undefined | Better HN

0 pointsRsmFz1y ago0 comments

Oh so that allows it to run in-process?

That's cool, I did that for an HTTP forwarding thing a while back.

0 comments

Yes, indeed, this blog gives a great view on it - https://blog.openziti.io/go-is-amazing-for-zero-trust - using Golang and HTTP examples. My favourite part:

"Now, your server has no listening ports on the underlay network. It's literally unattackable via conventional IP-based tooling. Seriously, stop and consider that for just a moment. By adopting an OpenZiti SDK into the server, all conventional network threats are immediately useless."

RsmFzOP1y ago

Well that's also true for Firezone :)

It's a tradeoff between in-process and out-of-process though. It's nice that Firezone Gateways don't have access to the service's memory space and can't crash the process, but it's also nice that an in-process Gateway equivalent doesn't need to loop through the network to reach its service.

PLG881y ago

Maybe we are referring to different things when we say 'process'... I am not aware (happy to be educated) of Firezone having SDKs to embed the zero trust overlay running directly in an application, i.e., in the app process and memory.

Do they support this?

I hear you on having 'out of process', that's why OpenZiti also has tunnellers for deploying on host as well as virtual appliances to run in the DMZ/VNET/VPC etc. I was only aware of Firezone supporting those 2 deployment models.

j / k navigate · click thread line to collapse

0 comments

PLG881y ago

Yes, indeed, this blog gives a great view on it - https://blog.openziti.io/go-is-amazing-for-zero-trust - using Golang and HTTP examples. My favourite part:

RsmFzOP1y ago

Well that's also true for Firezone :)

PLG881y ago

Do they support this?

j / k navigate · click thread line to collapse