VNS3 6.0 Beta2 is now available. You can find the Free edition in both the Amazon and Azure marketplaces (GCP coming...
VNS3 6.0 Beta2 is now available.
It is an easy way to get a server up and running that can connect you to data centers, cloud VPCs/VNETs, has a super firewall, straightforward support of even difficult things like “source based routing”, and most of all a quick way to run and manage your own WireGuard® network connecting multiple people, devices, or both.
This post will show you how to use the standard Mac Appstore WireGuard client built and delivered by the WireGuard team with Cohesive Networks VNS3 6.0 network controllers. (Of course similar capability is available using the same app from the Windows/iPhone/Android “app stores” as well.)
In future posts we will show the Cohesive CLI (cnvpn) at work, and the Cohesive WG GUI working with VNS3 6.0. And then we will follow up by showing how the different connection options work with a distributed VPN cluster where you can spread a VNS3 controller mesh across regions and clouds with ease, yet have a unified VPN system for management of credentials, pre-shared keys, OIDC sessions and more.
In the screen shots throughout we have three windows; upper left the Mac OS WG client, bottom left a command line from the same Mac, and to the right the cloud-based VNS3 server supporting a wide range of cloud networking use-cases, and here specifically WireGuard VPN connections.
VNS3 Network Platform has the concept of “clientpacks” – basically the credentials needed to connect a machine or a person via a VPN client to the network. Historically they have been “openvpn” by default – and starting in 6.0 they are WireGuard by default. In a future release we will support a dual stack with both “ovpn” and “wg” connections simultaneously, and a goal of IPsec clients as well.
In the picture above and those below we see the “Clientpacks” page. From here you can perform key administrative functions like disabling addresses, re-generating credentials, updating pre-shared keys, and getting access URLs for secure and easy distribution of VPN credentials.
Above shows the results of choosing “Access URL” and displaying its result. This is a secure, one-time, timed URL which allows users to copy/paste the clientpack, download it for import, or for mobile clients use a QR code for import.
It has all the necessary information to make a connection using the standard WG Client – with or without PSKs.
There is also a series of commented lines which are used by CNVPN CLI and GUI for additional enterprise support (failover, dynamic route updates, OIDC authentication) to be discussed in future. For now we just want to focus on how easy it is to connect native WG clients.
Copy/paste the clientpack into the Mac OS client, and click SAVE/ACTIVATE.
Voilà – you are connected to the VPN. The VNS3 Clientpacks page shows the status as “connected”.
The WG Client now shows its statistics about the connection, and below we are pinging the VNS3 controller’s VPN address to show access to the VPN network.
(By default, this connection can access other addresses on the VPN. If that’s not desired it is easily changed via the Firewall page.)
If needed you can use the Action menu to perform administrative operations. For example, if you select “Disable” on the connection, the client is dropped from the VPN. Below, we see the client set to disabled state by the Admin, and we see the “pings” begin to fail.
Then we “Enable” – and the client is back on the network and packets begin to flow.
And of course similar operations can be performed to re-new or re-secure a connection by adding a PSK or re-generating keys – both of which require the clientpack to be redistributed to the user or device. But as expected, when you enable a PSK for the connection, the user is unable to access the network. With the credential re-deployed with the appropriate clientpack containing the PSK, they are back on the net!
Accessing the other devices on the VPN network is one use, what about getting to the Internet?
This requires a couple configuration elements on the client side which requires a little bit of operating system knowledge on the client side and a of couple firewall rules on the VNS3 Controller. We won’t go into those specifics here.
But, if you look at the Cohesive-specific directives used by the CNVPN CLI and GUI – one of them is “TunnelAllTraffic” – and when this is set to “true” – all the client side magic is done for you! But that is for another day.
(“WireGuard” and the “WireGuard” logo are registered trademarks of Jason A. Donenfeld.)
We’re happy to announce that Cohesive Networks has successfully completed a Type 2 SOC 2 examination. The examination confirmed that our systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems.
- Selected SOC 2 Categories: Security
- Examination Type: Type 2
- Review Period: November 1, 2021, to April 30, 2022
- Service Auditor: Schellman & Company, LLC
Our Secure History
Security and privacy are at the core of our business model and part of our culture. Cohesive Networks was spun out in 2014 from Cohesive Flexible Technologies in part due to a realization we were no longer in the cloud migration business. We were in fact a security and networking company. As a result we had the opportunity and experience to create internal systems and controls to a high standard. All are still overbuilt by today’s measure.
By design, we have no access to customers’ VNS3 provided networks. Access and visibility are completely in the hands of the owner. Given that deployment mode, VNS3 has mechanisms to ensure limited attack surface with no backdoor access: Access URLs and API Tokens.
