Navigating the Cloud Transition: Simplified Solutions for Legacy Applications

Navigating the Cloud Transition: Simplified Solutions for Legacy Applications

 source:Dall-E

Overcoming the Complexities of Cloud Migration with Cohesive Networks’ VNS3 Plugin System

Transitioning legacy applications to the cloud can be a daunting task. The challenges are numerous: complex network reconfigurations, increased costs, extended downtimes, and potential security risks. These hurdles are particularly pronounced for applications that rely on broadcast functionality, a common feature in many legacy systems yet challenging to implement in cloud environments – and entirely missing from the offerings of today’s major cloud providers.

Addressing the Core Challenges:

Complex Network Reconfiguration:
Legacy applications often depend on specific network features, like Layer 2 broadcast, which aren’t natively supported in cloud environments. Reconfiguring these applications for cloud networks usually means extensive and costly alterations.

Cost and Resource Allocation:
Moving to the cloud shouldn’t mean breaking the bank or pushing back deadlines. Traditional methods involve hiring specialists or investing in extensive development work, leading to spiraling costs and repeated delays.

Downtime and Operational Delays:
Every minute your application isn’t fully operational impacts your business. Lengthy transitions and testing periods are common with traditional cloud migration methods. The more your application has to change to fit a new environment, the greater the chances for costly mistakes.

Security Concerns:
Adapting legacy applications to the cloud can introduce vulnerabilities, especially when modifying network architectures. New code means new bugs, and new configuration introduces opportunities for human error.

The VNS3 Solution

At Cohesive Networks, we’ve developed a new plugin for our VNS3 software that specifically addresses these issues for applications requiring broadcast functionality. Our solution allows for a seamless and efficient transition to the cloud, without the need for extensive network reconfiguration or application rewriting.

Ease of Use:
With our plugin, most broadcast-dependent applications can be migrated to the cloud with minimal setup and no changes to the existing code or application workflow.

Cost-Effective:
Our approach significantly reduces the need for expensive network specialists, extensive redevelopment, offering a more budget-friendly solution.

Minimized Downtime:
Our streamlined process ensures a faster and smoother transition, reducing operational disruptions. HA and failover options mean that you won’t sacrifice the inherent reliability of cloud environments.

Secure Transition:
VNS3 maintains a strong security posture throughout the migration process, ensuring your data and applications are protected.

Your Path to Cloud Efficiency

Embrace the future of cloud networking with Cohesive Networks. VNS3 isn’t just a tool; it’s a comprehensive solution that makes your cloud networking efficient, secure, and cost-effective. Experience a smoother transition and enable your applications to thrive in a new cloud environment with ease and confidence.

Contact a Cohesive Networks expert today for real solutions that provide real value.

Apple VisionPro – No security issues yet!

Apple VisionPro – No security issues yet!

Cohesive Networks VNS3 6.0 - Clientpacks Page

This front image of the Apple VisionPro augmented reality headset is apt at the moment.

It is dark and we can’t see clearly yet, which is OK, because it allows us the opportunity to prognosticate.

In addition, no network or security issues yet!
We still have time to panic.

Although devices are not a normal topic for us at Cohesive Networks, as CTO, I thought I would ruminate a bit at LinkedIn in a post on The Apple Impact (2023).

Whilst the future is a bit murky, the AI breakout and VisionPro for AR (augmented reality) will combine in interesting ways: compelling, practical, frightening, and unanticipated.

From a Cohesive point of view, as we provide over-the-top networks and security to, through and across the clouds, both of these trends are going to have an impact with Large Language Models deep in the clouds, and augmented reality as the lens from below, piercing the cloud cover.

From a personal point of view:

“Vision Pro emerges at the same time as the artificial intelligence breakout. What will these gods of unknown intention be whispering in our ears? I can’t quite yet imagine these two emergent technologies combined and how it could bring about completely new social environments – with all the good and all the terrible amplified.”

We would love to hear what you think.

 

Enterprise WireGuard® with Cohesive VPN Client

Enterprise WireGuard® with Cohesive VPN Client

Cohesive Networks VNS3 6.0 - Clientpacks Page

VNS3 6.0 Beta3 will be available in cloud marketplaces or upon request this week (contactme@www.cohesive.net).  In our last post we showed how easy it is to connect your native WireGuard® clients to VNS3 6.0.  In this post we show you how to use the Cohesive VPN Client to achieve the same goals like connecting to data centers or cloud VPCs/VNETs, and managing your own WireGuard® network connecting multiple people and devices.  In addition, we will show an overview of using our enterprise capabilities like dynamic route updates, easy tunneling of all traffic with local subnet exceptions, and OIDC integration so you can authenticate your vpn users with Google Authentication, Okta, Auth0 and more.

The screen shots throughout show three windows; upper left the Cohesive VPN client, bottom left a command line from the same Mac, and to the right the cloud-based VNS3 server.

