VNS3 LNKe: Creating Cloud-Agnostic Transitive Networks Without a lot of Fuss

VNS3 LNKe: Creating Cloud-Agnostic Transitive Networks Without a lot of Fuss

by | Dec 16, 2021 | Public Clouds, Security, VNS3 Features

Cohesive Networks has been helping our customers build robust transit networks on public cloud infrastructure since our early days. Doing so on VNS3 technology gives you secure and observable methods consistent across cloud providers and other virtualization platforms. Up until recently we achieved this by creating site to site IPSec tunnels into our federated mesh backbone. This approach, while robust due to BGP failover capabilities, adds quite a lot of complexity. Each of these connections have unique peering addresses and autonomous system numbers (ASN), as well as peer access lists to configure and manage. Which brings us to our new offering, the VNS3 LNKe controller. LNKe controllers are simple to set up while still providing robust failover capabilities.

The VNS3 LNKe controller is one of Cohesive Networks latest offerings. It’s been designed to provide a low cost, easy to deploy, method of connecting your private cloud networks, regardless of the provider. Let’s take a look at the mechanics of it.

VNS3 can be deployed in a peered mesh topology, where by all of the members of the mesh exchange connection and routing information with all of the other members of the mesh across encrypted peering links. These mesh peers can be situated in any cloud provider and in any region. This is the hub in your typical hub and spoke model. The difference being that VNS3 hub, or mesh, components can exist in many different locations, while still being aware of all of the other components. Extending the hub
simply entails adding new peers. This hub can be as little as one or two VNS3 controllers to many tens of controllers spanning across your cloud vendors regions. Within this mesh you have full visibility and attestability of network flows.

    Now to connect your various networks into the mesh so as to facilitate your transitive network. LNKe is a light weight variant, thats has been designed to work with the encrypted overlay networking capabilities of VNS3. It uses the cryptographic key architecture to create a tunnel from the LNKe controller to the closest mesh controller. This link can be established through a VPC peering link between the connecting VPC or over public IP. You simply have to deploy the LNKe controller into the connecting VPC and push the VNS3 client pack to it. This gives it a unique overlay address that the hub mesh is aware of.

    The LNKe can be configured to have failover hub members that it will connect to should any failure occur. On the hub members that it is configured to connect to we then create route entries for the LNKe’s network. This route is pointed at the overlay IP that has been associated with the LNKe controller. While these are effectively static entries, VNS3 will only ever enable the one that is actively connected to. We call this dynamic static routing.

    On the connected VPC you can set your subnet route of 0.0.0.0/0 to point to the LNKe controller, since LNKe can also serve duty as your NAT gateway. In this way any traffic that is bound for other connected networks will traverse into the hub, where as non transit network traffic can get out as needed.

    This solution gives you a lot of flexibility in managing your network connections. You have full firewall capabilities to restrict and shape traffic. You can transform traffic should you have overlapping CIDRs. You can combine other connections into the mesh such as remote workforces or data center connectivity. You can inject network function virtualization like NIDS and WAF. You end up with a network control plane that works the same across all cloud providers that is cost effective and easy to deploy and mange.

    Announcing the Release of VNS3 5.2.1

    Announcing the Release of VNS3 5.2.1

    by | Dec 1, 2021 | Security, VNS3 Features

    We are happy to announce that VNS3 version 5.2.1 has been released and is available for deployment in all cloud platforms. Below are some of feature highlights of this release.

    Image Access

    AWS Private AMI: users with private AMI access to UL versions will see the 5.2.1 AMI already shared into their account. Filter for Private Images in the appropriate region and search for vnscubed521-20211111-ul-ebs-5LFW.

    AWS and Azure Marketplace: all VNS3 Marketplace SKUs are updated with the latest 5.2.1 listings.

    GCP and OCI: contact support@www.cohesive.net for image access.

    This release focuses on making our Distributed Cloud (site-to-site VPN and Overlay Mesh) and Plugin user experience easier from implementation to operation. Don’t forget, release notes are always available at https://docs.cohesive.net/docs/vns3/release-notes/.

    Traffic Pairs

    Over the last few years the world of site-to-site VPN has been moving away from Policy-based IPsec VPN in favor of Route-based. Route-based VPNs, from the POV of the device, have simpler configurations (generally a single tunnel) and as a result can have increased long term stability. Simple and stable is good but Route-based VPNs without associated policies/ACLs can be thought of as ‘IPsec without the sec’ and let any traffic move between the two sites. Traffic pairs simplify the deployment of secure route-based VPNs. 

