Attending AWS re:Invent?Where to find us
Get started
Login
WireGuard is a registered trademark of Jason A. Donenfeld.
© 2024 Tailscale Inc. All rights reserved. Tailscale is a registered trademark of Tailscale Inc.
Blog|June 07, 2023

Security, Productivity, and ZTNA with Tailscale Enterprise

alt

Tailscale makes it easy to create robust networks of devices without having admins worry about properly scoping firewall rules, fine tuning DNS and network configurations, and setting up certificate authorities. To join the network (tailnet), users simply install Tailscale onto their device and log in using an identity provider like Github, Okta, or another one of our supported identity providers. Tailscale’s ease of setup and use is one of the reasons so many individuals choose our free plan to run their homelabs. With a few clicks they can add devices to their tailnet, manage access controls for users, and with a little magic, host a private Minecraft server for their friends. 

The fun doesn’t have to stop when Steve drops his ax—bring the magic of Tailscale to work.

Introducing Tailscale Enterprise 

At a high level, Tailscale is a mesh-capable VPN, or overlay network, used to manage secure remote access for shared IT infrastructure and other resources. Instead of funneling all your traffic through a single VPN concentrator that’s probably really far away, Tailscale facilitates direct connections between devices. For an in-depth overview of Tailscale, refer to our How Tailscale Works post.

Tailscale was created way back in 2019 to help our first customer (a bank) modernize their secure remote access workflows for employees. The timing was just right —as 2020 and the pandemic accelerated the work from home transition, everyone was able to take their laptops home and work on assignments without a hitch. Nothing about their IT infrastructure had to change, because they were already using Tailscale to securely access their network.

Since then, we’ve added a number of features critical for enterprises. The four areas most important to large organizations considering enterprise grade VPNs are:

  1. Integrations: The VPN must work with their existing infrastructure, software, and tools.
  2. Compliance: The VPN must promote adherence to strict security standards like SOC2, PCI, HIPAA and others. It needs to help ensure the organization doesn’t violate any of these standards by exposing sensitive data.
  3. Support: Excellent support with fast turnaround-times and SLAs are often required.
  4. Access Control: The VPN must include the ability for people to have initial access to the network, and once inside the network, least-privileged access to the resources (e.g files, databases , etc) required to complete their work.

With Tailscale, we ensure that your organization can quickly take advantage of these important considerations.

One tool for IT and security teams

Before diving into the features, it’s important to understand the purpose of a VPN. Although it’s typically viewed as a security tool, a VPN also serves as a connectivity tool. The primary purpose is to get people into a private network. In many cases, it’s the job of the IT team to get employees connected to the network.

The purpose of a security tool, however, is to prevent or stop people from performing malicious acts. For example, once the IT team onboards a new employee into a company network, the security team typically updates firewall rules to restrict this employee from accessing specific servers on the network, due to their role or group. Integrating two different kinds of tools - one for connection and another for security - can lead to IT and security teams butting heads about how best to manage and secure a network.

Tailscale is unique in that it does both of these jobs. You don’t need separate tools for getting into a network, and for segmenting access once inside the network. Tailscale provides the connectivity layer, but integrated within this layer, is packet filtering and access controls. This means you can define what kind of access users have in your network at any given time. By combining these two concepts, and having users tied to an identity provider, you can write effective rules to manage access.

With a traditional VPN, you’d generally have to assign an IP address to everyone in the organization. Once it’s assigned, you’d then have to update the firewall to allow traffic from those IP addresses. Different services are then divided into different subnets, with different rules. Anytime an IP address is changed, the firewall rules would need to be updated. This quickly becomes cumbersome and difficult to manage for IT and security teams particularly as development teams increase their usage of ephemeral environments.

One of the benefits of Tailscale is the ability to write a rule once, and have it instantly applied across your entire network. For instance, you can write a rule stating that any person on the engineering team can access any device spun up by their team, and tagged as a development node. In Tailscale’s web admin console, you can audit these rules on the fly and admins don’t necessarily have to be network engineers or especially technical, to view the rules and assess, change, or manage access. When a change is made, Tailscale rapidly propagates that change over your network — often in less than 1/10 of a second. 