VNS3 Network Platform has the concept of “clientpacks” – basically the credentials needed to connect a machine or a person to the network via a VPN client.  Historically “clientpacks” have been “openvpn” by default.  Starting in 6.0 clientpacks are WireGuard by default. In a future release we will support a dual stack with both “ovpn” and “wg” connections simultaneously, and a goal of IPsec clients as well.

In the picture above and those below we show the “Clientpacks” page. From this you can perform key administrative functions like disabling addresses, re-generating credentials, updating pre-shared keys, and getting access URLs for secure and easy distribution of VPN credentials.

 

Access URL

Cohesive Networks VNS3 6.0 - Clientpack Download
Cohesive Networks VNS3 6.0 - Clientpack Access URL

Above shows the results of choosing “Access URL” and displaying its result. This is a secure, one-time, timed URL allowing users to copy/paste the clientpack, download it for import, or use via a QR code on mobile devices.

It has all the necessary information to make a connection using the Cohesive VPN Client – with or without PSKs.

The commented lines are used by CNVPN CLI and GUI for additional enterprise support; failover, dynamic route updates, and OIDC authentication.

Copy/paste the clientpack into the Cohesive client via the “Paste” option, and choose Save.

 

Connect

Cohesive Networks VNS3 6.0 - Clientpack Paste into CNVPN
Cohesive Networks VNS3 6.0 - CNVPN Connect

Next choose “Connect” from the Cohesive Client’s “Actions” menu –  and the VPN connection is created.  The VNS3 Clientpacks page then shows the status as “connected”.

Below shows access to the VPN network by successfully pinging the VNS3 controller’s VPN address.  (By default, this connection can access other addresses on the VPN. If that’s not desired it is easily changed via the Firewall page.)  

Cohesive Networks VNS3 6.0 - CNVPN Connect
Cohesive Networks VNS3 6.0 - CNVPN Ping

You can use the Action menu on the VNS3 Clientpacks page to perform administrative operations.   For example, if you select “Disable” on the connection, the client is dropped from the VPN.  

Similar operations can be performed to re-new or re-secure a connection by adding a PSK or re-generating keys (both of which require the clientpack to be redistributed to the user or device).  As expected, when you enable a PSK for the connection, the user is unable to access the network.  With the credential re-deployed with the appropriate clientpack containing the PSK, they are back on the net!

To see some of those operations in action, take a look at our previous post.  Cohesive’s target is to provide organizations the ability to deploy their own enterprise VPN infrastructure.  This could be managed by Cohesive via our SecurePass offering, or self-managed.  Regardless, our initial focus for 6.0 is managed, enterprise WireGuard.

Dynamic Route Updates

One of our key enterprise features is dynamic route updates.  For “people vpns” you can usually just tunnel all traffic through the VPN – making the VPN adapter the default gateway.  However, for IoT and machine2machine vpns, dynamic routing is a critical capability.  You allow the device to have its own local gateway but when routes arrive dynamically, the traffic begins to follow that path.  If the route is removed from the network, the default gateway is used.

In the example below the configuration is changed to have “RoutePolling = True”, and on the VNS3 controller a route to 55.55.55.55 has been advertised through the VPN.  In the terminal window route display there is not yet a specific route to that public IP.

Once re-connected, the route to 55.55.55.55 through the VPN is visible on the client as a result of the dynamic route updating.

If that route is disabled or removed from the VPN network, then it is removed from the client.

Cohesive Networks VNS3 6.0 - CNVPN Route Polling
Cohesive Networks VNS3 6.0 - CNVPN Route Advertisement

Tunnel All Traffic

Tunneling all traffic through the VPN to the Internet is a snap with the Cohesive VPN Client.

Set the client parameter “TunnelAllTraffic” to “True” AND make sure you have enabled firewall directives on the VNS3 Server to send all VPN traffic out to the Internet.

VNS3 Free edition comes with a default set of rules in a group called “VPN2Internet.  Go to the Groups view on the Firewall page and enable these rules.

This will direct all traffic from your VPN client to the Internet, getting its address translated to the Public IP of the VNS3 controller.

What if you still want to be able to access local network resources like a printer or file server?  In that case, use the “LocalRoutes” option to enter a comma delimited list of the network CIDRs you want to exempt from the VPN so they can be reached locally.

Now that all traffic is being tunneled, from the command line the public IP 8.8.8.8 can be successfully pinged.  To “prove” this traffic is going into the VPN we show it via our Network Sniffer.

Cohesive Networks VNS3 6.0 - Firewall VPN2Internet
Cohesive Networks VNS3 6.0 - VPN2Internet Success

VPN User Authentication

So far the examples have just used WireGuard protocol with unique keys and pre-shared key (PSK) for the connections.  What about more specific user authentication?  For WireGuard in VNS3 6.0 we use OIDC (Open ID Connect), and will add LDAP support in future.  (Our dual stack offering in future will allow simultaneous use of OpenVPN and WireGuard clients, with your choice of LDAP/AD or OIDC).

