Cloak Your Network.
Secure Services not IPs
Managing networks with static IPs, subnets, NAT, and firewalls is complex, fragile, and error-prone. As environments scale across cloud, hybrid, and mobile, traditional IP-based control falls apart. OpenZiti eliminates this headache by making identity—not IP—the core of your network. No more IP conflicts, no more guessing, just secure, zero-trust connectivity that works anywhere.
The Right Model For Your Needs
Implementing zero trust is a journey and every organization has different needs. Depending on your needs, one zero trust model may be better than another. Some organizations require different models for different needs. OpenZiti offers three distinct zero trust models, allowing your organization to form a zero trust overlay network that works best for you and allowing you to transform to a zero trust implementation at your own pace.
ZTAA
Zero Trust Application Access
The most comprehensive approach to secure application to application communications.
- Simplified deployment model makes securing multi-cloud or hybrid deployments trivial, deploy anywhere
- Eliminates all network-related trust, including the host network
- Network firewall operates in deny-by-default mode
- OS firewall operates in deny-by-default mode (unauthorized east-west traffic is impossible)
- Compiled into applications by leveraging OpenZiti SDKs
- Achieves true process to process, end-to-end encryption
The ultimate goal for organizations seeking comprehensive zero trust security.
ZTHA
Zero Trust Host Access
Extends zero trust principles to secure host communications
- Works with existing solutions by using an OpenZiti Tunneler
- Eliminates network-related trust
- Network firewall operates in deny-by-default mode
- OS firewall operates in deny-by-default mode (unauthorized east-west traffic is impossible)
- Only the host network is a trusted network zone
ZTNA
Zero Trust Network Access
Secures access to applications and services in a secure network zone
- Works with existing solutions by using an OpenZiti Router in trusted network space
- Network firewall operates in deny-by-default mode
- OS firewalls require inbound port rules per service
- Allows zero trust network access on devices that can't install an OpenZiti Tunneler
Why OpenZiti
OpenZiti's unique capabilities redefine secure networking for the modern age.
Strong Identities
IPs are not identities. OpenZiti leverages proven cryptographically verifiable identities.
Identity-Aware Access
Fine-grained authorization with posture checking ensures only valid identities are allowed to connect to services.
No Open Ports
Services completely vanish from the internet, becoming invisible to attackers and scan tools.
App-Level Embedding
SDK integration brings zero trust directly into your applications, no agents required.
Smart Routing
The OpenZiti Fabric intelligently routes traffic through the optimal path for security and performance.
End-to-End Encryption
Libsodium-powered cryptography ensures data is secure in transit, always.
Private DNS
Authenticated, private DNS resolves service names to secure overlay tunnels, not IP addresses.
No Port Inference
Single-port transport prevents service fingerprinting and port scanning vulnerabilities.
Ready to Deploy Your Overlay?
Whether you're looking for enterprise-grade support or prefer to self-host, NetFoundry and OpenZiti offer flexible deployment options to meet your needs.
Enterprise Managed
Get fully managed zero trust networking with NetFoundry's enterprise offering, complete with SLAs and 24/7 support.
Self-Hosted
Deploy and manage your own OpenZiti network with our comprehensive documentation and community support.