|
1 | | ---- |
2 | | -icon: hand-wave |
3 | | ---- |
4 | | - |
5 | | -# Introduction |
6 | | - |
7 | | -{% embed url="https://www.youtube.com/watch?v=4PF7edMGBwk" %} |
8 | | - |
9 | | -## What is Defguard? |
10 | | - |
11 | | -Defguard is a **comprehensive Remote Access Management solution** incorporating in one solution: |
12 | | - |
13 | | -* True Zero-Trust [WireGuard® VPN with 2FA/Multi-Factor Authentication](admin-and-features/features-and-configuration/wireguard/), |
14 | | -* Identity Management with [SSO based on OpenID Identity Provider](admin-and-features/features-and-configuration/openid-connect/), |
15 | | -* Account Lifecycle management with [secure remote account onboarding](help/enrollment/). |
16 | | - |
17 | | -*** |
18 | | - |
19 | | -<mark style="color:purple;">**Our primary focus at defguard is on prioritizing security. Then, we aim to make this challenging topic both useful and as easy to navigate as possible.**</mark> |
20 | | - |
21 | | -*** |
22 | | - |
23 | | -Defguard is a true Zero-Trust [WireGuard® VPN with 2FA/Multi-Factor Authentication](admin-and-features/features-and-configuration/wireguard/), as each connection requires MFA (and not only when logging in into the client application like other solutions): |
24 | | - |
25 | | -<figure><img src=".gitbook/assets/zero-trust.png" alt=""><figcaption></figcaption></figure> |
26 | | - |
27 | | -Having said that, this security platform is for building **secure** and **privacy-aware organizations,** as we put great effort not only on functionality but first and foremost on secure code, architecture and testing (application and security). |
28 | | - |
29 | | -### Basic security concept |
30 | | - |
31 | | -The main architecture concept is that **all critical data should be in the internal (Intranet) network and not exposed in the public Internet** (contrary to typical and common cloud approach) and only services that need to be exposed to the Internet - should be exposed in a controled (DMZ) network segments: |
32 | | - |
33 | | -<figure><img src=".gitbook/assets/security-basic.png" alt=""><figcaption><p>Internet, DMZ & Internal network segments</p></figcaption></figure> |
34 | | - |
35 | | -This approach is **vastly different from most (if not all) VPN/IdP solutions**, which are a simple or monolithic applications focus on functionalities and most of the time is publicly available in the Internet for any attacker to exploit. |
36 | | - |
37 | | -Of course you can deploy defguard in a typical scenario (all services on one server and even all publicly available) - but that should be **for you to decide!** |
38 | | - |
39 | | -### Incorporating IdP and VPN in one solution |
40 | | - |
41 | | -Incorporating IDM, ALM, VPN has also other advantages: |
42 | | - |
43 | | -1. Internal IdP with 2FA/MFA enables us to provide [**real VPN 2FA/MFA**](admin-and-features/features-and-configuration/wireguard/multi-factor-authentication-mfa-2fa/architecture.md) - and not like most applications just 2FA when opening the app (and not during the connection process). Even if you use [external OIDC](enterprise/all-enteprise-features/external-openid-providers/) (Google/Microsoft/Custom - which defguard supports), we still use our internal IdP for 2FA/MFA. |
44 | | -2. Your organization may use just **one account** (login) for access control to all your applications as well as VPN. |
45 | | -3. It simplifies deployment, maintenance, audits. |
46 | | - |
47 | | -More about [defguard's architecture and security can be found here](in-depth/architecture/). |
48 | | - |
49 | | -## Features |
50 | | - |
51 | | -### Remote Access with WireGuard® VPN 2FA/MFA: |
52 | | - |
53 | | -* [**Multi-Factor Authentication**](admin-and-features/features-and-configuration/wireguard/multi-factor-authentication-mfa-2fa/) using our [desktop client](https://defguard.net/client) |
54 | | -* **multiple VPN Locations** (networks/sites) - with defined access (all users or only Admin group) |
55 | | -* multiple [Gateways](https://github.com/DefGuard/gateway) for each VPN Location ([**high availability/failove**](admin-and-features/setting-up-your-instance/high-availability-and-failover.md)**r**) - supported on a cluster of routers/firewalls for Linux, FreeBSD/PFSense/OPNSense |
56 | | -* import your current WireGuard server configuration (with a wizard!) |
57 | | -* _easy_ device setup by users themselves (self-service) |
58 | | -* automatic IP allocation |
59 | | -* kernel (Linux, FreeBSD/OPNSense/PFSense) & userspace WireGuard support |
60 | | -* dashboard and statistics overview of connected users/devices for admins |
61 | | - |
62 | | -_defguard is not an official WireGuard project, and WireGuard is a registered trademark of Jason A. Donenfeld._ |
63 | | - |
64 | | -### Identity Management: |
65 | | - |
66 | | -* #### [OpenID Connect](https://openid.net/developers/how-connect-works/) based SSO |
67 | | -* External [OpenID providers for login/account creation (Google/Microsoft/Custom)](enterprise/all-enteprise-features/external-openid-providers/) |
