About
Login
Get Started

Portnox API

Unite zero trust access control with the rest of your critical security stack with the Portnox API

The rise of APIs (Application Programming Interface) like REST and SOAP have made it possible for a variety of software to pass information back and forth with much less lifting on the development side. From a security perspective, it’s critically important your tools work together – having a set of disparate tools that don’t communicate with each other is bound to leave you exposed. Thankfully the Portnox API supports a wide variety of integrations.

UI Showing Gateway Health

The Portnox API can help cut down on time spent getting your network security up and running

Nothing is more frustrating than spending hours on the phone with support, trying to get all your different security tools to work together…or spending more than the solution actually costs on professional services to achieve this same goal. Portnox has several out-of-the-box integrations for a variety of vendors – from Aruba to Zytel, we’ll integrate into the fabric of your zero trust security architecture.

Request a Demo

The Portnox API can bring all your zero trust security tools together

From identity providers to MDM and SIEM solutions, Portnox fits right in. We have several out-of-the-box guides for the most common integrations, and we’ll help you get everything up and running so you can rest assured your network is protected.

 
Start a Free Trial
API connectors

Rest API

FAQs

The following can help mitigate API attacks and secure REST API:

  • Adopt the use of rate limiting and throttling. Throttling means setting a temporary state that make API to assess all requests and it is used often as an anti-spam technique or to avoid abuse or attack on denial of service. When implementing the throttling feature, there are two primary considerations: what amount of data should be allowed per user, and when should enforcement of limit be? Rate-limiting on the other hand helps REST API security to prevent DoS and Brute force attacks.
  • API vulnerabilities scanning. To make API security services continuous, it is important to enable automatic API scanning, identify vulnerabilities, and reduces them across stages of software lifecycle. Automated scanning tools single-handedly identify security gaps by comparing the application’s configuration against a vulnerabilities database that is known.
  • Use TLS/HTTPS for REST APIS. HTTPS and TLS (Transport Layer Security) offer a protocol that is secured to transfer encrypted data between servers and web browsers. Aside from other information, HTTPS also helps in protecting authentication credentials in transit. Every REST API should implement HTTPS for authenticity, confidentiality and integrity as one of the most critical practices.
  • To secure REST API, restrict HTTP methods. REST APIs allow web applications that carry out various possible HTTP verb operations. Data over HTTP is not encrypted, and using some HTTP techniques may be exploited and intercepted by attack vectors. As a recommended best practice, HTTP methods that are inherently insecure should be forbidden. HTTP methods like PUT, DELETE, GET, POST, etc.

Not all REST APIs are web services but all web services are APIs. A standardized architecture style for creating a web Service API is called RESTful API. The utilization of HTTP methods to make a request over a network is one of the requirements to be a REST API. A type of API that must be accessed through a network connection is called web services. Because it offers a standardized methodology for making requests to an API is the reason why REST is great. Once you learn one REST API, other REST APIs will function similarly.

API is related to both REST API and RESTful API. REST API develops APIs to enable client-server interaction. RESTful API follows the REST architecture while giving interoperability between different systems. While REST is a constraint, RESTful is an API adhering to these constraints.

The REST is a software architectural style that is not standardized like SOAP. When it comes to implementation, it gives a lot of elasticity. For instance, there is no appropriate or single way to implement pagination; hence, REST defines a set of general, main constraints to adhere to when developing RESTful APIs. These constraints are explained below:

  • Uniform Interface: Specific resources should be detected in the request. They are usually described by URI (Uniform Resource Identifier). Besides, internal implementation is different from resource representation. In addition, representation should give all information to fetch additional data, delete or modify the resource.
  • The Client-Server Architecture: The client utilizes Uniform Resource Identifier to obtain resources. It has nothing to do with how the server process the request. The server on the other hand process and returns the resources. It does not influence a user interface at all. Both client and server do not need to be aware of other responsibilities. They can independently evolve. It enable the usage of a single API in Many different clients, like mobile apps and web browsers.
  • Statelessness: One of the features of RESTful API is statelessness. It doesn’t store or keep any information concerning the user’s session. Therefore, every request should give complete data to process it. In essence, it leads to greater API availability.
  • Cacheability: The server’s response should give information on whether it should be cached or not, and for how long. Caching the data that does not update regularly improves performance and kills redundant client-server interactions.
  • Layered System: A REST API can comprise multiple layers, like business presentation, logic and data access. Also, layers should not impact others directly. In addition, the client should not know if it’s connected directly to the intermediary or end server. Therefore, we can scale the system easily or give additional layers such as proxies, gateways, and load balancers.
  • Code On-Demand: This is an optional constraint. Instead of the data in JSON format, the server can return a part of the code itself. The reason is to give specific operations on the data that the client can directly use. Although, it’s not a practice that is common.

Security issues must be a crucial aspect to consider when a REST API is designed, tested, and deployed. Most times, the security levels are underestimated in the development and design of the API. Sensitive data security, whether personal or organizational information, is an essential factor affecting developers nowadays. REST APIs are not exempted, being part of important systems that needs protection against security breaches and threats.

Therefore, when we look deeply into some examples, a few tips and basic things can be taken into account when implementing APIs.

HTTP Protects REST API With No Authentication: Most developers are already familiar with providing an API by using HTTPS. But it can be tricky using an API that does not have any authentication for personalized services.

No Throttling Or Rate Limiting Implemented: The API was not limited nor throttled so the traffic peak hit the backend directly. Enforcing a system-wide quota is a good practice so that there will not be an overload at the backend. Setting up an app- and/or user-based quota is an even better practice.

Unprotected Keys And Identity: To grant access to services on behalf of the user, OAuth/ OpenID Connect is used a lot. These tokens provide a longer period of access without requiring reauthentication. This is a good thing, but users are not usually aware of this and struggle to know the difference between changing password and revoking access.

Unencrypted Payroll: There still remain some apps, even if seldom use unencrypted payloads or connections. It is actually easier to listen to traffic and API calls of websites and mobile apps.

Incorrect Use Of HTTPS: When HTTPS is used, it doesn’t stop the connection from being intercepted. Certificate Key Pinning needs to be implemented to avoid this from happening.

Explore Portnox Cloud

Let us upgrade you

You’ve started your zero trust journey—now level up your network.

Explore what’s next on the path to total cloud-native access control. One platform. No weak spots. Just smarter security with every step.

tacacs logo

TACACS+

Granular access control to protect critical infrastructure from unauthorized changes

Check out TACACS+ →

PORTNOX CLOUD

Unified Access Control across your organization—secure every device and connection from one cloud-native platform

Check out Portnox Cloud →

Related Reading

Webinars

Taming Tool Sprawl: How Portnox Unifies Security Through Smarter Integrations
Case Studies

New Albany Floyd County Consolidated School District rolls out NAC in record time with Portnox
Case Studies

PFCU Locks Down Compliance and Branch Security with Portnox Cloud
Explore the Blog

Portnox Now Supports Access Control for Console-Based Apps with ZTNA

Learn More
X