Leveraging FWsets to Streamline and Augment Your VNS3 Firewall

What are IPsets?

IPset is an extension to iptables which allows the creation of firewall rules that reference a set of addresses all at once, rather than requiring the creation of many individual rules. Unlike normal iptables rules which are stored and traversed linearly, IPsets are stored as indexed data structures, making lookups very efficient, even when dealing with a large number of addresses.[1]

The VNS3 firewall acts as a wrapper around the conventional IPTables syntax. The syntax used is a slight variation for optimization and organization purposes. To highlight the distinction, we use the term FWsets when referring to VNS3’s implementation of IPsets.

Advantages of Using FWsets

FWsets tremendously decrease the CPU load of iptables. FWsets can be referenced in any firewall chain or table, making them a versatile tool which can be used in many types of rules and environments. You can easily add or remove addresses from an FWset with two simple API calls.

Creating lengthy Firewall rules in VNS3 can get messy when referencing many address or networks.  

By utilizing FWsets, your firewall can be much easier to organize and manage.

IPSet performance graph

FVNFWThe graph above illustrates the improvement in latency when using FWsets compared to conventionally specified lists of IPs in your firewall. FWset response time (shown in red above) is consistently quick even with 400k+ IPs defined in your FWset. In testing a larger FWset with 1 million IP’s we found no noticeable increase in latency, measuring a consistent response time of under two milliseconds across the board.

Get Started with FWsets in VNS3

Via the VNS3 API you can create, retrieve, reload, add to, and delete FWsets. Once an FWset is created, you can refer to it in VNS3 firewall rules using the “-m set” module.

Here is a short guide on how to implement FW sets with the VNS3 API.

Here is the documentation for the VNS3 FW Sets API.

If you have any questions, please reach out to Cohesive Support at support.cohesive.net or via email: support@www.cohesive.net.

Essential Key State Management in VNS3

Cloud and network virtualization have created the opportunity to have virtual networks that transit your applications and staff to, through and across the clouds. These networks can stretch across the globe in multiple, to 10s of locations (points of presence) or more. In the case of Cohesive Networks our virtual networks are used to create cryptographically secure overlay networks in full mesh architectures. When implementing the cryptographic mesh (at scale machine-to-machine VPN) it is critical that the cryptographic credentials can be easily managed across the controller mesh. Our goal at Cohesive is to make managing the credentials straightforward and clear; associating credentials with users via tagging, enabling/disabling so that credentials can only be used when desired, checked out/in state to help manage via automation, check log information for specific credentials, and manage certificate revocation. Below is a short video showing the key elements of straightforward key state management in an N-way VNS3 controller mesh.

Hopefully the video highlights the essential key state management capabilities we have strived for. They are part of the foundation of the VNS3 Controllers which are used to build a wide array of service edge use cases. VNS3 encrypted topologies combined with our plug and play security system, you or your management service provider can achieve both Workload and Workforce mobility using secure network virtualization. 

Zero Trust External Privileged Access Management and VNS3

According to a survey conducted last year by Centrify, a leader in the privileged access management space, 65% of companies are sharing root level access credentials in at least some instances. This backs up Forrester Research’s long held claim that privileged credential abuse is the leading attack vector. For network devices this figure rises somewhat as the survey showed that 68% of companies are not securing their network devices with privileged access control. This is not surprising as historically network devices have had single or few local users. Perhaps it is because smaller more trusted teams managed the network infrastructure. Or that when bootstrapping or troubleshooting network devices , relying on network connections to user directory servers could become problematic.

Cohesive Networks has been guilty of this in the past. The challenge of implementing the principle of least privilege has always been complexity. The more complex a system or control is to manage the less secure it becomes. We have been putting a lot of focus on various methods of access management for our VNS3 cloud security edge controller that are simple to manage and operate.

In a previous blog post we discussed how we have adopted Access URLs and API Tokens. Both of which allow for time-based access to VNS3. Where API tokens are useful for systematic access between the control and data planes and Access URLs are incredibly useful for one off access, we still needed to address long living user accounts and have done so by implementing LDAP authentication for VNS3. We have had this capability for our management server for a while and the time has come to extend that to our individual VNS3 network controllers.

In the world of Zero Trust every user needs to have an identity. Ideally your identity system will enforce principles like password rotation and complexity standards. Things like managing on-boarding and off-boarding of authorized users, wether into or out of the system or groups, is what these systems are designed for. By shifting this function away from the VNS3 network device and its operators we allow you to not only to manage and enforce better security practices but address other corporate realities. Codifying some of the principles of Zero Trust are things like ISO 27001 and 27002, SOC and other compliance regimes which call for the segregation of duties. The people who maintain your privileged access management systems can’t be the same people who utilize them.

