copyright 2015 Cloud Applications Secured
Aug 06, 2015
Cohesive Networks - Cloud Applications Secured
VNS3 family of security and connectivity solutions protects cloud-based applications from exploitation by hackers, criminal gangs, and foreign governments
1000+ customers in 20+ countries across all industry verticals and sectors
PartnerNetwork
TECHNOLOGY PARTNER
copyright 2015
Our lineup
4
• turret - Application Security Controller
• vpn - free, self-service cloud connectivity
• net - security and connectivity networking
• ms - virtual network management system
• ha - high availability & automatic failover
• + - add-ons
Features compared across the lineup: scalable VPN, end-to-end encryption, multi-cloud / multi-region, monitor & manage, automatic failover, secure app isolation (add-on features marked +).
VNS3 connectivity and security with L4-L7 plug-in system
Isolated Docker containers within VNS3 allow Partners and Customers to embed features and functions safely and securely into their Cloud Network.
VNS3 Core Components: Router, Switch, Firewall, Protocol Redistributor, VPN Concentrator, Scriptable SDN.
L4-L7 plug-ins: Proxy, Reverse Proxy, Content Caching, Load Balancer, IDS, Custom Container.
The Problem - Lots of apps sprawled across enterprise clouds
The Solution - VNS3 Application Segmentation
Perimeter Security
Public and Private clouds are filled with these applications, many of them “critical” infrastructure.
Figure: 80% of Security $s vs. 20% of Security $s (RSA)
Perimeter Security
One penetration creates significant potential for “East-West” expansion of the attack.
“Application Segmentation” completes the cloud security model
Diagram (cloud security model, Layers 0 to 7): Hardware and Hypervisor are managed by Azure, the Cloud Service Provider. The Azure Layer 3 Network marks the limit of user access, control and visibility. Above it, Application Policies for App 1 and App 2 are controlled by the Cloud Customer.
Introducing the VNS3 Application Security Controller
Components of the VNS3 Application Security Controller (diagram):
• Virtual Adapters and Application Security Controller NIC(s)
• Layer 3 Encrypted Switch and Layer 3 Encrypted Router
• GRE Protocol Bridge and Protocol Re-Distributor
• Industry standard L4-L7 plugin system: AppFW, Custom Mods, SSL/TLS Offload, Content Cache, Internal LB, IDS/IPS
• Core Mesh Firewall, Mesh Transaction Management, Mesh Key Management
• SSL VPN Edge and IPsec VPN Edge
• Net Management Interfaces, RESTful API Service, Autonomics Agents
• Cloud Capacity Interfaces: Virtual CPU(s), AES-NI Interface, Provisioned IOPS, Enhanced Network Drivers
• Unique Encrypted Topology Identity
VNS3 Application Segmentation (turret)
VNS3 creates a micro-perimeter around critical applications in any data center, cloud or virtualized environment.
Traffic only flows in permitted directions, from permitted locations. None of the servers talks to any other server without going through a secure VNS3 switch.
Why now - “demand”?
NIST Cyber Security Framework, PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate.
Why now - “supply”?
• Network Function Virtualization - we can make networks out of virtual machines and containers
• Software Defined Networking - we can manage networks through APIs
• DevOps and Containers - makes application networks just another config
Once the micro-perimeter is established the broad policy enforcement mechanism is in place, with strict traffic flow controls.
Demo Topology
• VNS3 Managers 1, 2 and 3 (public IPs 104.40.234.149, 191.236.146.199 and 104.42.102.143) are peered and form the VNS3 Overlay Network 192.168.56.0/24, spanning West Europe, West US and North Central US.
• On that overlay: Sinatra App Tier (overlay IP 192.168.56.111), Primary DB (overlay IP 192.168.56.101*) and Backup DB (overlay IP 192.168.56.101).
• VNS3 Manager 4 (public IP 191.236.53.137, East US) is peered with the others and provides the VNS3 Overlay 172.31.0.0/22, with an Nginx Server at overlay IP 172.31.1.1.
• An active IPsec tunnel connects the Customer Corp Office to the overlay.
Anywhere an application can go - it needs security & connectivity.
• Perimeter based security models are no longer sufficient. One compromise becomes the starting point for East-West attacks across a series of application deployments.
• Application Security Controllers use NFV and SDN to build an application-centric perimeter rather than a traditional “edge” perimeter.
• Application-centric Security is portable across Azure zones and locations.