VNS3 6.0 Beta2 is now available.
You can find the Free edition in both the Amazon and Azure marketplaces (GCP coming soon).
It is an easy way to get a server up and running that can connect you to data centers, cloud VPCs/VNETs, has a super firewall, straightforward support of even difficult things like “source based routing”, and most of all a quick way to run and manage your own WireGuard® network connecting multiple people, devices, or both.
This post will show you how to use the standard Mac Appstore WireGuard client built and delivered by the WireGuard team with Cohesive Networks VNS3 6.0 network controllers. (Of course similar capability is available using the same app from the Windows/iPhone/Android “app stores” as well.)
In future posts we will show the Cohesive CLI (cnvpn) at work, and the Cohesive WG GUI working with VNS3 6.0. And then we will follow up by showing how the different connection options work with a distributed VPN cluster where you can spread a VNS3 controller mesh across regions and clouds with ease, yet have a unified VPN system for management of credentials, pre-shared keys, OIDC sessions and more.
In the screen shots throughout we have three windows; upper left the Mac OS WG client, bottom left a command line from the same Mac, and to the right the cloud-based VNS3 server supporting a wide range of cloud networking use-cases, and here specifically WireGuard VPN connections.
VNS3 Network Platform has the concept of “clientpacks” – basically the credentials needed to connect a machine or a person via a VPN client to the network. Historically they have been “openvpn” by default – and starting in 6.0 they are WireGuard by default. In a future release we will support a dual stack with both “ovpn” and “wg” connections simultaneously, and a goal of IPsec clients as well.
In the picture above and those below we see the “Clientpacks” page. From here you can perform key administrative functions like disabling addresses, re-generating credentials, updating pre-shared keys, and getting access URLs for secure and easy distribution of VPN credentials.
Above shows the results of choosing “Access URL” and displaying its result. This is a secure, one-time, timed URL which allows users to copy/paste the clientpack, download it for import, or for mobile clients use a QR code for import.
It has all the necessary information to make a connection using the standard WG Client – with or without PSKs.
There is also a series of commented lines which are used by CNVPN CLI and GUI for additional enterprise support (failover, dynamic route updates, OIDC authentication) to be discussed in future. For now we just want to focus on how easy it is to connect native WG clients.
Copy/paste the clientpack into the Mac OS client, and click SAVE/ACTIVATE.
Voilà – you are connected to the VPN. The VNS3 Clientpacks page shows the status as “connected”.
The WG Client now shows its statistics about the connection, and below we are pinging the VNS3 controller’s VPN address to show access to the VPN network.
(By default, this connection can access other addresses on the VPN. If that’s not desired it is easily changed via the Firewall page.)
If needed you can use the Action menu to perform administrative operations. For example, if you select “Disable” on the connection, the client is dropped from the VPN. Below, we see the client set to disabled state by the Admin, and we see the “pings” begin to fail.
Then we “Enable” – and the client is back on the network and packets begin to flow.
And of course similar operations can be performed to re-new or re-secure a connection by adding a PSK or re-generating keys – both of which require the clientpack to be redistributed to the user or device. But as expected, when you enable a PSK for the connection, the user is unable to access the network. With the credential re-deployed with the appropriate clientpack containing the PSK, they are back on the net!
Accessing the other devices on the VPN network is one use, what about getting to the Internet?
This requires a couple configuration elements on the client side which requires a little bit of operating system knowledge on the client side and a of couple firewall rules on the VNS3 Controller. We won’t go into those specifics here.
But, if you look at the Cohesive-specific directives used by the CNVPN CLI and GUI – one of them is “TunnelAllTraffic” – and when this is set to “true” – all the client side magic is done for you! But that is for another day.
(“WireGuard” and the “WireGuard” logo are registered trademarks of Jason A. Donenfeld.)
We’re happy to announce that Cohesive Networks has successfully completed a Type 2 SOC 2 examination. The examination confirmed that our systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems.
Security and privacy are at the core of our business model and part of our culture. Cohesive Networks was spun out in 2014 from Cohesive Flexible Technologies in part due to a realization we were no longer in the cloud migration business. We were in fact a security and networking company. As a result we had the opportunity and experience to create internal systems and controls to a high standard. All are still overbuilt by today’s measure.
By design, we have no access to customers’ VNS3 provided networks. Access and visibility are completely in the hands of the owner. Given that deployment mode, VNS3 has mechanisms to ensure limited attack surface with no backdoor access: Access URLs and API Tokens.
We also “eat our own cooking.” VNS3 was created by our parent company, Cohesive Flexible Technologies back in 2008. The purpose was first to secure our Elastic Server product cluster (see Bill-of-Materials approach to virtual machine image creation) and second to provide IP address control and security for the wild west EC2-classic 10/8 network space of the day. Our company runs internal Overlay Networks for our production systems, support engineers, as well as PeopleVPN for our remote/post-geographic team.
Cohesive Networks is committed to continuing annual Type 2 SOC 2 examinations and will plan on adding Availability and Privacy Trust Service categories in the future. Additionally we’ll be evaluating if a SOC 3 examination is more appropriate given our role as a provider of critical network infrastructure for our globally distributed customer base.
