Development of microsegmentation with IoT-OpenZiti integration

Hi OpenZiti community,

Looking for guidance on using OpenZiti for microsegmentation in an IoT gateway setup.

I'm exploring OpenZiti for microsegmentation in an IoT gateway environment and would appreciate some guidance.

Existing Use case:

  • Gateway managing multiple IoT devices using multiple protocols, e.g. a single IoT gateway for all the WiFi devices
  • Continuous monitoring and policies based on attack scenarios
  • Dynamic policy enforcement based on security events: policy server and agent running on the gateway itself
  • Resource-constrained environment (Raspberry Pi gateway)

Questions:

  1. What's the recommended deployment architecture for OpenZiti in gateway scenarios?
  2. Can OpenZiti policies be updated dynamically in response to real-time security events?
  3. Any considerations for running OpenZiti on resource-limited hardware?
  4. Best practices for managing identities and segmentation policies at scale?
  5. Need device-level and protocol-level network segmentation. What levels of microsegmentation are possible in this setup?

Any guidance, examples, or documentation pointers would be helpful!

Hi @urbanhuee112, welcome to the community and to OpenZiti!

Unfortunately, your request is pretty broad, so I don't think I'll have much to really offer. We've got a lot of people that have shown up in the past doing similar sorts of things; perhaps one of those older posts might be of interest?

In general, I'd be thinking you'll be installing ziti-edge-tunnel (our linux tunneler) on some linux machine and using that as the "gateway".

I'd hope our doc makes this clear, maybe it's not clear enough but "yes", a zero trust overlay network is specifically about having policies that are constantly evaluated.

You should test it yourself, but the ziti-edge-tunnel runs on very constrained hardware. You need to have a CPU that is capable of performing the crypto operations at the speed you need, but if you're just doing "normal" stuff (not 100s of Mbps stuff) then I expect the needs are truly quite low.

I admit that I don't really follow; that's what OpenZiti does well, in my opinion. It's designed for this.

I don't quite follow this either. At this time OpenZiti doesn't support L2 protocols, but if you're using L3/4, OpenZiti will accomplish this quite easily as, again, it's designed for this.

hth?

Hi @TheLumberjack, thanks for the response! Let me clarify my architecture and specific use case.

My Current Architecture (see attached diagram):

  • Authentication/Identity: SPIRE framework (already implemented) handles device identity, certificate validation, and SPIRE agent management

  • Policy Authorization: OPA (Open Policy Agent) manages policy decisions via PDP/PEP

  • Gateway: Raspberry Pi running the control plane

  • End Devices: Multiple IoT devices across different rooms/protocols (WiFi/BLE/Zigbee sensors)

What I Want from OpenZiti: I want to use OpenZiti specifically and exclusively for network microsegmentation, NOT for authentication or policy management (which SPIRE and OPA already handle).

Specific Questions:

  1. Integration Architecture: Can OpenZiti operate as a pure microsegmentation layer alongside existing SPIRE (identity) and OPA (policy) systems? Or does OpenZiti require using its own identity and policy frameworks?

  2. Dynamic Segmentation: When a new IoT device joins the network:

    • SPIRE validates its identity

    • OPA determines what it can access

    • Can OpenZiti dynamically place this device into the correct network segment based on external policy decisions (from OPA)?

  3. Segmentation Granularity: In my setup, I need to segment:

    • By device type (temperature sensors separate from motion sensors)

    • By location (living room devices isolated from kitchen devices)

    • By protocol (WiFi/BLE/Zigbee devices in separate segments)

    Can OpenZiti provide this multi-dimensional microsegmentation?

  4. External Policy Integration: Can OpenZiti's segmentation policies be driven/updated by external systems (my OPA-based policy server) rather than managed directly in OpenZiti's controller?

In Summary: I want OpenZiti purely for network-level isolation/microsegmentation while keeping SPIRE for identity and OPA for policy. Is this a supported architecture pattern?

The real question

I think this is the real question in this post. The answer here is "not yet". OpenZiti has a policy engine built into it but it doesn't allow for external decision points like this at this time. HOWEVER... It's certainly on our roadmap to allow external policy decisions, it's just not implemented at this time. I don't think it'd do exactly what you're after just yet.

I'll provide other answers below that I was typing up as I went in case they are useful... :slight_smile:

Other answers below

I didn't see a diagram?

Sure, but I would also consider the controller a PDP, just a remote PDP. Routers and arguably tunnelers are PEPs as well, in our opinion....

Well, you won't be able to get around this. OpenZiti WILL do this as well because it must. That said, I suppose you can configure OpenZiti wide open, but I'm not sure that would count as "network microsegmentation"? This kinda feels like an oxymoron to me in ways? Maybe I don't quite understand.

Oh - I already mostly answered this. Yes, you'll have to configure OpenZiti with policies. I made the comment before that I don't quite understand what you're looking for; I don't quite understand.
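As an added example (not code from the thread or from the OpenZiti project), here is a small Python model of how the multi-dimensional segmentation asked about above (device type, location, protocol) maps onto OpenZiti's role attributes and service policies, and what "dynamic" re-segmentation looks like in that model. Device, service and policy names are constructed for illustration. The matching rules modelled (`#attr`, `@name`, `#all`, and the AnyOf/AllOf semantic) are OpenZiti's documented ones; the emitted `ziti edge` commands use the CLI's flag names as an assumption, so check them against your installed version before running them.

```python
"""Model of OpenZiti role-attribute matching for multi-dimensional IoT
segmentation, plus the `ziti edge` commands that would realise it.

Added example, not OpenZiti project code. Names are constructed. Rules:
`#attr` matches any entity carrying role attribute `attr`, `@name` matches
the entity with that exact name, `#all` matches everything; a policy's
semantic is AnyOf (any listed role suffices) or AllOf (every role required).
"""
from dataclasses import dataclass
import shlex


@dataclass(frozen=True)
class Entity:                # an identity (device) or a service
    name: str
    attrs: frozenset


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    policy_type: str         # "Dial" (consumer) or "Bind" (host)
    identity_roles: tuple    # e.g. ("#temperature", "#kitchen")
    service_roles: tuple
    semantic: str = "AnyOf"  # OpenZiti's default semantic


def role_matches(role: str, entity: Entity) -> bool:
    if role == "#all":
        return True
    if role.startswith("#"):
        return role[1:] in entity.attrs
    if role.startswith("@"):
        return role[1:] == entity.name
    raise ValueError(f"unsupported role spec: {role!r}")


def entity_selected(roles, entity: Entity, semantic: str) -> bool:
    hits = [role_matches(r, entity) for r in roles]
    return all(hits) if semantic == "AllOf" else any(hits)


def allowed_dials(identities, services, policies):
    """(identity, service) pairs that some Dial policy permits. The overlay is
    default-deny: a pair absent here has no path at all."""
    pairs = set()
    for p in policies:
        if p.policy_type != "Dial":
            continue
        ids = [i for i in identities if entity_selected(p.identity_roles, i, p.semantic)]
        svcs = [s for s in services if entity_selected(p.service_roles, s, p.semantic)]
        pairs.update((i.name, s.name) for i in ids for s in svcs)
    return pairs


def cli_commands(identities, services, policies):
    """ziti edge CLI commands creating this inventory (flag names assumed)."""
    cmds = []
    for i in identities:
        cmds.append(f"ziti edge create identity {shlex.quote(i.name)} "
                    f"--role-attributes {','.join(sorted(i.attrs))}")
    for s in services:
        cmds.append(f"ziti edge create service {shlex.quote(s.name)} "
                    f"--role-attributes {','.join(sorted(s.attrs))}")
    for p in policies:
        cmds.append(f"ziti edge create service-policy {shlex.quote(p.name)} {p.policy_type} "
                    f"--identity-roles {shlex.quote(','.join(p.identity_roles))} "
                    f"--service-roles {shlex.quote(','.join(p.service_roles))} "
                    f"--semantic {p.semantic}")
    return cmds


def resegment(identity: Entity, new_attrs):
    """Move a device between segments (e.g. after an external decision) by
    replacing its role attributes; the policies themselves stay untouched."""
    moved = Entity(identity.name, frozenset(new_attrs))
    cmd = (f"ziti edge update identity {shlex.quote(identity.name)} "
           f"--role-attributes {','.join(sorted(moved.attrs))}")
    return moved, cmd


# Constructed inventory: type, room and radio protocol as attributes
IDENTITIES = [
    Entity("temp-kitchen-1",   frozenset({"temperature", "kitchen",     "wifi"})),
    Entity("temp-living-1",    frozenset({"temperature", "living-room", "wifi"})),
    Entity("motion-kitchen-1", frozenset({"motion",      "kitchen",     "zigbee"})),
]
SERVICES = [
    Entity("temp-ingest-kitchen", frozenset({"temperature", "kitchen"})),
    Entity("temp-ingest-living",  frozenset({"temperature", "living-room"})),
    Entity("motion-ingest",       frozenset({"motion", "kitchen"})),
]


def policies(semantic: str):
    """The same three policies under a chosen semantic, to compare AllOf/AnyOf."""
    return [
        ServicePolicy("kitchen-temp", "Dial", ("#temperature", "#kitchen"),
                      ("#temperature", "#kitchen"), semantic),
        ServicePolicy("living-temp", "Dial", ("#temperature", "#living-room"),
                      ("#temperature", "#living-room"), semantic),
        ServicePolicy("motion", "Dial", ("#motion",), ("#motion",), semantic),
    ]


if __name__ == "__main__":
    for sem in ("AllOf", "AnyOf"):
        print(sem, sorted(allowed_dials(IDENTITIES, SERVICES, policies(sem))))
    print("\n".join(cli_commands(IDENTITIES, SERVICES, policies("AllOf"))))
```

The point to take from running it is the semantic: with AllOf, each kitchen temperature sensor reaches only the kitchen temperature ingest, which is the "device type AND location" segmentation asked for. With the default AnyOf, a policy listing `#temperature` and `#kitchen` selects any device carrying either attribute, so the kitchen motion sensor ends up able to dial the living-room temperature ingest. Re-segmenting a device after an external decision (SPIRE/OPA in the poster's setup) is then an attribute update pushed to the controller, which matches the maintainer's framing of the controller as a remote PDP: the decision is taken elsewhere, but it still has to be written into OpenZiti's own policy model to take effect.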