Introduction to CoIP
Cloud-over-IP® (CoIP) is an advanced overlay network fabric that frees application connectivity and network security from the constraints of physical topology and physical network responsibility. CoIP is the fundamental technology that powers the CoIP Platform, a complete solution for implementing software-defined overlay networks that give enterprises a unified view of connectivity and security across multiple sites, data centers, and cloud providers.
This section provides a high-level overview of CoIP and concepts required to implement a CoIP overlay network.
Fundamental Concepts
CoIP Overview
The CoIP system is a proxy network fabric that creates Layer 4-7 network services. It leverages existing physical network infrastructure to create application connectivity without requiring Layer 3 network connections between the communicating hosts.
CoIP Infrastructure Components
CoIP Controller (zCenter)
The zCenter CoIP controller appliance is the heart of the CoIP Platform. The zCenter appliance provides centralized policy enforcement and control through a web-based UI or through API. The zCenter controller supports multitenancy, allowing customers to provide service for multiple projects or business units from a single zCenter.
zCenter is responsible for authenticating endpoints and registering them to become part of the CoIP network. It is also where licenses and API keys are managed and logging is configured, and it serves as the distribution point for the endpoint agent (zLink). This infrastructure component is a software solution that can be deployed on physical or virtual servers in an on-prem or cloud environment.
The zCenter controller can be deployed in a high-availability configuration to improve service availability.
Zentera Network Switch (ZNS)
The ZNS virtual switch is an appliance which bridges connections from CoIP agents or edge gateways. ZNS virtual switches are available as a physical or a virtual appliance; as a virtual appliance, they can support between 1 and 20Gbps of switching capacity.
Multiple ZNS virtual switches can be grouped together into a cluster to support arbitrarily large switching capacity; the zCenter controller will load balance CoIP traffic among the configured ZNS switches in a cluster. Clustering also provides redundancy in the event of a single ZNS switch failure. ZNS clusters may be deployed strategically to optimize application traffic routing.
The zCenter controller integrates a small ZNS virtual switch, capable of up to 500Mbps switching throughput, to support demo and test environments without requiring customers to configure a ZNS virtual switch cluster.
zLink Agent
The zLink agent is user-mode software that installs on an endpoint, creating a virtual proxy interface which provides CoIP connectivity to remote endpoints. This method of deployment provides the highest level of data security, as encryption tunnels are terminated directly in the OS layer. The zLink agent provides many powerful security features, as well as information about the endpoint and the applications attempting to use CoIP that can be used as trust factors to define application connectivity policies.
Because this deployment model does not interact directly with the physical IP network, it is also the most portable. The zLink agent supports Windows, Mac and Linux operating systems, and is lightweight enough to run on resource-constrained embedded CPUs, such as Raspberry Pi devices.
The zLink agent is required for certain advanced policy features, such as Application Interlock. See Zentera Endpoint Agent Installation for information on installing and managing the zLink agent.
Gateway Proxy
The CoIP Gateway Proxy is an appliance that provides a gateway into the CoIP proxy network. A Gateway Proxy is typically installed in a subnet to proxy traffic from machines that are not running the zLink agent to remote hosts. CoIP’s TLS tunnels are terminated at the Gateway Proxy (the edge gateway); therefore, traffic between the endpoint and the Gateway Proxy crosses the local subnet unencrypted, and that subnet must be trusted, or protected by other means, to the same degree as the endpoint itself.
The Gateway Proxy requires Layer 3 networking configuration, so is more complex to configure than the zLink agent. However, the Gateway Proxy can support machines that are under the control of another organization or group (for example, the corporate Active Directory server) or cannot otherwise support the zLink agent (for example, a z/OS mainframe or an IoT device, such as an IP camera).
See Installing a Gateway Proxy for more information on installing and managing a Gateway Proxy.
CoIP Launcher
CoIP Launcher is a Windows, Mac OS and Linux client, which allows users to access various network services provided by CoIP Platform. Those services include:
CoIP Access – Layer 4-7 virtual private network that may be locked for a specific set of applications
CoIP Desktop – Secure virtual desktop supporting RDP or VNC
CoIP File Transfer Manager – Secure file transfer manager, with policy-based approvals and traceability
CoIP Overlay Application Network
The CoIP Platform Overlay enables application connectivity at Layers 4-7. This allows hybrid application connectivity to be created without first building a unified Layer 3 network.
The proxy mode of operation allows CoIP Platform to be deployed without reconfiguring existing network and security infrastructure. The following diagram illustrates how this application connectivity is built without building unified network connectivity. All connections are initiated outbound from the zLink agent or the Gateway Proxy to the zCenter and ZNS, so no inbound firewall rules need to be opened toward the endpoints.
CoIP Tunnels and Encryption
Within the CoIP Platform, application traffic is protected in TLS 1.3 tunnels. CoIP automatically creates a unique TLS tunnel between each pair of hosts (based on the source and destination addresses of those hosts). Unlike a persistent IPsec VPN, CoIP tunnels are set up on-demand when applications begin sending traffic, and last while application traffic continues to flow.
The cipher suite used in a CoIP Platform deployment can be customized through the zCLI command line interface.
CoIP Addresses
Within the CoIP proxy overlay, the user essentially has a full private IPv4 address space. Compute resources, known as endpoints, carry two and possibly more IPv4 addresses:
Private IP - The endpoint's private IP address on the physical network
Public IP - An optional public IP address, if one is assigned to the endpoint
CoIP IP - A virtual IPv4 address used in CoIP application networks. CoIP addresses can be Dynamic, First-Time Dynamic, or Static
Hosts on a CoIP network are assigned a new virtual IPv4 address, which is completely private to the CoIP network. This CoIP address has the same format as a normal IPv4 address. Unlike normal IP addresses, the CoIP address does not imply anything about the physical topology of the network; it is essentially a 32-bit unique identifier. The benefit of reusing a similar scheme to an IP address is that applications can use a CoIP address instead of an IP address without requiring modification. All routing decisions are made by the zCenter CoIP Controller based on policies that define the flow of application traffic.
While the actual CoIP addresses used are unimportant to the routing of CoIP itself, the selection of CoIP addresses can be important in certain deployments. For more information about specific cases, see Deployment Examples and Best Practices.
CoIP addresses may overlap the physical network address space. This property enables capabilities such as IP migration and Network in Motion, which are important for some deployments, such as datacenter migration usage scenarios.
CoIP Encapsulation
In a LAN environment, CoIP packets are routed directly from host to host using the underlying physical network. Packets are always encapsulated, and the application traffic inside them may optionally be encrypted.
In a WAN environment, CoIP packets are encapsulated using Zentera's proprietary ZP protocol. The original application L3 and L4 headers are encrypted along with the packet payload, while the ZP header contains normal TCP/IP headers needed for standard networking routers and switches to send the CoIP packet along its journey.
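The split between a cleartext outer header and an encrypted inner packet, as an added example that is not the ZP protocol itself (ZP is proprietary and its wire format is not described on this page): Go code that seals a constructed IPv4/TCP packet, headers included, with AES-256-GCM and binds the cleartext outer header as associated data, so that a middlebox which rewrites the outer header without the tunnel key causes decapsulation to fail rather than silently redirecting the flow. The outer header layout, the addresses, the port 9797 value and the key are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// OuterHeader is the cleartext part of the encapsulated packet, the addresses
// that physical routers and switches act on. Its layout is an assumption for
// this example, not the ZP wire format.
type OuterHeader struct {
	SrcIP, DstIP     [4]byte
	SrcPort, DstPort uint16
}

func (h OuterHeader) Marshal() []byte {
	b := make([]byte, 12)
	copy(b[0:4], h.SrcIP[:])
	copy(b[4:8], h.DstIP[:])
	binary.BigEndian.PutUint16(b[8:10], h.SrcPort)
	binary.BigEndian.PutUint16(b[10:12], h.DstPort)
	return b
}

// InnerPacket builds a minimal IPv4+TCP packet as constructed sample input;
// checksums are left zero because they play no role in encapsulation.
func InnerPacket(src, dst [4]byte, sport, dport uint16, payload []byte) []byte {
	p := make([]byte, 40, 40+len(payload))
	p[0], p[8], p[9] = 0x45, 64, 6 // IPv4 with 20-byte header, TTL 64, protocol TCP
	binary.BigEndian.PutUint16(p[2:4], uint16(40+len(payload)))
	copy(p[12:16], src[:])
	copy(p[16:20], dst[:])
	binary.BigEndian.PutUint16(p[20:22], sport)
	binary.BigEndian.PutUint16(p[22:24], dport)
	p[32] = 0x50 // TCP data offset: 5 words
	return append(p, payload...)
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encapsulate emits outer header || nonce || AES-GCM(inner packet) with the
// outer header authenticated as associated data but left readable.
func Encapsulate(key []byte, outer OuterHeader, inner []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	hdr := outer.Marshal()
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(append(hdr, nonce...), nonce, inner, hdr), nil
}

// Decapsulate verifies and opens a packet, returning the outer header and the
// original inner packet with its L3/L4 headers intact.
func Decapsulate(key []byte, wire []byte) (OuterHeader, []byte, error) {
	var h OuterHeader
	g, err := aead(key)
	if err != nil {
		return h, nil, err
	}
	n := 12 + g.NonceSize()
	if len(wire) < n+g.Overhead() {
		return h, nil, errors.New("packet too short")
	}
	hdr := wire[:12]
	inner, err := g.Open(nil, wire[12:n], wire[n:], hdr)
	if err != nil {
		return h, nil, err // wrong key, or outer header/ciphertext altered in transit
	}
	copy(h.SrcIP[:], hdr[0:4])
	copy(h.DstIP[:], hdr[4:8])
	h.SrcPort = binary.BigEndian.Uint16(hdr[8:10])
	h.DstPort = binary.BigEndian.Uint16(hdr[10:12])
	return h, inner, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key
	rand.Read(key)
	inner := InnerPacket([4]byte{10, 10, 10, 10}, [4]byte{10, 20, 30, 40}, 40000, 443, []byte("hello"))
	wire, _ := Encapsulate(key, OuterHeader{[4]byte{203, 0, 113, 5}, [4]byte{198, 51, 100, 7}, 51000, 9797}, inner)
	_, back, err := Decapsulate(key, wire)
	fmt.Printf("wire %d bytes, recovered %d bytes, err=%v\n", len(wire), len(back), err)
}
```

Only the outer addresses appear in cleartext on the wire; the inner source and destination, ports and payload are visible solely to the two tunnel endpoints that hold the key.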
CoIP Transport
CoIP LAN
A CoIP LAN environment consists of hosts that have a physical network connection to each other. They typically correspond to a VPC or a subnet, but can also exist in larger networks that have routing rules configured (e.g. a campus LAN environment).
(Figure: CoIP LAN)
A group of hosts that have a route to each other through the physical network can be placed in a CoIP LAN.
In a CoIP LAN, CoIP provides policy-based segmentation controls, but peer-to-peer traffic takes the same path as non-CoIP traffic would. As a result, there is no additional routing delay compared to non-CoIP traffic.
All CoIP LAN traffic is encapsulated and runs by default on TCP port 9797. CoIP LAN traffic can be optionally encrypted, providing LAN encryption for applications that were not designed to support it.
CoIP WAN
A CoIP WAN environment is defined as one where application traffic must flow between hosts that do not have a direct route to each other. This is typically the case when connecting on-premises hosts to hosts in a cloud, or in a multi-cloud environment. However, a CoIP WAN can also be used to provide connectivity to hosts that are prevented from routing to each other by VLAN segmentation on-premises or by VPC settings in the cloud. In a CoIP deployment, CoIP WANs connect different Cloud Domains.
(Figure: CoIP WAN)
Groups of hosts that do not have direct physical network connectivity to each other must be connected with a CoIP WAN.
CoIP WAN traffic is always protected in a TLS tunnel.
The Application View of CoIP
CoIP is largely transparent to applications that use it. The zLink package creates a virtual network interface for all CoIP overlay traffic, and applications can send traffic over the CoIP network simply by addressing it to a CoIP address.
Addressing
CoIP IP addresses are in the standard IPv4 address format. Applications address their traffic to CoIP addresses, but this does not necessarily mean that the application needs to be changed – the CoIP address space can overlap with the physical IP address space.
Performance and Latency
Hosts need to be specifically granted network access by policy. The policy check occurs on the CoIP Controller when a network socket is opened, and a tunnel may need to be set up; both of these add a small amount of delay to the first packet of the application flow. However, these steps are performed only when a tunnel is set up; once it is established, they are not repeated as long as application traffic continues to flow, so steady-state application latency is not affected.
Each of the switching components typically adds 200-250 microseconds of latency. As a result, the end-to-end latency, even in a CoIP WAN Type 3 case, typically is less than 1 millisecond.
Routing
The proxy network fabric created by CoIP Platform forwards packets from the source to the destination. Actual packet traffic routes over the existing IP network, but CoIP itself does not require or support the concept of “routing” – from the CoIP perspective, all other hosts are one hop away.
Broadcast and Multicast
CoIP Platform is a Layer 4-7 proxy network fabric, and does not support lower layer functions such as broadcast or multicast. In this way, CoIP Platform is similar to any cloud provider’s SDN – broadcast and multicast are not supported in the cloud.
CoIP WAN Types
CoIP WAN connections can be grouped into three major categories.
CoIP WAN Type 1 - Application to Application
A CoIP WAN Type 1 connects endpoints assigned to an Application (server group) to endpoints in another Application in another physical network. Type 1 connections are the most common type of CoIP WAN connection.
CoIP WAN Type 2 - Application to Gateway Proxy
A CoIP WAN Type 2 connects endpoints assigned to an Application to Services hosted on a Gateway Proxy. The endpoint in the Application can communicate via Layer 3 traffic with any machines that are configured on the Gateway Proxy. These machines are technically not part of the CoIP network, but reachable through the CoIP network.
CoIP WAN Type 3 - Gateway Proxy to Gateway Proxy
A CoIP WAN Type 3 connects machines on subnets configured on the "left side" of a Gateway Proxy pair to machines on subnets configured on the "right side" of the pair. The machines on either side can communicate via Layer 3 traffic with any machines configured on the opposite Gateway Proxy. These machines are technically not part of the CoIP network, but are reachable through the CoIP network.
Type 3 WAN connections can only be configured from the Advanced Management view.
Additional CoIP WAN Features
Traffic Directionality - CoIP WAN policies can be unidirectional or bidirectional. Both unidirectional and bidirectional CoIP WANs perform stateful packet filtering and drop packets that don't match the list of permitted source addresses. Unidirectional CoIP WANs only allow traffic to originate from one side, while bidirectional CoIP WANs allow a server on either side to originate a connection.
Filtered Protocols and Ports - CoIP WAN traffic can be filtered by Protocol (TCP, UDP, or ICMP) and source/destination ports. Additionally
For more information on configuring these features, refer to zCenter Admin Portal Overview.
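The directional and protocol/port filtering above, together with the once-per-flow policy check described under Performance and Latency, as an added example that is not Zentera's code: a Go stateful filter for one CoIP WAN. The full policy is evaluated only on the first packet of a flow; replies and later segments of an established flow, in either direction, are matched against the flow table alone, which is what lets a unidirectional WAN pass return traffic while refusing connections that originate on the wrong side. The address groups, the left/right naming and the rule that a new TCP flow must begin with SYN are assumptions of the example.

```go
package main

import "fmt"

// Proto is the IP protocol number a CoIP WAN policy can filter on.
type Proto uint8

const (
	ICMP Proto = 1
	TCP  Proto = 6
	UDP  Proto = 17
)

// Packet carries the header fields the filter decides on (constructed input).
type Packet struct {
	Src, Dst         string
	Proto            Proto
	SrcPort, DstPort uint16
	SYN              bool // TCP only: true on the first segment of a connection
}

// WANPolicy describes one CoIP WAN between a left and a right group of hosts.
type WANPolicy struct {
	Left, Right   map[string]bool
	Bidirectional bool            // false: only Left may originate connections
	Protos        map[Proto]bool  // permitted protocols
	DstPorts      map[uint16]bool // permitted TCP/UDP destination ports; empty means any
}

// permits is the full policy evaluation, applied to the first packet of a flow.
func (w WANPolicy) permits(p Packet) bool {
	leftToRight := w.Left[p.Src] && w.Right[p.Dst]
	rightToLeft := w.Right[p.Src] && w.Left[p.Dst]
	if !(leftToRight || (w.Bidirectional && rightToLeft)) {
		return false
	}
	if !w.Protos[p.Proto] {
		return false
	}
	if p.Proto != ICMP && len(w.DstPorts) > 0 && !w.DstPorts[p.DstPort] {
		return false
	}
	// A TCP flow must open with SYN: a stray mid-stream segment that matches
	// no known flow is dropped rather than allowed to create one.
	return p.Proto != TCP || p.SYN
}

type flowKey struct {
	src, dst         string
	proto            Proto
	srcPort, dstPort uint16
}

// Filter is the stateful packet filter for one CoIP WAN. The policy is
// consulted once per new flow; later packets of that flow, in either
// direction, hit the flow table only.
type Filter struct {
	Policy       WANPolicy
	flows        map[flowKey]bool
	PolicyChecks int // how many times the full policy was evaluated
}

func NewFilter(p WANPolicy) *Filter {
	return &Filter{Policy: p, flows: map[flowKey]bool{}}
}

func (f *Filter) Allow(p Packet) bool {
	fwd := flowKey{p.Src, p.Dst, p.Proto, p.SrcPort, p.DstPort}
	rev := flowKey{p.Dst, p.Src, p.Proto, p.DstPort, p.SrcPort}
	if f.flows[fwd] || f.flows[rev] {
		return true // established flow: fast path, no policy lookup
	}
	f.PolicyChecks++
	if !f.Policy.permits(p) {
		return false
	}
	f.flows[fwd] = true
	return true
}

func main() {
	f := NewFilter(WANPolicy{
		Left:     map[string]bool{"10.1.1.5": true},
		Right:    map[string]bool{"10.2.2.9": true},
		Protos:   map[Proto]bool{TCP: true, ICMP: true},
		DstPorts: map[uint16]bool{443: true},
	})
	pkts := []Packet{
		{"10.1.1.5", "10.2.2.9", TCP, 40000, 443, true},  // new connection from the left: allowed
		{"10.2.2.9", "10.1.1.5", TCP, 443, 40000, false}, // reply: allowed by flow state
		{"10.2.2.9", "10.1.1.5", TCP, 50000, 22, true},   // originates on the right: dropped
		{"10.1.1.5", "10.2.2.9", UDP, 40001, 443, false}, // protocol not permitted: dropped
	}
	for _, p := range pkts {
		fmt.Printf("%s:%d -> %s:%d proto %d allow=%v\n", p.Src, p.SrcPort, p.Dst, p.DstPort, p.Proto, f.Allow(p))
	}
	fmt.Println("policy evaluations:", f.PolicyChecks)
}
```

Setting Bidirectional to true is the only change needed to let the right-hand group originate connections; the protocol and port constraints still apply to flows opened from either side.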
Platform Support
Zentera CoIP components are validated against the following platforms.
Component | Windows | Linux† |
---|---|---|
zLink Core CoIP Services | Windows XP, 7, 8, 10, 11; Windows Server 2003, 2008 (SP2), 2012, 2016, 2019 | CentOS 6, 7, 8; Red Hat Enterprise Linux 5, 6, 7, 8; Ubuntu 14.04, 16.04, 18.04, 20.04; SUSE Linux Enterprise 11.4, 12.3, 12.4, 15; openSUSE Leap 42.3, 15.1; Amazon Linux 2 |
Gateway Proxy | -- | CentOS 7, 8; Red Hat Enterprise Linux 7, 8; Ubuntu 14.04, 16.04, 18.04, 20.04 |
† This is not an exhaustive list, and other Linux distributions than those listed here will likely work as expected. CoIP is supported on Linux kernels 2.6.32 and beyond, but a minimum of kernel version 3.8 is recommended for best performance. If you encounter issues installing to your chosen Linux distribution, please contact Zentera Systems support. Please review the online support matrix for more information.
The zCenter and ZNS components, whether a physical or a virtual appliance, come with a CentOS 7-based operating system that has been configured per guidelines published by the Center for Internet Security, and further hardened based on the application requirements.