Protect all servers

Eliminate the headaches and vulnerabilities of open ports, ACLs and VPNs. Close all access to all your servers and data. 

OpenZiti - open source cloudziti- free trial


Simple and secure

Providing app access is a headache. Relying on static IP addresses, managing ACLs, nailing up GRE and IPsec VPNs, and standing up bastions has always been difficult. In today's world of distributed apps and users, it is also insecure - it doesn't protect your servers well enough.

SaaS and modern apps helped, but other use cases still require whitelisted IPs, VPNs and open firewall ports. This includes APIs, B2B, remote access and management, 3rd party access, internal tools, webhooks, multicloud, IoT, shared data, ops (SIEM, APN log collection, DevOps, etc). 

Now, there is a simple and secure solution for all of these use cases.

Simple and secure


  • You have end-to-end visibility and control, regardless of underlay network or cloud.
  • Cryptographically authenticated X.509 certificates identify and secure each flow. PKI and cert management built in.
  • Firewall denies all inbound traffic. No whitelisted IPs. No open inbound ports. Your app servers and web servers are no longer exposed to the Internet.
  • Microsegmented, high performance mesh network with e2e encryption replaces point to point VPN tunnels (your data is private, only available to the endpoint and not accessible to any intermediate points in the NetFoundry cloud).
  • Mutual TLS (mTLS) for every flow.  mTLS secures the client side of your connection - ensuring only authenticated clients can reach your overlay network.

Complex and insecure

  • Limited visibility and control, varying by underlay network or cloud.
  • IP addresses used as identities, causing security problems, RFC 1918 conflicts, port forwarding.
  • Firewalls open to whitelisted IPs, with open inbound ports and ACL complexity. All of these holes give cyber attacker access to your app and web servers.
  • Point to point VPN tunnels enable lateral attacks, cause performance impairing backhaul and are difficult to manage. Encryption is often limited to individual legs, and third parties often terminate your TLS sessions, with access to your keys.
  • TLS ensures clients are talking to the right servers, but you are not protected from unauthenticated clients without mTLS.
  • “We are committed to protecting our clients’ data. Partnering with NetFoundry isn’t just a way to accomplish this, but the best way.”
    Steve Lindsey
    CIO, Liveview Technologies (LVT)
  • “Businesses can use NetFoundry's Ziti platform to simplify network management, and enable zero trust networking for applications running at the edge on Azure public MEC and Azure regions.”
    Ross Ortega
    VP, Azure for Operators
  • “Integrating our IoT solution with NetFoundry SDKs enables IoT networking without VPNs or proprietary hardware. We can jointly be deployed as software on any IoT device to provide customers with simple solutions.”
    Paul Edrich
    CTO, IMS Evolve
  • “By integrating NetFoundry’s zero trust platform into our IoT and Edge analytics solutions, TOOQ is transforming the retail industry.”
    Ronaldo Moura
  • PliantCloud Alliance Technology Group netfoundry appwan zero trust fintech
    NetFoundry extends the WAN all the way to the application endpoint without CPE, over the Internet. We integrated NetFoundry’s AppWANs into the networking solutions we sell to financial institutions to enable them to meet their strict regulatory and security requirements.
    Chris Williams
    VP at PliantCloud, Alliance Technology Group

Why haven't firewalls, WAFs and VPNs worked?

Because our firewalls and WAFs are full of holes - permitted (whitelisted) IP addresses, open inbound ports, complex ACLs. Once an attacker has credentials, or a bug that they can exploit, they simply enter right through the holes in our firewalls, from anywhere on the Internet. Similarly, VPNs grant too much access - they are like a permanent master key to an entire network, rather than temporary access to a specific app.  Our servers are not protected.

Why are firewalls and WAFs full of so many holes?

Many use cases require access, including remote management (SSH, RDP, etc.), and third party access (MSP, MSSP, contractor, partner, vendor, etc.). Use cases also include many ops flows such as DevOps, GitOps, CI/CD, log collection, SIEM and APM. A growing category of these use cases are APIs, B2B, internal tools, webhooks, multicloud, IoT, and shared data (e.g. for data science).  We need to provide simple access, but we also need to protect our app servers and web servers.

How to close all firewall and WAF holes, and eliminate all VPNs, resulting in simpler access, and protecting our servers?

The problem is it is too complex and insecure to build ACL and VPN based solutions for each one of the holes. We need an architectural shift which can solve all of these use cases with one platform, with centralized identities and policies.

Deploy NetFoundry's Ziti software in front of your servers, anywhere (private or public cloud; K8s; home lab; a Raspberry Pi...anywhere). This enables you to close all your inbound ports on your firewall (default deny-all). Your servers are no protected - they no longer have any Internet exposure!

Instead, your Ziti software opens zero trust, app specific connections, outbound to your private network (hosted by NetFoundry in CloudZiti; self-hosted in the OpenZiti open source version). Details below.

You converge networking and security, moving the policy enforcement point. Apps and devices need to identify, authenticate and authorize before they can can send packets to your private Ziti overlay fabric. You move the policy enforcement point all the way back to the initiation of the session, preventing unauthenticated data from ever reaching your firewalls.  Your app and web servers are protected - not accessible to unauthenticated users on the Internet.

Your passport gate your private Ziti overlay networks. Nothing gets on your private Ziti overlay without passports. Cryptographically validated X.509s are the passports. The Ziti platform takes care of automated enrollment, PKI and certificate renewals. The X.509 functions like it is a Yubikey or hardware dongle physically loaded on each device, so is much more difficult to steal or hijack than passwords, SMS codes,etc.  The solution is similar to network access control (NAC) solutions, except it is for Internet-distributed devices and apps, and secured with modern cryptography.  Your app and web servers will now only talk to parties which are X.509 authenticated.

You extend your Ziti networks anywhere, without needing to control the underlay networks. Ziti enables you to deploy 'endpoints' as software, anywhere, even inside the process space of your apps (via Ziti SDKs). This enables any type of client, server or API to be authenticated, which means your servers are protected from unauthenticated endpoints. 

Your secure your servers with mutual TLS. Mutual TLS (mTLS) is a big deal. Not just for security or compliance requirements, but because it is far more secure. TLS secures clients - mTLS secures your servers. But of course there is a catch. mTLS can be difficult to implement.  So Ziti provides mTLS in all directions, controlled by you from one platform, across all edges and clouds, for all use cases, including remote access, log collection, SIEM, remote management, DevOps and GitOps, APM data and CI/CD .

Network performance and reliability. Your private Ziti overlay network fabric includes HA, load balancing and dynamic routing across multiple tier one backbones. You can put parts of the Ziti data plane into your environments, so you don't have to backhaul latency sensitive sessions to the cloud. Every session follows it own optimized routing - eliminate tunneling all sessions to one place, and then routing out from there.

Eliminate the headaches and vulnerabilities of open ports, ACLs and VPNs. Close all access, protecting your servers.

OpenZiti - open source cloudziti- free trialDemo or briefing