Inside Netcraft’s proactive approach to digital risk protection with Tailscale
Netcraft is a cybersecurity services company that specializes in proactively detecting, monitoring, and disrupting cyberattacks. As experts in brand protection and digital risk protection, Netcraft safeguards domains against impersonation and misuse. The security they provide is crucial for brands in the modern age, but as demand grew, so did Netcraft’s need for reliable networking for a growing and increasingly international staff.
Michael Douglas and Nick Allam work as DevOps Engineers at Netcraft. They’re sharing their story on how adopting Tailscale evolved Netcraft’s networking stack, access controls, and onboarding process into a sleek, secure, and unified approach to remote networking that scales with their business.
A proactive approach to both cyber threats and networking
Netcraft approaches cybersecurity differently than its competitors. Instead of waiting until their clients are attacked, they proactively identify and eliminate threats. Michael explains, “A lot of companies rely on the customer to report fraud. We proactively search for what’s targeting them and then take it down,” all before clients are aware the threat exists.
“This is critical in a time-sensitive environment where attacks happen very quickly,” he adds. “Most phishing attacks happen not very long after the site is live. The sooner we can take down the phishing sites, the better.”
Netcraft’s engineering team deployed a patchwork of solutions to fulfill their remote networking needs, including IPsec and OpenVPN. However, finding the right fit for both technical and non-technical users remained a struggle.
“On the staff VPN side, managing an OpenVPN setup is a pain because you have to deal with the certificates,” shares Nick. “You have to, at some level, educate all the staff on how the certificates work and how authentication works.”
When Netcraft’s team consisted mostly of engineers, using a solution like OpenVPN was less cumbersome. However, as the company and staff expanded and diversified, Nick and Michael began to consider a more approachable and user-friendly solution.
“We used to be a company of 90% engineers,” Michael explains. “When that was the case, shipping someone an OpenVPN key bundle and saying, ‘Hey, drop this in your program files, download this utility, and connect’ was fine. As we've grown, we've found that the burden on the IT team of managing those certificates has gone up significantly.”
There were also concerns about how to keep staff connected to critical resources during outages, especially international teams in different countries. “We were thinking, if our main office lost internet connectivity, which is where our main VPN servers are, how do we have people elegantly fall back to a server in a different location?” explains Nick.
Michael elaborates, adding, “As we’re growing the business geographically, we've got people in Australia who need to access infrastructure in Australia. If we try to hook that into our existing staff VPN, then they're going to be bouncing via the UK, which is not going to be a good experience.”
Adopting Tailscale
Given these challenges, Nick and Michael realized that it was time for a smarter solution. Michael had previous experience with Tailscale from a past role, and his recommendation was swiftly accepted in their streamlined engineering team.
“Thankfully, we're at a company size where this is not too onerous a process yet,” shares Nick. “We recommended it to the head of our platform engineering department, and he goes, ‘I think this is a good idea.’”
Now, a large part of Netcraft uses Tailscale for secure, remote networking, and there are plans to roll it out to the entire company. Nick explains, “At this stage, we have a 50% adoption rate, but that's mostly because a lot of people are in the office.”
However, expansion is on the horizon, and Michael shares, “We are planning on rolling it out to the entire company. So, eventually everyone will have Tailscale.”
Getting up and running
Netcraft has most of its production in the cloud, though some of it still operates using on-premises machines. Nick explains, “We still have some on-prem machines. The majority of our cloud estate is in AWS, now split across multiple regions, and we also have a huge collection of VPS providers providing servers in various countries.”
Netcraft has begun scoping their ACLs in Tailscale for better access management. “We already have some resources in our Tailscale ACL scoped, so only certain departments can access certain things. Then, once we sync in the groups for the other company functions, we’ll have it so they can access internal resources, but not servers and administration stuff,” shares Nick.
Tailscale has also helped significantly streamline setting up virtual private servers that are crucial to the company’s operations. Nick shares, “Now, setting up a new VPS is pretty much just installing Tailscale. I tag it with the appropriate tag, and then it has access to whatever it needs.” Michael adds, “Then we run our configuration management, and you're done.”
So far, Michael, Nick, and Netcraft’s engineering team have been pleased. Nick shares, “I'd say that the initial setup for off-site machines reaching our infrastructure services over Tailscale was relatively smooth.”
Getting business wins and enabling services
As Michael puts it, “I know this is a bit of a cliche with Tailscale, but it does just work in pretty much all scenarios.” So far, one of the biggest wins Netcraft has achieved from adopting Tailscale is a significant reduction in managing IP allowlists as part of their fraud detection services.
“As part of what we do, we're fetching a lot of fraud from around the world,” Michael explains. “Fraudsters have some brains to them, and if you just fetch from a static IP in AWS, you’ll quickly get blocked by them.” To combat this, Netcraft uses an intricate system that involves servers deployed worldwide.
Michael explains, “There was a burden in having those servers dial back to our configuration management server and our LDAP server for auth. We were maintaining these massive IP allowlists, which naturally fall out of date.”
Now, all of Netcraft’s virtual private servers are connected to Tailscale for easier management and better security. “They were actually the first things onboarded, and they're using Tailscale to speak to all of our internal infrastructure that they need to,” adds Michael.
Future plans and saving costs
Looking toward the future, Nick and Michael's team have “fairly grand plans” for Tailscale, specifically when it comes to connecting services between Kubernetes clusters using Tailscale Services.
Nick explains, “We have a dozen or so different Kubernetes clusters for various teams and projects. They expose web services that other services and other clusters need to access and hook into. Currently, we do this with Amazon Elastic Load Balancers.” This is an industry-standard way of routing external traffic into a Kubernetes cluster. However, this solution proved costly given the volume of traffic Netcraft’s team uses.
“When you're passing many terabytes per month of traffic through them, they can get quite expensive,” he shares. “What we're hoping to do with Tailscale Services is have Tailscale Service IPs that those clusters access via the Tailscale Kubernetes Operator to have a local, client-side load balancing setup.”
According to Michael, eliminating the need for elastic load balancers entirely could save Netcraft thousands of dollars a month in AWS costs. “We think that getting this fully rolled out, all the places we have internal APIs speaking to each other will basically pay for Tailscale by saving money in AWS.”
Netcraft evolves with a networking solution that scales
Growing companies are often limited by the inflexible networking solutions that work “well enough” for small teams but cause problems during expansion. By adopting Tailscale, Netcraft deployed a tool that can grow with them, saving time, resources, and networking headaches.
With user-friendly onboarding, sharper access control, and better-managed operations, Netcraft is positioned for a future of even greater expansion and success.