Organizations need to patch Pulse Secure VPNs


Organizations using Pulse Secure’s mobile VPN should patch vulnerabilities reportedly being exploited in the wild, possibly by a “Chinese espionage actor”.

The patches, available here, are considered important enough that the Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies a deadline of April 23 to apply them.

CISA’s guidance states that federal users of Pulse Connect Secure VPNs must use the company’s free utility to ascertain whether their devices are vulnerable.

If the vulnerability is found, affected government Pulse Secure software and appliances have to be immediately isolated from the network and a full report has to be made. In addition to the vulnerability detection tool, Pulse Secure has issued a replacement XML configuration file, which prevents the exploits from functioning when placed on affected devices.

“Organizations should examine available forensic evidence to determine if an attacker compromised user credentials,” wrote FireEye cybersecurity subsidiary Mandiant in a blog post. “[Pulse Secure parent company] Ivanti highly recommends resetting all passwords in the environment and reviewing the configuration to ensure no service accounts can be used to authenticate to the vulnerability.”

Pulse Secure recommends using its online Pulse Connect Secure Integrity Assurance tool to determine whether Pulse Connect Secure software has been compromised.

The known exploits force the SSL VPN authentication system to reveal credentials and trick it into producing “successful login” results when checking those credentials, according to Mandiant. Several exploit techniques have been used, but the results have been the same—compromised VPN appliances and remotely executed attack code.

The vulnerabilities are partially based on three known issues that were patched over the past two years, according to Pulse Secure’s own blog post on the matter. A newer flaw can allow an attacker to bypass two-factor authentication on the Pulse Secure Connect gateway and execute remote code. An exploit of that vulnerability has apparently been used by multiple groups to target U.S. defense and industrial networks.

There are twelve separate families of malware attacking Pulse Secure VPNs, and multiple actors are likely using the exploit in the wild, at least one of which appears to be linked to the Chinese government, said Mandiant.

The APT5 group, described as a “Chinese espionage actor” in the blog post, has persistently targeted U.S. aerospace and defense companies over a period of several years, and has attacked networking and software companies in order to accomplish that end.


What is split tunneling? Here are the pros and cons


Network World | May 21, 2020

When remote-access VPNs are heavily used, traffic to and from the internet can tax the corporate internet connection as well as the security measures. That’s where split tunneling comes in. Split tunneling is when only the traffic destined for resources at the corporate site goes through the VPN. The rest is sent from the remote user’s device, through the internet and directly to other sites on the internet.
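The routing decision described above, as an added illustration in Python (not code from the Network World piece or from any VPN vendor). It goes slightly beyond the paragraph by modelling the three modes a client typically supports: full tunnel, split-include (only listed corporate prefixes go through the VPN) and split-exclude (everything goes through the VPN except listed prefixes). The corporate prefixes, the sample flows and their byte counts are constructed for the example.

```python
"""Split-tunnel routing policy and its effect on the corporate VPN link.

Added example; the prefixes, flows and byte counts below are constructed.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# Constructed corporate address space that is reachable only through the VPN.
CORPORATE_PREFIXES: List[IPv4Network] = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
]


def route_for(destination: str,
              prefixes: Iterable[IPv4Network] = CORPORATE_PREFIXES,
              mode: str = "split-include") -> str:
    """Return 'vpn' or 'direct' for a packet to `destination`.

    mode:
      'full'          - every packet goes through the tunnel (no split tunneling)
      'split-include' - only the listed corporate prefixes go through the tunnel
      'split-exclude' - everything goes through the tunnel except the listed
                        prefixes (the list then names trusted direct destinations)
    """
    addr = ip_address(destination)
    if mode == "full":
        return "vpn"
    listed = any(addr in net for net in prefixes)
    if mode == "split-include":
        return "vpn" if listed else "direct"
    if mode == "split-exclude":
        return "direct" if listed else "vpn"
    raise ValueError(f"unknown tunnel mode: {mode}")


# Constructed sample of one remote user's traffic: (destination, bytes).
SAMPLE_FLOWS: List[Tuple[str, int]] = [
    ("10.1.20.5", 4_000_000),       # file server at the corporate site
    ("172.16.3.9", 1_500_000),      # internal web application
    ("203.0.113.25", 250_000_000),  # video streaming site on the internet
    ("198.51.100.8", 40_000_000),   # public software update mirror
]


def tunnel_load(flows: Iterable[Tuple[str, int]],
                mode: str = "split-include") -> Dict[str, int]:
    """Total bytes that would cross the corporate VPN link versus go direct."""
    totals = {"vpn": 0, "direct": 0}
    for dest, nbytes in flows:
        totals[route_for(dest, mode=mode)] += nbytes
    return totals


if __name__ == "__main__":
    for mode in ("full", "split-include"):
        print(mode, tunnel_load(SAMPLE_FLOWS, mode=mode))
```

With the constructed flows, split-include keeps 5.5 MB on the corporate link and sends 290 MB direct; full tunnel pushes all 295.5 MB through the gateway and its security stack, which is the load the paragraph is talking about. Split-exclude is the inverse policy and is where a misconfigured prefix list quietly exposes a corporate route to the direct path, so the list deserves the same review as a firewall rule.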

Copyright © 2020 IDG Communications, Inc.

Global VPN use exploded in March


With millions of people working from home, the coronavirus outbreak has seen global VPN demand surge. Demand for commercial virtual private networks in the U.S. jumped by 41% between March 13 and March 23, according to research from Top10VPN.com, a VPN research and testing company in the U.K.

VPNs were already a growth industry before the COVID-19 outbreak and subsequent shutdown of workplaces. The global VPN market was forecast to grow 12% year-on-year and be worth $70 billion by 2026, according to a Global Market Insights 2020 survey. North America was forecast to remain the leader in VPN usage, with around 30% market share.

Top10VPN.com found global VPN demand increased 41% over the second half of March and remains 22% higher than pre-pandemic levels, with 75 countries seeing significant increases in VPN demand since COVID-19 social restrictions and stay-at-home orders.

The largest VPN demand increases were in unlikely places: Egypt (224%), Slovenia (169%) and Chile (149%). The largest sustained increases (two weeks or more) were in Egypt (154%), Peru (119%), and South Africa (105%).

The growth is hardly a surprise, but some of the reasons cited are surprising.

Top10VPN’s Global VPN Usage Report 2020 found that 51% of people in the U.S. and the U.K. use a VPN to protect their privacy on public Wi-Fi networks. Another 44% of respondents said anonymous browsing was the main reason for using the VPN, followed by secure communication, cited by 37% of VPN users. In addition, 20% of American and British respondents use VPNs to access better entertainment content or restricted download, stream, and torrent sites.

I can relate. I am a big aficionado of Japanese music, but many of the major labels in Japan restrict YouTube viewership by non-Japanese visitors. The fix for me has been the Opera browser, with its native VPN.

Top10VPN found that use with streaming services was a major driver for VPNs. This is for two reasons. One, Netflix’s library is geographically restricted due to copyright agreements. Two, video quality can be improved with a VPN due to their large, private networks. People note fewer interruptions in the stream with a good VPN. And statistics show that in the last month, the global demand for VPN used to watch leading streaming services increased 85%.

Other reasons cited for VPN use were definitely not work-related: 22% said to access sites/files/services when at work, 21% said to avoid bandwidth throttling by their ISP, 20% said to hide browsing activity from the government, and 18% said to access censored websites/content.

All of this rush of activity has had two inevitable results: network overload and an increase in malicious activity. We’ve covered it. And, as seen in a message from OpenVPN’s CEO and ZScaler’s CEO, just to name two, VPN providers are dealing with a crush of users they were not expecting.

With VPN use exploding, the hackers are moving in, looking for exploits and prompting this warning from the federal government’s Cybersecurity & Infrastructure Security Agency. It encourages keeping your VPN patched, which means taking it offline on occasion, as well as using multifactor authentication and extensive use of logging to watch for questionable activity.
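The logging advice above, and Mandiant's point in the Pulse Secure piece that organizations should examine available evidence for compromised credentials, come down to reading VPN authentication logs for a few patterns. The following Python is an added example (not code from CISA, Mandiant or Network World) that runs three such checks over constructed log lines: a run of failures followed by a success for the same account, a successful login that did not complete multifactor authentication, and one account logging in from two different source addresses within a short window. The log format, field names, thresholds and addresses are assumptions for the example.

```python
"""Flag suspicious VPN authentication events in a constructed log sample.

Added example; the log format and every line in SAMPLE_LOG are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed line shape: "<iso-timestamp> <gateway> auth user=<u> src=<ip> result=<ok|fail> mfa=<yes|no>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>ok|fail) mfa=(?P<mfa>yes|no)$"
)

# Constructed sample: bob is guessed into without MFA, alice appears from two addresses.
SAMPLE_LOG = """\
2020-03-20T08:00:01Z vpn-gw1 auth user=alice src=203.0.113.10 result=ok mfa=yes
2020-03-20T08:00:10Z vpn-gw1 auth user=bob src=198.51.100.7 result=fail mfa=no
2020-03-20T08:00:12Z vpn-gw1 auth user=bob src=198.51.100.7 result=fail mfa=no
2020-03-20T08:00:14Z vpn-gw1 auth user=bob src=198.51.100.7 result=fail mfa=no
2020-03-20T08:00:16Z vpn-gw1 auth user=bob src=198.51.100.7 result=fail mfa=no
2020-03-20T08:00:18Z vpn-gw1 auth user=bob src=198.51.100.7 result=fail mfa=no
2020-03-20T08:00:20Z vpn-gw1 auth user=bob src=198.51.100.7 result=ok mfa=no
2020-03-20T08:05:00Z vpn-gw1 auth user=alice src=192.0.2.44 result=ok mfa=yes
2020-03-20T09:30:00Z vpn-gw1 auth user=carol src=203.0.113.77 result=ok mfa=yes
"""

Finding = Tuple[str, str, str]  # (kind, user, source address)


def parse(log_text: str) -> List[Dict[str, object]]:
    """Parse matching lines; lines of another shape are skipped rather than guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d: Dict[str, object] = m.groupdict()
        d["ts"] = datetime.strptime(str(d["ts"]), "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def analyze(events: List[Dict[str, object]],
            fail_threshold: int = 5,
            window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    """Return findings in time order; each check is evaluated when a login succeeds."""
    findings: List[Finding] = []
    failures: Dict[str, int] = defaultdict(int)          # consecutive failures per user
    recent_ok: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, src, ts = str(e["user"]), str(e["src"]), e["ts"]
        if e["result"] == "fail":
            failures[user] += 1
            continue
        # A success after a burst of failures looks like password guessing that worked.
        if failures[user] >= fail_threshold:
            findings.append(("credential_guessing", user, src))
        failures[user] = 0
        # A success without MFA is exactly what the CISA guidance wants to eliminate.
        if e["mfa"] == "no":
            findings.append(("no_mfa", user, src))
        # Same account, different source address, inside the window: worth a second look.
        if any(ts - t <= window and s != src for t, s in recent_ok[user]):
            findings.append(("multi_source", user, src))
        recent_ok[user].append((ts, src))
    return findings


if __name__ == "__main__":
    for finding in analyze(parse(SAMPLE_LOG)):
        print(*finding)
```

On the sample this reports bob for credential guessing and a login without MFA, and alice for two sources within ten minutes; carol is clean. The thresholds are deliberately parameters: a five-failure burst is a reasonable starting point for an SSL VPN, but the right value depends on how noisy legitimate client reconnects are on a given gateway.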

One last finding from the group: 72% of U.S. and U.K. VPN users choose free VPN services, while 36% pay to use theirs (I realize the percentages don’t add up to 100%, but that’s the data available). The researchers note that free VPNs are more prone to security problems than the paid ones. So, like everything else, you get what you pay for.


COVID-19 means remote access needs strategic planning right now


The future of remote work has arrived.

With the work-at-home mandates triggered by COVID-19 quarantines, businesses have adapted on-the-fly to create remote-networking environments that maintain corporate security. Largely, they have done so by expanding traditional remote access solutions including VPN infrastructure and services, virtual desktop infrastructure, secure Wi-Fi access points and even SD-WAN for home use.

These traditional VPN-based solutions can have some significant disadvantages, including poor performance, security vulnerabilities and poor ease of use. So with the likelihood that work-at-home will become a permanent circumstance, IT departments need to look for a better long-term answer.

Over the next two to four years, enterprises have the opportunity to strategically plan for a converged architecture that addresses both networking and security: the secure access service edge or SASE (pronounced “sassy”).

SASE combines WAN capabilities with security, and delivers them via services based on identity, time, context, compliance with enterprise policies and risk assessment, according to Gartner, which created the term.

Colleges expand VPN capacity, conferencing to answer COVID-19


Colleges that moved from on-campus classrooms to remote learning due to COVID-19 had to quickly upgrade networks to support new VPN connections for remote access. Fortunately, many online-learning platforms rely on cloud-based applications that don’t put additional strain on campus networks.

For example, The College of the Holy Cross in Worcester, Mass., added extra VPN user licenses for students and staff now working from home. It also ramped up its VPN-server capacity, according to Dr. Ellen J. Keohane, the college’s CIO. “We’re definitely seeing higher demand on that.”

To accommodate remote learning, the school is using cloud-based services including Google Meet, Panopto (for video recording), and Zoom for videoconferencing. The college bought an upgrade to Zoom Enterprise, which adds classroom features such as breakouts and “raise hand”. It also integrates with Google email and calendars, Keohane said.

She said technology companies have been helpful. “I’m very happy to see some of the technology vendors stepping up to offer free services, such as Google adding Meet Premium to G Suite for Education customers, which allows recording of Google Meet conferencing sessions,” said Keohane. “I suppose it’s in their interest long-term, but not having to spend the extra money for the services at this time is really helpful.”

A larger challenge is working with students to get them Chromebooks or other computers. The school is also scrambling to get enough wireless hot-spot devices that use WAN services such as 4G for Internet access. They can be used to connect students who don’t have broadband internet access at home.

Students who do have home broadband may still have trouble connecting to two-way video and classroom services that require high bandwidth. “Families may need to coordinate who is working online and for what content, giving priority to synchronous school work,” said Keohane.

A recent upgrade helps USC

The IT staff at the University of Southern California found itself in luck when students were sent home to finish off the semester. “The complete re-architecting and replacement of our network that finished in January was capable of supporting the increased demand,” said Douglas Shook, the CIO at USC. “We are fortunate that we invested in our networks prior to COVID-19.”

Shook said the school had signed enterprise licenses for Zoom and Slack in the fall, and that resource was in place for remote learning when the outbreak occurred.

The one upgrade the school needed: VPN server capacity, primarily to meet the demands of faculty and staff who are working from home, he said.

Students now taking classes online are using a hybrid approach: the Blackboard app for course materials and Zoom for live, interactive lectures. The school overestimated the need for Blackboard by several times and quadrupled the number of VPN ports to support the demand.

“We prepared for our first online-only classes in less than one week,” Shook said. “We are continuing to add capacity, documentation, support, help desk capacity, etc., on an ongoing basis.”

The school said it will provide details soon on guidelines for technology assistance for people working from home.

A survey of students before they were sent home found that some had weak internet connections at home, so the school is working on recommendations to address that, including wireless hotspots.

USC also invested in online test-taking software, and spent time creating online training, documentation and help-desk support, Shook said. “The technology upgrades were one aspect,” he said. “The human change management and support probably has been equally challenging.”

VPN upgrades at San Jose State

San Jose State University and its 40,000 students and staffers benefitted from a network upgrade already underway that allowed it to adapt quickly to online-learning demands. It took the IT staff about four to five days to upgrade VPNs and add licenses for online-learning platforms.

“There was no way we would have been able to do this if we hadn’t started this process three years ago and hadn’t looked at the technologies we would need to enable work from anywhere,” said Bob Lim, the university’s CIO and vice president of IT. “When we were given the green light to move forward online, we did it almost without any hiccups.”

Like many other schools, San Jose State upgraded its VPN access. The team installed a new Cisco firewall appliance, boosting the university’s remote-access VPN support to 10,000 concurrent connections from AnyConnect VPN clients. Shai Silberman, the school’s network services manager, said the number of connections was chosen to support the work-from-anywhere scenarios, not as a specific response to the coronavirus situation. While the previous average was between 70 and 100 concurrent sessions, the team saw an uptick to about 500 due to the new work-at-home requirements for staffers.

While many students do not need the VPN access for regular online classroom learning or videoconferencing, the school is investigating the need for students in labs to be able to access their work remotely. Some areas of the school, such as medical facilities, also need the additional secure access due to HIPAA regulations.

In addition, Lim said the goal of the VPN upgrade was to make sure employees and students have the same network experience, whether they’re on the VPN or on the campus network.

“[The 10,000 connections are] way beyond what we need, but the reality is we don’t know how long this will sustain,” said Silberman. “We are investigating how we extend the laboratory experiences out to people’s homes, and that will be dependent on VPN as well.”

Silberman said staff members who had been working as campus call center agents and in other roles now work at home, and that requires secure remote access.

Lim said a big focus for the team was to make sure their network would be ready for the future, which will change teaching and learning methods as a result of the coronavirus outbreak.

For example, he said many people feel that support systems need to be situated on campus, but in reality with secure VPNs those tasks can be handled farther away. “For many organizations, campus buildings are very important,” Lim said. “We’re looking at moving non-essential areas or areas that don’t deal with students on a regular basis, moving them out further so the campus can be more student-focused in terms of teaching and learning.”

Other areas that the IT team has dealt with in recent weeks include:

  • Training staffers, teachers and students on using the online tools, which includes programs like Zoom and the Canvas by Instructure classroom learning management system.
  • Transferring desktop phone numbers over to cell phones for staffers.
  • Assisting students with equipment needs such as Chromebooks, webcams, microphones and other computers for secure access.


SASE might be better than VPNs for quickly ramping up remote access


The global pandemic now hitting almost every corner of the world is forcing countless millions of people to work from home. In one sense, we’re fortunate to now have the technology that allows us to do that. Between broadband Internet access in the home, corporate VPNs, team workspaces and videoconferencing services, many people can continue to do their jobs as effectively as if they were in their regular office environment.

That doesn’t mean it’s all smooth sailing for the IT departments that have to enable and support those critical work-from-home services. Depending on the type of network architecture a company has, it can be relatively easy or significantly challenging to support tens of thousands of employees now suddenly working from home.

I recently talked with Mark Casey, CEO of the network infrastructure services provider Apcela, who conveyed the challenges that many large enterprises have. It’s these companies that typically still have a traditional hub-and-spoke kind of WAN anchored in a physical data center. Corporate traffic is backhauled from branch and remote locations (like workers’ homes) to a centralized data center to pass through a security stack before it is sent to the internet or to cloud services. Unfortunately, this legacy network architecture doesn’t adapt well to the dramatically different traffic patterns resulting from a massive surge in telework.

When you look at the VPN architecture in this environment, it’s largely dominated by Cisco with its AnyConnect solution that pairs with the vendor’s ASA firewall products. Countless large enterprises have these hardware appliances in their on-premises data centers. Whether it’s Cisco equipment or some other vendor’s, the VPN/firewall combination is a real workhorse under normal conditions, but the vast increase in remote workers is causing a strain.

VPN capacity is strained

A home-based worker brings up a VPN connection that creates a secure tunnel to take him straight into the data center. This might be fine when the company expects 10% to 20% of its employees to work remotely at any given time, but now the numbers might approach 50% or 70%. This creates contention for resources and a poor VPN experience for all. What’s more, workers are routing a bunch of internet traffic to the data center along with traffic destined for on-premise applications like Microsoft Office 365. This is the landscape that Casey sees every day as he engages with large enterprise organizations.

“We’ve talked to a number of companies recently that say they need to expand their VPN capacity but the legacy network architecture is holding them back. Cisco, Palo Alto and others are offering free VPN client licenses but the enterprises still need to expand the VPN terminating appliances. It’s hard to quickly scale capacity in this environment,” says Casey. “Whether it’s coronavirus or some other catalyst that puts stress on the legacy network environment, we advocate that enterprises should diversify and shift portions of their network architecture to the cloud. This will give them much more flexibility to provide security and remote access services to their workforce in the long run.”

SASE for flexibility and capacity on demand

Casey points to the Secure Access Service Edge (SASE, pronounced “sassy”) framework as a model for re-architecting the enterprise network. SASE is Gartner’s name for a combination of SD-WAN capabilities with a number of security services that are primarily delivered through a cloud-based delivery model.

Gartner defines the service edge as an offering that supports the access needs of digital enterprises by combining SD-WAN functions with network security services such as secure web gateway (SWG), cloud access security broker (CASB), and cloud-based firewall. In short, a SASE offering helps simplify network management by offering highly customizable policy-based control that can be tailored by user identity, session context, and application needs for performance and security – and it’s delivered from the cloud. 

Casey explains the concept of a service edge with a geographical example. “Suppose an employee is VPNing into his corporate network from his New York area home, and the data center happens to be in Chicago. Ordinarily the traffic would all be directed to Chicago, but if he’s accessing internet content, it would be optimal to egress that traffic via secure web gateway much more locally to where the user is. It’s better to go to a site in New York where the VPN terminates on a local firewall, and there’s a secure web gateway there so the Internet traffic can be offloaded there instead of backhauling it to Chicago. This site in New York is called the service edge.”

Casey continues his explanation: “A virtualized version of a company’s firewall sits in the hub. The VPN terminates on the VPN concentrator in the local hub and then the traffic is routed appropriately. That traffic going to the internet goes out through secure web gateway and that traffic that’s destined for an application in the data center goes over a private network inside the security parameters. This is essentially another tunnel back to the data center. And that’s a great use case for this whole concept of SASE, which is to lift some of your core security components and move them out to the cloud.”
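The service-edge routing Casey describes, as an added example in Python (not Apcela's or Network World's code). It models the decision in his New York/Chicago scenario and goes a little beyond it: the user's VPN terminates at the nearest hub, internet-bound traffic egresses through that hub's secure web gateway, SaaS traffic rides the private core to a peering point, and only data-center traffic continues over the private core to Chicago; the identity check shows the policy-based control Gartner's definition mentions. A legacy hub-and-spoke path is included for contrast. Hub coordinates, the corporate domain, the SaaS host list and the identities are constructed assumptions.

```python
"""Nearest-hub path selection for a SASE-style service edge versus data-center backhaul.

Added example; hubs, domains, hosts and identities are constructed.
"""
import math
from typing import Dict, List, Tuple

Location = Tuple[float, float]  # (latitude, longitude) in degrees

# Constructed service-edge hubs.
HUBS: Dict[str, Location] = {
    "nyc": (40.71, -74.01),
    "chi": (41.88, -87.63),
    "sfo": (37.77, -122.42),
}
DATACENTER_HUB = "chi"                  # hub co-located with the corporate data center
CORPORATE_DOMAIN = ".corp.example"      # constructed internal application domain
SAAS_HOSTS = {"login.salesforce.example", "outlook.office365.example"}  # constructed


def distance_km(a: Location, b: Location) -> float:
    """Great-circle (haversine) distance; precise enough to rank hubs by proximity."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def nearest_hub(user_location: Location) -> str:
    """The hub where this user's VPN should terminate."""
    return min(HUBS, key=lambda name: distance_km(user_location, HUBS[name]))


def classify(dest_host: str) -> str:
    """Traffic class drives the path: datacenter, saas or plain internet."""
    if dest_host.endswith(CORPORATE_DOMAIN):
        return "datacenter"
    if dest_host in SAAS_HOSTS:
        return "saas"
    return "internet"


def sase_path(user_location: Location, dest_host: str,
              identity: Dict[str, str]) -> Dict[str, object]:
    """Policy-based path: nearest hub, then a per-class path, gated by identity."""
    hub = nearest_hub(user_location)
    kind = classify(dest_host)
    # Identity-aware control: in this example only employees reach data-center apps.
    if kind == "datacenter" and identity.get("role") != "employee":
        return {"hub": hub, "class": kind, "path": [], "allowed": False}
    if kind == "internet":
        path = [hub, f"{hub}:secure-web-gateway", "internet"]       # local egress
    elif kind == "saas":
        path = [hub, "private-core", "saas-peering", dest_host]    # off the public internet
    else:
        path = [hub, "private-core", DATACENTER_HUB, "datacenter"]  # tunnel back to the DC
    return {"hub": hub, "class": kind, "path": path, "allowed": True}


def legacy_path(dest_host: str) -> List[str]:
    """Hub-and-spoke: everything is backhauled to the data-center security stack first."""
    if classify(dest_host) == "datacenter":
        return [DATACENTER_HUB, "datacenter"]
    return [DATACENTER_HUB, "datacenter:security-stack", "internet"]


def backhaul_saved_km(user_location: Location, dest_host: str) -> float:
    """Extra one-way distance a legacy internet-bound flow travels versus local egress."""
    if classify(dest_host) != "internet":
        return 0.0
    to_dc = distance_km(user_location, HUBS[DATACENTER_HUB])
    to_edge = distance_km(user_location, HUBS[nearest_hub(user_location)])
    return to_dc - to_edge


if __name__ == "__main__":
    home = (40.75, -73.99)  # constructed New York area location
    print(sase_path(home, "www.example.org", {"role": "employee"})["path"])
    print(legacy_path("www.example.org"))
    print(round(backhaul_saved_km(home, "www.example.org")), "km of backhaul avoided")
```

For the constructed New York user the internet path becomes nyc, the nyc secure web gateway, internet, instead of a detour through Chicago of roughly 1,100 km each way; the data-center path still crosses the private core to Chicago, which is the "another tunnel back to the data center" in Casey's description.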

With the word cloud, people tend to think of AWS or Azure or Google Cloud Platform, but Casey gives cloud a broader definition. “Cloud is Software as a Service, like Salesforce and ServiceNow,” says Casey. “If you’re an enterprise, cloud is an Equinix data center. Cloud is anything that’s not you, and it’s delivered as a service.”

The service edge is a powerful hub

In Apcela’s parlance, a service edge is called an application hub, or AppHub. Other companies call them communication hubs, cloud hubs, or simply Points of Presence (PoPs). Regardless of the name, the concept is the same.

These hubs consist of racks of switching and routing equipment that are typically deployed in carrier-neutral co-location centers. Then these data centers are interconnected with high-capacity, low-latency circuits that create a high-performance core network. SD-WAN, VPN and security stacks are typically deployed in the hubs. At the edge of this network, an enterprise can directly connect its own data centers, branch offices, remote and mobile users, and even third-party partners. The leading SASE providers have built hubs, or PoPs, around the world so that organizations and their workers can connect to the closest hub to obtain the communication and security services they need. Each enterprise chooses what services it wants to utilize.

When considering how to deploy security as a virtual service, Casey says, “You don’t necessarily want to put all the security in AWS because then it will work great with AWS, but it won’t work for GCP or Azure, and it certainly won’t help you for your SaaS applications. So having this hub environment that sits between the application clouds – Salesforce, Office 365, Workday, etc. – and the users and enterprise locations is the perfect location to put these security services. And because the hubs are essentially an Infrastructure as a Service, you’re not stuck with having to move to some proprietary cloud-based platform.”

SASE infrastructure is essentially on demand, so it’s fairly easy for new customers to adopt it. “It’s not complicated,” says Casey. “We have to find a place, somewhere in the world, and cross connect back into an enterprise’s infrastructure to deliver private connectivity. But it’s all very cloud-like. It takes the agility of cloud and the speed of cloud and enables you to act quickly.”

SASE has VPN capacity pre-built

The SASE model allows companies to expand their VPN platforms easily because the capability is all pre-built. Once the service is turned on, the company is well positioned to support thousands of new home-based workers.

I asked Casey about a realistic timeframe for companies that are new to the SASE approach before they can expect to be up and running with expanded VPN capacity. “I can only speak to the solution Apcela offers, of course, but I’d say it’s a matter of days to weeks, but certainly not months,” he says. “In our case, it depends on their security platform because we leverage virtualized network functions on the security side, so the whole concept of procuring and shipping equipment goes away.” Other vendors might do the deployment in different ways.

Contrast this approach to the legacy model of installing new hardware in a data center to provide more capacity. By the time the company orders the hardware, gets it shipped to the data center, and then installed and configured, two or three months might pass.

Another benefit of the SASE framework is that traffic travels over a private core network rather than the public Internet. “The Internet shouldn’t become your new WAN – certainly not for business and mission-critical platforms. You need a specialized sort of MPLS-like network for your cloud apps, which is what a SASE platform does,” says Casey. “Traffic is taken off the Internet at the secure edge, put onto a private secure network and routed directly to the appropriate SaaS or IaaS platform data center.”

Having a private core network is especially important at this time because the public Internet is under great strain due to the traffic and content pattern shifts now that so many people are staying home or working from home. The strain is so bad that companies like Facebook and Netflix have been asked by the European Commissioner for internal market and services to throttle their services to consume less bandwidth. As Casey says, “You don’t want your corporate traffic to compete for bandwidth against Netflix and all these different videoconferencing services.”

If your organization is struggling with ramping up work-from-home capacity in a hurry, consider how a SASE service might help you.


Recent VPN hacks reveal transparency issues within the industry and its supply chain


Consumers are no doubt becoming increasingly aware about the safety and security of their online activity after many highly publicized studies have shown an uptick in online data theft. According to the Federal Trade Commission, there were 3 million reports of identity theft alone in 2018.

Even though these threats — and the rash of data breaches — continue to grab headlines, consumers still are connecting to public wifi despite the threats and are joining other unsafe networks while traveling. More cautious or tech-savvy individuals know to turn to virtual private networks (VPNs) as a way to safely connect online, and as VPNs become more mainstream, some project the VPN market can grow to more than $35 billion by 2022. We’ve even seen some vendors capitalize by creating flashy TV commercials that insinuate that they are consumers’ digital doorman.

However, as these companies look to pull back the curtain on the nefarious digital underworld, I can’t help but wonder whether the curtain has been sufficiently pulled back on their own operations. I don’t mean this as if they, too, are digital thieves taking oblivious consumers’ data (though some very well do sell your data to third parties), but instead question whether the VPN industry has been transparent about its own security protocols.

It wasn’t that long ago that NordVPN, probably the most well-known vendor, was hacked. An attacker broke into one of its servers in an overseas data center by penetrating a surprisingly insecure remote management system left by the “unnamed” data center provider. 

While NordVPN became the latest high-tech hack and even though there’s great irony of being an insecure security system, that’s not the egregious issue here. It’s also not the fact that the breach went unnoticed for a month, though that one does sting a little extra. The real warning here is that NordVPN not only didn’t know the system was being used to support its operation, but it also had no idea the thing even existed. Think about that for a minute; a data-security vendor engaged with a core partner and didn’t audit all of the potential vulnerabilities within their partners. 

Was NordVPN just an industry anomaly that had a single lapse in judgement? Nope, we came to find out that this vulnerability not only compromised NordVPN, it also exposed others like TorGuard. Now we have a scary trend. There are already a lot of sketchy VPN providers marketing to a consumer base that is still largely unfamiliar with the technology — including those that may be willing to share your data with authoritarian governments. But now even the most “trusted” have proven that they, too, have either lax or downright sloppy protocols in place to mitigate all points of potential attacks.

Why is this such an issue? The whole situation exposes a huge question mark around who is auditing these VPN players’ infrastructure. It also completely exposes the lack of transparency that the VPN industry has around its supply chain. Even in the wake of the NordVPN hack, the guilty data center provider was left unnamed.

When I was managing infrastructure at Google to make sure it all ran securely and efficiently, which included dealing with thousands of devices and partners, I experienced firsthand how difficult it was to have perfect visibility into the infrastructure supply chain. We went to great lengths — and had to invest a lot of resources — to map out every single integration, app and extension that our employees and partners used to do their jobs.

While not every organization has access to the same level of resources that I did at Google, many VPN providers claim to have all the best features to keep consumers safe (military-grade encryption, no logging, automatic kill switches, etc.). However, it’s all moot if they fail at keeping their servers secure. What the VPN industry seemingly lacks is a framework, infrastructure and process in place to understand the threats posed by all the vendors supporting them – including their vendors’ vendors.

There’s no doubt that it’s a hard networking challenge to solve, but it’s not without options. The supply chain and partner auditing issues are two of the reasons why I was attracted to blockchain-backed networking after leaving Google, because the blockchain developer community understands that transparency and auditing are paramount in an increasingly complex threat environment. Auditing might be a bit more straightforward because each supplier would record what they did and didn’t do on the blockchain while also signing in using their private key. In the NordVPN case, it could’ve allowed for a log of the administration tool left on the server, which might have been flagged if there was a review of the supply-chain history.

The bottom line is that it’s time these VPN vendors start minding their own kitchen before they burn the whole house down. It’s no longer enough to simply trust the VPN industry to disclose its supply chains and then assume it’ll self-police. If vendors want to truly provide the utmost transparency and lock down their infrastructure, then a good place to start is either making a commitment and investment in independent auditing or taking some cues from the vigilant blockchain community.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

The VPN is dying, long live zero trust

The venerable VPN, which has for decades provided remote workers with a secure tunnel into the enterprise network, is facing extinction as enterprises migrate to a more agile, granular security framework called zero trust, which is better adapted to today’s world of digital business.

VPNs are part of a security strategy based on the notion of a network perimeter; trusted employees are on the inside and untrusted employees are on the outside. But that model no longer works in a modern business environment where mobile employees access the network from a variety of inside or outside locations, and where corporate assets reside not behind the walls of an enterprise data center, but in multi-cloud environments.

Gartner predicts that by 2023, 60% of enterprises will phase out most of their VPNs in favor of zero trust network access, which can take the form of a gateway or broker that authenticates both device and user before allowing role-based, context-aware access.

There are a variety of flaws associated with the perimeter approach to security. It doesn’t address insider attacks. It doesn’t do a good job accounting for contractors, third parties and supply-chain partners. If an attacker steals someone’s VPN credentials, the attacker can access the network and roam freely. Plus, VPNs over time have become complex and difficult to manage. “There’s a lot of pain around VPNs,” says Matt Sullivan, senior security architect at Workiva, an enterprise software company based in Ames, Iowa. “They’re clunky, outdated, there’s a lot to manage, and they’re a little dangerous, frankly.”  

At an even more fundamental level, anyone looking at the state of enterprise security today understands that whatever we’re doing now isn’t working. “The perimeter-based model of security categorically has failed,” says Forrester principal analyst Chase Cunningham. “And not from a lack of effort or a lack of investment, but just because it’s built on a house of cards. If one thing fails, everything becomes a victim. Everyone I talk to believes that.”

An SD-WAN service that gets around the Great Firewall of China legally

The saying goes that China is the world’s factory. For many companies around the world, their products or components of their products are produced in mainland China. At the same time, China’s population of more than a billion people makes it one of the world’s largest consumer markets. Thus, for either production or sales, many companies want to do business in China and have established facilities there.

On the networking front, this means that multinational companies need to extend their wide area network into China to support their large or rapidly growing operations—and that’s easier said than done.

Many organizations had done this using VPNs, but in early 2018, the Chinese government placed restrictions on IPsec traffic to basically block it from going in and out of the country. The Ministry of Industry and Information Technology (MIIT) said these restrictions are in accordance with the China Cross-border Data Telecommunications Industry Alliance (CDTIA), which was created to regulate cross-border data communication.

The results of the regulation were very disruptive to businesses that depended on their VPNs for access to cloud services and data security, among other things. This regulation threw a big monkey wrench in the global WAN strategies for a lot of enterprises. Companies weren’t totally left without options to deploy a WAN into China, but the solutions that were available at that point were very expensive.

One option is to run an MPLS circuit into the country. So, for example, a business with a factory in Shanghai can run an MPLS circuit from there back to Hong Kong or Singapore, and then connect that into a global SD-WAN. However, this option is very expensive, takes a long time to deliver and is bandwidth-constrained. A typical Chinese MPLS circuit is somewhere south of 20 MB of bandwidth, and it could cost $15,000 to $20,000 for a single circuit. On the other hand, it does work, it’s reliable, and it is compliant with the CDTIA requirements, making it a viable solution for enterprises that must have WAN access in China.

Another option is to go with a managed VPN solution from one of the three major telecom providers: China Telecom, China Unicom and China Mobile. While the service they provide is based on IPsec, they are sanctioned by the MIIT to provide this service because they agree to force all outbound traffic through the Great Firewall of China. This enables the telecom companies to block restricted traffic, which of course is sub-optimal for enterprises. What’s more, going through the Great Firewall causes tremendous performance issues. For example, it can take two minutes just to load a text-only website if one has to go through the firewall to get to it.

The CDTIA regulations have a loophole that allows an enterprise to do VPN connectivity between sites that go outside the country, as long as the traffic is carried by one of the three Chinese telecom providers listed above. Businesses can use a private MPLS circuit or managed IPsec. Broadband access within China actually offers good performance and is relatively inexpensive. A 500 MB broadband connection from China Telecom is about $30 a month. The performance degradation occurs when traffic has to pass through the Great Firewall but going from one factory to another within China across broadband is pretty fast.

A new option for SD-WAN service into China

Now there is a third option for WAN connectivity outside China. Teridion has developed an SD-WAN solution that leverages the plentiful, fast, low-cost domestic broadband and builds on it to provide access into high speed WAN connectivity outside the country in a way that’s consistent with the regulatory environment. To develop its SD-WAN Service for China, Teridion worked with legal authorities within China to ensure that this solution meets all Chinese regulations while being available to the world.

Outside of China, Teridion has built a global WAN service that utilizes the public Internet as a backbone with unique capabilities to direct and manage the routing of traffic across this network. Teridion leverages a private routing infrastructure using Teridion Cloud Routers (TCRs) at the edge to establish the fastest path, at any given time, between a source and a destination. This approach provides accelerated access from one user site to another, or from user to SaaS applications and cloud workloads.

Because Teridion has a lot of flexibility in choosing routes, this approach eliminates the reliability and performance gaps that are introduced when relying on the public Internet. What’s more, it provides reliability equivalent to MPLS and is fully backed by Teridion’s SLAs, according to Ed Wright, Director of Marketing at Teridion. The company has more than 400 PoPs worldwide, enabling them to create a high performance and highly reliable “middle mile” global network, he said.

Teridion is using that same architecture and same technology to build out its China SD-WAN solution. The company deploys TCRs at the cloud edge within China. Sites in China connect to the TCRs via an IPsec connection through broadband. The connection to the rest-of-world Teridion network runs through dedicated circuits from inside China to Hong Kong and Singapore. Think of it as two “twinned” Teridion architectures which are connected to each other through these massive circuits between China and Hong Kong and Singapore. It’s a layered approach that meets the regulatory environment but also allows for broadband at the edge, and the advantages of Teridion optimization, according to Wright.

A unified global WAN

From a customer perspective, this “twinned” model results in a unified environment for a global WAN. A customer can go into a Teridion portal to manage their Chinese locations in exactly the same way they manage their other locations, all through a single pane of glass. The Chinese sites look exactly the same, and there’s nothing to configure or manage differently with the Chinese sites.

The solution leverages the low cost, high speed local broadband connections in China, allows the enterprise to use these fully, connects to Teridion within country, and then Teridion takes the traffic out of the country and passes it onto the network out of the country. All of this takes place within the regulatory environment so that Teridion and its customers can comply with Chinese law. Teridion says it has received certification of compliance from the providers, who are then in turn beholden to the government.

From the standpoint of the enterprise, they’re simply connecting to Teridion’s network. Let’s say a company has a site in Los Angeles as well as one in Guangzhou. In Guangzhou, they bring up an IPsec connection to a Teridion Cloud Router that’s running in Shanghai. And so, from their standpoint, they’ve got an IPsec connection into mainland China, an IPsec connection in the US, and then Teridion routes the traffic through its network, which conforms to the spirit of the CDTIA regulations as imposed by the MIIT.

“It’s confusing,” says Pejman Roshan, VP of Products and Marketing for Teridion. “It took us a lot of lawyers to figure out what was allowed and what wasn’t allowed. Even when we talked to the Chinese ISPs, the big three, it’s very gray and muddy. We had a dedicated team of lawyers in the US and in China that were helping us navigate these rules to finally figure out what’s allowed, what’s not allowed, what’s compliant, and how we maintain compliance so it doesn’t just turn off tomorrow. It’s all very complicated and we’ve eliminated that complexity for enterprises as part of this.”

Sean Dublin is president of business development with the IT consulting firm 26Connect. “Our global customers were looking for a ubiquitous platform for all of their users, including their mainland China sites,” says Dublin. “Up until recently there really hasn’t been a good solution. You could go back to the previous world of MPLS, but if you don’t have physical connectivity between mainland China and the rest of the world, the experience is sub-par, to say the least. Before partners like Teridion, there wasn’t a great solution other than the Chinese carriers. It was very kludgy. Technology is now meeting that demand and a company like Teridion that offers an agnostic platform where you can overlay MPLS, SD-WAN, IP, any of those different things means now we have a true solution for mainland China.”

“What we found with SD-WAN is that people were putting PoPs in mainland China and then in the rest of the world but they weren’t going the extra step for the physical connectivity through the Great Chinese Firewall,” says Dublin. “With the constant fluidity and volatility of the Great Firewall and their regulations pertaining to IPSec, we need partners like Teridion who are willing to take that extra step for you to really get that true, perfect, even customer experience.”

26Connect has clients that are on the Teridion network and they have been waiting for the Chinese service to be generally available. (It went live October 24.) “The good news is, with Teridion, regardless of what region they open up, the platform is the same. With China there will be some marketing differentiators with compliance, but at the end of the day what you have is a single platform that can now work throughout the entire world,” says Dublin. “For Teridion to bring a proven technology that will solve that problem at the price point they are able to do it is kind of mind blowing. It’s a difficult thing to do so people usually charge a significant premium for it. Teridion is now able to offer that to anybody who has offices in mainland China and have it be cost-effective.”