Introduction
Defguard is a comprehensive Remote Access Management solution incorporating in one solution:
Our primary focus at defguard is security. Beyond that, we aim to make this challenging topic both useful and as easy to navigate as possible.
Having said that, this security platform is for building secure and privacy-aware organizations, as we put great effort not only into functionality but first and foremost into secure code, architecture and testing (application and security).
The main architecture concept is that all critical data should be in the internal (Intranet) network and not exposed to the public Internet (contrary to the typical and common cloud approach), and only services that need to be exposed to the Internet should be exposed, in controlled (DMZ) network segments:
This approach is vastly different from most (if not all) VPN/IdP solutions, which are simple or monolithic applications that focus on functionality and are most of the time publicly available on the Internet for any attacker to exploit.
Of course, you can deploy defguard in a typical scenario (all services on one server, and even all publicly available), but that should be for you to decide!
Incorporating IDM, ALM and VPN also has other advantages:
Your organization may use just one account (login) for access control to all your applications as well as VPN.
It simplifies deployment, maintenance and audits.
multiple VPN Locations (networks/sites) - with defined access (all users or only Admin group)
import your current WireGuard server configuration (with a wizard!)
easy device setup by users themselves (self-service)
automatic IP allocation
kernel (Linux, FreeBSD/OPNsense/pfSense) & userspace WireGuard support
dashboard and statistics overview of connected users/devices for admins
defguard is not an official WireGuard project, and WireGuard is a registered trademark of Jason A. Donenfeld.
nice UI to manage users
User self-service (besides typical data management, users can revoke access to granted apps, MFA, WireGuard, etc.)
WebAuthn / FIDO2 - for hardware key authentication support (e.g. YubiKey, FaceID, TouchID, ...)
Email tokens
Self-service for password reset
Webhooks & REST API
Follow our handy guides to get started on the basics as quickly as possible:
Learn the fundamentals of Defguard to get a deeper understanding of our main features:
True Zero-Trust ,
Identity Management with ,
Account Lifecycle management with .
Defguard is a true Zero-Trust , as each connection requires MFA (and not only when logging in to the client application like other solutions):
Internal IdP with 2FA/MFA enables us to provide - and not like most applications just 2FA when opening the app (and not during the connection process). Even if you use (Google/Microsoft/Custom - which defguard supports), we still use our internal IdP for 2FA/MFA.
More about .
using our
multiple for each VPN Location (r) - supported on a cluster of routers/firewalls for Linux, FreeBSD/pfSense/OPNsense
External
LDAP (tested on ) synchronization
(TOTP - e.g. Google Authenticator)
Secure remote (over the internet)
User
provisioning for users with one click
Built with for portability, security, and speed
Checked by professional security researchers (see )