Cohesive VNS3 6.0 Beta3 is now available and free to use in AWS, Azure, and upon request. Get WireGuard® performance and encryption along with OIDC authentication, dynamic routing, global deployment capability, and integration to cloud and datacenter connectivity solutions today.
Earlier this month we released the 5.0 version of our VNS3 virtual controller. This update brings with it a major UI overhaul to improve the usability of VNS3 controllers, key improvements to network performance, IPsec connectivity & scalability, and much more. Below are some of the highlights of this release. You can find the full release notes for this version here. Stay tuned for new product tutorials and feature highlights in the near future.
New UI, Faster UX
VNS3 5.0 includes a swath of UI updates focused on improving usability while limiting major layout changes to retain simplicity. Highlights of the UI overhaul include:
- New color palette and fonts
- Administration menu
- Click-to-copy functionality for high-use fields and IPs
- Left column menu minimize
- Addition of Controller naming
- More paginated, sortable, searchable tables
- Fast-loading UI with increased performance
We’ll be digging deeper into these UI improvements in the near future, so keep an eye out for that!
System and Platform Updates
With the 5.0 update we’ve moved VNS3 to a hardened OS based on Ubuntu 20.04. All underlying systems and libraries have been upgraded in accordance with this change, bringing greater stability and scalability to the VNS3 platform. While previous VNS3 versions used a hardened Ubuntu 14.04 OS, Extended Security Maintenance has provided ongoing security patches for various system packages. As a result of these changes, VNS3 5.x will no longer display false positives on database scanning services like AlertLogic.
Improvements to Network, IPsec, and Multicast Performance & Connectivity
VNS3 5.0 also brings with it additional kernel memory allocation for improved network performance. Our IPsec subsystem now makes more effective use of available CPU cores in order to increase support for complex networks of many IPsec connections. With this release we’ve also improved IKEv2 support with added functionality to allow Aliased BGP ASN per-to-peer configuration. This new functionality prevents overlap when connecting to multiple BGP peers and maximizes the flexibility of network connectivity.
VNS3 5.0 is showing a 2-3x speed improvement in multicast deployments with reduced packet loss. These improvements enable deployments that include up to 10 overlay clients, properly configured and using VNS3 MulticastHub, to have bidirectional multicast streams of up to 150mbps with virtually no packet loss. This functionality was tested using a t3.med VNS3 controller and t3.small multicast sender and receivers.
Improved HTTPS Certification Upload and Visibility
This update includes a status improvement to show the existing certificate files being used by the VNS3 web server. The HTTPS certification file chain-of-custody is ensured with SHA-256 checksum/fingerprint. HTTPS certification upload now supports intelligent multi-file uploading of certificates to avoid confusion over which certificates need to be included (root, intermediate chain, end-user). This update is made to accommodate differing file/format preferences of various certificate authorities.
Improved Network Sniffer
VNS3 5.0 also includes usability and scalability improvements to our network sniffer functionality as follows:
- We’ve added an “any” interface for broader capture during troubleshooting.
- Multiple captures can now be run simultaneously so filters can inspect different network segments at the same time.
- Multiple users can now run various packet captures simultaneously. Defined captures are visible to all users for easy sharing.
- Outputs can now be downloaded in pcap format.
- All monitors now self-terminate after 1 hour to prevent overlogging.
- A network sniffer on an Interface home page now uses the same implementation as the Network Sniffer page.
VNS3 Plugin Manager BETA
As part of this 5.0 release, the VNS3 Plugin Manager has progressed to its BETA phase. The plugin manager now allows users to configure and manage their plugin containers via the UI or API. Simply include a Plugin Manager config file in a VNS3 container to allow complete control via either method. You can now edit specific container configuration files with an automated version history log. We’ve also introduced functionality that allows you to quickly view log files, stop & start services & processes, and export container configurations for easier controller upgrade & migration. We’ll be exploring the plugin manager in greater detail in the near future.
Announcing the Launch of our New Documentation Site!
We are proud to announce the launch of our new documentation site! Moving forward, this will be the new home for all of our documentation detailing cloud setup, VNS3, VNS3:ms, network edge plugins, upgrading, troubleshooting, and the like. As part of this process we’ve also begun converting our API specifications to the OpenAPI spec standard. Starting with VNS3 v4.8, you can view and download the specification as JSON. The OpenAPI standard will improve the testability and usability of Cohesive APIs. Users can also generate an API client library in their language of choice with the OpenAPI Generator. We will be supporting API clients in the near future with added API macro functions for simplifying topology automations.
Cybercrime in Residential Networks
KrebsOnSecurity discusses The Rise of “Bulletproof” Residential Networks in a recent article. These residential networks are considered bulletproof by cybercrooks because they typically ignored abuse complaints or blamed the abuse on a reseller. The article describes a Maryland-based IP provider that either mistakenly or intentionally provided just such a network. Krebs traces down ownership of the IP addresses and finds a hacker selling services on this “bulletproof” network.
Web Browsers Band Together to Block Kazakh CA Certificate
The Register released an article this week claiming that “Google, Apple, and Mozilla said their web browsers will block the Kazakhstan root Certificate Authority (CA) certificate” citing collectively emphatic statements condemning the certificate as a surveillance tool. The move to block this certificate comes on the heels of intriguing notifications to Kazakhstani telecom customers about the legality, permanence, and nature of the certificate.
Check Your Bluetooth Devices
As the Key Negotiation of Bluetooth (KNOB) narrative continues to develop, it seems prudent to start at the conveniently named source of the investigation. If you haven’t heard, this attack identifies an encryption vulnerability for all Bluetooth BR/EDR connections and includes “chips from Broadcom, Qualcomm, Apple, Intel, and Chicony.” It allows attackers to intercept and manipulate Bluetooth traffic. The resource suggests that devices updated after late 2019 might have addressed the vulnerability by now, but it might be worth double-checking for yourself. The resolution included an update to the Bluetooth specification to recommend an increased encryption key length.
Introducing the Confidential Computing Consortium
The Linux Foundation’s newly-formed Confidential Computing Consortium has announced their “new cross-industry effort” which boasts a team representing the likes of Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom, and Tencent. In this first press release they promise to bring together organizations affecting all major aspects of computing in order to drive transformation via “a variety of technical open source projects and open specifications” in the near future.
PSA: Cisco Advisories & Alerts
Cisco just disclosed a large number of vulnerabilities – many of which are critical – via their security advisories and alerts publication. We advise reviewing any relevant product vulnerabilities and implementing any suggested workarounds offered by Cisco.