We recently talked about the ways you can extend the capabilities of Linode VLANs, including isolating your network with VPCs and extra configuration to expand VLANs across multiple regions. Deploying and maintaining a secure network often requires extra applications and tools to ensure visibility across growing environments. Here are some apps available in Marketplace to further secure your VLANs or VPCs.
Let’s start with an absolutely critical component of any VLAN or VPC configuration – a VPN for users to access isolated resources. WireGuard, one of the most popular VPNs, is a protocol like OpenVPN or IPSec. It’s lean, fast, and incredibly secure. In practical terms, lean means less CPU usage, fast means lower latency and connection times, and secure means it is built by design on strong, modern cryptographic primitives.
WireGuard also has a very low attack surface right down to the code level. It’s built for Linux with fewer than 4000 lines of code, versus hundreds of thousands of lines for OpenVPN or IPSec VPNs. Even Linus Torvalds had some positive things to say about WireGuard as it was preparing to be merged into the Linux kernel in 2018.
We rely on VPNs to secure our data over the public internet, so let’s start with one of the most highly regarded protocols in the industry.
WarpSpeed is a VPN server that uses the WireGuard protocol and adds some wrap-around functionality for user experience. WarpSpeed supports multiple SSO providers, connection history, and real-time bandwidth monitoring. It’s important to note that even though WarpSpeed uses the WireGuard protocol, it is a separate project not affiliated with the WireGuard dev team.
WarpSpeed is free for one user and a limited number of connections with paid business plan options.
Wazuh is a unified security platform that provides SIEM and XDR features. It can be used to protect workloads across multiple environments by monitoring infrastructure and detecting threats, vulnerabilities, or intrusions.
- SIEM – Security Information and Event Management collects log data from every part of your environment and provides visibility to spot malicious activity.
- XDR – Extended Detection and Response focuses on threat response or proactive mitigation.
*Note: These are very broad definitions. XDR is a relatively new term and there is often overlap between the functionality of SIEM and XDR solutions.
Both SIEMs and XDRs are becoming essential to provide visibility into growing environments and respond to threats quickly and completely.
Since we’re talking about private networking, let’s look at Intrusion Detection with Wazuh. Wazuh can be combined with a Network Intrusion Detection System (NIDS) tool like Suricata to monitor transit points on your network or traffic to and from individual servers. Wazuh will pick up NIDS events across your environment and pipe them into a unified dashboard. Check out Wazuh’s documentation for details on how to catch suspicious network traffic with Suricata.
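To make the NIDS-to-dashboard flow concrete, here is an added example (not from Wazuh, Suricata, or Linode) that triages Suricata alerts the way a SIEM rule might: it reads events in Suricata's EVE JSON format and groups alerts by whether the traffic stayed inside the VLAN or crossed its edge. The `10.0.0.0/24` subnet, the signature names, and every sample event are constructed for illustration.

```python
import ipaddress
import json
from collections import Counter

VLAN_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed VLAN subnet

# Constructed sample in Suricata's EVE JSON format (one event per line).
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"signature":"CONSTRUCTED SSH connection burst","severity":2}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"signature":"CONSTRUCTED SSH connection burst","severity":2}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"signature_id":1000002,"signature":"CONSTRUCTED suspicious inbound HTTP request","severity":1}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.20","dest_port":53,"proto":"UDP","alert":{"signature_id":1000003,"signature":"CONSTRUCTED DNS policy notice","severity":3}}
{"timestamp":"2024-01-01T10:00:05
"""

def parse_alerts(text):
    """Yield alert events; skip other event types and malformed lines."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line (e.g. cut off by log rotation)
        if isinstance(event, dict) and event.get("event_type") == "alert":
            yield event

def direction(event, net=VLAN_NET):
    """Classify an alert by which of its endpoints sit inside the VLAN."""
    src_in = ipaddress.ip_address(event["src_ip"]) in net
    dst_in = ipaddress.ip_address(event["dest_ip"]) in net
    if src_in and dst_in:
        return "east-west"  # both hosts are on the VLAN
    if dst_in:
        return "inbound"
    return "outbound" if src_in else "transit"

def summarize(text, max_severity=2):
    """Count alerts per (direction, signature); Suricata severity 1 is highest."""
    counts = Counter()
    for event in parse_alerts(text):
        alert = event.get("alert", {})
        if alert.get("severity", 3) <= max_severity:
            counts[(direction(event), alert.get("signature", "unknown"))] += 1
    return counts

if __name__ == "__main__":
    for (where, signature), n in summarize(SAMPLE_EVE).most_common():
        print(f"{n:3d}  {where:10s}  {signature}")
```

East-west alerts are the ones to look at first on a private network, since traffic between two VLAN hosts never passes an edge firewall.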
Kali is directly available as a one-click app on Linode and remains an incredibly popular security platform for penetration testing and research. Kali is a distribution of Linux that is prepackaged with the most widely used security tools in the industry. Let’s take a look at just a few big ones.
- Nmap—short for Network Mapper—uses raw IP packets to pull system and network inventory from your environment. Nmap can rapidly scan large networks and return a list of available hosts, what services they’re running, what type of filters/firewalls are in place, and a lot more.
- Wireshark is a leading network traffic analyzer for troubleshooting issues in real time. Wireshark is a mainstay in the network admin toolkit that lets us dive into anything from dropped packets to latency issues, and even spot malicious activity. Wireshark requires a decent working knowledge of TCP/IP networking but has a wealth of documentation to help you get started.
- Metasploit is a penetration testing framework that lets us use a massive database of known exploits to simulate real-world attacks on our network. It enables us to be the first to find and mitigate any vulnerabilities in our environment.
Secure Networking on Linode
Linode provides a free VLAN service that recently expanded to Europe in our London and Frankfurt data centers. VLANs are created during the process of deploying a new Linode, including when deploying a Marketplace app. Apply up to three VLANs to a single Linode. Read the documentation for full deployment instructions. You can also build redundant, secure, and geo-distributed applications via a VPC-like implementation.