We also “eat our own cooking.” VNS3 was created by our parent company, Cohesive Flexible Technologies back in 2008. The purpose was first to secure our Elastic Server product cluster (see Bill-of-Materials approach to virtual machine image creation) and second to provide IP address control and security for the wild west EC2-classic 10/8 network space of the day. Our company runs internal Overlay Networks for our production systems, support engineers, as well as PeopleVPN for our remote/post-geographic team.
Cohesive Networks is committed to continuing annual Type 2 SOC 2 examinations and will plan on adding Availability and Privacy Trust Service categories in the future. Additionally we’ll be evaluating if a SOC 3 examination is more appropriate given our role as a provider of critical network infrastructure for our globally distributed customer base.
U.S. Cyber Officials Issue Official Warning Against Potential Russian Cyber Attacks
During a call this Monday, FBI and DHS cyber officials urged government agencies “to look out for signs of Russian activity on their networks” as a result of the evolving Ukraine crisis. According to Yahoo: “federal officials also urged those on the call to dramatically lower their threshold for reporting suspicious activity.” Citing “an uptick in Russian scanning of U.S. law enforcement networks” as well as “in Russian disinformation and misinformation about Ukraine,” cyber officials urge increased care and caution with links and communications as the crisis progresses.
IBM Opens Cyber Security Hub in India
IBM recently announced the opening of their first IBM Security Command Center in the Asia Pacific region. The center hopes to provide a cybersecurity incident response plan for enterprise customers with deployments in the region, as well as “a fully immersive, interactive, and experiential learning facility.” IBM plans to use simulations and experiential training to help enterprises protect themselves from cyberattacks. IBM promises that by co-locating this training center with their X-Force Command Center, IBM’s Security Operations Center, both live practice and training for cyber security precautions will benefit immensely.
Microsoft Brings Cloud Security to GCP
Yesterday Microsoft announced the release of Microsoft Defender for Cloud for Google Cloud Platform, making Microsoft the first major cloud provider to offer security solutions in all major cloud platforms. The offering from Microsoft boasts Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) across both containers and servers. According to the release, GCP deployments of Microsoft Defender for Cloud will come “with out-of-box recommendations that allow you to configure GCP environments in line with key security standards like the Center for Internet Security (CIS).” Microsoft is also emphasizing the necessity of Zero Trust Management and event log management in cloud environments with two more ‘upgraded’ cloud security offerings.
Could Continuing AWS Outages Give Rise to Distributed Cloud Deployments?Widespread disruption of high-use internet services was recently experienced as a result of the third AWS outage in the span of a month. AWS reported this latest disruption was caused by “a power outage at a data center in Northern Virginia” which saw giants like Hulu and Slack offline for about two and a half hours. A recent article from The Washington Post suggests that having a cloud deployment with a singular, critical point of failure creates opportunities for widespread outages, in a world where distributed cloud deployments can offer you some protection from these outages. As “the cloud’s increasing intricacy and demands” continue to increase, and companies continue to migrate and develop in the cloud, the potential for outages caused by the “over-centralization” of infrastructure into heavily-used AWS regions also increases.
Azure App Service Insecurity Exposing Source Code Since 2017A recently discovered insecurity in the Azure App Service has “exposed the source code of applications written in PHP, Python, Ruby, and Node” and has been prevalent since September 2017. SC Magazine purports that this security flaw was first widely reported to the public by The Wiz on Oct. 7, 2021, and Microsoft has since updated it’s security recommendations document and mitigated the default behavior that caused this issue. Further research suggests that this vulnerability was likely not a well-kept secret and would have been widely exploited during the purported four year window of this vulnerability. We recommend double-checking your deployments against these new recommendations to ensure that your source code isn’t vulnerable.
Security Attacks Likely to Continue to Increase in 20222020 and 2021 have been marred by an increase in the commonality and sophistication of security attacks on companies as we all navigate the uncharted waters of remote work, and address the new connectivity and security concerns that have surfaced as a result of this necessary transition. A recent article from Bloomberg law suggest that some of the most damaging attacks have targeted backbone systems and solutions, such as the Microsoft Exchange software attacks that affected many companies in 2021. Alarmingly, many of the “exploits used in the first quarter of 2021 are still being used today” which only serves to create added pressure on both the solutions providers and companies that build critical systems upon such backbones solutions. These attacks are complemented by more ‘traditional’ phishing attacks, “which remains one of the highest-volume types of vulnerabilities” across all business sectors. Having proper security procedures and communication channels in place is more important than ever, and the criticality of such considerations will only increase as we move into 2022.
JEDI Becomes JWCC With Decision Target of Q3 2022In the wake of four years of legal challenges and congressional inquiries, The JEDI contract has been replaced with a new framework, the Joint Warfighter Cloud Compatibility (JWCC), “from which to deliver commercial cloud services to Defense personnel.” The Pentagon “issued formal solicitations for JWCC” to AWS, Microsoft, Google, and Oracle, effectively leveling the playing field for the biggest US cloud providers. According to Nextgov “The Pentagon plans to make JWCC awards in the third quarter of fiscal 2022” which could bring some interesting infrastructure developments from these cloud providers.
