Secure remote access
- End-to-end visibility and control, regardless of underlay network or cloud.
- Cryptographically authenticated X.509 certificates identify and secure each flow. PKI and cert management built in.
- Firewall denies all inbound traffic. No whitelisted IPs. No open inbound ports.
- Microsegmented, high-performance mesh network replaces point-to-point VPN tunnels.
- Mutual TLS (mTLS) for every flow.
Insecure remote access
- Limited visibility and control, varying by underlay network or cloud.
- IP addresses used as identities, causing security problems, RFC 1918 conflicts, port forwarding.
- Firewalls open to whitelisted IPs, with open inbound ports and ACL complexity.
- Point-to-point VPN tunnels enable lateral attacks and cause performance-impairing backhaul.
- TLS only secures clients.
“We are committed to protecting our clients’ data. Partnering with NetFoundry isn’t just a way to accomplish this, but the best way.”
Steve Lindsey, CIO, Liveview Technologies (LVT)
“Businesses can use NetFoundry's Ziti platform to simplify network management, and enable zero trust networking for applications running at the edge on Azure public MEC and Azure regions.”
Ross Ortega, VP, Azure for Operators
“Integrating our IoT solution with NetFoundry SDKs enables IoT networking without VPNs or proprietary hardware. We can jointly be deployed as software on any IoT device to provide customers with simple solutions.”
Paul Edrich, CTO, IMS Evolve
“By integrating NetFoundry’s zero trust platform into our IoT and Edge analytics solutions, TOOQ is transforming the retail industry.”
Ronaldo Moura, CEO, TOOQ
“NetFoundry extends the WAN all the way to the application endpoint without CPE, over the Internet. We integrated NetFoundry’s AppWANs into the networking solutions we sell to financial institutions to enable them to meet their strict regulatory and security requirements.”
Chris Williams, VP at PliantCloud, Alliance Technology Group
The greatest vulnerability is the network
What do breaches caused by compromised passwords or MFA credentials, phishing, or zero-days have in common? Regardless of the vulnerability, it is almost always exploited from the Internet.
Why haven't firewalls worked?
Because our firewalls and WAFs are full of holes - permitted (whitelisted) IP addresses, open inbound ports, complex ACLs. Once an attacker has credentials, or a bug that they can exploit, they simply enter right through the holes in our firewalls, from anywhere on the Internet.
Why are firewalls and WAFs full of so many holes?
Most operations systems require access to servers in our private data centers and public cloud environments. This includes remote access to our servers and remote management (SSH, RDP, etc.) of them. It also includes many DevOps, GitOps and CI/CD flows. Added to this are systems such as log collection, SIEM and APM, which often send logs to servers in our data centers. Add it all up, and suddenly our firewalls and WAFs have many holes.
How to close all the firewall and WAF holes?
Deploy NetFoundry's Ziti software in front of your servers, anywhere (private or public cloud; Kubernetes; home lab; a Raspberry Pi...anywhere).
Close all your inbound ports on your firewall (default deny-all).
Your Ziti software opens zero trust, app specific connections, outbound to your private network (hosted by NetFoundry in CloudZiti; self-hosted in the OpenZiti open source version). The connections are governed by your identities and policies. Details below.
You converge networking and security by moving the policy enforcement point. Apps and devices must identify, authenticate and authorize before they can send packets to your private Ziti overlay fabric. You move the policy enforcement point all the way back to the initiation of the session, preventing unauthenticated data from ever reaching your firewalls.
Passports gate your private Ziti overlay networks. Nothing gets on your private Ziti overlay without a passport. Cryptographically validated X.509 certificates are the passports. The Ziti platform takes care of automated enrollment, PKI and certificate renewals. The X.509 certificate functions like a YubiKey or hardware dongle physically loaded on each device, so it is much more difficult to steal or hijack than passwords, SMS codes, etc. The solution is similar to network access control (NAC) solutions, except it is for Internet-distributed devices and apps, and secured with modern cryptography.
You extend your Ziti networks anywhere, without needing to control the underlay networks. Ziti enables you to deploy 'endpoints' as software, anywhere, even inside the process space of your apps (via Ziti SDKs). Suddenly, remote access, operations and management apps are simple to secure. Adios VPNs, MPLS, private mobile APNs.
You secure your servers with mutual TLS. Mutual TLS (mTLS) is a big deal, not just for security or compliance requirements, but because it is far more secure. TLS secures clients; mTLS secures your servers. But of course there is a catch: mTLS can be difficult to implement. So Ziti provides mTLS in all directions, controlled by you from one platform, across all edges and clouds, for all use cases, including remote access, log collection, SIEM, remote management, DevOps and GitOps, APM data and CI/CD.
Network performance and reliability. Your private Ziti overlay network fabric includes HA, load balancing and dynamic routing across multiple tier-one backbones. You can put parts of the Ziti data plane into your environments, so you don't have to backhaul latency-sensitive sessions to the cloud. Every session follows its own optimized route, eliminating the need to tunnel all sessions to one place and then route out from there.
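As an added illustration of the "close all your inbound ports" step above (this is not NetFoundry's or OpenZiti's own configuration), here are two alternative nftables rulesets for a server host: first the allowlisted-IP and open-inbound-port pattern the page calls "holes", then a default deny-all inbound policy where only the local overlay endpoint's outbound connections are allowed. The address range, port numbers and interface names are assumptions; load one ruleset or the other, never both at once.

```nftables
# Added example, not vendor configuration. 203.0.113.0/24, ports and
# interface names are assumed placeholders.

# --- Before: the "holes" pattern (allowlisted IPs, open inbound ports) ---
table inet filter_before {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Hole 1: SSH reachable from an allowlisted "trusted" range
        ip saddr 203.0.113.0/24 tcp dport 22 accept
        # Hole 2: RDP reachable from the same range
        ip saddr 203.0.113.0/24 tcp dport 3389 accept
        # Hole 3: a syslog listener that any Internet source can reach
        tcp dport 514 accept
    }
}

# --- After: default deny-all inbound; the overlay endpoint dials out ---
table inet filter_after {
    chain input {
        type filter hook input priority 0; policy drop;
        # Only replies to connections this host initiated get back in.
        ct state established,related accept
        # SSH/RDP/syslog still run locally; the overlay endpoint delivers
        # authenticated sessions to them over loopback, so no inbound
        # rule and no source-IP allowlist is needed.
        iif "lo" accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        # DNS so the endpoint can resolve the overlay fabric's routers.
        udp dport 53 accept
        # Outbound mTLS from the local overlay endpoint to the fabric
        # (443 is an assumption; use the port your fabric listens on).
        tcp dport 443 accept
    }
}
```

The output chain is deliberately strict; add rules for anything else the host legitimately reaches out to (NTP, package mirrors) before loading it, and verify with `nft list ruleset` that no inbound accept rule remains other than established/related and loopback.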