Technical Brief - NetFoundry
https://netfoundry.io/resource-categories/technical-brief/
Identity-First™ Networking

NetFoundry Cloud: Simplifying Zero Trust Networking Deployments
https://netfoundry.io/resources/netfoundry-cloud-simplifying-zero-trust-networking-deployments/
Sat, 09 Nov 2024 14:26:34 +0000
NetFoundry, Developers of OpenZiti | White Paper

The post NetFoundry Cloud: Simplifying Zero Trust Networking Deployments appeared first on NetFoundry.

Technical Brief

NetFoundry Cloud: Simplifying Zero Trust Networking Deployments


NetFoundry Cloud is a comprehensive, enterprise-grade Network-as-a-Service (NaaS) solution designed for seamless deployment, configuration, and management of zero trust overlay networks powered by the NetFoundry Ziti platform and architecture. Widely adopted by the open source OpenZiti community, NetFoundry Cloud supports development, prototyping, and production deployment of OpenZiti solutions, even in highly secure and mission-critical environments.

Harnessing the global innovation of OpenZiti, NetFoundry Cloud provides a robust NaaS designed for IT and OT applications with stringent security demands. As a fully managed service, NetFoundry handles all hosting, updates, maintenance, and security, allowing organizations to deploy secure, high-performance overlay networks instantly across the programmable NetFoundry Fabric—without the need for additional infrastructure or hardware.

This resilient, scalable service significantly reduces the cost, time, and complexity of implementing zero trust internet overlays, enabling businesses to focus on their core objectives while benefiting from enhanced security, streamlined scalability, optimized performance, and complete network visibility.

Instant Secure Networks

Unlock secure, high-performance connectivity with NetFoundry Cloud, the enterprise-grade NaaS solution that deploys zero trust overlay networks effortlessly.

NetFoundry vs DIY

Forget the complexities of DIY: NetFoundry Cloud simplifies deployment, management, and compliance with zero trust principles and global reach, while cutting costs and reducing risk.

NetFoundry Cloud Advantages

NetFoundry Cloud drastically simplifies secure networking compared to traditional private self-managed networks. Companies must carefully consider the challenges of building and operating their own infrastructure and networks given the complexity of today’s hyper-connected world and constant exposure to security risks. Here are some advantages of using NetFoundry Cloud over traditional DIY (Do It Yourself) in-house approaches:


Ease of Deployment

DIY: Requires significant time and expertise to manually configure and deploy network components across multiple cloud environments.


Multi-Tenant and OEM/White label

NetFoundry Cloud: The NetFoundry platform is designed to be OEMed and embedded in physical and software products. It is geared toward MSPs, software companies and smart connected product manufacturers who want to build zero trust connectivity into the products and services they deliver to clients. This includes a multi-tenant platform with a multi-account structure and RBAC, per-customer PKI with the ability to integrate individual customer identity and third-party tools seamlessly, extensive logging and auditing, centralized consumption, reporting and billing, high automation and APIs, as well as the ability to white label and brand the product with flexible pricing to fit your commercial go-to-market strategy.

DIY: Requires custom solutions for multi-tenancy, RBAC, PKI/integrations, logging, billing, APIs, and white labeling.


Cost Efficiency

NetFoundry Cloud: Reduces costs with a managed service model, eliminating the need for extensive in-house resources and ongoing maintenance. NetFoundry provisions, configures, manages, and upgrades the infrastructure, including OS, Ziti software installations, and NetFoundry-hosted controllers and routers.

DIY: High initial setup costs and ongoing expenses for infrastructure, maintenance, and skilled personnel.


Scalability

NetFoundry Cloud: Seamlessly scales with automatic resource adjustments based on demand, ensuring optimal performance and cost-efficiency. It supports over 150 million fabric sessions weekly.

DIY: Manual scaling is complex and resource-intensive, requiring careful planning and execution.


High Availability

NetFoundry Cloud: Built-in redundancy, load balancing, and multi-region replication ensure high availability and reliability, with daily backups and disaster recovery (DR) across sites for high SLAs.

DIY: Ensuring high availability requires significant expertise and resources to implement and maintain redundancy and failover mechanisms.


Security

NetFoundry Cloud: Comprehensive security services including IAM, encryption, DDoS protection, and zero trust principles are built in and managed. Production and development systems run in ‘dark networks’ with no inbound ports, and administrative access is ephemeral, granted under just-in-time/just-enough-administration (JIT/JEA) policy.

DIY: Implementing and maintaining robust security measures requires extensive knowledge and continuous effort.


Global Reach

NetFoundry Cloud: Utilizes a global network of data centers for low-latency routing and edge computing, enhancing performance and user experience. Controllers and edge routers can be deployed in several cloud providers’ data centers or self-hosted. Networks can also be geographically constrained and deployed locally for sovereignty.

DIY: Establishing a global presence requires significant investment in infrastructure and expertise in managing distributed networks.


Simplified Management, Visibility, and Analytics

NetFoundry Cloud: Centralized management of multi-tenant zero trust networks via a web console and APIs, with built-in telemetry, monitoring, patching, upgrades, and detailed dashboards for connection health checks, network flows, path latency, and more. Each network is dedicated to the customer and isolated from other customer networks.

DIY: Requires custom solutions for management, monitoring, and maintaining visibility across the network.


Expert Support and Proactive Monitoring

NetFoundry Cloud: Access to NetFoundry’s team of experts ensures your network runs smoothly and efficiently. NetFoundry provides 24/7 support, including technical engineering and pre-sales assistance, along with built systems and tooling to monitor networks and act on alerts.

DIY: Requires in-house expertise to troubleshoot and resolve issues, adding to operational complexity.


Self-Healing Network

NetFoundry Cloud: Configures the network to make proper use of OpenZiti self-healing capabilities, providing the lowest-latency paths within the fabric for your traffic based on “smart routing”.

DIY: Setting up and operating a self-healing network properly requires advanced knowledge, expertise, and experience.


Accelerated Software Updates

NetFoundry Cloud: Customers can request and receive priority paths for feature requests, sometimes delivered within days, providing rapid software fixes and enhancements. This access to NetFoundry’s product and engineering teams accelerates development and ensures critical capabilities are available when needed.

DIY: Requires internal development resources to create and implement new features, which can be time-consuming and costly.


Compliance and Integration

NetFoundry Cloud: SOC2 Type 2 certified, with a legal framework and SLAs in place. Offers pre-built integrations with leading IdP/CAs, IAM, directories, SIEM/SOC/SOAR, EDR, SSO, and more, simplifying compliance and integration.

DIY: Achieving and maintaining compliance and integrating with various enterprise systems requires significant effort and expertise.


Liability Protection

NetFoundry Cloud: The Cyber Resilience Act (CRA) and the Product Liability Directive (PLD) are two cornerstone regulations designed to address security, safety, and accountability. NetFoundry’s zero-trust platform helps companies meet these regulations by embedding secure, scalable networking into digital products, reducing vulnerabilities and supporting compliance.

DIY: Without zero trust designed in, companies must bolt on software to comply. This leads to complex security management, higher operational costs, and increased risks.

NetFoundry Cloud Feature Summary

| Aspect | NetFoundry Cloud | Unique Capabilities |
| --- | --- | --- |
| Ease of Deployment | Quick with orchestration tools. | NetFoundry Console & Orchestration Platform |
| Cost Efficiency | Lower costs, managed service. | Rapid provisioning, volume purchase power of public cloud computing power, economies of scale |
| Scalability | Automatic scaling. | Proven, tuned, optimized NetFoundry Fabric |
| High Availability | Built-in redundancy and DR. | Over 140 POPs available |
| Security | Comprehensive, managed security. | Configured with no open inbound ports; services including IAM, encryption, DDoS protection |
| Global Reach | Global data centers, low latency. | Over 140 POPs available |
| Management and Analytics | Centralized with built-in tools. | NetFoundry Console & Telemetry; automated monitoring and alerts |
| Support and Monitoring | 24/7 expert support. | Experienced team |
| Self-Healing Network | Utilizes self-healing capabilities. | Optimized set-up of Ziti self-healing features |
| Software Updates | Rapid updates and fixes. | Automated processes |
| Compliance and Integration | SOC2 certified, pre-built integrations. | Hardened and compliant environments |
| Liability Protection | Secure by design, ideal for CRA and PLD compliance. | Zero Trust connectivity that can be embedded and designed into products. |

Navigating EU Regulations

The EU has introduced the Cyber Resilience Act (CRA) and Product Liability Directive (PLD) to ensure digital product security, accountability, and safety. These regulations highlight secure product standards and hold companies accountable for harm due to security flaws, making compliance essential for regulatory adherence and customer trust.


Overview of the Cyber Resilience Act (CRA)

The CRA mandates that connected devices meet cybersecurity standards, covering design, lifecycle maintenance, and post-market updates. It applies to IoT devices and software applications, requiring regular testing and documentation. CRA also introduces penalties for non-compliance, pushing manufacturers to uphold strict security measures.


Overview of the Product Liability Directive (PLD)

The PLD holds companies liable for defects, expanding this to include cybersecurity flaws. It eases the burden of proof for consumers and extends liability across the supply chain, covering new types of damages like data loss. Non-compliance with PLD can lead to financial penalties for manufacturers.


How the CRA and PLD Work Together

CRA proactively requires cybersecurity integration from design, while PLD reactively addresses liability when security flaws cause harm. Together, they enforce cybersecurity as part of product safety, offer consumers protection, and incentivize compliance.


How NetFoundry Supports Compliance

NetFoundry’s zero-trust solution helps meet CRA and PLD requirements by embedding security into network operations. Key benefits include:

  • Zero Trust Security: Eliminates traditional network connections to reduce attack surfaces.
  • Microsegmentation: Independently authorizes each session, protecting against lateral movement.
  • Logging and Monitoring: Provides real-time telemetry to support compliance audits.
  • Flexible Deployment: Operates across multi-cloud, hybrid, and on-premises environments.

EU Cyber Compliance

Designed for the Cyber Resilience Act (CRA) and Product Liability Directive (PLD), NetFoundry embeds advanced security into your digital products, reducing vulnerabilities and ensuring accountability.

Real-World Success Stories

Discover how industry leaders leverage NetFoundry’s zero trust solutions to enhance security, scalability, and rapid deployment.

Case Studies

  1. Leading Cybersecurity Software Provider (White Label): Within 90 days, this provider launched a white-labeled zero trust solution for their clients using NetFoundry. Instead of building, managing, and scaling their own infrastructure, they leveraged NetFoundry’s APIs, reducing time and complexity for rapid deployment at scale.
  2. Global Cybersecurity OEM: During a proof-of-concept (PoC) with a major U.S. financial client, this OEM needed NetFoundry to support a specific proxy. NetFoundry quickly developed the solution, enabling a successful PoC and deal closure, demonstrating agile, client-focused support.
  3. Marposs: Marposs used NetFoundry Cloud to develop and launch a secure, next-generation product for OT and mission critical environments. Within days, they had a working prototype, and in under a year, the full solution was deployed, transforming secure deployment in critical infrastructure.
  4. TZ Smart Lockers: TZ implemented NetFoundry to secure its smart locker systems used by global logistics providers. Using zero trust principles, they achieved seamless, scalable, secure connectivity across facilities, allowing real-time access and improved security management for distributed systems.
  5. NetFoundry’s Internal Scaling: As NetFoundry grew, manual patching became impractical. While we were developing a solution, the product we had chosen (SaltStack) suffered a very bad CVE, and many large vendor patching systems (including Cisco’s) were publicly compromised as a result. Realizing we could not expose customer systems to that risk in future, we rebuilt our patching system on Ziti itself so that this attack vector is impossible in future.

Summary

NetFoundry Cloud is an enterprise-grade turnkey NaaS solution that eliminates the complexities and costs associated with building and maintaining Ziti-based overlay networks in mission-critical, highly secure environments. The solution includes comprehensive support, advanced features, and seamless integration to ensure your cloud environment is protected, efficient, and future-ready. This managed service approach provides your business with speed, agility, and cost efficiency, allowing you to focus on your core business objectives while enjoying enhanced security, scalability, performance, and visibility.

Secure NaaS Solution

With a fully managed service approach, NetFoundry Cloud delivers agility, scalability, and cost savings—enabling you to focus on business growth while ensuring robust security and seamless performance.

NetFoundry Cloud vs Do-It-Yourself Comparison

| Aspect | NetFoundry Cloud | DIY |
| --- | --- | --- |
| Ease of Deployment | Quick deployment with orchestration software and APIs; automation tools or YAML/JSON. | Requires significant time and expertise for manual configuration and deployment. |
| Cost Efficiency | Managed service model reduces costs by eliminating in-house resources and maintenance. | High setup costs and ongoing expenses for infrastructure and skilled personnel. |
| Scalability | Automatic resource adjustments for optimal performance and cost-efficiency; supports high volume. | Manual scaling is complex and resource-intensive. |
| High Availability | Built-in redundancy, load balancing, multi-region replication, daily backups, and disaster recovery. | Requires significant expertise and resources for redundancy and failover. |
| Security | Comprehensive security services including IAM, encryption, DDoS protection, and zero trust principles. | Requires extensive knowledge and continuous effort for robust security measures. |
| Global Reach | Global network of data centers for low-latency routing and edge computing; local deployment for sovereignty. | Significant investment and expertise needed for managing distributed networks. |
| Simplified Management and Analytics | Centralized management with built-in telemetry, monitoring, patching, upgrades, and detailed dashboards. | Requires custom solutions for management and monitoring. |
| Expert Support and Monitoring | 24/7 expert support, proactive network monitoring, and alert response. | In-house expertise needed for troubleshooting and resolving issues. |
| Self-Healing Network | Utilizes OpenZiti self-healing capabilities for optimal traffic routing. | Advanced knowledge and experience needed for setup and operation. |
| Compliance and Integration | SOC2 Type 2 certified with pre-built integrations for compliance and enterprise systems. | Significant effort required for achieving compliance and integration. |
| Accelerated Software Updates | Priority feature updates and rapid software fixes provided by NetFoundry. | Internal development resources needed for new features, which can be time-consuming and costly. |

Solution Guide: Securing AWS Zero Trust Access to S3 Buckets with Python, VPC, and Ziti SDK
https://netfoundry.io/resources/solution-guide-securing-aws-zero-trust-access-to-s3-buckets-with-python-vpc-and-ziti-sdk/
Fri, 18 Oct 2024 13:49:04 +0000
NetFoundry White Papers

The post Solution Guide: Securing AWS Zero Trust Access to S3 Buckets with Python, VPC, and Ziti SDK appeared first on NetFoundry.

Technical Brief

Solution Guide: Securing AWS Zero Trust Access to S3 Buckets with Python, VPC, and Ziti SDK


NetFoundry AWS Zero Trust

NetFoundry AWS Zero Trust offers private, zero trust networking to S3 buckets for apps, devices, and users

In this NetFoundry solution guide, learn how to securely access your S3 buckets using VPC endpoints, the Boto3 S3 client, and NetFoundry’s Ziti SDK. This guide outlines the process of integrating NetFoundry’s secure cloud network for high performance and security in your AWS environment. You’ll learn how AWS Zero Trust principles enhance security by embedding zero trust connectivity, ensuring secure access and protection for modern cloud environments.

The solution described in this guide uses NetFoundry Cloud, which makes it easy to instantly spin up highly secure, performant edge-, app- or device-to-cloud networks for workloads in AWS. Our secure private overlays on the internet offer private, zero trust networking to S3 buckets and objects for apps, devices and users.

With NetFoundry, you can extend secure zero trust connections to S3 buckets and objects that are not public, following least-privilege access and microsegmentation principles. NetFoundry’s smart fabric provides optimal-latency routes for your apps. This lets you build highly secure and performant connectivity in minutes using cloud-native tools, without the burden of a Direct Connect solution.

This guide explores how to use NetFoundry to establish secure access to your private Amazon S3 buckets from a Python log pusher program running a Boto3 client for S3. We establish the private overlay using a NetFoundry edge router in AWS and the NetFoundry Python SDK imported into the Python log pusher program. You can follow the same approach for any Python-based app, or explore our SDKs for other programming languages. We will also look at how to access the bucket and objects from a laptop running the NetFoundry Ziti Desktop Edge software client.

Secure Cloud Access

Discover how to implement private, zero trust networking for Amazon S3 buckets using NetFoundry’s AWS solution.

This guide provides step-by-step instructions for integrating VPC endpoints and the Boto3 S3 client, ensuring secure access and protection for cloud environments.

Getting Started Guide

Kick off your NetFoundry journey with a free trial account! Ensure you have a network set up with at least one public router and follow our guides to meet firewall policy requirements for secure outbound access.

AWS Zero Trust: Getting Started

What you need to get started:

Solution Architecture:

[Image: Solution Architecture]

Setting up S3 bucket, VPC interface endpoint and policies in AWS

A. S3 Bucket:

You can follow the steps outlined in the following document to create an S3 bucket:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html

Create the bucket with public access blocked, so it is not reachable anonymously.

[Image: Block Public Access settings]

B. Interface VPC endpoint:

[Image: Interface VPC Endpoint]

An interface VPC endpoint is represented by one or more elastic network interfaces (ENIs) that are assigned private IP addresses from subnets in your VPC; these private addresses are what the NetFoundry service is configured to reach.

[Image: Interface VPC Endpoints - Subnets]

You can attach an endpoint policy to your VPC endpoint that controls access to Amazon S3. The policy in the snapshot below grants the interface VPC endpoint (VPCE) access to all resources within the VPC.

[Image: Endpoint Policy]

C. S3 Bucket Policy:

Once the VPC endpoint (VPCe) and S3 bucket are provisioned, the next step is to provision the S3 bucket policy. With Amazon S3 bucket policies, you can secure access to objects in your buckets so that only services or users with the appropriate permissions can access them. For this demo, we use a bucket policy to restrict access to a single VPC endpoint. Below is a bucket policy that allows access only through the specific VPCe “vpce-0db2ff4e77e2622ba” to perform actions on the S3 bucket “sdktestingwithboto3” and its objects.

[Image: Bucket Policy]
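The bucket policy itself is only in a screenshot, so here is an added Python example (not the guide's own policy document) that builds the equivalent policy from the bucket name and VPC endpoint ID given above and runs a simplified model of IAM's evaluation order (explicit deny first, then allow, otherwise implicit deny) over a few constructed requests. The evaluator handles only the operators and trailing-`*` globs that this policy uses; it illustrates the intended behaviour and is not AWS's evaluator.

```python
"""Bucket policy pinned to one interface VPC endpoint, with a small evaluator.
Added example; the bucket and endpoint IDs are the ones used in the guide."""
import json

BUCKET = "sdktestingwithboto3"        # bucket name from the guide
VPCE_ID = "vpce-0db2ff4e77e2622ba"    # interface endpoint ID from the guide


def build_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Allow a short list of S3 actions only when the request arrives through
    vpce_id (condition key aws:SourceVpce), and explicitly deny every S3 action
    that arrives any other way, including over the public S3 endpoint."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowViaInterfaceEndpoint",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                "Resource": resources,
                "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}},
            },
            {
                "Sid": "DenyEverythingElse",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
        ],
    }


def policy_json(policy: dict) -> str:
    """Serialise the policy the way it would be pasted into the S3 console."""
    return json.dumps(policy, indent=2)


def _glob(pattern: str, value: str) -> bool:
    # Only the trailing-'*' form is needed for the patterns used above.
    return value.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == value


def _matches(statement: dict, action: str, resource: str, ctx: dict) -> bool:
    """Does this statement apply to the request? Principal '*' always matches."""
    actions = statement["Action"]
    actions = actions if isinstance(actions, list) else [actions]
    if not any(_glob(a, action) for a in actions):
        return False
    if not any(_glob(r, resource) for r in statement["Resource"]):
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            # IAM semantics for an absent key: StringEquals fails, StringNotEquals passes,
            # which is exactly why a request from the internet hits the Deny statement.
            actual = ctx.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, request_context: dict) -> str:
    """Simplified IAM decision: any matching Deny wins, then Allow, else ImplicitDeny."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if _matches(statement, action, resource, request_context):
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, VPCE_ID)
    print(policy_json(policy))
    obj = f"arn:aws:s3:::{BUCKET}/foldername/app.log"
    for label, ctx in [("via VPCe", {"aws:SourceVpce": VPCE_ID}),
                       ("public endpoint", {}),
                       ("other VPCe", {"aws:SourceVpce": "vpce-0other"})]:
        print(f"{label:16} PutObject -> {evaluate(policy, 's3:PutObject', obj, ctx)}")
```

Note that the Deny statement is what makes the bucket "dark": a caller holding valid IAM credentials is still refused unless its request entered through the listed endpoint, and an action outside the Allow list (for example s3:DeleteObject) is implicitly denied even through the endpoint.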

Setting Up S3 Access

Securely set up your S3 bucket by creating it as private, configuring an interface VPC endpoint, and applying a bucket policy that restricts access to authorized services only.

Deploying NetFoundry Edge Router

Set up the NetFoundry edge router as your WAN gateway within the same VPC as your interface VPC endpoint, ensuring secure access to your S3 bucket.

Spin up a NetFoundry edge router in AWS

The NetFoundry edge router is the WAN gateway in the VPC that lets you reach the S3 bucket via the VPC endpoint over a private and secure zero trust overlay. The edge router (ER) is deployed on an EC2 instance; you can also deploy it in a container.

Follow the instructions to spin up the NetFoundry edge router in AWS from the AWS Marketplace. The router must be spun up in the same VPC as your interface VPC endpoint, or have reachability to the VPC endpoint if it is spun up in a different VPC.

The router should show as registered and online once provisioned successfully.

[Image: Spin-Up Edge Router]

Create your identity, service and service policy

  • You can access your S3 bucket either through the NetFoundry endpoint software on your laptop or through the Ziti Python SDK embedded in the application that needs access to the S3 bucket.
    • Create an identity for each access path: one for the NetFoundry Ziti Python SDK and one for the Ziti Desktop Edge.
    • Create your service for accessing the S3 bucket via the interface VPC endpoint. The following URL is used for private access to S3 buckets associated with the interface VPC endpoint from the boto3 S3 client imported in the Python program:

https://sdktestingwithboto3.vpce-0db2ff4e77e2622ba-uf7ato7f.s3.ap-southeast-1.vpce.amazonaws.com

  • From the laptop running Ziti Desktop Edge, the following URL is used to access the object netfoundry.jpg:

https://sdktestingwithboto3.s3.ap-southeast-1.amazonaws.com/netfoundry.jpg

[Image: Creating Your Identity, Service and Service Policy]

The service is configured with a “wildcard” domain name using the DNS name of the interface VPC endpoint, and with the private IP address attached to the elastic network interface (ENI).

The identity is that of the customer edge router that was provisioned in AWS from the marketplace.

Port 443 has been selected for private access within the VPC via the interface VPC endpoint.

[Image: Edit Service Details]

Create a service policy to allow the identities for devices or the router identity deployed in your factory or site to access the S3 bucket over the highly secure NetFoundry cloud network.

The service policy that allows identities to access the S3 bucket has been created as shown below:

[Image: Create Your Service Policy]

Accessing S3 with NetFoundry

Access your S3 bucket securely using the NetFoundry Ziti SDK or the Ziti Desktop Edge.

Secure S3 Access

Easily access AWS S3 private buckets using Python with the Ziti SDK. Download the demo program to generate log files and upload them securely over the NetFoundry Cloud network. Start by enrolling your identity and running the provided commands.

Accessing S3 bucket and objects using a Boto3 client + Ziti Python SDK over the NetFoundry Cloud

Download the demo Python program, which imports AWS’s boto3 and the Ziti SDK to access the private bucket over Ziti. The program generates log files, creates a folder in the S3 bucket, and uploads the log files to that folder over the NetFoundry Cloud network.

https://github.com/openziti-test-kitchen/boto-demo/tree/main

Use the following command to run the Python program. You can run export ZITI_LOG=4 beforehand to view the SDK logs:

python boto-demo-main/s3z/s3z.py \
  --ziti-identity-file "/d/S3/identityname.json" \
  --bucket-name "sdktestingwithboto3" \
  --bucket-endpoint "https://bucket.vpce-0db2ff4e77e2622ba-uf7ato7f.s3.ap-southeast-1.vpce.amazonaws.com" \
  --push-log-dir "logs" \
  --object-prefix "foldername"

identityname.json is the JSON file of the identity that is registered with the NetFoundry network.

To enroll the JWT obtained from the console and generate the JSON identity file:

python -m openziti enroll --jwt identityname.jwt --identity identityname.json

https://github.com/openziti/ziti-sdk-py/blob/main/sample/README.md#get-and-enroll-an-identity

The bucket name is the name of your S3 bucket.

The bucket-endpoint is the DNS of the S3 VPC endpoint prefixed with your bucket name.

The object-prefix is the name of the folder you want to create in S3.
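As an added example (not the s3z.py program from the openziti-test-kitchen repository linked above), the following Python shows the shape of such a log pusher: it generates a few constructed log files, maps each one to `<object-prefix>/<filename>` so that S3 shows the prefix as a folder, and uploads them through an S3 client that is passed in, which lets the offline run use a recording stand-in instead of AWS. `make_ziti_s3_client` shows the real wiring, where boto3's `endpoint_url` is pinned to the bucket endpoint from the command above and the socket layer is routed through the enrolled Ziti identity; the `openziti.load()` / `openziti.monkeypatch()` calls there are assumed from the SDK's sample usage and are not exercised offline.

```python
"""Log pusher skeleton: generate logs, upload them under an object prefix to a
private bucket reached through the interface VPC endpoint.  Added example."""
import tempfile
from datetime import datetime, timezone
from pathlib import Path

BUCKET_NAME = "sdktestingwithboto3"   # bucket name from the guide
BUCKET_ENDPOINT = (                   # --bucket-endpoint value from the guide's command
    "https://bucket.vpce-0db2ff4e77e2622ba-uf7ato7f.s3.ap-southeast-1.vpce.amazonaws.com"
)


def write_sample_logs(log_dir: Path, count: int = 3) -> list:
    """The demo's 'generate logfiles' step with constructed content and a
    fixed timestamp so the output is reproducible."""
    log_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime(2024, 10, 18, 13, 49, tzinfo=timezone.utc).isoformat()
    written = []
    for i in range(count):
        path = log_dir / f"app-{i:03d}.log"
        path.write_text(f"{stamp} INFO constructed sample log line {i}\n")
        written.append(path)
    return written


def object_key(prefix: str, filename: str) -> str:
    """Map a local file name to '<prefix>/<filename>' (the S3 'folder')."""
    return f"{prefix.strip('/')}/{filename}"


def push_logs(s3_client, bucket: str, log_dir: Path, prefix: str) -> list:
    """Upload every *.log file in log_dir.  s3_client is anything with boto3's
    put_object(Bucket=, Key=, Body=) signature, so a fake works offline."""
    keys = []
    for path in sorted(log_dir.glob("*.log")):
        key = object_key(prefix, path.name)
        with path.open("rb") as body:
            s3_client.put_object(Bucket=bucket, Key=key, Body=body)
        keys.append(key)
    return keys


def make_ziti_s3_client(identity_file: str, bucket_endpoint: str = BUCKET_ENDPOINT):
    """Real client for the overlay.  Assumption: openziti exposes load() and
    monkeypatch() as in the SDK samples; once the socket layer is patched the
    TLS connection boto3 opens to the VPC endpoint DNS name travels over Ziti."""
    import boto3      # imported here so the offline demo has no AWS dependency
    import openziti

    openziti.load(identity_file)
    openziti.monkeypatch()
    return boto3.client("s3", endpoint_url=bucket_endpoint)


class RecordingS3Client:
    """Offline stand-in for boto3's S3 client: records uploads instead of sending."""

    def __init__(self):
        self.uploads = {}

    def put_object(self, Bucket, Key, Body):
        self.uploads[f"{Bucket}/{Key}"] = Body.read()


def demo(prefix: str = "foldername") -> dict:
    """Run the whole flow offline and return {bucket/key: bytes} that was 'uploaded'."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = Path(tmp) / "logs"
        write_sample_logs(log_dir)
        client = RecordingS3Client()
        push_logs(client, BUCKET_NAME, log_dir, prefix)
        return client.uploads


if __name__ == "__main__":
    for key in demo():
        print("uploaded", key)
```

Because the client is injected, the same `push_logs` runs unchanged against `make_ziti_s3_client("identityname.json")` in production and against the recorder in tests, which is also a convenient place to assert that nothing outside the intended prefix is ever written.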

Once you run the Python program, you should see output like the following:

[Image: Python Program Output]

The folder is created in your S3 bucket:

[Image: S3 Bucket]

And the log files are uploaded into the folder:

[Image: Log Files]

Accessing S3 bucket and objects using a Ziti desktop edge over the NetFoundry Cloud

Install the desktop edge based on the OS of your device: https://netfoundry.io/downloads/ 

You’ll find the installation instructions for the endpoints in the respective sections.

Register your identity to the network from your endpoint software. 

With the required service policy in place, you should see the S3 service listed on your endpoint.

[Image: Listed S3 Service]

Access the S3 object from your device over the NetFoundry network:

[Image: Access S3 Object]

Unlock S3 Connectivity

Install the desktop edge for your OS and gain seamless access to S3 objects via the NetFoundry network. Register your identity and follow the instructions to begin.

AWS Zero Trust Security

Adopt AWS Zero Trust to enhance your cloud security, prevent unauthorized access, and protect your applications and data in a complex digital landscape.

Conclusion: The Power of AWS Zero Trust

Incorporating AWS Zero Trust principles into your cloud infrastructure ensures that your systems are protected by advanced, modern security measures. By embedding zero trust connectivity, organizations can prevent unauthorized access and reduce the risk of security breaches, all while maintaining seamless operations. AWS Zero Trust empowers businesses to secure their applications, data, and users in an increasingly complex digital landscape.
