Secure access for internal apps and tools

Use internal apps, tools and webhooks without IP whitelisting and complex ACLs


Secure access for internal apps and tools

  • End-to-end visibility and control, regardless of underlay network or cloud.
  • Cryptographically authenticated X.509 certificates identify and secure each flow. PKI and cert management built in.
  • Firewall denies all inbound traffic. No whitelisted IPs. No open inbound ports.
  • Microsegmented, high-performance mesh network replaces point-to-point VPN tunnels.
  • Mutual TLS (mTLS) for every flow.

Insecure access for internal apps and tools

  • Limited visibility and control, varying by underlay network or cloud.
  • IP addresses used as identities, causing security problems, RFC 1918 conflicts, port forwarding.
  • Firewalls open to whitelisted IPs, with open inbound ports and ACL complexity.
  • Point-to-point VPN tunnels enable lateral attacks and cause performance-impairing backhaul.
  • TLS only secures clients.

The greatest vulnerability is the network

Cyber attackers exploit a very wide variety of vulnerabilities, but they almost always attack from the Internet. While it is difficult to eliminate every vulnerability, we can prevent attackers from reaching a vulnerability over the network, drastically reducing the surface area exposed to attacks.

Why haven't firewalls worked?

Because our firewalls and WAFs are full of holes: permitted (whitelisted) IP addresses, open inbound ports, complex ACLs. These holes are often opened for internal apps, tools and webhooks.

Why are firewalls and WAFs full of so many holes?

Internal apps, tools and webhooks often need access to servers and data. To provide this access, we use permitted or whitelisted IP addresses, VPNs and bastions. Unfortunately, each of these approaches means opening holes in our firewalls and WAFs.

How to close all the firewall and WAF holes?

Deploy NetFoundry's Ziti software in front of your servers and data, anywhere (private or public cloud; Kubernetes; home lab; a Raspberry Pi...anywhere).

Close all your inbound ports on your firewall (default deny-all).

Your Ziti software opens zero trust, app specific connections, outbound to your private network (hosted by NetFoundry in CloudZiti; self-hosted in the OpenZiti open source version). The connections are governed by your identities and policies. Details below.

You converge networking and security, moving the policy enforcement point. Apps and devices need to identify, authenticate and authorize before they can send packets to your private Ziti overlay fabric. You move the policy enforcement point all the way back to the initiation of the session, preventing unauthenticated data from ever reaching your firewalls.

Your passports gate your private Ziti overlay networks. Nothing gets on your private Ziti overlay without a passport. Cryptographically validated X.509 certificates are the passports. The Ziti platform takes care of automated enrollment, PKI and certificate renewals. The X.509 certificate functions like a YubiKey or hardware dongle physically loaded on each device, so it is much more difficult to steal or hijack than passwords, SMS codes, etc. The solution is similar to network access control (NAC) solutions, except it is for Internet-distributed devices and apps, and secured with modern cryptography.

You extend your Ziti networks anywhere, without needing to control the underlay networks. Ziti enables you to deploy 'endpoints' as software, anywhere, even inside the process space of your apps (via Ziti SDKs). Suddenly, remote access, operations and management apps are simple to secure. Adios VPNs, MPLS, private mobile APNs.

You secure your servers with mutual TLS. Mutual TLS (mTLS) is a big deal, not just for security or compliance requirements, but because it is far more secure. TLS secures clients; mTLS secures your servers. But of course there is a catch: mTLS can be difficult to implement. So Ziti provides mTLS in all directions, controlled by you from one platform, across all edges and clouds, for all use cases, including internal apps, tools, workflows and webhooks, even if they are "legacy" apps.
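The TLS-versus-mTLS distinction above, as an added example in Go's standard library (not NetFoundry or OpenZiti code): the same internal server is run with the weak setting (any client admitted once the server has proven itself) and with the corrected one (a client must present a certificate issued by the private CA, or the server refuses the session). The CA, the server cert "internal-app" and the device cert "device-001" are constructed in memory as a stand-in for the enrollment and PKI that Ziti automates.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newCert mints an in-memory X.509 cert for name: self-signed when parent is nil (the private CA), else issued by parent.
func newCert(name string, isCA bool, parent *tls.Certificate) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	issuer, signer := tmpl, any(priv)
	if parent != nil { issuer, signer = parent.Leaf, parent.PrivateKey }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}
// handshakeAccepted runs one handshake against a loopback listener and reports whether the SERVER accepted it.
func handshakeAccepted(mtls, clientHasCert bool) bool {
	ca, pool := newCert("private-ca", true, nil), x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	auth := tls.NoClientCert // plain TLS: the server proves itself to clients but admits anyone
	if mtls { auth = tls.RequireAndVerifyClientCert } // mTLS: no CA-issued passport, no session
	srvCfg := &tls.Config{Certificates: []tls.Certificate{newCert("internal-app", false, &ca)}, ClientAuth: auth, ClientCAs: pool}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil { return false }
	defer ln.Close()
	verdict := make(chan bool, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil { err = c.(*tls.Conn).Handshake(); c.Close() }
		verdict <- err == nil
	}()
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "internal-app"} // RootCAs alone only authenticates the server
	if clientHasCert { cliCfg.Certificates = []tls.Certificate{newCert("device-001", false, &ca)} }
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err == nil { defer conn.Close() }
	return <-verdict // the server's decision: a TLS 1.3 client's Dial returns before its cert has been checked
}
func main() { fmt.Println(handshakeAccepted(false, false), handshakeAccepted(true, false), handshakeAccepted(true, true)) }
```

Note that the client side of the handshake "succeeds" in the no-certificate case even under mTLS; the rejection is the server's, which is why the example reports the server's verdict rather than the client's.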

Network performance and reliability. Your private Ziti overlay network fabric includes HA, load balancing and dynamic routing across multiple tier-one backbones. You can put parts of the Ziti data plane into your environments, so you don't have to backhaul latency-sensitive sessions to the cloud. Every session follows its own optimized route, eliminating the pattern of tunneling all sessions to one place and then routing out from there.

Secure, high performance network for internal apps, tools and webhooks
