
A Virtual Private Network for Zero Trust Security – The New Stack

Long before launching their business, the founders of Tailscale knew what they wanted to accomplish: give developers small, reliable networks on a human scale to work on, with the devices and apps of everyone on that network accessible to each other, and only to each other.

Which is, of course, what Virtual Private Networks (VPNs) are supposed to do. But problems with VPN security had already emerged before the pandemic. Since then, the big leap in remote working triggered by the lockdowns has only revealed just how vulnerable they can be.

Even corporate VPNs are riddled with security concerns. In fact, a Zscaler survey of cybersecurity professionals found that 93% of organizations still use VPNs even though they know these services have become a target for cybercriminals.

As a result, two-thirds of businesses are looking for alternatives to traditional VPNs for remote access. And due to the growing security risks of VPNs, 72% are focused on adopting zero-trust security practices.

Thus, together with co-founders David Crawshaw, chief technology officer, and David Carney, chief operating officer, CEO Avery Pennarun wanted to offer developers a secure and scalable alternative to traditional VPNs.

“Our grand vision is to help developers be reasonable about scale,” said Pennarun, a former Google engineer. Although the influence of large tech companies has prompted many companies to build everything to maximum scale, “the long tail of software development is mostly small projects used by small groups,” he said. “The way you design for a billion users is very different from the way you design for fewer users, even for a million users.”

This meant creating small-scale networks that didn’t force developers to get tangled up in security concerns or troubleshoot overload issues, so that they could spend their time developing. The company’s guiding principles include “Small is beautiful” and “It must ‘just work’.”

Private networks on a human scale

Once upon a time, interconnected networks, including the Internet, consisted of the kind of small, reliable, human-sized networks that Tailscale provides. Many of their users communicated peer to peer, in an early vision of what the Internet could become.

Eventually, these small and larger networks were interconnected into the public Internet which now potentially includes everyone in the world. But malware security concerns that began in the 1990s, which led to firewalls being set up everywhere, made peer-to-peer connections over the public Internet simply impossible.

Firewalls everywhere have also created the need for employees to spend much more time on security. To create the small, reliable distributed networks that developer teams need, “either you’re running things on a local network and people can’t reach them remotely, or you’re running them on the public internet and spending all that time to lock them down,” said Pennarun.

The traditional security model of a VPN protected by firewalls has been called the “castle” approach. This is problematic because, once the attackers have crossed the perimeter, everything within it (network, devices and applications) can be compromised.

This model is often contrasted with the zero-trust security model that is now gaining traction in industry and the federal government. Instead of the old assumption that anyone on the network has the right to be there – “trust but don’t verify” – zero trust requires the reverse assumption of “never trust, always verify.”

Technically, Tailscale’s VPN service is a zero trust network. But Pennarun doesn’t like this term because it’s phrased negatively. “What people want is to be able to trust,” he said. “In a small network of humans or computers, if you can build trust between them, most security concerns will go away. Your small group of humans is much less dangerous than the billions of potential attackers on the open Internet.”

Developers must build small

Today, only cloud providers have public IP addresses that are not behind firewalls. “Even if you’re running your service for only 10 people, you still have to host it on the public Internet, and then you have to figure out how to secure it,” Pennarun said. “Tailscale’s goal is to skip all of that.”

When the founders looked at how developers work, they found that most of their time isn’t spent fixing customer issues, but dealing with obstacles in the development environment, such as infrastructure issues and unnecessary complexity. “For example, Kubernetes is endlessly scalable, but if I don’t need to run on 1,000 machines, I don’t need to scale,” said Pennarun. “And developing on Kubernetes is incredibly complex.”

Their response has been to create a development infrastructure company so that developers can create small projects, in large and small teams, that serve “smaller customer groups than everyone else on the Internet,” said Pennarun. “Let’s make it easy to create and perform simple things so that you can then move on to the more difficult parts when you really need to.”

The idea is to let systems scale, not the overhead involved in securing them or in managing development environment issues.

According to the Tailscale website, “Developers can use Tailscale to publish experimental services for their team without having to configure firewall rules and network configurations.”

Of course, businesses and enterprises can also use the service for remote access by employees working from home or to reduce the complexity of internal networks.

Direct and distributed connections

Unlike traditional hub-and-spoke VPN architectures that send all network traffic through a central gateway, Tailscale creates a peer-to-peer mesh network. This mesh topology directly connects each device to every other device.

A hub-and-spoke architecture is simpler than a mesh, but it has some drawbacks: higher latency for remote users, no direct connections between individual nodes, harder scaling, and a single point of failure that can take down the entire network.

In contrast, a peer-to-peer mesh network results in lower latency and higher throughput, and eliminates the need to manually configure port forwarding. It also allows connection migration: existing connections are maintained even when switching to another network, such as from WiFi to wired.

The idea of mesh VPNs has been around for some time, mostly for niche uses. But the advent of cloud-based infrastructure and the increase in the number of remote workers have made organizations take a closer look at them, wrote senior editor Lucian Constantin in CSO Online.

To enable encrypted point-to-point mesh connections, Tailscale’s service is built on top of WireGuard, the open source Layer 3 secure VPN protocol.

WireGuard is known for its use of modern cryptography; VPN connections are established using simple public keys, with each peer identified by its key. It is far easier to configure than other solutions, requiring only a few lines of code. The whole codebase is only about 4,000 lines, compared to over 100,000 for OpenVPN.
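To make the “public keys plus a few lines” point concrete, here is an added example of a two-device WireGuard tunnel. It is not code from the article or from Tailscale; the key strings, addresses and hostnames are placeholders constructed for illustration, and in practice each private key is generated locally with `wg genkey` and only the matching public key is copied to the other device.

```ini
# Device A: /etc/wireguard/wg0.conf  (placeholder values, constructed for this example)
[Interface]
# Never leaves this device; generated with: wg genkey
PrivateKey = <DEVICE_A_PRIVATE_KEY>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
# Device B is identified solely by its public key; that key is its identity on the link.
PublicKey = <DEVICE_B_PUBLIC_KEY>
# Cryptokey routing: packets arriving from B are accepted only if their
# source is 10.0.0.2, and only traffic to 10.0.0.2 is sent to B.
AllowedIPs = 10.0.0.2/32
# Placeholder hostname for B's reachable address
Endpoint = device-b.example.invalid:51820
# Keeps a NAT mapping open so B can reach A without port forwarding
PersistentKeepalive = 25

# Device B: /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <DEVICE_B_PRIVATE_KEY>
Address = 10.0.0.2/24
ListenPort = 51820

[Peer]
PublicKey = <DEVICE_A_PUBLIC_KEY>
AllowedIPs = 10.0.0.1/32
Endpoint = device-a.example.invalid:51820
PersistentKeepalive = 25
```

Bring the interface up on each device with `wg-quick up wg0`. Two properties matter from a defender’s standpoint: a packet from any sender whose public key is not listed in a `[Peer]` section is dropped before it reaches the IP stack, so the configuration file doubles as the allow-list, and `AllowedIPs` limits what each authenticated peer may send, so a compromised peer cannot spoof another peer’s address. What a mesh product adds on top is the distribution of every device’s public key and endpoint to every other device, since a full mesh of N devices needs a `[Peer]` entry for each of the other N-1 on every node.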

The easiest way to install Tailscale is to download and install it on two devices, which are then connected, Pennarun said. As described on the home page of the Tailscale website, the service is “A secure network that just works. Zero config VPN. Installs on any device in minutes, manages firewall rules for you, and works from anywhere.”

“Yes, users need to have confidence that Tailscale itself will do the right thing, that by providing this service and software we will be taking care of the security of our entire system and supply chain,” said Pennarun. “But if you trust us, we create a secure network where it doesn’t matter whether the rest of your software is secure or not, because we kept the bad guys out first.”