News Roundup: Week of Dec 26, 2021

News Roundup: Week of Dec 26, 2021

Could Continuing AWS Outages Give Rise to Distributed Cloud Deployments?

Widespread disruption of high-use internet services was recently experienced as a result of the third AWS outage in the span of a month. AWS reported this latest disruption was caused by “a power outage at a data center in Northern Virginia” which saw giants like Hulu and Slack offline for about two and a half hours. A recent article from The Washington Post suggests that having a cloud deployment with a singular, critical point of failure creates opportunities for widespread outages, in a world where distributed cloud deployments can offer you some protection from these outages. As “the cloud’s increasing intricacy and demands” continue to increase, and companies continue to migrate and develop in the cloud, the potential for outages caused by the “over-centralization” of infrastructure into heavily-used AWS regions also increases.

Azure App Service Insecurity Exposing Source Code Since 2017

A recently discovered insecurity in the Azure App Service has “exposed the source code of applications written in PHP, Python, Ruby, and Node” and has been prevalent since September 2017. SC Magazine purports that this security flaw was first widely reported to the public by The Wiz on Oct. 7, 2021, and Microsoft has since updated it’s security recommendations document and mitigated the default behavior that caused this issue. Further research suggests that this vulnerability was likely not a well-kept secret and would have been widely exploited during the purported four year window of this vulnerability. We recommend double-checking your deployments against these new recommendations to ensure that your source code isn’t vulnerable.

Security Attacks Likely to Continue to Increase in 2022

2020 and 2021 have been marred by an increase in the commonality and sophistication of security attacks on companies as we all navigate the uncharted waters of remote work, and address the new connectivity and security concerns that have surfaced as a result of this necessary transition. A recent article from Bloomberg law suggest that some of the most damaging attacks have targeted backbone systems and solutions, such as the Microsoft Exchange software attacks that affected many companies in 2021. Alarmingly, many of the “exploits used in the first quarter of 2021 are still being used today” which only serves to create added pressure on both the solutions providers and companies that build critical systems upon such backbones solutions. These attacks are complemented by more ‘traditional’ phishing attacks, “which remains one of the highest-volume types of vulnerabilities” across all business sectors. Having proper security procedures and communication channels in place is more important than ever, and the criticality of such considerations will only increase as we move into 2022.

JEDI Becomes JWCC With Decision Target of Q3 2022

In the wake of four years of legal challenges and congressional inquiries, The JEDI contract has been replaced with a new framework, the Joint Warfighter Cloud Compatibility (JWCC), “from which to deliver commercial cloud services to Defense personnel.” The Pentagon “issued formal solicitations for JWCC” to AWS, Microsoft, Google, and Oracle, effectively leveling the playing field for the biggest US cloud providers. According to Nextgov “The Pentagon plans to make JWCC awards in the third quarter of fiscal 2022” which could bring some interesting infrastructure developments from these cloud providers.
VNS3 LNKe: Creating Cloud-Agnostic Transitive Networks Without a lot of Fuss

VNS3 LNKe: Creating Cloud-Agnostic Transitive Networks Without a lot of Fuss

Cohesive Networks has been helping our customers build robust transit networks on public cloud infrastructure since our early days. Doing so on VNS3 technology gives you secure and observable methods consistent across cloud providers and other virtualization platforms. Up until recently we achieved this by creating site to site IPSec tunnels into our federated mesh backbone. This approach, while robust due to BGP failover capabilities, adds quite a lot of complexity. Each of these connections have unique peering addresses and autonomous system numbers (ASN), as well as peer access lists to configure and manage. Which brings us to our new offering, the VNS3 LNKe controller. LNKe controllers are simple to set up while still providing robust failover capabilities.

The VNS3 LNKe controller is one of Cohesive Networks latest offerings. It’s been designed to provide a low cost, easy to deploy, method of connecting your private cloud networks, regardless of the provider. Let’s take a look at the mechanics of it.

