Application Firewall
In-Kernel. In Your AP.
Enterprise-grade content filtering, threat protection, and microsegmentation — activated on every NetExperience OpenWiFi AP. No extra hardware. No cloud middleman. No vendor lock-in.
Headline figures shown on the page (values not reproduced in this extract): controller push to enforcement; total engine footprint on AP; domains mapped to named apps; kernel-resident, zero userspace.
New revenue. Zero new hardware.
Turn your existing OpenWiFi infrastructure into a premium security platform your subscribers will pay for.
New Revenue Stream
Sell premium safety, security, and content-policy tiers. Activated centrally in uCentral, billed by you. Net-new ARPU on infrastructure you already own.
Zero-Friction Deployment
Provisioned through the same uCentral controller you use today. Runs on every TIP OpenWiFi-certified AP. No truck rolls, no proprietary CPE stack.
Privacy by Design
All inspection happens in the AP. Telemetry stays where you decide. No mandatory cloud, no third-party data extraction — built for EU and regulated markets.
Four-stage inspection pipeline
Every packet traverses a kernel-resident pipeline — wire-speed decisions, zero userspace overhead.
Classification
Identifies the protocol from the first packet of a flow: DNS, HTTP, TLS, or unknown encrypted traffic found by signature detection on ephemeral ports.
Profile Lookup
Resolves the device to its security profile by MAC address, SSID, or VLAN in microseconds.
Policy Evaluation
Applies the profile's allow/blocklists, application database, and L3/L4 firewall rules.
Verdict Caching
Commits the decision to wire-speed packet-mark caches — subsequent packets decided without re-inspection.
Complete capability catalog
Everything your operators need — from content filtering to microsegmentation — in a single software activation.
Content Filtering
- Multi-protocol L7 inspection: DNS, HTTP, TLS (SNI)
- Six curated blocklist categories: ads, adult, gambling, threats, trackers, bypass services
- Allowlists with global override across all protocols
- ~5,600 domains mapped to ~1,900 named applications
- Custom domain lists per venue and per profile
- Per-protocol category scoping (e.g., DNS-only for threats)
Bypass Prevention
- DNS-over-TLS (DoT) blocking — TCP/853 reject
- DNS-over-QUIC (DoQ) blocking — UDP/853 drop (UDP/853 is the DoQ port; DoH has no port of its own)
- DNS-over-HTTPS (DoH) blocking — DoH shares TCP/443 with ordinary HTTPS, so it is stopped by resolver hostname in the DNS and TLS (SNI) inspection stages rather than by port
- QUIC / HTTP/3 enforcement — UDP/443 drop; clients fall back to TCP/443, where the SNI is visible, and DoH over HTTP/3 is cut with it
- WireGuard tunneling block — UDP/51820 drop (the default port; WireGuard on other ports is left to Unknown Traffic Inspection below)
- ECH prevention via DNS HTTPS RR (QTYPE 65) suppression — a client that never receives the HTTPS record has no ECH config and sends the SNI in clear; this holds only while the client's DNS passes through the AP, which is what the DoT, DoQ and DoH blocks above ensure
- All enforced at the AP before the bypass channel is established
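The four-stage pipeline described above and the bypass rules in this list, as an added Python model that is not code from NetExperience or the OpenWiFi project: it parses the first packet of a flow (a DNS question or a TLS ClientHello SNI), resolves a profile, evaluates policy in the order the page lists, and caches the verdict per flow so later packets skip inspection. The real engine runs in the kernel; this runs in userspace to show the decision logic only. Every entry in the policy tables is constructed, and the MAC-over-SSID-over-VLAN precedence and the "suppress" verdict for HTTPS RR (QTYPE 65) queries are assumptions of this example.

```python
import struct
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed policy data for this example; none of it is the product's own list content.
CATEGORY_DOMAINS = {"ads": {"ads.example"}, "threats": {"c2.example"}, "bypass": {"doh.example"}}
APP_DB = {"cdn.videoapp.example": "VideoApp"}                     # domain -> named application
BYPASS_PORTS = {("tcp", 853): "reject", ("udp", 853): "drop",         # DoT reject, DoQ drop
                ("udp", 443): "drop", ("udp", 51820): "drop"}         # QUIC/HTTP3 drop, WireGuard default port drop
# categories: {name: "*" or set of protocols it is enforced on}; l4_rules: (proto|"*", dport|0, dst net, verdict)
Profile = namedtuple("Profile", "name categories allowlist blocked_apps l4_rules default", defaults=("allow",))
Packet = namedtuple("Packet", "src_mac ssid vlan proto src_ip dst_ip sport dport payload", defaults=(b"",))

def parse_dns_question(p):                                        # -> (qname, qtype), or None if it does not parse
    try:
        labels, off = [], 12                                      # skip the 12-byte header
        while p[off]:
            labels.append(p[off + 1:off + 1 + p[off]].decode("ascii"))
            off += 1 + p[off]
        return ".".join(labels), struct.unpack("!H", p[off + 1:off + 3])[0]
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def parse_sni(p):                                                 # -> server_name from a TLS ClientHello, or None
    try:
        if p[0] != 0x16 or p[5] != 0x01:                          # TLS handshake record carrying a ClientHello
            return None
        off = 43                                                  # record hdr 5 + hs hdr 4 + version 2 + random 32
        off += 1 + p[off]                                         # session id
        off += 2 + struct.unpack("!H", p[off:off + 2])[0]         # cipher suites
        off += 1 + p[off]                                         # compression methods
        end, off = off + 2 + struct.unpack("!H", p[off:off + 2])[0], off + 2   # extensions block
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4])
            off += 4
            if etype == 0:                                        # server_name: list len 2, name type 1, name len 2
                nlen = struct.unpack("!H", p[off + 3:off + 5])[0]
                return p[off + 5:off + 5 + nlen].decode("ascii")
            off += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def classify(pkt):                                                # stage 1 -> (protocol, domain, dns qtype)
    if pkt.proto == "udp" and pkt.dport == 53:
        return ("dns",) + (parse_dns_question(pkt.payload) or (None, None))
    if pkt.proto == "tcp" and pkt.payload[:2] == b"\x16\x03":
        return "tls", parse_sni(pkt.payload), None
    return "unknown", None, None                                  # left to the signature detectors, not shown here

PROFILES = {
    "kids": Profile("kids", {"ads": "*", "threats": "*", "bypass": "*"}, {"school.example"}, {"VideoApp"}, []),
    "iot": Profile("iot", {"threats": {"dns"}}, set(), set(), [("*", 0, "192.168.10.0/24", "block")]),
}                                                                 # iot rule: no east-west traffic into the subscriber LAN
BY_MAC, BY_SSID, BY_VLAN = {"aa:bb:cc:00:00:01": "kids"}, {"IoT": "iot"}, {20: "iot"}

def lookup_profile(pkt):                                          # stage 2: MAC beats SSID beats VLAN (assumed order)
    name = BY_MAC.get(pkt.src_mac) or BY_SSID.get(pkt.ssid) or BY_VLAN.get(pkt.vlan)
    return PROFILES.get(name, Profile("default", {}, set(), set(), []))

def evaluate(pkt, prof, proto, domain, qtype):                    # stage 3 -> (verdict, reason)
    if (pkt.proto, pkt.dport) in BYPASS_PORTS:                    # bypass channels are cut before any domain logic
        return BYPASS_PORTS[(pkt.proto, pkt.dport)], "bypass-port"
    if proto == "dns" and qtype == 65:                            # HTTPS RR: answer NODATA, so no ECH config arrives
        return "suppress", "https-rr"
    if domain in prof.allowlist:                                  # global override beats every blocklist
        return "allow", "allowlist"
    for cat, scope in prof.categories.items():                    # per-protocol category scoping
        if domain in CATEGORY_DOMAINS.get(cat, ()) and (scope == "*" or proto in scope):
            return "block", "category:" + cat
    if APP_DB.get(domain) in prof.blocked_apps:
        return "block", "app:" + APP_DB[domain]
    for rproto, rport, net, verdict in prof.l4_rules:             # L3/L4 rules: protocol, port, destination
        if rproto in ("*", pkt.proto) and rport in (0, pkt.dport) and ip_address(pkt.dst_ip) in ip_network(net):
            return verdict, "l4-rule"
    return prof.default, "default"

CACHE = {}                                                        # flow 5-tuple -> (verdict, reason)
def decide(pkt):                                                  # stage 4 -> (verdict, reason, from_cache)
    key = (pkt.proto, pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport)
    if key in CACHE:                                              # later packets of the flow skip stages 1-3
        return CACHE[key] + (True,)
    proto, domain, qtype = classify(pkt)
    verdict, reason = evaluate(pkt, lookup_profile(pkt), proto, domain, qtype)
    if proto != "dns":                                            # every DNS query is judged on its own name
        CACHE[key] = (verdict, reason)
    return verdict, reason, False

def build_dns_query(name, qtype=1):                               # constructed DNS query (id 0x1234, RD set) as sample input
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + q + struct.pack("!HH", qtype, 1)

def build_client_hello(host):                                     # constructed minimal ClientHello with only an SNI extension
    n = host.encode()
    ext = struct.pack("!HHHBH", 0, len(n) + 5, len(n) + 3, 0, len(n)) + n
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + struct.pack("!H", len(ext)) + ext
    return b"\x16\x03\x01" + struct.pack("!H", len(body) + 4) + b"\x01" + len(body).to_bytes(3, "big") + body
```

Two details matter in practice. DNS verdicts are deliberately not cached per flow, because one UDP source port can carry queries for different names; only TLS and unknown flows get the packet-mark style shortcut. And the bypass-port checks run before any domain logic, so a DoT, DoQ or QUIC attempt is cut whether or not its destination is categorised.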
Unknown Traffic Inspection
- Signature-based detection of encrypted protocols on ephemeral ports
- Default detectors: BitTorrent, SSH, hidden VPNs — extensible
- Catches policy-evading traffic that DNS filters and SNI inspection miss
- Configurable as block or allow with per-profile telemetry
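Signature detection on ephemeral ports, as an added Python example that is not the product's detector set: each predicate matches the public first-packet format of a protocol (SSH identification string, BitTorrent peer-wire handshake, WireGuard handshake, OpenVPN hard reset, QUIC v1 Initial), with a byte-entropy fallback for traffic that matches nothing but looks like ciphertext. The profile table, the entropy threshold and the sample packets are constructed for this example.

```python
import hashlib
import math

# Signature predicates over the first payload bytes of a flow. The wire formats are public; the table
# and thresholds are this example's, not the product's detector set.
def is_ssh(p): return p[:4] == b"SSH-" and b"\r\n" in p[:255]          # RFC 4253 identification string
def is_bittorrent(p): return p[:20] == b"\x13BitTorrent protocol"      # peer-wire handshake (pstrlen 19)
def is_wireguard(p):                                                     # handshake initiation (148 B) / response (92 B)
    return (len(p) == 148 and p[:4] == b"\x01\x00\x00\x00") or (len(p) == 92 and p[:4] == b"\x02\x00\x00\x00")
def is_openvpn(p): return len(p) >= 14 and p[0] == 0x38                 # P_CONTROL_HARD_RESET_CLIENT_V2, key id 0
def is_quic_initial(p):                                                  # long header + fixed bit, v1 Initial, padded
    return len(p) >= 1200 and p[0] & 0xF0 == 0xC0 and p[1:5] == b"\x00\x00\x00\x01"

def entropy_bits(p):
    """Shannon entropy per byte: ciphertext sits near 8.0, text near 4 to 5."""
    counts = [0] * 256
    for b in p:
        counts[b] += 1
    return -sum(c / len(p) * math.log2(c / len(p)) for c in counts if c)

DETECTORS = [("ssh", is_ssh), ("bittorrent", is_bittorrent), ("wireguard", is_wireguard),
             ("openvpn", is_openvpn), ("quic", is_quic_initial)]          # extensible: append (name, predicate)
ENTROPY_THRESHOLD, MIN_SAMPLE = 7.0, 64                                  # assumed cut-offs; tune against real traffic

def detect(payload):
    """Name the protocol behind an unknown flow, 'encrypted-unknown' for random-looking bytes, else None."""
    for name, pred in DETECTORS:
        if pred(payload):
            return name
    if len(payload) >= MIN_SAMPLE and entropy_bits(payload) > ENTROPY_THRESHOLD:
        return "encrypted-unknown"
    return None

# Per-profile handling of unknown traffic (constructed): verdict plus whether to report it.
UNKNOWN_POLICY = {"kids": ("block", True), "staff": ("allow", True), "incognito": ("allow", False)}

def inspect(profile, src_mac, proto, dport, payload):
    """First packet of a flow on an ephemeral port -> (verdict, telemetry event or None)."""
    if dport < 1024:                                        # well-known ports belong to the main classifier
        return "pass", None
    sig = detect(payload)
    if sig is None:
        return "pass", None
    verdict, report = UNKNOWN_POLICY[profile]
    event = {"src_mac": src_mac, "profile": profile, "proto": proto, "dport": dport,
             "signature": sig, "verdict": verdict, "reason": "unknown-traffic"} if report else None
    return verdict, event

# Constructed sample first packets.
SAMPLES = {
    "ssh": b"SSH-2.0-example_1.0\r\n",
    "bt": b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20),
    "wg": b"\x01\x00\x00\x00" + bytes(144),
    "quic": b"\xc3\x00\x00\x00\x01" + bytes(1195),
    "blob": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16)),   # stand-in for ciphertext
    "text": b"hello, this is a plain text conversation on a high port\n" * 3,
}
```

The entropy fallback also fires on compressed data, so a production detector pairs it with flow size and direction before blocking; and the WireGuard rule depends on exact lengths and zeroed reserved bytes, which a modified client can change. That is why the page's "extensible" matters more than any single signature.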
Threat Detection
- Real-time threat intelligence feeds, professionally curated
- Phishing, malware, ransomware, and C2 blocking
- Profile-level L3/L4 rules: protocol, port, IP, direction
- Default-allow or default-block policy per profile
- Incognito mode — telemetry suppression for privacy-sensitive profiles
Microsegmentation & IoT
- Per-VLAN profiles with dynamic 802.1X VLAN assignment — no AP reconfiguration needed
- Per-SSID profiles: guest, tenant, IoT, staff — each isolated independently
- East-west blocking: prevent IoT from reaching subscriber laptops
- Lateral-movement defense: compromise contained to profile boundary
- Quarantine-ready: move compromised devices to restricted egress profile
Telemetry & Visibility
- Per-domain event reporting with nanosecond-precision timestamps
- Source MAC, IP, profile, application name, verdict, and reason
- Operator-managed analytics: InfluxDB, NetExperience telemetry, or compatible
- Batched, retried, persistent — no event loss on transient cloud outages
- Provisioned via uCentral — no SSH, no per-AP CLI required
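The batched, retried, persistent delivery the list describes, as an added Python example that is not NetExperience code: events are appended to an on-disk spool one JSON line at a time and removed only after the sink has accepted them, so an outage stalls delivery without losing anything, and an InfluxDB line-protocol encoder shows the nanosecond timestamp going out unchanged. The sink, the spool path and the flaky endpoint are constructed for this example.

```python
import json
import os
import tempfile
import time
from pathlib import Path

def make_event(src_mac, src_ip, profile, domain, app, verdict, reason):
    """One per-domain verdict event with a nanosecond timestamp, as the page lists the fields."""
    return {"ts_ns": time.time_ns(), "src_mac": src_mac, "src_ip": src_ip, "profile": profile,
            "domain": domain, "app": app, "verdict": verdict, "reason": reason}

def influx_line(e):
    """InfluxDB line protocol at ns precision: indexed tags, then fields, then the timestamp."""
    esc = lambda s: str(s).replace(",", r"\,").replace("=", r"\=").replace(" ", r"\ ")
    tags = ",".join(f"{k}={esc(e[k])}" for k in ("profile", "verdict", "reason"))
    fields = ",".join(f'{k}="{e[k]}"' for k in ("src_mac", "src_ip", "domain", "app") if e[k] is not None)
    return f"appfw_verdict,{tags} {fields} {e['ts_ns']}"

class EventSpool:
    """Append-only on-disk queue: events survive a reboot and are resent until the sink accepts them."""

    def __init__(self, path, send, batch_size=100):
        self.path, self.send, self.batch_size = Path(path), send, batch_size
        self.path.touch()

    def emit(self, event):
        with self.path.open("a") as f:                   # one JSON line per event, durable before returning
            f.write(json.dumps(event, separators=(",", ":")) + "\n")
            f.flush()
            os.fsync(f.fileno())

    def pending(self):
        return [json.loads(line) for line in self.path.read_text().splitlines() if line]

    def flush(self):
        """Send in batches; on the first failure keep the undelivered tail on disk. Returns events sent."""
        events, sent = self.pending(), 0
        while sent < len(events):
            batch = events[sent:sent + self.batch_size]
            try:
                self.send(batch)
            except Exception:                            # transient outage: leave the rest for the next flush
                break
            sent += len(batch)
        tmp = self.path.with_suffix(".tmp")
        tmp.write_text("".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events[sent:]))
        os.replace(tmp, self.path)                       # atomic rewrite, never a half-written spool
        return sent

class FlakySink:
    """Constructed sink: the call numbers listed in fail_on raise, as a transient outage would."""
    def __init__(self, fail_on):
        self.fail_on, self.calls, self.delivered = set(fail_on), 0, []
    def __call__(self, batch):
        self.calls += 1
        if self.calls in self.fail_on:
            raise ConnectionError("telemetry endpoint unreachable")
        self.delivered.extend(batch)

def demo_outage(n_events=250, batch_size=100, fail_on=(1,)):
    """Emit events, flush across an outage, and report what was sent, kept on disk, and finally delivered."""
    spool_path = Path(tempfile.mkdtemp()) / "appfw-events.jsonl"   # hypothetical spool location
    sink = FlakySink(fail_on)
    spool = EventSpool(spool_path, sink, batch_size)
    for i in range(n_events):
        spool.emit(make_event("aa:bb:cc:00:00:01", "192.168.10.5", "kids", f"host{i}.example",
                              None, "block", "category:ads"))
    first = spool.flush()                                # stops at the failing batch; tail stays on disk
    kept = len(spool.pending())
    second = spool.flush()                               # endpoint back: the tail drains, still in order
    expected = [f"host{i}.example" for i in range(n_events)]
    return {"first": first, "kept": kept, "second": second, "delivered": len(sink.delivered),
            "left": len(spool.pending()), "in_order": [e["domain"] for e in sink.delivered] == expected}
```

The spool is rewritten atomically after every flush, so a crash between two batches leaves either the old file or the new one, never a truncated mix; that, plus fsync on emit, is what "no event loss on transient cloud outages" has to mean in practice. With fail_on=(2,) the first flush delivers one batch and keeps the rest, which shows partial progress is preserved too.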
Built for every vertical
One platform, purpose-built security posture for every deployment scenario.
MDU & Student Housing
Per-tenant security with dynamic 802.1X VLANs. Family-safe upgrades as a premium tier. Compromise of one tenant cannot reach another.
Hospitality
Brand-safe guest SSID with age-appropriate filtering. Separate conference SSID with stricter policies. Same AP, different posture per network.
Education
CIPA-compliant filtering. Classroom vs dorm vs guest SSIDs with distinct profiles. Malware and phishing blocked at the AP, before the LAN.
Senior Living
Scam, phishing, and tech-support-fraud blocking. Guest network for visitors with default-deny on the resident LAN.
SMB
Productivity and threat policies. Separate IoT and guest VLANs with full microsegmentation. No extra firewall appliance required.
Public Wi-Fi / Hotspots
Liability protection. Content compliance per jurisdiction. Per-SSID profiles for guest, paid, and free tiers.
How Application Firewall compares
Measured against enterprise SSE/SWG stacks, residential VAS, and cloud DNS filters — the three alternatives OpenWiFi operators typically evaluate.
| Capability | App Firewall | Enterprise SSE | Residential VAS | Cloud DNS |
|---|---|---|---|---|
| Native to TIP OpenWiFi / uCentral provisioning | ✓ | ✗ | ✗ | ✗ |
| Runs in-kernel on AP — no extra hardware | ✓ | ✗ | ✗ | n/a |
| No mandatory cloud — data stays under operator control | ✓ | ✗ | ✗ | ✗ |
| Blocks DoH / DoT / ECH / QUIC / WireGuard at the AP | ✓ | Partial | Partial | ✗ |
| Detects encrypted protocols on ephemeral ports | ✓ | Partial | Partial | ✗ |
| Per-VLAN, per-SSID microsegmentation built into AP | ✓ | Limited | ✗ | ✗ |
| Multi-tenant by design — ISP/MSP/MDU scale | ✓ | Enterprise only | Via vendor cloud | Via vendor cloud |
| Activated as Premium VAS in your existing platform | ✓ | ✗ | ✗ | ✗ |
| Total cost of ownership for OpenWiFi operators | Lowest — hardware you own | Highest — appliance + OpEx | Mid-high per-subscriber | Low cost, severe gap |
Three capabilities no competitor can match
The gaps that end every evaluation in Application Firewall's favor.
The only operator-grade application firewall that runs in the kernel of every TIP OpenWiFi AP. No proprietary CPE stack to adopt. No cloud middleman to trust. No new operations to learn.
The only solution that keeps your subscribers' data on your network, in your jurisdiction, under your control. Every cloud competitor requires telemetry to leave the home. Application Firewall doesn't.
The only one that closes the bypass holes your cloud DNS filter can't. DoH, ECH, QUIC, hidden VPNs, BitTorrent on ephemeral ports — all blocked at wire-speed inside the AP. Ask any cloud DNS vendor what happens to ECH. They'll point you to the standards body.
Ready to activate?
Enable in uCentral, push profiles, done. No truck rolls. No new hardware. Contact sales for per-AP or per-subscriber pricing.