Basic architecture considerations for Ziti

I am working on a basic security lab to test and implement various CloudZiti and OpenZiti elements. Here is a simplified view for discussion purposes of this proposed network to be secured:

This network will simulate the average office / enterprise with an internal network of hosts and devices and servers connected via wired ethernet on one firewall interface, a reverse proxy for web application delivery to Internet users on its own DMZ interface, and a WiFi network on its own DMZ interface. The firewall does NAT for all 3 of these interfaces. The Internet interface is to an ISP and uses one publicly reachable IP address.

My questions are about the best way to approach a typical enterprise network like this with hosted web applications and remote administration being the primary inbound traffic at this stage of the lab experiment.

  1. What is the best way to utilize CloudZiti with this environment?
  2. How should OpenZiti elements be logically placed and configured? Tunnels, edge router, controller? I’d appreciate some help in understanding the intended approach to an environment like this one as I try to learn and understand Ziti enough to gain confidence in possible commercial implementations.

The “internal network” consists of various OS platforms and hardware devices, servers running as VM and Docker containers, etc.

  1. Is the reverse proxy still a valid component in a Ziti world or is it obviated by the nature of how Ziti works? How can the CloudZiti services best be leveraged?
  2. Is there a way to direct all inbound traffic to a CloudZiti tunneler rather than allow connections to the actual network IP address? Is that a relevant question?
  3. This seems like a perfect example to try to use the BrowZer component since the main service this network provides to the Internet is a list of about 15 web applications (currently running on various reverse proxied ports on the translated external IP address).
  4. Does the Ziti zero trust paradigm essentially remove the need for this hardware segmentation at the firewall? Does each server instance and host need to run some sort of client software?

Would really appreciate any and all help translating my old school knowledge and experience to the new Ziti paradigm. Thanks for the help and discussion.

Hi @jfj

Ziti (OpenZiti or CloudZiti) creates a private network overlay over the internet underlay, with endpoints on either side not required to open inbound ports. In a scenario where the user of any of the 15 applications has a Ziti endpoint on his / her device or app, there is no need for a reverse proxy, since this communication happens over a private overlay, either on a private IP or a Ziti DNS name. The endpoint can be a ZDE, ZME or a BrowZer. Considering the depth and nature of your questions, this is a good design discussion. We are happy to assist you over a meeting. Please drop an email to Customer Success at customer.success@netfoundry.io with your available slots, time zone and what you do, so that a specialist can be in touch with you. Thank you for your interest in NetFoundry; we love it.