You can now manage your access to your VNS3 controller through integration with LDAP, along with its Active Directory variant, and the usage of groups. We support encryption to your LDAP server via Secure TLS (StartTLS) and LDAPs utilizing certificate authentication.

VNS3 LDAP integration page

This new capability provides some really good improvements for VNS3 access control. However for those who are looking for a method that goes beyond “something you know”, security architects can add on “something you have” by utilizing the VNS3 encrypted overlay network in tandem with LDAP identity management. The VNS3 encrypted overlay network makes use of unique X.509 certificates. These give you your network identity to participate in machine to machine communications. In order to access the VNS3 controllers management interface, which runs on TCP port 8000, you could restrict access to only break-glass endpoints while allowing a broader access to UDP port 1194 where the overlay network operates. In this way network operators would need to first establish a TLS connection to the VNS3 controller with their individually issued certificate and through the established tunnel they would then connect to the VNS3 controller via it’s own overlay address. A further way to implement Zero Trust policies.New Paragraph

4 Ways VNS3 Simplifies Transitive Routing in the Cloud

4 Ways VNS3 Simplifies Transitive Routing in the Cloud

Transitive routing in the cloud has always had its challenges. Some providers simply don’t support it. Others have released services that appear to solve the issue. 

Both cases require workaround architectures to circumvent the issue. This means adding more moving parts, which increases complexity. 

Where there’s added complexity, there’s the potential for increased cost.

VNS3 is our Virtual Application Security Controller that allows you to create and control your own cloud edge and encrypt traffic to, through and between your chosen cloud provider or on-premises networks. It can also simplify complex network challenges, like transitive routing. 

So, What is Transitive Routing?

In short, it’s the ability for a computer in one network to communicate with a computer in another network that it isn’t directly linked (or peered) to. 

Here’s an example:

  • We have three networks, NetA, NetB, NetC. 
  • There’s a database in NetC
  • There’s a PC in NetA
  • NetA is connected to NetB
  • NetB is connected to NetC
  • The PC in NetA needs to connect to the database in NetC, to do this it would need to route its packets through NetB and on to NetC
  • NetC would need to route its response back through NetB and on to NetA. 
VNS3 AWS Transitive Routing Deployment

This would be a transitive routing topology, because NetA’s traffic “transit’s” through NetB and vice versa for NetC. 

Why not just peer them all together, you ask?

There’s any number of reasons it’s not feasible to peer all your virtual networks together. Here are a few:

Conflicting IP address ranges means it’s not technically possible. 

Number of networks, peering connections grow exponentially, this eventually becomes unmanageable.

You may have shared services, but need to isolate certain traffic.

If you have some other reasons that are preventing you from peering your networks, reach out to us contact@www.cohesive.net, we may be able to help!

4 Ways VNS3 Can Help With Transitive Routing

VNS3 combines the features of a router/switch/firewall/VPN concentrator/protocol redistributor and incorporates a plugin system, that allows you to embed any other application directly into your network.

  1. VNS3 as a cloud router, with IPSec tunnels between your networks you can create a centralised and secure gateway. This not only solves the transitive routing issue but gives you visibility and control of the traffic that passes in, out and through your network:
VNS3 Transit Ipsec deployment

2. Using VNS3’s overlay network you can deploy a unified address space that encompasses all your networks, whether there are 3 or 300, in the same cloud or between multiple cloud providers:

VNS3 AWS Overlay deployment

3. Use multiple VNS3’s in a peered mesh, this gives you all the benefits of the previous solutions, plus high availability:

VNS3 AWS Peering

4. Connect multiple VLANs across multiple cloud providers to maximize network performance and minimize latency between the deployments. Often times when spanning long geographic distances where you are not purchasing private links, jumping through cloud points-of-presence can provide a more performant solution.

VNS3 Multicloud

Conclusion

If you need to communicate between networks, across regions or even across cloud providers. The VNS3 Application Security Controller can help by providing a device that can connect your cloud assets seamlessly to each other. Either as a single device, multiple devices or as an entire isolated network above your current cloud network, networks or providers.

If you need help with your deployments or want to try VNS3 for free, contact us at contact@www.cohesive.net.

Helping business teams stay connected in response to Coronavirus

Helping business teams stay connected in response to Coronavirus

We use it internally and we want to help.

People VPN Banner

As more and more businesses decide to suspend travel and close offices in response to the spread of COVID-19, the global workforce is becoming increasingly distributed (see Smarter with Gartner COVID-19 ). We support these decisions to reduce intersection points and help prevent the spread of the virus. We want to help in our own way to make this transition easier for business teams that don’t already have a secure remote work solution or need an alternative that is easy to setup and works.