Combining ease of use with robust secure-by-default features, positively impacts how your IT and security teams collaborate.

An incremental approach to Zero Trust

Security and IT teams wanting to implement tenets of zero trust networking, but unsure about how to reconcile with their VPNs and current network configuration, can use Tailscale to incrementally transition at a rate of their choosing. Although zero trust is difficult to define and ultimately achieve, it’s a paradigm many companies are seeking to adopt and roll out throughout their networks. In general terms, you can think of zero trust as not implicitly trusting the network. Essentially, using Tailscale as your overlay network means you no longer have to absolutely trust your physical network, establishing protocols to explicitly authorize and authenticate every connection.

In a traditional VPN set up, a user connects using the VPN and gains access to the organization’s network. Once inside, the user has complete access to any resource on the network. One of the functions for firewalls is to help protect against malicious actors from breaching the network and they are usually deployed in larger numbers on the network perimeter, and in smaller numbers inside the network. This can expose organizations to lateral attacks, which is when a malicious actor exploits a vulnerability in a server, and successfully moves across the network until they find their desired target.

Tailscale provides a much better, safer and preferred alternative. Every potential connection has to be authorized. Unlike legacy VPNs, Tailsacle is able to provide least-privilege access enforcement at the node level, making it significantly harder to execute lateral movement attacks.

The ability to isolate sections of a network and apply security controls is commonly referred to as segmentation. With Tailscale, you can segment entire blocks of your network behind a subnet router. In this way, companies with thousands of servers can incrementally adopt zero trust without manually adding each device to the network (micro segmentation). There’s no longer a need to spend months setting up a zero trust environment and then flipping a switch to activate thousands of servers at the same time.

Enterprise Grade Functionality

Tailscale Enterprise includes features that are specific to the needs of large organizations.

Access Control Lists (ACLs)

Access Control Lists (ACLs) are available on every plan, but their breadth and scope increases as you advance from Starter to Enterprise plans. ACLs are a critical tool for preventing lateral movement attacks, and bolstering your network security. In Tailscale, the ACL is a configuration file which can be updated from the admin console or via the API. This policy file is written in a superset of JSON, referred to as HuJSON, that allows for comments, commas, and is more user friendly for admins to read and write. The ACL configuration file is a text file which allows you to:

  • update it with GitOps, for version-control and code review
  • add rules so it will automatically update as new users and devices are added
  • institute access controls across your entire network

For instance, if you commented out a line in the ACL file that removed permission for one device to connect with another, that change will be reflected immediately across all nodes in your Tailscale network without having to reconfigure firewalls, file tickets, or wait for the change to be executed by other teams. If you make a mistake, and decide to revert changes, your edits are immediately reflected across your network.

Speaking of mistakes, another feature of Tailscale ACLs is that you can create unit tests to ensure that when you do change a security rule, it will reject or approve that change depending on the rules of the unit test. For example, If a person always needs to have access to a particular server, and you wrote a rule that accidentally revoked  that person’s access to the server, the unit test would reject that request.

User and Group provisioning (SCIM)

System for Cross-domain Identity Management (SCIM) is a user and group synchronization system. SCIM is built into many identity providers (IdPs), like Okta, and makes it so that in your ACLs, you can refer to groups defined in your identity system and grant permission to people based on that identity. With Tailscale, you can use SCIM to increase your ability to write access control rules that  refer to, and automatically sync to users and groups defined in your IdP.

You can streamline this workflow for your organization using SCIM. For example, HR could create accounts for new employees and add them to their respective team groups. Once placed, these users will automatically gain access to the resources their team can access. This is all synced to Tailscale and doesn’t require you to do anything else. Tailscale compiles the ACLs down, including group definitions, within the packet filters and sends the packet filters to all the devices in the network. The connections on and to the devices are then enabled or disabled.