FCC Re-Establishes CSRIC to Tackle 5G and Solar Winds Attacks
The FCC recently announced that a federal advisory committee will be re-established “with a primary focus on improving 5G network security.” This announcement also cites the recent security breaches affecting the communications sector, especially the Solar Winds breach, in needing to revamp the CSRIC for today’s and tomorrow’s challenges. The FCC intends to “re-establish CSRIC on or before June 30, 2021 for a period of two years.”
SASE Market Continues to Grow
VentureBeat recently highlighted the Secure Access Service Edge (SASE) market as “showing tangible, long-term momentum in just its second year as a new technology segment.” The article states that SASE provides “long-term assurances for unified security across the entire organization,” which is especially important in our widely WFH world. SASE technology also allows you to streamline “complex security and WAN implementations” and build “user-centric security frameworks,” that are a necessity as the 5G-powered cloud edge begins to develop.
FBI Begins Court-Ordered Culling of Microsoft Exchange Servers
The US Department of Justice recently issued an unprecedented court order for the FBI “removal of the malicious web shells” from vulnerable versions of Microsoft Exchange servers from networks in the US. Months after a January Chinese-led espionage campaign that exploited four day zero vulnerabilities in Microsoft Exchange Server, many of the vulnerable web shells were still in place. According to released court records, “FBI personnel will access the web shells, enter passwords, make an evidentiary copy of the web shell, and then issue a command through each” of the web shells, to delete them. The announcement did include a promise from the FBI to attempt to inform all network owners impacted by the search and of impacted computers affected by this process.
Ford and Google Partnership Announced
Ford announced this week that they’re partnering with Google Cloud “in first-of-its-kind partnership” that aims to “accelerate Ford’s transformation and reinvent the connected vehicle experience.” Ford intends to leverage the data, AI, and ML capabilities of Google Cloud as they move to power their vehicles with built-in Android OS and Google apps services. Ford is hoping to leverage this partnership to get ahead in the race for “electrification, connectivity and self-driving” cars that is happening in the industry today. This partnership highlights the initial integration of Google Assistant, Google Maps as primary navigation, Google Play media playback, and an Android development base for other apps.
Jeff Bezos to be Replaced as Amazon CEO by AWS Chief Andy Jassy
Amazon announced this week that Jeff Bezos will be stepping down as CEO and will be replaced by longtime AWS leader Andy Jassy. After 27 years, Bezos will be stepping into an executive chair role, effective in Q3 of this year. As reported by c|net, this “transition comes as Amazon navigates a tricky period in its history.” Amazon is attracting regulatory scrutiny as its profits continue to grow during the economic shifts caused by the COVID-19 pandemic. This coming on the back of challenges Amazon has faced keeping its vast workforce safe from COVID-19 infection.
New Administration Brings Renewed Scrutiny of JEDI Contract
The lengthy legal battle led by AWS against the results of the JEDI cloud competition is creating renewed pressure on the Department of Defense under the new administration. According to Nextgov, “The Defense Department may not continue with the embattled Joint Enterprise Defense Infrastructure cloud contract if a federal judge does not dismiss charges of improper political influence in Amazon Web Services’ protest, according to a document sent to Congress.” AWS continues to allege that government officials, including the former president, improperly influenced the outcome. The Department of Justice expects a ruling from a federal judge soon.
Remote Threats to Remote Work Continue to Evolve
A recent article from InformationAge warns us of continued and evolving threats to remote work IT security. The post warns that hackers are changing their tactics to utilize a much more people-centric attack vector and targeting end employees directly. It is critical that we all take extra care to train employees and screen external communications for these evolving threats. As CISOs around the world continue to focus on securing their remote workforce, often for the first time in their company’s history, this challenge can seem incredibly daunting. Many companies scrambled to push out a cloud solution to address the remote work necessity and are now having to backtrack to secure them. The article warns that ransomware might continue to focus more on cloud environments and increase in complexity as 2021 progresses.
Salesforce Launches Vaccine Cloud as Vaccinations Become a Reality
Salesforce recently announced the launch of “Vaccine Cloud” in an effort to help institutions “more rapidly, safely and efficiently deploy and manage their vaccine programs.” The announcement comes as many states are working towards the end of their first phase of vaccination and registrants are eagerly awaiting the second phase of vaccination. The immense challenge of administering and managing the global scale of vaccination “efficiently, effectively, and equitably,” is proving to be quite the challenge for government agencies, healthcare organizations, businesses, nonprofits, and educational institutions alike. Salesforce is hoping to leverage their experience to help with vaccine inventory management, appointment scheduling, outcome monitoring, public health outreach and more.