68 | | -* LDAP (tested on [OpenLDAP](https://www.openldap.org/)) synchronization |
69 | | -* nice UI to manage users |
70 | | -* Users **self-service** (besides typical data management, users can revoke access to granted apps, MFA, Wireguard, etc.) |
71 | | - |
72 | | -#### [Multi-Factor/2FA](https://en.wikipedia.org/wiki/Multi-factor_authentication) Authentication |
73 | | - |
74 | | -* [Time-based One-Time Password Algorithm](https://en.wikipedia.org/wiki/Time-based_one-time_password) (TOTP - e.g. Google Authenticator) |
75 | | -* WebAuthn / FIDO2 - for hardware key authentication support (eg. YubiKey, FaceID, TouchID, ...) |
76 | | -* Email tokens |
77 | | - |
78 | | -### Account Lifecycle Management: |
79 | | - |
80 | | -* Secure remote (over the internet) [user enrollment](https://defguard.gitbook.io/defguard/help/remote-user-enrollment) |
81 | | -* User [onboarding after enrollment](https://defguard.gitbook.io/defguard/help/remote-user-enrollment/user-onboarding-after-enrollment) |
82 | | -* Self-service for password reset |
83 | | - |
84 | | -### Yubikey Provisioning |
85 | | - |
86 | | -[Yubikey hardware keys](https://www.yubico.com/) provisioning for users with _one click_ |
87 | | - |
88 | | -### Integrations |
89 | | - |
90 | | -Webhooks & REST API |
91 | | - |
92 | | -Build with [Rust](https://www.rust-lang.org/) for portability, security, and speed |
93 | | - |
94 | | -### Pentested! |
95 | | - |
96 | | -**Checked by professional security researchers** (see [comprehensive security report](https://defguard.net/pdf/isec-defguard.pdf)) |
97 | | - |
98 | | -## Guides: Jump right in |
99 | | - |
100 | | -Follow our handy guides to get started on the basics as quickly as possible: |
101 | | - |
102 | | -{% content-ref url="features/setting-up-your-instance/" %} |
103 | | -[setting-up-your-instance](features/setting-up-your-instance/) |
104 | | -{% endcontent-ref %} |
105 | | - |
106 | | -{% content-ref url="admin-and-features/features-and-configuration/wireguard/create-your-vpn-network.md" %} |
107 | | -[create-your-vpn-network.md](admin-and-features/features-and-configuration/wireguard/create-your-vpn-network.md) |
108 | | -{% endcontent-ref %} |
109 | | - |
110 | | -{% content-ref url="broken-reference" %} |
111 | | -[Broken link](broken-reference) |
112 | | -{% endcontent-ref %} |
113 | | - |
114 | | -{% content-ref url="admin-and-features/features-and-configuration/webhooks.md" %} |
115 | | -[webhooks.md](admin-and-features/features-and-configuration/webhooks.md) |
116 | | -{% endcontent-ref %} |
117 | | - |
118 | | -{% content-ref url="help/desktop-client.md" %} |
119 | | -[desktop-client.md](help/desktop-client.md) |
120 | | -{% endcontent-ref %} |
121 | | - |
122 | | -## Fundamentals: Dive a little deeper |
123 | | - |
124 | | -Learn the fundamentals of Defguard to get a deeper understanding of our main features: |
125 | | - |
126 | | -{% content-ref url="in-depth/architecture/" %} |
127 | | -[architecture](in-depth/architecture/) |
128 | | -{% endcontent-ref %} |
| 1 | +# Welcome |
| 2 | + |
| 3 | +Welcome to the Defguard documentation. Here, you'll learn how to explore the full capabilities of the platform, set up a quick demo instance, configure a production-ready deployment, and get your client application up and running. |
| 4 | + |
| 5 | +### How is this documentation organised? |
| 6 | + |
| 7 | +* [About](broken-reference)\ |
| 8 | + Briefly describes defguard and its features. |
| 9 | +* [Getting started](broken-reference)\ |
| 10 | + Lets you quickly set up your own defguard instance to explore its features an user interface. |
| 11 | +* [Admin features](broken-reference)\ |
| 12 | + Helps you, as a future defguard administrator, get familiar with all of defguard's features and how to configure them to suit your needs. |
| 13 | +* [User features](broken-reference)\ |
| 14 | + Helps you, as a defguard end user, get familiar with the client applications and their features so you can quickly connect to your defguard instance. |
| 15 | +* [Enterprise features](enterprise/all-enteprise-features/)\ |
| 16 | + Covers the advanced features available in the enterprise version of defguard, including how to purchase an enterprise license and the additional benefits it provides. |
| 17 | +* [Deployment strategies](broken-reference)\ |
| 18 | + Walks you through the most common deployment strategies to help you set up your defguard instance as a production-grade solution. |
| 19 | +* [Tutorials](broken-reference)\ |
| 20 | + A collection of step-by-step guides with clear examples and helpful screenshots to make the setup process smooth and enjoyable. |
| 21 | +* [In depth](broken-reference)\ |
| 22 | + In-depth information about the platform and its development, reflecting our commitment to transparency. |
| 23 | +* [For developers](broken-reference)\ |
| 24 | + All the information you need to become a defguard contributor — join us in building a better solution. |
| 25 | +* [Resources](broken-reference)\ |
| 26 | + A collection of essential resources, including troubleshooting guides, API documentation, and more. |
0 commit comments