On-prem Support - Dropzone Connector

Dropzone AI connects to APIs via its Data Source and Alert integrations. Many of these are reachable across the internet, such as third-party Threat Intelligence sources, corporate SaaS tools, and public cloud APIs. However many corporate systems may be behind firewalls and VPNs for security reasons.

Customers are able to enable Dropzone to reach restricted systems by running a lightweight Dropzone Private Network Connector Client docker container within their secure environment. This process connects out to the Dropzone tenant network and establishes a reverse tunnel.

Private Network Connector Security

The Dropzone Private Network Connector Client establishes an outbound HTTPS session, inside which websockets is used to establish a two-way TCP session. Over this TCP session a secure SSH session is established. Both client and server are mutually authenticated at two layers of the stack for maximum security:

• Dropzone server verification via TLS certificate verification

• Dropzone server via SSH server key verification

• Dropzone client connector via SSH `password' verification

The Dropzone integrations that require access to the protected resources tunnel their connections through this Private Network Connector Client container, so their source IP is from within your datacenter.

The Private Network Connector Client can be run on any host capable of running Docker containers, such as a physical server, VM, or inside your public/private cloud environment.

For additional security you may restrict what outbound connections can be made from the connector machine to your internal resources. Examples include:

• Putting the connector machine on a firewall DMZ

• Enabling cloud-native restrictions on the connector machine (e.g. AWS Security Groups)

• Running local firewall rules on the connector machine (e.g. iptables, shorewall)

Just make sure that the connector machine can reach the machines you want integrated, on the ports/protocols needed, DNS, and your tenant machine on port 8080.

We describe how to run the Dropzone connector in the Dropzone Connector Installation page.