With OIDC support you create a VPN users and/or admins application in your OIDC provider and then configure VNS3 integration.

Cohesive Networks VNS3 6.0 - OIDC VPN Users

Once the OIDC configuration has been saved you can login. In this case we are using our Google Apps login.  When “Connect” is chosen, a login screen pops up in the default browser.

Cohesive Networks VNS3 6.0 - VPN Users Google Identity

Upon entering the correct password the login panel indicates success and the VPN client connects!

Cohesive Networks VNS3 6.0 - VPN Users OIDC Success

Next up we will show using the Cohesive CNVPN CLI on a Linux machine.  For cloud overlay networks and over-the-top cloud networking, the CLI is a powerful way to bring your enterprise feature set to your cloud and multi-cloud deployments. 

(“WireGuard” and the “WireGuard” logo are registered trademarks of Jason A. Donenfeld.)

Native WireGuard® Clients and VNS3 6.0 Beta2

Native WireGuard® Clients and VNS3 6.0 Beta2

VNS3 6.0 Beta2 is now available.

You can find the Free edition in both the Amazon and Azure marketplaces (GCP coming soon).

It is an easy way to get a server up and running that can connect you to data centers, cloud VPCs/VNETs, has a super firewall, straightforward support of even difficult things like “source based routing”, and most of all a quick way to run and manage your own WireGuard® network connecting multiple people, devices, or both.

This post will show you how to use the standard Mac Appstore WireGuard client built and delivered by the WireGuard team with Cohesive Networks VNS3 6.0 network controllers. (Of course similar capability is available using the same app from the Windows/iPhone/Android “app stores” as well.)

In future posts we will show the Cohesive CLI (cnvpn) at work, and the Cohesive WG GUI working with VNS3 6.0. And then we will follow up by showing how the different connection options work with a distributed VPN cluster where you can spread a VNS3 controller mesh across regions and clouds with ease, yet have a unified VPN system for management of credentials, pre-shared keys, OIDC sessions and more.

In the screen shots throughout we have three windows; upper left the Mac OS WG client, bottom left a command line from the same Mac, and to the right the cloud-based VNS3 server supporting a wide range of cloud networking use-cases, and here specifically WireGuard VPN connections.

VNS3 Network Platform has the concept of “clientpacks” – basically the credentials needed to connect a machine or a person via a VPN client to the network.  Historically they have been “openvpn” by default – and starting in 6.0 they are WireGuard by default. In a future release we will support a dual stack with both “ovpn” and “wg” connections simultaneously, and a goal of IPsec clients as well.

In the picture above and those below we see the “Clientpacks” page. From here you can perform key administrative functions like disabling addresses, re-generating credentials, updating pre-shared keys, and getting access URLs for secure and easy distribution of VPN credentials.

Above shows the results of choosing “Access URL” and displaying its result. This is a secure, one-time, timed URL which allows users to copy/paste the clientpack, download it for import, or for mobile clients use a QR code for import.

It has all the necessary information to make a connection using the standard WG Client – with or without PSKs.

There is also a series of commented lines which are used by CNVPN CLI and GUI for additional enterprise support (failover, dynamic route updates, OIDC authentication) to be discussed in future. For now we just want to focus on how easy it is to connect native WG clients.

Copy/paste the clientpack into the Mac OS client, and click SAVE/ACTIVATE.

Voilà – you are connected to the VPN.  The VNS3 Clientpacks page shows the status as “connected”.

The WG Client now shows its statistics about the connection, and below we are pinging the VNS3 controller’s VPN address to show access to the VPN network.

(By default, this connection can access other addresses on the VPN. If that’s not desired it is easily changed via the Firewall page.)  

If needed you can use the Action menu to perform administrative operations.   For example, if you select “Disable” on the connection, the client is dropped from the VPN.  Below, we see the client set to disabled state by the Admin, and we see the “pings” begin to fail.

Then we “Enable” – and the client is back on the network and packets begin to flow.

And of course similar operations can be performed to re-new or re-secure a connection by adding a PSK or re-generating keys – both of which require the clientpack to be redistributed to the user or device.  But as expected, when you enable a PSK for the connection, the user is unable to access the network.  With the credential re-deployed with the appropriate clientpack containing the PSK, they are back on the net!

Accessing the other devices on the VPN network is one use, what about getting to the Internet?

This requires a couple configuration elements on the client side which requires a little bit of operating system knowledge on the client side and a of couple firewall rules on the VNS3 Controller.  We won’t go into those specifics here.

But, if you look at the Cohesive-specific directives used by the CNVPN CLI and GUI – one of them is “TunnelAllTraffic” – and when this is set to “true” – all the client side magic is done for you!  But that is for another day.

