Corelight

How Corelight severed ties with their old VPN

Corelight is a cybersecurity company headquartered in California that develops network detection and response (NDR) technology to help defend some of the world’s most sensitive, mission-critical organizations. Their open NDR platform sees everything that matters, and includes cloud and on-prem solutions such as Suricata, Zeek, Smart PCAP, and Investigator. Corelight also partners with companies like CrowdStrike to enable extended detection and response (XDR) capabilities.

Louis Gardner joined Corelight in September of 2021 as principal security infrastructure engineer, and his first priority was to look at the current state of Corelight’s infrastructure. He also wanted to come up with solutions to help improve security overall and automate processes that were largely manual up to that point. As Louis describes, “VPNs were one of those things that really needed to be fixed at Corelight.”

OpenVPN required a lot of support, and it wasn’t great for end users either

Before switching to Tailscale, Corelight used OpenVPN to access internal company resources, including on-prem hardware and virtual machines hosted on AWS. But there was a foundational problem: The system was built using an outdated design mentality optimized for the kind of on-prem networks prevalent in the ’90s. As Louis describes it: “You have a single, standalone host that provides VPN connectivity to a network. Then you use an IPsec tunnel to link up to a second network, so anyone connected to the first network can reach stuff on the second network.”

This process required a lot of resources and manual support because it:

  • Relied on network OpenVPN hosts, which were single points of failure.
  • Required manually provisioning new users to grant them access.
  • Depended on endpoints that failed unexpectedly.
  • Resulted in a poor user experience.

OpenVPN’s cumbersome onboarding, slow throughput, and dropped connections yielded a poor user experience for Corelight. As Louis points out, “The servers weren’t very powerful, so if we got a lot of users on one box, it would start to chug a bit. If we got too many, we would start to see dropped connections… So people had to experiment, or guess, and hope they got the server that wasn’t overloaded when they logged on.”

Corelight was spending a lot of time setting up and supporting their old VPN. “Collectively, between troubleshooting user connectivity — both to OpenVPN, and through OpenVPN across the IPsec tunnel — technical operations probably spent five to 25 work hours a week on this,” Louis explains. As a result, Corelight began a search to replace OpenVPN with something more modern and user friendly.

Tailscale surfaced as the best enterprise-grade WireGuard® solution

Louis originally learned about Tailscale through a Google search for enterprise-grade WireGuard solutions. At a previous company, Louis had looked into replacing their VPN with a homespun WireGuard solution, which was untenable because of the engineering work required. So he was curious to see if there was an existing solution. Not only was Tailscale the top result for this search, but Louis immediately recognized the value of additional functionality, such as Tailscale’s ACLs: “Just the writeup I saw on ACLs had me intrigued. That’s what led me down the path of considering Tailscale as an option for our proof-of-concept trials.”

As with many Tailscale customers, the decision to try Tailscale was organically supported by developers, as Louis recounts: “While we were evaluating Tailscale, about three folks I work with brought it up and said ‘Hey, are we considering Tailscale for the VPN replacement?’ So, there’s a lot of knowledge about your product out there.”

And then a funny thing happened on their way to using Tailscale

When Corelight was finally ready to switch VPNs, they narrowed their choice to three providers: Tailscale, Teleport, and AWS Client VPN. To make their final decision, they stood up concurrent, limited-scope proofs of concept (POCs) for each of these solutions.

Then Louis told us a great story about just how Corelight severed ties, literally, with their old VPN:

“We had recently moved out of our San Francisco office, where one of our VPN endpoints was located. And since we moved to a WeWork space where we didn’t host any network infrastructure, we were down to a single endpoint — in Columbus, Ohio.

“And it just so happened that the internet connection at our Columbus office got severed by a backhoe during that time. So all of a sudden, our entire engineering infrastructure had no access to our Git repositories, our build systems, or anything that was protected by an IP allowlist. We were just dead in the water.”

That’s where Tailscale came in.

“I had Tailscale running (as well as the other two POC VPNs), and Tailscale’s API and ACLs were really nice because I didn’t have to be in a web interface to make it work. So I told my CISO, ‘Hey, I can open this up to all of engineering and get them back rudimentary access to our entire infrastructure.’ And he said, ‘Do it.’”

“In a matter of about 10 minutes, I was able to give our entire engineering staff back their access to our infrastructure, and they were able to continue working.”
Louis Gardner, Principal Security Infrastructure Engineer

Louis was able to do this by leveraging Tailscale ACLs: “It was really fast for me to just hammer out a few commands, get a bunch of users into the ACL, and get them to where they had access through our subnet router into our various networks that [the subnet router] was granting access to.”

At the end of the day, the ease with which Louis was able to deploy Tailscale, integrate a large number of users, and get documentation out to them on how to download, install, and authenticate to Tailscale was key in making this an easy choice for Corelight. “After that,” Louis says, “I wrote up my recommendation with a stack-rank, and Tailscale was sitting way at the top. The API, the simplicity of the ACLs, plus the granularity it gives us in access control is unchallenged, and it presents a wonderful opportunity to improve security at our company and provide a much more simple and usable experience for our staff.”

Corelight got up to speed fast with Tailscale ACLs

Before Corelight could roll out Tailscale across their organization, Louis wanted to be sure they could version control their ACL file and use their IdP to dynamically populate group members within the ACL. Leveraging the Tailscale API, Louis was able to write a microservice to do all of this work utilizing modules he had previously written in Python. This service pulled the version-controlled ACL template file, populated it, checked it, and pushed it out if it passed all checks. “Now we have a centralized and version controlled, with peer review, ACL that’s dynamically populated by our IdP,” says Louis.

Corelight implements zero trust network access with Tailscale

Using ACLs, Corelight was able to get incredibly fine-grained security, making it even easier to follow the principle of least privilege. This was particularly important to Corelight because, as Louis explains, “We are a security services company, and we have customers that trust us all over the world, and being able to ensure that access to our systems is not only protected, but managed with fine-grained access controls, provides peace of mind for us as well as our customers.”
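The pipeline Louis describes in the previous section (pull the version-controlled template, populate groups from the IdP, check, push) and the least-privilege policy this section describes can be shown together. The Python below is an added example, not Corelight's microservice: the ACL template and the IdP group membership are constructed stand-ins, the local checks (empty groups, unowned tags, wildcard rules that defeat least privilege) are the author's own, and the `/acl/validate` endpoint, the `If-Match`/`ETag` handling and the `message` field used to signal a server-side validation error are taken from the public Tailscale API docs as understood by the author and should be treated as assumptions to verify against the current docs. The HTTP transport is injected so the whole flow can be exercised offline; `urllib_http` is the real transport.

```python
# Version-controlled Tailscale ACL pipeline: template -> IdP groups -> checks -> push.
# Added example, not Corelight's code; API details are assumptions (see lead-in).
import json
import re
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the ACL template file kept in git. Group member
# lists are deliberately empty: the pipeline fills them from the IdP.
ACL_TEMPLATE = """{
  "groups": {"group:engineering": [], "group:secops": []},
  "tagOwners": {"tag:bastion": ["group:secops"], "tag:subnet-router": ["group:secops"]},
  "acls": [
    // Engineers reach the lab subnet behind the subnet router on HTTPS and SSH only.
    {"action": "accept", "src": ["group:engineering"], "dst": ["10.20.0.0/16:443", "10.20.0.0/16:22"]},
    // Only secops may reach the subnet router host itself.
    {"action": "accept", "src": ["group:secops"], "dst": ["tag:subnet-router:*"]}
  ],
  "ssh": [
    // Tailscale SSH into bastions with no public IP; "check" re-prompts for SSO.
    {"action": "check", "src": ["group:engineering"], "dst": ["tag:bastion"], "users": ["autogroup:nonroot"]}
  ]
}"""

# Constructed IdP group membership; a real service would query the IdP's API.
IDP_GROUPS: Dict[str, List[str]] = {
    "engineering": ["alice@example.com", "bob@example.com"],
    "secops": ["louis@example.com"],
}

# Transport signature: http(method, url, headers, body) -> (status, headers, body)
Http = Callable[[str, str, Dict[str, str], str], Tuple[int, Dict[str, str], str]]


def load_template(text: str) -> dict:
    """Parse the HuJSON template; this toy only strips whole-line // comments."""
    return json.loads(re.sub(r"^\s*//.*$", "", text, flags=re.M))


def populate_groups(policy: dict, idp_groups: Dict[str, List[str]]) -> dict:
    """Fill every 'group:<name>' from the IdP group of the same name."""
    for group in policy["groups"]:
        policy["groups"][group] = sorted(idp_groups.get(group.split(":", 1)[1], []))
    return policy


def check_policy(policy: dict) -> List[str]:
    """Local pre-flight checks; returns the list of problems (empty means OK)."""
    problems: List[str] = []
    groups = policy.get("groups", {})
    owned_tags = set(policy.get("tagOwners", {}))
    for group, members in groups.items():
        if not members:  # an empty group silently grants nothing: likely an IdP failure
            problems.append(f"{group} is empty: IdP lookup probably failed")
    for section in ("acls", "ssh"):
        for rule in policy.get(section, []):
            if "*" in rule["src"] and any(d.startswith("*") for d in rule["dst"]):
                problems.append(f"{section}: wildcard src and dst defeats least privilege")
            for ref in rule["src"] + rule["dst"]:
                if ref.startswith("group:") and ref not in groups:
                    problems.append(f"{section}: unknown {ref}")
                if ref.startswith("tag:"):
                    tag = ":".join(ref.split(":")[:2])  # drop any ":port" suffix
                    if tag not in owned_tags:
                        problems.append(f"{section}: {tag} has no tagOwners entry")
    return problems


def push_policy(policy: dict, tailnet: str, token: str, http: Http) -> dict:
    """Validate server-side, then push with If-Match so a concurrent edit is not overwritten."""
    base = f"https://api.tailscale.com/api/v2/tailnet/{tailnet}/acl"
    hdrs = {"Authorization": f"Bearer {token}", "Content-Type": "application/json",
            "Accept": "application/json"}
    body = json.dumps(policy)
    status, _, resp = http("POST", base + "/validate", hdrs, body)
    if status != 200 or json.loads(resp or "{}").get("message"):
        raise RuntimeError(f"remote validation failed: {status} {resp}")
    _, resp_hdrs, _ = http("GET", base, hdrs, "")
    etag = resp_hdrs.get("ETag", "")
    status, _, resp = http("POST", base, {**hdrs, "If-Match": etag}, body)
    if status != 200:
        raise RuntimeError(f"push rejected: {status} {resp}")
    return json.loads(resp) if resp else {}


def run_pipeline(template: str, idp_groups: Dict[str, List[str]],
                 tailnet: str, token: str, http: Http) -> dict:
    """The whole flow: render, populate, check locally, then validate and push."""
    policy = populate_groups(load_template(template), idp_groups)
    problems = check_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return push_policy(policy, tailnet, token, http)


def urllib_http(method: str, url: str, headers: Dict[str, str], body: str):
    """Real transport using only the standard library."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, data=body.encode() or None, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as r:
            return r.status, dict(r.headers), r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode()


if __name__ == "__main__":
    rendered = populate_groups(load_template(ACL_TEMPLATE), IDP_GROUPS)
    print(check_policy(rendered) or "local checks passed; push with run_pipeline(..., urllib_http)")
```

The local checks are where the peer-reviewed, IdP-populated design pays off: a group that comes back empty from the IdP is refused rather than pushed (it would silently revoke everyone's access), every tag referenced in a rule must have a `tagOwners` entry, and a rule that combines a wildcard source with a wildcard destination is rejected because it would undo the least-privilege posture. Only a policy that passes those checks is sent to the validate endpoint and then pushed with the current `ETag`, so two concurrent pipeline runs cannot overwrite each other.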

In the short term, Corelight plans to use Tailscale for an internal zero trust implementation. Corelight is very selective about what systems they will authorize to their tailnet: only systems that run endpoint protection and that Corelight knows it issued will be authorized; anything else will not be. In the long term, after Corelight gets their zero trust SAML implementation in place, they plan to explore using SAML SSO for Tailscale as well.

How Corelight uses Tailscale

Corelight’s infrastructure includes AWS virtual machines (VMs), co-located servers, and local office networks that engineers need to securely access. With Tailscale, Corelight developers can now connect to these networks for access to product development environments, network testing, internal resources, sensor networks, build pipelines, and more.

“I can’t tell you how many times I’ve had an engineer say, ‘You know, it’s so much easier to utilize Tailscale to connect and get access to my systems,’” says Louis — and that’s just the tip of the iceberg. “We’re starting to roll out Tailscale SSH so our product teams can give themselves direct SSH access into bastion hosts without a public IP attached to it. That way, they can manage these large fleets of Kubernetes or otherwise container-based hosts that run the cloud products we offer like Investigator, or Corelight Cloud Sensor SaaS.”

More than two-thirds of Corelight employees are using Tailscale today, but as Louis points out, he’s currently working on use cases outside of engineering. “We want to enable Tailscale for our other office users so, for example, they can use an exit node to encrypt traffic when they find themselves at a coffee shop, or on some kind of shifty Wi-Fi that they’re not entirely certain of.”

That’s why Corelight chose Tailscale — for a better, more user-friendly experience

Overall, Corelight couldn’t be happier with Tailscale, in part because of the granularity with which they can manage and automate access control lists, simplify SSH connections, significantly reduce their use of public IPs, and much more.

It’s also simple for end users to get connected and get access to the systems they need in order to do their jobs. “There were so many people who lauded the fact that they install the application, log in, click their username, and they’re done,” says Louis, who left us with this final thought: “Tailscale, to me, is a cloud-powered VPN that every other VPN I’ve ever used wishes they could be.”