Owning our mistakes, “mea culpa” from Cohesive’s CEO

Owning our mistakes, “mea culpa” from Cohesive’s CEO

We owe our customers an apology as a several issues were recently found by the Trend Micro Zero Day Initiative.

Two of them had a high score because of the potential for an unauthenticated user to trigger remote code execution.

(Note: Like with other recent industry exploits, if your control plane access is limited as we advise, then the risks are significantly lower.)

If you follow the CVEs that are released every day, we are not alone, but that is still not an excuse.

While our engineering management and company management are intimately involved in all code changes and releases, as our solution footprint has grown and our responsibilities to our customers have grown, we did not expand some of our processes comensurately.

We have worked with customers since the disclosure getting them patches and new cloud images.

We have added additional code review tools and processes to our releases.

Thank you to Trend Micro ZDI and Mehmet INCE @prodaft for the discovery and working us through the disclosure process. We are grateful for the help from the community to make our products and customers more secure.

Any users of the VNS3 Network Platform who need assistance can always reach us via support@cohesive.net and we will assist with patching and upgrades.
https://cohesive.net/support/security-responses/

– Pat Kerpan
CEO, Cohesive

To agent or not agent, the CrowdStrike question

To agent or not agent, the CrowdStrike question

Some thoughts on the CrowdStrike events at a broad level. We don’t provide the type of capabilities they do, so I don’t feel comfortable inveighing on what happened and how it happened.  But, we do have some thoughts on when to take the risk of deploying agents into your systems.

At Cohesive we have a standard response to customers wanting to install <fill in the blank agent> into our VNS3 Network and Security platform virtual appliances. It is always a difficult situation as it is being pushed by the security team and CISO, at what tends to be our larger, more revenue significant customers. It is difficult because our answer is a polite, yet vehement “no”.

The VNS3 control plane should only be open to an allow-listed operations ingress address. The data plane should be open to the ports and services you use our platform for. (We are often a cloud edge firewall, people vpn, data center vpn, waf, and more.) The biggest liability to the security and operational integrity of our devices would be to add an agent that can be exploited or can itself cause an outage. This has happened in the industry (but not to us) numerous times over the recent years via things like SolarWinds, Microsoft OMS agent, and now CrowdStrike to name a few.

One of the oft-used phrases at Cohesive is “horses for courses” and we use that British idiom as part of our approach to making architectural and deployment security recommendations. With respect to the panoply of agents that vendors and security teams alike argue to be installed in all your systems, we think it is quite apropos. We think you need to look at what the purpose and placement of the computing devices is in order to make this decision.

Seinfeld - His father was a mudder, his mother was a mudder

If it is a computer used by a person, especially hybrid use or remote use, how are are you going to protect it? For the most part you can’t protect the network it is on, since it is running on networks you don’t control.

There are some options outside of agenting, for example if using Windows operating system you could use group policy to force the machine onto a virtual network with no ability to access the Internet other than through your VPN’s edge, but it is bad user experience and expensive to have acceptable points of presence.

And even if forcing users onto a VPN, what about email phishing links and attachments, what about Microsoft Office macro exploits that leak into your shared drives? Super tough, and I am glad we aren’t in that business.

People make mistakes. Even well-trained, diligent people can make mistakes in where they browse to or what they click on, and you need to be able to address possible exploits there at the point of attack. So I can’t really blame someone for wanting to believe these types of products are the answer.

At Cohesive which admittedly is not a huge company, our answer has evolved from ‘Microsoft Office is disallowed’, to now ‘Windows is not allowed’. Right there the “people attack surface” is minimized. However, that is a long migration or a “never migration” for many companies. In these cases, I think “agent away” and be judicious in the vendor you choose.

What about business servers, the computers that are not the personal device of an end-user, but rather are there to perform a function like database or API serving or message queuing? Again, for Cohesive, easier in that Windows is not allowed, business services are built on Linux. That said, whether Windows or Linux, in these scenarios why are you ‘protecting’ the computer instead of the network? Those business servers are not going to click on links, browse bad websites, or download malware. They are automatons performing specific, repetitive operations.

