What is OpenZiti?
An Example of an OpenZiti Overlay Network
In OpenZiti You Will Find
- A zero trust overlay mesh network composed of a controller, edge routers and fabric routers
- Numerous SDKs making it easy to embed zero trust principles directly into your application
- Tunneling applications providing zero trust access to those applications you cannot embed zero trust into directly
- Zero trust principles such as authorize before connect, continual authorization, least-privilege access
OpenZiti makes it easy to embed zero trust, programmable networking directly into your app. With OpenZiti you can have zero trust, high performance networking on any Internet connection, without VPNs!
🏃♂️ Ready to deploy your first network? Jump right in, feet first, and follow along with one of our quickstart guides!
The OpenZiti Controller is the central function of the OpenZiti Network. The OpenZiti Controller provides the configuration plane. It is responsible for configuring OpenZiti services as well as being the central point for managing the identities used by users, devices and the nodes making up the OpenZiti Network. Lastly but critically, the OpenZiti Controller is responsible for authentication and authorization for every connection in the OpenZiti Network.
The OpenZiti Controller must be configured with public key infrastructure (PKI). The configured PKI is used to create secure, mutually- authenticated TLS (mTLS) network connections between any two pieces of the OpenZiti Network. The OpenZiti Controller does not provide its own PKI but for the OpenZiti Controller to sign a certificate signing request (CSR) the OpenZiti Controller will need to be configured with a key and certificate used for signing. The OpenZiti CLI can generate a PKI.
The OpenZiti Controller also supports using a third-party PKI should the operator of the OpenZiti Network have an existing PKI they wish to reuse. Utilizing a third-party CA pushes the burden of obtaining and distributing properly signed certificates to the operator of the OpenZiti Network but for sophisticated customers this might make overall management of the network easier. The OpenZiti Controller uses a local database based on bbolt to store the information needed to manage the network.
OpenZiti Routers are the fundamental building blocks of the OpenZiti Network. These routers are responsible for securely and reliably delivering traffic from one OpenZiti Network node to the destination.
Ziti Routers are linked together to form a mesh network. This mesh is constantly being monitored for latency and the fastest paths are used when routing traffic to the destination. The monitoring also allows for active failover to ensure a reliable network connection even in the case of a node failure.
The OpenZiti Router is the entry point to the OpenZiti Network for client connections. The OpenZiti Router in combination with the Ziti Controller is responsible for authenticating and authorizing OpenZiti Edge Clients.
OpenZiti Edge Clients
Connecting to the OpenZiti Network requires an OpenZiti Edge Client. Edge Clients are designed to work with both brownfield and greenfield applications.
If the solution being developed includes developing new software OpenZiti offers SDKs targeting various languages and runtimes to provide fast, reliable and secure connectivity. These SDKs provide the capabilities needed to securely connect to the OpenZiti Network and are designed to be easily incorporated into the target application.
When adding secure connectivity to an already existing solution OpenZiti offers specialized Edge Clients called tunnelers which provide seamless, secure connectivity and do not require changes to the target application.
Read more about clients
Once the OpenZiti Network is established and deployed the next step is to configure the software-powered network. The three main concepts necessary to configure an OpenZiti Network are: Identities, Services, and Policies.
A service encapsulates the definition of any resource that could be accessed by a client on a traditional network. An OpenZiti Service is defined by a strong, extensible identity, rather than by an expression of an underlay concept. This means that services defined on an OpenZiti Network have an almost limitless "namespace" available for identifying services. An OpenZiti Service is defined by a name and/or a certificate, rather than by a DNS name or an IP address (underlay concepts). Services also declare a node where traffic that exits the OpenZiti Network needs to be sent to before exiting. The node where traffic enters the OpenZiti Network may be the same node where traffic exits. Alternatively, traffic may need to traverse the OpenZiti Network Routers to reach the exit node. Simply specifying the node is all the end-user need do, the OpenZiti Network handles the rest.
Read more about services
Identities represent individual endpoints in the OpenZiti Network which can establish connectivity. All connections made within the OpenZiti Network are mutually authenticated using X509 Certificates. Every Identity is mapped to a given certificate’s signature. OpenZiti Edge Clients present this certificate when initiating connections to the OpenZiti Network. The presented certificate is used by the OpenZiti Network to authorize the client and enumerate the services the Identity is authorized to use.