VNS3 can be deployed in a peered mesh topology, where by all of the members of the mesh exchange connection and routing information with all of the other members of the mesh across encrypted peering links. These mesh peers can be situated in any cloud provider and in any region. This is the hub in your typical hub and spoke model. The difference being that VNS3 hub, or mesh, components can exist in many different locations, while still being aware of all of the other components. Extending the hub
simply entails adding new peers. This hub can be as little as one or two VNS3 controllers to many tens of controllers spanning across your cloud vendors regions. Within this mesh you have full visibility and attestability of network flows.

    Now to connect your various networks into the mesh so as to facilitate your transitive network. LNKe is a light weight variant, thats has been designed to work with the encrypted overlay networking capabilities of VNS3. It uses the cryptographic key architecture to create a tunnel from the LNKe controller to the closest mesh controller. This link can be established through a VPC peering link between the connecting VPC or over public IP. You simply have to deploy the LNKe controller into the connecting VPC and push the VNS3 client pack to it. This gives it a unique overlay address that the hub mesh is aware of.

    The LNKe can be configured to have failover hub members that it will connect to should any failure occur. On the hub members that it is configured to connect to we then create route entries for the LNKe’s network. This route is pointed at the overlay IP that has been associated with the LNKe controller. While these are effectively static entries, VNS3 will only ever enable the one that is actively connected to. We call this dynamic static routing.

    On the connected VPC you can set your subnet route of 0.0.0.0/0 to point to the LNKe controller, since LNKe can also serve duty as your NAT gateway. In this way any traffic that is bound for other connected networks will traverse into the hub, where as non transit network traffic can get out as needed.

    This solution gives you a lot of flexibility in managing your network connections. You have full firewall capabilities to restrict and shape traffic. You can transform traffic should you have overlapping CIDRs. You can combine other connections into the mesh such as remote workforces or data center connectivity. You can inject network function virtualization like NIDS and WAF. You end up with a network control plane that works the same across all cloud providers that is cost effective and easy to deploy and mange.

    Announcing the Release of VNS3 5.2.1

    Announcing the Release of VNS3 5.2.1

    We are happy to announce that VNS3 version 5.2.1 has been released and is available for deployment in all cloud platforms. Below are some of feature highlights of this release.

    Image Access

    AWS Private AMI: users with private AMI access to UL versions will see the 5.2.1 AMI already shared into their account. Filter for Private Images in the appropriate region and search for vnscubed521-20211111-ul-ebs-5LFW.

    AWS and Azure Marketplace: all VNS3 Marketplace SKUs are updated with the latest 5.2.1 listings.

    GCP and OCI: contact support@www.cohesive.net for image access.

    This release focuses on making our Distributed Cloud (site-to-site VPN and Overlay Mesh) and Plugin user experience easier from implementation to operation. Don’t forget, release notes are always available at https://docs.cohesive.net/docs/vns3/release-notes/.

    Traffic Pairs

    Over the last few years the world of site-to-site VPN has been moving away from Policy-based IPsec VPN in favor of Route-based. Route-based VPNs, from the POV of the device, have simpler configurations (generally a single tunnel) and as a result can have increased long term stability. Simple and stable is good but Route-based VPNs without associated policies/ACLs can be thought of as ‘IPsec without the sec’ and let any traffic move between the two sites. Traffic pairs simplify the deployment of secure route-based VPNs. 

      This new feature allows local/remote subnet pairs to be defined via UI or API for a route-based VPN. This is very similar to how policy-based “tunnels” are defined. When using traffic pairs, VNS3 manages the default state of routes and ACLs for those pairs. Additional routing and ACL operations are not needed when using traffic pairs. “Traditional” configuration is still supported as originally presented since VNS3 4.4.1. This new approach makes it easier for customers integrating VNS3 into their infrastructure to leave the state management of routes and ACLs to VNS3, rather than incorporating related state into their database.

      Plugin Catalog

      Many of you have leveraged the VNS3 Plugin System (Container System) to add critical network services in-path to allow full customization of your network edge. Previously container images had to be sourced in from outside storage buckets or uploaded from local storage. VNS3 now provides in-place installation of plugins via Plugin Catalog. The updated VNS3 Main Menu now lists “Plugins” –> “Catalog” which allows access to a number of additional monitoring, logging, and security functions provided via plugins. The catalog allows in-place installation inside the VNS3 UI – as opposed to requiring access via the Cohesive Website. To see all our available plugins, please visit the plugins page on our support site.

