Zero Attack Surface Architecture

Secure IPv6 Overlay Network

The Xaptum Edge Network Fabric is a secure, IPv6 overlay network for edge devices.

An overlay network uses the physical infrastructure of one network while logically acting like a separate network. For example, in the early days, the Internet was an overlay network on top of the telephone network. Now, with VOIP, the telephone network is an overlay on top of the Internet.

The ENF isolates devices from the public Internet, while still taking advantage of the public Internet to provide global availability for devices. Devices establish a secure tunnel to the ENF over any last-mile Internet connection, much like a laptop establishing a VPN connection to an enterprise network. All traffic to the device is then routed via the ENF where malicious traffic can be monitored and blocked.

Devices can connect to the overlay via any last-mile Internet connection – even move between connections – but use a stable ENF IPv6 address for all communication. The ENF address is assigned on first connection and, because it remains with the device forever, can be used as a stable, authenticated identifier.

The nodes on the ENF cannot directly communicate with the public Internet and vice-versa. In fact, nodes on the public Internet are not aware of the existence of the ENF or any of the nodes. With all traffic being routed through the ENF network and firewalls, devices are isolated from the threats of the public Internet. Each customer is given a ::/48 block, which they may further partition into ::/64 subnets. Traffic between subnets is blocked by default, effectively segregating traffic within the ENF as well.

Encryption and Authentication

All of the communication on the ENF is encrypted using industry-standard TLS. This allows an endpoint to use an unsecured last-mile connection such as a public WiFi hotspot. To ensure that the connection between the endpoint and the ENF access point is not hijacked, the endpoint and ENF perform a two-way handshake using the ECDSA algorithm.

ENF Architecture

The Xaptum ENF is purpose-built for the edge. As a software-defined network sitting on top of the Public Internet, it secures all of a company’s connected Things anywhere in the world and protects the bidirectional exchange of data between generation at the edge and consumption at the backend.

The ENF architecture block diagram.

The Xaptum backbone is a distributed network of routers. This backbone has direct peering relationships to major ISPs and cloud providers to ensure fast, reliable transfer of traffic. All traffic, not just traffic from the public Internet, passes through the ENF firewall, isolating devices from malicious hosts. The firewall uses a default-deny approach. In order for any two nodes to communicate, firewall rules must be set up.

High Level Operation

The image below illustrates the logical flow of data in the ENF. Devices establish a secure, mutually-authenticated and encrypted tunnel over any last-mile public Internet access. Each is assigned a single IPv6 address identifying it within the customer’s network. Backend servers and cloud applications can similarly establish tunnels to receive traffic from these devices. The ENF routes traffic between the endpoints, enforces the customer-defined firewall rules, and provides visibility and control of the network.

The 4 Main Segments

Public Internet
Devices can connect to the ENF from any Internet connection, anywhere in the world. All traffic is securely tunneled to the ENF, isolating each device from all threats on the public Internet.
Data Plane
The core of the ENF is Xaptum’s distributed IPv6 routing and firewall technology. The services run on Xaptum’s infrastructure in major Internet exchanges. Operating in these points-of-presence (POP) allows Xaptum to peer directly with major ISPs, enabling low latency delivery of all traffic.
Control Plane
The ENF makes managing a dispersed edge deployment as simple as operating a local, on-premise enterprise network. Network administrators can configure subnet configurations, routing policies, and rate limits for all devices in the network. Certificate-based identity and access management provides full control of which devices, servers, and administrators may access the network. The audit trail capabilities offer a full history of all device interactions including when they came online/offline, last-mile ISP used, etc. Metrics like data rates and packet rates are available for each endpoint.
User Interface
Control and interaction monitoring is available through JSON REST APIs that can be easily integrated into an IT department’s existing workflow. To simplify integrations, a command-line interface frontend is available. The built-in dashboard displays basic network metrics.

Didn't find what you were looking for?

Contact us and we’ll get back to you as soon as possible.

Contact Us