Our core business is providing enterprises with cloud edge connectivity and security solutions. This typically doesn’t include remote working solutions like roadwarrior VPN or PeopleVPN (as we call it). That said, we do have some customers who utilize our VNS3 hybrid overlay network appliance to provide their distributed work force with secure connectivity to their data center and cloud based assets. We also have been using VNS3 internally to securely connect and protect our distributed workforce since 2009. Based on these use-cases we think we can help those who don’t have a simple and secure remote work solution.

VNS3 PeopleVPN available today for free for 6 months

We are making a custom, pre-configured version of our VNS3 network controller called PeopleVPN for remote work solutions available for free in both AWS Marketplace and Azure Marketplace.

VNS3 PeopleVPN capabilities include:

  • VPN Credentials allowing up to 35 team members to stay connected and protected when working remotely on “unknown” Wi-Fi such as cafes, coffee shops, and other public venues.
  • Each remote worker connection is assigned a known IP address, making segmentation for your remote team easy.
  • Provide shared access to your cloud resources
  • Optional NAT capabilities so all team members, regardless of where they are, will appear to come from a common Internet address, making whitelisting of your remote team much easier.

If you aren’t already using AWS or Azure for your cloud computing needs, take a look at their “free tier” offers to keep the cost of your remote work solution near zero:

While we have no delusions about our impact on this global crisis (we aren’t the Gates Foundation ), we want to do something to help. We believe that everyone has a communal obligation to help in any way. This is our way. We will not make any money from VNS3 PeopleVPN during the COVID-19 outbreak and we are committed to supporting any and all users during this challenging time.

Housekeeping:

  • Support: VNS3 PeopleVPN comes with free forum support that is provided on a best effort basis. If you need additional support, we are of course happy to help but a commercial agreement may be needed.
  • Pricing: Our first thought was to offer an extended free trial but the Marketplaces limit the free trial periods. We are offering VNS3 PeopleVPN for free in the AWS and Azure Marketplaces until September 15th, 2020. This date can be pushed out depending on the state of the virus response. We will contact all users to provide them with ample time before we either de-list the offering or start charging an hourly premium (current pricing projection is $0.25 per hour premium which is still 6-10x cheaper than cloud provider client VPN alternatives).
  • Upgrades: If you have slightly bigger needs, we can accommodate under same terms. Much larger needs will likely warrant a commercial discussion. Contact Us for more information.
  • Monitoring/Data Gathering: We don’t monitor or gather metadata on usage. The VNS3 PeopleVPN is an instance that you own, manage, and operate. Tracking user activity is not part of our business model. We take privacy and security very seriously.

Other Organizations looking to help (this list is not exhaustive, and we are happy to add):

Updated 3/18/2020 to include links to AWS and Azure Marketplace listings.

Enhanced VPN Monitoring With VNS3

Cloud VPN Monitoring

Monitoring your VPN connections is essential in today’s interconnected world. Having the ability to quickly react to network interruptions is paramount to business continuity. At Cohesive Networks we have developed a range of new features to keep you one step ahead.

VNS3 Alerts

Our VNS3 Network Security Appliance has prebuilt alerts that talk to all your favourite collaboration tools, including Slack, Webex Teams, AWS SNS, Opsgenie, PagerDuty, and our own VPN monitoring appliance VNS3:ms (or ‘MotherShip’ as it’s known around here).

If there isn’t a pre-built template for your monitoring application, you can leverage our Alerts Integrations to send customised payloads to any incoming webhook API that’s listening for an update.

Our ever-growing list of alerts now encompasses administrative actions carried out on your VNS3 Network Security Appliance, including password changes, controller reboots, and system resets, as well as monitoring your VPN connection ups and downs.

Configuring Alerts

Configuring alerts is a straightforward process with our pre-built templates. You can try them for free in your favorite public cloud with our VNS3 Free Edition. To get started visit our docs site here: https://docs.cohesive.net/tutorials/getting-started/.

Here we are going to set up alerts to Slack,

  • Find the “Alerts” menu item in the Web UI
  • Click “New Alert”, to bring up the setting page
  • From the Integration dropdown select (Prebuilt) Slack
  • Give your alert a Name
  • Enter your Slack App Notification URL (you will need to create a Slack App). Once you have done that, you will get the Webhook URL ( https://api.slack.com/start )
  • Highlight all the things you want to be notified about in the Events window
  • Ensure the alert is Enabled

And you’re done!

VNS3 Alerting form page

Conclusion

VNS3 Alerts are quick and easy to set up, improve visibility, and keep you one step ahead of your VPN monitoring requirements. If you want to know more about VNS3 and it’s capabilities reach out at https://cohesiveprod.wpenginepowered.com/contact.