Cohesive Blog

Data breaches can seriously damage a SMB, both in IT cost and loss of business. Prevent disaster by creating, updating, and refining cybersecurity policies.

The impact of a data breach on a small business can be catastrophic.

So how can SMBs fight cybersecurity risks? Prevent IT vulnerabilities and educate employees about data security best practices.

  1. Self-evaluate cybersecurity at least once a year, with participation from all business unit leaders and all of the IT team.
  2. Use the regular self-evaluations to check up on the reality of your security policies as the business grows.
  3. Involve everyone – including IT, HR, sales, and legal teams – in the cybersecurity self-evaluation process.
  4. Remember to add encryption and monitoring within your network to strengthen existing security.

(watch for the full version of this article soon!)

Data Breachs from informationisbeautiful

How can Cohesive Networks help? 

At Cohesive, we’ve combined our connectivity technology with dataflow and compliance tools to create secure, redundant networks for each set of critical data. VNS3:turret is our application segmentation product designed to surround and encrypt your data wherever it goes.

Those additional layers of security builds ‘defense in depth’ into each application, or group of business data. VNS3:turret lets you encrypt and manage network traffic. Protect against both external exploits and unauthorized interior network access. VNS3:turret guards your network by routing traffic through encrypted switches.

VNS3turret-in-datacenter

VNS3:turret allows you to:

  • Create a cryptographically unique micro-perimeter around each application.
  • Segregate applications to eliminate east-west vulnerability and monitor interior traffic.
  • Isolate and monitor all traffic to flow through the secure edge.
  • Automate compliance reporting with dataflow and monitoring tool integration.
  • Provide the most comprehensive application security model available today.

Availability:

VNS3:turret is available for private cloud customers, as well as public cloud users. Contact Cohesive Networks to get started today: sales@cohesive.net

Posted by:

- - - -

Ransomware and phishing attacks point to end goals: vulnerable internal networks

Hackers are unwittingly signaling an industry movement from resources locked away in data centers to highly connected, distributed resources in flexible environments. Ransomware and phishing scams are growing, and now targeting high-value individuals and organizations. These attacks are only the first step to gaining access. The ultimate goal is to ransack vulnerable resources connected in internal networks.

In 2016, 3 Ukrainian regional electric power distribution companies suffered 3-hour-long power outages caused by a coordinated cyberattack. The attack impacted more than 250,000 customers. Once the hackers accessed the control systems (SCAD) networks through hijacked VPNs, they had full access to the power grids.

Sony should have taught us to lock down internal networks. Even more horrifying is the length of time hackers have full access to resources once inside. The Yahoo breach in the news in 2016 – affecting 500 million users’ email addresses, phone numbers, and encrypted passwords – came from a 2014 intrusion.

 

PhishMe Q1 2016 Malware Review

Via the PhishMe Q1 2016 Malware Review

“With recent high profile, broad-reaching and sophisticated penetrations of firms such as JP Morgan Chase and Sony, it’s increasingly obvious that simple perimeter level network defenses are insufficient,” said Stephen O’Grady, Principal Analyst with RedMonk. “Combined with the fact that every portion of technical infrastructure is a target, application level security with encrypted segmentation is a must have.”

Industry shift: valuable data resides in many locations 

Saryu Nayyar of Dark Reading writes, “Data no longer resides behind firewalls; that singular control point of protection is gone. Instead, there is a much more complex, hybrid IT security challenge of on-premises environments being connected to multiple cloud applications and multiple mobile devices.”

More than 70% of organizations have deployed at least one application to the cloud, according to IDC. On average organizations will invest $1.62 million in cloud computing. With all this valuable movement to cloud-based resources hackers are eyeing the potential vulnerabilities in data transfer and novice cloud users who do not focus on security. 

Security approaches need an evolution, quickly

Perimeter-based security approaches have not evolved to meet the modern application-focused enterprise. Hardware and virtualization layer defenses give far too much access to core mission-critical controls. Teams are forced to write overly permissive controls to accommodate overlapping use cases. The weaknesses of the perimeter-based approach are on display in the east/west attacks on Sony, Target, and Home Depot exploits where hackers gained access to the perimeter, then ransacked the internal networks with minimal resistance.

