Configure Enterprise Shield™ for Kaazing Gateway

This checklist provides the steps necessary to configure Enterprise Shield™ in your Kaazing Gateway architecture.

# Step Topic or Reference
1 Become familiar with Gateway topologies Common Gateway Production Topologies
2 Understand how Enterprise Shield works About Enterprise Shield
3 Determine which Enterprise Shield topology is for you Enterprise Shield Use Cases
4 Download and set up Kaazing Gateway Setting Up the Gateway
5 Configure Enterprise Shield Walkthrough: Configure Enterprise Shield
6 Configure Enterprise Shield for high availability and failover Walkthrough: Configure Enterprise Shield for High Availability

About Enterprise Shield™

Enterprise Shield protects your trusted network by initiating the connection from the internal trusted network towards the DMZ. Until now, allowing access to a trusted network while still maintaining security behind the firewall still has challenges because of the necessity to open ports to accept incoming connections. For most administrators, opening a port to the outside world is a necessary but undesirable solution because it instantly increases vulnerability to outside hacks and attacks. Companies are reluctant to open up ports in firewalls because each open port is another potential attack vector for malicious users. Using Enterprise Shield, you can close all of your inbound ports while still allowing clients to initiate connections.

Traditionally, web architectures require that you open inbound ports to allow connectivity to internal systems and services in your trusted network. As with any web architecture, a typical Kaazing Gateway configuration (without Enterprise Shield) must open ports to allow TCP, HTTP, or WebSocket connectivity through a firewall, as shown in the following figure:

Gateway Topology with Ports Open to the Trusted Network

Figure 1: A Kaazing Gateway Topology with Ports Open to the Trusted Network

Using Enterprise Shield, you can close all inbound ports in your firewall, thus closing the entry points available to untrusted users and eliminating your attack surface vulnerability.

To implement Enterprise Shield, you configure a Gateway in the DMZ, which receives a reverse connection from within the trusted network. With this architecture, a client can talk to the back-end service or message broker through a firewall. Another benefit of Enterprise Shield is that your architecture remains valid, without requiring changes. For example, neither the client nor the back-end service or message broker are aware of the reverse connection because it is completely transparent to the rest of the architecture. Clients that are outside the firewall connect as usual to the DMZ Gateway.

Simple Topology Showing a Reverse Connection

Figure 2: Closed Inbound Ports in an Enterprise Shield Topology

Adding Enterprise Shield to your architecture requires only a few simple modifications. Instead of a single Gateway in your trusted network, you add another Gateway in the DMZ. Then, you only need to make a few changes to the two Gateway configurations to reverse the connection. Other parts of the architecture, such as the client and the back-end service or message broker, observe no apparent differences between a configuration with Enterprise Shield or one without, making the reverse connection completely transparent to the endpoints of the configuration.

With this architecture in place, you can close the inbound ports of your firewall, thus providing maximum security and zero attack vectors for malicious users seeking to exploit ports in your firewall.

See Enterprise Shield Use Cases to gain more insight into how you might use Enterprise Shield. This topic describes the various Enterprise Shield configurations you can deploy.

Walkthrough: Configure Enterprise Shield provides a detailed walkthrough describing how to configure Kaazing Gateway to protect your enterprise by using a reverse connection to initiate the connection from the Gateway in the internal trusted network to a DMZ Gateway.

Note: Before you configure Enterprise Shield you should have a basic understanding of the following topologies: