Description

The CoIP® Overlay builds a virtual network to serve application traffic. This virtual network is decoupled from the physical network, and can use a separate IP space from the physical network or can be configured to use the same IP space as the physical network. It enables applications to connect across any physical network boundary, such as an organizational perimeter, a VLAN boundary, or a firewall, without connecting the networks together with a VPN. It supports any TCP, UDP, or ICMP application, and is the fundamental technology driving the CoIP Access ZTNA.

Benefits of the CoIP Overlay

The CoIP Overlay provides numerous security and operational benefits, including:

• Makes the use of VPN for remote application connectivity optional, allowing different network domains to remain disconnected for better security

• Supports simultaneous access to applications or resources in different network domains

• Builds dynamic connectivity as allowed by policy – no static connectivity that can be abused

• Moving valid application traffic to an overlay allows administrators to block traffic on the physical network (e.g. exposed ports used for RDP or Powershell)

The CoIP Overlay can optionally be used with existing PKI infrastructure, enabling existing network security devices such as firewalls to continue to inspect overlay traffic.

Types of Overlay Connections

CoIP WAN

CoIP WAN connections are built between endpoints in different network domains, that do not have a physical routing path between them. A CoIP WAN connection transits through the ZNS data services layer, encrypted in TLS 1.3 tunnels for security.

CoIP LAN

CoIP LAN connections are built between endpoints in the same network domain, where the two devices have a physical routing path between them. CoIP LAN connections use port TCP 9797 by default, and may optionally use TLS 1.3 to encrypt tunnels.

The benefit of using CoIP LAN over direct, point-to-point routes is that it enables applications such as RDP to run normally, even though TCP port 3389 has been blocked by an Application Chamber.   This is a required step for any solution to achieve the "default deny" model for Zero Trust security.

Overlay Addressing

The CoIP Overlay works by assigning each endpoint a new address in an overlay address space, which can be used by applications to reach remote applications. The overlay address space consists of the full 2^32 range, although it is generally a good practice to choose blocks from the RFC1918 space, to avoid overlaying publicly routable IPs.

The overlay space may also overlap the existing physical network, meaning that overlay connectivity can be added without adjusting IP addressing for existing applications.