What can modern enterprises do? A “defense in depth” approach to security at the network layer.

Enterprises must strengthen existing core networking hardware and virtualization layer security with added application security. Just as the physical segmentation at the core hardware layer and logical segmentation at the virtualization layer, application layer security provides “application segmentation.” Defense in depth at the application layer can stop the next Sony attack before it becomes another headline.

In data centers, physical network isolation is not practical, and logical segmentation can be very difficult without using evolved networking approaches. As data centers became wholly virtualized and blur the line between data center and private cloud, we can finally add and control logical segmentation at the virtualization layer.

Application segmentation: the missing link in security evolution

This “Application Segmentation” provides the most comprehensive security model available today.

You can apply application segmentation defense in depth using Cohesive Networks’ VNS3:turret. VNS3:turret creates a cryptographically unique micro-perimeter around each application topology. By segregating each application, the inner rings of security can eliminate east-west vulnerability within a network.

VNS3:turret secures virtualized applications on a client’s virtual, public, private or hybrid cloud networks. vns3:turret uses the vns3:asc – a virtual application security controller – to provide a virtual router, switch, firewall, VPN concentrator, protocol redistributor, and extensible NFV container functions. 

VNS3turret-in-datacenter

Defense in Depth with VNS3:turret

Using the VNS3:turret vns3:asc’s organic security, users can set their own access rules, firewall settings, and other security policies specifically for that application cluster. With flexible and interoperable components, VNS3:turret allows users to add in compatibility with existing networking devices and open-source capabilities such as network intrusion detection (NIDS), proxy, caching, and load balancing.

VNS3:turret is a software-only network appliance that adds security at the application layer. Create encrypted networks on top of cloud providers’ network. Virtualize critical network security functions, including routing, switching, firewalls and SSL VPNs. Through end-to-end encrypted IPsec tunnels, customers can connect on-premises or data center edge firewall devices to cloud resources. By building such encrypted virtual networks, customers are able to build secure connections over the top of data center networks, and bridge networks to cloud resources.

Why us?

Cohesive Networks positions ourselves as cloud networking and security advisors in a space full of vendors selling “magic”. Our leadership team promote the belief that enterprise IT should incorporate security best practices and existing resources without redoing everything for cloud. Because of our strong believe in low “cognitive load” on customers, Cohesive Networks have always been provider, vendor, application, OS and script neutral.

Posted by:

- - - -

It’s time to update an oldie-but-goodie!

One of our lead engineer alumni, Dmitriy Samovskiy, wrote an excellent technical overview of VNS3. Back then, we called it VPN-Cubed, or VPN3. It’s finally getting the update it deserves.

The goal of the post, both then and now, is to dive into the technical part of VNS3. We’ll go into more features requirements for VNS3 beyond the typical features and use cases. As always, you can see the VNS3 page for product info and availability and read all of our use cases here.

In a nutshell, what is VNS3?

VNS3 is a software-only virtual network appliance that allows cloud users to add data in motion encryption, application layer firewalls, multicast protocol support, and region peering on top of network infrastructures.

VNS3 builds on core VPN concepts but allows more customer control with an “overlay network.” An overlay network is a computer network built on top of another network. Nodes in an overlay can be virtual or logical links. VNS3 adds control over topologies, network addressing, encrypted communications, and network protocols.

VNS3 overlay concepts

 

What is VNS3 made out of?

Software! But seriously…

VNS3 Controllers are virtual machines (VMs) that act as a VPN gateway for the other virtual machines in the same cloud infrastructure. VNS3 synchronize between each other using RabbitMQ. VNS3 has a web-based UI and traditional Linux system command line interface (CLI). The VNS3 API uses a Ruby script and Ruby language binding.

Everything else is a patented secret. In 2010 Dmitriy and the other VNS3 developers earned a patent on the underlying networking and cloud technologies.

If it’s more than a VPN, why *did* you call it VPN-Cubed?

