Securing Amazon Workspaces with VNS3

Securing Amazon Workspaces with VNS3

The recent upsurge in remote working may have you thinking about new ways to achieve centralised control of a distributed workforce. One way to do this is to use a Desktop-as-a-Service(DaaS), Amazon Workspaces is one offering. We’ll show you how VNS3 can improve security, visibility and control of your DaaS infrastructure.

But First, What are Amazon Workspaces?

Amazon Workspaces are AWS’s managed DaaS solution which allows you to provision Linux or Windows desktop environments. Your users access and use the desktop via the Workspaces app as if it were installed locally. They can surf the web, download software and access other resources on the network, great, right?

What’s Going on in the Background?

When you launch Workspaces via the wizard, AWS creates a VPC, 3 Subnets, 2 AD servers and the Workspace instances, that’s a lot of stuff going on in the background. 

Whilst some of this is managed from a maintenance perspective; with the shared responsibility model you are still responsible for what can be accessed, shared, downloaded and installed on and in your DaaS infrastructure.

How VNS3 Secures Your Workspaces

VNS3 deployed in your public subnet can be configured as the ingress/egress point for your VPC. This allows you to control traffic in and out of your network, including your Workspaces. When we route the traffic to the internet via VNS3’s Elastic Network Interface (ENI), coupled with our overlay network you have complete visibility of what’s going where. 

Sounds like a fancy NAT device, I hear you say?

Sort of, but VNS3 is much more. With visibility comes the ability to control what’s happening on your network. VNS3’s Network Sniffer allows you to filter and watch live traffic or you can capture trace files for export and analysis later. 

For automated traffic monitoring our plugins are the way to go, to control web and application traffic our WAF plugin can be used inline to log, alert or restrict certain activity. If our curated plugins aren’t compatible with your current tech stack, we can easily create and deploy a custom plugin using technologies you’re already familiar with.

VNS3 Secure workspaces in AWS

In this diagram we have VNS3 centrally controlling traffic, with the addition of Nginx, ModSecurity and OWASP. Out to the right we have Cloudwatch and Datadog for external monitoring of VNS3.

If you’d like to discuss this deployment, or some of the features of VNS3 not mentioned in this post, including VPN’s, HA, Peering please contact us at contactme@www.cohesive.net.

Managing AWS Workspaces with VNS3

Cloud and network virtualization have created the opportunity to have virtual networks that transit your applications and staff to, through and across the clouds. These networks can stretch across the globe in multiple, to 10s of locations (points of presence) or more. In the case of Cohesive Networks our virtual networks are used to create cryptographically secure overlay networks in full mesh architectures. When implementing the cryptographic mesh (at scale machine-to-machine VPN) it is critical that the cryptographic credentials can be easily managed across the controller mesh. Our goal at Cohesive is to make managing the credentials straightforward and clear; associating credentials with users via tagging, enabling/disabling so that credentials can only be used when desired, checked out/in state to help manage via automation, check log information for specific credentials, and manage certificate revocation. Below is a short video showing the key elements of straightforward key state management in an N-way VNS3 controller mesh.

Hopefully the video highlights the essential key state management capabilities we have strived for. They are part of the foundation of the VNS3 Controllers which are used to build a wide array of service edge use cases. VNS3 encrypted topologies combined with our plug and play security system, you or your management service provider can achieve both Workload and Workforce mobility using secure network virtualization.

Building Global Hybrid-Cloud Infrastructure Automation with Pipes and Python3

Building Global Hybrid-Cloud Infrastructure Automation with Pipes and Python3

Building automation for foundational hybrid-cloud infrastructure deployments in hybrid cloud environments is hard. At Cohesive Networks we’ve helped our users build out networks that span datacenters, public clouds, IOT networks, even cell networks for bridging SMS communications. So we can find ourselves stitching together cloud infrastructure using different APIs in different clouds assuming different credentials etc. It can seem a little daunting. Now, If you’re in single public cloud, life’s a little bit easier: each cloud has their own deployment manager and Infrastructure as Code (IaC) templating system that more or less suffices. The complexity arises when you need to, say, build some infrastructure in AWS, then switch context and build in Azure, and switch back to AWS with state from the Azure infrastructure to continue building in AWS. The goal here is to step through an example architecture and simplify our deployment using pipes and python3.

The Hybrid-Cloud Architecture

So let’s run through a common hybrid-cloud architecture, break it down into discrete steps and see if we can’t simplify our lives.