      This new feature allows local/remote subnet pairs to be defined via UI or API for a route-based VPN. This is very similar to how policy-based “tunnels” are defined. When using traffic pairs, VNS3 manages the default state of routes and ACLs for those pairs. Additional routing and ACL operations are not needed when using traffic pairs. “Traditional” configuration is still supported as originally presented since VNS3 4.4.1. This new approach makes it easier for customers integrating VNS3 into their infrastructure to leave the state management of routes and ACLs to VNS3, rather than incorporating related state into their database.

      Plugin Catalog

      Many of you have leveraged the VNS3 Plugin System (Container System) to add critical network services in-path to allow full customization of your network edge. Previously container images had to be sourced in from outside storage buckets or uploaded from local storage. VNS3 now provides in-place installation of plugins via Plugin Catalog. The updated VNS3 Main Menu now lists “Plugins” –> “Catalog” which allows access to a number of additional monitoring, logging, and security functions provided via plugins. The catalog allows in-place installation inside the VNS3 UI – as opposed to requiring access via the Cohesive Website. To see all our available plugins, please visit the plugins page on our support site.

      Additionally the plugin Dashboard is available to provide simplified management of plugins.

      You also note that we’ve replaced the “Container” menu items with “Plugins” but don’t worry you can still access the Container submenu items via the Dashboard.On the right hand side of display there is a “Developer” menu which provide access to the lower level “Container”, “Images” and “Network” functions for the plugin system.

      VNS3 Overlay Mesh Hyperdrive

      We’ve seen Distributed Cloud deployments and use cases increase dramatically over the last few years. As a result the need for speed has become increasingly important in both intra-region as well as inter-cloud deployments. In response we’ve workd to dramatically increased the speed of the peering mesh for new deployments. Behind the scenes Cohesive has been building Wireguard tunneling capabilities into VNS3 since late 4.x releases. We are pleased to now offer this to our BYOL customers deploying new topologies. The Wireguard-based mesh can achieve peering throughput very close to the underlying virtual instance NICs. (Hats off to Jason Donenfeld and the WireGuard team for an amazing system.). Contact Cohesive support (support@www.cohesive.net) for a license which enables this feature BEFORE any deployment configuration.

      Additional Optimizations

      • Ping hosts work for route-based VPNs: Previously the “ping host” function (sometimes called a VPN Monitor by other vendors) worked only for policy-based VPNs. It now works for VTI and GRE route based VPNs.
      • BGP event logs available for external BGP peers and VNS3 Mesh peers now available via Logging Plugin in /mnt/logs/vns3_connection_logs/bgpd.log
      • BGP session up/down alerts available for BGP session up and BGP session down for BGP peers.
      • Additional IPsec Parameters – “re-allowed” DH22 for customers who refuse to believe it should not be used and support elliptical curve DH 31.

      Any user regardless of subscription SKU or support contract is eligible for upgrade assistance including live upgrade chaperoning by a member of our excellent support team. To schedule your assisted upgrade, open a ticket on our support system (support@www.cohesive.net) and we’ll ensure a smooth transition.

      NOTE: Peering between major versions (e.g. 4.x peered with 5x) can be done but we don’t recommend due to potential stability issues.

      Please don’t hesitate to reach out with any comments, questions, or feature requests (contactme@www.cohesive.net).

      IPSec with VNS3: Part I

      IPSec with VNS3: Part I

      by | Aug 24, 2021 | Connectivity, Network Architecture, Network Edge Plugins, Networking Fundamentals, Security, VNS3 Features

      Internet Protocol Security (IPSec) is used to encrypt communications between two computers over the internet. Usually it is done between between security gateways to allow two networks to communicate securely. On the data center side this will be done for the most part on physical boxes manufactured by the likes of Cisco, Juniper, Fortinet and others. In the public cloud it is virtualized. Cohesive Networks VNS3 is one such device that allows you to easily configure these secure connections into your cloud private network. Whether you are running a hybrid cloud, are an ISV that needs to connect to customer sites or are implementing a multi cloud strategy VNS3 can provide a stable, secure and simple solution.

      VNS3 can manage as many IPSec connections as you need, the only limit is the underlying instance resources. You can scale your VNS3 instance with the number of connections. It supports both policy and route based connections and supports a wide range of algorithms, hashes and Diffie-Hellman groups. In short, VNS3 can connect to just about anything out there. It’s highly configurable design lets you match exactly what it is communicating with. This all makes VNS3 a very stable solution.

      Setting up VNS3 is a breeze. You can launch it out of your cloud vendor’s marketplace and pay by the hour, or contact Cohesive Networks for longer term billing. VNS3 should be placed into a public subnet. Once launched you will need to either in AWS, turn off source destination checking, or in Azure, enable IP Forwarding on its network interface. In AWS you should attach an Elastic IP (EIP) to it or in Azure a Public IP Address. Once it is up you can manage it via its web interface. You will need to open up TCP port 8000 in your security group. Then open a browser and go to:

            https://:8000
            The default admin username is: vnscubed

      In AWS the default password is the instance id, in Azure the default password will be the virtual machine name followed by a hyphen then the private ip (ex. MyVNS3-10.0.0.1)

      Once you have logged in you should change the admin and api passwords.

