
Zero trust network access with NetFoundry

Raj Hindocha
ISV Cloud Architect

With the recent buzz around zero trust access, let's look at what this security model actually means.

What is zero trust access?

The Center for Internet Security (CIS) has been emphasizing an information security architectural shift toward "never trust, always verify" zero trust networking. Defenses shift from static, network-based perimeters to focus on users, assets, and resources.

NIST SP 800-207 defines zero trust as follows:

“Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.”

Oracle Cloud with NetFoundry

With the increased focus on zero trust architecture, Oracle is partnering with NetFoundry to help transform your network and lay the foundation for a long-term work-from-anywhere and zero trust networking strategy. To see how NetFoundry's zero trust access implementation maps to NIST SP 800-207, refer to this whitepaper.

As the extraordinary events of 2020 continue into 2021, NetFoundry continues to innovate for the enterprise of the future, with enhancements to its work-from-home platform and new solutions for connecting to Oracle Cloud Infrastructure (OCI). Your employees gain seamless connectivity to applications from anywhere, while you advance your overall security posture and embed security and performance into your company's core business applications. Policy-based access controls and micro-segmentation let you proactively manage every user connection, ensuring that employees, partners, and contractors can access only the resources they're entitled to and nothing else.

Because NetFoundry is delivered as a service, organizations can realize the agility and flexibility of zero trust network access in a fraction of the time and cost of implementing traditional VPNs or SD-WAN solutions. Ultimately, NetFoundry can transform your networking infrastructure and accelerate employee productivity as you move into this next phase. The NetFoundry software is published in the OCI Marketplace for easy deployment in any customer OCI region.

The following graphic shows a sample cloud VCN with NetFoundry:

A graphic depicting the architecture for deploying a cloud VCN with NetFoundry.

Deploy the NetFoundry software in OCI for cloud connectivity

Let's begin with a few simple use cases in which you can deploy a NetFoundry network for your business. Perhaps you're moving workloads into OCI from your data center or hosting provider and want a more secure, micro-segmented connectivity solution that traverses the public internet. In the past, you had two options: buy telco circuits such as MPLS (Multiprotocol Label Switching) or use a VPN solution.

With NetFoundry, you now have a third option: you can connect remote workers and customers to your OCI resources while applying policies that restrict application access by group of users or by application. Here, NetFoundry showcases the AppWAN, which, as an overlay network, can be provisioned in minutes.

AppWANs are software-defined, encrypted overlays created with the NetFoundry console, command-line interface, or APIs. They define which endpoints are permitted to reach which services, such as applications, across the internet and public LTE (APN) networks.

A graphic showing the three steps for deploying with NetFoundry AppWANs.

For more information on AppWANs and SDN overlay networking, see AppWAN 101: What is overlay networking?

Prerequisites

Remote worker and customer application access

NetFoundry's work-from-home VPN replacement has helped several organizations with a cost-effective, application-specific networking platform that is secure and performant. It keeps a remote workforce up and running in minutes without any hardware. It also segments company administrators, users, and customers so that each group can access only the applications permitted by its AppWAN policy. Connections can be deployed regardless of location and managed centrally. The solution is optimized for public cloud networking and easily connects to an organization's private cloud-hosted applications.

  1. In OCI, identify the applications and ports you want to expose, such as SSH or RDP for admins and HTTPS for users.

  2. In NetFoundry, create the network and a NetFoundry-hosted Edge Router, and set the Edge Router Policy.

  3. In the NetFoundry web console, create the customer-hosted Edge Router.

  4. From Oracle Cloud Marketplace, deploy that NetFoundry Edge Router in the same VCN or subnet as the target virtual machine (VM) or applications. If the boot script doesn't complete the registration, register the Edge Router from the CLI.

  5. In NetFoundry, create the endpoints and install the endpoint software on the client hosts (laptops).

  6. Create the Edge Router-hosted services for SSH, RDP, and HTTPS.

  7. Create one AppWAN that gives your admin endpoints the SSH and RDP services, and a separate AppWAN that gives your user or extranet endpoints the HTTPS service, so that each group of endpoints can reach only its own services.

A graphic depicting the architecture for connection remote users to OCI through NetFoundry SDN Network.

To deploy this use case in your Oracle Cloud tenancy, see this step-by-step guide.
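Once the two AppWANs exist, a practitioner wants a negative test as well as a positive one: from an enrolled user endpoint, the HTTPS service should be reachable, while the admin-only SSH and RDP services, and anything in the VCN that is not a defined service at all, should not be. The following Python script is an added example, not NetFoundry's or Oracle's code. It assumes the NetFoundry endpoint software is running on the laptop it is run from, and the hostnames, ports and expectations in USER_ENDPOINT_EXPECTATIONS are constructed placeholders to replace with the service addresses you configured.

```python
"""Check AppWAN micro-segmentation from an enrolled NetFoundry endpoint.

Added example, not NetFoundry or Oracle code. Assumes the NetFoundry endpoint
software is running on this host; hostnames and ports below are placeholders.
"""
import socket
from typing import Callable, Dict, Tuple

Target = Tuple[str, int]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.

    A name that no AppWAN service intercepts normally fails to resolve on the
    endpoint (gaierror), which is an OSError and so counts as unreachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_segmentation(expected: Dict[Target, bool],
                        probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[Target, str]:
    """Compare observed reachability with what the AppWAN policy should allow.

    Per target: 'ok' (matches policy), 'UNEXPECTED OPEN' (this endpoint reaches
    something its AppWAN should not grant: the policy is too broad or the
    endpoint is in the wrong AppWAN) or 'UNEXPECTED CLOSED' (a granted service
    is not reachable: intercept, Edge Router or host problem).
    """
    results: Dict[Target, str] = {}
    for (host, port), should_reach in expected.items():
        reached = probe(host, port)
        if reached == should_reach:
            results[(host, port)] = "ok"
        elif reached:
            results[(host, port)] = "UNEXPECTED OPEN"
        else:
            results[(host, port)] = "UNEXPECTED CLOSED"
    return results


def policy_violations(results: Dict[Target, str]) -> Dict[Target, str]:
    """Only the targets where observation and policy disagree."""
    return {target: verdict for target, verdict in results.items() if verdict != "ok"}


# Constructed expectations for a *user* endpoint whose AppWAN grants only the
# HTTPS service. Replace the names with the service addresses you configured.
USER_ENDPOINT_EXPECTATIONS: Dict[Target, bool] = {
    ("app.oci.internal", 443): True,    # HTTPS service in the user AppWAN
    ("app.oci.internal", 22): False,    # SSH service: admin AppWAN only
    ("app.oci.internal", 3389): False,  # RDP service: admin AppWAN only
    ("10.0.1.99", 22): False,           # another VM in the subnet, not a service at all
}

if __name__ == "__main__":
    results = verify_segmentation(USER_ENDPOINT_EXPECTATIONS)
    for (host, port), verdict in results.items():
        print(f"{host}:{port:<5} {verdict}")
    raise SystemExit(1 if policy_violations(results) else 0)
```

Run it once from a user laptop and again from an admin laptop with the admin expectations swapped in. An UNEXPECTED OPEN result is the finding to chase first, because it means an endpoint can reach more than its AppWAN was meant to grant.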

OCI Autonomous Database connectivity with NetFoundry

NetFoundry gives you a secure connection to a private endpoint in the VCN without exposing your database to the internet. A private endpoint is a network configuration for Autonomous Database on shared Exadata infrastructure in which all network traffic to the database moves through a private endpoint inside a VCN in your tenancy. If your organization's security mandates don't allow a public endpoint for your database, the private endpoint provides the connectivity you need. This configuration uses no public subnets and keeps all traffic to and from your Autonomous Database off the public internet. The following solution brief outlines how to configure NetFoundry networking to securely access Oracle Autonomous Database.

  1. In OCI, create your Autonomous Database with a private endpoint.

  2. In NetFoundry, create the network and a NetFoundry-hosted Edge Router, and set the Edge Router Policy.

  3. In the NetFoundry web console, create the customer-hosted Edge Router.

  4. From Oracle Cloud Marketplace, deploy that NetFoundry Edge Router in the same VCN or subnet as the Autonomous Database private endpoint. If the boot script doesn't complete the registration, register the Edge Router from the CLI.

  5. In NetFoundry, create the endpoint and install the endpoint software on the client host (laptop).

  6. Create the Edge Router-hosted service for your Autonomous Database.

  7. Create the AppWAN with your endpoints and the Autonomous Database service.

  8. In the Oracle Database client, test your connectivity to the database over NetFoundry.

A graphic depicting the architecture connecting your data center and remote users to Oracle Autonomous Database through NetFoundry SDN Network.

To deploy this use case in your Oracle Cloud tenancy, see this step-by-step guide.
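Before running step 8, it is worth confirming that the database name the client uses resolves to a private address (the NetFoundry intercept or the VCN private endpoint) rather than a globally routable one; if it resolves to a public address, the connection is going over the internet, not the overlay, whatever the AppWAN says. The following Python pre-flight check is an added example, not NetFoundry's or Oracle's code. It assumes the Autonomous Database private endpoint listens for TCPS on port 1522 (as the OCI documentation describes; adjust if yours differs), that python-oracledb is installed for the actual connection, and the hostname, service name, credentials and wallet path are placeholders.

```python
"""Pre-flight check for connecting to an Autonomous Database private endpoint
over NetFoundry: refuse to connect if the name resolves to a public address.

Added example, not NetFoundry or Oracle code. Hostnames, service name, user,
password and wallet location are placeholders.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Port the Autonomous Database private endpoint listens on for TCPS.
# Assumption taken from the OCI documentation; change it if your listener differs.
ADB_PRIVATE_PORT = 1522


def resolve_all(host: str) -> List[str]:
    """Every address the local resolver returns for host.

    With the NetFoundry endpoint software running, an intercepted service name
    resolves to an overlay address, never to the database's real IP.
    """
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_private_endpoint(host: str,
                           resolver: Callable[[str], List[str]] = resolve_all) -> Dict[str, object]:
    """Flag any globally routable address: traffic to it would bypass the overlay."""
    addresses = resolver(host)
    public = [a for a in addresses if ipaddress.ip_address(a).is_global]
    return {"host": host, "addresses": addresses, "public": public,
            "ok": bool(addresses) and not public}


def build_dsn(host: str, service_name: str, port: int = ADB_PRIVATE_PORT,
              wallet_location: Optional[str] = None) -> str:
    """Easy Connect Plus string for a TLS (TCPS) connection to the private endpoint.

    wallet_location is only needed when the database requires mutual TLS.
    """
    dsn = f"tcps://{host}:{port}/{service_name}"
    if wallet_location:
        dsn += f"?wallet_location={wallet_location}"
    return dsn


def connect_over_netfoundry(host: str, service_name: str, user: str, password: str,
                            wallet_location: Optional[str] = None):
    """Run the pre-flight check, then open the connection with python-oracledb."""
    pre = check_private_endpoint(host)
    if not pre["ok"]:
        raise RuntimeError(
            f"{host} resolves to {pre['addresses']}, public: {pre['public']}; "
            "this would not go over NetFoundry, check the service intercept")
    import oracledb  # imported lazily so the pre-flight check itself has no dependencies
    return oracledb.connect(user=user, password=password,
                            dsn=build_dsn(host, service_name, wallet_location=wallet_location))


if __name__ == "__main__":
    # Placeholder values: replace with the name you configured in the
    # Edge Router-hosted service and your database's service name.
    conn = connect_over_netfoundry("adb-private.example.internal", "adbdemo_high",
                                   "ADMIN", "<password>", "/opt/oracle/wallet")
    with conn.cursor() as cur:
        cur.execute("SELECT sys_context('USERENV', 'SERVER_HOST') FROM dual")
        print("connected via", cur.fetchone()[0])
```

The check uses `is_global` rather than `is_private` so that both VCN addresses (10.x.x.x) and overlay intercept addresses in non-global ranges pass, while any internet-routable address fails.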

Summary

The NetFoundry platform enables secure networking between any user and any app, regardless of where they are, including work-from-home VPN replacement and hybrid cloud integration. With this integration, companies can give remote users a modern replacement for VPNs that is simpler, more secure, zero trust, and higher performance. A VPN grants access to an entire network, but contractors, vendors, or remote workers might need access only to specific apps. NetFoundry's micro-segmentation provides private IP access only to the specific apps defined in an AppWAN, greatly strengthening security and compliance.

A graphic depicting how NetFoundry’s AppWANs restrict access to only users who need it.

A great way to test this process out yourself is with a 30-day free trial of Oracle Cloud Infrastructure, which includes US$300 in credit and our Always Free services.
