Well-Architected VNS3 Security

The AWS Well-Architected Framework

Amazon recommends following the AWS Well-Architected Framework to align plans, architecture, and operations with its cloud best practices. It’s worth reviewing the framework in depth for your own AWS-based projects.

AWS’ well-architected framework’s 4 pillars

Since Cohesive Networks mainly focuses on networking and security, we’ll highlight parts from AWS’ Framework and other network and security best practices.

The AWS Well-Architected Framework is based around 4 “pillars”:

  1. Security – The ability to protect information systems and assets while delivering business value through risk assessments and mitigation strategies.
  2. Reliability – The ability to recover from infrastructure or service failures, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.
  3. Performance Efficiency – The efficient use of computing resources to meet system requirements, and maintaining that efficiency as demand changes and technologies evolve.
  4. Cost Optimization – The ability to avoid or eliminate unneeded cost or suboptimal resources.

At Cohesive Networks, we have a process called “coalescence,” where we encourage customers to match ideal architectures to the realities of public cloud environments. Cloud users should both account for their current architecture and build with an end architecture in mind.

This way, as the realities of the cloud creep into the build-out, you are prepared for them. Follow security best practices from the beginning and always architect networks for recovery and connectivity.

Network planning and security highlights from the Well-Architected Framework:

  • Limit access to networks and servers to the “least privilege” rule
  • Capture and analyze network traffic logs
  • Use AWS services to encrypt data at rest, and add on security features to encrypt data in transit
  • Plan your cloud/AWS resources to interact with any existing on-prem network topology
  • Build networks for high availability, failover, and disaster recovery
  • Test systems and network services for resiliency
  • When building a network solution, consider location to reduce distance
  • Take advantage of regions, placement groups, and edge locations to improve performance
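To make the first bullet, least privilege for network access, concrete, here is an added example that is not from this page, from Cohesive Networks, or from AWS. It audits a constructed list of security-group-style ingress rules and flags the ones that are broader than the workload needs. The rule shape (`id`, `cidr`, `from_port`, `to_port`), the set of ports meant to be public, the admin-port list and the “wide range” threshold are all assumptions chosen for the demo, not anything the AWS API or the framework prescribes.

```python
import ipaddress

# Assumptions for this constructed workload: only HTTPS is meant to be reachable from the
# internet, and these remote-administration ports must never be open to broad ranges.
PUBLIC_PORTS = {443}
ADMIN_PORTS = {22, 3389, 5985, 5986}
WIDE_RANGE = 1024  # a rule spanning more ports than this is not scoped to one service

# Constructed sample rules (a simplified shape, not the AWS API response format).
SAMPLE_RULES = [
    {"id": "sgr-web-https",   "cidr": "0.0.0.0/0",      "from_port": 443,  "to_port": 443},
    {"id": "sgr-ssh-world",   "cidr": "0.0.0.0/0",      "from_port": 22,   "to_port": 22},
    {"id": "sgr-rdp-corp",    "cidr": "10.0.0.0/8",     "from_port": 3389, "to_port": 3389},
    {"id": "sgr-ssh-bastion", "cidr": "203.0.113.0/24", "from_port": 22,   "to_port": 22},
    {"id": "sgr-all-open",    "cidr": "0.0.0.0/0",      "from_port": 0,    "to_port": 65535},
]


def port_range_touches(lo, hi, ports):
    """True if any port in `ports` falls inside the inclusive range lo..hi."""
    return any(lo <= p <= hi for p in ports)


def audit_ingress(rules):
    """Return (rule_id, severity, reason) for each ingress rule broader than least privilege."""
    findings = []
    for r in rules:
        net = ipaddress.ip_network(r["cidr"], strict=False)
        lo, hi, rid = r["from_port"], r["to_port"], r["id"]
        span = hi - lo + 1
        if span > WIDE_RANGE:
            findings.append((rid, "HIGH", f"{lo}-{hi} spans {span} ports; scope the rule to the service"))
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: the whole internet
            exposed = sorted(set(range(lo, hi + 1)) - PUBLIC_PORTS) if span <= WIDE_RANGE else ["all"]
            if exposed:
                findings.append((rid, "HIGH", f"ports {exposed} reachable from the entire internet"))
        elif net.prefixlen < 24 and port_range_touches(lo, hi, ADMIN_PORTS):
            findings.append((rid, "MEDIUM",
                             f"admin port open to the broad range {net}; restrict to a bastion or jump host"))
    return findings


if __name__ == "__main__":
    for rid, sev, why in audit_ingress(SAMPLE_RULES):
        print(f"{sev:6} {rid}: {why}")
```

Run against the sample rules, the HTTPS rule and the /24 bastion rule pass, SSH from the world and the all-ports rule are flagged HIGH, and RDP from the whole corporate /8 is flagged MEDIUM. The same function works on rules exported from a real account once they are mapped into the assumed shape.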

Fitting it together: Mixing in VNS3 for application layer security

Security, customization and control were the 3 big reasons we created our overlay networking and VNS3. As Cohesive began to put its own computing systems into the cloud, we were uncomfortable with the loss of control over our network infrastructure.

VNS3 lets you extend enterprise firewall and security rules into the cloud to enclose, isolate, and control all of your cloud networks. VNS3 offers enhanced network services on top of the cloud platform’s own network. Our customers use VNS3 for VLAN peering, full encryption of data in motion, application layer firewalls, and cross-region peering.

In particular, VNS3:turret can secure applications in micro-perimeters to eliminate east-west vulnerability. These Application Security Controllers are deployed as encrypted, clustered, software-only virtual instances that secure mission-critical business systems in public or private cloud. VNS3:turret provides the most comprehensive application security model available today.

4 things everyone should know about network layers

This is a first in a series of posts about networking fundamentals.

At Cohesive Networks we have found that not all VNS3 users are networking experts – and that’s ok! Usually customers come to us to solve a problem. It is usually network related, but not always. We often find that business units or operations teams are looking for a solution to a connectivity or security problem, regardless of how the networking piece fits in.

We’re always here to help. Our award-winning support team helps customers solve problems, but also troubleshoots networking troubles. From misconfigured settings on physical network devices to sneaky cloud set up pitfalls, our team is here to help.

1. The OSI layers

Arguably the OSI layers are the foundation for all networking knowledge. The OSI Model (short for the Open Systems Interconnection model) evolved in the 1970s and 80s from the early ARPANET and telephone providers. The model describes network connectivity and activity as 7 layers. A similar model, the TCP/IP model, is a combined version of the OSI layers.

Essentially, data passes from one connected device to another over a network by going from the top of the OSI model down to Layer 1, then back up again to Layer 7. As data passes through each layer, essential functions like encryption and encapsulation occur. Data travels from a software application at Layer 7 down to a router at Layer 3, packets bounce between physical hubs at Layer 1, then come back up to a router at Layer 3 on the other side, and finally up to the connected application at Layer 7.

How can you remember “Physical/Data Link/Network/Transport/Session/Presentation/Application” in the Layer 7 OSI model? How about “Please Do Not Teach Students Pointless Acronyms.”

2. Packet-switched networks

Packet-switched networks are characterized by how they exchange data. Packets, or discrete units of data, are transmitted between devices in a network. Packet switching improves network efficiency and enables more devices to communicate reliably on a network.

Packets are made up of “headers” and “payloads.” The header contains information about the packet’s destination. Networking devices use the header to direct the packet toward its destination. Once it reaches the final destination, the payload is extracted and used by application software.

Packet-switched networks are generally better because they transfer data in small units, as opposed to one continuous firehose of data. That way, receiving parties can confirm delivery of each unit and ask for data to be resent if needed.
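The header/payload split, and the encapsulation described in the OSI section above, are easier to see in bytes than in prose. The following is an added example, not code from this page or from Cohesive Networks: it wraps a constructed application payload in a UDP header and then an IPv4 header (encapsulation on the way down), shows what a Layer 3 router does with the result (it reads and updates only the IP header), and then strips the headers again at the receiver (decapsulation on the way up), rejecting packets whose header checksum or lengths do not add up. The addresses, ports and payload are constructed sample values; the header layouts are the standard IPv4 and UDP formats.

```python
import socket
import struct

# Constructed sample values for the demo (private addressing, arbitrary ports).
SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"
SRC_PORT, DST_PORT = 40000, 53
IP_PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip, dst_ip, src_port, dst_port, payload: bytes, ttl: int = 64) -> bytes:
    """Encapsulation on the way down: payload -> UDP segment (Layer 4) -> IPv4 packet (Layer 3).
    Each layer prepends its own header and treats everything inside as opaque payload."""
    udp_header = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)  # checksum 0 = none
    segment = udp_header + payload
    ver_ihl = (4 << 4) | 5  # IPv4, header length 5 x 32-bit words = 20 bytes
    header = bytearray(struct.pack("!BBHHHBBH4s4s",
                                   ver_ihl, 0, 20 + len(segment), 0x1234, 0,
                                   ttl, IP_PROTO_UDP, 0,
                                   socket.inet_aton(src_ip), socket.inet_aton(dst_ip)))
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + segment


def router_hop(packet: bytes) -> bytes:
    """A Layer 3 hop: read the IP header, decrement TTL, recompute the header checksum, and
    forward everything after the header untouched. The router never looks at the payload."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[8] <= 1:
        raise ValueError("TTL expired: a router drops the packet here")
    header = bytearray(packet[:ihl])
    header[8] -= 1
    header[10:12] = b"\x00\x00"
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


def parse_packet(packet: bytes) -> dict:
    """Decapsulation on the way up: validate and strip the IPv4 header, strip the UDP header,
    and hand the application its payload. Malformed input is rejected, not guessed at."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("not a well-formed IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:  # a header with a correct checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    if proto != IP_PROTO_UDP:
        raise ValueError("only UDP is handled in this example")
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > total_len:
        raise ValueError("UDP length inconsistent with IP length")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "src_port": src_port, "dst_port": dst_port,
            "payload": packet[ihl + 8: ihl + udp_len]}


if __name__ == "__main__":
    pkt = build_packet(SRC_IP, DST_IP, SRC_PORT, DST_PORT, b"hello")
    print(parse_packet(router_hop(pkt)))
```

The point to notice is which bytes each device touches: the router rewrites two header fields (TTL and checksum) and copies the rest, while only the receiving host ever interprets the payload. Flipping a single header byte in transit makes `parse_packet` reject the packet, which is the kind of integrity check a receiver should do before trusting anything the header says.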

3. Hubs vs Switches vs Routers

Hub = Layer 1 (Physical). A hub essentially just carries electricity: it repeats whatever arrives on one port out to every other port, so everyone connected to that hub receives it.

Switch = Layer 2 (Data Link). A switch uses packet switching to receive, process, and forward data. Like a hub, it carries data from port to port, but a switch keeps a record of the MAC addresses of all the devices attached to it, so it can send a frame only to the port where the destination device is attached.

Router = Layer 3 (Network). A router directs packets from a source to a destination using specific packet forwarding mechanisms. Routers send data to other routers using IP addresses. A key difference between a router and a switch is the level of information the device “knows” about the traffic: switches look only at the link-layer (MAC) address, not at the IP datagram (the message) inside.

Bonus term:
MAC address = unique identifier assigned to network interfaces for communications at the data link layer of a network segment.

Back to the 7-layer OSI model: each layer determines what tools are appropriate and what data can be manipulated there. For devices, a handy rule of thumb: any data at Layer 3 must interact with a router. Data at Layer 2 must interact with a switch. Data at Layer 1 must interact with a hub.
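The hub/switch/router distinction comes down to what each device looks at before deciding where to send something. As an added example (not from this page or from Cohesive Networks), the small simulation below models a 4-port hub that floods everything, a switch that learns MAC addresses from the frames it sees and stops flooding once it knows the destination, and a router that ignores MAC addresses entirely and picks an interface by longest-prefix match on the destination IP. The MAC addresses, frames, ports, interface names and routing table are all constructed for the demo.

```python
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Layer 1: a repeater. Whatever comes in on one port goes out every other port."""
    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return [p for p in self.ports if p != in_port]


class Switch:
    """Layer 2: learns which MAC address sits behind which port from the source address of
    every frame, then sends frames for known destinations out that one port only.
    Broadcasts and unknown destinations are still flooded, exactly as a hub would."""
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port it was last seen on

    def forward(self, in_port, frame):
        self.mac_table[frame["src_mac"]] = in_port
        dst = frame["dst_mac"]
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == in_port else [out]  # same port: nothing to forward
        return [p for p in self.ports if p != in_port]


class Router:
    """Layer 3: never consults MAC addresses for the decision; chooses the outgoing interface
    by the most specific route (longest prefix) that contains the destination IP."""
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(cidr), iface) for cidr, iface in routes]

    def forward(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return None if best is None else best[1]


def demo():
    """Constructed traffic: host A on port 1 talks to host B on port 2 of a 4-port device."""
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    a_to_b = {"src_mac": a, "dst_mac": b}
    b_to_a = {"src_mac": b, "dst_mac": a}
    hub, sw = Hub([1, 2, 3, 4]), Switch([1, 2, 3, 4])
    results = {
        "hub_any_frame": hub.forward(1, a_to_b),        # [2, 3, 4], every time
        "switch_unknown_dst": sw.forward(1, a_to_b),    # [2, 3, 4]: B not learned yet, so flood
        "switch_learned_reply": sw.forward(2, b_to_a),  # [1]: A was learned from the first frame
        "switch_now_unicast": sw.forward(1, a_to_b),    # [2]: B was learned from the reply
    }
    rtr = Router([("10.0.0.0/8", "eth0"), ("10.1.0.0/16", "eth1"), ("0.0.0.0/0", "eth2")])
    results["route_specific"] = rtr.forward("10.1.2.3")  # eth1: the /16 beats the /8
    results["route_general"] = rtr.forward("10.9.9.9")   # eth0
    results["route_default"] = rtr.forward("192.0.2.1")  # eth2: default route
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

This is also why a hub-like network is slow and leaky: every device sees every frame. A switch only floods until it has learned where a destination lives, and a router makes its decision from the IP header alone, which is exactly the layer 1/2/3 rule of thumb above.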

4. Networking at home vs. networking in the cloud

At home, your router connects you to the ISP network through a gateway. A gateway is the point where 2 or more networks connect.

Inside your home, the gateway is between your internet service provider (ISP) network and your network. You have a public IP address given to you by your ISP and an internal one created by your NAT. More on NAT in future posts…

A home router also acts as a switch for communication between devices inside your home network. If your network slows down whenever more people are on it, your router is likely acting as a hub as well. Remember, hubs send data to all devices on a network.

“So when your home router says it’s actually a hub / switch / router — it really is a hub/switch/router.” Want more network layer fun? Read the full article from Louis Cremen: 10 things InfoSec professionals need to know about networking

Bonus: How encapsulation works at the OSI network layers