VNS3 federation Plane

Here’s a simplified architecture we see quite a bit: Account B in Cloud Y is providing connectivity (down and across) to Account A in Cloud X. Account A would like its applications to have secure access to any applications running on premise. At Cohesive we call the routing plane in Account B the “federation plane” and the whole network the “federation network”. It provides highly available connectivity to any new virtual private clouds (VPC) spun up in Cloud XYZ.

Automated VPC Cloud Construction

Ok, so let’s run through automating the construction of a new VPC in Cloud X that automatically has connectivity to on-premise applications. The steps for us look something like:

  1. Fetch network configuration for new VPC subnet (e.g. CIDR 10.1.0.0/16 with your favorite subnets)
  2. Create new VPC and virtual router/firewall (VNS3) for Account A in Cloud X
  3. Create fednet routing – routes for traffic “up” to 10.1.0.0/16.
  4. Create new VPC routing – routes to on-prem, traffic 10.0.0.0/16 to controller interface for routing traffic “down” to fednet
  5. Temporarily open API access for configuring VNS3 network routes and firewalls
  6. Connect new VPC with federation network by IPSEC peering controller in account A with federation network controllers
  7. Remove API access
  8. Teardown any configuration resources

Each step requires state from the previous step. This is really just a simple pipe: “echo parameters | fetch-network-config | create-new-vpc | …”. Ah, the beauty in simple ideas decades old. Each step accepts the previous step’s state, runs the step’s task, enriches the data with any new state and returns it. Now, I’ve always been partial to python for its ease of use and readability for things like this. Unfortunately, it doesn’t have native pipelining functionality. So let’s build it. Python3 also has some nice async features that we can take advantage for optimizing our automation.

The Python 3 Pipeline

A first pass at a simple pipelining function could be as simple as this:

Python Pipe Code

I like to use python3’s new typing functionality because I think it makes for more maintainable code. Here it tells maintainers that a step is a tuple of length 2, where the first element is a string and the second is a callable function. We also copy the initial data so as not to mutate our caller’s data and then simply loop through our functions. So a pipeline function for our architecture might look like this:

Python Pipe Code v2

So what’s going on here?

  1. We initialize some cloud clients that have permissions for provisioning resources in our cloud environments
  2. We define each step with a name (for readability and logging purposes) and a function. The function partial binds the parameters passed (template) to the function provided as the first argument. You’ll see each step can target whatever cloud we want using whatever IaC templates we like and the state will be passed through. In fact, each step can do anything so long as it respects the function signature expected (ie. it accepts and returns a dictionary).

A Little Optimization

This works quite nicely and it’s very simple. You might notice that some steps could perhaps be combined or run concurrently. Python3’s asyncio makes that quite easy:

Python Async Pipe Code

Our new pipe function has a couple changes:

  1. It now accepts different kinds of steps as indicated by the Union typing parameter. Our pipe now accepts a step that provides a list of functions rather than just one. Using asyncio.gather we can run each sub-step concurrently (each sub-step must implement the async/await paradigm )
  2. We also updated our step functions to return a dictionary that has an optional “outputs” key for passing along in the pipe.

Add thats it. Pretty minor changes to take advantage of steps that can be run concurrently. Here’s what our deployment pipeline looks like now:

Python run function awsync pipe

We’ve found this approach simple and effective. I’ll end with putting out a feeler: is there any interest in an open source python3 library for hybrid-cloud deployment automation? It would be purposefully simple and pluggable, adopting only a few powerful idioms like a pipeline. Let us know!

A look under the hood: VNS3 networking devices

A look under the hood: VNS3 networking devices

As you’ll remember from networking foundations (4 things everyone should know about network layers), routers, switches, firewalls, and port filtering all happen between layers 4-7 of the OSI layer model.

Quick, here’s a short video on what devices work at each layer:

One thing we like to brag about with VNS3 is that it is a layer 4-7 networking device. What does that mean? How can that be? VNS3 is software, and acts as 6 devices in 1:

  • router,
  • switch,
  • SSL/IPSec VPN concentrator,
  • firewall,
  • protocol distributor,
  • scriptable network function virtualization

VNS3 is a network appliance – or virtual, remember it’s software. With a software-based networking devices you can build those function on top of cloud-provider devices, like AWS security groups or Azure network security groups. Remember that defense in depth !

How does it work? What’s it made out of??

