Designing a Zero-Trust Network for Enterprise Services in China

30.05.23 05:50 AM - By admin

Introduction and Context:

Western companies continuing to do business in China have to accept that the security framework of the state will not loosen anytime soon and is more likely to drift toward more control and more surveillance, with priority given to the collective good and social stability, as promulgated by the ideological thought of the Chinese Communist Party (CCP), over the individual rights and freedoms that are the norm in Western democracies. This, however, does not have to be incompatible with technical innovation, high-quality products, and economic growth, as has been shown over the past decade according to the authors of a recent Harvard Business Review article from the Understanding China series. For an up-to-date view, see also a 2023 perspective from the Asia Society Policy Institute. China is clearly a global competitor in many domains, such as automotive, space launch technology, artificial intelligence, biopharma, e-commerce, and high-end consumer product manufacturing at scale. However, China continues a policy whereby Western companies must set up a Chinese entity and transfer the intellectual property (IP) for products made and sold in China to that China-domiciled business entity. This can work, as shown by the large number of Western companies with a China-based subsidiary. But there are risks of exposure or theft of IP or personally identifiable information (PII) by malicious actors, and of extra-legal intrusive reviews by government entities.

Problem:

A large multinational pharmaceutical company was advised that one way to minimize these risks is to create a new zero-trust network connecting all business offices and manufacturing centers, and to secure each site with robust firewall, security inspection and threat management systems integrated into each site's local area network (LAN). But how should this network be designed? How can it be managed by the non-China-based network team? How are the #SDWAN edge routers controlled? How can traffic in and out of China be secured? Is it feasible with the China Great Firewall?

Ingenium Grex Solution: 

We were initially asked to design only connectivity for the sites. However, as threats and risks were more clearly aligned with business strategy and information security policy, the design scope grew to include two new hosting datacenters and two new cloud regions with high-speed cloud connectivity, all with resiliency. We proceeded to examine options and consider how best to balance cost, functionality, and security requirements.

Design Outcome:

We designed an Internet-circuit underlay and a #Cisco fully meshed SDWAN overlay network for 7 business sites plus 2 datacenters. The network includes high-bandwidth redundant circuits for each site, with the circuits connected to separate Cisco cEdge or vEdge premise routers depending on the size of the site and the bandwidth capacity needed to support business applications. The circuits are provided by China Telecom and connected to its business-class in-country Internet backbone for good, consistent performance and an acceptable operations SLA. For corporate data traffic, this connection architecture avoids the China Great Firewall by using a private transit network, with another partner provider, to route traffic between China and the rest-of-world (RoW) SDWAN network.

The site edge CPE routers are managed by a single #vManage control suite dedicated to the new China SDWAN. An alternative we examined is the China Telecom Accelerator whitelist service, which provides a secure, approved path around the Great Firewall for Cisco SDWAN control plane traffic. However, this solution requires NATing of IP addresses at each site and adds significant configuration complexity. For enterprises that want to use a single SDWAN controller for all sites globally, it is worth further investigation to confirm that control plane traffic behaves as expected when the edge router's loopback management IP is NATed.

The datacenters that host the core infrastructure and cloud connect services are built in 21Vianet colocation centers in Beijing and Shanghai to achieve geographic diversity. In addition to redundant connections to the Cisco SDWAN overlay network, the datacenters are interconnected by a high-speed IP interconnection circuit for an additional layer of redundancy and for data backup services.

Two new Azure cloud regions are set up in China East and China North, hosted by #21Vianet, which is the sole operator of Azure services in mainland China. Since the new datacenters are built in 21Vianet facilities, it is straightforward to connect each cloud region with dual high-bandwidth ExpressRoute circuits. This approach puts infrastructure hosting, cloud connects, and cloud subscriptions under a single service provider, 21Vianet, with the objective of minimizing MTTR for any cloud access incident.

Security is integrated by the pharmaceutical company's architects, who designed in the corporate standards of #PaloAlto firewalls with #Panorama for firewall management and #Tufin for policy management, enabling traffic inspection at the ingress and egress points of the various virtual LAN (VLAN) control points used in the architecture.

To achieve a zero-trust security posture for network traffic, all business sites send traffic destined for RoW up to the Beijing or Shanghai datacenter for inspection and re-encryption before it is sent onward. Zero trust is enforced by carrying all traffic in and out of China over IPsec tunnels between the China datacenters and the non-China hosting centers. These RoW hosting centers serve as a second control point, with #PaloAlto firewalls enforcing the security and data inspection policy.

The design provides the connectivity required and minimizes security risk by ensuring that all traffic in and out of China, and in and out of each site, is inspected and assessed for threats. Data traffic between China business sites, and between any site and RoW, is fully encrypted.
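As an added illustration (not the project's or the customer's own code), the following Python check encodes the traffic-path invariants described above as a policy-as-code test over a constructed topology with hypothetical node names, so a network team can verify a proposed forwarding path against the design before it is deployed:

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed topology with hypothetical node names (not the customer's real sites).
CHINA_SITES = {"site-bj1", "site-sh1", "site-gz1"}   # business sites on the China SDWAN
CHINA_DCS = {"dc-beijing", "dc-shanghai"}           # 21Vianet datacenters, first inspection point
ROW_HUBS = {"hub-eu", "hub-us"}                     # RoW hosting centers, second inspection point
ENCRYPTED = {"sdwan", "ipsec"}                      # transports that carry traffic encrypted


@dataclass(frozen=True)
class Hop:
    node: str        # node this hop arrives at
    transport: str   # "sdwan" overlay, "ipsec" private transit, or anything else (e.g. "internet")


def in_china(node: str) -> bool:
    return node in CHINA_SITES or node in CHINA_DCS


def check_path(src: str, dst: str, path: list[Hop]) -> list[str]:
    """Return the design invariants a flow src -> dst violates when forwarded over path.

    Invariants from the design: every hop is encrypted; a hop that crosses the China/RoW
    border rides the IPsec tunnel, has a China datacenter on its China side and a RoW
    hosting center on its RoW side, so both control points inspect the traffic.
    """
    violations: list[str] = []
    nodes = [src] + [h.node for h in path]
    if nodes[-1] != dst:
        violations.append(f"path ends at {nodes[-1]}, not {dst}")
    for i, hop in enumerate(path):
        prev, cur = nodes[i], hop.node
        if hop.transport not in ENCRYPTED:
            violations.append(f"hop {prev}->{cur} is not encrypted ({hop.transport})")
        if in_china(prev) != in_china(cur):            # this hop crosses the border
            if hop.transport != "ipsec":
                violations.append(f"border hop {prev}->{cur} is not an IPsec tunnel")
            if not {prev, cur} & CHINA_DCS:
                violations.append(f"border hop {prev}->{cur} bypasses China DC inspection")
            if not {prev, cur} & ROW_HUBS:
                violations.append(f"border hop {prev}->{cur} bypasses RoW hub inspection")
    return violations


if __name__ == "__main__":
    compliant = [Hop("dc-beijing", "sdwan"), Hop("hub-eu", "ipsec"), Hop("office-london", "sdwan")]
    shortcut = [Hop("hub-eu", "internet"), Hop("office-london", "sdwan")]
    print(check_path("site-gz1", "office-london", compliant))   # []
    print(check_path("site-gz1", "office-london", shortcut))    # three violations
```

The same check applied in the RoW-to-China direction requires the IPsec hop to land on a China datacenter before reaching any business site.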

Lessons: 

  1. China has specific laws and regulations about how work can be procured and invoiced. For example, all professional services need to be sourced through a China-based service provider. Some technical services, like network circuits or hardware, can be procured through a non-China service provider; others need to be procured locally. It is important to first understand how to procure all the needed services in mainland China.
  2. It is equally important to understand the statement of work (SOW) creation and execution process, as there are very specific formats, content, regulations and signing requirements. For example, paper-based signing is still the norm.
  3. Communication with people can be a challenge, but many China-based service providers are now able to assign personnel with dual-language skills. This should also be assessed upfront.
  4. Finally, when deploying virtualized services like SDWAN, SDLAN, etc., it is critical to evaluate technically what is feasible based on the service support model, role-based access, and the geographic location of support personnel.

Peter Singh is Principal at Ingenium Grex, and can be reached at peter.singh@ingrex.net