Enterprise Shield™ protects your trusted network by initiating the connection from the internal trusted network towards the DMZ. Until now, allowing access to a trusted network while maintaining security behind the firewall has been challenging because of the need to open ports to accept incoming connections.
For most administrators, opening a port to the outside world is a necessary but undesirable step because it immediately increases exposure to outside attacks. Companies are reluctant to open ports in firewalls because each open port is another potential attack vector for malicious users. Using Enterprise Shield™, you can close all of your inbound ports while still allowing clients to initiate connections.
Traditionally, web architectures require that you open inbound ports to allow connectivity to internal systems and services in your trusted network. As with any web architecture, a typical Kaazing WebSocket Gateway configuration (without Enterprise Shield™) must open ports to allow TCP, HTTP, or WebSocket connectivity through a firewall, as shown in the following figure:
Using Enterprise Shield™, you can close all inbound ports in your firewall, thus removing the entry points available to untrusted users and eliminating that part of your attack surface.
To implement Enterprise Shield™, you configure an additional Gateway in the DMZ, which receives a reverse connection from within the trusted network. With this architecture, a client can talk to a message broker or an application through a firewall. Another benefit of Enterprise Shield™ is that your existing architecture remains valid, without requiring changes. For example, neither the client nor the message broker is aware of the reverse connection, because it is completely transparent to the rest of the architecture.
Clients that are outside the firewall connect as usual to the DMZ Gateway.
Adding Enterprise Shield™ to your architecture requires only a few simple modifications. Instead of a single Gateway in your trusted network, you add another Gateway in the DMZ. Then, you only need to make a few changes to the two Gateway configurations to reverse the connection. Other parts of the architecture, such as the client and the message broker or other applications, observe no difference between a configuration with Enterprise Shield™ and one without, making the reverse connection completely transparent to the endpoints of the configuration.
With this architecture in place, you can close the inbound ports of your firewall, thus providing maximum security: no open inbound ports remain for malicious users to exploit.
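The reverse-connection pattern described above, as an added example that is not Kaazing's code and does not use the Gateway's configuration format: a minimal relay in which the DMZ side only listens, the trusted-network side only dials out, and external clients keep talking to the DMZ as before. The handshake token and the one-line request/response protocol are constructed for this example; a real deployment would authenticate the reverse link with TLS client certificates or similar.

```python
import socket
import threading
REVERSE_TOKEN = "example-shared-secret"  # constructed secret; real deployments use TLS client certs etc.


class DmzGateway:
    """DMZ side: accepts one reverse link from the trusted network plus external clients."""
    def __init__(self, host="127.0.0.1"):
        self.reverse_srv = socket.create_server((host, 0))  # port 0: OS picks a free port
        self.client_srv = socket.create_server((host, 0))
        self.reverse_port = self.reverse_srv.getsockname()[1]
        self.client_port = self.client_srv.getsockname()[1]
        self.lock = threading.Lock()  # single reverse channel, so relays are serialized
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:  # never dials inward: waits for a link that proves it is the trusted side
            inner, _ = self.reverse_srv.accept()
            inner_in = inner.makefile("r")
            if inner_in.readline().strip() == "HELLO " + REVERSE_TOKEN:
                break
            inner_in.close()
            inner.close()  # reject anything that cannot complete the handshake
        while True:  # only now start serving external clients
            client, _ = self.client_srv.accept()
            threading.Thread(target=self._relay, args=(client, inner, inner_in), daemon=True).start()

    def _relay(self, client, inner, inner_in):
        with client, client.makefile("r") as cin:
            request = cin.readline()  # one-line request, one-line response
            if not request:
                return
            with self.lock:
                inner.sendall(request.encode())
                response = inner_in.readline()
            client.sendall(response.encode())


def start_internal_gateway(dmz_host, reverse_port, handler):
    """Trusted-network side: dials OUT to the DMZ, identifies itself, then answers relayed requests."""
    def loop():
        with socket.create_connection((dmz_host, reverse_port)) as s, s.makefile("r") as f:
            s.sendall(f"HELLO {REVERSE_TOKEN}\n".encode())
            for line in f:  # each line is a client request relayed by the DMZ gateway
                s.sendall((handler(line.strip()) + "\n").encode())
    threading.Thread(target=loop, daemon=True).start()


def client_request(dmz_host, client_port, text):
    """External client: talks only to the DMZ gateway, as in the original setup."""
    with socket.create_connection((dmz_host, client_port)) as s, s.makefile("r") as f:
        s.sendall((text + "\n").encode())
        return f.readline().strip()
```

The firewall rule this models is the one the text describes: the trusted network needs only an outbound rule towards the DMZ, and nothing listens for inbound connections behind it.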