Cohesive Blog

We’ve seen a huge uptick in new Azure cloud users. Clearly, more people are trying out Azure and realizing they need more connectivity and flexibility. VNS3 is here to help!

But, if you’ve not set up an Azure Vnet with Network Security Groups before, it might seem overwhelming. That’s why we’ve redesigned our Azure guide to jump directly into deploying VNS3 and set up the Azure services along the way. This route is actually faster than a VNS3 deployment in AWS – but don’t tell them we told you!

See it for yourself in our Azure guides on YouTube.

First, a note on addressing: Don’t Overlap Addresses!

Virtual Networks (Vnets) provide an isolated address space within the Azure cloud where you run your VMs. A Virtual Network defines the address space, and the Network Security Groups associated with it enforce access control policies at the hypervisor firewall. We highly recommend creating a new, separate Virtual Network subnet for the VNS3 Controllers that is different from the subnet or subnets defined for the application VMs.

The Azure subnets you configure CANNOT overlap with the VNS3 overlay networks you create during VNS3 configuration.

We recommend configuring a small subnet at the top of the Virtual Network range for the VNS3 Controller(s). You can logically segment the lower part of the range for your application VMs, either as a single subnet or as multiple subnets per VM role (e.g. web server, app server, db, etc.). See the diagram for how we segment our /24 (256 addresses) Azure Virtual Network for this example deployment. Keep in mind that Azure reserves five addresses in every subnet (the network address, the default gateway, two for Azure DNS, and the broadcast address), so a /28 leaves 11 usable addresses.

Azure VLAN ranges with VNS3
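To make the addressing rule concrete, here is an added Python check (example code written for this post, not part of VNS3 or its documentation) that carves the example /24 into the controller /28 at the top of the range plus three role subnets, then verifies that the subnets sit inside the Vnet, do not overlap each other, and do not collide with the VNS3 overlay network. The three role subnets and the overlay network 172.31.1.0/24 are assumed values chosen for the example; the post only fixes the Vnet (10.10.10.0/24) and the controller subnet (10.10.10.240/28).

```python
import ipaddress
from typing import Dict, List

# Addressing from the post: the /24 Vnet with a /28 for the VNS3 controllers
# at the top of the range.
VNET = "10.10.10.0/24"
AZURE_SUBNETS: Dict[str, str] = {
    "vns3-controllers": "10.10.10.240/28",
    # Role subnets below are assumed for this example; the post leaves the
    # lower part of the range to you.
    "web": "10.10.10.0/26",
    "app": "10.10.10.64/26",
    "db": "10.10.10.128/26",
}
# VNS3 overlay network, assumed for this example. It is configured inside
# VNS3, not in Azure, and must not overlap any Azure subnet.
OVERLAY = "172.31.1.0/24"

# Azure reserves five addresses per subnet: network address, default gateway,
# two for Azure DNS and the broadcast address.
AZURE_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Number of addresses Azure will actually hand to VMs in this subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET


def check_plan(vnet: str, subnets: Dict[str, str], overlay: str) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is safe."""
    vnet_net = ipaddress.ip_network(vnet)
    overlay_net = ipaddress.ip_network(overlay)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems: List[str] = []

    # Check the overlay against the whole Vnet, not just the subnets defined
    # today, so a subnet added later cannot collide with it either.
    if vnet_net.overlaps(overlay_net):
        problems.append(f"Vnet {vnet_net} overlaps the VNS3 overlay {overlay_net}")

    for name, net in nets.items():
        if not net.subnet_of(vnet_net):
            problems.append(f"{name} {net} is not inside the Vnet {vnet_net}")
        if usable_hosts(str(net)) < 1:
            problems.append(f"{name} {net} has no usable addresses after Azure's reservations")

    # Azure subnets within one Vnet must not overlap each other.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


if __name__ == "__main__":
    for line in check_plan(VNET, AZURE_SUBNETS, OVERLAY) or ["plan is safe"]:
        print(line)
```

Run it before creating the Vnet; the same check applies whenever you add a subnet later or change the overlay range inside VNS3.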

Launch VNS3 VM from Azure Marketplace

Select your VNS3 Image


VNS3 Free and Lite Edition virtual machine images are available in the Azure Marketplace. From the VNS3 page, click Get it Now.  From the popup, select the VNS3 Edition and click Continue.  You’ll be redirected to the Azure Portal.

Launch VNS3 in Azure Marketplace

From the Azure Portal, you can search for VNS3 in all Marketplace offerings.

azure launch vns3

Whichever route you take, you’ll see the VNS3 information page in the Portal. Make sure to launch with the Resource Manager deployment model (not Classic). Click Create.

Step 1 – Configure Basics

In the Basics pane, name your VNS3 VM. Spaces are not allowed, so use hyphens to separate the words of an instance name.

Choose Standard (HDD) or Premium (SSD) disk type. This affects the VM sizes available to you and your storage costs on Azure. We recommend HDD.

Even though VNS3 does not allow SSH access, Azure still requires you to create a username and password for the VM. Cohesive Networks does not provide shell access to customers for VNS3 appliances. These entries are required but will not be used; pick a strong, unique value anyway rather than reusing a password from elsewhere.

In this step you can select or create a Resource Group for your deployment. We recommend a new Resource Group to better organize and launch your VNS3 applications in Azure.

Select your Location (aka region).

Click OK.

Basics in VNS3 Azure launch

Step 2 – Configure Size

On the resulting Size pane, choose the VM size (the instance type, not the disk size).

VNS3 should have at least one core and 1.5GB of memory, so the “A2 Basic” instance type is a good place to start.[2]

Click Select.

Step 3 – Configure Settings

On the resulting Settings pane, configure the settings for the VM.

Under Storage, choose whether to use managed disks. Choose No to manage storage yourself, then either select an existing storage account or create a new one. We recommend Standard (HDD) storage.

Under Network, create a new Virtual Network. In the resulting window pane enter a name, address space (CIDR notation), subnet name, and subnet address space. Click Ok.[3]

In this example we follow this addressing scheme:

  • Virtual network address space: 10.10.10.0/24
  • Subnet address space: 10.10.10.240/28

Under Network, the Subnet should automatically update.

Under Network, create a Network Security Group.[4]
Add the following inbound rules for basic VNS3 functionality:

  • TCP port 8000 from the address(es) you will use to reach the VNS3 web UI. Source: Internet also works, but restricting the source to your administrative IPs is the safer choice.
  • UDP 1194 from the devices you will be adding to the Overlay (likely the Virtual Network as the source)
  • UDP 500 (IKE) from the IPs of the devices you will be connecting to via IPsec VPN
  • UDP 4500 (NAT-Traversal) or Any Protocol from the same IPsec peer IPs. Native IPsec carries ESP, IP protocol 50, which has no port number, so a rule limited to TCP or UDP will not admit it.

Click OK.

Keep the default outbound security rules set to allow all. Cohesive Networks recommends leaving this setting in place during implementation; you can always revisit it to lock down traffic for your use case once the initial deployment is up and tested.

Under Network, create a public IP address: choose to create a new one, enter a name, and select Static assignment (a dynamic address is released when the VM is deallocated, which would break IPsec peers and overlay clients configured to reach it). Click OK.

Click OK on Configure Settings.

Step 4 – Summary

Review the settings on the Summary page. Click OK.

Step 5 – Buy

Review the Purchase price and details on the resulting Purchase window pane. Click Purchase.

That’s it! 

See the Quick Start guide for Azure on our Documentation page here. 

Plus you can get through all these steps in under 10 minutes. Don’t believe me? Watch it:

[1] Need access to a private unlicensed VNS3 VM? contact our support team.

[2] Depending on need, VNS3 can be run on a much larger VM size to provide more throughput for the virtual network, site-to-site connections, firewall rules, or other network functions. If throughput is a big priority for you, get in touch with support for tips on how to maximize VNS3 speeds on Azure.

[3] You can add other subnets to the Virtual network after creation. For more customized networking set up in Azure, see our full Azure documentation. 

[4] Azure network security groups allow you to build access control lists (ACLs) that are enforced at the Azure hypervisor firewall. These ACLs control access into and out of your Azure VMs. Network security groups can be associated with subnets or with the individual network interface cards (NICs) attached to VMs.
Network security rules are processed in priority order: the lower the number, the higher the priority, and the first matching rule wins. Every NSG carries Azure’s default inbound rules, which cannot be deleted: AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001) admit traffic from inside the Virtual Network and from the Azure load balancer, and DenyAllInBound (65500) denies everything else with the highest number (lowest priority). Traffic from outside the Virtual Network therefore needs a specific Allow rule with a lower number, as anything that falls through to DenyAllInBound is dropped.
In this example we associate a VNS3 controller network security group with the VNS3 controller subnet previously created. If you do not plan to segment the VNS3 controllers into their own Azure subnet, associate the network security group with the NIC of the VNS3 controller during the launch steps covered later.
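Footnote [4] and the inbound rule list in Step 3 describe how an NSG is evaluated: rules are tried in ascending priority number and the first match decides. The following added Python model (example code written for this post, not Azure’s rule engine or VNS3 code) encodes the four rules from the post plus Azure’s default inbound rules and evaluates sample packets against them, so you can see which rule admits or drops a given flow and how a lower-numbered Deny shadows everything after it. The administrator address 203.0.113.10 and the IPsec peer 198.51.100.7 are constructed values, and service tags are approximated as address ranges, which is a simplification of how Azure defines them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

VNET = "10.10.10.0/24"
ADMIN_IP = "203.0.113.10/32"     # constructed: the address you manage VNS3 from
IPSEC_PEER = "198.51.100.7/32"   # constructed: the remote IPsec endpoint

# Service tags approximated as address ranges (simplification: Azure's Internet
# tag really means "outside the Vnet"; 0.0.0.0/0 is close enough here).
SERVICE_TAGS = {
    "VirtualNetwork": [VNET],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
    "*": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    priority: int     # lower number = evaluated first
    name: str
    protocol: str     # "Tcp", "Udp" or "*" (any IP protocol)
    source: str       # CIDR or service tag
    dest_port: str    # port number or "*"
    action: str       # "Allow" or "Deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dest_port: Optional[int]   # None for protocols without ports, e.g. ESP


# The post's four inbound rules, followed by Azure's default inbound rules
# (present in every NSG; they can only be overridden by lower-numbered rules).
INBOUND: List[Rule] = [
    Rule(100, "vns3-ui", "Tcp", ADMIN_IP, "8000", "Allow"),
    Rule(110, "overlay-clients", "Udp", "VirtualNetwork", "1194", "Allow"),
    Rule(120, "ipsec-ike", "Udp", IPSEC_PEER, "500", "Allow"),
    Rule(130, "ipsec-nat-t", "Udp", IPSEC_PEER, "4500", "Allow"),
    Rule(140, "ipsec-native-esp", "*", IPSEC_PEER, "*", "Allow"),
    Rule(65000, "AllowVnetInBound", "*", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "*", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]


def _source_matches(source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(r) for r in SERVICE_TAGS.get(source, [source]))


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "*" and rule.protocol.lower() != pkt.protocol.lower():
        return False
    if rule.dest_port != "*":
        # A port-specific rule can never match a protocol that has no ports (ESP).
        if pkt.dest_port is None or int(rule.dest_port) != pkt.dest_port:
            return False
    return _source_matches(rule.source, pkt.src_ip)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First match in ascending priority order wins; returns (action, rule name)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, pkt):
            return rule.action, rule.name
    return "Deny", "no-match"   # unreachable while DenyAllInBound is present


if __name__ == "__main__":
    samples = [
        Packet("Tcp", "203.0.113.10", 8000),   # admin reaching the UI
        Packet("Tcp", "198.51.100.99", 8000),  # anyone else reaching the UI
        Packet("Udp", "10.10.10.5", 1194),     # overlay client inside the Vnet
        Packet("Esp", "198.51.100.7", None),   # native IPsec from the peer
        Packet("Tcp", "10.10.10.5", 22),       # Vnet neighbour: admitted by the default rule
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(INBOUND, pkt))
```

Two things the model makes visible: a UDP 4500 rule on its own never matches ESP, which is why the post offers Any Protocol for native IPsec, and intra-Vnet traffic reaches the controller on every port through AllowVnetInBound unless you add a lower-numbered Deny, so locking down later means adding explicit Deny rules, not just removing Allows.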

Posted by:

- - - -

VNS3 is a top AWS Marketplace tool for cloud users, according to a new list released by CloudEndure. Their yearly “Game of Clouds” map highlights the top 75 cloud network, application, and developer software.

We’re proud to be a part of a great map with some of our own partners and customers. Cohesive Networks’ VNS3 Network Appliance is available on the AWS Marketplace, and listed in The Top 76 Products on the AWS Marketplace for 2017. With 10 5-star reviews, VNS3 is ready to help your cloud network and connectivity use cases.

VNS3 is a top AWS Marketplace tool for cloud users


Posted by:

- - - -

Data breaches can seriously damage a SMB, both in IT cost and loss of business. Prevent disaster by creating, updating, and refining cybersecurity policies.

The impact of a data breach on a small business can be catastrophic.

Top cybersecurity threats to small businesses (SMBs) are very similar to the risks all enterprises face. The stakes are much higher for SMBs because they often lack the resources to fight back and prevent data loss. Large firms have teams of security experts and can afford extensive audits. SMBs can be more vulnerable to security risks and struggle to quickly react to vulnerabilities.

So how can SMBs fight cybersecurity risks? Prevent IT vulnerabilities and educate employees about data security best practices.

your business is small, but risks are enterprise-size

The 2016 Ponemon Cost of Data Breach Study notes that the average total cost of a data breach increased from $3.79 million to $4 million since the previous year. Data breaches cost more than the stolen records themselves, once lost business, increased customer acquisition activities, reputation loss, and diminished goodwill are counted. Ponemon also found that the average organizational cost of a data breach in the US is $7.01 million.

Ponemon data breach report 2016

The best way for small businesses (SMBs) to deal with cybersecurity risks and data breaches is to prevent them. Of course, that’s easier said than done. With limited resources, SMBs are more exposed to cybersecurity risks than large companies and struggle to react quickly to vulnerabilities, so they need to get creative. The first step is to evaluate current security policies: everything from the office wifi network password to how customer payment information is stored.

See the InformationIsBeautiful interactive to see the root causes of the most recent data breaches and their impact:

Data Breaches from informationisbeautiful

Tip 1: keep pace with both risks and compliance by self-evaluating

Frequently self-evaluating the company’s cybersecurity practices is the best way to detect and prevent cybersecurity threats. SMBs can use the NIST Cybersecurity Framework (it’s free!) as a blueprint to evaluate current security policies, remodel data protection policies to focus on preventing vulnerabilities, and set goals to improve and maintain security.

SMBs should self-evaluate cybersecurity at least once a year, with participation from all business unit leaders and all of the IT team.

Traditional standards and protections – like the Payment Card Industry (PCI) DSS, Health Insurance Portability and Accountability Act (HIPAA), and others – all attempt to do the same things: protect sensitive data. The NIST Cybersecurity Framework is unique because the Framework combines the best practices of other security standards to focus on outcomes, rather than avoiding liability. The Framework has huge potential value for any organization looking to establish cybersecurity standards.


Tip 2: don’t become a victim of your own success 

As an SMB grows and adds employees and partners, its IT systems and data security policies must also evolve. The IT team must share access to vital business data and systems without leaving any vulnerabilities. For example, a small company can rely on a single IT person to manage access to data, a server, and the company network. As the organization grows and adds employees and technologies, that “single point of failure” becomes a risk for the company.

The best way to manage data security is to build it in from the beginning. Security for data and networks should grow with the business, with precautions built into business goals.  Your business should use the regular self-evaluations in Tip 1 to check up on the reality of your security policies as the business grows.

In the last two years we have seen a shift from passing compliance audits toward actionable cybersecurity policies to prevent costly data loss. SMBs can prevent costly data loss by acting now to evaluate and boost security policies, then regularly check in on policies as the company grows.

Tip 3: Involve everyone in security and prevention

SMBs should involve everyone – including IT, HR, sales, and legal teams – in the cybersecurity self-evaluation process. First, company-wide involvement encourages bigger-picture thinking, and each team can offer input on how data protection can be both practical and effective. For example, if a policy requires employees to change their passwords every month and use 12 non-repeating characters, employees will likely cope by writing down passwords and reusing old logins, which defeats the purpose. Likewise, the IT team should be involved if the procurement team requires new vendors to pass certain security standards.

Another perk of company-wide involvement in regular security evaluations is the opportunity to update employees about data privacy. SMBs can educate employees on how to keep both personal and corporate data private to prevent data breaches. Cybersecurity training, at least once a year, can help both the business and individuals prevent cybersecurity breaches.

Tip 4: Add security in layers – defense in depth

Traditional security policies and vendors focus too much on exterior defenses. Policies for employee screening, physical security, and website cookie blockers are all important, but don’t overlook internal network security. In the well-known Target and Sony data breaches, the attackers broke in and then exploited weak internal network security to plunder critical data that was freely reachable inside the corporate network.

Add encryption and monitoring within your network to strengthen existing security.

“Defense in depth” is a term borrowed from the military, where several varied layers of security offer better protection than a single, reinforced perimeter. Your data security policies shouldn’t stop at keeping bad actors out, but should also extend inside your network to monitor and limit access between IT systems.

VNS3turret-Perimeter-security-flaws

How can Cohesive Networks help? 

At Cohesive, we’ve combined our connectivity technology with dataflow and compliance tools to create secure, redundant networks for each set of critical data. VNS3:turret is our application segmentation product designed to surround and encrypt your data wherever it goes.

Those additional layers of security build ‘defense in depth’ into each application or group of business data. VNS3:turret lets you encrypt and manage network traffic, protecting against both external exploits and unauthorized interior network access. VNS3:turret guards your network by routing traffic through encrypted switches.

VNS3turret-in-datacenter

VNS3:turret allows you to:

  • Create a cryptographically unique micro-perimeter around each application.
  • Segregate applications to eliminate east-west vulnerability and monitor interior traffic.
  • Isolate and monitor all traffic to flow through the secure edge.
  • Automate compliance reporting with dataflow and monitoring tool integration.
  • Provide the most comprehensive application security model available today.

Availability:

VNS3:turret is available for private cloud customers, as well as public cloud users. Contact Cohesive Networks to get started today: sales@cohesive.net

Posted by:

- - - -