      Additionally the plugin Dashboard is available to provide simplified management of plugins.

      You also note that we’ve replaced the “Container” menu items with “Plugins” but don’t worry you can still access the Container submenu items via the Dashboard.On the right hand side of display there is a “Developer” menu which provide access to the lower level “Container”, “Images” and “Network” functions for the plugin system.

      VNS3 Overlay Mesh Hyperdrive

      We’ve seen Distributed Cloud deployments and use cases increase dramatically over the last few years. As a result the need for speed has become increasingly important in both intra-region as well as inter-cloud deployments. In response we’ve workd to dramatically increased the speed of the peering mesh for new deployments. Behind the scenes Cohesive has been building Wireguard tunneling capabilities into VNS3 since late 4.x releases. We are pleased to now offer this to our BYOL customers deploying new topologies. The Wireguard-based mesh can achieve peering throughput very close to the underlying virtual instance NICs. (Hats off to Jason Donenfeld and the WireGuard team for an amazing system.). Contact Cohesive support (support@www.cohesive.net) for a license which enables this feature BEFORE any deployment configuration.

      Additional Optimizations

      • Ping hosts work for route-based VPNs: Previously the “ping host” function (sometimes called a VPN Monitor by other vendors) worked only for policy-based VPNs. It now works for VTI and GRE route based VPNs.
      • BGP event logs available for external BGP peers and VNS3 Mesh peers now available via Logging Plugin in /mnt/logs/vns3_connection_logs/bgpd.log
      • BGP session up/down alerts available for BGP session up and BGP session down for BGP peers.
      • Additional IPsec Parameters – “re-allowed” DH22 for customers who refuse to believe it should not be used and support elliptical curve DH 31.

      Any user regardless of subscription SKU or support contract is eligible for upgrade assistance including live upgrade chaperoning by a member of our excellent support team. To schedule your assisted upgrade, open a ticket on our support system (support@www.cohesive.net) and we’ll ensure a smooth transition.

      NOTE: Peering between major versions (e.g. 4.x peered with 5x) can be done but we don’t recommend due to potential stability issues.

      Please don’t hesitate to reach out with any comments, questions, or feature requests (contactme@www.cohesive.net).

      IPSec with VNS3: Part I

      IPSec with VNS3: Part I

      Internet Protocol Security (IPSec) is used to encrypt communications between two computers over the internet. Usually it is done between between security gateways to allow two networks to communicate securely. On the data center side this will be done for the most part on physical boxes manufactured by the likes of Cisco, Juniper, Fortinet and others. In the public cloud it is virtualized. Cohesive Networks VNS3 is one such device that allows you to easily configure these secure connections into your cloud private network. Whether you are running a hybrid cloud, are an ISV that needs to connect to customer sites or are implementing a multi cloud strategy VNS3 can provide a stable, secure and simple solution.

      VNS3 can manage as many IPSec connections as you need, the only limit is the underlying instance resources. You can scale your VNS3 instance with the number of connections. It supports both policy and route based connections and supports a wide range of algorithms, hashes and Diffie-Hellman groups. In short, VNS3 can connect to just about anything out there. It’s highly configurable design lets you match exactly what it is communicating with. This all makes VNS3 a very stable solution.

      Setting up VNS3 is a breeze. You can launch it out of your cloud vendor’s marketplace and pay by the hour, or contact Cohesive Networks for longer term billing. VNS3 should be placed into a public subnet. Once launched you will need to either in AWS, turn off source destination checking, or in Azure, enable IP Forwarding on its network interface. In AWS you should attach an Elastic IP (EIP) to it or in Azure a Public IP Address. Once it is up you can manage it via its web interface. You will need to open up TCP port 8000 in your security group. Then open a browser and go to:

            https://:8000
            The default admin username is: vnscubed

      In AWS the default password is the instance id, in Azure the default password will be the virtual machine name followed by a hyphen then the private ip (ex. MyVNS3-10.0.0.1)

      Once you have logged in you should change the admin and api passwords.

