Product of the Week: wolfSSL wolfSentry

April 13, 2021


Product of the Week: wolfSSL wolfSentry

Intrusion detection and prevention systems (IDPS) can be described as advanced firewalls that help guard against both internal and external network-borne threats. They are usually deployed in the context of an entire network. But what about detecting and preventing an intrusion on an individual device, like a connected embedded or IoT system?

wolfSSL’s wolfSentry is an embedded IDPS that functions as both a static and dynamic firewall engine. Its fully dynamic capabilities are what separate the solution from traditional embedded firewalls, as it can arbitrarily associate user-defined events and actions based on contextualized connection attributes. This helps characterize network transaction profiles between the client and server over time so that unwanted behavior can be identified and stopped quickly.

The small-footprint stack adds as little as 64 KB of code footprint and 32 KB to volatile state memory, thanks to design efforts like constraining algorithms within a designated maximum memory footprint. This allows wolfSentry to operate in resource-constrained bare-metal or RTOS environments on top of Arm CPUs or other embedded processors.

wolfSentry can integrate seamlessly with new and deployed infrastructure by fully leveraging the existing state and logic of applications and their sibling libraries, and utliiznig a O(log n) lookup of netblocks and known hosts to maintain deterministic throughput in embedded use cases.

wolfSSL wolfSentry in Action

wolfSentry will be fully integrated into other wolfSSL security products such as the wolfSSL Embedded SSL/TLS Library, wolfSSH Lightweight SSH Library, and wolfMQTT Client Library, and be dynamically configurable via an API or by supplying the engine with a text input file. 

Callbacks and in-tree call-in options will provide users of the SSL/TLS library, SSH library, MQTT library, and all other network-facing wolfSSL products with access to the embedded IDPS functionality of wolfSentry. These can be accessed via simple configuration commands like --enable-wolfidps, while a zero-configuration option will also be available.

Advanced features such as cryptographically-secured remote configuration and status queries and remote logging through MQTT or syslog will be available via callback and client-server implementations.

Getting Started with wolfSentry

The first beta release of wolfSentry is scheduled for this month. Turnkey product integrations with a number of leading wolfSSL security solutions mentioned previously will follow.

For more information on wolfSentry, visit or visit the resources below.