Cohesive Blog


Bring-your-own SSL Certs

One of the (few) issues some customers have with VNS3 is its use of self-signed certificates. There are arguments to be made that self-signed certs can be as secure as those issued by third-party trusted certificate authorities (CAs) when implemented properly. But making those arguments is often more hassle than many IT departments want, especially as most browsers have made their warnings scarier, and when an end user sees one of those the last thing they want is a debate on the relative security of public CAs versus their own local infrastructure.

As of version 4.0 of VNS3 it is possible to upload your own SSL certs. These can be self-signed certs or those provided by a CA.

In this post we're going to show how to create and upload a signed certificate to VNS3 using EFF's Certbot and certificates issued by Let's Encrypt. Certbot is part of EFF's effort to encrypt the entire Internet. It acts as a client to the Let's Encrypt open CA, a service provided by the Internet Security Research Group (ISRG).

From the perspective of VNS3, the issue with Certbot is that by default it expects to be installed on the host that serves the certificate, so that it can renew the certificate automatically every 90 days. VNS3 is a self-contained software appliance: access to the system is strictly limited and the only way to install new software is via the plugin container system. Since a plugin container has no access to the host's web server, that isn't a viable approach.

A workable solution, however, is to use Certbot's manual options to create the certificates separately from the instance, then upload them through VNS3's UI (or API).

Creating and Installing Your Let’s Encrypt Certificates

The rest of this tutorial assumes the following:

  • You have ownership of a specific domain, example.com
  • You are naming your VNS3 instance vns3.example.com
  • You have access to the DNS records for example.com

Given the above requirements, you can run the Certbot process on a separate server and have the certs generated, ready to be uploaded to VNS3.

The approach is to run Certbot with its manual plugin and the DNS challenge on that separate machine, publish the TXT record it asks for in the example.com zone, and then upload the resulting private key and certificate to VNS3.

Running Certbot looks similar to the following:

$ sudo certbot certonly --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): vns3.example.com
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for vns3.example.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.vns3.example.com with the following value:

hZo-MWdsBlAhwbbYAVyzada3LSLlpDTTu752T3XxthU

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

At this point you have to wait for the TXT record to propagate. This should be fairly quick. To see whether the record is visible, run the "dig" command in a separate tab/window; it should return the contents of the TXT record. Querying your zone's authoritative name servers directly (dig @ns1.example.com ...) avoids being misled by a resolver that has cached a negative answer from before the record existed. For example:

$ dig txt _acme-challenge.vns3.example.com

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> _acme-challenge.vns3.example.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64903
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.vns3.example.com.    IN TXT

;; ANSWER SECTION:
_acme-challenge.vns3.example.com. 1799 IN TXT "hZo-MWdsBlAhwbbYAVyzada3LSLlpDTTu752T3XxthU"

;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 07 11:37:23 CDT 2017
;; MSG SIZE  rcvd: 123

Back in Certbot, press Enter to continue:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/vns3.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/vns3.example.com/privkey.pem
   Your cert will expire on 2017-12-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Congratulations, your certificate has been issued; it is valid for 90 days.

For VNS3 we need the following files:

/etc/letsencrypt/live/vns3.example.com/privkey.pem

/etc/letsencrypt/live/vns3.example.com/cert.pem

cert.pem holds only the leaf certificate; fullchain.pem is the same certificate followed by the Let's Encrypt intermediate. If a client later reports an unknown issuer or incomplete chain, the missing intermediate is the reason. privkey.pem is the secret half of the pair: copy it to wherever you run the upload over a secure channel and remove any stray copies afterwards.

To update via the UI, connect to your instance and navigate to the "HTTPS Certs" option in the Admin section of the menu.

The file cert.pem is your SSL certificate, and privkey.pem is your SSL key file. After clicking the "Upload and Install" button you should see the message "HTTPS certs validated and installed". (If you instead see "Error validating key/cert files", check that the two files haven't been swapped, with the private key uploaded as the cert and vice versa.) Once installed, the system restarts its web server and your new certificate should be protecting your VNS3 instance.
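It is cheaper to check the two files locally than to learn about a problem from the "Error validating key/cert files" message. The Ruby script below is an added example, not part of the original post or of VNS3, and uses only Ruby's standard OpenSSL library. It confirms that cert.pem parses as a certificate and privkey.pem as a key (swapped files fail at this step), that the key actually matches the certificate, that the hostname (assumed here to be vns3.example.com) appears in the certificate's subjectAltName, and how many days remain before expiry, which is also the number a renewal job needs. When run without arguments it generates a constructed self-signed stand-in certificate so the checks can be exercised offline; that sample is not a Let's Encrypt certificate.

```ruby
require 'openssl'
require 'time'

# Hostname the tutorial uses; an assumption, substitute your own.
EXPECTED_HOST = 'vns3.example.com'

# Parse the two PEM files. OpenSSL raises if the contents are swapped or
# truncated, which is the usual cause of "Error validating key/cert files".
def load_pair(cert_pem, key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key  = OpenSSL::PKey.read(key_pem)
  [cert, key]
rescue OpenSSL::OpenSSLError => e
  raise ArgumentError, "not a valid cert/key pair (files swapped?): #{e.message}"
end

# DNS names from subjectAltName, which is where Let's Encrypt puts the hostname.
def san_dns_names(cert)
  ext = cert.extensions.find { |x| x.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip)
     .select { |v| v.start_with?('DNS:') }.map { |v| v.sub('DNS:', '') }
end

# Whole days left before notAfter; negative once the certificate has expired.
def days_until_expiry(cert, now = Time.now)
  ((cert.not_after - now) / 86_400).floor
end

# Returns a list of problems; an empty list means the pair is safe to upload.
def check_pair(cert_pem, key_pem, host: EXPECTED_HOST, now: Time.now)
  cert, key = load_pair(cert_pem, key_pem)
  problems = []
  problems << 'private key does not match certificate' unless cert.check_private_key(key)
  names = san_dns_names(cert)
  problems << "certificate is not for #{host} (SANs: #{names.join(', ')})" unless names.include?(host)
  days = days_until_expiry(cert, now)
  problems << 'certificate has expired' if days < 0
  problems << "certificate expires in #{days} days; renew now" if days >= 0 && days < 30
  problems
end

# Constructed sample for offline runs: a throwaway self-signed certificate for
# the host, NOT a Let's Encrypt certificate.
def sample_pair(host: EXPECTED_HOST, days: 90)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{host}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{host}"))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert.to_pem, key.to_pem]
end

# Usage: ruby check_pair.rb cert.pem privkey.pem   (no arguments: check the sample)
if __FILE__ == $PROGRAM_NAME
  cert_pem, key_pem = ARGV.size == 2 ? ARGV.map { |f| File.read(f) } : sample_pair
  problems = check_pair(cert_pem, key_pem)
  puts(problems.empty? ? 'OK: ready to upload' : problems)
end
```

Run it against the live Certbot output with ruby check_pair.rb /etc/letsencrypt/live/vns3.example.com/cert.pem /etc/letsencrypt/live/vns3.example.com/privkey.pem; an exit with a non-empty problem list is the cue to stop before touching the appliance.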

Automating Certificate Renewal

A Let's Encrypt certificate expires after 90 days. This is actually a very good thing: in the event of another Heartbleed-type bug that leaks private keys, a leaked key stays usable for at most 90 days (less if you revoke). The downside is that someone has to rerun Certbot and update the certs on every VNS3 instance every 90 days. A better way is to automate the process.

A detailed treatment of the renewal process is beyond this post, so we'll just touch on a few details. Certbot can run non-interactively with the manual plugin, but only if you give it hook scripts (--manual-auth-hook and --manual-cleanup-hook) that publish and later remove the TXT record themselves. Piping "yes" into Certbot, as below, merely answers its prompts; the new challenge value still has to be in DNS before Certbot continues, so on its own this is semi-interactive at best:

$ sudo bash -c "yes | certbot certonly --manual --cert-name vns3.example.com"
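The fully non-interactive route is an auth hook that publishes the TXT record for Certbot. The script below is an added example, not part of the original post or of Certbot; it uses the environment variables Certbot exports to hooks (CERTBOT_DOMAIN and CERTBOT_VALIDATION) and pushes the record with an RFC 2136 dynamic update via the nsupdate tool. The zone name, authoritative server, TSIG key path and the use of Google's resolver for the visibility check are assumptions; adapt them to your DNS setup (or replace the nsupdate step with your provider's API). The lookup used for the propagation check is injectable, so the wait logic can be exercised without network access.

```ruby
#!/usr/bin/env ruby
require 'resolv'

# Assumptions (not from the original post): the zone accepts RFC 2136 dynamic
# updates on this server, authenticated with the TSIG key in this file.
ZONE       = 'example.com'
DNS_SERVER = 'ns1.example.com'
TSIG_KEY   = '/etc/letsencrypt/tsig.key'

# Name and value of the dns-01 record, exactly as Certbot asks for them.
def challenge_record(domain, validation)
  ["_acme-challenge.#{domain}.", validation]
end

# Build an nsupdate batch that adds (or deletes) the challenge TXT record.
def nsupdate_batch(domain, validation, action: :add, ttl: 60)
  name, value = challenge_record(domain, validation)
  update = if action == :add
             "update add #{name} #{ttl} IN TXT \"#{value}\""
           else
             "update delete #{name} IN TXT \"#{value}\""
           end
  ["server #{DNS_SERVER}", "zone #{ZONE}.", update, 'send', ''].join("\n")
end

# TXT strings visible from a public resolver (the same one the dig example used).
def public_txt(name)
  Resolv::DNS.open(nameserver: ['8.8.8.8']) do |dns|
    dns.getresources(name, Resolv::DNS::Resource::IN::TXT).flat_map(&:strings)
  end
end

# Poll until the record is visible so Certbot does not ask the CA too early.
# `lookup` is injectable for testing; it defaults to a real DNS query.
def wait_for_txt(name, value, attempts: 30, delay: 5, lookup: method(:public_txt))
  attempts.times do
    return true if lookup.call(name).include?(value)
    sleep delay
  end
  false
end

# Entry point used by both hooks: publish the record (auth hook) or remove it
# (cleanup hook, invoked with --cleanup).
def run_hook(env = ENV, cleanup: false)
  domain     = env.fetch('CERTBOT_DOMAIN')
  validation = env.fetch('CERTBOT_VALIDATION')
  batch = nsupdate_batch(domain, validation, action: cleanup ? :delete : :add)
  IO.popen(['nsupdate', '-k', TSIG_KEY], 'w') { |io| io.write(batch) }
  raise 'nsupdate failed' unless $?.success?
  return if cleanup
  name, = challenge_record(domain, validation)
  raise "TXT record #{name} not visible after waiting" unless wait_for_txt(name, validation)
end

# Certbot sets CERTBOT_DOMAIN when it runs the hook; running the file by hand
# without it just loads the functions.
run_hook(cleanup: ARGV.include?('--cleanup')) if __FILE__ == $PROGRAM_NAME && ENV.key?('CERTBOT_DOMAIN')
```

With the script installed as /usr/local/bin/acme-dns-hook.rb, the renewal becomes a single command suitable for cron: certbot certonly --manual --preferred-challenges dns --manual-auth-hook /usr/local/bin/acme-dns-hook.rb --manual-cleanup-hook "/usr/local/bin/acme-dns-hook.rb --cleanup" -d vns3.example.com. Keep the TSIG key readable only by the account that runs Certbot; whoever holds it can publish any record in the zone, which is exactly what an attacker needs to obtain certificates for your names.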

Automating the upload of the new certs to the VNS3 instance requires the API. Here is some basic, hastily written Ruby code that uploads and installs the certs:

require 'rest-client'   # gem install rest-client
require 'json'
require 'openssl'

@user     = 'api'
@password = 'vnscubed'   # the shipped default API password; use your own
base_path = 'https://vns3.example.com:8000/api/system/ssl'

# The two files Certbot produced: cert.pem is the certificate, privkey.pem the key.
cert = File.read('cert.pem')
key  = File.read('privkey.pem')

def resource(url)
  # VERIFY_NONE is what lets the very first upload talk to the self-signed cert;
  # once a trusted cert is installed, switch to OpenSSL::SSL::VERIFY_PEER.
  RestClient::Resource.new(url, user: @user, password: @password,
                                verify_ssl: OpenSSL::SSL::VERIFY_NONE)
end

def put(url, payload = {})
  JSON.parse(resource(url).put(payload.to_json, content_type: 'application/json'))
end

def get(url)
  JSON.parse(resource(url).get(content_type: 'application/json'))
end

begin
  # Upload the key pair, then ask VNS3 to install it; install is an async job.
  put("#{base_path}/keypair", { cert: cert, key: key })
  response = put("#{base_path}/install")
  uuid = response['response']['uuid']

  # Poll the job until it leaves the 'pending' state.
  response = get("#{base_path}/install/#{uuid}")
  while response['response']['state'] == 'pending'
    puts "Job #{uuid} : status #{response['response']['status']}"
    sleep 3
    response = get("#{base_path}/install/#{uuid}")
  end
  puts "Job #{uuid} : status #{response['response']['status']}"
rescue => e
  puts "Error: #{e.message}"
end

The above Ruby code should not be used in production as-is. It does little error checking, it uses global state, it polls without a timeout, and it disables TLS certificate verification against the appliance (so the credentials and the new private key are sent to whatever answers at that address). On the positive side, it does demonstrate how easy it is to upload newly generated certs to a VNS3 instance.

Wrapping the two steps, renewal and upload, in a single script is trivial, and a Jenkins task or cron job that runs it every 30 to 60 days is enough to keep the certificates on your VNS3 instances up to date.

Conclusion

In this post we’ve shown you how to create and upload an SSL certificate for your VNS3 instance using Let’s Encrypt and Certbot. We’ve also given a quick overview on how to begin to automate the certificate update process. Hopefully another item on the ever-lengthening IT security to-do list can now be checked off.

 


- - - -

This summer the UK government published a "statement of intent" on data privacy and security. The resulting law, a new Data Protection Bill, will mirror the EU's upcoming General Data Protection Regulation (GDPR) on data privacy and on the fines for non-compliance. The bill is expected to be introduced in September 2017, which leaves organisations little time to meet the GDPR requirements by 25 May 2018.


About the Data Protection Bill

The new Data Protection Bill requires any organisation that collects or manages personal data to be accountable for that data. All data collection, storage, and management must prioritise end users' privacy rights. Any organisation that carries out high-risk data processing must protect that data and allow end users to erase it and to take it elsewhere.

Worryingly, one in 10 FTSE 350 companies does not currently have a response plan for dealing with a cyber incident, and less than a third of boards have a comprehensive cyber risk plan. Only 6% of UK businesses are completely prepared for the new data protection rules, which makes the Data Protection Bill and GDPR deadlines all the more pressing.

Bottom line: businesses must ensure their data is secure, private, and well managed or pay the price.

Where the GDPR leaves the choice of supervisory authority to each member state, the UK law names the Information Commissioner's Office (ICO) as the national data protection regulator. The ICO will have the power to defend consumer interests and to issue much higher fines: organisations that do not properly protect personal data or fail to report security breaches can be fined up to £17 million or 4% of their global turnover. Previous law capped fines at £0.5 million.

From the Government, the Data Protection Bill intends to:

  • make it simpler for users to withdraw consent for the use of personal data;
  • allow people to ask for their personal data held by companies to be erased;
  • enable parents and guardians to give consent for their child’s data to be used;
  • require ‘explicit’ consent to be necessary for processing sensitive personal data;
  • expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA;
  • update and strengthen data protection law to reflect the changing nature and scope of the digital economy;
  • make it easier and free for individuals to require an organisation to disclose the personal data it holds on them;
  • make it easier for customers to move data between service providers.

An Evolution of Digital Security
The DCMS began as the Department of National Heritage (DNH), was renamed the Department for Culture, Media and Sport in 1997, and became today's Department for Digital, Culture, Media and Sport on 3 July 2017. PM Theresa May's government updated the name to reflect the department's increased activity in the digital sector.

On 7 August the DCMS released a "statement of intent" to update and strengthen data protection law. A new Data Protection Bill will mirror the EU's General Data Protection Regulation (GDPR). Like the department, the law has evolved: the original Data Protection Act came into force in 1984 and was replaced by the Data Protection Act 1998. The proposed 2017 bill will bring the EU's GDPR into UK law, so data security will remain a priority regardless of Brexit.

How is the Data Protection Bill similar to GDPR?

The Data Protection Bill is designed to enact the GDPR into UK law. The Bill is very similar to the GDPR – it includes the famous “right to be forgotten” data removal requirements, “explicit consent” for collecting new data, and “data portability” for moving data between providers.

Another key similarity is the concept of “privacy by design/default.” Organisations must build applications and systems with data privacy protection built in.


What can you do today to prepare?

Reevaluate access controls for IT teams and other departments. With cloud-based systems, it should be easier to implement strong password and authentication programs. With access management tools IT teams can also gain insight into what users require access to each service or application and apply the rule of “least privilege” required for each.

Add encryption in-transit to any existing encryption best practices. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.

Prepare with security, but plan for a data breach. GDPR requires organisations to report personal data breaches to the supervisory authority within 72 hours of becoming aware of them. Along with controls to detect unwanted network access, your teams should have a plan to contain an intrusion and evict the attacker.

VNS3 and data protection

VNS3 can help organisations meet the data security measures that data privacy compliance demands. Even if your company is not located in the EU, your data may include information on a "data subject." For organisations with large amounts of data, or data that travels between networks, the best option is to add encryption in transit along the lines described above: between cloud regions, over the public internet, and between organisation locations.

But, don’t just take our word for it! Use VNS3 in any cloud environment with our Free Edition. Try it today from the AWS Marketplace or Azure Marketplace.

Get in touch with our sales team for BYOL versions for other large clouds, custom pricing, or for a POC.

 


- - - -

Don’t be caught off guard by GDPR requirements in 2018

According to a recent KPMG study of FTSE 350 boards, few are prepared for the General Data Protection Regulation, or GDPR. All new data your organisation gathers should come with clearer evidence of consent to collection and with opt-out options. How should IT teams prepare for the upcoming changes? Which initiatives should be part of your compliance programme?

Penalties for not complying with GDPR will be steep. Organisations in breach can be fined up to 4% of annual global turnover or €20 million, whichever is greater. That is the maximum; GDPR takes a tiered approach to fines, lower tiers apply to lesser infringements, and an organisation may be liable for several offences at once. Internal IT teams and legal departments should take note: the GDPR applies to any company that controls or processes personal data, and "clouds" are not exempt.

Which initiatives should be a part of your program to be compliant with GDPR? 
The first, major step to complying with GDPR is to understand the data the organisation holds. Multiple departments will likely hold lists of personal information, such as email lists for marketing, human resources’ personnel files, and so on. Understanding what you must protect is the first step to protecting it.

Takeaway: any organisation that collects or processes the personal data of people in the EU should comply with GDPR, wherever the organisation itself is based.

At the core, the GDPR requires data protection by design. Organisations must design data security into business processes.

Another requirement is "pseudonymisation": transforming personal data so that it can no longer be attributed to a specific person without additional information. Encryption is one way to do this. The GDPR also requires that this additional information, such as the decryption keys, be kept separately from the pseudonymised data and protected by its own controls.

Specifically, IT teams can ease into GDPR with better monitoring and management. Automating any part of network scanning, log analysis, and compliance tracking can speed up time to compliance.

Next, teams should re-evaluate access controls to sensitive data. With cloud-based systems, it should be easier to implement strong authentication programs to apply the rule of “least privilege” required for each application.

Finally, add encryption in-transit to any existing security best practices. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.


How can Cohesive Networks help you? 

VNS3 helps meet data security measures for data privacy compliance:

  • Encrypt data in transit using VNS3’s IPsec tunnels to connect to all data sources and applications
  • Protect Personal Data by encrypting all data across open public networks
  • Guard against Vulnerability with a VNS3 intrusion detection system (IDS)
  • Maintain Strong Access Control by controlling access to data and encryption keys
  • Enhance Data Portability with a VNS3 overlay network over the top of any cloud or virtual network

- - - -