Tailnet Lock

At a high level, Tailscale’s control plane manages and distributes public keys required for devices to join the network and encrypt every communication. We run a SaaS service in the cloud that you send your public keys to. This service handles the authentication integration with your ID provider, and sends the public keys back. 

There are a number of associated dangers with not possessing complete control over which nodes are able to join and connect to devices on your VPN. Organizations using a traditional on-premises physical VPN, experience significant maintenance requirements over time to ensure the network remains stable. Although this can put a strain on teams, one obvious advantage is you can establish fine grained controls to stop potential bad actors from reconfiguring your control plane. 

Tailnet Lock is a feature that combines the best of both virtual and physical worlds. So even though we run our control plane in the cloud, your devices will not accept anything from our control plane, unless those instructions are signed by a device that you control. To learn more about how you can use Tailscale without trusting our infrastructure, read our blog post on Tailnet Lock. The advantage is that you don’t have to self-manage the VPN and host the control plane — which is the security equivalent to a root certificate authority that is difficult to secure. Even if you wanted to host an on-premises Tailscale instance, you would still have to run your own root CA.

To avoid this overly complicated set up, you can continue using the cloud-hosted, Tailscale control server, but turn on Tailnet Lock as an added security measure. Instructions still come from Tailscale, but you don’t have to accept them, unless verified by your own node. You get the best of both worlds: control over your own environment, while not having to run and host the control plane yourself. This model provides layered network infrastructure protection. If someone were to try and break into your network, they would have to break into Tailscale and your signing system’s instance to execute their attack. By using Tailnet Lock, you reduce the operational overhead for your teams associated with managing the control plane, while drastically improving your security posture.

Log Streaming

No one likes the idea of a single point of failure, but everyone enjoys the advantages of a single point of control. Traditional VPNs funnel all traffic through a single point, or VPN concentrator, which potentially transforms into the single point of failure for your network. In the case of logging, centralizing auditing is a very good thing.

Because Tailscale can generate a mesh overlay network, it eliminates the single points of failure vulnerability and can scale really well as the number of users and devices fluctuate. There isn’t a single point where you’re funneling all traffic. However, there is a limitation when it comes to logging: you don’t have the ability to log all the traffic at a single point, and the tools you may have used to do that, don’t work in this instance.

With Tailscale Log Streaming, every node in the network logs its own traffic metadata and sends that data wherever you want it to go. We’ve partnered with Splunk and Elasticsearch for the initial release, but you can also connect it to other SIEM providers. The output of the traffic logs are comparable with the traffic logs you might receive from a physical set of routers.

In order to address potential threats of tampering with individual nodes, Tailscale logs both ends of your connection. This is important because it’s extremely difficult for someone to tamper with both ends of a connection simultaneously. So when you notice a difference between two end-points in the logs, that would indicate to your security team that there was potential tampering that requires further investigation. 

In addition to network flow logs, we have configuration audit logs. Every change made to the ACLs, every node that gets added to your network, every key that gets refreshed, and logins into your network are written into the logging system.

Tailscale SSH and SSH Session Recording

When you log into Tailscale using your identity provider, it takes your network layer identity that is attached to the IP address Tailscale assigns you, and carries it over to SSH sessions. For example, you can turn Tailscale SSH on for a server, then SSH to that server using the Tailscale brokered connection, and now, you no longer need to manage SSH keys because your identity has been carried forward. The server will let you in based on the configuration that you place into the ACL policy file.

Typically, you can log SSH sessions using a jump box or server. To help organizations improve security practices or strengthen compliance adherence, Tailscale now also offers SSH session recording. This feature allows you to place the session recording layer over SSH servers running on your network. SSH logs contain sensitive and private information like API keys, usernames and passwords. We don’t want to have access to any of that. Instead of handing your sensitive data to us, you can launch your own recording node on your Tailscale network, and send your SSH logs to this recorder node that you completely control. While we do facilitate generating the session logs, all of the data is end-to-end encrypted so we never see the unencrypted content. Again, we never see the SSH logs and have no ability to access them. 