      The IPSec configuration page can be found under the Connections section on the left hand side contextual menu. From there you will want to click on the “New Endpoint” button and will see the IPSec configuration form.

      Now it is just a matter of filling in the parameters for the endpoint you will communicate with. Typically you and the other party will agree upon a set of algorithms, hashes and dh groups as well as NAT-T or native IPSec and IKEv1 or IKEV2. While VNS3 does a good job of auto discovery it is best to make sure that both sides are explicitly the same. We provide a simple syntax for VNS3. An example might look like:

      phase1=aes256-sha2_256-dh14
      phase2=aes256-sha2_256
      pfsgroup=dh14
      phase1-lifetime=3600s
      phase2-lifetime=28800s
      dpdaction=restart
      dpddelay=30s
      dpdtimeout=90s

      VNS3 simplifies this process by putting all of your configuration on a single page.

      If you are creating a policy based IPSec connection you will next need to create individual tunnels for your connection. This is done after the creation of the initial endpoint. After the endpoint is created you can create a “New tunnel” from the action drop down to the right of your endpoint. This will be your local subnet and then the subnet on the other side of the connection that you will be communicating with.

      With route based IPSec we support both Virtual Tunnel Interface (VTI) and over GRE, useful for sending multicast packets. If you are utilizing a VTI route based IPSec VPN you next want to set up a “New eBGP Peer” from the action drop down.

      Your IPSec configuration should now show as connected.

      In the next parts in this blog series we will dive into the tools we provide to troubleshoot a faulty connection, interesting things you can do with our firewall to transform the tunnel traffic, and some plugins we use to solve common problems.

      Zero Trust External Privileged Access Management and VNS3

      According to a survey conducted last year by Centrify, a leader in the privileged access management space, 65% of companies are sharing root level access credentials in at least some instances. This backs up Forrester Research’s long held claim that privileged credential abuse is the leading attack vector. For network devices this figure rises somewhat as the survey showed that 68% of companies are not securing their network devices with privileged access control. This is not surprising as historically network devices have had single or few local users. Perhaps it is because smaller more trusted teams managed the network infrastructure. Or that when bootstrapping or troubleshooting network devices , relying on network connections to user directory servers could become problematic.

      Cohesive Networks has been guilty of this in the past. The challenge of implementing the principle of least privilege has always been complexity. The more complex a system or control is to manage the less secure it becomes. We have been putting a lot of focus on various methods of access management for our VNS3 cloud security edge controller that are simple to manage and operate.

      In a previous blog post we discussed how we have adopted Access URLs and API Tokens. Both of which allow for time-based access to VNS3. Where API tokens are useful for systematic access between the control and data planes and Access URLs are incredibly useful for one off access, we still needed to address long living user accounts and have done so by implementing LDAP authentication for VNS3. We have had this capability for our management server for a while and the time has come to extend that to our individual VNS3 network controllers.

      In the world of Zero Trust every user needs to have an identity. Ideally your identity system will enforce principles like password rotation and complexity standards. Things like managing on-boarding and off-boarding of authorized users, wether into or out of the system or groups, is what these systems are designed for. By shifting this function away from the VNS3 network device and its operators we allow you to not only to manage and enforce better security practices but address other corporate realities. Codifying some of the principles of Zero Trust are things like ISO 27001 and 27002, SOC and other compliance regimes which call for the segregation of duties. The people who maintain your privileged access management systems can’t be the same people who utilize them.

      You can now manage your access to your VNS3 controller through integration with LDAP, along with its Active Directory variant, and the usage of groups. We support encryption to your LDAP server via Secure TLS (StartTLS) and LDAPs utilizing certificate authentication.

