# About Defguard

{% embed url="<https://www.youtube.com/watch?v=4PF7edMGBwk>" %}

## What is Defguard?

Defguard is a **comprehensive Remote Access Management solution** that combines in one product:

* True Zero-Trust [WireGuard® VPN with 2FA/Multi-Factor Authentication](/1.4/features/wireguard.md),
* Identity Management with [SSO based on OpenID Identity Provider](/1.4/features/openid-connect.md),
* Account Lifecycle management with [secure remote account onboarding](/1.4/using-defguard-for-end-users/enrollment.md).

***

<mark style="color:purple;">**Our primary focus at Defguard is on prioritizing security. Then, we aim to make this challenging topic both useful and as easy to navigate as possible.**</mark>

***

Defguard is a true Zero-Trust [WireGuard® VPN with 2FA/Multi-Factor Authentication](/1.4/features/wireguard.md), as each connection requires MFA (and not only when logging in to the client application, as in other solutions):

<figure><img src="/files/oUFdbV2DSSqNfnJHZecr" alt=""><figcaption></figcaption></figure>

Having said that, this security platform is for building **secure** and **privacy-aware organizations,** as we put great effort not only into functionality but first and foremost into secure code, architecture and testing (application and security).

### Basic security concept

The main architecture concept is that **all critical data should be in the internal (Intranet) network and not exposed on the public Internet** (contrary to the typical and common cloud approach), and only services that need to be exposed to the Internet should be exposed, in controlled (DMZ) network segments:

<figure><img src="/files/luaylwwaECz7Fx99QAyD" alt=""><figcaption><p>Internet, DMZ &#x26; Internal network segments</p></figcaption></figure>

This approach is **vastly different from most (if not all) VPN/IdP solutions**, which are simple or monolithic applications focused on functionality and, most of the time, publicly available on the Internet for any attacker to exploit.

Of course, you can deploy Defguard in a typical scenario (all services on one server, and even all publicly available), but that should be **for you to decide!**

### Incorporating IdP and VPN in one solution

Incorporating IDM, ALM and VPN in one solution also has other advantages:

1. Internal IdP with 2FA/MFA enables us to provide [**real VPN 2FA/MFA**](/1.4/in-depth/architecture/architecture.md), unlike most applications, which only require 2FA when opening the app (and not during the connection process). Even if you use [external OIDC](/1.4/features/external-openid-providers.md) (Google/Microsoft/Custom, which Defguard supports), we still use our internal IdP for 2FA/MFA.
2. Your organization may use just **one account** (login) for access control to all your applications as well as VPN.
3. It simplifies deployment, maintenance and audits.

More about [Defguard's architecture and security can be found here](/1.4/in-depth/architecture.md).

## Pentested!

**Checked by professional security researchers** (see [comprehensive security report](https://defguard.net/pdf/isec-defguard.pdf))


