Ziti: Programmable network overlay and edge components for zero-trust networking

156 points by talonx, more than 2 years ago

8 comments

tyingq, more than 2 years ago
All of this somewhat recent new activity that exposes easier user defined networking makes me wonder about corporate Cybersec departments. Are they trying to keep all this stuff in a box, control it, etc? I know none of it is really new per se, but it is certainly easier to do now.

I know that some of it is fairly easy to detect, but Cyber also can't use the same old stranglehold techniques[1] they have in the past, because remote developers need to be able to use docker and other tools that use network overlays.

The old school approach of trying to block it all is based on, I assume, old style networks where the corporate office floor network has too much access to production. And so, the corporate VPN inherits too much access also, so it works similarly to your desk.

Perhaps this pushes more effort to make the VPN and office floor networks completely separate from anything important.

[1] For example, popular corporate VPN software products, like AnyConnect and GlobalProtect, are somewhat notorious for blocking things like Docker overlay networks by default.
linsomniac, more than 2 years ago
Because I've found OpenZiti kind of hard to wrap my head around, I'm repeating my TL;DR from another recent discussion (https://news.ycombinator.com/item?id=32923851#32942158):

It is a meshed overlay with endpoint authentication and ACLs. Endpoints can be: application-embedded (think TLS) or system level (think PtP VPN) or routers to subnets (think routing VPN).

One thing that took me a long time to wrap my head around is: You can incrementally implement OpenZiti by: setting it up as a traditional VPN, then start putting individual server endpoints directly on OpenZiti, then put individual services directly on the fabric (application embedded).
egberts1, more than 2 years ago
For the HN readers,

https://support.netfoundry.io/hc/en-us/articles/360019471912-Contact-NetFoundry-Support

from the Ziti support pricing page:

* Standard - To be retired soon. Not applicable for the latest pricing plans ( since 2022)

Does this mean you are required to be using Ziti infrastructure just to use this product or its SDK? Or is it self-hostable?
gz5, more than 2 years ago
responses* to all the great discussion:

1. the problem solved by the openziti platform is making secure networking simpler and stronger for dev, ops and sec teams.

2. to solve this problem, openziti provides functions such as mtls; strong IDs with automated enrollment; outbound session initiation (initiated by client or server side and bridged by proxies...such that inbound firewall rulesets become deny-all); programmable cloud native overlay network which only accepts cryptographically authorized sessions.

3. app-embedded via OpenZiti SDKs means no separate agent required. your private overlay network goes wherever your app goes. other options include agents and gateways, as well as embedding in browsers, proxies, etc.

* i work for netfoundry - we built saas on top of openziti
toomim, more than 2 years ago
What does "zero-trust" mean?

I'd presume I want a network I *can* trust.
yencabulator, more than 2 years ago
Since this was unbelievably hard to find: It's not a VPN, it's a TCP tunnel. https://news.ycombinator.com/item?id=32928222
crudbug, more than 2 years ago
ZeroTier alternative? Has the team done any performance measures?
toomim, more than 2 years ago
Is this an alternative to:

- ngrok
- ssh tunnel
- tor
- libp2p

?