Secure remote access

Zero trust remote access for administrators, systems and third parties

Secure remote access

  • Simple.
  • No access to networks - only to specific applications.
  • Just-In-Time, least privileged, microsegmented access, integrated with workflow systems.
  • End-to-end visibility and control.
  • X.509 certificates identify and secure each flow. PKI and cert management built in.
  • Firewall denies all inbound traffic. No permitted IPs. No open inbound ports. No exposed perimeter device.
  • High performance, multipoint network.
  • Mutual TLS (mTLS) for every flow.

Insecure remote access

  • Complex ACL and firewall management.
  • Access to hosts enables lateral movement.
  • Firewalls are hard to manage, and VPNs grant far more access than the task at hand requires.
  • Limited visibility and control.
  • IP addresses used as identities, causing security problems, RFC 1918 conflicts, port forwarding.
  • Firewalls open to permitted IPs, with open inbound ports and exposed perimeter devices.
  • Point to point VPN tunnels impair performance.
  • One-way TLS authenticates only the server; the client stays anonymous.

The greatest vulnerability is the network

Attackers leverage many methods, including compromised passwords, hijacked MFA credentials and zero days in perimeter devices like VPNs and firewalls. Regardless of the specific method, however, the attacks are almost always executed over the network.

What about the firewalls?

How can almost every cyberattack reach our networks when we have firewalls? Because our firewalls and WAFs are full of holes: permitted IP addresses and open inbound ports. Once an attacker has credentials, or a bug they can exploit, they walk straight through those holes from anywhere on the Internet.

Why are our firewalls full of holes?

Remote management, operations systems, webhooks and APIs often require access to servers in our DMZ. Many of these flows enter on port 443, with final authorization of the flow left to the specific systems in the DMZ. This includes many DevOps, GitOps and CI/CD flows, log collection, SIEM and APM systems. It adds up to firewall and WAF holes. Normally that works, but the moment a DMZ system has a weakness, the attacker is inside.

How to close all the firewall holes?

NetFoundry's Ziti software enables you to close every inbound port on your firewall (default deny-all inbound).

Your Ziti software opens zero trust, app-specific connections outbound to your private, zero trust network (hosted by you, or hosted by NetFoundry as SaaS). The connections are governed by your identities and policies. Details below.
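To make the outbound-only model concrete, here is an added example in Go. It is not NetFoundry or OpenZiti code: a toy relay in which the protected host never listens on any port. The host dials the relay outbound, binds a service name, and the relay bridges the next remote client that dials that name onto the host's existing outbound connection. The "BIND"/"DIAL" line protocol, the service name admin-console and the upper-casing echo service are all constructed for the demo; a real Ziti fabric authenticates both ends with X.509 before any of this happens.

```go
// Added example, not OpenZiti code: a toy relay showing how a protected host serves remote sessions
// while its own firewall denies all inbound traffic. Only the relay listens; the host only dials out.
// The one-line "BIND <svc>" / "DIAL <svc>" protocol and all names are constructed for this demo.
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
	"sync"
	"time"
)

// parked is a host's outbound connection waiting for a client, kept with its reader so no bytes are lost.
type parked struct {
	conn net.Conn
	rd   *bufio.Reader
}

// StartRelay opens the only inbound port in this demo and returns its address.
func StartRelay() (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	var mu sync.Mutex
	binds := map[string]parked{} // service name -> host connection that bound it
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go handle(c, &mu, binds)
		}
	}()
	return ln.Addr().String(), nil
}

// handle reads one command line and either parks a host (BIND) or bridges a client to a parked host (DIAL).
func handle(c net.Conn, mu *sync.Mutex, binds map[string]parked) {
	rd := bufio.NewReader(c)
	line, _ := rd.ReadString('\n')
	verb, svc, _ := strings.Cut(strings.TrimSpace(line), " ")
	mu.Lock()
	defer mu.Unlock()
	switch verb {
	case "BIND": // host side: park the outbound connection and acknowledge
		binds[svc] = parked{c, rd}
		fmt.Fprintln(c, "OK")
	case "DIAL": // client side: claim the parked host and bridge both directions
		h, ok := binds[svc]
		delete(binds, svc)
		if !ok {
			fmt.Fprintln(c, "ERR no host bound for", svc)
			c.Close()
			return
		}
		go func() { io.Copy(h.conn, rd); h.conn.Close() }() // client -> host (bytes already buffered in rd included)
		go func() { io.Copy(c, h.rd); c.Close() }()         // host -> client
	default:
		c.Close()
	}
}

// BindService is the protected host: it dials the relay outbound, binds svc and serves one session of
// a toy protocol (upper-casing each line). It never calls net.Listen, so it needs no inbound rule.
func BindService(relayAddr, svc string) error {
	c, err := net.Dial("tcp", relayAddr)
	if err != nil {
		return err
	}
	fmt.Fprintf(c, "BIND %s\n", svc)
	rd := bufio.NewReader(c)
	if ack, _ := rd.ReadString('\n'); ack != "OK\n" {
		c.Close()
		return fmt.Errorf("bind %s rejected: %q", svc, ack)
	}
	go func() {
		defer c.Close()
		for sc := bufio.NewScanner(rd); sc.Scan(); {
			fmt.Fprintln(c, strings.ToUpper(sc.Text()))
		}
	}()
	return nil
}

// DialService is the remote client: it asks the relay for svc, sends one line and returns the reply.
func DialService(relayAddr, svc, msg string) (string, error) {
	c, err := net.DialTimeout("tcp", relayAddr, 2*time.Second)
	if err != nil {
		return "", err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(2 * time.Second))
	fmt.Fprintf(c, "DIAL %s\n%s\n", svc, msg)
	reply, err := bufio.NewReader(c).ReadString('\n')
	if reply = strings.TrimSpace(reply); err != nil || strings.HasPrefix(reply, "ERR") {
		return "", fmt.Errorf("dial %s failed: %q %v", svc, reply, err)
	}
	return reply, nil
}
```

The host's firewall can drop all inbound traffic and permit only the outbound connection to the relay; the relay is the single place that needs an open port. Without authentication the relay itself would simply become the new hole, which is why the page pairs this connection pattern with certificate identities on every flow.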

How NetFoundry's Ziti platform enables remote access without any firewall holes or exposed perimeter devices

You converge networking and security by moving the policy enforcement point. Apps and devices must identify, authenticate and authorize before they can send packets onto your private Ziti overlay fabric. Moving enforcement all the way back to session initiation prevents unauthenticated data from ever reaching your firewalls.

Passports gate your private Ziti overlay networks. Nothing gets onto the overlay without a passport, and cryptographically validated X.509 certificates are the passports. The Ziti platform takes care of automated enrollment, PKI and certificate renewal. Because the certificate's private key lives on the device rather than in something a user types, it cannot be phished, guessed or replayed the way passwords and SMS codes can; it behaves more like a YubiKey or hardware dongle loaded onto each device. One caveat: a key kept in an ordinary file can still be copied by malware that already runs on the device, so storing it in a TPM, secure enclave or other hardware-backed keystore is what makes that comparison hold fully. The approach is similar to network access control (NAC), except that it works for Internet-distributed devices and apps and is secured with modern cryptography.

You extend your Ziti networks anywhere, without needing to control the underlay networks. Ziti lets you deploy 'endpoints' as software, anywhere, even inside the process space of your apps (via the Ziti SDKs). Remote access, operations and management apps become simple to secure. Adios VPNs, MPLS and private mobile APNs.

You secure your servers with mutual TLS. Mutual TLS (mTLS) is a big deal, not just for security or compliance requirements but because it closes a real gap. One-way TLS protects the client by authenticating the server; it tells the server nothing about who is connecting. mTLS also authenticates the client with its own certificate, so the server can reject an unknown peer during the handshake, before any application data is exchanged. The catch is that mTLS can be difficult to implement and operate at scale, so Ziti provides mTLS in all directions, controlled by you from one platform, across all edges and clouds, for all use cases, including remote access, log collection, SIEM, remote management, DevOps and GitOps, APM data and CI/CD.

Network performance and reliability. Your private Ziti overlay network fabric includes HA, load balancing and dynamic routing across multiple tier one backbones. You can place parts of the Ziti data plane in your own environments, so latency-sensitive sessions are not backhauled to the cloud. Every session follows its own optimized route, eliminating the pattern of tunneling all sessions to one place and then routing out from there.