Network Security in the Digital Age - Zero Trust for Cloud-Native Architecture


Let’s talk about security. Nowadays, with mega breaches like the Equifax data breach and the Cambridge Analytica scandal, the incentive to amp up security has people far and wide scrambling to increase data privacy and protection. We live in an extremely trackable and hackable world, so it is more important than ever to heighten security and protect our most sensitive data.

How do you go about doing that? Whether you’re approaching this from a personal angle or from a business perspective, it’s a question you have probably asked yourself. Let’s narrow down this conversation and take it from a network and application security standpoint.

Back to the NetFoundry Networking Basics

While legacy networking solutions have provided enterprises with reliability, performance and security for the last few decades, they just don’t cut it today.

The digital era is all about empowering innovation, accessibility and agility based around cloud-native applications, serverless compute and DevOps. While this has made IT more nimble, responsive and advanced, networks haven’t enjoyed the same luxury. At least not until NetFoundry.

NetFoundry has caught networks up to the advances that applications and infrastructure have been enjoying by providing 'networkless connectivity' based around our AppWANs.

Our application-specific connectivity-as-code makes it possible to instantly spin up highly secure, performant, app-specific global networks at scale using our web-based orchestration tools and APIs. All you need is an Internet connection. These AppWANs abstract the network in the same way that containers and virtual machines abstract applications from underlying compute infrastructure. This eliminates the need for private circuits, proprietary hardware, and telco solutions. With NetFoundry, developers can integrate secure, performant north-south networks in software, and use any WAN technology or Internet connection for traversal.

So, now that we’ve established what NetFoundry does and how, let’s take our conversation back to network security.

Reliable and Performant Network Security

Most people assume that traditional networking solutions are the most secure option, but that is no longer true. Traditional networks can be seen as one dimensional, and what we mean by that boils down to encryption. Internet Protocol Security (IPsec) is the protocol suite that most VPNs use to protect traffic: ESP provides the encryption and integrity of the packets, and the Internet Key Exchange (IKE) negotiates the keys. While the VPN is a direct connection into the network, it is protected by only one dimension (or layer) of security: the IPsec tunnel. If that tunnel is broken, whether through a flaw in the key exchange or a compromised endpoint, the data streams inside it can be intercepted and there is no second layer standing in the way.

With NetFoundry, our zero-trust network overlay is protected by multiple layers of security. This isolates and protects data flows so that even if one layer is broken, the attacker cannot do anything with that information, because other layers are still protecting the network. The result is a private, dark network, micro-segmented by application, even though the public Internet is used for transport. NetFoundry security and compliance needs are defined by the app, rather than by managing separate islands of app, network and security infrastructure, which removes the gaps that open up when those policies are maintained separately. Five main layers of NetFoundry’s security architecture enable zero trust:

  • Authenticate-Before-Connect: NetFoundry’s software authenticates endpoints before they are given any network access. This is the first requirement for a dark network and the opposite of the Internet’s connect-first model.
  • Dark Network – Embedded Software Firewall: NetFoundry endpoint software opens only outbound connections to the private NetFoundry network overlay; the overlay in turn accepts only inbound data sessions that have been authenticated by certificate exchange with NetFoundry controllers. Because the endpoint software drops any packet that has not been authorized, there is nothing for an Internet-side scanner to find, which is what makes the network dark.
  • Least Privilege Access: Each authenticated application endpoint is given only the access it needs, as defined by the compliance and security needs of the application and the business, including IAM integration, application micro-segmentation and a software-defined perimeter.
  • Data in Motion Protection: NetFoundry encrypts all data with strong encryption, on demand, and also uses patented session-splitting technology. This splits each data session into multiple, individually encrypted flows and routes each flow independently. Routes and keys are ephemeral, so an attacker would need to find and independently decrypt every fragment before the routes or keys change in order to reassemble a single app session.
  • Move the Attack Surface away from the Business: The global NetFoundry overlay transits data between source and destination. The transit relays’ IP addresses could be targets for attack, since the endpoints themselves cannot be reached, but that attack surface sits away from the business’s assets and data. The transit nodes store no data of interest, so an attacker gains nothing usable, and they are disposable, resilient and highly distributed, so taking down individual nodes does not compromise the network.
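As an added illustration (not NetFoundry’s software; the token format, the policy table and the identity and service names are all constructed for this example), the Python sketch below shows how the first three layers fit together in code: every session request is authenticated before anything else happens, anything that fails authentication is dropped with no reply so the endpoint stays dark, and an authenticated endpoint can reach only the services its AppWAN policy lists. A real overlay would use per-endpoint certificates and an identity provider rather than a shared HMAC key.

```python
"""Toy zero-trust gateway: authenticate-before-connect, dark by default,
least-privilege policy. Added example, not NetFoundry's software."""
import base64
import hashlib
import hmac
import json
import time

# Constructed AppWAN policy: AppWAN -> identity -> services it may reach.
# Anything not listed is denied; an unknown identity gets an empty set.
POLICY = {
    "payments-appwan": {
        "pos-terminal-17": {"payments-api:443"},
        "ops-laptop-3": {"payments-api:443", "payments-admin:8443"},
    },
}


def issue_token(key, identity, app, ttl_seconds, now=None):
    """Stand-in for the certificate a controller would issue: HMAC-signed claims."""
    now = time.time() if now is None else now
    claims = {"id": identity, "app": app, "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + base64.urlsafe_b64encode(mac)


def verify_token(key, token, now=None):
    """Return the claims if the token is well-formed, signed by key and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, mac_b64 = token.split(b".", 1)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:                      # garbage, a port scan, a truncated token
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time compare
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] >= now else None


def gateway_decision(key, token, service, now=None):
    """Order matters: authenticate first, then authorise. Returns (verdict, reason)."""
    claims = verify_token(key, token, now)
    if claims is None:
        # Dark network: no error message, no reset, nothing for a scanner to learn.
        return "DROP", "unauthenticated request silently discarded"
    allowed = POLICY.get(claims["app"], {}).get(claims["id"], set())
    if service not in allowed:
        return "DENY", f"{claims['id']} is authenticated but not entitled to {service}"
    return "ALLOW", f"{claims['id']} -> {service} via {claims['app']}"


def demo(now=1_700_000_000.0):
    """Run the gateway against legitimate, over-reaching, forged, expired and
    unauthenticated requests; returns the verdict for each constructed case."""
    key = b"constructed-demo-key"           # a real overlay uses per-endpoint certificates
    pos = issue_token(key, "pos-terminal-17", "payments-appwan", 300, now)
    ops = issue_token(key, "ops-laptop-3", "payments-appwan", 300, now)
    forged = pos[:-4] + b"AAAA"              # tampered signature
    return {
        "pos_to_api": gateway_decision(key, pos, "payments-api:443", now)[0],
        "pos_to_admin": gateway_decision(key, pos, "payments-admin:8443", now)[0],
        "ops_to_admin": gateway_decision(key, ops, "payments-admin:8443", now)[0],
        "forged": gateway_decision(key, forged, "payments-api:443", now)[0],
        "expired": gateway_decision(key, pos, "payments-api:443", now + 600)[0],
        "port_scan": gateway_decision(key, b"SYN", "payments-api:443", now)[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>13}: {verdict}")
```

The point of the ordering is that the two failure modes look different to the requester: an authenticated endpoint asking for a service outside its policy gets an explicit deny it can log and report, while anything that cannot prove who it is gets no answer at all, which is the behaviour that makes an endpoint invisible to Internet scanning.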

WHITEPAPER: OUR ABSTRACTION IS YOUR SALVATION

Take a look below to understand how detrimental one dimensional networks can be for an enterprise.

The Bleichenbacher Catastrophe

This month, a new Bleichenbacher-oracle cryptographic attack was announced that exploits a 20-year-old protocol flaw: Bleichenbacher’s 1998 padding-oracle attack against PKCS#1 v1.5 RSA encryption, in which an attacker who can merely observe whether a server accepts or rejects the padding of a chosen ciphertext can decrypt messages, or forge signatures, without ever holding the private key. This attack compromises the Internet Key Exchange (IKE) protocol used to set up IPsec security associations, and more specifically it targets IPsec-based VPN connections, where the oracle lives in the IKEv1 authentication modes that RSA-encrypt the peers’ nonces. A successful attack lets the adversary impersonate a VPN peer, which is what makes Man-in-the-Middle attacks and access to the data carried in VPN sessions possible. The practical check is whether your IKE implementation still accepts those RSA-encryption authentication modes and whether your vendor’s patches for the oracle have been applied.

Yikes.
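To make the term concrete, here is a runnable toy version of the original attack, added to this post as an illustration and not taken from NetFoundry’s code or from the IKE research announced this month. It assumes a deliberately tiny seeded RSA key (about 122 bits, so it finishes in well under a second), a five-byte stand-in for the RSA-encrypted nonce, and a decryptor that leaks only whether the decrypted block starts with 0x00 0x02; all three are constructed for the example.

```python
"""Bleichenbacher's 1998 padding-oracle attack on PKCS#1 v1.5 RSA encryption.
Added illustration, not NetFoundry code. Toy key, toy message, Python 3.8+."""
import random

SEED = 7  # fixed seed so the demo is deterministic and runs offline


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probabilistic primality test (toy key generation only)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if is_probable_prime(cand, rng):
            return cand


def toy_rsa_keypair(bits=61, seed=SEED):
    """Two random 61-bit primes -> ~122-bit modulus (far too small for real use)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits, rng), gen_prime(bits, rng)
        if p == q:
            continue
        try:
            d = pow(e, -1, (p - 1) * (q - 1))
        except ValueError:          # e not invertible mod phi: draw again
            continue
        return p * q, e, d


def pkcs1_v15_pad(msg, k, rng):
    """EME-PKCS1-v1_5 encoding: 00 02 <non-zero PS of >= 8 bytes> 00 <msg>."""
    ps_len = k - 3 - len(msg)
    assert ps_len >= 8, "message too long for the modulus"
    ps = bytes(rng.randrange(1, 256) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def make_oracle(n, d, k):
    """The leak: a decryptor whose accept/reject behaviour reveals whether the
    recovered block is PKCS#1-conforming. Returns the oracle and a query counter."""
    stats = {"queries": 0}

    def oracle(c):
        stats["queries"] += 1
        return pow(c, d, n).to_bytes(k, "big")[:2] == b"\x00\x02"

    return oracle, stats


def ceil_div(a, b):
    return -(-a // b)


def bleichenbacher(n, e, c, k, oracle):
    """Recover m = c^d mod n using only the oracle. Conforming means
    2B <= m < 3B with B = 2^(8(k-2)); each query asks whether m*s mod n conforms."""
    B = 1 << (8 * (k - 2))
    assert oracle(c)                    # genuine ciphertext: step 1 (blinding) not needed
    M = [(2 * B, 3 * B - 1)]
    s = ceil_div(n, 3 * B)              # step 2a: linear search from the smallest useful s
    while not oracle(c * pow(s, e, n) % n):
        s += 1
    while True:
        new_M = set()                   # step 3: narrow every interval with this s
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
                lo = max(a, ceil_div(2 * B + r * n, s))
                hi = min(b, (3 * B - 1 + r * n) // s)
                if lo <= hi:
                    new_M.add((lo, hi))
        M = sorted(new_M)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]              # step 4: interval collapsed onto the plaintext
        if len(M) > 1:                  # step 2b: several intervals, keep searching linearly
            s += 1
            while not oracle(c * pow(s, e, n) % n):
                s += 1
            continue
        a, b = M[0]                     # step 2c: one interval, search by r then s
        r = ceil_div(2 * (b * s - 2 * B), n)
        while True:
            for cand in range(ceil_div(2 * B + r * n, b), (3 * B - 1 + r * n) // a + 1):
                if oracle(c * pow(cand, e, n) % n):
                    s = cand
                    break
            else:
                r += 1
                continue
            break


def demo(msg=b"nonce", seed=SEED):
    """Encrypt msg under the toy key, then recover it through the oracle alone.
    Returns (plaintext, number of oracle queries)."""
    n, e, d = toy_rsa_keypair(seed=seed)
    k = (n.bit_length() + 7) // 8
    padded = pkcs1_v15_pad(msg, k, random.Random(seed + 1))
    c = pow(int.from_bytes(padded, "big"), e, n)
    oracle, stats = make_oracle(n, d, k)
    block = bleichenbacher(n, e, c, k, oracle).to_bytes(k, "big")
    assert block == padded
    return block[block.index(b"\x00", 2) + 1:], stats["queries"]


if __name__ == "__main__":
    plaintext, queries = demo()
    print(f"recovered {plaintext!r} after {queries} oracle queries")
```

Against a real 1024-bit key the same search needs on the order of a million oracle queries, which is why the original is known as the million-message attack; the lesson for anyone running an IKE responder is that the fix is not a bigger key but an implementation that behaves identically, in its replies and in its timing, whether or not the RSA-decrypted padding was valid.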

With NetFoundry’s multi-layered network control fabric, attacks like this are virtually impossible. Don’t let your data and privacy remain vulnerable. Spin up your own secure, performant and application-specific network today.

Written by Gretchen Lindsay and Philip Griffiths

