Category Archive - AppNets - NetFoundry
https://netfoundry.io/category/appnets/

Why Zero Trust VPNs Fall Short: A Look Beyond Traditional Security
https://netfoundry.io/appnets/why-zero-trust-vpns-fall-short-a-look-beyond-traditional-security/
Thu, 03 Oct 2024

The post Why Zero Trust VPNs Fall Short: A Look Beyond Traditional Security appeared first on NetFoundry.

In today’s rapidly evolving cybersecurity landscape, traditional VPNs are increasingly scrutinized for their inability to meet modern security demands. While VPNs have long been the standard solution for secure remote access, they are fundamentally flawed when viewed through the lens of Zero Trust principles. This article explores the limitations of conventional VPNs and highlights the need for more secure alternatives like NetFoundry’s Zero Trust connectivity based on the Ziti Platform and AppNets.

Why VPNs Can Be Attractive

Traditional VPNs start with the assumption that once a user is authenticated, they can be trusted with access to the entire network. That flat, network-wide trust is exactly what makes VPNs attractive for organizations looking to get started quickly: one gateway, one credential, and every internal resource is reachable. The ease of initial setup and the perception of enhanced security make VPNs an appealing choice for many.

Some proponents argue that VPNs can be configured to support core Zero Trust principles: reducing lateral movement through network segmentation, limiting access to specific IPs and ports using Access Control Lists (ACLs), and auditing access through detailed logging. These configurations are possible, but they authorize by network address rather than by the identity behind a session, and they introduce significant complexity and management overhead.

The Problem with Traditional VPNs

Traditional VPNs operate under an "authenticate once, then trust" model: once a user is authenticated at the gateway, they are granted broad access to the network for the life of the tunnel. This contradicts the core philosophy of Zero Trust, which calls for continuous verification of every user and device, regardless of their location or network.

Over-Privileged Access: VPNs typically grant users broad access to an organization's network. Once inside, users can potentially move laterally across the network, increasing the risk of data breaches if their credentials or their device are compromised.

Lack of Granular Control: Traditional VPNs often lack the capability to enforce strict access controls on a per-application or per-user basis, making it difficult to apply the principle of least privilege.

Centralized Points of Failure: VPNs rely on centralized gateways, which can become bottlenecks and single points of failure. The gateway must also accept unauthenticated inbound connections from the Internet, so a vulnerability in it exposes the entire network behind it.

Performance Issues: As remote work becomes the norm, the performance limitations of traditional VPNs are becoming more apparent. VPNs can introduce latency, especially when handling large-scale, distributed environments.

Managing VPN Pitfalls is a Nightmare

While it’s true that some common VPN pitfalls can be mitigated by highly knowledgeable operators or architects, the reality is far more challenging. VPNs are often the most common network access solution because they are heavily marketed, familiar to users, and perceived as “good enough.” However, a “good enough” mentality won’t lead you to a secure Zero Trust environment.

Configuring a VPN to mitigate its inherent issues quickly becomes expensive and unwieldy. For instance, managing a VPN per customer or use case, particularly in complex environments like connected products or remote support, quickly spirals into an administrative nightmare.

A real-world example illustrates this point: a company providing remote service and support for connected products initially used multiple VPNs to address connectivity. Before long, the number of support tickets relating to VPN issues dramatically outpaced those for their actual products. This situation is far too common and highlights the need for a more sustainable and secure approach—like NetFoundry’s AppNets.

Why Even Zero Trust VPNs May Not Be Enough

A Zero Trust VPN is a virtual private network that enforces continuous verification of every user and device, ensuring that no implicit trust is granted and that network access is restricted to only the necessary resources, aligning with Zero Trust principles. While Zero Trust VPNs are a significant improvement over traditional VPNs, they may still fall short in protecting against today’s sophisticated cyber threats. By design, VPNs create a tunnel that often provides access to broader network segments than is ideal in a Zero Trust environment. This can still expose organizations to risks such as lateral movement and network-wide vulnerabilities.

Residual Risk of Over-Privileged Access: Even with Zero Trust principles applied, VPNs can inadvertently provide more access than necessary, leading to potential exploitation.

VPNs and Microsegmentation Challenges: Microsegmentation is difficult to achieve with VPNs, as they are not inherently designed to limit access to specific applications or services, which is critical for minimizing attack surfaces.

Dependence on Network Perimeters: VPNs, by their nature, still depend on a network perimeter that, once breached, can expose the entire connected environment.

A Better Approach: NetFoundry’s Ziti AppNets with Microsegmentation

For organizations seeking a more secure and robust solution, NetFoundry’s Ziti Platform offers a superior alternative. Unlike VPNs, the Ziti platform is designed from the ground up with Zero Trust and microsegmentation at its core.

Granular Access Control with Microsegmentation: The Ziti platform allows for precise, application-specific access control, ensuring that users can only access the exact resources they need, with no ability to move laterally across the network.

No Dependence on Network Perimeters: By embedding Zero Trust directly into applications (networking-as-code), Ziti eliminates the need for traditional network perimeters, significantly reducing the attack surface.

Enhanced Security through End-to-End Encryption: Ziti encrypts all data end-to-end between the communicating endpoints, not just hop-by-hop to a gateway, so no traffic is ever in the clear on the underlay even when a sophisticated attacker sits in the path.

AppNets: Revolutionizing Connectivity

AppNets take this a step further by eliminating traditional network connections altogether. Instead of securing network connections, AppNets focus on securing specific sessions, drastically reducing the attack surface and eliminating the risks associated with traditional VPNs.

Conclusion: The Future of Secure Connectivity

As cyber threats continue to evolve, so too must the tools we use to defend against them. While traditional VPNs, and even some Zero Trust VPNs, offer a degree of security, they fall short in providing the granular control and security needed in today’s environment. NetFoundry’s Ziti platform, with its focus on microsegmentation and networking-as-code, and the innovative AppNets, represent the future of secure connectivity. These technologies enable organizations to build networks that are truly secure, resilient, and aligned with Zero Trust principles, moving beyond the limitations of VPNs and toward a more secure digital future.

AppNets
https://netfoundry.io/appnets/appnets/
Wed, 25 Sep 2024

The post AppNets appeared first on NetFoundry.


No More Network Connections

Network connections have traditionally been both essential and risky, serving as gateways for cyber-attacks. NetFoundry's AppNets change the model by removing inbound network connections to protected assets altogether: an attacker cannot reach a server across the network when nothing on that server is listening on the underlay. Zero trust microsegmentation is the key.

Network Connections, A Double-Edged Sword

Network connections make our digital world go round. Unfortunately, those same connections are the tools cyber-attackers use. Historically we accepted that risk in exchange for the benefits because we had no choice. Until now. Rather than trying to make network connections 'secure' after the fact, AppNets remove the inbound connection entirely and instead connect specific, authorized sessions without exposing the network. AppNets are essentially NetFoundry's implementation of zero trust microsegmentation.

What are AppNets?

AppNets connect authorized sessions. AppNets enable us to close all our inbound network ports, so attackers can't use those networks to reach our critical assets. The underlay networks no longer control access to our APIs, applications, workloads and data. For example, an attacker can steal privileged account credentials, but can't use them from anywhere that isn't an authorized AppNet endpoint, because there is no network path to the server. It doesn't matter whether the attacker is inside our WAN or attacking from the Internet; there are no inbound network connections to the server.

How AppNets work – design principles

If the underlay networks can no longer reach our software, what connects authorized sessions? The AppNet does, and it is built on three design principles:

  1. Simple
    The usual tug-of-war between security and simplicity is a game in which nobody wins. Complexity is both anti-adoption and anti-security. AppNets are simple to use, manage, extend and scale. 
  2. Secure by design
    Day two security is often a day late. Bolting on security to inherently insecure networks is ineffective, expensive and complex. AppNets build security into the actual network rather than trying to bolt it on – AppNets are secure by design.
  3. Reliable and performant
    It is very difficult to get top tier reliability and performance if you don’t control the entire network. Rather than delegate transport to BGP (Border Gateway Protocol), Internet or WANs, AppNets provide end-to-end, full mesh overlay networks.

The Simplicity Of AppNets 

  • AppNets are very difficult to access for unauthorized users, but simple to access for authorized users. “Users” includes humans, OT machines, PLCs, firewalls, APIs, servers, field IoT devices, etc. The security section below describes how this works. AppNets can be spun up (and down) in minutes, similar to spinning up virtual machines.
  • Admins control AppNets as software. This enables simple, centralized management, orchestration, identities and policies. The end-to-end network enables controls, telemetry and reporting. AppNets are independent of underlying networks, infrastructure, edges or clouds. AppNet overlay networks can be managed by administrators, or administrators can use NetFoundry’s NaaS services in a private SaaS deployment model (the networks are private and dedicated to each administrator).
  • AppNets go anywhere. By going anywhere, for any use case, AppNets provide administrators with flexibility, and the ability to meet the constraints of any environment. The endpoints of an AppNet can extend all the way into an application (agentless, via NetFoundry SDKs). AppNet endpoints also include OT devices, PLCs, firewalls, browsers, edge servers and reverse proxies. Finally, AppNet endpoints can be installed as host-based agents, gateways, virtual machines or containers for every modern OS, including mobile. In all these cases, the AppNets work for any use case.

AppNets Are Secure By Design

  • AppNets provide built-in security. AppNets bake identity, authentication and application-level authorization into the network. This by itself is game changing – the network itself knows if a given session is authorized – not at the endpoint level, but at the session level. AppNets include identities, MFA, posture checks, PKI, enrollment, policy and private DNS. Encryption is end-to-end with the key sovereign to the endpoints, and every link is mTLS. Third-party CAs, identities, directories and policy solutions can optionally be used.
  • AppNets move PEP timing and location. AppNets move the policy enforcement point (PEP) to data initiation: an endpoint is authorized for a specific session before it is granted permission to use an AppNet for that session. The AppNet can do this because it knows application-level permissions. A network that only sees IP addresses and headers cannot, so it delegates the final authorization step to an application, web or API server deep inside the network; when that final step is compromised, so is the network.
  • AppNets are session-level microsegmented. A compromised endpoint on an AppNet can reach only the services its policies authorize, so the attacker cannot move laterally through your network. Just about every attack uses the network for lateral movement: to get to the servers with the valuable data, to exfiltrate the data, to 'phone home' for instructions or to load more software. AppNets remove that path.
  • AppNets are one-way streets. Authorized AppNet endpoints open sessions towards the AppNet (outbound from their network). This enables firewalls and servers to deny all inbound sessions, drastically reducing the attack surface. Although inbound is denied everywhere, sessions remain full duplex and the server side can still initiate sessions (remote access, OTA updates, etc.), because the AppNet overlay routers join both sides of the session; each side has dialed outbound from its own network into the private AppNet.
  • AppNet endpoints within an enterprise network are microsegmented vaults. Even if the endpoint itself is compromised (harder, since it isn't exposed to the underlay networks attackers usually arrive on, though a malicious payload or a compromised software supply chain can still land on it), the attacker still can't get out of the vault to attack laterally: the vault has no access to the enterprise network beyond the sessions its policies authorize.
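To make the "one-way street" concrete, here is an added toy model of the rendezvous pattern (not NetFoundry or OpenZiti code): a service host and a client both dial outbound to an overlay router, the router joins the two outbound connections, and the host never opens a listening port, so its firewall can drop every inbound packet while the session is still full duplex. The BIND/DIAL line protocol, the router and the uppercase echo "application" are constructed for this illustration.

```python
"""Toy rendezvous router: both endpoints dial OUT, the router splices them.
Constructed example, not NetFoundry/OpenZiti code; the BIND/DIAL line
protocol and the uppercase echo service are assumptions for this illustration."""
import socket
import threading


def recv_line(conn):
    """Read one newline-terminated control line byte by byte (no over-read)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace").strip()


def pump(src, dst):
    """Copy src -> dst in a thread; forward EOF as a half-close, never close."""
    def run():
        try:
            while data := src.recv(4096):
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass
    threading.Thread(target=run, daemon=True).start()


class RendezvousRouter:
    """Hosts register with 'BIND <service>'; clients send 'DIAL <service>'.
    Both connections are outbound from their own networks, so neither side
    needs an open inbound port; the router joins the two sockets."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))      # ephemeral port for the demo
        self.sock.listen()
        self.port = self.sock.getsockname()[1]
        self.bound = {}                       # service -> waiting host socket
        self.lock = threading.Lock()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        verb, _, service = recv_line(conn).partition(" ")
        if verb == "BIND":
            with self.lock:
                self.bound[service] = conn
            conn.sendall(b"BOUND\n")          # host now waits for a dial
        elif verb == "DIAL":
            with self.lock:
                host = self.bound.pop(service, None)  # one session per BIND here
            if host is None:
                conn.sendall(b"ERR no host bound\n")
                conn.close()
                return
            conn.sendall(b"OK\n")
            pump(conn, host)                  # client -> host
            pump(host, conn)                  # host -> client
        else:
            conn.close()


def run_host(router_port, service):
    """Service host: ONE outbound connection and no listening socket at all,
    so the host's firewall can deny every inbound packet."""
    s = socket.create_connection(("127.0.0.1", router_port))
    s.sendall(f"BIND {service}\n".encode())
    if recv_line(s) != "BOUND":
        s.close()
        return False

    def serve():
        while data := s.recv(4096):
            s.sendall(data.upper())           # the 'application': uppercase echo
        s.close()
    threading.Thread(target=serve, daemon=True).start()
    return True


def client_request(router_port, service, payload):
    """Dial the service via the router; return the response, or None when no
    host is bound (the client never learns any host address at all)."""
    s = socket.create_connection(("127.0.0.1", router_port))
    s.sendall(f"DIAL {service}\n".encode())
    if recv_line(s) != "OK":
        s.close()
        return None
    s.sendall(payload)
    s.shutdown(socket.SHUT_WR)                # half-close: done sending
    out = b""
    while data := s.recv(4096):
        out += data
    s.close()
    return out


if __name__ == "__main__":
    r = RendezvousRouter()
    run_host(r.port, "echo-upper")
    print(client_request(r.port, "echo-upper", b"hello appnet"))
```

The point to notice is that the host process contains no `listen()` call: the only socket it owns was opened outbound, so a stateful firewall in front of it can keep a deny-all inbound rule and the service still answers. A production overlay keeps the host's control connection alive and multiplexes many sessions over it, authenticates both dials with mTLS, and checks policy before splicing; the toy keeps one session per BIND to stay short.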

AppNets Are Reliable, Resilient And Performant

  • AppNets are end-to-end. AppNets include the endpoints and a dedicated overlay network in the middle. The dedicated overlay network provides you with end-to-end control, telemetry, performance, resiliency, security and latency minimization. All sessions are end-to-end encrypted, with the keys sovereign to the endpoints, with all links mutual TLS (mTLS).
  • AppNets are self-healing. AppNets run on the NetFoundry Fabric, a zero trust overlay mesh architecture that creates a robust, self-healing, and dynamically routed network over the world’s best tier one backbones. It ensures high-performance connectivity by routing data through optimal paths.
  • AppNets provide visibility, controls and telemetry. By controlling the end-to-end path, and by combining ‘SD-WAN’ and ‘ZTNA’ into one holistic solution, administrators get the marriage of application-level and network-level telemetry data and controls.

Reimagining Secure Networking and Connectivity

By eliminating traditional inbound network connections, AppNets address the network reachability that just about every cyberattack depends on for initial access, lateral movement and exfiltration. By replacing network connections with secure, session-specific connectivity for authorized sessions, AppNets drastically reduce the attack surface and the blast radius of a compromise. Removing the network path protects critical assets and data from both internal and external threats, and applies to any type of use case, from OT to IIoT to IT to cloud.

The simplicity and flexibility of AppNets enable easy, software-only deployments and centralized management. The operational complexity and cost of trying to manage inherently insecure network connections with bolted-on security is eliminated.

Additionally, AppNets improve reliability and performance through a programmable, full mesh, global overlay, with real-time routing algorithms choosing the best paths automatically, for each session, across the world’s top backbones. As the overlay is all software, they can even be deployed in air gapped environments.

AppNets 101: What Is Overlay Networking and Zero Trust Microsegmentation
https://netfoundry.io/appnets/appnets-101-what-is-overlay-networking-and-zero-trust-microsegmentation/
Mon, 08 Jul 2024

The post AppNets 101: What Is Overlay Networking and Zero Trust Microsegmentation appeared first on NetFoundry.

You may have noticed that here at NetFoundry, we talk a lot about AppNets(TM). Thanks to the miracle of overlay networking, just about every time you see our name, we tell you how you can use our orchestration tools to spin up AppNets in minutes. So, what exactly are AppNets?

AppNets are software-defined encrypted overlays created using the NetFoundry Console, command-line interface, or APIs that define how endpoints are permitted to access services (such as applications) across the Internet and/or existing private networks like MPLS.

Clear as mud, right? Let's take a step back...

What is Overlay Networking?

Overlay networking is a method of using software to create layers of network abstraction that can be used to run multiple separate, discrete virtualized network layers on top of a physical network, providing new applications or security benefits. One major benefit of NetFoundry's overlays (AppNets) is that since they're abstracted above the infrastructure, they're completely service-provider agnostic. Overlay networks also add layers of security and isolation when you're working over the Internet, in public clouds, or in shared environments.

SDxCentral describes it best: One way to conceptualize an overlay is to think of it as endpoints designated by an identification tag or number, somewhat like the phone system. A device can be located simply by knowing its identification tag or number in the networking system. In a traditional physical network, such as the original phone system, the phone number was used to locate a specific physical device hard-wired onto a network. However, in the modern phone system, a phone number can become "virtualized" – that is, assigned to devices or software, or programmed to follow the user. This is a form of virtualization or overlay.

AppNets and Zero Trust Microsegmentation

An AppNet is a software-defined segment of a Ziti overlay network dedicated to a specific application, with access defined by a unique set of Identities, Services, and Policies. In the zero trust realm, this is called microsegmentation.

Everything NetFoundry does starts with zero trust, including applying the fundamentals of application microsegmentation.

Application-centric networking is a key concept of NetFoundry. Each AppNet focuses on the connectivity needs of specific applications rather than the entire network infrastructure. This approach ensures that each application receives the network performance, security, and compliance it requires.

NetFoundry also ensures isolation and segmentation. Each AppNet is isolated from other networks, providing an extra layer of security by segmenting networks on a per-application basis. A threat that lands in one AppNet has no network path into another, which removes the lateral movement that most attacks depend on.

Here are some key aspects of an AppNet:

• Virtualized Networking: The AppNet uses an overlay network to create virtual connections between devices or services, independent of the underlying physical network. This allows for a flexible, software-defined approach to networking.
• Application-Centric Zero Trust Microsegmentation: The AppNet is designed with an application-centric approach, which means it focuses on establishing secure connections between specific applications or services rather than relying on traditional network-based models.
• Zero Trust Security: An AppNet follows the zero trust security model, which means that it authenticates and authorizes each connection based on identity, reducing the risk of unauthorized access.
• Overlay Networking: The AppNet forms an overlay network on top of existing network infrastructures. This allows it to manage connections and enforce security policies without requiring changes to the underlying physical networks.
• Dynamic & Programmable: An AppNet is dynamic and programmable, allowing organizations to create, manage, and modify network configurations and policies in real time. This flexibility enables quick responses to changing business needs.
• Encrypted Communication: An AppNet ensures that all communications are encrypted end-to-end, providing robust security for data in transit.
• Endpoint Agnostic: An AppNet is created when an endpoint or group of endpoints (which can be any combination of servers, virtual gateways, virtual machines, IoT devices, smartphones, laptops, etc.) is assigned permission to access a set of services (applications).

As you can see, NetFoundry's AppNet is a secure, dynamic, and programmable network designed to connect applications directly, improving security and operational flexibility. An AppNet is the fundamental NetFoundry building block for application-centric networking, using endpoint identities to define how endpoints are permitted to access services and applications.
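The Identities, Services and Policies model described above, together with the "authorize at data initiation" enforcement point from the AppNets post in this archive, as an added toy evaluator (not NetFoundry or OpenZiti code): role-attribute selectors match identities and services to Dial (may connect) or Bind (may host) policies, a policy can require posture checks, and anything that matches no policy is refused before any session exists. The '#role' / '@name' selector syntax, the posture attributes and every sample identity, service and policy are assumptions constructed for the example.

```python
"""Toy AppNet policy evaluator: identity + service + policy decides whether a
session may be opened at all. Constructed example, not NetFoundry/OpenZiti
code; the '#role' / '@name' selector syntax, the posture attributes and all
sample objects are assumptions for this illustration."""
from dataclasses import dataclass


@dataclass
class Identity:
    name: str
    roles: frozenset            # role attributes, e.g. {"support"}
    posture: dict               # facts reported by the endpoint, e.g. {"mfa": True}


@dataclass
class Service:
    name: str
    roles: frozenset


@dataclass
class Policy:
    name: str
    kind: str                   # "Dial": may connect to; "Bind": may host
    identity_roles: frozenset   # selectors: '#role', '@name' or '#all'
    service_roles: frozenset
    posture_checks: tuple = ()  # callables taking the identity's posture dict


def require_mfa(posture):
    return posture.get("mfa") is True


def selected(selectors, roles, name):
    """'#role' matches any object carrying that attribute, '@name' matches one
    object by name, '#all' matches everything."""
    return any(sel == "#all"
               or (sel.startswith("#") and sel[1:] in roles)
               or (sel.startswith("@") and sel[1:] == name)
               for sel in selectors)


class AppNet:
    def __init__(self, identities, services, policies):
        self.identities = {i.name: i for i in identities}   # enrolled identities only
        self.services = {s.name: s for s in services}
        self.policies = policies

    def authorize(self, identity_name, service_name, kind="Dial"):
        """Decide BEFORE any session exists. Deny by default: an unenrolled
        identity, an unknown service or no matching policy all refuse, and the
        service host is never touched. Returns (allowed, reason)."""
        ident = self.identities.get(identity_name)
        if ident is None:
            return False, "not an enrolled identity"   # stolen password, no identity
        svc = self.services.get(service_name)
        if svc is None:
            return False, "unknown service"
        posture_failures = []
        for p in self.policies:
            if p.kind != kind:
                continue
            if not selected(p.identity_roles, ident.roles, ident.name):
                continue
            if not selected(p.service_roles, svc.roles, svc.name):
                continue
            failed = [c.__name__ for c in p.posture_checks if not c(ident.posture)]
            if failed:
                posture_failures.append(f"{p.name}: {', '.join(failed)}")
                continue
            return True, p.name
        if posture_failures:
            return False, "posture failed (" + "; ".join(posture_failures) + ")"
        return False, "no matching policy"

    def reachable(self, identity_name):
        """Everything this identity could dial: its lateral-movement surface."""
        return {s for s in self.services if self.authorize(identity_name, s)[0]}


def sample_network():
    identities = [
        Identity("field-tech-laptop", frozenset({"support"}), {"mfa": True}),
        Identity("contractor-laptop", frozenset({"support"}), {"mfa": False}),
        Identity("plc-gateway-7", frozenset({"plant-7"}), {}),
    ]
    services = [
        Service("plc-7-modbus", frozenset({"plant-7", "ot"})),
        Service("hr-portal", frozenset({"it"})),
    ]
    policies = [
        Policy("support-dials-plant7", "Dial", frozenset({"#support"}),
               frozenset({"#plant-7"}), (require_mfa,)),
        Policy("plant7-gateway-hosts", "Bind", frozenset({"#plant-7"}),
               frozenset({"#plant-7"})),
    ]
    return AppNet(identities, services, policies)


if __name__ == "__main__":
    net = sample_network()
    for who in ("field-tech-laptop", "contractor-laptop", "attacker-with-stolen-creds"):
        print(who, "-> plc-7-modbus:", net.authorize(who, "plc-7-modbus"))
```

Two things fall out of running it. An attacker holding a stolen password but no enrolled identity is refused before the service is consulted, which is the "stolen credentials, no network path" point made in the AppNets post. And `reachable()` is the honest statement of what a compromised endpoint could attack next: for the field technician's laptop it is one Modbus service, not the plant network, and for the PLC gateway it is nothing at all, because its only policy is a Bind.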

How B2B and IIoT Product Providers Use AppNets

In today's hyperconnected world, ensuring secure and efficient communication between devices and systems is paramount. This is particularly true for B2B and IIoT product providers who must navigate the complexities of secure networking in industrial environments. Here are some of the ways AppNets can be leveraged to embed secure connectivity in IIoT products.

1. Enhancing Security in Industrial Environments – Security is a top priority for B2B and IIoT product providers. AppNets provide a robust solution by allowing these providers to create secure overlay networks tailored to their products' specific needs. For instance, a product designer at an industrial equipment manufacturer can use an AppNet to securely connect its machinery across multiple factory floors, ensuring that data transmitted between machines is encrypted and protected from unauthorized access.
2. Simplifying Network Management – Managing a complex network of connected devices can be challenging. AppNets simplify this by abstracting the underlying network infrastructure, allowing product providers to manage their networks through a single, unified interface. This reduces the need for specialized network management skills and allows for quicker deployment and scaling of connected devices.
3. Embedding Secure Connectivity in Products – By embedding AppNets directly into their products, IIoT leaders can ensure that their devices are inherently secure, so that a device is part of a secure, managed network from the moment it is deployed. For example, a manufacturer of smart sensors can embed AppNet connectivity into each sensor, ensuring that collected data is securely transmitted back to a central system without the need for additional security layers.

How Do NetFoundry AppNets Work?

First, an administrator uses NetFoundry's web-based orchestration console and/or APIs to design and instantly deploy cloud-native, application-specific networks (AppNets). An AppNet is created when an endpoint or group of endpoints (which can be any combination of virtual gateways, virtual machines, IoT devices, smartphones, laptops, etc.) is assigned permission to access a set of services (applications). The console and APIs enable the administrator to enforce their policies, without needing to manage the infrastructure itself.

Each AppNet is managed by a NetFoundry controller, enabling the administrator to benefit from NetFoundry's network fabric without needing to manage the underlying network. Controllers interact with business and application systems such as IAM, IoT identity, and cloud policies to enable each AppNet to be programmatically controlled by the application contexts and needs.

NetFoundry's global network fabric and endpoint software enable secure, reliable networking from anywhere to anywhere. The endpoint software connects to the fabric from any Internet connection, extending each AppNet to the application edge. The software routes each session to the NetFoundry network fabric and adaptively manages the Quality of Experience (QoE) during each session.

What Else Can I Do With AppNets and Overlay Networking?

The sky's the limit. Since AppNet-based overlay networking is service-provider and infrastructure agnostic by design, there's not much stopping you from connecting the things you need to connect to the applications they need to access. Plus, since administrators can "spin up" AppNets from the console in minutes, you can extend the agility you demand from your DevOps teams to your network, opening up a whole new world of possibilities.

One of the most interesting use cases for AppNets is multi-cloud connectivity. AppNets designed for multi-cloud enable instant creation of cloud-to-cloud and cloud-to-edge private network fabrics over existing internet circuits.

The components within our orchestration console were designed to make building and augmenting AppNets for multi-cloud situations easy and seamless. For example, our virtual gateways, which connect your AppNets to cloud instances, come pre-built to integrate quickly and seamlessly with popular providers such as AWS, Microsoft Azure, Google Cloud Platform, and IBM Bluemix. They are also available as VMIs for ESXi 5.0 or greater for more custom deployments.

As a result, AppNets designed for multi-cloud connectivity make stubborn, legacy applications cloud-portable. They use a layered security architecture that isolates and protects data flows through data stream fragmentation (aggregation and disaggregation) and end-to-end encryption. The result is a private, dark, zero-trust network: nothing in it is reachable from the underlay, and only authorized identities can dial its services.

The best part is that you're not stuck connecting clouds. AppNets are incredibly agile and elastic, so you can connect any combination of endpoints, whether employee laptops or IoT devices, in any combination that works best, at application-level granularity.

To learn how to access our web console and start spinning up AppNets for your business, set up a free personalized demo or start a 30-day free trial.