Usually, you have to choose between centralization or control, and deal with latency and jump boxes with SSH. With Tailscale SSH and SSH session recording, you can have the best of both worlds.

Enterprise Pricing

Our belief is that if we align our incentives with your incentives, we’re all going to be more successful. So we’ll always do our very best to mitigate  over paying us. We want you to get the full and true value of what you’re paying for. With Enterprise planning and billing, we have flexible billing programs that fit a variety of budgets.

First, we’ll only bill you for the seats that you’re actually using each month. This means that we bill you for users that actually transfer data over the network. If a user is not sending bytes, they don’t count as an active user. 

On our self-serve monthly plan, we automatically bill each month for the number of active users. You can even set a limit for the amount of users so that you exert more control over costs. If you have an annual or pre-paid plan, you can buy credits up front and we’ll deduct the credits based on how much you use Tailscale so you’ll only pay for what you use.

Answers to Lingering Questions

We understand that there are situations where companies are trying to adopt Tailscale incrementally. The infrastructure you have in place took a lot of work and we respect the work you’ve done. You may have also configured your network a certain way, and want it to continue running that way. We can help you set up Tailscale alongside your current network infrastructure, but you may have some questions. Here are a few answers about Tailscale Enterprise. 

Can you configure the IP range Tailscale Uses?

When rolling out a VPN, you typically assign certain teams to one IP subnet (like the engineering team to one IP subnet, and Marketing to another). Then the security team sets up firewalls to say that the people coming from a certain subnet must be engineers, and therefore allowed to access servers on the engineering subnet.

Tailscale lets you do this but we generally recommend against it. The ACL system on Tailscale is much more powerful and the problem with subnets is that you can only be on a single subnet at a time. With ACL policies and rules, you can assign a person to multiple roles at the same time in case that person is in both engineering and marketing. This person would then have access to the necessary files, servers, etc. without subnets.

Will IPs always be unique?

Tailscale assigns IP addresses to every device you add to your tailnet. It hands out an address in the 100.64/10 IPV4 range, which has about four million addresses. Even at four million addresses, it isn’t enough addresses for all the Tailscale users in the world.

The way we handle that is we reuse IP addresses between tailnets. Then, if you want to share nodes between organizations, we make sure to give you a number that is not shared between them. You can also turn off IPv4 addressing and stick to an IPv6 only mode. Tailscale can carry IPv6 protocol over IPv4 networks.

Does Tailscale automate deployment and provisioning?

Tailscale is not a provisioning company, but it can work seamlessly with your existing  infrastructure software like Terraform or Pulumi. We don’t try to do automated deployments, but we do try to make it easy for you to plug Tailscale into your deployment and infrastructure management systems.

What options are there for device compliance checks?

We’re working on a solution. Devices on your Tailscale network will have attributes — key value pairs that are associated with them — that will be able to answer questions  like, “Has disk encryption been turned on?”, “Is the OS up to date?”, “Is the OS fully patched?”, “Which OS is this?” and others. We will then populate these attributes so you can add a policy for dealing with non compliance devices.

Does Tailscale work with SaaS applications?

Yes, but this isn’t the core functionality of Tailscale. Tailscale handles the network layer for your private stuff and doesn’t get in the way of your access flows for things on the internet. Traditionally, engineers funnel all of their traffic through their existing VPN, which is added to an IP allow list for various SaaS products. So basically, you have to be on the corporate VPN before you can log into something like Zendesk. Tailscale can reproduce this by intercepting IP addresses and routing all traffic through an exit node.

Get started with Tailscale Enterprise

Additional details about Tailscale Enterprise are available on our pricing page, or if you have any questions about migrating an existing account, please contact sales.

Share

Authors

Jairo CamachoJairo Camacho
Jeff SpencerJeff Spencer
Loading...

Try Tailscale for free

Schedule a demo
Contact sales
cta phone
mercury
instacrt
Retool
duolingo
Hugging Face