During a call this Monday, FBI and DHS cyber officials urged government agencies “to look out for signs of Russian activity on their networks” as a result of the evolving Ukraine crisis. According to Yahoo: “federal officials also urged those on the call to dramatically lower their threshold for reporting suspicious activity.” Citing “an uptick in Russian scanning of U.S. law enforcement networks” as well as “in Russian disinformation and misinformation about Ukraine,” cyber officials urge increased care and caution with links and communications as the crisis progresses.
IBM recently announced the opening of their first IBM Security Command Center in the Asia Pacific region. The center hopes to provide a cybersecurity incident response plan for enterprise customers with deployments in the region, as well as “a fully immersive, interactive, and experiential learning facility.” IBM plans to use simulations and experiential training to help enterprises protect themselves from cyberattacks. IBM promises that by co-locating this training center with their X-Force Command Center, IBM’s Security Operations Center, both live practice and training for cyber security precautions will benefit immensely.
Yesterday Microsoft announced the release of Microsoft Defender for Cloud for Google Cloud Platform, making Microsoft the first major cloud provider to offer security solutions in all major cloud platforms. The offering from Microsoft boasts Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) across both containers and servers. According to the release, GCP deployments of Microsoft Defender for Cloud will come “with out-of-box recommendations that allow you to configure GCP environments in line with key security standards like the Center for Internet Security (CIS).” Microsoft is also emphasizing the necessity of Zero Trust Management and event log management in cloud environments with two more ‘upgraded’ cloud security offerings.
The FCC recently announced that a federal advisory committee will be re-established “with a primary focus on improving 5G network security.” This announcement also cites the recent security breaches affecting the communications sector, especially the Solar Winds breach, in needing to revamp the CSRIC for today’s and tomorrow’s challenges. The FCC intends to “re-establish CSRIC on or before June 30, 2021 for a period of two years.”
VentureBeat recently highlighted the Secure Access Service Edge (SASE) market as “showing tangible, long-term momentum in just its second year as a new technology segment.” The article states that SASE provides “long-term assurances for unified security across the entire organization,” which is especially important in our widely WFH world. SASE technology also allows you to streamline “complex security and WAN implementations” and build “user-centric security frameworks,” that are a necessity as the 5G-powered cloud edge begins to develop.
The US Department of Justice recently issued an unprecedented court order for the FBI “removal of the malicious web shells” from vulnerable versions of Microsoft Exchange servers from networks in the US. Months after a January Chinese-led espionage campaign that exploited four day zero vulnerabilities in Microsoft Exchange Server, many of the vulnerable web shells were still in place. According to released court records, “FBI personnel will access the web shells, enter passwords, make an evidentiary copy of the web shell, and then issue a command through each” of the web shells, to delete them. The announcement did include a promise from the FBI to attempt to inform all network owners impacted by the search and of impacted computers affected by this process.
Ford announced this week that they’re partnering with Google Cloud “in first-of-its-kind partnership” that aims to “accelerate Ford’s transformation and reinvent the connected vehicle experience.” Ford intends to leverage the data, AI, and ML capabilities of Google Cloud as they move to power their vehicles with built-in Android OS and Google apps services. Ford is hoping to leverage this partnership to get ahead in the race for “electrification, connectivity and self-driving” cars that is happening in the industry today. This partnership highlights the initial integration of Google Assistant, Google Maps as primary navigation, Google Play media playback, and an Android development base for other apps.
Amazon announced this week that Jeff Bezos will be stepping down as CEO and will be replaced by longtime AWS leader Andy Jassy. After 27 years, Bezos will be stepping into an executive chair role, effective in Q3 of this year. As reported by c|net, this “transition comes as Amazon navigates a tricky period in its history.” Amazon is attracting regulatory scrutiny as its profits continue to grow during the economic shifts caused by the COVID-19 pandemic. This coming on the back of challenges Amazon has faced keeping its vast workforce safe from COVID-19 infection.
The lengthy legal battle led by AWS against the results of the JEDI cloud competition is creating renewed pressure on the Department of Defense under the new administration. According to Nextgov, “The Defense Department may not continue with the embattled Joint Enterprise Defense Infrastructure cloud contract if a federal judge does not dismiss charges of improper political influence in Amazon Web Services’ protest, according to a document sent to Congress.” AWS continues to allege that government officials, including the former president, improperly influenced the outcome. The Department of Justice expects a ruling from a federal judge soon.
A recent article from InformationAge warns us of continued and evolving threats to remote work IT security. The post warns that hackers are changing their tactics to utilize a much more people-centric attack vector and targeting end employees directly. It is critical that we all take extra care to train employees and screen external communications for these evolving threats. As CISOs around the world continue to focus on securing their remote workforce, often for the first time in their company’s history, this challenge can seem incredibly daunting. Many companies scrambled to push out a cloud solution to address the remote work necessity and are now having to backtrack to secure them. The article warns that ransomware might continue to focus more on cloud environments and increase in complexity as 2021 progresses.
Salesforce recently announced the launch of “Vaccine Cloud” in an effort to help institutions “more rapidly, safely and efficiently deploy and manage their vaccine programs.” The announcement comes as many states are working towards the end of their first phase of vaccination and registrants are eagerly awaiting the second phase of vaccination. The immense challenge of administering and managing the global scale of vaccination “efficiently, effectively, and equitably,” is proving to be quite the challenge for government agencies, healthcare organizations, businesses, nonprofits, and educational institutions alike. Salesforce is hoping to leverage their experience to help with vaccine inventory management, appointment scheduling, outcome monitoring, public health outreach and more.
Recent Comments