      The IPSec configuration page can be found under the Connections section on the left hand side contextual menu. From there you will want to click on the “New Endpoint” button and will see the IPSec configuration form.

      Now it is just a matter of filling in the parameters for the endpoint you will communicate with. Typically you and the other party will agree upon a set of algorithms, hashes and dh groups as well as NAT-T or native IPSec and IKEv1 or IKEV2. While VNS3 does a good job of auto discovery it is best to make sure that both sides are explicitly the same. We provide a simple syntax for VNS3. An example might look like:

      phase1=aes256-sha2_256-dh14
phase2=aes256-sha2_256
pfsgroup=dh14
phase1-lifetime=3600s
phase2-lifetime=28800s
dpdaction=restart
dpddelay=30s
dpdtimeout=90s

      VNS3 simplifies this process by putting all of your configuration on a single page.

      If you are creating a policy based IPSec connection you will next need to create individual tunnels for your connection. This is done after the creation of the initial endpoint. After the endpoint is created you can create a “New tunnel” from the action drop down to the right of your endpoint. This will be your local subnet and then the subnet on the other side of the connection that you will be communicating with.

      With route based IPSec we support both Virtual Tunnel Interface (VTI) and over GRE, useful for sending multicast packets. If you are utilizing a VTI route based IPSec VPN you next want to set up a “New eBGP Peer” from the action drop down.

      Your IPSec configuration should now show as connected.

      In the next parts in this blog series we will dive into the tools we provide to troubleshoot a faulty connection, interesting things you can do with our firewall to transform the tunnel traffic, and some plugins we use to solve common problems.

      Zero Trust External Privileged Access Management and VNS3

      by | Apr 2, 2020 | Security, VNS3 Features

      According to a survey conducted last year by Centrify, a leader in the privileged access management space, 65% of companies are sharing root level access credentials in at least some instances. This backs up Forrester Research’s long held claim that privileged credential abuse is the leading attack vector. For network devices this figure rises somewhat as the survey showed that 68% of companies are not securing their network devices with privileged access control. This is not surprising as historically network devices have had single or few local users. Perhaps it is because smaller more trusted teams managed the network infrastructure. Or that when bootstrapping or troubleshooting network devices , relying on network connections to user directory servers could become problematic.

      Cohesive Networks has been guilty of this in the past. The challenge of implementing the principle of least privilege has always been complexity. The more complex a system or control is to manage the less secure it becomes. We have been putting a lot of focus on various methods of access management for our VNS3 cloud security edge controller that are simple to manage and operate.

      In a previous blog post we discussed how we have adopted Access URLs and API Tokens. Both of which allow for time-based access to VNS3. Where API tokens are useful for systematic access between the control and data planes and Access URLs are incredibly useful for one off access, we still needed to address long living user accounts and have done so by implementing LDAP authentication for VNS3. We have had this capability for our management server for a while and the time has come to extend that to our individual VNS3 network controllers.

      In the world of Zero Trust every user needs to have an identity. Ideally your identity system will enforce principles like password rotation and complexity standards. Things like managing on-boarding and off-boarding of authorized users, wether into or out of the system or groups, is what these systems are designed for. By shifting this function away from the VNS3 network device and its operators we allow you to not only to manage and enforce better security practices but address other corporate realities. Codifying some of the principles of Zero Trust are things like ISO 27001 and 27002, SOC and other compliance regimes which call for the segregation of duties. The people who maintain your privileged access management systems can’t be the same people who utilize them.

      You can now manage your access to your VNS3 controller through integration with LDAP, along with its Active Directory variant, and the usage of groups. We support encryption to your LDAP server via Secure TLS (StartTLS) and LDAPs utilizing certificate authentication.

      VNS3 LDAP integration page

      This new capability provides some really good improvements for VNS3 access control. However for those who are looking for a method that goes beyond “something you know”, security architects can add on “something you have” by utilizing the VNS3 encrypted overlay network in tandem with LDAP identity management. The VNS3 encrypted overlay network makes use of unique X.509 certificates. These give you your network identity to participate in machine to machine communications. In order to access the VNS3 controllers management interface, which runs on TCP port 8000, you could restrict access to only break-glass endpoints while allowing a broader access to UDP port 1194 where the overlay network operates. In this way network operators would need to first establish a TLS connection to the VNS3 controller with their individually issued certificate and through the established tunnel they would then connect to the VNS3 controller via it’s own overlay address. A further way to implement Zero Trust policies.New Paragraph

