Wednesday, April 1, 2015

AWS is retiring my instance, now what? How to check on service events and keep a current VNS3 configuration snapshot

Prevent downtime and keep your configuration updated by checking your AWS service events and updating your VNS3 configuration snapshot

Check for any scheduled events with Amazon AWS. In the Amazon EC2 console, click Events to see a list of all resources and their associated events. There is also an Events panel in the lower right of the EC2 Dashboard.

So you've got a scheduled retirement? 

  • For EBS-backed VNS3 instances, stop the instance and then start it again yourself. A stop/start moves the instance onto a new host (a plain reboot does not), so doing it at a time of your choosing avoids unplanned downtime. VNS3 version 3.5 and newer are EBS-backed, and easier to update.
  • For instance store-backed VNS3 instances* you will have to create a new instance. Launch a replacement instance from the most recent VNS3 AMI and import your VNS3 configuration snapshot into it. The snapshot carries all the data needed to bring the new instance to the exact configuration of the instance scheduled for retirement. You can terminate your old instance, or wait for it to be terminated automatically when it's retired. Need help? We can guide you.
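The same check, and the choice between the two bullets above, can be scripted with the AWS CLI. This is an added example and not part of the original post: it assumes the AWS CLI is installed with credentials and a region configured, reads the event codes AWS itself reports (instance-retirement, instance-stop, instance-reboot, system-reboot, system-maintenance), and relies on the CLI's text output mode for the tab-separated fields.

```shell
#!/bin/sh
# Added example (not from the original post): list EC2 instances with a pending
# scheduled event and map each one to the recovery path described above.
# Assumes the AWS CLI is installed with credentials and region configured.

tab=$(printf '\t')

# Live query.  Prints one line per instance that has a scheduled event:
#   instance-id <tab> event-code <tab> not-before <tab> root-device-type
list_scheduled_events() {
  aws ec2 describe-instance-status --include-all-instances \
      --query 'InstanceStatuses[?length(Events) > `0`].[InstanceId, Events[0].Code, Events[0].NotBefore]' \
      --output text |
  while IFS="$tab" read -r id code when; do
    root=$(aws ec2 describe-instances --instance-ids "$id" \
             --query 'Reservations[0].Instances[0].RootDeviceType' --output text)
    printf '%s\t%s\t%s\t%s\n' "$id" "$code" "$when" "$root"
  done
}

# Map an event to an action, following the two bullets above.
#   $1 = event code as reported by AWS, $2 = root device type (ebs|instance-store)
plan_action() {
  case "$1" in
    instance-retirement|instance-stop)
      case "$2" in
        ebs)            echo stop-start ;;            # stop, then start: new hardware, config kept
        instance-store) echo replace-from-snapshot ;; # new VNS3 from the AMI, import the snapshot
        *)              echo "unknown-root-device:$2"; return 1 ;;
      esac ;;
    instance-reboot|system-reboot)
      echo reboot-only ;;         # root volume stays, VNS3 configuration survives
    system-maintenance)
      echo expect-brief-outage ;; # AWS-side maintenance, nothing to restore afterwards
    *)
      echo "unknown-event:$1"; return 1 ;;
  esac
}

# Live events annotated with the action to take, one instance per line.
report() {
  list_scheduled_events | while IFS="$tab" read -r id code when root; do
    printf '%s\t%s\t%s\t%s\n' "$id" "$code" "$when" "$(plan_action "$code" "$root")"
  done
}
```

describe-instance-status is per region, so run report once for every region that hosts a VNS3 instance; anything that comes back as replace-from-snapshot is an instance store-backed manager that needs a current configuration snapshot before its retirement date.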

Always have a VNS3 configuration snapshot on hand!
In case something goes wrong with your underlying VM host, you will be able to get back up and running quickly. Best practice is to always have a current VNS3 snapshot for every running instance. For a detailed step-by-step guide to taking a snapshot of your VNS3 configuration and uploading it to the new 3.5 version, click here.

Uploading a snapshot in the new VNS3 3.5 is this easy: Upload > Submit.

Better yet, how about instant, automated snapshots? 
VNS3:ms is a single management dashboard for VNS3 networks, and is ideal for customers managing more than one VNS3 instance in an environment. It provides a complete view of all of your virtual networks, including the underlying cloud network elements like Amazon VPCs or Azure VNets.

Instance retirement and instance reboots are great times to make sure your VNS3 versions are up to date. 
While you're updating your instance, check that your VNS3 versions are up to date with the latest 3.5 security updates. The latest VNS3 versions are all EBS-backed and are much easier to update in AWS.

Upgrading is easy! Our YouTube video guide can walk you through the upgrade process with VNS3 version 3.5:

*If your instance store-backed instance passes its retirement date, it's terminated and you cannot recover the instance or any data that was stored on it. Regardless of the root device of your instance, the data on instance store volumes is lost when the instance is retired, even if they are attached to an EBS-backed instance.
**If you have a maintenance reboot pending, our understanding is that this is an instance reboot, and you will not lose your VNS3 configuration.

Friday, March 27, 2015

Security, Cloud and Networking Weekly News Roundup: March 23 - 27

This week's news in cloud, networking, and security - week of March 23rd: 

German cloud provider ProfitBricks is trying to attract customers from other public cloud providers with price/performance guarantees and an offer to credit users with the difference if another provider offers the same services at a lower cost. ProfitBricks has vowed to match the price and performance of any workload that users have running in Amazon, Google or Microsoft’s clouds. ProfitBricks ignites cloud pricing war with AWS, Google and Microsoft via Computer Weekly

A new Cloud Security Alliance survey of financial companies found that more than 40% of small companies (<=500 employees) had adopted cloud and 61% of institutions are developing cloud strategies. There is still room for improvement, with only 42% reporting actively implemented data encryption solutions for the cloud. Financial firms searching for cloud strategy via Business Cloud

“The most commonly expressed cloud security concerns revolve around the lack of visibility into the data protection measures employed by service providers,” a new report from Ovum states. With 80% of enterprises now using some form of cloud technology, service providers need to put security measures and user controls in place. Ovum urges service providers to get serious about cloud security via Computer Weekly

Google's Cloud Platform now offers Cloud Launcher, a catalog of applications that can be deployed with one click. The catalog includes common applications such as WordPress and LAMP, and stack components like Nginx and Node.js. Google Cloud Launcher deploys VM-based apps in a snap via InfoWorld

The Open Data Center Alliance Cloud Adoption Survey 2014, published this month, reports that ODCA members are focusing on internal clouds over public cloud, and exploring both software defined networking and hybrid cloud.
According to the ODCA, the share of respondents running more than 60% of their operations in an internal cloud has increased from 10% in 2012 to 24% in 2014.

Image credit: ODCA Cloud Adoption Survey 2014

Upcoming events Cohesive is hosting and attending:
  • 8 April CloudCamp Chicago FinTech
  • 15 April attending the AWS Summit London at ExCel 
  • 20 - 24 April - attending RSA Conference in San Francisco
  • 30 April - Cohesive Sponsoring & hosting the Secret Service Chicago Electronic Crimes Task Force April meeting
  • 2 - 4 June InfoSec London
  • 1 July AWS Summit Chicago 

Friday, March 20, 2015

Security, Cloud and Networking Weekly News Roundup: March 16 - 20

This week's news in cloud, networking, and security - week of March 16th: 

A global Tata Communications study found that organizations with more than 500 employees are seeing tangible benefits from cloud computing.  Cloud Computing Reducing Costs, Improving Productivity  via eweek
  • 85% say cloud has lived up to industry hype and are seeing benefits they did not expect
  • 23% responded that cloud has exceeded their expectations
  • 58% estimate they will have their compute and data storage in the cloud in 10 years, compared with 28% currently

OpenSSL releases a patch fixing 14 security flaws  via the InfoSec Handlers Diary Blog

Security experts say law firms are perfect targets for hackers. Research from Mandiant reports at least 80 of the 100 biggest law firms in the US, by revenue, have been hacked since 2011. Cyber Attacks Upend Attorney-Client Privilege via Bloomberg

VMware's vSphere 6 enters availability. "The company announced Monday general availability of VMware vSphere 6, its flagship suite of software tools for building cloud, its own OpenStack flavor, and the VMware Virtual SAN 6."  vSphere 6, VMware’s ‘One Cloud’ Strategy Centerpiece, Enters Availability via DataCenter Knowledge

After the 2013 breach that leaked 40 million card records, Target has agreed to settle the class-action lawsuit. Target will set aside $10 million for the victims whose credit and debit card information was stolen. According to official statements, the company will pay victims up to $10,000 each in damages, although the terms of the allocation and the sums allocated are confidential at the moment. Target Finally Settles Class Action via SurfWatch

Upcoming events Cohesive is hosting and attending:
  • 8 April CloudCamp Chicago FinTech
  • 20 - 24 April - attending RSA Conference in San Francisco
  • 30 April - Cohesive Sponsoring & hosting the Secret Service Chicago Electronic Crimes Task Force April meeting

Wednesday, March 18, 2015

How to customize VNS3 with our API: Clientpack

VNS3 sits at the confluence of network function virtualisation (NFV) - networks made out of software, and software defined networking (SDN) - networks configured by software. The key to that configuration is our API, which is thoroughly documented in the VNS3 3.5 API Instructions.

The aim of this blog series is to provide some practical examples of using the API to perform typical administration tasks with VNS3. Each example will be illustrated by a simple shell script.
Image credit: API Academy "What is an API"

Firstly some conventions

All of these scripts need to connect to the manager and make use of the API password. Each example will use a manager IP (MGRIP) of '' and an API password (APIPW) set to 'pa55Word'. Please substitute the correct values in your own scripts, and note that the manager IP will generally need to be its internal IP address.


OpenVPN should be installed, and the script needs bash and curl to be present. It also uses grep -P, which is only available in GNU grep built with PCRE support.

Getting client packs

#!/bin/bash
# Usage: sudo ./<script> [name-tag]   (the optional argument becomes the clientpack's name tag)
MGRIP=''          # VNS3 manager IP (normally its internal address)
APIPW='pa55Word'  # VNS3 API password
NAME="$1"         # optional tag for the clientpack

command -v openvpn >/dev/null 2>&1 || { echo "OpenVPN should be installed first. Aborting." >&2; exit 1; }  
command -v curl >/dev/null 2>&1 || { echo "This script requires curl, but it's not installed. Aborting." >&2; exit 1; }  
if [ -e /etc/openvpn/clientpack.ip ]; then   
  echo "VNS3 Clientpack already installed"   
  exit 0
fi
# -k skips certificate checking because the manager presents a self-signed certificate
CLIENTPACKJSON=$(curl -k -X POST -u api:$APIPW -H 'Content-Type: application/json' https://$MGRIP:8000/api/clientpacks/next_available)   
CLIENTPACKNAME=$(echo $CLIENTPACKJSON | grep -Po '"name":.*?[^\\]"' | awk '{split($0,a,":"); print a[2]}')   
CLIENTPACKIP=$(echo $CLIENTPACKJSON | grep -Po '"overlay_ipaddress":.*?[^\\]"' | awk '{split($0,a,":"); print a[2]}')   
curl -k -X GET -H 'Content-Type: application/json' -d '{"name":'$CLIENTPACKNAME',"format":"conf"}' https://api:$APIPW@$MGRIP:8000/api/clientpack -o /etc/openvpn/"${CLIENTPACKNAME//\"}".conf   
if [ "$NAME" != "" ]; then   
  curl -k -X POST -u api:$APIPW -d '{"key":"name", "value":"'$NAME'"}' -H 'Content-Type: application/json' https://$MGRIP:8000/api/clientpack/${CLIENTPACKNAME//\"}   
fi
echo "${CLIENTPACKIP//\"}" > /etc/openvpn/clientpack.ip  
service openvpn stop && service openvpn start  
View or download this script from GitHub Gist

If this script is run without parameters it will simply download the next available clientpack.
 $ sudo ./  
  % Total  % Received % Xferd Average Speed  Time  Time   Time Current  
                  Dload Upload  Total  Spent  Left Speed  
 100  509 100  509  0   0  2533   0 --:--:-- --:--:-- --:--:-- 2557  
  % Total  % Received % Xferd Average Speed  Time  Time   Time Current  
                  Dload Upload  Total  Spent  Left Speed  
 100 7336 100 7295 100  41 51820  291 --:--:-- --:--:-- --:--:-- 52482  
  * Stopping virtual private network daemon(s)...                 *  No VPN is running.  
  * Starting virtual private network daemon(s)...                 *  Autostarting VPN '192_168_56_132'  

If it's run with a parameter then that will be used as the name tag for the clientpack which can then be seen in the VNS3 console.
 $ sudo ./ demo  
  % Total  % Received % Xferd Average Speed  Time  Time   Time Current  
                  Dload Upload  Total  Spent  Left Speed  
 100  509 100  509  0   0  2463   0 --:--:-- --:--:-- --:--:-- 2482  
  % Total  % Received % Xferd Average Speed  Time  Time   Time Current  
                  Dload Upload  Total  Spent  Left Speed  
 100 7340 100 7299 100  41 49831  279 --:--:-- --:--:-- --:--:-- 50337  
 {"response":{"name":"192_168_56_133","tags":{"name":"demo"}}} * Stopping virtual private network daemon(s)...                          *  No VPN is running.  
  * Starting virtual private network daemon(s)...                 *  Autostarting VPN '192_168_56_133'   

Picking the script apart

If you just want to use the script then hopefully all you need to do is set the variables at the beginning to work with your VNS3 IP and password (and you might also choose to replace the tests for openvpn and curl with the package manager instructions to install them e.g. 'apt-get install -y openvpn curl' if you're using Debian or Ubuntu). If you want to customise it then read on for an explanation of what's going on. I'll start after the test for whether a client pack is already installed, as it's all pretty obvious up to that point.

Firstly we call the next_available clientpack API, which returns a lump of JSON
CLIENTPACKJSON=`curl -k -X POST -u api:$APIPW -H 'Content-Type: application/json' https://$MGRIP:8000/api/clientpacks/next_available`   

To avoid the extra dependency of a proper JSON parser, the name and IP of the clientpack are pulled out with grep and awk (the -P flag needs GNU grep with PCRE support):
CLIENTPACKNAME=$(echo $CLIENTPACKJSON | grep -Po '"name":.*?[^\\]"' | awk '{split($0,a,":"); print a[2]}')   
CLIENTPACKIP=$(echo $CLIENTPACKJSON | grep -Po '"overlay_ipaddress":.*?[^\\]"' | awk '{split($0,a,":"); print a[2]}')   

The clientpack itself is then downloaded:
curl -k -X GET -H 'Content-Type: application/json' -d '{"name":'$CLIENTPACKNAME',"format":"conf"}' https://api:$APIPW@$MGRIP:8000/api/clientpack -o /etc/openvpn/"${CLIENTPACKNAME//\"}".conf  

Two things are worth knowing about this line. The API password is embedded in the URL, where any local user can read it from the process list with ps; the -u api:$APIPW form used elsewhere in the script is no better in that respect, and a .netrc entry used with curl -n keeps the password off the command line altogether. The -k flag is there because the manager presents a self-signed certificate; verifying against that certificate with --cacert instead of switching verification off stops a spoofed manager from collecting the password or handing out its own keys.

If a name parameter was passed then the clientpack is tagged:
if [ "$NAME" != "" ]; then   
 curl -k -X POST -u api:$APIPW -d '{"key":"name", "value":"'$NAME'"}' -H 'Content-Type: application/json' https://$MGRIP:8000/api/clientpack/${CLIENTPACKNAME//\"}   

and to finish off the clientpack IP is written to a file (with the quotes around it stripped out), which might be useful for other automation scripts:
echo "${CLIENTPACKIP//\"}" > /etc/openvpn/clientpack.ip  

Finally the OpenVPN service is restarted in order to pick up the new clientpack:
service openvpn stop && service openvpn start  
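As an added example, not code from the original post or the VNS3 project, here are the field extraction and the tag step from the walkthrough redone so they run on a plain POSIX shell (no GNU grep -P) and refuse input that should never end up in a file name or a JSON body. The sample JSON is constructed: the field names are the ones the script reads, the values are made up.

```shell
#!/bin/sh
# Added example, not part of the original post or the VNS3 project: the field
# extraction and the tag step from the script above, redone so they run on a
# plain POSIX shell (no GNU grep -P) and refuse API responses or arguments
# that should never reach a file name or a JSON body.

# Constructed sample of a next_available response.  The field names are the
# ones the script above reads; the values are made up.
SAMPLE_JSON='{"response":{"name":"192_168_56_133","enabled":true,"overlay_ipaddress":"192.168.56.133","status":"unused"}}'

# json_str JSON KEY: print the string value of the first occurrence of "KEY".
# awk's index() is enough for the flat responses the clientpack API returns.
json_str() {
  printf '%s' "$1" | awk -v k="\"$2\":\"" '{
    i = index($0, k)
    if (i) { s = substr($0, i + length(k)); sub(/".*/, "", s); print s }
  }'
}

# Clientpacks are named after their overlay address with dots turned into
# underscores (192_168_56_133).  Anything else must not become a path under
# /etc/openvpn, so reject it before it reaches curl -o.
valid_clientpack_name() {
  case "$1" in
    ''|*[!0-9_]*) return 1 ;;
    *)            return 0 ;;
  esac
}

# Body for the tag call.  The original script splices $NAME straight into the
# JSON; a quote or backslash in the argument would break (or alter) the body,
# so refuse those rather than trying to escape them in shell.
tag_body() {
  case "$1" in
    ''|*\"*|*\\*) return 1 ;;
  esac
  printf '{"key":"name","value":"%s"}' "$1"
}

# parse_next_available JSON: print "NAME IP" once both fields check out.
parse_next_available() {
  name=$(json_str "$1" name)
  ip=$(json_str "$1" overlay_ipaddress)
  valid_clientpack_name "$name" || { echo "refusing clientpack name '$name'" >&2; return 1; }
  [ -n "$ip" ] || { echo "no overlay_ipaddress in response" >&2; return 1; }
  printf '%s %s\n' "$name" "$ip"
}
```

In the script above, parse_next_available would replace the two grep/awk lines and the tag curl would send "$(tag_body "$NAME")" as its -d argument; because json_str takes the first occurrence of a key, it also returns the clientpack name rather than the tag value when fed the tagging response shown earlier.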

Tuesday, March 10, 2015

Bastion hosts and the new perimeter


Wikipedia describes a Bastion host as 'a special purpose computer on a network specifically designed and configured to withstand attacks'. This is a great description of how many of our customers use our VNS3 network manager, and is even more apt for our new VNS3:turret Application Security Controller.


I first came across the term 'Bastion host' when working at a large Swiss bank where such things were an essential part of the DMZ design. These would be the first machines that web traffic from the Internet would hit (having come straight through the firewalls that were of course configured to allow web traffic). They were of course *very* well hardened, and very stripped down as they had two simple roles in life:
  1. Pass allowable traffic on to the next link in the application delivery chain (and drop all other traffic)
  2. Don't get compromised and become part of an attacker's 'kill chain'.

What changed in the cloud?

Not a lot really. The physical firewalls have been replaced by security groups that work at a VM or VPC level, and the Bastion host is now a VM rather than a physical box.

What really changed in the cloud?

There's a lot more to a modern DMZ than just the perimeter firewall and the Bastion host serving front of house. The last couple of decades have brought us NIDS/NIPS, dedicated SSL/TLS termination, web application firewalls (WAFs), edge caching and ever more sophisticated load balancing. Each of these things started life as a standalone network box (which was often just an x86 server delivered as an appliance), but over time industry convergence and economic pressures have squeezed these functions into 'unified threat management' (UTM) in some cases or an 'application delivery controller' (ADC) in others.

Whether it's made from a bunch of different special purpose boxes, or one unified appliance, these tools have always been deployed at a network choke point, which has a couple of serious design consequences:

  1. The network appliance has to keep up with everything going through the choke point, meaning that for anything beyond small scale deployments it must go fast - very fast.
  2. The network appliance has to deal with every application beyond the choke point, which is basically every application in the enterprise (or at least that geography), meaning a kitchen sink full of (sometimes contradictory) rules.
Cloud changes this model a lot:
  1. There is nowhere to install a physical network box in any normal cloud, everything has to be on a VM (or a bunch of VMs).
  2. Cloud networks tend to be naturally segmented around individual applications (rather than the intranet style deployment of everything on one network), which means that the throughput requirement is lower and the rules scope is much smaller.
The key here is a shift from one huge centralised choke point to a distributed array of smaller, application specific choke points.

This is what we call the Application Security Controller - it's something that does similar functions to a UTM or ADC, but that's deployed completely differently because it creates an application perimeter rather than an enterprise perimeter.

So how does VNS3 fit into this?

At the most basic level the firewall on VNS3 can be configured to forward appropriate traffic back to application serving hosts in the network behind it (which might be an encrypted overlay network or could just be a VPC).
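As an added example (not from the post, and not VNS3's own firewall syntax, which is covered in its documentation), this is what the two roles from the bank DMZ, pass allowed traffic on and expose nothing yourself, look like as a per-application Linux iptables ruleset on a cloud VM. The interface name, application address, port and admin range are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the two bastion roles (forward
# allowed traffic to the next hop, accept no inbound connections yourself)
# as an iptables-restore ruleset for one application.  Interface, addresses
# and ports are assumptions; VNS3's own firewall syntax is documented separately.

# bastion_rules EXT_IF APP_HOST PORT [ADMIN_CIDR]
# Prints the ruleset; an admin range, if given, is the only source allowed
# to open SSH to the bastion itself.
bastion_rules() {
  ext=$1; app=$2; port=$3; admin=${4:-}
  if [ -n "$admin" ]; then
    admin_rule="-A INPUT -i $ext -s $admin -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
  else
    admin_rule="# no admin range given: no inbound SSH at all"
  fi
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Role 1: hand allowed traffic to the next link in the delivery chain
-A PREROUTING -i $ext -p tcp --dport $port -j DNAT --to-destination $app:$port
# Source-NAT the forwarded flow so the app host's replies come back through
# this bastion even when the app host is not routed via it; the price is that
# the app sees the bastion's address, not the client's (a reverse proxy in a
# container, as described below, can pass the client address on instead).
-A POSTROUTING -d $app -p tcp --dport $port -j MASQUERADE
COMMIT
*filter
# Role 2: the bastion accepts no new inbound connections of its own
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$admin_rule
# Only the DNATed application flow may be forwarded; everything else is dropped
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $ext -d $app -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# apply_bastion_rules EXT_IF APP_HOST PORT [ADMIN_CIDR]: load the ruleset (root only).
apply_bastion_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_bastion_rules: must run as root" >&2; return 1; }
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  bastion_rules "$@" | iptables-restore
}
```

Review the generated text with bastion_rules eth0 10.0.1.10 443 203.0.113.0/24 before loading it; on a cloud VM the security group in front of the instance should be narrowed to the same port and admin range, so the two layers agree on what the application perimeter admits.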

Containers, containers, containers

Containment approaches like chroot have often been used to provide isolation between services, and as container capabilities have got more sophisticated and accessible (with tools like Docker) it's become more practical to put more network application services into containers.

The container subsystem on VNS3 can be used for the full range of application security controller functions, such as proxy, reverse proxy, cache, load balancer, SSL/TLS termination, NIDS and more. For many customers this means taking what might otherwise run in small VMs on the Internet edge of an application and moving that functionality into containers that are co-resident with the core network manager thus shrinking the security surface area, management complexity and of course cost.

So what is VNS3:turret

VNS3:turret is an Application Security Controller. The core network manager is the same as VNS3:net, but it comes with a set of preconfigured network application services and the corresponding rule sets, updates and support services so that it can be tailored to the application(s) it's protecting.


After all this time a strong Bastion host is still a very relevant part of any network perimeter - it's a concept that's survived the transition that's presently happening from enterprise perimeters to more segmented application perimeters. That transition is being driven by a migration to cloud (both public and private) and an ever more attentive regulatory and compliance environment. As that transition happens we see a shift towards the Application Security Controller model, which is why we built one - VNS3:turret.