This is where we are skeptical of the agent approach and will not allow it for our network appliances, and as applicable would not allow for business services. (CrowdStrike apparently created a similar issue previously on some Linux distributions: https://www.theregister.com/2024/07/21/crowdstrike_linux_crashes_restoration_tools)

In these cases the VNS3 Network Platform (or similar vendor offerings) is there to protect and monitor ingress and egress to the network, along with other elements of what should be thought of as a security lattice. Using cloud or data center virtualization, you have your cloud network security groups and network ACLs, along with your OS firewall, both of which should be working in tandem with network appliances like VNS3. You can then run WAF or IPS at these ingress/egress points as well – run them inside VNS3 or run them via an appropriate cloud service offering.

We think these are the rules to follow:

  • Computer primarily used by human and it has to be Windows, agent it and anti-virus it.
  • Computer primarily used by human and is Mac or Linux, anti-virus it.
  • Computer used by computers, both micro-segment and protect the network, use a security lattice. The risk from any agents are too high.
  • (OPTIONAL) Computers used by computers are ideally Linux servers using the distributions’ minimal install with at least some elements of CIS hardening.

But then you loudly proclaim, “we need visibility into the VNS3 (or other) appliances for our <DataDog, Syslog Server, SumoLogic, AlertLogic, etc..>!”

OK – you got us. We DO allow visibility to logs, network configuration and statistics, netflow, and some API calls for system status to plugins that run inside VNS3 – but don’t have full host access.

When you are running VNS3 controllers, whether a single one or a larger cluster, you are running a mini “docker cloud” inside your virtual network. We have a set of pre-built plugins as well as a published set of elements needed to make any open source, proprietary source, or commercial source that can be containerized, into a compliant plugin. This gives you the ability to put analysis and monitoring INTO the network, yet not be able to disrupt the network security device; observability with security.

(And now the sound of Cohesive patting itself on the back for this balanced approach to agenting.)

ZTNA: Is it really the end of VPNs?

ZTNA: Is it really the end of VPNs?

The Zero Trust Network Architecture (ZTNA) movement has been around long enough that many vendors have proclaimed the “end of the VPN era” (1)(2)(3).  While ZTNA offers valuable security benefits, we can’t help but wonder if this declaration is premature and naive.

Don’t get me wrong – ZTNA is a powerful approach to secure applications. By assuming all users are potential threats, it verifies, identities, and permissions before granting access to resources. However, relying solely on layer 7 (L7) solutions like those described by ZTNA advocates may leave your organization vulnerable to other types of attacks.

The Limitations of L7 Security

ZTNA’s focus on the application layer can’t address issues at the network layer. Few enterprises have HTTPS/web-based only infrastructure. It is more complicated than that at the network layer. This means that even with a robust ZTNA solution in place, you’re still exposed to threats like DNS spoofing, IP spoofing, and lateral movement.

Perhaps at the heart of our disagreement, if we had to pick “no vpns” vs. “everything is a vpn”, we would lean toward the latter. Your carrier network uses virtual private networks, your cloud subnets at AWS and Azure are virtual private networks, your VMware infrastructure running NSX is a virtual private network, and so it goes throughout the infrastructure used by well-secured enterprises. Oh and you’re technically reading this blog through a tunnel (encrypted communication channel established between your browser and the web server using TLS/SSL cryptography).

A Combined Approach is Key

Instead of relying solely on a simplistic definition of ZTNA, we recommend a combined approach that incorporates multiple security layers. This includes:

  1. Network segmentation: Divide your network into smaller segments based on business needs, reducing the attack surface and limiting lateral movement.
  2. Encryption: Encrypt sensitive data in transit using technologies like Wireguard, OpenVPN (SSL/TLS), and IPsec.
  3. ZTNA: Implement ZTNA to verify identities and permissions at the application layer.
  4. Network security appliances: Use network security appliances like firewalls, intrusion detection systems (IDS), and next-generation firewalls (NGFW) to detect and prevent threats at the network layer.

While ZTNA is an essential approach to a comprehensive network security strategy, it’s not a panacea for all network security issues. By combining multiple security layers, you can create a robust defense that addresses various threat vectors.

Don’t fall prey to the hype – take a balanced approach to securing your organization’s network.