sponsor of the free and open-source OpenZiti project, is at the forefront of this movement, providing many Zero Trust features, and enabling others.  The API-driven and software-embeddable nature of the OpenZiti project gives flexibility for simple solutions that have outsized impacts in reducing some of the most common risks seen in information systems today.