Zero Trust External Privileged Access Management and VNS3

by | 2 Apr 2020

According to a survey conducted last year by Centrify, a leader in the privileged access management space, 65% of companies are sharing root level access credentials in at least some instances. This backs up Forrester Research’s long held claim that privileged credential abuse is the leading attack vector. For network devices this figure rises somewhat as the survey showed that 68% of companies are not securing their network devices with privileged access control. This is not surprising as historically network devices have had single or few local users. Perhaps it is because smaller more trusted teams managed the network infrastructure. Or that when bootstrapping or troubleshooting network devices , relying on network connections to user directory servers could become problematic.

Cohesive Networks has been guilty of this in the past. The challenge of implementing the principle of least privilege has always been complexity. The more complex a system or control is to manage the less secure it becomes. We have been putting a lot of focus on various methods of access management for our VNS3 cloud security edge controller that are simple to manage and operate.

In a previous blog post we discussed how we have adopted Access URLs and API Tokens. Both of which allow for time-based access to VNS3. Where API tokens are useful for systematic access between the control and data planes and Access URLs are incredibly useful for one off access, we still needed to address long living user accounts and have done so by implementing LDAP authentication for VNS3. We have had this capability for our management server for a while and the time has come to extend that to our individual VNS3 network controllers.

In the world of Zero Trust every user needs to have an identity. Ideally your identity system will enforce principles like password rotation and complexity standards. Things like managing on-boarding and off-boarding of authorized users, wether into or out of the system or groups, is what these systems are designed for. By shifting this function away from the VNS3 network device and its operators we allow you to not only to manage and enforce better security practices but address other corporate realities. Codifying some of the principles of Zero Trust are things like ISO 27001 and 27002, SOC and other compliance regimes which call for the segregation of duties. The people who maintain your privileged access management systems can’t be the same people who utilize them.

You can now manage your access to your VNS3 controller through integration with LDAP, along with its Active Directory variant, and the usage of groups. We support encryption to your LDAP server via Secure TLS (StartTLS) and LDAPs utilizing certificate authentication.

VNS3 LDAP integration page

This new capability provides some really good improvements for VNS3 access control. However for those who are looking for a method that goes beyond “something you know”, security architects can add on “something you have” by utilizing the VNS3 encrypted overlay network in tandem with LDAP identity management. The VNS3 encrypted overlay network makes use of unique X.509 certificates. These give you your network identity to participate in machine to machine communications. In order to access the VNS3 controllers management interface, which runs on TCP port 8000, you could restrict access to only break-glass endpoints while allowing a broader access to UDP port 1194 where the overlay network operates. In this way network operators would need to first establish a TLS connection to the VNS3 controller with their individually issued certificate and through the established tunnel they would then connect to the VNS3 controller via it’s own overlay address. A further way to implement Zero Trust policies.New Paragraph