(“WireGuard” and the “WireGuard” logo are registered trademarks of Jason A. Donenfeld.)

 

Announcing Successful Type 2 Soc 2 Examination

Announcing Successful Type 2 Soc 2 Examination

We’re happy to announce that Cohesive Networks has successfully completed a Type 2 SOC 2 examination. The examination confirmed that our systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems. 

Examination Details

  • Selected SOC 2 Categories:  Security
  • Examination Type:  Type 2
  • Review Period:  November 1, 2021, to April 30, 2022
  • Service Auditor:  Schellman & Company, LLC

Our Secure History

Security and privacy are at the core of our business model and part of our culture. Cohesive Networks was spun out in 2014 from Cohesive Flexible Technologies in part due to a realization we were no longer in the cloud migration business. We were in fact a security and networking company. As a result we had the opportunity and experience to create internal systems and controls to a high standard. All are still overbuilt by today’s measure.

By design, we have no access to customers’ VNS3 provided networks. Access and visibility are completely in the hands of the owner. Given that deployment mode, VNS3 has mechanisms to ensure limited attack surface with no backdoor access: Access URLs and API Tokens.

We also “eat our own cooking.” VNS3 was created by our parent company, Cohesive Flexible Technologies back in 2008.  The purpose was first to secure our Elastic Server product cluster (see Bill-of-Materials approach to virtual machine image creation) and second to provide IP address control and security for the wild west EC2-classic 10/8 network space of the day. Our company runs internal Overlay Networks for our production systems, support engineers, as well as PeopleVPN for our remote/post-geographic team.

Future Plans

Cohesive Networks is committed to continuing annual Type 2 SOC 2 examinations and will plan on adding Availability and Privacy Trust Service categories in the future. Additionally we’ll be evaluating if a SOC 3 examination is more appropriate given our role as a provider of critical network infrastructure for our globally distributed customer base.

The Enterprise and WireGuard

The Enterprise and WireGuard

WireGuard® at its core is a lightweight, low code, VPN tunneling protocol that optimizes for speed, security and ease of configuration. However, extended business functions needed for enterprise usage are left out of its code base by design. This non-opinionated approach allows third parties to develop novel methods that best fit enterprise needs and styles.

Examples of Enterprise needs are:

  • Key (re)generation and distribution for both human users and machine-to-machine networks
  • RESTful API for integration to in-house systems and external services
  • Uniform access to encrypted tunneling via regional or global clusters
  • Dynamic routing so devices on the WireGuard network learn about network paths as they come and go
  • Failover support allowing clients to migrate servers in the event of maintenance or outages
  • Integration to security platforms (Firewalls, WAFs, IDS/IPS)
  • Integration to other “tunneled” paths (IPsec, GRE, VXLAN, cloud direct connects, etc..)
  • Integration to “legacy” monitoring tools like SNMP
  • Integration to “modern” monitoring tools like Datadog and Sumologic
  • Integration to legacy authentication (Active Directory)
  • Integration to modern authentication (OAuth / OpenID, MFA, etc..)
  • AND more!

Cohesive is working to make the WireGuard protocol a first order citizen in our VNS3 Network Platform with a focus on many of these extended capabilities.

Enterprises will need methods to securely store and distribute keys to human and machines. Authenticated REST APIs allow automation frameworks to tag and place keys where needed in a distributed computing environment. Self-service web portals give end users access to allocated keys for their various devices. Administrators and intrusion detection systems need the ability to revoke keys when compromise occurs.

Not all tunneling systems and their keys are the same. Many companies employ encrypted overlay networks, in cloud and between their compute nodes in order to satisfy regulatory requirements and gain network visibility. For automated machine-to-machine communications, public/private key pairs are all that is required, whereas with “people VPN” scenarios added authentication factors are needed.

In the dynamic world of cloud networking and remote work, private networks are now fluid, meaning that network address ranges are added and removed, as new networks and subnets come on line or are decommissioned. In order for systems to communicate they need dynamic route updates providing up-to-date paths through interconnected transit networks.

These encrypted tunneling systems are used to take the enterprise, its customer and partners to, through, and across clouds. This requires the WireGuard feature called “Allowed IPs” that acts as both ACL and route directives to be integrated. In Enterprise WireGuard use-cases, the “Allowed IPs” don’t come from a configuration file, they will be dynamically and seamlessly integrated to the broader systems routing and ACL policies. communications in the enterprise. Companies need the ability to filter and direct traffic at ingress and egress points in cloud networks.

WireGuard is fast becoming an essential operating system and developer tool, and Cohesive Networks believes it’s on its way to being an essential building block for creating robust, enterprise-ready network solutions.

“WireGuard” and the “WireGuard” logo are registered trademarks of Jason A. Donenfeld.