      VNS3 LDAP integration page

      This new capability provides some really good improvements for VNS3 access control. However for those who are looking for a method that goes beyond “something you know”, security architects can add on “something you have” by utilizing the VNS3 encrypted overlay network in tandem with LDAP identity management. The VNS3 encrypted overlay network makes use of unique X.509 certificates. These give you your network identity to participate in machine to machine communications. In order to access the VNS3 controllers management interface, which runs on TCP port 8000, you could restrict access to only break-glass endpoints while allowing a broader access to UDP port 1194 where the overlay network operates. In this way network operators would need to first establish a TLS connection to the VNS3 controller with their individually issued certificate and through the established tunnel they would then connect to the VNS3 controller via it’s own overlay address. A further way to implement Zero Trust policies.New Paragraph

      Identity Access Management: Zero Trust Networks

      As more and more traditional business infrastructure is being migrated to the cloud, traditional enterprise security and common corporate security practices are no longer enough to keep networks safe. Even as far back as the 2014 Sony Pictures Entertainment hack we’ve seen traditional, perimeter-focused security prove ineffective against attacks originating from within and beyond the network. During this attack, hackers were able to penetrate the perimeter firewall and access the entire flat network in a large-scale east-west exploit. In 2015, large enterprises like Google, Inc. began moving their corporate applications to the cloud with a heavy emphasis on a model where corporate data can be accessed from anywhere with the right device and user credentials. Facing the reality of a global network of networks, the traditional strategy of forming a security wall around an internal network is giving way to a many access point approach. This new Zero Trust strategy emphasizes protecting these access points from threats both within networks and without.

      What is a Zero Trust Network?

      Zero-Trust is a “never trust, always verify” strategy that relies on network segmentation and endpoint authorization rather than a single, unified, external firewall. This approach to network security assumes that no entity is trustworthy by default, leveraging application segmentation and “micro-perimeters” within a network to protect critical applications and data while preventing lateral movement.

      A Zero Trust network strategy addresses many common security concerns, including access management, authentication & connectivity, and endpoint & data security. Any access to network resources must be authenticated, including network management activity and applications. Authentication involves supporting industry standard authentication protocols and user directories for any access point to the network, including applications, endpoints, and network connections. Once authenticated, no longer can a single verification into a network enjoy unlimited lateral access within the network. Zero Trust involves the constant verification of users, applications, and data flows within and between networks and data, assets, application, and services micro-perimeters.

      Allowing access to network management applications is a key component in a Zero Trust strategy. Network administrators require the necessary access to manage the network, but supporting Zero Trust means providing access for only what is needed, possibly for a limited time, with the ability to shut down access if a threat is recognized. Different organizations have different processes, use cases, and critical elements when it comes to network management.

      Traditionally, network devices have one set of administrative credentials used not only for logging into network management applications but also in application scripts. The concern and threat here is that the “keys to the kingdom” credentials are dispersed throughout potentially many network administrator users and possibly in scripts or in repositories. These concerns are even further complicated by a password change. Incorporating industry standard identity protocols such as LDAP authentication with official directories enables users to be managed centrally, decreasing the risks of duplicating another user management system.

      How to Build a Zero-Trust Network with Cohesive VNS3

      New approaches and innovations continue to push us towards a Zero Trust strategy that allows for the necessary access management for users and applications without creating security holes. Network managers have to first understand the use cases required for accessing network management applications and scripts to work with vendors to provide access management solutions. If a network administrator has a use case to provide temporary access to a key vendor to support their technology, a typical approach may be to provide a temporary user account. But this now involves provisioning a user account with appropriate password policies, supporting forgotten passwords, eventually removing the account and any other actions required for a secure identity management environment. Maybe another access mechanism could be provided, that was secure, provides the necessary access for a limited time and automatically expires, with the ability of an administrator to terminate access if any threat is recognized. The key point is to provide a toolbox of secure options and use what is best for the use case.

       

      Cohesive Networks works with customers to build that toolbox of secure network access management options, supporting a Zero Trust policy for all access points in the infrastructure. VNS3’s API provides the ability to programmatically provision expiring access creds as well as build your network segments and perimeter policies, allowing you to build an encrypted network entirely declaratively in code. In the coming weeks we’ll be releasing more in-depth discussions of the approaches we take with VNS3 to enable you to create a secure Zero-Trust network, including how we approach access URLs, API tokens, and LDAP integration.