copyright 2015 Cloud Applications Secured

Microsoft Infopedia webinar "Secure Your Azure Cloud Deployments with VNS3 Overlay Networks"



Presenters


Patrick Kerpan, CEO (@pjktech)

Chris Swan, CTO (@cpswan)


Cohesive Networks - Cloud Applications Secured


The VNS3 family of security and connectivity solutions protects cloud-based applications from exploitation by hackers, criminal gangs, and foreign governments.

1000+ customers in 20+ countries across all industry verticals and sectors

Partner Network: Technology Partner


Our lineup


turret - Application Security Controller

vpn - free, self-service cloud connectivity

net - security and connectivity networking

ms - virtual network management system

ha - high availability & automatic failover

Add-ons (+)

Features compared: scalable VPN, end-to-end encryption, multi-cloud/multi-region, monitor & manage, automatic failover, secure app isolation

Feature coverage per product as shown on the slide (✓ included, + available as an add-on):

✓ ✓ ✓ ✓ ✓ ✓

✓ ✓ ✓ + +

✓ ✓


Available everywhere in Microsoft Azure


VNS3 connectivity and security with L4-L7 plug-in system

Isolated Docker containers within VNS3 allow partners and customers to embed features and functions safely and securely into their cloud network.

VNS3 Core Components: Router, Switch, Firewall, Protocol Redistributor, VPN Concentrator, Scriptable SDN

Plug-ins: Proxy, Reverse Proxy, Content Caching, Load Balancer, IDS, Custom Container


VNS3 and Cloud Application Segmentation


I don’t need to tell you about the security landscape


FUD


The Problem - Lots of apps sprawled across enterprise clouds

The Solution - VNS3 Application Segmentation


A typical business application


Web Tier

App Server Tier

Database Tier

Message Queues


Perimeter Security

Public and private clouds are filled with these applications, many of them “critical” infrastructure.


80% of Security $s

20% of Security $s (RSA)


Perimeter Security

Hard on the outside, soft on the inside


Perimeter Security

One penetration creates significant potential for “East-West” expansion of the attack.


The Problem - Lots of apps sprawled across enterprise clouds

The Solution - VNS3 Application Segmentation


“Application Segmentation” completes the cloud security model


Cloud service provider side:

Layer 0 - Hardware, managed by Azure

Layers 1-2 - Hypervisor, managed by Azure

Layer 3 - Azure Layer 3 Network: the limit of user access, control and visibility

Cloud customer side:

Layers 3-7 - Application policies (App 1, App 2), controlled by the customer


Introducing the VNS3 Application Security Controller


Application Security Controller NIC(s) and virtual adapters

Layer 3 encrypted switch, Layer 3 encrypted router, GRE protocol bridge, protocol redistributor

Industry-standard L4-L7 plugin system: AppFW, custom mods, SSL/TLS offload, content cache, internal LB, IDS/IPS

Mesh transaction management, core mesh firewall, mesh key management

Net management interfaces, SSL VPN edge, IPsec VPN edge, autonomics agents, RESTful API service

Cloud capacity interfaces: virtual CPU(s), AES-NI interface, provisioned IOPS, enhanced network drivers

Unique encrypted topology identity


VNS3 Application Segmentation (turret)

VNS3 creates a micro-perimeter around critical applications in any data center, cloud or virtualized environment

Traffic only flows in permitted directions, from permitted locations.

None of the servers talks to any other server without going through a secure VNS3 switch.


Why now - “demand”?


NIST Cyber Security Framework, PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate.


Why now - “supply”?


Network Function Virtualization - we can make networks out of virtual machines and containers

Software Defined Networking - we can manage networks through APIs

DevOps and Containers - makes application networks just another config


Once the micro-perimeter is established, the broad policy enforcement mechanism is in place, with strict traffic flow controls.
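The default-deny, direction-aware flow control described on the micro-perimeter slide and in the line above, worked through on the demo topology as an added Python example (this is not VNS3 code or its rule syntax; the office CIDR 10.10.0.0/16 and the service ports 4567 and 5432 are assumptions):

```python
from ipaddress import ip_address, ip_network

# Constructed example, not VNS3's own rule syntax. Hosts are taken from the
# demo topology slide; the office CIDR and service ports are assumptions.
OVERLAY = ip_network("192.168.56.0/24")           # VNS3 overlay network (Managers 1-3)
APP_TIER = ip_network("192.168.56.111/32")        # Sinatra app tier
PRIMARY_DB = ip_network("192.168.56.101/32")      # primary DB (backup shares the overlay IP)
NGINX = ip_network("172.31.1.1/32")               # nginx in the peered 172.31.0.0/22 overlay
CORP_OFFICE = ip_network("10.10.0.0/16")          # assumed CIDR behind the IPsec tunnel

# Allow list: (source, destination, protocol, port). Nothing else passes, so
# a server reaches another only through an explicitly permitted flow.
ALLOW = [
    (NGINX,       APP_TIER,   "tcp", 4567),   # web -> app (Sinatra's default port, assumed)
    (APP_TIER,    PRIMARY_DB, "tcp", 5432),   # app -> DB (assumed PostgreSQL port)
    (CORP_OFFICE, OVERLAY,    "tcp", 22),     # admin SSH from the office over IPsec
]

def permitted(src, dst, proto, port):
    """Default deny: a flow passes only if an allow rule matches it in that direction."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in sn and d in dn and proto == p and port == prt
               for sn, dn, p, prt in ALLOW)

# Constructed sample flows, including the east-west moves that a compromised
# web node would need and that the micro-perimeter drops.
SAMPLE_FLOWS = [
    ("172.31.1.1", "192.168.56.111", "tcp", 4567),      # web -> app: allowed
    ("192.168.56.111", "192.168.56.101", "tcp", 5432),  # app -> DB: allowed
    ("172.31.1.1", "192.168.56.101", "tcp", 5432),      # web -> DB directly: denied (east-west)
    ("192.168.56.101", "192.168.56.111", "tcp", 4567),  # DB -> app: denied (wrong direction)
    ("203.0.113.5", "192.168.56.101", "tcp", 5432),     # internet -> DB: denied (wrong location)
    ("10.10.3.4", "192.168.56.111", "tcp", 22),         # office -> app SSH: allowed
]

def audit(flows):
    """Return one verdict per flow, in order, as a firewall log would record them."""
    return ["ALLOW" if permitted(*f) else "DENY" for f in flows]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{verdict:5} {flow[0]:>15} -> {flow[1]:<15} {flow[2]}/{flow[3]}")
```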


Demo


Demo Topology


Regions: West Europe, West US, North Central US, East US

VNS3 Overlay Network 192.168.56.0/24 (VNS3 Managers 1, 2 and 3, peered):

VNS3 Manager 1 - Sinatra App Tier, overlay IP 192.168.56.111

VNS3 Manager 2 - Primary DB, overlay IP 192.168.56.101*

VNS3 Manager 3 - Backup DB, overlay IP 192.168.56.101

Public IPs: 104.40.234.149, 191.236.146.199, 104.42.102.143

VNS3 Manager 4 (public IP 191.236.53.137) - VNS3 Overlay 172.31.0.0/22, peered; Nginx Server, overlay IP 172.31.1.1

Active IPsec tunnel to the Customer Corp Office


Anywhere an application can go - it needs security & connectivity.

• Perimeter based security models are no longer sufficient. One compromise becomes the starting point for East-West attacks across a series of application deployments.

• Application Security Controllers use NFV and SDN to build an application-centric perimeter rather than a traditional “edge” perimeter.

• Application-centric Security is portable across Azure zones and locations.
