As organizations increasingly seek to support and secure more remote network connections, many are rethinking the traditional VPN. Numerous VPN alternatives exist to help secure remote access, with mesh VPNs being one of the most prominent. Mesh virtual private networks (VPNs) use a peer-to-peer architecture that can theoretically be less expensive than traditional VPN approaches. VPNs, which are estimated to be used by 1.6 billion people, don’t carry the same weight they used to in the security stack, given massive security holes, port shadow weaknesses, and broad consensus on their susceptibility to cyberattacks. Still, the global VPN market is robust and expected to almost triple by 2030, growing to an impressive $137 billion.
In legacy network stacks, a VPN was primarily used to access network-based resources such as on-prem line-of-business apps and file shares as if you were on the corporate network. Traditional enterprise networks typically provided inherent network-level access to everything on the network if you were within the network perimeter. However, hybrid networks and a push toward zero-trust concepts have the industry moving away from this way of thinking, making the concept of a network perimeter less of a focal point when it comes to securing enterprises. If you are managing a traditional hub-and-spoke VPN architecture, switching to a mesh VPN might be worth considering.
Why Mesh VPN
Mesh VPN is a relatively new concept that is quickly gaining momentum as more vendors bring their services to market. At its core, mesh VPN addresses several weaknesses in traditional VPN approaches and fundamentally integrates tightly with current security stacks, thereby providing several compelling advantages. Unlike a client-server VPN with a hub-and-spoke model, there is no VPN server on the perimeter as a potential attack surface. Traditional VPN servers are frequently easy to identify, as they involve a finite number of VPN standards or proprietary protocols that make discovery effortless for bad actors. Conversely, members of a mesh VPN reside behind corporate firewalls, home networks, or cellular connections, behind NAT and other technical components that frequently cause difficulty with traditional VPNs. The ability for nodes to connect to each other stems from a control plane typically managed and maintained by the VPN vendor.
Another significant advantage of mesh VPNs is their superior support for edge devices. Traditional VPNs primarily come in two flavors: site-to-site and remote access. With modern networks extending to edge devices tasked with enabling business operations, many edge deployments require either a software VPN client or a network appliance configured with a site-to-site VPN connection. Mesh VPNs can leverage a software VPN client on popular operating systems and be implemented directly into containerized applications and cutting-edge deployments that may not fit well with traditional VPNs. Additionally, mesh VPNs inherently provide access only to other members of the mesh VPN, not to the entire network. This can include servers, workstations, storage devices, cloud-based resources, or even application containers, refined further to provide access solely to devices and services appropriate for a specific user. The result is dynamic firewall rules between nodes based on the user’s roles and business requirements.
Automated Management and Integration with Existing Security Tools
Most mesh VPN solutions further enhance aspects of access control by offering API-based management. This means the process of assigning roles and access can be integrated with other management and orchestration tools already leveraged within the organization. For example, this could manifest in an extended detection and response (XDR) solution or simply script-based automation that interacts with business systems. The integration of mesh VPNs with existing security staples such as identity management (IDM) and mobile device management (MDM) forms a cohesive foundation for the hybrid workforce. Integration with IDM helps streamline operations like onboarding and offboarding, as well as dynamic changes in system access based on user identity modifications. Mesh VPN solutions are also compatible with security devices alongside MDM, allowing customer laptops, tablets, and even mobile phones to become potential VPN nodes.
Despite the promising benefits, for a mesh VPN service to be successful in an enterprise, it must fulfill certain non-negotiables. Integration with current authentication services is an absolute must, extending to authenticating devices and ensuring they meet device management policies. Additionally, integration with existing tools in the security stack, such as event monitoring and EDR (endpoint detection and response), remains crucial for devices accessing protected services. Therefore, organizations should carefully weigh these considerations before implementing a mesh VPN solution, ensuring it aligns with their authentication requirements and security infrastructure.
How to: Connect to Centralized Company Resources
Establish a Subnet Router in Tailscale
Establishing a subnet router in Tailscale is the first step to connecting to centralized company resources using a mesh VPN. Install the Tailscale client on a designated computer within the network, then start the client with the --advertise-routes parameter and include the desired IPv4 subnets in CIDR notation. For example:
```
tailscale up --advertise-routes=192.168.1.0/24
```
Multiple subnets or individual endpoints can also be defined by separating them with a comma. This setup ensures that Tailscale can adequately support connectivity to your centralized network resources, providing seamless access for remote users.
Approve Routes in the Admin Console
Once the subnet routes have been set up, the next step is to approve the routes via the admin console. Access the Tailscale admin console and approve each configured route. Upon approval, Tailscale users will be able to access the specified applications and services on the network segment. The approval process ensures that only legitimate and intended routes are made available, keeping the network secure while maintaining accessibility for authorized users.
How to: Limit Access to Network Resources and Services
Set Up Access Control Lists (ACLs) in Tailscale
Setting up Access Control Lists (ACLs) is crucial for restricting access to network resources and services to only authorized users. Use the policy editor to define the source and destination for each rule, specifying roles, groups, or individual users and devices so that connectivity is restricted to certain resources. ACLs in Tailscale operate a bit differently from traditional firewall rules: a Tailscale ACL rule only ever expresses an ‘accept’ action, and any connection not explicitly allowed by a rule is denied by default. This granularity enables administrators to tightly control who can access specific resources on the network.
Define Rules in ACL Policy Editor
After setting up ACLs, the next step is to define the rules in the ACL policy editor. For instance, to grant devices with the ‘mobile’ tag access to a subnet, you could create a rule like this:
```
{
  "action": "accept",
  "src": ["tag:mobile"],
  "dst": ["192.168.1.0/24:80,139,443,445"]
}
```
This rule ensures that only devices tagged as ‘mobile’ can connect to devices within the specified subnet and on certain ports. Such explicit rules help in maintaining a zero-trust security model by limiting access to resources on an as-needed basis only.
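To make the default-deny semantics of the rule above concrete, here is a small added Python model (example code written for this article, not Tailscale's own implementation) that parses Tailscale-style `host:ports` destinations and answers whether a given source label may reach a given IPv4 address and port. The sample policy, the `tag:mobile` and `group:it` labels, and the host `192.168.1.10` are constructed test data.

```python
import ipaddress
import json

# Constructed sample policy modelled on the ACL syntax shown in the article.
# The second rule (group:it to one host on any port) is made up for the demo.
SAMPLE_POLICY = json.loads("""
{
  "acls": [
    {"action": "accept", "src": ["tag:mobile"],
     "dst": ["192.168.1.0/24:80,139,443,445"]},
    {"action": "accept", "src": ["group:it"],
     "dst": ["192.168.1.10:*"]}
  ]
}
""")


def parse_dst(dst):
    """Split 'host:ports' into (ip_network, allowed_ports or None for '*').

    Simplified: IPv4 only, ports as a comma list with optional 'lo-hi' ranges.
    """
    host, _, ports = dst.rpartition(":")
    net = ipaddress.ip_network(host, strict=False)  # a bare host becomes /32
    if ports == "*":
        return net, None
    allowed = set()
    for part in ports.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            allowed.update(range(int(lo), int(hi) + 1))
        else:
            allowed.add(int(part))
    return net, allowed


def is_allowed(policy, src_labels, dst_ip, dst_port):
    """Default deny: the connection is permitted only if some accept rule
    matches one of the source's labels AND the destination host and port."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if not any(label in rule["src"] for label in src_labels):
            continue
        for dst in rule["dst"]:
            net, ports = parse_dst(dst)
            if ip in net and (ports is None or dst_port in ports):
                return True
    return False  # no rule matched, so the mesh denies the connection
```

Running `is_allowed(SAMPLE_POLICY, ["tag:mobile"], "192.168.1.50", 22)` returns `False` even though the host is in the subnet, because SSH is not among the listed ports.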
How to: Route Internet Traffic through a Central System
Designate an Exit Node in Tailscale
Designating an exit node in Tailscale is essential for routing internet traffic through a central system. To do this, enable the option within the Tailscale client on the device you choose to serve as the exit node. Once set, the exit node must be confirmed and approved in the admin console. This setup is particularly useful in industries with compliance requirements for monitoring and filtering internet traffic.
Approve and Configure Exit Nodes
After designating an exit node, approve it via the admin console. Administrators can choose between suggested or mandatory exit nodes, depending on latency or regulatory requirements. A suggested exit node allows Tailscale to select an exit node based on performance metrics, while a mandatory exit node enforces a single, central exit node that all traffic must pass through. Mandatory exit nodes require Tailscale’s premium or enterprise plan, along with an MDM solution to ensure robust management and security.
How to: Use Company DNS Servers for Tailscale Clients
Set Up Internal DNS Servers
To use company DNS servers for name resolution within the Tailscale mesh VPN, set up internal DNS servers in the Tailscale client settings. By default, Tailscale employs a feature known as MagicDNS for name resolution among tailnet members. However, this feature doesn’t extend to devices reached through subnet routes, such as Active Directory servers, which can be problematic.
Configure Split DNS
For comprehensive functionality, configure split DNS to forward requests for specific domains to designated internal DNS servers. This setup can be combined with subnet routing and ACLs to ensure seamless access to internal services that require DNS resolution. Split DNS is particularly useful for environments relying on internal DNS infrastructure for access to domain-specific services, thereby enhancing the overall network’s functional and security capabilities.
How to: Maintain Duty Separation within Tailscale
Assign Built-in Roles
Maintaining duty separation is a cornerstone of IT security and compliance requirements. Tailscale offers several built-in roles to ensure appropriate access levels meet business and compliance needs. These roles include Network Admins, IT Admins, Billing Admins, Auditors, Members, Owner, and Admins. Network Admins manage all aspects of network configuration but can’t make changes to user or device settings. IT Admins focus on user and device management, with no ability to modify network settings. Billing Admins handle pricing plans and billing information but can view all admin console aspects without making network changes.
Manage Permissions
Many mesh VPN solutions enhance access control with API-based management, allowing integration with other management and orchestration tools already used in an organization. This can be seen in solutions like extended detection and response (XDR) or simple script-based automation that interacts with business systems. By integrating mesh VPNs with existing security measures such as identity management (IDM) and mobile device management (MDM), a robust foundation for the hybrid workforce is established. IDM integration streamlines operations like onboarding, offboarding, and dynamic access changes based on identity modifications. Additionally, mesh VPNs working with MDM ensure that customer devices such as laptops, tablets, and mobile phones can become part of the VPN network.
However, for a mesh VPN service to be effective in an enterprise, several essential criteria must be met. It must integrate seamlessly with current authentication services, extending to device authentication and compliance with device management policies. Moreover, compatibility with existing security tools, including event monitoring and endpoint detection and response (EDR), is crucial for securing devices accessing protected services. Organizations should carefully evaluate these factors to ensure a mesh VPN solution aligns with their authentication needs and security infrastructure, providing a seamless and secure user experience.