VNS3 builds on core VPN concepts but allows more customer control with an “overlay network.” An overlay network is a computer network built on top of another network. Nodes in an overlay can be virtual or logical links. VNS3 adds control over topologies, network addressing, encrypted communications, and network protocols.

Unlike other VPNs, VNS3 also acts like a virtual router, switch, firewall, VPN concentrator, protocol redistributor, and NFV container. VNS3 allows many, many networking use cases including:

  • application layer firewall with custom rules and hashings
  • connecting both NAT-T and Native IPsec endpoints on the same endpoint
  • Layer 2 Bridging over GRE as well as GRE tunneling over IPsec
  • customizable, flexible networks with Docker containerized network services
  • Trend Micro Deep Security central management agent

VNS3 Controllers are virtual machines (VMs) that act as a VPN gateway for the other virtual machines in the same cloud infrastructure. VNS3 synchronize between each other using RabbitMQ ( a little thing we put together a while ago ). VNS3 has a web-based UI and traditional Linux system command line interface (CLI). The VNS3 API uses a Ruby script and Ruby language binding. Everything else is a secret. Seriously, we’ve got a patent.

Put it all together: VNS3 devices

VNS3 cloud overlay diagram

How to: Configure a new VNS3 Controller from a Snapshot

How to: Configure a new VNS3 Controller from a Snapshot

What is a Snapshot?

You can save your VNS3 Controllers configuration with the VNS3 Runtime Snapshot feature.

Use Snapshots to reconfigure a new Controller with the same SSL Certificates and Keyset with just one file upload. In the event of a Controller failure or re-provisioning event, you can upload the snapshot file to a new VNS3 Controller. The new Controller will retain all the configuration settings as your saved snapshot.

You can view all snapshots under Maintenance > Snapshots. Remember to also download snapshots to your local network.

Always have a VNS3 configuration snapshot on hand! In case something goes wrong with your underlying VM host, you will be able to quickly get back up to speed. Best practices are to always have a current VNS3 snapshot for all running instances. For a detailed step-by-step guide for taking a snapshot of your VNS3 configuration and uploading it to a newer 3.5+ version, see our Support guide here.

How to use a Snapshot to configure a Controller

If you haven’t already, log in to your VNS3 UI via a browser: https://<Controller IP>:8000.

If you’ve never configured this VNS3, you will see the Initialization page. 

Click the Upload Snapshot link on the left.

VNS3 import snapshot

Browse for your saved Snapshot and upload. The Controller will reboot with the updated configuration. The same Clientpacks will be available in the Controller, so redistribution to each server on the virtual network is not necessary.

A slight configuration change on each server on the virtual network is necessary if you have not assigned Elastic IPs to your Controller. The OpenVPN configuration file (vnscubed.<conf ovpn>) on each server needs the new IP of the new Controller referenced in the remote commands section.

To automate this step, you can assign an Elastic IP to the Controller and reference the Elastic IP in each server’s OpenVPN configuration file. Likewise in Azure, their version is simply called a Static IP. That way your overlay network devices will automatically connect back with the Controllers and will save you time on both Controller and client configuration.

What’s Next

Remember that after you initialize you must generate keys to create your VNS3 clientpacks and set up Controller peering to finish configurations

NOTE : all VNS3 editions must complete the peering step, even for single Controller topologies.

Watch the video

If you have trouble with the video player below, watch the video on YouTube: https://youtu.be/pjQUoIIgsW8

4 tips for managing cybersecurity for small business

4 tips for managing cybersecurity for small business

Data breaches can seriously damage a SMB, both in IT cost and loss of business. Prevent disaster by creating, updating, and refining cybersecurity policies.

The impact of a data breach on a small business can be catastrophic.

Top cybersecurity threats to small businesses (SMBs) are very similar to the risks all enterprises face. The stakes are much higher for SMBs because they often lack the resources to fight back and prevent data loss. Large firms have teams of security experts and can afford extensive audits. SMBs can be more vulnerable to security risks and struggle to quickly react to vulnerabilities.

So how can SMBs fight cybersecurity risks? Prevent IT vulnerabilities and educate employees about data security best practices.

your business is small, but risks are enterprise-size

The 2016 Ponemon Cost of Data Breach Study notes the average total cost of a data breach increased from $3.79 to $4 million since last year. Data breaches are more than stolen records, considering the cost of lost business, increased customer acquisition activities, reputation loss, and diminished goodwill. Ponemon also found that average organizational cost of data breach in the US is more than $7.01 million.