      Identity Access Management: Zero Trust Networks

      by | Nov 7, 2019 | Security, VNS3 Features

      As more and more traditional business infrastructure is being migrated to the cloud, traditional enterprise security and common corporate security practices are no longer enough to keep networks safe. Even as far back as the 2014 Sony Pictures Entertainment hack we’ve seen traditional, perimeter-focused security prove ineffective against attacks originating from within and beyond the network. During this attack, hackers were able to penetrate the perimeter firewall and access the entire flat network in a large-scale east-west exploit. In 2015, large enterprises like Google, Inc. began moving their corporate applications to the cloud with a heavy emphasis on a model where corporate data can be accessed from anywhere with the right device and user credentials. Facing the reality of a global network of networks, the traditional strategy of forming a security wall around an internal network is giving way to a many access point approach. This new Zero Trust strategy emphasizes protecting these access points from threats both within networks and without.

      What is a Zero Trust Network?

      Zero-Trust is a “never trust, always verify” strategy that relies on network segmentation and endpoint authorization rather than a single, unified, external firewall. This approach to network security assumes that no entity is trustworthy by default, leveraging application segmentation and “micro-perimeters” within a network to protect critical applications and data while preventing lateral movement.

      A Zero Trust network strategy addresses many common security concerns, including access management, authentication & connectivity, and endpoint & data security. Any access to network resources must be authenticated, including network management activity and applications. Authentication involves supporting industry standard authentication protocols and user directories for any access point to the network, including applications, endpoints, and network connections. Once authenticated, no longer can a single verification into a network enjoy unlimited lateral access within the network. Zero Trust involves the constant verification of users, applications, and data flows within and between networks and data, assets, application, and services micro-perimeters.

      Allowing access to network management applications is a key component in a Zero Trust strategy. Network administrators require the necessary access to manage the network, but supporting Zero Trust means providing access for only what is needed, possibly for a limited time, with the ability to shut down access if a threat is recognized. Different organizations have different processes, use cases, and critical elements when it comes to network management.

      Traditionally, network devices have one set of administrative credentials used not only for logging into network management applications but also in application scripts. The concern and threat here is that the “keys to the kingdom” credentials are dispersed throughout potentially many network administrator users and possibly in scripts or in repositories. These concerns are even further complicated by a password change. Incorporating industry standard identity protocols such as LDAP authentication with official directories enables users to be managed centrally, decreasing the risks of duplicating another user management system.

      How to Build a Zero-Trust Network with Cohesive VNS3

      New approaches and innovations continue to push us towards a Zero Trust strategy that allows for the necessary access management for users and applications without creating security holes. Network managers have to first understand the use cases required for accessing network management applications and scripts to work with vendors to provide access management solutions. If a network administrator has a use case to provide temporary access to a key vendor to support their technology, a typical approach may be to provide a temporary user account. But this now involves provisioning a user account with appropriate password policies, supporting forgotten passwords, eventually removing the account and any other actions required for a secure identity management environment. Maybe another access mechanism could be provided, that was secure, provides the necessary access for a limited time and automatically expires, with the ability of an administrator to terminate access if any threat is recognized. The key point is to provide a toolbox of secure options and use what is best for the use case.

       

      Cohesive Networks works with customers to build that toolbox of secure network access management options, supporting a Zero Trust policy for all access points in the infrastructure. VNS3’s API provides the ability to programmatically provision expiring access creds as well as build your network segments and perimeter policies, allowing you to build an encrypted network entirely declaratively in code. In the coming weeks we’ll be releasing more in-depth discussions of the approaches we take with VNS3 to enable you to create a secure Zero-Trust network, including how we approach access URLs, API tokens, and LDAP integration.

      VNS3 Empowers 30-Minute HIPAA-Compliant IntelliGuard Deployment

      VNS3 Empowers 30-Minute HIPAA-Compliant IntelliGuard Deployment

      by | Oct 2, 2019 | HIPAA, Security, VNS3 Features

      Intelliguard stock photo

      IntelliGuard recently engaged with consulting group Six Nines to address the “scalability, flexibility, and cost optimization” of their Microsoft Azure deployment. “By moving to AWS, IntelliGuard sought to design its platform architecture for HIPAA-compliance and enable seamless scalability, rapid development capabilities, and provide more features—such as advanced tooling in machine learning (ML) and high availability and replication features—to its teams.” As a APN Advanced Technology Partner, Cohesive had the pleasure of joining the team in order to complete this project, leveraging VNS3 to create an encrypted, HIPAA-compliant overlay network and site-to-site VPN. The success of this project has enabled IntelliGuard to automate the HIPAA-compliant deployment of its entire RFID Inventory Management System down to an impressive 30 minute window, while allowing for shorter and less painful release cycles that “drive value to the business more quickly.”

      Click here to read the full AWS success story.