Read more about identities and authentication.
Policies control how Identities, Services and Edge Routers are allowed to interact. In order to use a service the identity must be granted access to the service. Also, since all access to a service goes through one more edge routers, both the service and the identity must be granted to access to the same edge router or edge routers.
Entities such as identities, services and edge routers can be added to
policies explicitly, either by id or name. Entities can also be tagged
with role attributes. Role attributes are simple strings like
support. Their meaning is decided by the
administrator. Policies can include entities by specifying a set of role
attributes to match.
Service Policies encapsulate the mapping between identities and services in a software-powered network. In the simplest terms, Service Policies are a group of services and a group of identities. The act of adding a service to a Service Policy will grant the identities in that Service Policy access to the given service. Similarly, adding an identity to a Service Policy will grant that identity access to the services mapped in that Service Policy.
Service policies controls both which identities may dial a service (use the service) and which identities may bind a service (provide or host the service). Each Service Policy may either grant dial or bind access, but not both.
Edge Router Policies
Edge Router Policies manage the mapping between identities and edge routers. Edge Router Policies are a group of edge routers and a group of identities. Adding an edge router to an Edge Router Policy will grant the identities in that Edge Router Policy access to the given edge router. Similarly, adding an identity to an Edge Router Policy will grant that identity access to the edge routers mapped in that Edge Router Policy.
Service Edge Router Policies
Service Edge Router Policies manage the mapping between services and edge routers. Service Edge Router Policies are a group of edge routers and a group of services. Adding an edge router to a Service Edge Router Policy will grant the services in that Service Edge Router Policy access to the given edge router. Similarly, adding a service to a Service Edge Router Policy will grant that service access to the edge routers mapped in that Service Edge Router Policy.
Zero Trust/Application Segmentation
Many networking security solutions act like a wall around an internal network. Once you are through the wall, you have access to everything inside. Zero trust solutions enforce not just access to a network, but access to individual applications within that network.
Every client in a Ziti system must have an identity with provisioned certificates. The certificates are used to establish secure communications channels as well as for authentication and authorization of the associated identity. Whenever the client attempts to access a network application, Ziti will first ensure that the identity has access to the application. If access is revoked, open network connections will be closed.
This model enables Ziti systems to provide access to multiple applications while ensuring that clients only get access to those applications to which they have been granted access.
In addition to requiring cert based authentication for clients, Ziti uses certificates to authorize communication between Ziti components.
Dark Services and Routers
There are various levels of accessibility a network application/service can have.
- Many network services are available to the world. The service then relies on authentication and authorization policies to prevent unwanted access.
- Firewalls can be used to limit access to specific IP or ranges. This increases security at the cost of flexibility. Adding users can be complicated and users may not be able to easily switch devices or access the service remotely.
- Services can be put behind a VPN or made only accessible to an internal network, but there are some downsides to this approach.
- If you can access the VPN or internal network for any reason, all services in that VPN become more vulnerable to you.
- VPNs are not usually appropriate for external customers or users.
- For end users, VPNs add an extra step that needs to be done each time they want to access the service.
- Services can be made dark, meaning they do not have any ports open for anyone to even try and connect to.
Making something dark can be done in a few ways, but the way it's generally handled in Ziti is that services reach out and establish one or more connections to the Ziti network fabric. Clients coming into the fabric can then reach the service through these connections after being authenticated and authorized.
Ziti routers, which make up the fabric, can also be dark. Routers located in private networks will usually be made dark. These routers will reach out of the private network to talk to the controller and to make connections to join the network fabric mesh. This allows the services and routers in your private networks to make only outbound connections, so no holes have to be opened for inbound traffic.
Services can be completely dark if they are implemented with a Ziti SDK. If this is not possible a Ziti tunneler or proxy can be co-located with the service. The service then only needs to allow connections from the local machine or network, depending on how close you colocate the proxy to the service.
Ziti makes sure that when you connect to a service using a Ziti network, your connection is encrypted from start to finish. Each connection is secured through public-private-key cryptography provided by libsodium. This means that even if your service data is not encrypted on its own, the connection between the SDKs will be encrypted and only readable by the intended parties. This feature is available in all applications that use Ziti's SDKs, including Ziti's tunneler, desktop, and mobile applications.
Read more about end-to-end encryption and security for other connections on the Connection Security page.