No More Network Connections
Network connections have traditionally been both essential and risky, serving as gateways for cyber-attacks. NetFoundry’s AppNets revolutionize security by eliminating network connections altogether – attackers can’t attack via the network because there is no longer a network connection. Zero trust microsegmentation is the key.
Network Connections, A Double-Edged Sword
Network connections make our digital world go round. Unfortunately, those network connections are used as tools by cyber-attackers. Historically, we have been forced to accept these risks in exchange for the benefits – we had no choice. Until now. NetFoundry’s AppNets enable us to eliminate network connections. AppNets don’t just try to make network connections ‘secure’ – that’s impossible – AppNets eliminate them altogether. Instead, we use AppNets to connect specific sessions – without exposing the network. AppNets are essentially NetFoundry’s implementation of zero trust microsegmentation.
What are AppNets?
AppNets connect authorized sessions. AppNets enable us to close all our inbound network ports such that attackers can’t use those networks to reach our critical assets. Those underlay networks no longer control access to our APIs, applications, workloads and data. For example, an attacker can steal privileged account credentials, but can’t use those credentials, because there is no network connection to the server. It doesn’t matter if the attacker is inside our WAN, or attacking from the Internet, there are no network connections to the server.
How AppNets work – design principles
If the underlay networks can no longer reach our software, what connects authorized sessions? AppNets connect authorized sessions. AppNets have three main design principles:
- Simple. The usual tug-of-war between security and simplicity is a game in which nobody wins. Complexity is both anti-adoption and anti-security. AppNets are simple to use, manage, extend and scale.
- Secure by design. Day two security is often a day late. Bolting security onto inherently insecure networks is ineffective, expensive and complex. AppNets build security into the network itself rather than trying to bolt it on – AppNets are secure by design.
- Reliable and performant. It is very difficult to get top tier reliability and performance if you don’t control the entire network. Rather than delegate transport to BGP (Border Gateway Protocol), the Internet or WANs, AppNets provide end-to-end, full mesh overlay networks.
The Simplicity Of AppNets
- AppNets are very difficult to access for unauthorized users, but simple to access for authorized users. “Users” includes humans, OT machines, PLCs, firewalls, APIs, servers, field IoT devices, etc. The security section below describes how this works. AppNets can be spun up (and down) in minutes, similar to spinning up virtual machines.
- Admins control AppNets as software. This enables simple, centralized management, orchestration, identities and policies. The end-to-end network enables controls, telemetry and reporting. AppNets are independent of underlying networks, infrastructure, edges or clouds. AppNet overlay networks can be managed by administrators, or administrators can use NetFoundry’s NaaS services in a private SaaS deployment model (the networks are private and dedicated to each administrator).
- AppNets go anywhere. By going anywhere, for any use case, AppNets provide administrators with flexibility, and the ability to meet the constraints of any environment. The endpoints of an AppNet can extend all the way into an application (agentless, via NetFoundry SDKs). AppNet endpoints also include OT devices, PLCs, firewalls, browsers, edge servers and reverse proxies. Finally, AppNet endpoints can be installed as host-based agents, gateways, virtual machines or containers for every modern OS, including mobile. In all these cases, the AppNets work for any use case.
AppNets Are Secure By Design
- AppNets provide built-in security. AppNets bake identity, authentication and application-level authorization into the network. This by itself is game changing – the network itself knows if a given session is authorized – not at the endpoint level, but at the session level. AppNets include identities, MFA, posture checks, PKI, enrollment, policy and private DNS. Encryption is end-to-end with the key sovereign to the endpoints, and every link is mTLS. Third-party CAs, identities, directories and policy solutions can optionally be used.
- AppNets move PEP timing and location. AppNets move the policy enforcement point (PEP) to data initiation: an endpoint must be authorized for a specific session before it is granted permission to use an AppNet for that session. The AppNet can do this because it knows application-level permissions. Networks that only see IP addresses and headers cannot, so they delegate the final authorization step to an application, web or API server deep inside the network, which is why the network is compromised when that final step is compromised.
- AppNets are session-level microsegmented. This means that a compromised AppNet doesn’t enable an attacker to move laterally through your network. Just about every attack uses the network for lateral movement – to get to the servers with the valuable data, to exfiltrate the data, to ‘phone home’ to get instructions or load more software, etc. AppNets eliminate this.
- AppNets are one-way streets. Authorized AppNet endpoints open sessions towards the AppNet (outbound from their network). This enables firewalls and servers to deny all inbound sessions, drastically reducing the attack surface. This data diode type approach still enables full duplex sessions and server-side initiated sessions (remote access, OTA updates, etc.) because the AppNets overlay routers join both sides of the session; both are outbound from their network towards the private AppNet.
- AppNet endpoints within an enterprise network are microsegmented vaults. Even if the endpoint itself was compromised (difficult since it isn’t exposed to the underlay networks which the attackers always use), the attacker still can’t get out of the vault to attack laterally – the vault doesn’t have any access to the enterprise network.
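The outbound-only, authorize-before-connect model described in the list above, as an added example that is not NetFoundry’s code: a toy Python overlay in which a single router is the only listening socket, both the hosting endpoint and the consuming endpoint dial out to it, and a policy check on identity and service runs before any bytes are relayed. The policy and enrollment tables, the service name `payroll-api`, the identities, the use of a shared token in place of an mTLS client certificate, and the `OverlayRouter`, `host_service`, `dial` and `demo` names are all constructed for this example.

```python
import json
import socket
import threading

# Constructed policy/enrollment tables; a token stands in for each endpoint's mTLS cert.
POLICY = {"payroll-api": {"bind": {"payroll-server"}, "dial": {"alice-laptop"}}}
IDENTITIES = {"alice-laptop": "tok-alice", "payroll-server": "tok-payroll", "mallory-box": "tok-mallory"}


def authorize(identity, token, action, service):
    """PEP at session initiation: authenticate, then check service-level policy."""
    if IDENTITIES.get(identity) != token:
        return False
    return identity in POLICY.get(service, {}).get(action, set())


def send(f, text):
    f.write(text + "\n")
    f.flush()


def hello(f, identity, token, action, service):
    send(f, json.dumps({"identity": identity, "token": token, "action": action, "service": service}))
    return f.readline().strip()


class OverlayRouter:
    """The only listening socket in the system; every endpoint dials OUT to it."""
    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        self.binders = {}  # service -> (socket, stream) of the endpoint hosting it
        self.lock = threading.Lock()  # serializes relays over one host's socket
        self.bound = threading.Event()  # set once a host has bound a service
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            threading.Thread(target=self._handle, args=(self.sock.accept()[0],), daemon=True).start()

    def _handle(self, conn):
        f = conn.makefile("rw")
        req = json.loads(f.readline() or "{}")
        if not (req and authorize(req["identity"], req["token"], req["action"], req["service"])):
            send(f, "DENY")  # refused at initiation: no data path is ever built
            conn.close()
            return
        if req["action"] == "bind":
            self.binders[req["service"]] = (conn, f)  # keep the host's outbound socket open
            send(f, "OK")
            self.bound.set()
            return
        binder = self.binders.get(req["service"])
        if binder is None:
            send(f, "NO_BINDER")
            conn.close()
            return
        send(f, "OK")
        request = f.readline()  # relay one request/response over the host's outbound socket
        with self.lock:
            binder[1].write(request)
            binder[1].flush()
            response = binder[1].readline()
        send(f, response.rstrip("\n"))
        conn.close()


def host_service(port, identity, token, service, handler):
    """Hosting endpoint: connects outbound and binds; it never calls listen()."""
    s = socket.create_connection(("127.0.0.1", port))
    f = s.makefile("rw")
    if hello(f, identity, token, "bind", service) == "OK":
        for line in iter(f.readline, ""):  # requests arrive over the socket it opened itself
            send(f, handler(line.rstrip("\n")))
    s.close()


def dial(port, identity, token, service, payload):
    """Consuming endpoint, also outbound-only: returns the reply or the router's verdict."""
    s = socket.create_connection(("127.0.0.1", port))
    f = s.makefile("rw")
    verdict = hello(f, identity, token, "dial", service)
    if verdict == "OK":
        send(f, payload)
        verdict = f.readline().strip()
    s.close()
    return verdict


def demo():
    """One router, one hosting endpoint, then an authorized and an unauthorized dial."""
    router = OverlayRouter()
    threading.Thread(target=host_service, daemon=True, args=(
        router.port, "payroll-server", "tok-payroll", "payroll-api", str.upper)).start()
    router.bound.wait(5)
    return {"authorized": dial(router.port, "alice-laptop", "tok-alice", "payroll-api", "hello"),
            "unauthorized": dial(router.port, "mallory-box", "tok-mallory", "payroll-api", "hello")}
```

Running `demo()` shows the two points the list makes: the hosting endpoint never calls `listen()`, so there is no inbound port on the server side for anyone to reach, and an enrolled identity that is not in the service’s dial policy is refused at initiation, before any data path exists, rather than after it has already reached the application. A real deployment would replace the token with mutual TLS on every link and keep the relay full duplex; the toy relays one request and one response per dial to keep the control flow readable.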
AppNets Are Reliable, Resilient And Performant
- AppNets are end-to-end. AppNets include the endpoints and a dedicated overlay network in the middle. The dedicated overlay network provides you with end-to-end control, telemetry, performance, resiliency, security and latency minimization. All sessions are end-to-end encrypted, with the keys sovereign to the endpoints, with all links mutual TLS (mTLS).
- AppNets are self-healing. AppNets run on the NetFoundry Fabric, a zero trust overlay mesh architecture that creates a robust, self-healing, and dynamically routed network over the world’s best tier one backbones. It ensures high-performance connectivity by routing data through optimal paths.
- AppNets provide visibility, controls and telemetry. By controlling the end-to-end path, and by combining ‘SD-WAN’ and ‘ZTNA’ into one holistic solution, administrators get the marriage of application-level and network-level telemetry data and controls.
Reimagining Secure Networking and Connectivity
By eliminating traditional network connections, AppNets address the #1 problem in cybersecurity – the root cause of just about every cyberattack. By replacing network connections with secure, session-specific connectivity for authorized sessions, AppNets drastically reduce the attack surface and blast radius of cyber-attacks. Eliminating the networks protects critical assets and data from both internal and external threats, and applies to any type of use case, from OT to IIoT to IT to cloud.
The simplicity and flexibility of AppNets enable easy, software-only deployments and centralized management. The operational complexity and cost of trying to manage inherently insecure network connections with bolted-on security is eliminated.
Additionally, AppNets improve reliability and performance through a programmable, full mesh, global overlay, with real-time routing algorithms choosing the best paths automatically, for each session, across the world’s top backbones. As the overlay is all software, AppNets can even be deployed in air-gapped environments.