Excellent question.

We originally named it VPN-Cubed because it’s like a VPN, but 3x the features.

VNS3 is different from standard VPN software and hardware-based networking devices. Typically, VPNs are used to connect 2 LANs together, or to connect desktop clients to a LAN over the Internet. VNS3 acts like a traditional VPN gateway plus a virtual router, switch, firewall, VPN concentrator, protocol redistributor, and NFV container.

The cloud computing market has evolved, and cloud users are more sophisticated so we moved away from boxing ourselves into a VPN-only product. In 2012 we renamed it to VNS3. 451 Research analyst William Fellows wrote “VNS3 is not only for VPNs – hence the name change – since overlays can be within a cloud, between clouds, between a private datacenter and a cloud (or clouds), or between multiple data centers.” [the full report has a paywall.]

What cloud providers, server operating systems, devices, etc does VNS3 support?

Because VNS3 was created to support server infrastructure in a cloud, across clouds, or connected from private infrastructure to the clouds, VNS3 can support multiple OSes and networking devices.

VNS3 integrates with existing network equipment and can be delivered as part of the application deployment in most virtualized infrastructures. VNS3 is available in AWS, Azure, IBM Softlayer / Bluemix, Google Cloud, and more. It works with Cisco ASAs, Juniper Watchguard, Fortinet, and more IPsec devices in data centers. For more on specifications, check out cohesive.net/specs

Does VNS3 require large port ranges for firewalls? 

Nope. For security best practices and ease of use, VNS3 doesn’t require large ranges of ports to open and accepts clients from behind NAT. VNS3 Controllers accept client connections on a single TCP or UDP port and seamlessly support clients behind NAT.

Can I scale beyond typical VPNs?

Yes! Typical VPNs do not scale beyond two active-active gateways. VNS3 supports synchronized “N-active” VNS3 Controllers. This means each VNS3 Controller has the same view of the topology as all of its peers, allowing it to support any of the servers in a cloud infrastructure.

For better failover options, configure VNS3 Controllers to manually failover via re-mapping the public IP of the primary VNS3 to the secondary VNS3. It also means the servers in theVNS3 Controllers can keep their same network address, regardless of the Controller they communicate through.

Unlike other VPNs, VNS3 also acts like a virtual router, switch, firewall, VPN concentrator, protocol redistributor, and NFV container. VNS3 allows many, many networking use cases including:

  • application layer firewall with custom rules and hashings
  • connecting both NAT-T and Native IPsec endpoints on the same endpoint
  • Layer 2 Bridging over GRE as well as GRE tunneling over IPsec
  • customizable, flexible networks with Docker containerized network services
  • Trend Micro Deep Security central management agent

Can I manage static IP addresses in the cloud?

Yes! VNS3 connecting “clients” (usually cloud-based servers) get the same IP address no matter which VNS3 Controller they are connected to. Customers can assign Elastic IPs in AWS or static IPs in Azure to ease any network reconfiguration.

Do VNS3 clients require communication via different gateways?

Nope. VNS3 uses routing tables to pass traffic between servers connected to different VNS3 controllers. A device only needs to know itsVNS3 Controller and it can communicate with any device in the topology, regardless of its actual location.

Does VNS3 allow multiple clouds or a hybrid infrastructure between co-location sites, clouds and your data center?

Yes! VNS3 Controllers are software, so the virtual servers can work in any virtualized environment or cloud.

VNS3 Controllers can form an N-active, multi-directional overlay network between computing centers, cloud regions, and/or data centers.  A network can run over the top of networks in Amazon AWS, Microsoft Azure, as well as in a co-location site or data center.

VNS3 Controllers can be located anywhere, including all over the Internet, inside a single cloud, or across multiple clouds. VNS3 Controllers maintain a synchronized and encrypted channel of communications between each manager in a specific VNS3 topology. The diagram – we call it the “sexy diagram” – shows just how powerful this cross-cloud, cross-region overlay network can be.

VNS3 overlay sexy diagram 2016

Posted by:

- - - -

Blog Resources