Anapaya GATE - Bridging SCION and the IP Internet
Anapaya GATE is a network security solution that acts as a gateway to the SCION Internet. It is designed to provide organizations with a more secure, reliable, and controllable way to connect their critical online services to the Internet.
The protected web service and the company HQ are behind Anapaya EDGEs and only reachable via the SCION Internet from selected Anapaya GATEs. The protected resources are invisible to the public Internet.
The GATE value proposition: Drastic attack surface reduction
The core value of Anapaya GATE lies in its ability to fundamentally change an organization's security posture. By selecting individual GATEs (operated by trusted ISPs), organizations gain fine-grained control over where their critical online services are accessible. This proactive defense model offers two key advantages:
- Shrinking the attack surface: Instead of being visible and accessible to the entire public Internet, a service is only exposed to the selected, trusted networks. This reduces the potential attack surface from billions of devices globally to just the users within those specific networks. What cannot be seen, cannot be attacked.
- Preventing critical threats: This drastic reduction of the attack surface greatly decreases the risk of falling victim to common and sophisticated cyberattacks:
  - Distributed Denial of Service (DDoS) attacks: Most DDoS attacks rely on overwhelming a target with traffic from a multitude of compromised machines across the globe. If these machines cannot see or route traffic to the target service, the attack is rendered ineffective before it can even begin.
  - Exploitation of vulnerabilities: Even if a service has a critical software vulnerability (including zero-day exploits), an attacker must first be able to connect to the service to attempt an exploit. By severely limiting who can connect, GATE dramatically reduces the pool of potential attackers, providing a powerful security layer that complements traditional defenses like firewalls and patching.
Key features of Anapaya GATE
- Drastic attack surface reduction: The GATE's primary feature is making online services invisible to the public Internet. By controlling which networks can "see" and connect to a service, the potential attack surface is reduced from the entire Internet to a small, trusted group of networks.
- Immunity to DDoS attacks: Since attackers on the public Internet cannot discover a path to services protected by the GATE, large-scale DDoS attacks become ineffective. There is no way for attackers to direct traffic towards a service that is not visible to them.
- Path control & geofencing: Built on SCION, the GATE allows organizations to define the exact network paths their data travels. This enables true geofencing at the network level, ensuring data remains within specific jurisdictions and only traverses trusted provider networks.
- High resilience and availability: SCION's multi-pathing capabilities mean that if one network path fails or experiences degradation, traffic is instantly and automatically rerouted over an alternative path, ensuring uninterrupted service availability.
- Seamless integration: Through IP-in-SCION tunneling, the GATE works with existing IP-based applications and infrastructure. There's no need for costly and complex modifications to the software or hardware stack of an organization or its users.
Use cases
The Anapaya GATE is particularly beneficial for organizations that rely on the Internet for critical operations and need to protect their services from cyberattacks. Key use cases include:
- Securing remote access: With the rise of remote work, securing VPNs and other remote access solutions is crucial. The Anapaya GATE can be used to create a secure and isolated network for remote employees to access company resources, protecting the corporate network from threats originating from the public Internet.
- Protecting web services: Public-facing web services that are critical yet have a defined user base can be protected from attacks while remaining accessible to legitimate users. For example, access can be restricted to users within a specific country or region. This is ideal for securing e-banking portals, which primarily serve domestic customers, or protecting a national alerting infrastructure from international threats. It also applies to customer portals and e-commerce platforms with a regional focus.
- Secure IoT deployments: The Internet of Things (IoT) introduces a vast number of new devices to the network, each a potential entry point for attackers. The Anapaya GATE can be used to create a secure and controlled environment for IoT devices, ensuring that they can only communicate with authorized endpoints and are shielded from the public Internet, thus ensuring the integrity of the entire IoT network.