The best way for small businesses (SMBs) to deal with cybersecurity risks and data breaches is to prevent them. Of course it’s easier said than done. With limited resources, SMBs need to get creative to spot vulnerable to cybersecurity risks than large companies and struggle to quickly react to vulnerabilities. The first step is to evaluate current security policies: everything from the office wifi network password to how customer payment information is stored.

See the InformationIsBeautiful interactive to see the root causes of the most recent data breaches and their impact:

Tip 1: keep pace with both risks and compliance by self-evaluating

Frequently self-evaluating the company’s cybersecurity practices is the best way to detect and prevent cybersecurity threats. SMBs can use the NIST Cybersecurity Framework (it’s free!) as a blueprint to evaluate current security policies and remodel data protection polices to focus on preventing vulnerabilities and to set goals to improve and maintain security.

SMBs should self-evaluate cybersecurity at least once a year, with participation from all business unit leaders and all of the IT team.

Traditional standards and protections – like the Payment Card Industry (PCI) DSS , Health Insurance Portability and Accountability Act ( HIPAA ), and others – all attempt to do the same things: protect sensitive data. The NIST Cybersecurity Framework is unique because the Framework combines the best practices of other security standards to focus on outcomes, rather than avoiding liability. The Framework has huge potential value for any organization looking to establish cybersecurity standards.

Tip 2: don’t become a victim of your own success

As SMBs grow and add employees and partners, your IT systems and data security policies must also evolve. Your IT team must share access to vital business data and systems without leaving any vulnerabilities. For example, a small company can rely on a single IT person to manage access to data, a server, and the company network. As the organization grows and adds employees and technologies that “single point of failure” becomes a risk for the company.

The best way to manage data security is to build it in from the beginning. Security for data and networks should grow with the business, with precautions built into business goals. Your business should use the regular self-evaluations in Tip 1 to check up on the reality of your security policies as the business grows.

In the last two years we have seen a shift from passing compliance audits toward actionable cybersecurity policies to prevent costly data loss. SMBs can prevent costly data loss by acting now to evaluate and boost security policies, then regularly check in on policies as the company grows.

Tip 3: Involve everyone in security and prevention

SMBs should involve everyone – including IT, HR, sales, and legal teams – in the cybersecurity self-evaluation process. First, company-wide involvement encourages bigger-picture thinking. Input about how data protection can be both practical and effective. For example if a policy requires employees to change their passwords every month and use 12 non-repeating characters, employees will likely cope by writing down passwords and reusing old logins which will defeat the purpose. Likewise, the IT team should be involved if the procurement team requires new vendors to pass certain security standards.

Another perk of company-wide involvement in regular security evaluations is the opportunity to update employees about data privacy. SMBs can educate employees on how to keep both personal and corporate data private to prevent data breaches. Cybersecurity training, at least once a year, can help both the business and individuals prevent cybersecurity breaches.

Tip 4: Add security in layers – defense in depth

Traditional security policies and vendors focus too much on the exterior defenses. Policies for employee screening, physical security, and website cookie blockers are all important, but don’t overlook internal network security. In the famous Target and Sony data breaches the hackers broke in and then exploited weak internal network security to plunder the critical data that was freely connected inside the corporate network.

Add encryption and monitoring within your network to strengthen existing security.

“Defense in depth” is a term borrowed from the military where several varied layers of security offer better protection than a single, reinforced perimeter. Your data security policies shouldn’t stop with preventing bad actors from entering, but also extend inside your network to monitor and limit access between IT systems.

How can Cohesive Networks help?

At Cohesive, we’ve combined our connectivity technology with dataflow and compliance tools to create secure, redundant networks for each set of critical data. VNS3:turret is our application segmentation product designed to surround and encrypt your data wherever it goes.

Those additional layers of security builds ‘defense in depth’ into each application, or group of business data. VNS3:turret lets you encrypt and manage network traffic. Protect against both external exploits and unauthorized interior network access. VNS3:turret guards your network by routing traffic through encrypted switches.

VNS3:turret allows you to:

  • Create a cryptographically unique micro-perimeter around each application.
  • Segregate applications to eliminate east-west vulnerability and monitor interior traffic.
  • Isolate and monitor all traffic to flow through the secure edge.
  • Automate compliance reporting with dataflow and monitoring tool integration.
  • Provide the most comprehensive application security model available today.

Availability:

VNS3:turret is available for private cloud customers, as well as public cloud users. Contact Cohesive Networks to get started today: sales@www.cohesive.net